Part 3 Business Continuity and implementation

Business Continuity and Availability – Authenticators and Authentication

Authenticators

One challenge is that with loss or failure of the primary authenticator, users would be unable to conduct any on-line commerce. The ideal way to solve this potential problem would be to issue a primary and a secondary authentication device. A useful analogy is having a spare set of keys in the event of misplacement, loss or misadventure. This may take the form of an HOTP-enabled photo ID or a second mobile phone.
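As an added illustration (not code from the article), the snippet below shows what the primary-plus-backup arrangement looks like on the server side for RFC 4226 HOTP tokens: each enrolled device has its own secret and counter, so a lost primary can be revoked without touching the backup, and a short look-ahead window tolerates a few unused presses on the token. The primary secret is the RFC 4226 test secret; the backup secret and user name are constructed for the example.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % (10 ** digits)).zfill(digits)


class Enrolment:
    """Server-side record for one user holding several independent HOTP tokens."""

    def __init__(self, tokens: dict[str, bytes]):
        # Every token keeps its own secret and its own moving counter.
        self.tokens = {name: {"secret": s, "counter": 0} for name, s in tokens.items()}

    def verify(self, name: str, code: str, look_ahead: int = 10) -> bool:
        tok = self.tokens.get(name)
        if tok is None:  # revoked or never enrolled
            return False
        # Accept a code from the next `look_ahead` counter values, then
        # advance past it so the same code can never be replayed.
        for c in range(tok["counter"], tok["counter"] + look_ahead):
            if hmac.compare_digest(hotp(tok["secret"], c), code):
                tok["counter"] = c + 1
                return True
        return False

    def revoke(self, name: str) -> None:
        """Drop a lost or compromised token; other tokens remain valid."""
        self.tokens.pop(name, None)


# Constructed sample enrolment: primary uses the RFC 4226 test secret.
RFC4226_SECRET = b"12345678901234567890"
BACKUP_SECRET = b"constructed-backup-token-secret"
user = Enrolment({"primary": RFC4226_SECRET, "backup": BACKUP_SECRET})
```

Revoking "primary" after a loss leaves "backup" usable because the two tokens never shared a secret or a counter.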

Authentication

This document has not covered the best way to provide authentication to users seeking access to assets. As in all complex systems, this is where the “devil is in the detail”.
The one given is that the authentication must be resilient and distributed. A useful analogue would be the peer-to-peer traffic used to distribute torrent files. For mobile phone users, systems exist, but a prioritisation or escalation protocol may be required to ensure authentication is given priority, in a similar fashion to the Quality of Service (QoS) used for Voice over Internet Protocol (VoIP) in network transport.
The simplest and most inexpensive way to ensure rapid deployment would be for users to authenticate to their existing Financial Service or Mobile Service provider. Establishing a third party to enable interoperability (the business model of the Australian Transaction Reports and Analysis Centre, AUSTRAC, is a good example) is a high priority, as long as it is cost effective and doesn’t require an army of public servants to administer it.


Links
Critical pieces of the infrastructure required to implement the Federated System are in commercial production in all organisations around the nation. Here are the nuts and bolts that make these systems work together.

Authentication – a basic overview
What is a Radius Server?
Australian Transaction Reports and Analysis Centre – AUSTRAC

Desired Outcomes

Better online security for Australian Citizens
Pundits speculate that criminal activity targeting on-line commerce is in its infancy. By initiating a National system and framework, Australia can demonstrate real leadership in protecting its citizens from online threats.

It’s much better than passwords
Passwords fail to meet the needs of security. Increasing complexity in password management is costing organisations vast sums of money and failing to protect the digital assets they are supposed to protect. Stronger unchanging passwords are easier to administer (and remember) and more challenging to crack. By extending the length of a password to 12 characters the chances of a brute force attack achieving success is minimal. One or two very strong unchanging passwords are better than any number of weak passwords. Adding MFA to this strategy makes the efficacy of the system much better.

Improved Safety and Privacy
By ensuring sign on credentials are valid, the security of users privacy and identity are protected with a subsequent increase of trust in systems and processes. With the ability to extend the reach of this improved security, all stakeholders benefit.

National Defence and Security
By building better security safeguards into Australia’s national infrastructure, citizens are assured that the potential of state sponsored threats is mitigated. Since information technology is itself an attack vector, more resilient and better protected systems are able to repel infection or attack.

Reduction in Financial Loss and Risk
Online fraud is a measurable cost we must all add to what we pay for the use of Financial Services. The Return on Investment (ROI) of this framework is impossible to gauge, but, like insurance, how do you measure success?

Social Capital
The framework provides greater protection for users of consumer social media (Facebook), business social media (LinkedIn) and hybrids (Twitter). Lives have been lost because of online bullying with little or no legal recourse for the victims. Is digital assault a valid crime? Non-repudiation is guaranteed, ensuring that the lawless slings and arrows delivered via online media may be curbed to conform to current defamation legislation.

Summary:

By implementing a national multi-factor authentication system Australian citizens will benefit from having the highest levels of online security in the world. This technology may provide a significant competitive advantage to business in securing digital assets and could lead to innovation based export opportunities. The headlines report massive breaches of information that directly expose our financial systems to grave risk. Australia must set the benchmark in secure digital vigilance to safeguard our information security perimeter from existing and potential threats.


For Part 1: The business drivers and technology basics of two-factor or multi-factor authentication
And Part 2: Open standards are the key to building a Federated System

__________________________________________________________________________________

About the Author:
Mike Ryan is a freelance copywriter and marketing contractor with a passion for Information Security. He has presented at an Australian Information Security Association (AISA) branch meeting prosecuting the case for improved security and that punitive legislation be enforced to protect Australian citizens from data disclosure and privacy breaches.

Mike Ryan – Brass Razoo Group      Website: www.brassrazoo.net.au

