InfoSecurity India's First Magazine on Comprehensive IT Security
InfoSecurity Sep 2009
Cover Story
Identity and Authentication:
Securing Future Digital Access

Intelligent authentication forms the base of a strong identity solution, and a collaborative and innovative approach adds to its success. As technology shifts, innovation in the identity and authentication space is certain. This article explains the underlying benefits of a strong authentication and identity solution and describes the shift in technology taking place in this space.

August 2008! A sensational identity fraud case stirred the entire US Department of Justice. The data breach was believed to be the largest hacking and identity theft case ever prosecuted by the Department. Eleven people were charged in connection with the hacking of nine major retailers and the theft and sale of more than 41 million credit and debit card numbers. One of the hackers was a U.S. Secret Service informant. Three of those charged were U.S. citizens, while the others were from places such as Estonia, Ukraine, Belarus and China.

They used sophisticated computer hacking techniques to breach security systems and install programs that gathered enormous quantities of personal financial data, which they then allegedly either sold to others or used themselves.

Just one year later…

August 2009! Another sensational credit and debit card identity theft case once again stirred the whole world. It is believed to be the biggest known identity theft in American history. A Florida man was accused of stealing information on 130 million credit and debit cards from customers of 7-Eleven and other retail giants.

28-year-old Albert Gonzalez and two unnamed Russian co-conspirators hacked into the payment systems of numerous companies, including Heartland Payment Systems, Hannaford Brothers and the 7-Eleven chain. The group researched the credit and debit card systems used by their victims, attacked their networks and sent the data to computer servers they operated in California, Illinois, Latvia, the Netherlands and Ukraine.

These incidents clearly indicate the increasing pace of identity fraud. With the rise and spread of globalization, identity fraud has become one of the fastest growing crimes in the world. International e-criminals have exploited the rapid change in internet access, telecommunications and technology. At the same time, market deregulation has challenged the role of national boundaries and posed a problem for regulators.

Identity fraud is today witnessed almost everywhere in our lives. Hackers now exploit even social networking sites to gather sensitive data. The recent Facebook scam is probably one of the most recent examples of such activity, and the Twitter incident is another: internal Twitter documents, which were stored on Google Apps, were hacked.

Scammers keep an eagle eye on, and sniff around, every social networking site connecting people worldwide. A new type of attack introduced by scammers, known as the ‘viral wall post’, directly steals personal information and amounts to identity theft. Here the hackers’ role comes into the picture: they post or sponsor a message with a link to another site.

These links are loaded with malware, and when such a link is clicked, personal information or a social security number is handed to the hackers, who can then access and use all of the victim’s personal information: a textbook example of identity fraud.

Companies are concerned and challenged with how to best contain this increasing menace. A strong identity authentication system can help organizations avoid many of the pitfalls created by complex systems and complex transactions. A strong authentication system leverages strong validation practices of identities.

Trend

Based on the analysis of 67 million computers during 2008, PandaLabs (Panda Security’s malware analysis and detection laboratory) revealed that 1.1 percent of the worldwide population of Internet users have been actively exposed to identity theft malware. Extrapolating the results from Panda Security’s online malware scanning service, ActiveScan, PandaLabs found that more than 10 million users worldwide were infected with active identity theft-based malware last year.

According to the survey, 1.07 percent of all PCs scanned in 2008 were infected with active malware (resident in memory during the scan) related to identity theft, such as banker Trojans. 35 percent of the infected PCs had up-to-date antivirus software installed. The number of PCs infected with identity theft malware increased by 800 percent from the first half of 2008 to the second half.

According to another recent study published by an independent research firm, the mean cost per ID theft incident in the U.S. is $496.00, putting the total estimated risk of ID theft from malware in this country alone at approximately $1.5 billion. According to the Federal Trade Commission (FTC), the average time victims spend resolving identity theft issues is 30 hours per incident. The cumulative cost in hours alone from identity theft related malware based on Panda Security’s projected infection rate could reach 90 million hours.

The 2009 Identity Fraud Survey Report, released by Javelin Strategy & Research confirms that the number of identity fraud victims has increased 22 percent to 9.9 million adults in the United States, while the total annual fraud amount only increased slightly by seven percent to $48 billion over the past year. The report found detection and resolution efforts are working well—consumers and businesses are detecting and resolving fraud more quickly. As a result the mean consumer costs of identity fraud plummeted by 31 percent to $496 per incident in 2008. The study also found that women were 26 percent more likely to be victims of identity fraud than men this past year.

Identity fraudsters have already affected the credit ratings of around half a million people, and a further 440,000 are predicted to suffer over the next five years in the UK alone. That is according to research conducted by the Centre for Economics and Business Research for LV Home Insurance. Cases of the crime have increased by around a third each year during the past eight years, and the number of victims is expected to continue to rise due to the economic downturn, the group said. The research found identity theft costs the average victim £2,100 to correct.

The Association of British Insurers said fraud has soared to an estimated £1.9bn a year, costing the average household £44 annually in higher premiums. Insurers think around £5.2m of fraudulent claims go undetected every day, a 24% increase compared with two years ago. But firms are also detecting more fraud, with suspect claims worth £730m rejected last year, up almost a third from 2007.

Lost or stolen wallets, checkbooks and credit cards are still the most likely avenues for fraudsters to gain personal information—totaling 43 percent of incidents where the source was known. This is up significantly from 33 percent of the incidents in the previous year. In 2008, online access, such as using virus-afflicted computers at home or at work, accounted for only 11 percent of the total fraud. Combined with the increased speed of misuse, this trend points to more attacks of opportunity, when a fraudster takes advantage of personal information to which they suddenly have access, such as a lost wallet or watching someone enter their ATM PIN.

Understanding Underlying Benefits of Strong IAM

Concerns relating to external and internal security issues are rising across middle and top management, especially in financial services institutions, as recorded by Gartner across three consecutive annual surveys. These are often a result of poor user access management processes and a lack of identity governance within an enterprise.

IT staff within enterprises spend an inordinate amount of time managing user permissions and policies that can exist in hundreds of different places. Manual provisioning of new users can take anywhere from two days to a week. Removing user rights can take just as long and brings the additional risk of missing an application whose access should have been terminated when someone switches jobs or leaves an organization. An IAM solution provides complete IAM governance through full life-cycle management of a user: from on-boarding with correct role-based access permissions, through enforcing those access control policies and detecting and correcting any attempts to modify user permissions, to off-boarding, so that the risk incurred from providing user access can be mitigated.

Single-sign-on capability provided by an IAM solution can eliminate the need to remember multiple passwords to get access to all the entitled applications—there is no need for employees to jot down passwords since there is only one password to remember, thereby enhancing internal security significantly. With a tremendous increase in online ecommerce activity, 2008-09 recorded many incidents of online theft and various other frauds related to online transactions. These incidents have aroused the need for strong authentication. Reserve Bank of India issued a guideline whereby Indian banks are required to implement stronger authentication mechanism for online transactions exceeding a certain monetary value.

Manjeri Dharmarajan, Brand Leader, Tivoli, IBM India Software Lab

According to Manjeri Dharmarajan, Brand Leader, Tivoli, IBM India Software Lab, an IAM system can help banks comply with the required guideline by implementing a two-factor authentication solution. He also believes that through an IAM solution an enterprise can establish proper controls so that it can adequately protect and manage its information assets, preserving the enterprise’s intellectual property and external reputation and reducing risks to the business.

In the past, authentication solutions existed separately from other security management tools in enterprises. The IT security industry has done good work in consolidating enterprise identities into a single identity infrastructure using identity management products. A single consolidated store for all identities in an enterprise brings down the cost of management, eliminates redundancy and offers quicker provisioning.

Rajeev Shukla, VP, Software Engineering at CA’s India Technology Center

Further integration of authentication solutions and IAM will ensure that the end-to-end impact of consolidated identity stores is even higher. A single authentication solution integrated with a consolidated identity store ensures robustness and uniformity in an enterprise. Rajeev Shukla, VP, Software Engineering at CA’s India Technology Center, firmly believes that once an authentication solution is implemented along with IAM, any changes to authentication methods needed to deal with constantly changing security challenges can be accommodated easily.

Tejas Lagad, Director, Product Management, BFSI, PortWise, says, “Identity and access management (IAM) is essentially a business solution—and a multi-faceted one.” Each function within an organization derives its own benefits. Let’s take the example of a financial institution that chooses to deploy an IAM solution. The CEO benefits from IAM because it enhances customer trust and loyalty by providing a secure online experience. The Risk Manager uses IAM to reduce fraud, and the associated costs incurred through recovery and administration.

Tejas Lagad, Director, Product Management, BFSI, PortWise

Marketing likes it because it protects and strengthens the organization’s brand by minimizing the risk of identity fraud. The sales division benefits by capturing valuable customer data and attracting new customers with a convenient, secure and easy-to-use solution. And finally, the Compliance Officer uses it to demonstrate continued and sustained compliance with regulations. The CIO, of course, has to wear all these hats.

Organizations are increasingly coming under attack from hacking, phishing, key logging and social engineering and must mitigate this risk by ensuring greater data integrity and enhanced visibility of threats to that data. “Organizations of all sizes will benefit significantly from the greater network access security offered by two-factor authentication (2FA) solutions as they come under greater commercial, regulatory and social pressure to provide more flexible working patterns for their staff,” says Mohit Malkani, Executive Director, TelExcell Information Systems (exclusive distributor of the CRYPTOCard range of products in India).

Mohit Malkani, Executive Director, TelExcell Information Systems

It is imperative for an organization implementing identity and access management infrastructure to consider strong authentication solutions. Implementing an identity and access management solution without a strong authentication solution could be compared to building a strong fort with state of the art security and locking the front door with a fragile lock.

The need of the hour is to meet the security and compliance requirements of the organization without reducing business agility. Let us consider a simple scenario. One of the benefits of implementing an identity and access management solution is enterprise-wide single sign-on. This increases business agility by improving user productivity and experience. If the initial authentication, e.g. network authentication into the enterprise, is not strong enough, the single sign-on capability means the entire access control policy for critical applications could be compromised, leading to security breaches. Looking at this from a different perspective, the fear of security being compromised by implementing enterprise single sign-on can be mitigated by implementing strong authentication solutions along with identity and access management solutions.

Boby Jacob, Manager, Services, Novell India

Supporting the above mentioned statements, Boby Jacob, Manager, Services, Novell India, says that strong authentication solutions tied to a unique identity of a user can also remove ambiguity and ensure non-repudiation from an audit and compliance perspective. This also leads to better enforcement of security policies across the organization.

Generating Higher Revenue

Federated identity management capability enables enterprises to securely exchange user identities between disparate internal business units and with partner sites. For example: an airline company can tie up with a car rental company using a federated identity management solution such that a traveler could identify himself/herself once as a customer for booking the flight and this identity can be carried over to be used for the car rental booking. Thus, enterprises can seize new market opportunities and reach new target audiences, generating avenues for business growth.

For online businesses, the web access single sign-on capabilities offered by an IAM solution accelerate response time for end users (employees, customers and partners) to its web applications. Customer satisfaction yields a more loyal customer base and repeat business. Similarly, with strong authentication, you can tap a badge and be identified rather than type your name and password. You can also tap your badge to log out or lock the screen. For example, technicians sharing a kiosk on a factory floor or in a warehouse can quickly log in, log out and share sessions by simply tapping their badges instead of the usual long drawn-out keyboard login/logout process. Faster productivity on the factory floor translates to more revenue.

Enterprises seeking to save on IT costs inevitably, and rightly, look at alternative ways to use IT. These may include enabling more-flexible working hours, allowing employees to work from home, transitioning IT employees to different duties and using temporary staff more extensively. These alternatives need to be undertaken without incurring additional operating costs and access across networks, applications and services must remain seamless and must be provided quickly if real-world savings are to be realized. An IAM solution can enable such alternatives by mediating remote/partner-based access and governance over the user identity life cycle. Manjeri Dharmarajan believes that such approaches not only optimize IT costs but also lead to revenue generation through a more satisfied and productive employee base.

Provisioning new users in different business applications is a costly and error-prone activity in all enterprises. It takes a lot of time and effort to ensure that a new employee (or an existing one) has access to the business applications needed to perform their job. Identity and authentication solutions make it simpler and quicker to provision a new user in the system (for different business applications) with a lower risk of mistakes. As the time to provision users comes down, time to productivity also comes down, leading to overall gains for the organization. In times when we need to extract every possible bit of value in an organization, a lower time to productivity is very desirable.

Today compliance with regulations is critical. Lack of compliance can be a threat to business efficiency (and sometimes existence). The majority of this compliance relates to access to information and separation of duties. As hundreds of users have access to multiple applications in an enterprise, it is very difficult to track and maintain compliance. A consolidated place for identities makes it simpler to track and maintain compliance. Reduced risk on the compliance front will lead to revenue assurance.

A lot of revenue leakage in organizations happens because users carry incorrect access to information (and sometimes to transactions). Such access can be fatal and can lead to revenue leakages that are difficult to find and cap. Rajeev Shukla feels that a strong authentication solution integrated with identity and access management can help organizations keep access watertight. This will avoid any potential leakage of revenue.

Amuleek Bijral, Country Manager, India & SAARC, RSA

According to Amuleek Bijral, Country Manager, India & SAARC, RSA, The Security Division of EMC, adaptive authentication involves actively introducing additional identifiers with the simple addition of a cookie and/or a Flash shared object (also referred to as a “Flash cookie”), which can then serve as a more unique identifier of a user’s device. It provides strong and convenient protection by monitoring and authenticating user activities based on risk levels, institutional policies and user segmentation. Organizations can provide strong authentication that is cost-effective, without the need to deploy physical devices and by enabling users to self-enroll. Leveraging the SaaS (Software-as-a-Service) deployment model further reduces maintenance and overhead.
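As an added illustration of the risk-based, device-bound approach described above (example code written for this article, not RSA's product or any code from the page): the server binds a device to an account with a signed cookie, refuses outright to trust a cookie whose tag does not verify, and decides per request whether the password alone is enough or a second factor has to be requested. The key, lifetimes, thresholds and the in-memory registry of known devices are constructed for the example; a plain cookie stands in for the device identifier, and the Flash shared object mentioned above has no counterpart here.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"time"
)

// A device token is the value kept in the long-lived device cookie: 16 random
// bytes identifying the device, an 8-byte expiry, and an HMAC-SHA256 tag over
// both. Layout and lifetimes are constructed for this example.
const (
	idLen   = 16
	bodyLen = idLen + 8
)

var (
	ErrForged  = errors.New("device token malformed or tag mismatch")
	ErrExpired = errors.New("device token expired")
)

// IssueDeviceToken mints a cookie value for a device the user has just proven
// control of (for instance after a successful one-time-password step-up).
func IssueDeviceToken(key []byte, now time.Time, ttl time.Duration) (string, error) {
	body := make([]byte, bodyLen)
	if _, err := rand.Read(body[:idLen]); err != nil {
		return "", err
	}
	binary.BigEndian.PutUint64(body[idLen:], uint64(now.Add(ttl).Unix()))
	return base64.RawURLEncoding.EncodeToString(append(body, tag(key, body)...)), nil
}

func tag(key, body []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(body)
	return mac.Sum(nil)
}

// VerifyDeviceToken checks the tag before trusting anything else in the token,
// then the expiry, and returns the device identifier.
func VerifyDeviceToken(key []byte, token string, now time.Time) ([]byte, error) {
	raw, err := base64.RawURLEncoding.DecodeString(token)
	if err != nil || len(raw) != bodyLen+sha256.Size {
		return nil, ErrForged
	}
	body := raw[:bodyLen]
	if !hmac.Equal(raw[bodyLen:], tag(key, body)) { // constant-time comparison
		return nil, ErrForged
	}
	expiry := time.Unix(int64(binary.BigEndian.Uint64(body[idLen:])), 0)
	if !now.Before(expiry) {
		return nil, ErrExpired
	}
	return body[:idLen], nil
}

// Decision is the outcome of the risk evaluation for one login or transaction.
type Decision string

const (
	Allow  Decision = "allow"   // password alone is sufficient
	StepUp Decision = "step-up" // also require a one-time password or similar
	Deny   Decision = "deny"
)

// RiskPolicy holds the (constructed) thresholds and the lookup of devices that
// were previously bound to this account.
type RiskPolicy struct {
	HighValue   int64 // amounts at or above this always step up
	KnownDevice func(id []byte) bool
}

// Evaluate applies the adaptive rules: a tampered cookie is denied outright, a
// recognised device doing a low-value action passes on the password alone, and
// everything else (new device, expired binding, high value) is stepped up.
func Evaluate(p RiskPolicy, key []byte, cookie string, amount int64, now time.Time) Decision {
	id, err := VerifyDeviceToken(key, cookie, now)
	switch {
	case cookie != "" && errors.Is(err, ErrForged):
		return Deny
	case amount >= p.HighValue:
		return StepUp
	case err == nil && p.KnownDevice(id):
		return Allow
	default:
		return StepUp
	}
}
```

In use, the server calls IssueDeviceToken once a second factor has succeeded, stores the returned identifier against the account, and sets the string as a cookie; every later request goes through Evaluate with the cookie value and the amount at stake. The tag is checked before the expiry on purpose: an attacker who can only edit the cookie cannot extend its life, and a cookie that fails the tag is evidence of tampering rather than of an ordinary new device.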

Identity and authentication solutions enable a company to deploy an effective access governance system able to handle today’s threats to a company’s revenue. This effective governance releases the IT staff from focusing on daily user access, allowing organizations to shift IT resources onto more strategic, revenue-generating opportunities.

Tejas Lagad reaffirms that globally, identity and authentication solutions are serving as new revenue streams. Governments, banks, credit bureaus, ISPs and universities are exploring the “identity provider for hire” market—that is, getting paid for identity proofing and authentication. Credit bureaus, for example, know a lot about users as a result of their data collection. They are thus in an excellent position to authenticate users in the online world.

For end-users, the impact on revenues comes from improved business continuity. Remote access in a disaster situation—for example when much of central London was closed off immediately after the July 2005 bombings—means that people can continue working securely from a remote location and consequent loss to business revenues is minimized. Continuity of service to customers removes the risk of them switching provider as a result of a break in supply.

In line with the statement above, Mohit Malkani points out that this is also an important USP: at a time when concerns over external security threats to businesses and confidential customer data are greater than ever, with high-profile breaches constantly grabbing the media headlines, avoiding the negative publicity resulting from a data breach is increasingly valuable. For channel partners, authentication solutions offer an additional revenue stream which can be bundled with other services.

Criticality of Mutual Authentication

Today businesses operate on the principle of reaching out to customers. Services and products are provided on demand and anywhere, and businesses are deploying complex systems to facilitate this. A transaction that was earlier performed by a limited number of individuals within the enterprise is now accessible to front-line staff and sometimes directly to customers. When such a myriad of people access systems and transactions, it leads to more and more threats such as money laundering and financial crimes.

A strong identity authentication system can help organizations avoid many of the pitfalls created by complex systems and complex transactions. A strong authentication system leverages strong validation practices for identities. It is based on taking information from identities that cannot be compromised or faked. Biometric authentication is one example: fingerprints, iris recognition and the like are examples of identity information that is impossible to duplicate. Using these can help avoid incorrect or compromised authentication.

Experts believe that mutual authentication before sharing identity information will not only protect against identity theft but also establish a trusted connection. Mutual authentication is a process by which a user (via a browser) and a website (via a web server) authenticate to each other before any user interaction happens. Most web applications are designed such that they do not require client-side authentication, which creates an opening for a man-in-the-middle attack on online businesses. Website-to-user authentication prevents attackers from successfully taking over a web site to steal users' account credentials, and user-to-website authentication prevents attackers from successfully impersonating a user in order to perpetrate fraud. The end result of this process is a trusted connection between the mutually authenticated client and server, over which secure communication can be carried. IBM today provides mutual authentication capability as part of its Tivoli Access Manager offering through the use of SSL digital certificates.
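The certificate-based mutual authentication described in this paragraph, as an added example written for this article (not IBM's or Tivoli Access Manager's code): the server completes the TLS handshake only when the client presents a certificate chaining to a CA the server trusts, while the client verifies the server in the usual one-way fashion. The whole PKI (CA, server and client certificates, and every name such as server.example.test or alice) is generated in memory and is constructed for the example; the server listens on a loopback port. The code uses only Go's standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newCert issues a short-lived certificate for name: a self-signed CA when parent is nil,
// otherwise an end-entity certificate signed by parent. The whole in-memory PKI is constructed.
func newCert(name string, parent *tls.Certificate) (tls.Certificate, error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	parentCert, signer := tmpl, any(key) // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		parentCert, signer = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// startServer listens on loopback and requires every client to present a certificate chaining
// to clientCA (the server-side half of mutual authentication); each authenticated client is
// greeted with the CN of its certificate. Connections are served one at a time for brevity.
func startServer(serverCert tls.Certificate, clientCA *x509.Certificate) (net.Listener, error) {
	pool := x509.NewCertPool()
	pool.AddCert(clientCA)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    pool,
		MinVersion:   tls.VersionTLS12,
	})
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			conn, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			tc := conn.(*tls.Conn)
			// A missing or untrusted client certificate fails here; the handshake sends the alert.
			if tc.Handshake() == nil {
				fmt.Fprintf(tc, "hello %s\n", tc.ConnectionState().PeerCertificates[0].Subject.CommonName)
			}
			tc.Close()
		}
	}()
	return ln, nil
}

// connect is the client half: it verifies the server against serverCA (the usual one-way
// check), presents clientCert when given, and returns the server's greeting.
func connect(addr string, serverCA *x509.Certificate, clientCert *tls.Certificate) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(serverCA)
	cfg := &tls.Config{RootCAs: pool, ServerName: "server.example.test", MinVersion: tls.VersionTLS12}
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{*clientCert}
	}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	// Under TLS 1.3 the client finishes its handshake before the server has judged the
	// client certificate, so a rejection surfaces as an alert error on this first read.
	buf := make([]byte, 64)
	n, err := conn.Read(buf)
	return string(buf[:n]), err
}
```

With a CA from newCert("trusted-ca", nil), a server certificate and a client certificate issued under it, connect returns "hello alice\n" for the client holding alice's certificate; a client that presents no certificate, or one issued by a different CA, is refused by the server, and a client configured to trust the wrong CA refuses the server. The comment on the first read matters in practice: a client that treats a completed tls.Dial as proof that its certificate was accepted will misread a TLS 1.3 rejection.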

According to Rajeev Shukla, a robust mutual authentication of two domains can provide an additional layer of security, which goes beyond identity based authentication. In supplier and consumer relationships, mutual authentication can provide that extra layer of security.

Secure Internet identities, based on two-factor authentication, provide a way for businesses to ensure that users are who they say they are, as well as a way for consumers to be assured that no one else can access their accounts. In response to growing demand, RSA Security has unveiled a suite of services and solutions designed to help businesses implement efficient and effective approaches to consumer identity.

Mutual authentication goes a step beyond conventional authentication by authenticating the website to the user. This is a good defense against most traditional attacks, including phishing. OATH (the Initiative for Open Authentication), an industry-wide collaboration to drive adoption of strong authentication standards, has also released a draft specification for the OATH Challenge-Response Algorithm (OCRA). The key benefit of choosing solutions that comply with the OATH reference architecture is that organizations can ‘future-proof’ their two-factor authentication offering and avoid becoming locked into one vendor’s authentication credentials. However, mutual authentication alone is not enough to counter some recent attack vectors, including some variants of Man-in-the-Middle (MitM) attacks such as the Man-in-the-Browser (MitB) attack. A good defense against MitM and MitB attacks is transaction signing tokens.
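A worked instance of the OATH challenge-response algorithm mentioned above, added here as an example (not OATH's reference code or any vendor's): the user's token computes a response to the server's challenge with a shared key, and the server recomputes and compares it. The suite OCRA-1:HOTP-SHA1-6:QN08 and the 20-byte key 12345678901234567890 are the test values published in RFC 6287, so the responses can be checked against that document; restricting the implementation to challenge-only suites (no counter, PIN, session or timestamp inputs) is this example's simplification. Transaction signing with OCRA uses the same construction with the transaction details as an alphanumeric challenge, which is what ties the code the user types to the transaction the bank actually executes.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/sha512"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"hash"
	"math/big"
	"strconv"
	"strings"
)

// suite is the subset of an RFC 6287 suite string handled here, "OCRA-1:HOTP-<SHA1|SHA256|
// SHA512>-<digits>:Q<N|A><maxlen>": a challenge only, no counter, PIN, session or timestamp.
type suite struct {
	newHash func() hash.Hash
	digits  int
	qFormat byte // 'N' numeric or 'A' alphanumeric challenge
}

func parseSuite(s string) (suite, error) {
	var out suite
	parts := strings.Split(s, ":")
	if len(parts) != 3 || parts[0] != "OCRA-1" {
		return out, fmt.Errorf("unsupported suite %q", s)
	}
	cf := strings.Split(parts[1], "-") // e.g. HOTP-SHA1-6
	hashes := map[string]func() hash.Hash{"SHA1": sha1.New, "SHA256": sha256.New, "SHA512": sha512.New}
	if len(cf) != 3 || cf[0] != "HOTP" || hashes[cf[1]] == nil {
		return out, fmt.Errorf("unsupported crypto function %q", parts[1])
	}
	out.newHash = hashes[cf[1]]
	if out.digits, _ = strconv.Atoi(cf[2]); out.digits < 4 || out.digits > 10 {
		return out, fmt.Errorf("unsupported digit count %q", cf[2])
	}
	q := parts[2] // e.g. QN08
	if len(q) != 4 || q[0] != 'Q' || (q[1] != 'N' && q[1] != 'A') {
		return out, fmt.Errorf("unsupported data input %q", q)
	}
	out.qFormat = q[1]
	return out, nil
}

// encodeQuestion renders the challenge as RFC 6287 specifies: a numeric challenge as the
// hex digits of its value, an alphanumeric one as the hex of its bytes, padded to 128 bytes.
func encodeQuestion(q string, format byte) ([]byte, error) {
	var qHex string
	if format == 'N' {
		n, ok := new(big.Int).SetString(q, 10)
		if !ok || n.Sign() < 0 {
			return nil, fmt.Errorf("challenge %q is not numeric", q)
		}
		qHex = n.Text(16)
	} else {
		qHex = hex.EncodeToString([]byte(q))
	}
	if len(qHex) > 256 {
		return nil, fmt.Errorf("challenge too long")
	}
	return hex.DecodeString(qHex + strings.Repeat("0", 256-len(qHex)))
}

// Compute returns the OCRA response to question under suiteStr (the token side).
func Compute(suiteStr string, key []byte, question string) (string, error) {
	s, err := parseSuite(suiteStr)
	if err != nil {
		return "", err
	}
	q, err := encodeQuestion(question, s.qFormat)
	if err != nil {
		return "", err
	}
	// DataInput = SuiteString || 0x00 || Q; HMAC it, then truncate HOTP-style (RFC 4226 5.3).
	mac := hmac.New(s.newHash, key)
	mac.Write([]byte(suiteStr))
	mac.Write([]byte{0x00})
	mac.Write(q)
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	bin := uint64(h[off]&0x7f)<<24 | uint64(h[off+1])<<16 | uint64(h[off+2])<<8 | uint64(h[off+3])
	mod := uint64(1)
	for i := 0; i < s.digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", s.digits, bin%mod), nil
}

// Verify is the server-side check: recompute the expected response and compare in constant time.
func Verify(suiteStr string, key []byte, question, response string) bool {
	want, err := Compute(suiteStr, key, question)
	return err == nil && subtle.ConstantTimeCompare([]byte(want), []byte(response)) == 1
}
```

The exchange is: the server draws a fresh eight-digit challenge from crypto/rand and shows it to the user, the user keys it into the token, the token displays Compute(suite, key, challenge), and the server accepts the login when Verify returns true for that same challenge. Because the challenge is unpredictable and used once, a response captured by phishing is worthless a moment later, which is the property that plain OTP lists lack.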


Technology Shift

So far the focus of authentication has been on the strength of authentication. A lot of innovative ways of authenticating have been developed and adopted over the last decade. When we deploy these authentication technologies in an enterprise on a given infrastructure, we get a decent amount of security. Today’s authentication technologies are strong enough to avoid authentication-related mistakes and issues. If a strong combination of authentication techniques is adopted, the system will be secure from the access point of view.

Today the challenge is different. The challenge relates to the access patterns of users and consumers. A user needs to access and use information or conduct transactions across multiple security domains. More often than not, these security domains are not even correlated with each other. So a strong authentication performed in one domain has no validity (or lower validity) in another. The user may have to authenticate again with a different security domain to access the information there. This leads to two issues. The first is duplication of authentication effort. The second is security compromise. A user who has been authenticated in his primary domain in a secure and robust way should be able to access information in a different domain on the basis of that primary authentication. Requiring a second authentication may be risky, because the second mechanism may not be as strong as the first.

New paradigms are emerging to solve this problem. Federation of identity and authentication is one emerging solution. A lot of products and solutions have started using federation as a means of exchanging and distributing identity and authentication. Federation today is dependent on specific products and the approaches they adopt. As standards evolve for exchanging and federating identity and authentication state information, it will become a more effective solution. Security Assertion Markup Language (SAML) is one such standard. Sharing authentication and authorization information will become simpler as more and more products and solutions adopt it. Duplication and security compromises can be avoided if standards such as SAML are developed and adopted widely across the industry.

Trusted identity assurance using identity verification and proofing is an area of growing interest within the identity and authentication space. In online scenarios, the challenge is determining the actual identity of each user at registration, since face-to-face identity proofing is not practical. The ability to establish a trusted identity relies on implementing a cost-effective identity proofing and verification mechanism. The type of identity assurance an organization requires is determined by its risk threshold, business requirements and enterprise IT security constraints.
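How a relying party consumes a federated SAML assertion, as an added example tied to the airline and car rental scenario from earlier in the article (not code from any product named here): before honouring the login, the car rental site checks who issued the assertion, that it was issued for this site and not some other one, that it is within its validity window, and that the AuthnContext class (how the airline originally authenticated the traveller) meets the car rental site's own minimum strength. That last check addresses the concern raised just above, that a strong authentication in one domain may be relied on by another domain whose requirements differ. The issuer, audience, subject, timestamps and the strength ranking are constructed for the example; the sample assertion is unsigned and the code assumes XML signature verification has already been done, which a real deployment must do before any of these checks mean anything.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"time"
)

// Assertion is the minimal view of a SAML 2.0 assertion that a relying party
// inspects before trusting a federated login. Element and attribute names are
// the standard ones; everything else in this file is constructed for the example.
type Assertion struct {
	XMLName xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:assertion Assertion"`
	Issuer  string   `xml:"Issuer"`
	Subject struct {
		NameID string `xml:"NameID"`
	} `xml:"Subject"`
	Conditions struct {
		NotBefore    string   `xml:"NotBefore,attr"`
		NotOnOrAfter string   `xml:"NotOnOrAfter,attr"`
		Audiences    []string `xml:"AudienceRestriction>Audience"`
	} `xml:"Conditions"`
	AuthnContextClassRef string `xml:"AuthnStatement>AuthnContext>AuthnContextClassRef"`
}

// strengthRank orders the standard AuthnContext classes by the assurance this
// relying party assigns them; the ranking is a policy choice made for the example.
var strengthRank = map[string]int{
	"urn:oasis:names:tc:SAML:2.0:ac:classes:Password":                   1,
	"urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport": 2,
	"urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken":              3,
	"urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI":               4,
}

// Policy is what the relying party (here the car rental site) demands.
type Policy struct {
	TrustedIssuer string        // the airline's identity provider
	Audience      string        // this service provider's own entity ID
	MinStrength   int           // weakest original authentication accepted
	ClockSkew     time.Duration // tolerance for clock drift between the parties
}

// Accept decides whether a federated login may be honoured and returns the subject.
// It assumes the assertion's XML signature has already been verified.
func Accept(raw []byte, p Policy, now time.Time) (string, error) {
	var a Assertion
	if err := xml.Unmarshal(raw, &a); err != nil {
		return "", fmt.Errorf("malformed assertion: %w", err)
	}
	if a.Issuer != p.TrustedIssuer {
		return "", fmt.Errorf("untrusted issuer %q", a.Issuer)
	}
	nb, err1 := time.Parse(time.RFC3339, a.Conditions.NotBefore)
	na, err2 := time.Parse(time.RFC3339, a.Conditions.NotOnOrAfter)
	if err1 != nil || err2 != nil {
		return "", fmt.Errorf("assertion lacks a usable validity window")
	}
	if now.Add(p.ClockSkew).Before(nb) || !now.Add(-p.ClockSkew).Before(na) {
		return "", fmt.Errorf("assertion not valid at %s", now.Format(time.RFC3339))
	}
	forUs := false
	for _, aud := range a.Conditions.Audiences {
		forUs = forUs || aud == p.Audience
	}
	if !forUs {
		return "", fmt.Errorf("assertion was issued for another audience")
	}
	if strengthRank[a.AuthnContextClassRef] < p.MinStrength {
		return "", fmt.Errorf("original authentication %q is weaker than this service requires", a.AuthnContextClassRef)
	}
	if a.Subject.NameID == "" {
		return "", fmt.Errorf("assertion names no subject")
	}
	return a.Subject.NameID, nil
}

// SampleAssertion builds a constructed, unsigned assertion in which the airline's
// IdP vouches for a traveller to the given audience with the given AuthnContext.
func SampleAssertion(classRef, audience string) []byte {
	return []byte(fmt.Sprintf(`<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2009-09-01T10:00:00Z">
  <saml:Issuer>https://idp.airline.example.test</saml:Issuer>
  <saml:Subject><saml:NameID>traveller-42</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2009-09-01T10:00:00Z" NotOnOrAfter="2009-09-01T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>%s</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2009-09-01T09:59:40Z">
    <saml:AuthnContext><saml:AuthnContextClassRef>%s</saml:AuthnContextClassRef></saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>`, audience, classRef))
}

func main() {
	p := Policy{TrustedIssuer: "https://idp.airline.example.test", Audience: "https://sp.carrental.example.test", MinStrength: 3, ClockSkew: 30 * time.Second}
	now := time.Date(2009, 9, 1, 10, 2, 0, 0, time.UTC)
	fmt.Println(Accept(SampleAssertion("urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken", p.Audience), p, now)) // traveller-42 <nil>
	fmt.Println(Accept(SampleAssertion("urn:oasis:names:tc:SAML:2.0:ac:classes:Password", p.Audience), p, now))      // "" and a weaker-than-required error
}
```

The audience check is the one most often skipped in home-grown consumers: without it, an assertion the airline issued for a different partner site can be replayed to the car rental site within its five-minute window. The five-minute window and thirty-second skew here are illustrative; the values a deployment chooses should reflect how well the two parties' clocks are synchronised.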

A few experts believe that two-factor authentication (2FA) is a very robust technology that has by no means reached its peak potential and has at least another 5-8 years of growth potential, as businesses of all sizes recognize its value in providing superior network protection in times of increasing threats. They believe that the next key development will be in the area of soft and SMS tokens. Companies like TelExcell believe that this is the way forward: removing the physical device and integrating soft 2FA into the end-point device, e.g. a laptop or BlackBerry. These 2FA formats are seeing an explosion in popularity and will eventually replace hard tokens altogether.

Most security-conscious organizations and even governments are implementing or investigating new authentication technologies. Many are demanding multi-factor authentication—where a password combined with something else, a token such as a smart card or USB device, is required for access to a network or PC. For portability and ease-of-use concerns, enterprises are also evaluating biometrics, the science of measuring and statistically analyzing a person’s biological data as a means for user authentication.

The European Union’s recent launch of separate passports for children in the Schengen borderless states, besides the requirement of two fingerprints of persons above 12 years, marks a major change in the incorporation of biometric data to protect personal identities world over. The latest drive to harmonize the rules on the deployment of biometric features in the bloc would further facilitate visa-free travel to the United States for citizens from EU countries that are currently part of such an arrangement. Second generation biometric passports contain a microchip wherein personal data are embedded, allowing remote access and a cryptographic means to prevent unauthorized use. Since 2006, digital facial images (given their greater social acceptability) are embedded in the microchip on passports and travel documents of the EU with a validity of over 12 months. In addition, the European Parliament recently gave an overwhelming endorsement to the controversial proposal to include two fingerprints, besides iris scans, as a backup to fine-tune data validity.

The introduction of separate passports for children is expected to strengthen the global combat against child trafficking. Further, the requirement to include the names of parents in the documents of minors and to obtain authorization when the latter are accompanied by a third party are intended to afford additional protection. Parliament has however decided to exempt persons below 12 years from the requirement to give fingerprints considering that they would continue to vary until adolescence. Attempts to strengthen cross-border security have come under intense scrutiny from civil liberties groups that question the authenticity of biometric information for personal identification, as well as potentially adverse implications for individual privacy.

Future

IAM has to move from just technology plumbing to become fused into organization business processes. Enterprises will start to deploy layered security controls and automated compliance controls around people and business processes to secure applications. IAM needs to deliver more enterprise value as IAM controls become fused into applications, data and IT infrastructure for addressing problems like Segregation of Duties. In this new digital world, services and agile infrastructures are identity enabled. They are redesigned to understand, accept and validate digital identities using cooperating, interoperable and federated identity providers. Identities must be customizable so that the principal can decide to share only a limited set of attributes and roles with some service providers—up to and including complete anonymity. Granted, some services don’t allow anonymous or limited-identity access, but both parties will be fully aware of the authentication criteria required to communicate and collaborate. Using these identities, the control over what can be shared is handled as a policy-based service contract with an identity provider, or with tools that allow for identity processing and customization.

A lot more innovation will need to happen around identity and authentication as new models of software and computing evolve and are adopted. SaaS- and MSP-type application infrastructures present an altogether new challenge to identity and authentication. Established norms of identities and their definitions will change. The meaning of authentication in a domain will also change.

—By: ‘InfoSecurity’ Bureau.



© 2006-07 'InfoSecurity' magazine. All rights reserved.