Network security and convenience:
Why the pursuit of ‘frictionless authentication’ is a compromise too far
Abstract
This paper explores how the corporate IT department has allowed
(or been forced to permit) a dangerous ‘culture of convenience’ to
permeate through its systems at the expense of data security.
It reimagines and realigns the relationship between user authentication,
security, convenience and the user experience, and offers advice to
businesses on risk-based and adaptive authentication techniques that
can quickly and cost effectively reduce their risk of exposure.
© 2015 Swivel Secure Ltd www.swivelsecure.com
Network Security and Convenience 2
Contents
Executive summary 4
1 How security has lost its way 5
1.1 Human frailty - the username and password issue 5
1.2 The myth of the ‘5tr0nG Pa55w0rd’ 6
2 The era of the security breach 7
2.1 Definition: frictionless authentication 7
3 Frictionless authentication: Adoption drivers 8
4 BYOD & The use of personal devices at work 9
4.1 The impact of ‘cart before the horse’ security policy 9
4.2 Security devalued 10
4.3 Industry focus: legal sector 11
5 Redefining a culture of security 11
5.1 Reimagining the security & convenience relationship 12
5.2 How risk-based friction can enhance reputation 13
6 Only adaptive authentication can deliver the required balance 14
7 About Swivel Secure 15
Executive summary
This paper explores how the corporate IT department has allowed (or
been forced to permit) a dangerous ‘culture of convenience’ to permeate
through its systems at the expense of data security. 2014 was a year in
which an unprecedented number of high profile and acutely impactful
hacks, bugs and data breaches caused mass disruption online, resulting
in the theft and exposure of millions of commercially and personally
sensitive records.
This paper examines the weaknesses in the methods used to guard the gateways to corporate data, and explains why a strong alpha-numeric password is, in today’s heightened and evolved threat environment, no more secure than one that is considered weak. It highlights how a corporate fixation with providing an optimally convenient, or ‘frictionless’, user experience, learned in part from the integration of low-security consumer applications in the workplace, is dangerously exposing corporate networks to criminal forces that grow in competency daily. The paper reimagines and realigns the relationship between user authentication, security, convenience and the user experience, and offers advice to businesses on risk-based and adaptive authentication techniques that can quickly and cost effectively reduce their risk of exposure.
1 Independent survey of 2,500 US consumers conducted by The Leadership Factor in May 2014, commissioned by Swivel Secure
1. How security has lost its way
As digital services and connected devices continue to evolve, individuals and organisations alike are entrusting ever greater volumes of sensitive personal and corporate data to their keep. In this way, technology is no longer a mere facility to support our interactions in the physical world; it is now a cultural game changer, enabling immediate, global communication and providing a channel through which we can remain connected to important information from anywhere and at any time.

As the years go by, the apps, devices and services we use to support our digital lives have become ever more complex and feature rich, leading, inevitably, to a laser-like focus on providing an intuitive and accessible user experience. This focus is, for the most part, a force for good; it simplifies our digital existence, makes the digital world navigable, and ensures the tools and services we use remain useable and convenient as they continue to evolve. Yet it is precisely this pursuit of convenience that has led consumers and corporations into dangerous waters; it has overshadowed the need to protect sensitive personal and commercial data from falling into the wrong hands. Put simply, the pursuit of the slickest, most unobtrusive ‘frictionless’ user experience has forced security to take a back seat.

As a result, the security measures that guard the digital gateways to sensitive commercial and personal data have never been so weak. Much of this can be attributed to the fact that username and password (UNP) combinations remain the universally accepted form of authentication for the vast majority of online applications, both in and out of the workplace.
1.1 Human frailty - the username and password issue
Despite their ubiquity, usernames and passwords are an inherently frail form of authentication. Yet, as end users, we are consistently advised by service providers to devise a new and unique, ‘strong’ alpha-numeric password for each and every application that requires user verification. The construction of ‘5tr0nG pa55w0rd5’ follows a syntax which is deliberately unfamiliar. This is what makes them difficult for another to predict and equally difficult for end users to remember. Indeed, so prevalent has their use become that end users are no longer able to use the UNP system as it was originally intended: by applying a unique password to each account and storing them in our memories only. In fact, a 2014 study1 of 2,500 Americans revealed that nearly 70% of respondents routinely write their passwords down, or employ another system to manage them. These systems, such as keeping lists in a webmail account, in a note kept on a mobile device, or written down and kept in a drawer, expose usernames and passwords to being lost or stolen and used for malicious intent.
1.2 The myth of the ‘5tr0nG Pa55w0rd’
The reality is that strong passwords simply do not exist. But to use human frailty alone to explain why this is so is to tell only half of the story. There are major technical fallibilities to contend with, too.

Inevitably, then, end users resort to the reuse of the same UNP to access multiple applications. Checking the ‘remember me’ box at the login stage, which removes the requirement to re-enter their UNP details upon their next visit, together with the use of email addresses as usernames, has created multiple points of weakness in the security chain. According to the 2014 Data Breach Investigations Report by Verizon, more than 63,000 security breaches occurred during 2013. With high rewards for the hackers at stake, this number is predicted to continue to increase exponentially as hacking methods become ever more sophisticated.

In 2014, the ‘Heartbleed’ bug, a next-generation virus, swept through webservers across the world, causing untold damage and exposing millions of UNPs to hackers. The bug intercepted huge blocks of data that pass through a service provider’s webserver. The hacker would then sift through these indiscriminate blocks of data in order to isolate the data strings that look like UNPs. These strings would then be speculatively applied until access was granted to a user’s account. And if, like most of us, that user had repurposed the same UNP across multiple accounts, the hacker then held all the keys to unlock free and undetected access to all of these sites too.

“Similarly, an alpha-numeric ‘5tr0nG P@ssw0rd5’ is no greater defence against a key-logger attack (where a record of a user’s keystrokes is captured by a rogue operator and interrogated for UNPs) than one that is considered weak. In this way, the strong password only serves to detract from the user’s experience.”

The security value achieved by building variations of characters and symbols into a recognisable password is lost entirely; once the password has been exposed, it is nothing more than a string of characters, just like any other. What key-loggers and Heartbleed have demonstrated is that the criminal practice of attempting to guess UNPs has now given way to methods specifically designed to obtain them. If online authentication is to guard against future multidimensional attacks like these, it too must evolve.
3 John Hawes, “2013 An Epic Year For Data Breaches With Over 800 Million Records Lost,” Naked Security, February 19, 2014
4 Ponemon Institute’s 2014 Cost of a Data Breach study
2. The era of the security breach
2.1 Definition: frictionless authentication
In security terms, ‘friction’ often refers to the level of disruption that a chosen form of authentication causes to data and application accessibility. Frictionless authentication, therefore, is the path of least resistance: a process that is focused on delivering a convenient user experience, often at the expense of appropriate or even adequate levels of security protection.

The numbers are staggering. In 2013 alone, 40 million people in the US, 54 million in Turkey, 20 million in Korea, 16 million in Germany and more than 20 million in China, amongst others, had their personal information stolen as a result of cybercrime. One estimate puts the total at more than 800 million individual records in 2013.3

As data breaches become the norm rather than the exception, organizations that hold sensitive information are under both legislative and reputational pressure to put a data leak prevention strategy into place.

The consequences of not doing so can be catastrophic and are often subject to extensive and damaging publicity. Target Corp, eBay, Sony and LinkedIn have all suffered critical blows in recent times. Such circumstances adversely impact the brand’s reputation, and the company in question often incurs losses from imposed fines, together with the damage to its revenues that occurs from a resultant drop in market confidence. According to the Ponemon Institute4, each record lost comes at a cost to the business of $145, with the average total cost of a data breach standing at $3.5 million, a rise of 15% compared to 2013’s study.
3. Frictionless authentication: Adoption drivers
The determination to maximize end-user convenience has driven service providers to maintain support for UNP authentication, despite its considerable fallibilities. Indeed, the preoccupation with creating a convenient end-user experience has led service providers to strive for an entirely frictionless authentication environment, by developing solutions such as mobile clients which cache credentials and grant unfettered access as soon as the user opens the application.

Surprisingly, there is little doubt that major providers of webmail, social media platforms, cloud storage and other popular online facilities are well aware of the frailties of password-based authentication, but because they fear a user exodus if they deviate from the UNP model, most are unwilling to do so. Even for large-scale corporate cloud installations, the added ‘friction’ of stronger security at the login stage has been seen as a step too far: an annoyance to convenience-loving employees who see it only as an extra ‘hassle’ when trying to access information.

This situation is, in part, due to the proliferation of consumer cloud-based applications being used in the workplace, such as Twitter, Facebook and Dropbox, coupled with a distinct shift in corporate working behaviors toward flexible, home and mobile working.
4. BYOD & The use of personal devices at work
4.1 The impact of ‘cart before the horse’ security policy
Corporate culture has driven a shift in the equipment and systems being introduced to enable commercial operations to be conducted. As consumers have adopted mobile computing devices outside of work, such as smartphones and tablets, these technologies have also infiltrated the workplace, a phenomenon known as bring your own device (BYOD). The disruptive impact of BYOD on corporate security has been severe, and has forced the Chief Security Officer (CSO) to relinquish control on a number of fronts, from the level and type of security installed on these devices, to the number of applications, be they consumer or corporate, being accessed via these ‘unknown’ devices.

The advent of BYOD has resulted in the security department re-engineering its security policies. Rather than developing a holistic policy for the entire infrastructure and applying it to the network’s various access links (such as remote VPN, cloud, mobile device or desktop), the CSO has been hounded into developing security policies in reaction to, say, the CEO’s demand to read email on his iPad. It is easy to see how the IT department has allowed (or been forced to permit) a ‘culture of convenience’ to permeate through its systems at the expense of data security.

The business benefits of increased mobility, flexibility and operational efficiency brought about by advances in technology are well understood. Moreover, the advent of tablets and smartphones has fired a newfound enthusiasm for technology among workers. The combination of these two factors can be intoxicating for many CIOs and IT Directors, who have suddenly found themselves in unusual favor with both the board and with lower level staff. For many, however, the net result has been a BYOD overload which has become difficult to police and has left the business’ critical IP dangerously vulnerable.
4.2 Security devalued
These working practices have been the catalyst for security and authentication being pushed down the corporate value chain to the position of lowest common denominator. This approach to security has also been ‘default endorsed’ by application developers and service providers that have developed solutions specifically designed to deliver as close to a ‘frictionless environment’ as possible. Rarely is this environment appropriate to the enterprise. The automatic, user-generated permissions required to reduce friction in the authentication process (such as ‘single sign-on’ or ‘remember me’ options) place unfair responsibility for corporate security on the shoulders of individual employees. For the system to work effectively, the end user must guarantee the uniqueness of their UNP credentials, correctly interpret the corporate security policies, and manage how they are accessing, sharing and storing corporate data in order to abide by those policies absolutely. It is very rare for a ‘one size fits all’ strategy to be applicable to everyone in an organization. Policies that apply this approach in the name of convenience should be widely discouraged.
“I was dragging a sensitive file across my Windows desktop and accidentally dropped the file icon over my Skype window. The file was automatically sent to the person I was last Skyping with. I couldn’t help thinking that I should have been prompted to confirm my intent before the file was sent. I love Dropbox too, but this poses the same problem – it’s far too easy to share the wrong file with the wrong people.”
4.3 Industry focus: legal sector
The legal sector has a number of common IT security risks and challenges. Modern legal practices rely on IT in every part of their business, from case management, to the everyday management of the practice, to the protection of confidential client information. This reliance on IT also creates significant vulnerabilities. As a result, IT security plays a significant role in the legal sector, as the repercussions of case documentation falling into the wrong hands, either by accident or by malicious means, would have devastating consequences for both the practice and its clients.

Correctly understanding and implementing the appropriate user verification and authentication solutions, together with defining appropriate levels of access to information and confidential documents, will effectively mitigate the most prevalent attack vectors and dramatically increase overall security. Legal firms, in particular, have a duty of care enshrined in law to handle clients’ information confidentially. In this sector particularly, the pursuit of user convenience delivered via frictionless authentication must not be the only means of access to applications, as the risk and end-user responsibility are unacceptable.
5. Redefining a culture of security
All businesses and organizations have a security culture unique to them. Just as a business culture can be described as collaborative, argumentative, structured or unstructured, this applies to security culture also. All too often, organizations will have a security policy that isn’t enforced. Only when it is too late will they respond to the threats. A true security culture should embody vigilance in process, a clear understanding of what is at stake, and garner widespread support for the preventative measures that have been put in place. It should also come from the top.

A sensible first step is to form a holistic view of the company’s data, assess what is ‘business-critical’ and develop a strict policy document which must be adhered to. As part of this process it is important to recognise that corporate use cases should not necessarily mirror consumer use cases. A consumer’s user experience of accessing their personal social media account does not represent an appropriate benchmark for corporate access to sensitive CRM data.
5.1 Reimagining the security & convenience relationship
There is no ‘one size fits all’ solution to IT security and there is certainly no ‘one password secures all’ solution. But neither is it the case that non-UNP based authentication should be viewed as the enemy of the user experience. On the contrary, new adaptive authentication solutions can help to apply exactly the right level of visible security appropriate to the access being requested, serving to remind the user of the security risks associated with whatever it is they are doing. Applying an appropriate level of ‘friction’ to the authentication process will ensure that a user is conscious that they are moving into a secure environment and must proceed in accordance with whatever enterprise security policies have been defined for that environment.

In this way, security should be viewed as an asset and a strong contributing factor to the overall user experience, in which the level of convenience also plays an important part. When reimagined in this ‘adaptive’ way, security and convenience become components of one another, and can be applied proportionately and precisely, as is appropriate to any given access request.

In circumstances where highly sensitive and confidential content is being reviewed, or when access requests are being made from beyond the control of the fixed network perimeter, for example, it is right that the user should be challenged to re-verify their credentials before they are granted access. Equally, however, where lower value data is being accessed, or indeed when the user has already authenticated into a secure environment during the same ‘session’, barriers to access can be confidently lifted in order to raise convenience levels for the user. Organizations can then define the access control parameters that work best for their business structure, keeping the gateways to certain information accessible only to those with the right permissions. Laying down such a policy will, however, only enable limited progress.

As a next step, our advice to businesses is to deliver authentication through a standalone platform which redirects users back to the corporate domain so that the user’s credentials can be validated using a corporate authentication solution before access is granted.
5.2 How risk-based friction can enhance reputation
Far from being seen as a ‘hassle’, the result of introducing proportionate levels of security friction into the user experience, according to the gravity of the access request, is likely to enhance an organization’s reputation. In an age where governments and some of the biggest corporations are routinely suffering crippling cyberattacks, the intelligent application of strong authentication is unlikely to be perceived as needless ‘theatre’, nor as an inhibitor to productivity. Instead, it demonstrates an organization’s principles in action, positioning the firm as trustworthy and of integrity. In this way, security can play a part in delivering real competitive advantage and brand differentiation.

The challenge here is to add the layer of friction, in this case the request for an additional user permission, only when the risk warrants it. Such circumstances could include, for example, an attachment arriving from an unrecognized email address, the user being blind copied, or the message displaying other common attributes that indicate spam or malware.
“When someone emails me a Word document and I want to print it, I click ‘Print’. I then get told that, because the file was an attachment, I need to ‘Enable Printing’ before I can proceed. Of course I ‘Enable Printing’; I just clicked ‘Print’! Unfortunately this prompt occurs so often that it becomes an automatic process. I routinely ‘Enable Printing’ without a second thought. Then, as a result, I get infected by malware from a rogue email attachment which I have automatically enabled, thanks to this process.”

Risk-based friction illustrated
6. Only adaptive authentication can deliver the required balance
It is a sound first step to establish static, risk-based policies which determine access requirements based on who is accessing which service. A more powerful and protective step, however, is to define policies based on each access request. Going beyond ‘per-service’ and ‘per-user’ policies to create an additional layer of granularity means that friction can be reduced when it is appropriate to do so but also increased as dictated by increases in circumstantial risk.

A variety of factors should be taken into account here, with different rules applied to different stores of data. Such factors include the sensitivity of customer and company data being protected, the firm’s legal obligations as defined by the authorities in the company’s host country, details of commercial agreements with partner organisations, responsibilities to shareholders or investors, together with any internal sensitivities associated with employee records or financial forecasting. Only by conducting detailed and controlled planning can an enterprise access security policy support both a convenient user experience and provide adequate commercial protection. The pursuit of an entirely frictionless digital environment in the workplace is shortsighted and will lead only to an increase in corporate cybercrime.

Fortunately, flexible and adaptive enterprise-class authentication solutions are now readily available and are more cost-effective than ever before. CSOs that are serious about securing the future of their organisations in today’s age of rampant cybercrime have little option but to sit up and take notice.
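As an added illustration of the per-request, adaptive policy that sections 5.1 and 6 describe (example code written for this page, not Swivel’s product or its policy language), the following Python evaluates constructed access requests: a static per-service and per-user baseline is raised to a step-up challenge by circumstantial risk signals (business-critical data, a request from beyond the perimeter, an unrecognised device), and the prompt is lifted when the current session has already proven enough. The resource names, user names and sensitivity scale are constructed.

```python
from dataclasses import dataclass
from enum import IntEnum


class Assurance(IntEnum):
    """How strongly a request must be authenticated, weakest to strongest."""
    NONE = 0       # nothing proven yet in this session
    PASSWORD = 1   # username and password (UNP) only
    STEP_UP = 2    # UNP plus a second factor, e.g. a one-time code


@dataclass
class AccessRequest:
    user: str
    resource: str
    sensitivity: int                # constructed scale: 0 public .. 3 business-critical
    inside_perimeter: bool          # originates from the managed corporate network
    known_device: bool              # device is enrolled and recognised by the enterprise
    session_assurance: Assurance    # strongest level already achieved in this session


# Static "per-service" and "per-user" policies (constructed sample values).
RESOURCE_BASELINE = {
    "wiki": Assurance.PASSWORD,
    "crm": Assurance.STEP_UP,
    "casefiles": Assurance.STEP_UP,
}
PRIVILEGED_USERS = {"partner", "admin"}


def required_assurance(req):
    """Per-request level: the static baseline, raised by circumstantial risk."""
    reasons = []
    need = RESOURCE_BASELINE.get(req.resource, Assurance.PASSWORD)
    reasons.append(f"baseline for {req.resource}: {need.name}")
    risk = []
    if req.user in PRIVILEGED_USERS:
        risk.append("privileged account")
    if req.sensitivity >= 3:
        risk.append("business-critical data")
    if not req.inside_perimeter:
        risk.append("request from beyond the network perimeter")
    if not req.known_device:
        risk.append("unrecognised device")
    if risk:
        # Any risk signal demands the second factor; the signals are kept for the audit log.
        need = max(need, Assurance.STEP_UP)
        reasons.extend(risk)
    return need, reasons


def decide(req):
    """Return (verdict, level the user must present now, reasons)."""
    need, reasons = required_assurance(req)
    if req.session_assurance >= need:
        # Friction lifted: this session already proved enough, so no re-prompt.
        return "allow", Assurance.NONE, reasons + ["session already meets requirement"]
    return "challenge", need, reasons


if __name__ == "__main__":
    samples = [  # constructed requests, not real traffic
        AccessRequest("alice", "wiki", 1, True, True, Assurance.PASSWORD),
        AccessRequest("alice", "crm", 2, True, True, Assurance.PASSWORD),
        AccessRequest("alice", "crm", 2, True, True, Assurance.STEP_UP),
        AccessRequest("alice", "wiki", 1, False, True, Assurance.PASSWORD),
        AccessRequest("partner", "casefiles", 3, True, False, Assurance.NONE),
    ]
    for r in samples:
        verdict, level, why = decide(r)
        print(f"{r.user:8} {r.resource:10} -> {verdict:9} {level.name:8} ({'; '.join(why)})")
```

The reasons list is what an access log should record alongside the verdict, so that every step-up prompt can later be traced to the signal that caused it.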
7. About Swivel Secure
Established in 2000, Swivel is a pioneering network security solutions provider. Its multi-factor authentication platform, underpinned by PINsafe, the company’s patented one-time-code extraction technology, is recognized as the de facto standard in tokenless authentication technology.

Swivel’s range of static and dynamic risk based authentication capabilities adapt the platform to ensure user experience is optimized without compromising risk. By applying the right level of authentication according to a broad range of factors, Swivel can support a broad array of access control techniques to secure remote, cloud and on-premises services. With the widest range of user deployment options, the Swivel platform delivers two factor authentication via mobile apps, SMS, OATH Tokens and interactive voice response channels, and stronger authentication through integrated in-browser imagery.

Swivel’s established user base includes major blue chip companies as well as SME and public sector organisations. Customers vary from UK NHS Trusts to multi-national logistics organisations, educational institutions, high street retailers, financial institutions and one of the world’s largest IT hardware components manufacturers.

Swivel is an accredited authentication technology for Microsoft Office365 Dedicated, offering primary support for a tokenless environment.

Swivel has an extensive worldwide network of channel partners supported by offices in the UK, US, Europe and Russia. It is a member of the Marr Group, a global investment business.