How To Choose An Authentication Solution From The Rsa Decision Tree

Transcription

1 White paper The RSA Decision Tree: Selecting the Best Solution for Your Business

2 What is the best authentication solution for my business? This is a recurring question being asked by organizations around the globe. With the number of new and emerging security products being denoted by analysts as the silver bullet solution, it is critical to recognize that there are many authentication choices available on the market. Before making a final selection as to the authentication solution that will work best, organizations must consider their user authentication needs, the threats targeting their business, their business objectives, and the regulatory guidelines that impact their industry. RSA has developed the Decision Tree a comprehensive tool to help organizations understand, evaluate and select the most appropriate authentication solution to meet the needs of their users and their business. The RSA Decision Tree provides a framework to help narrow the selection of authentication solutions based on five critical factors. This white paper provides an overview of the Decision Tree, examines the five factors critical to selecting an authentication solution, and offers a clear guide to selecting the right solution that effectively balances risk, cost and end user convenience. The Need for Strong Protecting access to information and assuring the identities of users requesting that access is a core element of any security initiative. While the primary driver for user authentication has been to secure remote access to enterprise information, today, there are a number of reasons for the increasing demand for strong authentication across the organization. Movement of new business applications online. Recognizing the new business opportunities and cost efficiencies associated with providing access to information online, many organizations are starting to offer more Web-based business applications. Increased demand for remote access. The global nature of business and employee mobility has forced many organizations to provide anytime, anywhere access to enable employee productivity. Access privileges to new user populations. Contractors, partners and suppliers now require on-demand access to proprietary information such as sales forecasts, competitive intelligence, pricing charts, inventory, and customer data. Increase in customer-facing portals. There is an increased demand by customers to provide real-time access and the ability to manage account information online. Regulatory compliance. Numerous regulations have been issued in the last few years requiring organizations to enact security measures that prevent unauthorized access to information. Advanced threats. Depending on the user and the nature of information, a number of threats exist that require strong authentication to mitigate risk. For enterprise users, organizations must provide strong authentication to protect against unauthorized access to critical business information and to combat the risk of the insider threat. For customers, organizations must provide proactive measures to protect against the threat of phishing, Trojans and other forms of malware. The State of User Despite the fact that password-only authentication is recognized for providing relatively weak security, the use of a single password as a means of assuring user identities continues to dominate. However, the authentication method once viewed as free has actually become expensive in terms of ongoing management and support costs. According to Forrester Research, the average help desk labor cost for a single password reset is about $70. 2 RSA White Paper

3 New authentication methods continue to appear on the market making the selection even more challenging for organizations looking to implement a strong authentication strategy. In the enterprise, hardware authenticators still dominate for securing access to corporate resources. Yet, employee mobility and the use of mobile phones and PDAs has caused an increase in demand for software authenticators. For consumer-facing portals, risk-based authentication and knowledge-based authentication are common security mechanisms because of their ease-of-use and their scalability to a mass user base. With so many authentication options available on the market, organizations are finding it difficult to establish an authentication strategy. For many organizations, multiple authentication options can be selected based on factors such as the user population, the value of information being protected, portability, and user experience. RSA developed the Decision Tree to help organizations objectively weigh the assorted options and align the needs of their users and their business to make the optimum choice. Critical Factors to Consider in Developing an Strategy There are five critical factors to consider in developing an appropriate authentication strategy. These five factors are: The value of the information being protected The strength of user authentication to apply Planned usage Needs of the end user population Technical environment The value of protected information The first factor to consider is the value of the information to be protected and the cost of unauthorized access to that information. Proprietary business data, bank account and credit card details, health records or personally identifiable information (PII) are all types of information that could be considered high value. And unauthorized access to that information could be costly (i.e., a bank having to assume the costs of unauthorized fund transfers for customers) and detrimental to a company s brand and reputation. The higher the value of the information is and the higher the risk to the organization if the data is accessed by an unauthorized user, the stronger the authentication solution that is needed to protect it. The strength of user authentication to apply Considering the user population and the information being accessed by those users can help organizations determine the level of user authentication to apply. For example, organizations cannot force authentication on their customers so considerations in selecting a solution for this user base might be convenience and willingness to adopt. For employees and partners, however, organizations have more control over the types of authentication to deploy and will more likely consider features such as portability, total cost of ownership and overall management. Planned usage When organizations deploy an authentication solution, there is often more than one business objective to be met. In other words, depending on the user and the types of activities performed, an organization might determine that additional layers of authentication are needed beyond just assuring user identities. For example, a financial institution seeking to decrease their fraud losses might implement a transaction monitoring solution to monitor high-risk money transfers. Another example to consider would be for enterprise users. An organization might require certain users that work with and exchange highly sensitive information such as HR, payroll, and finance to have an authentication solution that enables file and encryption. End user population When deploying authentication to an end user community, there are many factors to consider depending on the end user population. From the user s perspective, organizations must consider things such as ease-of-use, the user s willingness to adopt, and the information the user will be accessing. From the organization s perspective, they must consider things such as total cost of ownership, training requirements, scalability to end users, and mobility of the solution. RSA White Paper 3

