InfoSecurity India's First Magazine on Comprehensive IT Security
InfoSecurity June 2009
Interview PortWise

“Good security needs to be balanced by usability”

Very recently ‘InfoSecurity’ spoke to Tejas Lagad, Director, Product Management, BFSI, PortWise, to understand PortWise’s expertise in BFSI security solutions and the company’s capability to combat next-generation network security threats. He revealed today’s major network security challenges and explained PortWise’s strengths in preventing them.

Tejas Lagad, Director, Product Management, BFSI, PortWise

1. How serious and complex can the next generation network security threats be, in your opinion?

A good way to evaluate the next generation network security threats is to take a look at technology and business trends and project where they will end up in the next few years. As a culmination of several factors, malicious attackers are realizing that breaking through firewalls is a hard task, so instead of banging their heads against a wall they target the devices users use to access applications and data, such as PCs, laptops, PDAs, and BlackBerrys. By infecting a user’s device with a Trojan horse, often key-logging or screen-scraping programs, or viruses, malicious attackers have a direct connection through to the most sensitive applications and data.


Another challenge is authentication. When users were simply accessing information on a closed local area network (LAN), simple passwords were usually good enough to protect information. However, with the rise in identity theft crimes, the need for stronger levels of authentication becomes critical. Especially since there are password cracking programs available that can break any password in less than 10 seconds. A recent research reported that the average security breach costs an organization $6.3 million and passwords are the weakest link in the security armor, so protecting that link in real-time and identifying where these threats are originating is imperative to today's organizations.

2. Can a layered security approach be strong enough to combat next generation network threats?

Good security needs to be balanced by usability. There are several individual solutions available on the market today to help combat the threat of new innovative attack methods. However, there is no one solution that fits all and deploying all of these may be overkill. Here is where layered security helps.

Layered security to combat fraudsters can be compared to physical security measures seen at various airports. The more the risk, the more stringent the procedures are. A walk-through metal detector and X-ray scanning is enough for domestic travel but international travel is usually accompanied with an interview by airline-hired private security personnel and manual inspection of hand luggage.

Similarly, layered security can perform a risk-based assessment of the environmental factors before a user is granted access. For example, a user might have access to Outlook Web Access without any checks, but if the user tries to access the intranet a full device scan might be requested before a user can proceed.

An organization should be very careful while classifying devices and granting them to access sensitive data. The corporate laptop, because it is under the control of the organization might be approved for all entry, whereas the home PC is outside of the control of the organization and might only be approved for Outlook Web Access and not other enterprise applications, such as CRM, ERP, sales systems, order processing systems, and intranet applications. The internet kiosk, which is considered a high risk device because anyone can use it for any purpose, might be denied access to all enterprise resources.

3. The swift proliferation of network based wide variety of handheld devices and computing devices has posed new challenges and threats. How can an organization manage maximum security in such a scenario?

The swift proliferation of network based wide variety of handheld devices and computing devices is both a challenge and an opportunity. The challenge is to extend endpoint security assessments to every handheld device and computing device that a user employs to access information internally. Organisations should deploy solutions that ensure that every device can be tested for any vulnerability before a user can proceed. The opportunity is to convert the handheld device into a strong authentication device.

Traditionally, expensive hardware tokens have been used to provide the 2nd authentication factor. But hardware tokens are cumbersome to carry around, have a limited life-span, and are expensive to distribute. A software-based 2-factor authentication solution can use something that most people already possess, such as mobile phones, PDAs and BlackBerrys.

The software two-factor solution is very simple. Once a user has entered username and password (1-factor authentication), the user is sent a unique one time password via text message that is valid for 60 seconds by default. The user can then enter that password into the system to be granted access to applications and data. If the user does not have a signal on their device, they can install a small Java applet that automatically generates a unique one time password every 60 seconds (this is also known as a soft token). Because the one time password is time sensitive, it is virtually identity theft and hacker proof. And if the device used for 2-factor authentication becomes lost or stolen, the administrator can easily freeze or lock the account.

4. With the move towards open access network and all IP networks, security has become much more complex and tough to manage. What is your advice for organizations to drive maximum security?

Most organisations are thinking of opening up their IT systems for remote application access so that employees, partners and customers can take advantage of being connected 24 hours a day, 7 days a week, but are not sure where to start or what to believe. Ensuring secure access for mobile and fixed computing is a 6-step process, from the moment the user tries to connect to an application to the moment they log off. The six steps need to cover assessment of end user devices, authentication of identity, authorization of application access, secure encrypted access to applications, audit capability of user activities, and abolishment of traces left behind by the user.

5. What are your best solutions (maximum two) to address this issue?

PortWise offers a security solution that effectively addresses all of the issues mentioned above.

PortWise Identity and Access Manager: An integrated software suite developed to help organizations to make business applications available for remote users in a secure and convenient manner. The product suite includes a comprehensive security feature set, including:

Application delivery: PortWise utilizes clientless SSL VPN technology to provide application access to remote users, without having to install proprietary client software on the user’s device. PortWise utilizes web browser technology to access corporate data. Hence, PortWise supports every device or handset with a built-in web browser.

End-point Integrity: Before a user is allowed access, a device scan can be performed to guarantee the device complies with the corporate security requirements in terms of antivirus software, personal firewall configuration, and software upgrades.

Integrated Strong Authentication: The integrated authentication service in PortWise Identity and Access Manager provides a framework for multi-factor user authentication that allows deployment of secure and convenient strong user authentication throughout the whole organization. The authentication mechanisms available include software tokens, web-based tokens, out-of-band authentication through SMS text and email, OATH-compliant hardware tokens, PKI-compliant certificates, etc.

Single Sign-on: To create a secure and user-friendly access environment, PortWise includes Single Sign-On mechanisms to provide transparent login to back-end applications. The user signs in once to the PortWise Authentication Service, and subsequent authentication to back-end applications is then handled by the system, without any user interaction.

6. How do you predict the future network security threats scenario in India at least for the next two years?

India’s computer emergency response team (CERT) recorded a good 1,237 cyber security-related incidents back in 2007. According to Anti-Phishing Working Group (APWG), an international agency which tracks phishing incidents, India ranks third with about 9.39% of the total phishing incidents that were reported globally, in 2007.

In fact, Indian enterprises are at an advantage. They can learn from the technology mistakes made by their western counterparts, avoid expensive and complex solutions and straightaway dive into solutions that are proven, sturdy and inexpensive to deploy and maintain.

—By: Tejas Lagad, Director, Product Management, BFSI, PortWise.

