Source: hosteu.msgapp.com/uploads/96495/Documents/White... (Swivel Secure white paper, 15 pages)

Network security and convenience:

Why the pursuit of ‘frictionless authentication’ is a compromise too far

Abstract

This paper explores how the corporate IT department has allowed (or been forced to permit) a dangerous ‘culture of convenience’ to permeate through its systems at the expense of data security. It reimagines and realigns the relationship between user authentication, security, convenience and the user experience, and offers advice to businesses on risk-based and adaptive authentication techniques that can quickly and cost-effectively reduce their risk of exposure.

© 2015 Swivel Secure Ltd www.swivelsecure.com


Contents

Executive summary
1 How security has lost its way
1.1 Human frailty - the username and password issue
1.2 The myth of the ‘5tr0nG Pa55w0rd’
2 The era of the security breach
2.1 Definition: frictionless authentication
3 Frictionless authentication: Adoption drivers
4 BYOD & The use of personal devices at work
4.1 The impact of ‘cart before the horse’ security policy
4.2 Security devalued
4.3 Industry focus: legal sector
5 Redefining a culture of security
5.1 Reimagining the security & convenience relationship
5.2 How risk-based friction can enhance reputation
6 Only adaptive authentication can deliver the required balance
7 About Swivel Secure


Executive summary

This paper explores how the corporate IT department has allowed (or been forced to permit) a dangerous ‘culture of convenience’ to permeate through its systems at the expense of data security. 2014 was a year in which an unprecedented number of high-profile and acutely impactful hacks, bugs and data breaches caused mass disruption online, resulting in the theft and exposure of millions of commercially and personally sensitive records.

This paper examines the weaknesses in the methods used to guard the gateways to corporate data, and explains why a strong alpha-numeric password, in today’s heightened and evolved threat environment, is no more secure against credential theft than one that is considered weak: once a password has been captured by a key-logger or read out of a server’s memory, its complexity no longer matters. It highlights how a corporate fixation with providing an optimally convenient, or ‘frictionless’, user experience, learned in part from the integration of low-security consumer applications in the workplace, is dangerously exposing corporate networks to criminal forces that grow in competency daily. The paper reimagines and realigns the relationship between user authentication, security, convenience and the user experience, and offers advice to businesses on risk-based and adaptive authentication techniques that can quickly and cost-effectively reduce their risk of exposure.

1 Independent survey of 2,500 US consumers conducted by The Leadership Factor in May 2014, commissioned by Swivel Secure.

1. How security has lost its way

As digital services and connected devices continue to evolve, individuals and organisations alike are entrusting ever greater volumes of sensitive personal and corporate data to their keeping. Technology is no longer a mere facility to support our interactions in the physical world; it is now a cultural game changer, enabling immediate, global communication and providing a channel through which we can remain connected to important information from anywhere and at any time.

As the years go by, the apps, devices and services we use to support our digital lives have become ever more complex and feature-rich, leading, inevitably, to a laser-like focus on providing an intuitive and accessible user experience. This focus is, for the most part, a force for good: it simplifies our digital existence, makes the digital world navigable, and ensures the tools and services we use remain usable and convenient as they continue to evolve. Yet it is precisely this pursuit of convenience that has led consumers and corporations into dangerous waters; it has overshadowed the need to protect sensitive personal and commercial data from falling into the wrong hands. Put simply, the pursuit of the slickest, most unobtrusive, ‘frictionless’ user experience has forced security to take a back seat.

As a result, the security measures that guard the digital gateways to sensitive commercial and personal data have never been so weak relative to the threats they face. Much of this can be attributed to the fact that username and password (UNP) combinations remain the universally accepted form of authentication for the vast majority of online applications, both in and out of the workplace.

1.1 Human frailty - the username and password issue

Despite their ubiquity, usernames and passwords are an inherently frail form of authentication. Yet, as end users, we are consistently advised by service providers to devise a new and unique ‘strong’ alpha-numeric password for each and every application that requires user verification. The construction of ‘5tr0nG pa55w0rd5’ follows a syntax which is deliberately unfamiliar. This is what makes them difficult for another to predict, and equally difficult for end users to remember. Indeed, so prevalent has their use become that end users are no longer able to use the UNP system as it was originally intended: by applying a unique password to each account and storing them in our memories only. In fact, a 2014 study1 of 2,500 Americans revealed that nearly 70% of respondents routinely write their passwords down, or employ another system to manage them. These systems, such as keeping lists in a webmail account, in a note kept on a mobile device, or written down and kept in a drawer, expose usernames and passwords to being lost or stolen and used with malicious intent.


1.2 The myth of the ‘5tr0nG Pa55w0rd’

The reality is that a password strong enough to be safe on its own does not exist. But to use human frailty alone to explain why this is so is to tell only half of the story. There are major technical fallibilities to contend with, too.

On the human side, end users inevitably resort to reusing the same UNP to access multiple applications. Checking the ‘remember me’ box at the login stage, which removes the requirement to re-enter their UNP details upon their next visit, together with the use of email addresses as usernames (so that the username half of the credential is public and shared across sites), has created multiple points of weakness in the security chain. According to Verizon’s 2014 Data Breach Investigations Report, more than 63,000 security incidents, 1,367 of them confirmed data breaches, occurred during 2013. With high rewards at stake for the attackers, this number is expected to keep rising as hacking methods become ever more sophisticated.

On the technical side, the ‘Heartbleed’ bug of 2014 was not a virus but a memory-disclosure flaw (CVE-2014-0160) in OpenSSL’s implementation of the TLS heartbeat extension, present on web servers across the world. By sending a malformed heartbeat request, an unauthenticated remote attacker could read up to 64 KB of the server process’s memory per request, repeatedly and without leaving a trace in ordinary logs. The attacker would then sift through these indiscriminate blocks of memory to isolate the strings that looked like UNPs (session cookies and private keys were exposed in the same way). These strings would then be tried against the service until access was granted to a user’s account. And if, like most of us, that user had reused the same UNP across multiple accounts, the attacker then held all the keys to unlock free and undetected access to those sites too.

Similarly, an alpha-numeric ‘5tr0nG P@ssw0rd5’ is no greater defence against a key-logger attack (where a record of the user’s keystrokes is captured by a rogue operator and interrogated for UNPs) than one that is considered weak. Against this class of attack, the strong password only serves to detract from the user’s experience.

The security value achieved by building variations of characters and symbols into a recognisable password is lost entirely in such cases; once the password has been exposed, it is nothing more than a string of characters, just like any other. What key-loggers and Heartbleed demonstrate is that the criminal practice of guessing UNPs has been joined by methods specifically designed to obtain them, against which password complexity is no defence. If online authentication is to guard against future multidimensional attacks like these, it too must evolve.

3 John Hawes, “2013 An Epic Year For Data Breaches With Over 800 Million Records Lost,” Naked Security, February 19, 2014.
4 Ponemon Institute, 2014 Cost of a Data Breach study.

2. The era of the security breach

2.1 Definition: frictionless authentication

In security terms, ‘friction’ refers to the level of disruption that a chosen form of authentication causes to data and application accessibility. Frictionless authentication, therefore, is the path of least resistance: a process that is focused on delivering a convenient user experience, often at the expense of appropriate or even adequate levels of security protection.

The numbers are staggering. In 2013 alone, 40 million people in the US, 54 million in Turkey, 20 million in Korea, 16 million in Germany and more than 20 million in China, amongst others, had their personal information stolen as a result of cybercrime. One estimate puts the total at more than 800 million individual records in 2013.3

As data breaches become the norm rather than the exception, organizations that hold sensitive information are under both legislative and reputational pressure to put a data leak prevention strategy in place. The consequences of not doing so can be catastrophic and are often subject to extensive and damaging publicity. Target Corp, eBay, Sony and LinkedIn have all suffered critical blows in recent times. Such circumstances adversely impact the brand’s reputation, and the company in question often incurs losses from imposed fines, together with the damage to its revenues that follows a drop in market confidence. According to the Ponemon Institute4, each record lost comes at a cost to the business of $145, with the average total cost of a data breach standing at $3.5 million, a rise of 15% compared to 2013’s study.



3. Frictionless authentication: Adoption drivers

The determination to maximize end-user convenience has driven service providers to maintain support for UNP authentication, despite its considerable fallibilities. Indeed, the preoccupation with creating a convenient end-user experience has led service providers to strive for an entirely frictionless authentication environment, by developing solutions such as mobile clients which cache credentials and grant unfettered access as soon as the user opens the application.

There is little doubt that major providers of webmail, social media platforms, cloud storage and other popular online facilities are well aware of the frailties of password-based authentication, but because they fear a user exodus if they deviate from the UNP model, most are unwilling to do so. Even for large-scale corporate cloud installations, the added ‘friction’ of stronger security at the login stage has been seen as a step too far: an annoyance to convenience-loving employees who see it only as an extra ‘hassle’ when trying to access information.

This situation is, in part, due to the proliferation of consumer cloud-based applications being used in the workplace, such as Twitter, Facebook and Dropbox, coupled with a distinct shift in corporate working behaviors toward flexible, home and mobile working.


4. BYOD & The use of personal devices at work

Corporate culture has driven a shift in the equipment and systems being introduced to enable commercial operations to be conducted. As consumers have adopted mobile computing devices outside of work, such as smartphones and tablets, these technologies have also infiltrated the workplace, a phenomenon known as bring your own device (BYOD). The disruptive impact of BYOD on corporate security has been severe, and has forced the Chief Security Officer (CSO) to relinquish control on a number of fronts, from the level and type of security installed on these devices to the number of applications, be they consumer or corporate, being accessed via these ‘unknown’ devices.

4.1 The impact of ‘cart before the horse’ security policy

The advent of BYOD has resulted in the security department re-engineering its security policies. Rather than developing a holistic policy for the entire infrastructure and applying it to the network’s various access links (such as remote VPN, cloud, mobile device or desktop), the CSO has been hounded into developing security policies in reaction to, say, the CEO’s demand to read email on his iPad. It is easy to see how the IT department has allowed (or been forced to permit) a ‘culture of convenience’ to permeate through its systems at the expense of data security.

The business benefits of increased mobility, flexibility and operational efficiency brought about by advances in technology are well understood. Moreover, the advent of tablets and smartphones has fired a newfound enthusiasm for technology among workers. The combination of these two factors can be intoxicating for many CIOs and IT Directors, who have suddenly found themselves in unusual favor with both the board and lower-level staff. For many, however, the net result has been a BYOD overload which has become difficult to police and has left the business’s critical IP dangerously vulnerable.


4.2 Security devalued

These working practices have been the catalyst for security and authentication being pushed down the corporate value chain to the position of lowest common denominator. This approach to security has also been ‘default endorsed’ by application developers and service providers that have developed solutions specifically designed to deliver as close to a ‘frictionless environment’ as possible. Rarely is this environment appropriate to the enterprise. The persistent, user-granted permissions required to reduce friction in the authentication process (such as ‘single sign-on’ or ‘remember me’ options) place unfair responsibility for corporate security on the shoulders of individual employees. (The concern is not a central login as such, which section 5.1 recommends, but the long-lived, unconditional sessions that typically accompany it.) For the system to work effectively, the end user must guarantee the uniqueness of their UNP credentials, correctly interpret the corporate security policies, and manage how they access, share and store corporate data so as to abide by those policies absolutely. It is very rare for a ‘one size fits all’ strategy to be applicable to everyone in an organization. Policies that apply this approach in the name of convenience should be widely discouraged.

“I was dragging a sensitive file across my Windows desktop and accidentally dropped the file icon over my Skype window. The file was automatically sent to the person I was last Skyping with. I couldn’t help thinking that I should have been prompted to confirm my intent before the file was sent. I love Dropbox too, but this poses the same problem – it’s far too easy to share the wrong file with the wrong people.”


4.3 Industry focus: legal sector

The legal sector has a number of common IT security risks and challenges. Modern legal practices rely on IT in every part of their business, from case management, to the everyday management of the practice, to the protection of confidential client information. This reliance on IT also creates significant vulnerabilities. As a result, IT security plays a significant role in the legal sector, as the repercussions of case documentation falling into the wrong hands, either by accident or by malicious means, would have devastating consequences for both the practice and its clients.

Correctly understanding and implementing the appropriate user verification and authentication solutions, together with defining appropriate levels of access to information and confidential documents, will mitigate the most prevalent attack vectors and dramatically increase overall security. Legal firms, in particular, have a duty of care enshrined in law to handle clients’ information confidentially. In this sector particularly, the pursuit of user convenience delivered via frictionless authentication must not be the only means of access to applications, as the risk and end-user responsibility it entails are unacceptable.

5. Redefining a culture of security

All businesses and organizations have a security culture unique to them. Just as a business culture can be described as collaborative, argumentative, structured or unstructured, so can a security culture. All too often, organizations will have a security policy that isn’t enforced, and only when it is too late will they respond to the threats. A true security culture should embody vigilance in process and a clear understanding of what is at stake, and garner widespread support for the preventative measures that have been put in place. It should also come from the top.

A sensible first step is to form a holistic view of the company’s data, assess what is ‘business-critical’ and develop a strict policy document which must be adhered to. As part of this process it is important to recognise that corporate use cases should not necessarily mirror consumer use cases. A consumer’s experience of accessing their personal social media account does not represent an appropriate benchmark for corporate access to sensitive CRM data.


5.1 Reimagining the security & convenience relationship

There is no ‘one size fits all’ solution to IT security, and there is certainly no ‘one password secures all’ solution. But neither is it the case that non-UNP-based authentication should be viewed as the enemy of the user experience. On the contrary, new adaptive authentication solutions can help to apply exactly the level of visible security that is appropriate to the access being requested, serving to remind the user of the security risks associated with whatever it is they are doing. Applying an appropriate level of ‘friction’ to the authentication process will ensure that a user is conscious that they are moving into a secure environment and must proceed in accordance with whatever enterprise security policies have been defined for that environment.

In this way, security should be viewed as an asset and a strong contributing factor to the overall user experience, in which the level of convenience also plays an important part. When reimagined in this ‘adaptive’ way, security and convenience become components of one another, and can be applied proportionately and precisely, as is appropriate to any given access request.

In circumstances where highly sensitive and confidential content is being reviewed, or when access requests are being made from beyond the control of the fixed network perimeter, for example, it is right that the user should be challenged to re-verify their credentials before they are granted access. Equally, however, where lower-value data is being accessed, or when the user has already authenticated into a secure environment during the same ‘session’, barriers to access can be confidently lifted in order to raise convenience levels for the user. Organizations can then define the access control parameters that work best for their business structure, keeping the gateways to certain information accessible only to those with the right permissions. Laying down such a policy will, however, only enable limited progress.

As a next step, our advice to businesses is to deliver authentication through a standalone platform: the application redirects the user back to the corporate domain so that the user’s credentials can be validated by the corporate authentication solution before access is granted. Centralising the login in this way means that each cloud or mobile application no longer holds or caches the corporate credential, and the risk-based policy is applied consistently at one point rather than re-implemented in every application.


5.2 How risk-based friction can enhance reputation

Far from being seen as a ‘hassle’, the result of introducing proportionate levels of security friction into the user experience, according to the gravity of the access request, is likely to enhance an organization’s reputation. In an age where governments and some of the biggest corporations are routinely suffering crippling cyberattacks, the intelligent application of strong authentication is unlikely to be perceived as needless ‘theatre’, nor as an inhibitor to productivity. Instead, it demonstrates an organization’s values in action, positioning the firm as trustworthy and principled. In this way, security can play a part in delivering real competitive advantage and brand differentiation.

The challenge is to add the layer of friction, in the case illustrated below the request for an additional user confirmation, only when the risk warrants it. A prompt that appears on every attachment is soon answered by reflex and protects nothing; one that appears only when the message carries risk indicators keeps its meaning. Such indicators could include an attachment from an unrecognized email address, a user who was blind-copied on the message, or other common attributes that indicate spam or malware.

Risk-based friction illustrated

“When someone emails me a Word document and I want to print it, I click ‘Print’. I then get told that, because the file was an attachment, I need to ‘Enable Printing’ before I can proceed. Of course I ‘Enable Printing’; I just clicked ‘Print’! Unfortunately this prompt occurs so often that it becomes an automatic process. I routinely ‘Enable Printing’ without a second thought. Then, as a result, I get infected by malware from a rogue email attachment which I have automatically enabled, thanks to this process.”
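The rule set described above, worked through in code as an added example (not code from the paper or from Swivel Secure): the message is parsed with Python's standard email library, the three indicators the paper names are checked (unrecognised sender, recipient only blind-copied, an attachment type that can carry executable content), and the user is prompted only when at least one fires. The known-sender set, the risky-extension list and the two sample messages are constructed for this example and are assumptions, not data from the paper.

```python
"""Risk-based friction for e-mail attachments: prompt the user only when
the message shows risk indicators, rather than on every attachment.

Added example for the paper's section 5.2; not code from the paper or
from Swivel Secure. The three indicators follow the paper's list; the
known-sender set, the risky-extension list and the sample messages are
constructed for this example.
"""
from email import message_from_string
from email.message import Message
from email.utils import getaddresses, parseaddr

# File types that can carry executable content when opened (assumed list).
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".hta", ".docm", ".xlsm", ".pptm")


def _addresses(msg: Message, header: str) -> set:
    """Lower-cased addresses named in a header, empty if the header is absent."""
    return {addr.lower() for _, addr in getaddresses(msg.get_all(header, [])) if addr}


def risk_indicators(msg: Message, recipient: str, known_senders: set) -> list:
    """Return the risk indicators present in the message (empty = routine)."""
    indicators = []
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender not in known_senders:
        indicators.append("unknown-sender")
    # Recipient not named in To or Cc: they were blind-copied (or bulk-mailed).
    if recipient.lower() not in _addresses(msg, "To") | _addresses(msg, "Cc"):
        indicators.append("recipient-not-in-to-or-cc")
    for part in msg.walk():  # the multipart container itself has no filename
        filename = part.get_filename()
        if filename and filename.lower().endswith(RISKY_EXTENSIONS):
            indicators.append("risky-attachment:" + filename)
    return indicators


def needs_confirmation(msg: Message, recipient: str, known_senders: set) -> bool:
    """Friction policy: add the prompt only when at least one indicator fires."""
    return bool(risk_indicators(msg, recipient, known_senders))


# Constructed sample messages (not real traffic); bodies are placeholder text.
ME = "me@example.com"
KNOWN_SENDERS = {"colleague@example.com"}

ROUTINE_MAIL = """\
From: Colleague <colleague@example.com>
To: me@example.com
Subject: Minutes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached.
--b1
Content-Type: application/msword; name="minutes.doc"
Content-Disposition: attachment; filename="minutes.doc"

placeholder
--b1--
"""

SUSPECT_MAIL = """\
From: Accounts <invoices@unknown.example.net>
To: undisclosed-recipients:;
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Please print the attached invoice.
--b2
Content-Type: application/vnd.ms-word.document.macroEnabled.12; name="invoice.docm"
Content-Disposition: attachment; filename="invoice.docm"

placeholder
--b2--
"""


def classify(raw: str) -> tuple:
    """Parse a raw RFC 822 message and return (prompt?, indicators)."""
    msg = message_from_string(raw)
    return needs_confirmation(msg, ME, KNOWN_SENDERS), risk_indicators(msg, ME, KNOWN_SENDERS)


if __name__ == "__main__":
    for label, raw in (("routine", ROUTINE_MAIL), ("suspect", SUSPECT_MAIL)):
        prompt, why = classify(raw)
        print(f"{label}: prompt={prompt} indicators={why}")
```

The routine message from a known colleague, addressed directly, with a plain .doc attachment raises no indicator and is opened without a prompt; the invoice from an unknown sender, delivered via undisclosed recipients with a macro-enabled .docm, raises all three and gets the confirmation. In production the indicator list would be fed by mail-gateway verdicts rather than fixed extensions, but the policy shape stays the same: friction only where a signal exists.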


6. Only adaptive authentication can deliver the required balance

It is a sound first step to establish static, risk-based policies which determine access requirements based on who is accessing which service. A more powerful and protective step, however, is to define policies based on each access request. Going beyond ‘per-service’ and ‘per-user’ policies to create an additional layer of granularity means that friction can be reduced when it is appropriate to do so, but also increased as dictated by increases in circumstantial risk.

A variety of factors should be taken into account here, with different rules applied to different stores of data. Such factors include the sensitivity of the customer and company data being protected, the firm’s legal obligations as defined by the authorities in the company’s host country, details of commercial agreements with partner organisations, responsibilities to shareholders or investors, together with any internal sensitivities associated with employee records or financial forecasting. Only by conducting detailed and controlled planning can an enterprise access security policy support both a convenient user experience and adequate commercial protection. The pursuit of an entirely frictionless digital environment in the workplace is short-sighted and will lead only to an increase in corporate cybercrime.

Fortunately, flexible and adaptive enterprise-class authentication solutions are now readily available and are more cost-effective than ever before. CSOs that are serious about securing the future of their organisations in today’s age of rampant cybercrime have little option but to sit up and take notice.

[Illustration: a Swivel one-time code (OTC) as presented to the user]
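An added example (not code from the paper or from Swivel Secure) contrasting the two steps described in this section, and showing the behaviour section 5.1 asks for: a static per-service rule that demands the same friction whatever the circumstances, beside a per-request policy that re-verifies the user beyond the network perimeter or on an unregistered device, steps up to a second factor when the accumulated risk warrants it, and lifts the barrier for lower-value data within a fresh session. The service sensitivity classes, the signal weights and thresholds, the corporate address range and the sample requests are assumptions of this example.

```python
"""Adaptive (per-request) authentication policy beside a static one.

Added example for the paper's sections 5.1 and 6; not code from the paper
or from Swivel Secure. Service sensitivity classes, signal weights,
thresholds, the corporate address range and the sample requests are
assumptions of this example.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from ipaddress import ip_address, ip_network
from typing import List, Optional


class Assurance(IntEnum):
    """How much friction the user must pass before access is granted."""
    NONE = 0           # an existing authenticated session is enough
    PASSWORD = 1       # re-enter username and password
    SECOND_FACTOR = 2  # password plus a one-time code


# Static per-service baseline (the paper's 'sound first step'): 0 = public, 3 = most sensitive.
SERVICE_SENSITIVITY = {"intranet-news": 0, "email": 1, "crm": 2, "hr-records": 3}
CORPORATE_NETWORK = ip_network("10.0.0.0/8")  # assumed on-premises range
SESSION_MAX_AGE_MIN = 60                      # assumed re-verification interval


@dataclass
class AccessRequest:
    user: str
    service: str
    source_ip: str
    device_registered: bool
    session_age_min: Optional[int]  # None = no authenticated session yet
    privileged_role: bool = False


@dataclass
class Decision:
    required: Assurance
    score: int
    reasons: List[str] = field(default_factory=list)


def static_decide(req: AccessRequest) -> Assurance:
    """Per-service rule only: the same friction whatever the circumstances."""
    sensitive = SERVICE_SENSITIVITY.get(req.service, 3) >= 2
    return Assurance.SECOND_FACTOR if sensitive else Assurance.PASSWORD


def risk_score(req: AccessRequest) -> Decision:
    """Static baseline plus per-request signals; each reason is recorded for audit."""
    score = SERVICE_SENSITIVITY.get(req.service, 3)  # unknown service: treat as most sensitive
    reasons = [f"service-sensitivity={score}"]
    if ip_address(req.source_ip) not in CORPORATE_NETWORK:
        score += 2
        reasons.append("off-network")
    if not req.device_registered:
        score += 2
        reasons.append("unregistered-device")
    if req.session_age_min is None:
        score += 1
        reasons.append("no-session")
    elif req.session_age_min > SESSION_MAX_AGE_MIN:
        score += 1
        reasons.append("stale-session")
    if req.privileged_role:
        score += 1
        reasons.append("privileged-role")
    return Decision(Assurance.NONE, score, reasons)


def decide(req: AccessRequest) -> Decision:
    """Map the score to a friction level (thresholds are assumptions)."""
    d = risk_score(req)
    if req.session_age_min is None:
        # No session at all: always at least a password; step up when risky.
        d.required = Assurance.SECOND_FACTOR if d.score >= 4 else Assurance.PASSWORD
    elif d.score >= 5:
        d.required = Assurance.SECOND_FACTOR
    elif d.score >= 3:
        d.required = Assurance.PASSWORD
    else:
        d.required = Assurance.NONE  # low-value data or fresh session: barrier lifted
    return d


if __name__ == "__main__":
    # Constructed requests: same user and service, different circumstances.
    samples = [
        AccessRequest("alice", "crm", "10.1.2.3", True, 10),          # in office, fresh session
        AccessRequest("alice", "crm", "203.0.113.5", True, 10),       # home, registered laptop
        AccessRequest("alice", "crm", "203.0.113.5", False, 10),      # home, unknown tablet
        AccessRequest("alice", "hr-records", "203.0.113.5", False, None),
        AccessRequest("alice", "intranet-news", "10.1.2.3", True, None),
    ]
    for req in samples:
        d = decide(req)
        print(f"{req.service:13} static={static_decide(req).name:13} "
              f"adaptive={d.required.name:13} score={d.score} {d.reasons}")
```

Run as a script, the three CRM requests show the point of the section: the static rule demands a second factor every time, while the adaptive policy lets the in-office user with a fresh session straight through, asks the home worker on a registered laptop to re-enter the password, and reserves the one-time code for the unknown device. The reasons list is what an auditor or the user's own prompt should be shown, so that the friction is understood rather than clicked through by reflex.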


7. About Swivel Secure

Established in 2000, Swivel is a pioneering network security solutions provider. Its multi-factor authentication platform, underpinned by PINsafe, the company’s patented one-time-code extraction technology, is recognized as the de facto standard in tokenless authentication technology.

Swivel’s range of static and dynamic risk-based authentication capabilities adapts the platform to ensure the user experience is optimized without compromising security. By applying the right level of authentication according to a broad range of factors, Swivel can support a broad array of access control techniques to secure remote, cloud and on-premises services. With the widest range of user deployment options, the Swivel platform delivers two-factor authentication via mobile apps, SMS, OATH tokens and interactive voice response channels, and stronger authentication through integrated in-browser imagery.

Swivel’s established user base includes major blue-chip companies as well as SME and public sector organisations. Customers vary from UK NHS Trusts to multi-national logistics organisations, educational institutions, high street retailers, financial institutions and one of the world’s largest IT hardware components manufacturers. Swivel is an accredited authentication technology for Microsoft Office 365 Dedicated, offering primary support for a tokenless environment.

Swivel has an extensive worldwide network of channel partners supported by offices in the UK, US, Europe and Russia. It is a member of the Marr Group, a global investment business.