4 Technical environment Finally, the technical environment where the solution will be deployed is important in helping to determine factors such as what level of authentication strength to apply. For example, in an environment where desktops are more controlled and anti-virus software is likely to be up-to-date, security requirements may not be as rigorous compared to a scenario where the user environment is not as controlled and a large percentage of the user population is accessing the network from remote locations around the world. Another technical consideration would be the range of end user devices being used for access. For both corporate and customer-facing applications, the end user base is likely to be accessing information from devices ranging from laptops and desktops to PDAs and mobile phones to kiosks. The types of access devices are important in determining the authentication form factors offered to end users. The Decision Tree In light of the number of new authentication methods and technologies, the increasing value of information, new user populations requiring access to networks and applications, the proliferation of advanced threats and a complex regulatory environment, organizations are being driven to reevaluate their existing authentication strategy. There are many existing authentication solutions to evaluate and market buzz about certain authentication technologies make the assessment difficult for many organizations. Biometric solutions, for example, enjoy a disproportionate share of media coverage compared to their actual deployment in the market. These solutions require expensive and cumbersome readers, making it an impractical solution for mobile or remote access or adoption by a mass consumer audience. The RSA Decision Tree was designed for organizations to objectively evaluate their user and business needs against the readily available authentication technologies on the market in order to ease the decision making process. As the market has yet to come up with a universal solution that will meet every business requirement and address the security needs for all users and all scenarios, the RSA Decision Tree can be used to help organizations select the most appropriate authentication solution, or combination of solutions, while balancing risk, cost and end user convenience. How to Use the Decision Tree In determining what solution(s) will work best for an organization, the RSA Tree examines the following criteria: Control over the end user environment Access methods to be used The demand for anywhere, anytime access The need for disk, file or encryption Fraud prevention Control over the end user environment Control over the end user environment is critical in determining the appropriate authentication method. Considerations include things such as whether the organization is allowed to install software on the end user s system and whether they can dictate the operating system platform an end user is required to work on. But why is this so important? Looking at something as simple as being able to control the operating system is important because not all authentication solutions are going to be universally compatible with all operating systems. In an enterprise environment, the organization has direct control over the operating systems on user devices. However, there is no control over the operating systems of external users, such as customers and partners, so the authentication method offered to these populations may be different. 4 RSA White Paper

5 Access methods to be used Access methods are very important in determining an authentication strategy. Some authentication methods only work for accessing web-based applications while others can be used to authenticate to multiple, non-web based applications. Therefore, taking into account the user, their access rights, and their planned usage will have a direct effect on the authentication methods selected. The demand for anytime, anywhere access The global nature of business and increased employee mobility has created a demand for anytime, anywhere access. Providing the option for users to securely access information is critical to the continuation of business. For employees or partners, providing the option of anytime, anywhere access is critical to sustaining productivity; for customers, it is important for maintaining customer satisfaction. Factors to weigh include: Do you need to accommodate user access from varying remote locations? Do you need to accommodate user access from unknown systems such as kiosks, hotel systems or shared workstations? Do you need to accommodate user access from varying devices such as PDAs and mobile phones? Disk, file or encryption When evaluating an authentication strategy, organizations should consider the other business purposes that it may want the authentication method to address. For example, a healthcare organization might have the need to encrypt protected health information (PHI) or other personally identifiable information (PII) of a patient as it is transmitted between departments and facilities in order to meet HIPAA regulations. In this instance, the healthcare organization might require individuals with access rights to PHI and PII to access the data only from trusted machines. Fraud prevention Some authentication methods are required to monitor transactions and activities that are performed by a user after initial authentication at login in order to prevent fraud. While this scenario is mostly relevant for financial services applications, other industries are beginning to experience targeted attacks, such as phishing and malware, by fraudsters for the sole purpose of collecting personal data to be used in the commission of identity theft. A Myriad of Possibilities Passwords Passwords provide single-factor authentication for assuring user identities. While initial acquisition is free, there are ongoing management and support costs (password resets, for example) which can wind up being expensive in the longterm. The level of security provided is very low and passwords are prone to hackers and sharing among individuals. Knowledge-based authentication (KBA) Knowledge-based authentication is a method used to authenticate an individual based on knowledge of personal information, substantiated by a real-time interactive question and answer process. The questions presented to a user are gleaned from scanning public record databases, are random and previously unknown or unasked to the user. Risk-based authentication Risk-based authentication is a system that measures a series of risk indicators behind-the-scenes to assure user identities and/or authenticate online activities. Such indicators include certain device attributes, user behavioral profiles and IP geo-location. The higher the risk level presented, the greater the likelihood is that an identity or action is fraudulent. RSA White Paper 5

