Eye on Security: More Devices, More Data Points, Fewer Security Holes: Advanced Security Integration

Innovative, multi-level authentication measures are critical. Companies that use inventive ways to incorporate current technology to safeguard their information will ultimately come out on top.

By John Carney

Nowadays, "security" has more than one meaning. There is physical security, as in physical access control, and there is logical security, which covers malware protection and the prevention of unauthorized network access. Every company needs to combine the two to protect its people and its intellectual property. One option is to layer multiple forms of authentication on top of each other in a way that does not require users to change their behavior.

There are multiple ways to achieve these goals and lower risk:

  • Close and continuous monitoring of the network, data, hardware, personnel, and so on
  • Tighter physical security policies within the building and tighter control of network access
  • Stronger authentication mechanisms, often built on complex technology
  • Physical network isolation and identity management

However, these measures can be costly to implement and maintain. In some cases they limit or even prevent employees from doing their jobs, which reduces productivity. Integrating security technology with the devices employees already carry every day, such as smartphones, can provide a higher level of security, save money, and maintain productivity, all without requiring employees to change how they work.

Risk Mitigation: A Multi-Piece Puzzle That Needs Solving

There are many ways to view risk mitigation, because many factors determine a threat level. Knowing how many people are in the building, who those people are, and where they are located when they access sensitive information makes for a better identification method and helps reduce risk. The more data points that are available when a decision is made, the more easily risk can be mitigated.

Location can be the first key factor in the risk-mitigation picture, and "location" can mean many things:

  • A campus several square miles in size
  • An office, classroom, or store
  • A doorway, in the case of physical access
  • A GPS coordinate

Whatever its size and scale, a location can be determined from multiple sources: GPS, building floor plans, wireless location-based services (for example, which access point a device is associated with), or a combination of these.

The more precisely a user's location can be determined, the simpler it is to safeguard information. A basic example is allowing an employee to access sensitive information only while on company premises. If no one is granted network access unless that person is on company property, the risk that an unauthorized user obtains sensitive information is lowered, because the pool of people who can even attempt access shrinks to those who are physically present. Location is a data point, not an identity, however: it still does not address the possibility that someone enters the facility and takes the information.

Some companies install locks and security cameras to make sure unwanted persons cannot enter the building after hours. These measures, however, are far less effective during the day. Without an identification system, anyone can enter the premises during work hours, so even though cameras may later show who stole or accessed sensitive information, by then it is already too late.

ID Cards for Multi-Factor Authentication

Identification is an easy task for humans, but automated identification of an individual, through methods such as voice or DNA recognition, can be costly. The more data points available to recognize the person, the lower the chance that the system gets it wrong. The challenge, then, is increasing the number of data points without significant cost or the need to re-engineer people's behavior.

Many organizations require employees to wear ID cards so that non-employees are easy to spot. Although an ID card is one way to reduce risk, relying solely on a card has several flaws. One common situation is an employee leaving the card at home. In most cases the employee will not return home to retrieve it. They may try to get around unnoticed or may pick up a temporary replacement, but either way the missing card does not affect their productivity. If the ID is a swipe card, they may simply wait and tailgate another employee, entering the building directly behind them.

Problems also arise with a one-way entry system. It solves the basic entrance problem but leaves security holes. Without the ability to track egress, there is no way of telling when an employee has left a location. A badge swipe at entry grants the employee network access, but the network never learns that the employee has left, so that employee's network ID remains authorized whether or not the employee is present. Readers on the exit side of the door (or anti-passback rules, which refuse a second entry swipe until an exit swipe has been seen) close part of this gap, but only if the data is fed back to the network.

A newer approach that lowers risk is the smart card, used as one factor in multi-factor network authentication alongside a user ID and a password or PIN. The credentials the card carries must be provisioned, backed up, and eventually revoked, and each copy of that data is more information that can be used against the company. More stored copies mean more data that can leak and more technology that must be deployed to store it safely.

Although ID cards and smart cards patch holes in a security system, a lost card opens a bigger one. Until the loss is reported and the card is revoked, whoever holds it has time to attempt to extract its contents and holds a key to the network and everything behind it. A PIN-protected card with a tamper-resistant chip narrows that window but does not remove the need for prompt revocation, which matters as much as the card itself.

A Higher Level of Integration with Existing Technology

As mobile devices mature, they absorb functions that once required separate hardware: camera, video recorder, GPS receiver, and music player all reside on a single smartphone. An employee may not return home for a forgotten ID, but most would return for a phone, and while few employees forget their IDs, even fewer forget their phones.

With tighter integration, the employee walks up to a door that opens only with an ID and swipes the card, telling the system that the employee has arrived. The employee's phone then joins the corporate wireless network, giving the system a second, independent signal on which to grant or deny the employee's network ID access. What was a single-factor mechanism (the badge alone) becomes a multi-factor one without any change to the user's daily routine. Behavior modification is usually the cost of stronger security; here there is none, which allows for optimum efficiency. For the phone to count as a factor, the network must identify it by something stronger than its MAC address, such as a device certificate presented over 802.1X; otherwise the "presence" signal is trivially spoofed.

How will the network know when to revoke an employee's access? The system can be integrated so that when employees or other authorized persons leave the location, their phones drop off the wireless network, signalling that they are no longer on site and that their network access should now be denied. Another data point has been added to the system. In practice a momentary wireless drop should be debounced for a short grace period, and ideally corroborated by an exit swipe, so that walking past a dead spot does not terminate a working session.
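As an added example (not code from the article or from Cisco), the following Python sketch implements the decision logic described in the preceding paragraphs: badge-in and badge-out events from door readers and join/leave events from the employee's phone on the site wireless network are folded into one per-user presence record, and a login request for the employee's network ID is allowed only when both signals agree. The event names, the site plan in ZONE_OF, and the event stream in SAMPLE_EVENTS are assumptions constructed for the illustration.

```python
"""
Presence-aware access decisions: combine badge (door reader) events and
phone (wireless) presence into one allow/deny decision for a network ID.
Added example, not from the article; event names and site data are assumed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Event kinds (assumed names, not from the article)
BADGE_IN, BADGE_OUT = "badge_in", "badge_out"          # door reader, entry and egress
PHONE_JOIN, PHONE_LEAVE = "phone_join", "phone_leave"  # phone joins / drops off site WLAN
LOGIN = "login"                                        # request to use the network ID

# Which site each door and wireless access point belongs to (constructed sample site plan)
ZONE_OF: Dict[str, str] = {
    "door-north": "HQ", "door-south": "HQ",
    "ap-lobby": "HQ", "ap-floor2": "HQ",
    "ap-annex": "Annex",
}


@dataclass
class Event:
    ts: int
    kind: str
    user: str
    where: str  # door id for badge events, access-point id for phone events, "" for login


@dataclass
class Presence:
    badged_in: bool = False
    phone_on_site: bool = False
    entry_door: Optional[str] = None
    phone_ap: Optional[str] = None


class PresencePolicy:
    """Tracks per-user presence and decides login requests from it."""

    def __init__(self, zone_of: Dict[str, str]):
        self.zone_of = zone_of
        self.state: Dict[str, Presence] = {}

    def handle(self, ev: Event) -> Optional[str]:
        """Update state for presence events; return a verdict for login events."""
        p = self.state.setdefault(ev.user, Presence())
        if ev.kind == BADGE_IN:
            p.badged_in, p.entry_door = True, ev.where
        elif ev.kind == BADGE_OUT:
            # Egress is tracked: leaving the building withdraws the badge factor.
            p.badged_in, p.entry_door = False, None
        elif ev.kind == PHONE_JOIN:
            p.phone_on_site, p.phone_ap = True, ev.where
        elif ev.kind == PHONE_LEAVE:
            # The phone dropping off the WLAN is the second "left the site" signal.
            p.phone_on_site, p.phone_ap = False, None
        elif ev.kind == LOGIN:
            return self.decide(p)
        else:
            raise ValueError(f"unknown event kind: {ev.kind!r}")
        return None

    def decide(self, p: Presence) -> str:
        if not p.badged_in and not p.phone_on_site:
            return "deny: not on site"
        if p.badged_in and not p.phone_on_site:
            # Badge present but no phone: forgotten phone, or someone else using the card.
            return "deny: badge without phone"
        if p.phone_on_site and not p.badged_in:
            # Phone present but no badge-in: tailgated through the door.
            return "deny: phone without badge"
        # Both factors present: the phone must be at the same site as the door that was badged.
        if self.zone_of.get(p.phone_ap) != self.zone_of.get(p.entry_door):
            return "deny: phone location does not match badge-in site"
        return "allow"


# Constructed event stream covering the cases discussed in the article.
SAMPLE_EVENTS: List[Event] = [
    Event(1, LOGIN, "alice", ""),                # not on site at all
    Event(2, BADGE_IN, "alice", "door-north"),
    Event(3, LOGIN, "alice", ""),                # badge only
    Event(4, PHONE_JOIN, "alice", "ap-lobby"),
    Event(5, LOGIN, "alice", ""),                # badge + phone, same site
    Event(6, PHONE_LEAVE, "alice", "ap-lobby"),
    Event(7, LOGIN, "alice", ""),                # phone dropped off: access withdrawn
    Event(8, PHONE_JOIN, "bob", "ap-floor2"),    # no badge swipe: tailgated
    Event(9, LOGIN, "bob", ""),
    Event(10, BADGE_IN, "carol", "door-south"),
    Event(11, PHONE_JOIN, "carol", "ap-annex"),  # phone seen at a different site
    Event(12, LOGIN, "carol", ""),
]


def run_sample(events: List[Event] = SAMPLE_EVENTS) -> List[str]:
    """Replay an event stream and return the verdict for each login request."""
    policy = PresencePolicy(ZONE_OF)
    return [v for v in (policy.handle(e) for e in events) if v is not None]


if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict)
```

The combined check also catches the cases raised earlier in the article: a badge without a phone (a lost or borrowed card), a phone without a badge (tailgating), and a phone that is on the network but not at the site where the badge says the employee entered. A real deployment would identify the phone by a device certificate rather than a MAC address and would debounce brief wireless drops before revoking access.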

Conclusion

A multi-level authentication system that will fit an organization can be created in many ways. Companies have location, identity, smart cards, alternative technology, and smartphones, all of which can be combined to enhance security without incurring large costs. Innovative security measures are key. Companies that use inventive ways to incorporate current technology to safeguard their information will ultimately come out on top.

John Carney is a senior manager at Cisco Government Practice, where he is responsible for technical marketing of government and security solutions and architectures on the Public Sector team. He joined Cisco in January 2007 and has served as the Industry Solution Architect for the health-care, financial services, and public sector verticals. With over 25 years' experience as a technical architect in service provider and large data center environments, John's strength lies in his ability to understand the business issues facing customers and how they relate to the components of a large computing environment, with an emphasis on security and secure deployments, including identity management, role-based access, and data security. You can contact the author at johncarn@cisco.com.