How to Handle Identity in a Heavily Regulated Industry

March 1, 2010
/ Print / Reprints /
ShareMore
/ Text Size+


In heavily regulated industries like the financial and health care sectors, organizations are struggling with new computer security regulations. With the growth of the Internet and, most recently, mobile applications, regulatory compliance is a constant challenge for senior managers. As senior vice president and CIO for the USA Federal Credit Union, I was responsible for finding a multi-factor authentication (MFA) solution to comply with FFIEC guidelines (and to protect our members from phishing and other online attacks). 
     
While FFIEC’s mandate for MFA was made a year in advance of the December 2006 deadline, the industry lacked affordable, easy-to-use solutions. By mid-2006, financial institutions were still struggling with finding the best solution. With little time to implement and even fewer budgets, I chose the easiest and quickest path and deployed the “free” solution provided by our core systems provider. As a result, we found ourselves facing a string of member-service issues. 
     
Hopefully, the following we learned the hard way will serve as a guide for other organizations grappling with this problem.
     
Don’t cut corners in a rush to achieve compliance. As a not-for-profit credit union, we couldn’t just throw money at the compliance problem. Several of the mega-banks had developed proprietary solutions. The most common solution available on the market was traditional hardware-based one-time-password (OTP) tokens. These physical tokens were too expensive and impractical for widespread use among our globally dispersed membership base.
     
We needed an OTP token alternative, preferably an affordable software solution. Our core solution provider had one, and only one, in its product portfolio, and we trusted their recommendation. Unfortunately, this solution didn’t perform as advertised.
     
Most MFA solutions require users to go through a somewhat lengthy enrollment process, with challenge questions and out-of-band authentication, in order to establish that users are who they say they are. After the initial time-consuming login, the user should be shielded from a long logon process.
     
With our solution, unfortunately, the enrollment process never ended. Devices weren’t authenticated properly and our users had to endure lengthy enrollment-style logons over and over – often during the same session if they had been timed out. As a result, members deluged our call center with complaints, and many left. The lesson here is to test your MFA solution extensively before rolling it out to your end users.
     
Find a unified authentication solution. Finally, we decided we had to change our MFA solution or risk losing more members. We issued a formal Request for Proposal to several well-known vendors.
     
We were in the process of installing a separate authentication and identity enforcement system for our employees, one that would give them secure remote access to internal applications via VPNs. The solution provider, MultiFactor Corporation, learned of our online banking troubles and informed us that their system, SecureAuth, could as easily handle member-facing applications as internal ones.
     
This was a surprise. Most vendors separate internal and external authentication and require that you purchase different systems for each.
     
Having a unified authentication solution is both a money- and time-saver. Now, we have one point of contact. The system is standardized, which makes support simpler for my small staff. Moreover, our solution was designed as a Web service, so it will be able to meet our needs as we evolve.
     
Keep it simple. Because user identities tend to be the weakest link in corporate security, many solutions employ elaborate schemes to protect those identities. Some require user names to have numbers and special characters. OTP tokens rotate passwords frequently and force users to carry around a physical device in order to keep up.
     
With solutions like SecureAuth, users need only remember what they always have, their default user names and passwords. They must go through some steps up front to ensure they are who they are, but from then on, the software handles all of the heavy lifting of authentication transparently.
     
If anything seems out of the ordinary, such as a logon from a public terminal or an unknown device, users will be asked for further identity factors. Depending on your organization’s preference, these could be answers to challenge questions, one-time PINs delivered by email or even interactive telephone calls.
     
Keep identities in house. To achieve compliance, access to personal information must be strictly controlled. With many solutions, this is a problem, since user identities, roles and privileges are handled by third-party service providers. Many of these service providers then outsource much of what they do to still other service providers.
     
A better solution is to leverage existing in-house data stores, such as LDAP or Active Directory. We did this, and as a result, identities stay in house, are controlled 100 percent by our staff, and are easily audited.
     
We have learned that MFA is not a project; it is a process that continues to develop as our technology and our membership changes. Also, while security is critical, the end user experience is just as important.


Five Common Authentication Myths

Myth: Multi-factor authentication requires that we buy hardware-based tokens for our users.
Reality: Browser-based credentials are every bit as secure as hardware-based tokens, and they don’t burden security with help desk calls when they expire or are lost or stolen.

Myth: MFA is too expensive for my business.
Reality: When you factor in support and maintenance, all-software MFA solutions are often as affordable as user names and passwords alone.

Myth: MFA is too complicated for my already overworked staff.
Reality: New authentication solutions automate everything from enrollment to out-of-band authentication to expiring credentials.

Myth: I need different MFA systems for my employees, partners and customers.
Reality: Next-generation MFA solutions unify authentication, giving you a single system for VPN access for employees, Web access for customers and time-sensitive access for partners or contractors.

Myth: Deploying MFA will be a long, excruciating process.
Reality: Most businesses can evaluate, test and deploy software MFA in a month or two.

Did you enjoy this article? Click here to subscribe to Security Magazine. 

You must login or register in order to post a comment.

Multimedia

Videos

Image Galleries

ASIS 2013 Product Preview

ASIS International 59th Annual Seminar and Exhibits, September 24-27 in Chicago, Illinois, will include an exhibit hall packed with innovative security solutions. Here are some of the products that will be shown at ASIS this year.

Podcasts

Virtualization and Data Center Security: What You Need to Know for 2014

Data centers are increasingly becoming the center of the enterprise, and data center and cyber security is following the same path for security departments. According to Justin Flynn, a consultant at the Burwood Group, the virtualization of data centers allows enterprises to scale more easily and faster, with a smaller footprint.

However, hosting enterprise data in the cloud can make intrusion detection more difficult – how can enterprise security leaders team up with other departments to keep aware of cyber risks and traffic, and physical and data compliance during the virtual transition? How can CISOs and CSOs discuss cyber threats with the C-Suite to get the resources they need? And how can the proper infrastructure test and verify possible malicious attacks? 

More Podcasts

Security Magazine

September 2014

2014 September

In the September issue of Security Magazine, find out who this year's most influential people are in the security industry are. Also, take a peek at the technology products that ASIS 2014 will be showcasing at the upcoming event. Read about the lessons learned from security at the World Cup, find out why tactical medical training is a must for your enterprise and how Atlanta increased security by sharing surveillance.
Table Of Contents Subscribe

Adopting New Technology

How long do you wait before adopting a new technology?
View Results Poll Archive

THE SECURITY STORE

comptiahighriseproductphoto
CompTIA Security+ Certification Study Guide
CompTIA's Security+ certification is a globally-recognized, vendor neutral exam that has helped over 60,000 IT professionals reach further and higher in their careers. The current Security+ exam (SY0-201) focuses more on being able to deal with security issues rather than just identifying them.
More Products

Clear Seas Research

Clear Seas ResearchWith access to over one million professionals and more than 60 industry-specific publications,Clear Seas Research offers relevant insights from those who know your industry best. Let us customize a market research solution that exceeds your marketing goals.

Vertical Sector Focus: Critical Infrastructures

criticalhomepagethumbFrom terrorism to vandalism, it’s preparedness, response, training and partnerships. Learn about some of the critical security issues facing this sector.

Visit the Critical Infrastructure page to read more.  

STAY CONNECTED

Facebook 40px 2-12-13 Twitter logo 40px 2-12-13  YouTube  LinkedIn logo 40px 2-12-13Google+