6 Challenge questions Challenge questions (sometimes called shared secrets ) are questions which an online user enrolls in and is then prompted to answer when additional authentication is required based on the risk of the transaction or activity being performed. Challenge questions are different from knowledge-based authentication in that users select questions to answer from a pool of pre-determined questions and provide the answers to those questions. Out-of-band phone authentication Out-of-band phone authentication involves the generation of an automated call to a phone number previously recorded during enrollment. The call informs the actual user of the activity details and prompts them to enter the confirmation number (a one-time password (OTP)) displayed on the web browser into the keypad on the phone. Provided it is the correct number, the online activity is confirmed to be genuine and the user can continue without disruption. Out-ofband phone authentication is typically used as a secondary factor of authentication to protect high-risk activities such as a change in personal information or a high-value money transfer. One-time password authentication One-time password (OTP) authentication is a leading twofactor authentication solution; it is based on something you know (a PIN or password) and something you have (an authenticator). The authenticator generates a new OTP code every 60 seconds, making it difficult for anyone other than the genuine user to input the correct code at any given time. To access information or resources protected by one-time password technology, users simply combine their secret Personal Identification Number (PIN) with the token code that appears on their authenticator display at that given time. The result is a unique, one-time password that is used to positively assure a user s identity. One-time password technology is available in many form factors including: Hardware authenticators: Traditional hardware authenticators (sometimes referred to as key fobs ) are portable devices that are small enough to fit on a keychain and meet the needs of users who prefer a tangible solution or access the Internet from a number of different locations. Software authenticators (for PCs, USB drives, or mobile devices): Software authenticators are typically offered as an application or in a toolbar format that is securely placed on a user s desktop, laptop, or mobile device. On-demand: On-demand authentication involves delivery of a unique OTP on demand via SMS (text message) to a mobile device or a user s registered address. Upon receipt of the unique OTP, a user simply enters it, along with their PIN when challenged, to gain access to their corporate network or an online application. Invisible user authentication Invisible user authentication involves actively introducing additional identifiers with the simple addition of a cookie and/or a flash shared object (also referred to as flash cookie ) which can then serve as a more unique identifier of a user s device. Invisible user authentication can also track characteristics that are a natural part of any device such as HTTP headers, operating system versions, browser version, languages, and time zone. Invisible user authentication also uses behavioral profiling to track user behavior. This involves identifying the activities that are performed by the device and the user and matching that data against the historical profile of activity related to that user to determine if there is inconsistent or unusual behavior that may indicate unauthorized access. 6 RSA White Paper

7 An Decision Tree Scenario Company profile A large healthcare organization representing several regional hospitals and specialty health centers that serves more than 1.5 million patients. User groups Physicians, payers and insurers, patients, healthcare administrators Business and user needs Physicians are constantly on the go, moving between multiple facilities, and stay connected to healthcare and patient records through a Blackberry or other mobile device. This enables instant, secure access to pertinent health records to ensure the highest quality of patient care. Payers and insurers need access to patient records and medical history and services performed in order to settle or adjust claims. Healthcare administrators are always in need of access to protected health information (PII) and personally identifiable information (PII) of patients. From case workers to billing specialists, access to patient information is critical to their job performance. Patients are provided access to their personal information and medical history through a Web-enabled portal. In addition to making updates to their personal information, they are provided a number of other convenient online services such as the ability to schedule appointments, submit prescription renewal requests and pay medical bills. choices With a diverse user base that all require access to various systems and for different needs, this healthcare organization would likely need to consider a myriad of authentication solutions including: Physicians: Software-based OTP for mobile devices Analyzing the Attributes Once an organization assesses the needs of their business and their users, selecting the appropriate authentication strategy based on the available choices is ultimately a tradeoff among a number of variables: Strength of security Typical use case Client side requirements Portability Multiple uses User challenges Distribution requirements System requirements Cost The RSA Decision Tree can help organizations make the relevant comparisons among the authentication methods that are designed to meet their requirements. By using this simple framework, organizations are provided with an objective assessment among the leading authentication solutions. While cost is an important consideration, organizations must consider a number of other elements in determining what is most suitable to their needs. Too often, the focus is on acquisition cost alone, but in considering that as a priority factor, one only needs to look to password-only authentication to prove that cost should never be the only consideration. Passwords are essentially free in terms of acquisition cost, however, they are surprisingly expensive in terms of ongoing management and support costs. The chart on page 8 and 9 compares and examines each authentication choice in terms of these nine attributes. Payers and insurers: Hardware tokens Healthcare administrators: Hardware tokens Patients: Risk-based authentication or Invisible User (IUA) RSA White Paper 7

