How to Handle Identity in a Heavily Regulated Industry

In heavily regulated industries like the financial and health care sectors, organizations are struggling with new computer security regulations. With the growth of the Internet and, most recently, mobile applications, regulatory compliance is a constant challenge for senior managers. As senior vice president and CIO for the USA Federal Credit Union, I was responsible for finding a multi-factor authentication (MFA) solution to comply with FFIEC guidelines (and to protect our members from phishing and other online attacks). 
While FFIEC’s mandate for MFA was made a year in advance of the December 2006 deadline, the industry lacked affordable, easy-to-use solutions. By mid-2006, financial institutions were still struggling with finding the best solution. With little time to implement and even fewer budgets, I chose the easiest and quickest path and deployed the “free” solution provided by our core systems provider. As a result, we found ourselves facing a string of member-service issues. 
Hopefully, the following we learned the hard way will serve as a guide for other organizations grappling with this problem.
Don’t cut corners in a rush to achieve compliance. As a not-for-profit credit union, we couldn’t just throw money at the compliance problem. Several of the mega-banks had developed proprietary solutions. The most common solution available on the market was traditional hardware-based one-time-password (OTP) tokens. These physical tokens were too expensive and impractical for widespread use among our globally dispersed membership base.
We needed an OTP token alternative, preferably an affordable software solution. Our core solution provider had one, and only one, in its product portfolio, and we trusted their recommendation. Unfortunately, this solution didn’t perform as advertised.
Most MFA solutions require users to go through a somewhat lengthy enrollment process, with challenge questions and out-of-band authentication, in order to establish that users are who they say they are. After the initial time-consuming login, the user should be shielded from a long logon process.
With our solution, unfortunately, the enrollment process never ended. Devices weren’t authenticated properly and our users had to endure lengthy enrollment-style logons over and over – often during the same session if they had been timed out. As a result, members deluged our call center with complaints, and many left. The lesson here is to test your MFA solution extensively before rolling it out to your end users.
Find a unified authentication solution. Finally, we decided we had to change our MFA solution or risk losing more members. We issued a formal Request for Proposal to several well-known vendors.
We were in the process of installing a separate authentication and identity enforcement system for our employees, one that would give them secure remote access to internal applications via VPNs. The solution provider, MultiFactor Corporation, learned of our online banking troubles and informed us that their system, SecureAuth, could as easily handle member-facing applications as internal ones.
This was a surprise. Most vendors separate internal and external authentication and require that you purchase different systems for each.
Having a unified authentication solution is both a money- and time-saver. Now, we have one point of contact. The system is standardized, which makes support simpler for my small staff. Moreover, our solution was designed as a Web service, so it will be able to meet our needs as we evolve.
Keep it simple. Because user identities tend to be the weakest link in corporate security, many solutions employ elaborate schemes to protect those identities. Some require user names to have numbers and special characters. OTP tokens rotate passwords frequently and force users to carry around a physical device in order to keep up.
With solutions like SecureAuth, users need only remember what they always have, their default user names and passwords. They must go through some steps up front to ensure they are who they are, but from then on, the software handles all of the heavy lifting of authentication transparently.
If anything seems out of the ordinary, such as a logon from a public terminal or an unknown device, users will be asked for further identity factors. Depending on your organization’s preference, these could be answers to challenge questions, one-time PINs delivered by email or even interactive telephone calls.
Keep identities in house. To achieve compliance, access to personal information must be strictly controlled. With many solutions, this is a problem, since user identities, roles and privileges are handled by third-party service providers. Many of these service providers then outsource much of what they do to still other service providers.
A better solution is to leverage existing in-house data stores, such as LDAP or Active Directory. We did this, and as a result, identities stay in house, are controlled 100 percent by our staff, and are easily audited.
We have learned that MFA is not a project; it is a process that continues to develop as our technology and our membership changes. Also, while security is critical, the end user experience is just as important.

Five Common Authentication Myths

Myth: Multi-factor authentication requires that we buy hardware-based tokens for our users.
Reality: Browser-based credentials are every bit as secure as hardware-based tokens, and they don’t burden security with help desk calls when they expire or are lost or stolen.

Myth: MFA is too expensive for my business.
Reality: When you factor in support and maintenance, all-software MFA solutions are often as affordable as user names and passwords alone.

Myth: MFA is too complicated for my already overworked staff.
Reality: New authentication solutions automate everything from enrollment to out-of-band authentication to expiring credentials.

Myth: I need different MFA systems for my employees, partners and customers.
Reality: Next-generation MFA solutions unify authentication, giving you a single system for VPN access for employees, Web access for customers and time-sensitive access for partners or contractors.

Myth: Deploying MFA will be a long, excruciating process.
Reality: Most businesses can evaluate, test and deploy software MFA in a month or two.

Did you enjoy this article? Click here to subscribe to Security Magazine. 

You must login or register in order to post a comment.



Image Galleries

ASIS 2013 Product Preview

ASIS International 59th Annual Seminar and Exhibits, September 24-27 in Chicago, Illinois, will include an exhibit hall packed with innovative security solutions. Here are some of the products that will be shown at ASIS this year.


Virtualization and Data Center Security: What You Need to Know for 2014

Data centers are increasingly becoming the center of the enterprise, and data center and cyber security is following the same path for security departments. According to Justin Flynn, a consultant at the Burwood Group, the virtualization of data centers allows enterprises to scale more easily and faster, with a smaller footprint.

However, hosting enterprise data in the cloud can make intrusion detection more difficult – how can enterprise security leaders team up with other departments to keep aware of cyber risks and traffic, and physical and data compliance during the virtual transition? How can CISOs and CSOs discuss cyber threats with the C-Suite to get the resources they need? And how can the proper infrastructure test and verify possible malicious attacks? 

More Podcasts

Security Magazine

Security May 2015 Issue cover

2015 May

In the May 2015 issue of Security, learn how to be the bridge between busieness and security with "customer facing," how to effectively work with your CFO, and covert security.

Table Of Contents Subscribe

Body Cameras on Security Officers

Body cameras are being used increasingly by police in cities across the U.S. Will you arm your security officers with a body camera?
View Results Poll Archive


Effective Security Management, 5th Edition.jpg
Effective Security Management, 5th Edition

 Effective Security Management, 5e, teaches practicing security professionals how to build their careers by mastering the fundamentals of good management. Charles Sennewald brings a time-tested blend of common sense, wisdom, and humor to this bestselling introduction to workplace dynamics. 

More Products

Clear Seas Research

Clear Seas ResearchWith access to over one million professionals and more than 60 industry-specific publications,Clear Seas Research offers relevant insights from those who know your industry best. Let us customize a market research solution that exceeds your marketing goals.


Facebook 40px 2-12-13 Twitter logo 40px 2-12-13  YouTube  LinkedIn logo 40px 2-12-13Google+

Vertical Sector Focus: Critical Infrastructures

criticalhomepagethumbFrom terrorism to vandalism, it’s preparedness, response, training and partnerships. Learn about some of the critical security issues facing this sector.

Visit the Critical Infrastructure page to read more.