Part 3 Business Continuity and implementation

Business Continuity and Availability – Authenticators and Authentication

Authenticators

One challenge is that with the loss or failure of the primary authenticator, users would be unable to conduct any online commerce. The ideal way to solve this potential problem would be to have a primary and a secondary authentication device. A useful analogy is having a spare set of keys in the event of misplacement, loss or misadventure. This may take the form of a HOTP enabled photo ID or a second mobile phone.
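The primary-plus-spare arrangement described above, as an added example (not code from the original article): each enrolled device gets its own HOTP (RFC 4226) secret and counter on the server, a used code is never accepted twice, and a look-ahead window resynchronises a device whose counter has run ahead. The device names and the spare's secret are constructed for illustration; the primary uses the RFC 4226 test secret.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA-1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Authenticator:
    """Server-side record for one enrolled device: its own secret and counter."""

    def __init__(self, name: str, secret: bytes):
        self.name = name
        self.secret = secret
        self.counter = 0  # next counter value the server expects from this device


class MfaAccount:
    """A user holding a primary and a secondary (spare) authenticator.
    LOOK_AHEAD tolerates a device whose counter has moved ahead of the server
    (e.g. codes generated but never submitted)."""

    LOOK_AHEAD = 10

    def __init__(self, *devices: Authenticator):
        self.devices = list(devices)

    def verify(self, submitted: str):
        """Return the name of the device that produced `submitted`, or None.
        On success the device's counter moves past the used value, so the same
        code is never accepted a second time (replay protection)."""
        for dev in self.devices:
            for c in range(dev.counter, dev.counter + self.LOOK_AHEAD):
                if hmac.compare_digest(hotp(dev.secret, c), submitted):
                    dev.counter = c + 1
                    return dev.name
        return None


# Constructed sample enrolment: the RFC 4226 test secret for the primary phone,
# a made-up secret for the spare. Real deployments generate a random secret per device.
PRIMARY = Authenticator("phone", b"12345678901234567890")
SPARE = Authenticator("photo-id", b"spare-device-secret-constructed!")
account = MfaAccount(PRIMARY, SPARE)
```

If the phone is lost, the spare keeps working because its counter and secret are independent; the lost device's record should then be removed from the account.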

Authentication

This document has not covered the best way to provide authentication to users seeking access to assets. As in all complex systems, this is where the "devil is in the detail".
The one given is that the authentication must be resilient and distributed. A useful analogue would be the peer-to-peer traffic used to distribute torrent files. For mobile phone users, systems exist, but a prioritisation or escalation protocol may be required to ensure authentication is given priority, in a similar fashion to the Quality of Service (QoS) used for Voice over Internet Protocol (VoIP) in network transport.
The simplest and most inexpensive way to ensure rapid deployment would be for users to authenticate to their existing Financial Service or Mobile Service provider. Establishing a third party to enable interoperability (the Australian Transaction Reports and Analysis Centre, AUSTRAC, is a good example of the business model) is a high priority, as long as it is cost effective and doesn't require an army of public servants to administer it.


Links
Critical pieces of the infrastructure required to implement the Federated System are in commercial production in all organisations around the nation. Here are the nuts and bolts that make these systems work together.

Authentication – a basic overview
What is a RADIUS Server?
Australian Transaction Reports and Analysis Centre – AUSTRAC

Desired Outcomes

Better online security for Australian Citizens
Pundits speculate that criminal activity targeting on-line commerce is in its infancy. By initiating a National system and framework, Australia can demonstrate real leadership in protecting its citizens from online threats.

It’s much better than passwords
Passwords on their own fail to meet the needs of security. Increasing complexity in password management is costing organisations vast sums of money while failing to protect the digital assets it is supposed to protect. Strong, unchanging passwords are easier to administer (and remember) and more challenging to crack. By extending the length of a password to 12 characters, the chances of a brute force attack succeeding are minimal. One or two very strong unchanging passwords are better than any number of weak passwords. Adding MFA to this strategy makes the system far more effective.

Improved Safety and Privacy
By ensuring sign on credentials are valid, the security of users privacy and identity are protected with a subsequent increase of trust in systems and processes. With the ability to extend the reach of this improved security, all stakeholders benefit.

National Defence and Security
By building better security safeguards into Australia's national infrastructure, citizens are assured that the potential of state sponsored threats is mitigated. Because information technology is itself used as an attack vector, more resilient and protected systems are better able to repel infection or attack.

Reduction in Financial Loss and Risk
Online fraud is a measurable cost that we all add to what we pay for the use of Financial Services. The Return on Investment (ROI) of this framework is impossible to gauge, but, as with insurance, how do you measure success?

Social Capital
The framework provides greater protection for users of consumer social media (Facebook), business social media (LinkedIn) and hybrids (Twitter). Lives have been lost because of online bullying with little or no legal recourse for the victims. Is digital assault a valid crime? Non-repudiation is guaranteed, ensuring that the lawless slings and arrows delivered via online media may be curbed to conform to current defamation legislation.

Summary:

By implementing a national multi-factor authentication system Australian citizens will benefit from having the highest levels of online security in the world. This technology may provide a significant competitive advantage to business in securing digital assets and could lead to innovation based export opportunities. The headlines report massive breaches of information that directly expose our financial systems to grave risk. Australia must set the benchmark in secure digital vigilance to safeguard our information security perimeter from existing and potential threats.


For Part 1: The business drivers and technology basics of two-factor or multi-factor authentication
And Part 2: Open standards are the key to building a Federated System

__________________________________________________________________________________

About the Author:
Mike Ryan is a freelance copywriter and marketing contractor with a passion for Information Security. He has presented at an Australian Information Security Association (AISA) branch meeting prosecuting the case for improved security and that punitive legislation be enforced to protect Australian citizens from data disclosure and privacy breaches.

Mike Ryan – Brass Razoo Group      Website: www.brassrazoo.net.au