8 Passwords Knowledge-based Risk-based Challenge Questions Out-of-band Phone OTP: Hardware Tokens Strength of Security Single-factor prone to crackers, sharing, etc. Stronger (Single-factor) Uncommon knowledge Two or more factors depending on risk assessment Weak if used standalone (Single-factor) Public knowledge Strong Two-factor Strong two-factor PIN plus token code Typical Use Case n-regulated Low value applications New user enrollment, Emergency access, PIN reset High volume consumer facing deployments Emergency access, PIN reset, Secondary method to RBA or IDA Consumer facing deployments Transaction verification Secondary method to RBA Mobile employee access Client side requirements Portability Works anywhere Works anywhere Browser-based applications Works anywhere Any telephone or mobile phone Works anywhere Multiple Use Platform for transaction monitoring and fraud detection User Challenges Easily forgotten and often written down Minimal Minimal to difficult Remembering initial answers (fuzzy logic) Moderate Mimimal Distribution Requirements User enrollment Assign and deliver tokens System Requirements User directory Subscription service server Custom agents Web-based applications Subscription service option Custom agents RBA server Custom agents Web-based applications server Application agents Cost Low acquisition but high help desk costs Moderate Low cost with some application integration Low acquisition but high help desk costs Low cost with some application integration High acquisition but low management 8 RSA White Paper

9 OTP and Digital Certificate Hybrid OTP: Software Tokens on PCs OTP: Software Tokens on USB Drives OTP: Software Tokens on Mobile Devices OTP code delivered On-demand Choices: Invisible User Strong two-factor PIN plus token code or certificate Strong two-factor PIN plus token Strong two-factor (can be biometric protected) Strong two-factor PIN plus software token code Strong two-factor PIN plus code delivered to phone Strong two-factor PIN or password plus registered device Internal users and traveling employees Mobile employee access Mobile employee access Mobile employee access Occasional or temp users Emergency Access Second factor to IDA SSL VPN access only all sized deployments Middleware for connected features Compatible PC Compatible USB device Compatible platform Any or SMS capable device OTP feature works anywhere Works only on assigned system Works anywhere but needs USB port availability Works anywhere Dependent on service coverage Restricted to registered system(s) File/ encryption Digital signing Remote access File storage Mimimal Minimal Minimal Minimal Two-step process - invisible Client software Certificate Token Assign and deliver software and seeds Assign and deliver software and seeds Assign and deliver software and seeds Certificate authority server server Application agents server Application agents server Application agents server Application agents SMS delivery method server Custom agents SSL VPN Higher infrastructure and management expenses Less than hardware tokens High device plus token Less than hardware tokens Less than either hardware or software tokens Less than either hardware or software tokens RSA White Paper 9

10 RSA Solutions RSA Adaptive RSA has been a leading provider of strong two-factor authentication solutions to businesses of all sizes for more than 20 years. RSA offers a variety of solutions to help organizations provide strong authentication while balancing risk, cost and end user convenience. RSA Identity Verification RSA Identity Verification utilizes knowledge-based authentication (KBA) to assures user identities in real-time. RSA Identity Verification presents a user with a series of top of mind questions utilizing information on the individual that is obtained by scanning dozens of public record databases. Within seconds, RSA Identity Verification delivers a confirmation of identity, without requiring any prior relationship with the user. RSA Identity Verification also provides improved accuracy in authenticating users with the Identity Event Module. The Identity Event Module improves security by measuring the level of risk associated with an identity and allowing the configuration of the system to automatically adjust the difficulty of the questions during the authentication process in order to meet the specific nature of the risk. Some of the identity events that are measured include: Public record searches. Suspicious access to a user s public record reports. Identity velocity. A high volume of activity associated with an individual at several businesses. IP velocity. Multiple authentication requests generated from the same IP. RSA Adaptive is a multi-channel authentication and fraud detection platform providing cost-effective protection for an entire user base. Adaptive provides strong and convenient protection by monitoring and authenticating user activities based on risk levels, institutional policies, and user segmentation. Powered by RSA s risk-based authentication technology, Adaptive tracks over one hundred indicators to identify potential fraud including device identification, IP geolocation, and behavioral profiles. Each activity is assigned a unique risk score; the higher the score, the greater the likelihood is that an activity is fraudulent. Adaptive offers behind-the-scenes monitoring that is invisible to the user. When an activity is deemed to be high-risk, a user is only then challenged to provide additional authentication, usually in the form of challenge questions or out-of-band phone authentication. With low challenge rates and high completion rates, Adaptive offers strong protection and superior usability and is an ideal solution for deployment to a large user base. RSA SecurID RSA SecurID one-time password technology provides a leading two-factor authentication solution; it is based on something you know (a PIN or password) and something you have (an authenticator). RSA SecurID offers a unique symmetric key (or seed record ) that is combined with a proven algorithm to generate a new one-time password (OTP) every 60 seconds. Patented technology synchronizes each authenticator with the security server, ensuring a high level of security. To access resources that are protected by the RSA SecurID system, users simply combine their secret Personal Identification Number (PIN) with the token code that appears on their authenticator display at that given time. The result is a unique, one-time password that is used to positively assure a user s identity. 10 RSA White Paper

11 RSA SecurID is available in the following form factors to meet the needs of organizations and their users: Hardware Authenticators From a usability perspective, traditional hardware authenticators (sometimes referred to as key fobs ) are small enough to fit on a keychain and meet the needs of users who prefer a tangible solution or access the Internet from a number of different locations. Hybrid Authenticator with Digital Certificates The RSA SecurID800 is a hybrid device that combines the simplicity and portability of SecurID with the power and flexibility of a smart card in one convenient USB form factor. The SID800 offers standards-compliant digital certificate support for disk and file encryption, authentication, signing, and other applications and strengthens simple password authentication by storing users domain credentials on a hardened security device. In combining multiple credentials and applications in a single device, the SID800 is a master key that enables strong authentication across a heterogeneous IT environment in a way that is both simple and seamless for the end user. Software Authenticators RSA SecurID software authenticators use the same algorithm as RSA SecurID hardware authenticators while eliminating the need for users to carry dedicated hardware devices. Instead of being stored in RSA SecurID hardware, the symmetric key is safeguarded securely on the user s PC, smart phone or USB device. Mobile devices RSA SecurID software authenticators are available for a variety of smart phone platforms including BlackBerry, Windows Mobile, Java ME, Palm OS and Symbian OS and UIQ devices. Windows desktops The RSA SecurID Token for Windows Desktops is a convenient form factor that resides on a PC and enables automatic integration with leading remote access clients. OTP token toolbar The RSA SecurID Toolbar Token combines the convenience of auto-fill capabilities for web applications with the security of anti-phishing mechanisms. Display Cards The RSA SecurID Display Card is a flexible, wallet-sized card that displays a new OTP every time the user presses a button. The RSA SecurID Display Card offers OTP-based strong security and greater portability by eliminating the need to carry an additional item on a keychain and by allowing end users to easily slip the card into a wallet or purse instead. On-demand (delivered via SMS or ) RSA On-demand delivers a unique one-time password on demand via SMS (text message) to a mobile device or a user s registered address. Upon receipt of the unique OTP, a user simply enters it, along with their PIN when challenged, to gain access to their corporate network or an online application. RSA Invisible User provides the ability to identify a user with an extremely high degree of accuracy. IUA identifies users by combining unique identifiers with statistical identifiers based on device forensic analysis and behavioral profiling. IUA authenticates users behind-thescenes and does not require any preliminary distribution of physical authenticators or software. RSA White Paper 11

12 Additional Information For additional information about using our interactive Decision Tree tool to evaluate your authentication options, contact your RSA account manager or channel partner or visit About RSA RSA, The Security Division of EMC, is the premier provider of security solutions for business acceleration, helping the world s leading organizations succeed by solving their most complex and sensitive security challenges. RSA s informationcentric approach to security guards the integrity and confidentiality of information throughout its lifecycle no matter where it moves, who accesses it or how it is used. RSA offers industry-leading solutions in identity assurance & access control, data loss prevention, encryption & key management, compliance & security information management and fraud protection. These solutions bring trust to millions of user identities, the transactions that they perform and the data that is generated. For more information, please visit and RSA and the RSA logo are registered trademarks and/or trademarks of RSA Security Inc. in the U.S. and/or other countries. EMC is a registered trademark of EMC Corporation. All other products and/or services mentioned are trademarks of their respective companies.. DECTR WP 0908