Tackling the Authentication Challenge: It's About Staying Ahead of Regulations and Risks
Organizations in 2013 will continue to explore new authentication solutions to improve user access to sensitive information. What are the specific solutions employed by this panel of security leaders?
PeaceHealth Southwest Medical Center, which currently uses finger biometrics, is exploring voice as well, although the organization is being cautious before proceeding, says IT security compliance officer Christopher Paidhrin.
"We're exploring voice, but because of our environment and sound issues, we haven't moved there [yet]," he says in an interview with Information Security Media Group [transcript below].
But Paidhrin's organization maintains its strong authentication through the use of employee badges, which act as a second factor for authentication alongside username and password.
The State of Delaware is in the final stages of upgrading its enterprise-wide identity and access management system, which will allow for biometric identifications. "This is a service that enables the users to access multiple applications with single username and credentials, aka single sign-on," says Elayne Starkey, the state's chief security officer.
Matthew Speare of M&T Bank says 2013 is the year to focus on the customer. "We certainly have been examining voice biometrics as well as certificates and soft tokens," the senior vice president of information technology says.
Over the years, Speare explains, the financial services industry has utilized user ID and password as the primary authentication mechanism. "Now, [they need] to do something different," he says.
"We're trying to balance the higher level authentication mechanisms without crushing our telephone banking centers and getting poor end-user experience, because it's quite the shift for them," Speare says. "Any change that you do is a shift."
In this third installment of a four-part interview series, the three security leaders discuss:
- Specific authentication challenges they face;
- New IAM technologies they are exploring;
- How to balance effectiveness with ease-of-use.
About the participants:
Christopher Paidhrin is IT security compliance officer at PeaceHealth Southwest Medical Center, where he has worked for 12 years. Earlier, he worked in higher education, as well as in private sector and entrepreneurial ventures, where he held a number of director-level positions.
Matthew Speare is senior vice president, information technology, at M&T Bank. He is responsible for developing and sustaining an information risk program that effectively protects the personal information of millions of customers of M&T Bank, the nation's 17th largest bank holding company, based in Buffalo, New York.
Elayne Starkey is CSO for the State of Delaware, a role she's held for seven years. She is responsible for the enterprise-wide protection of information assets from high-consequence events, including cyber and physical terrorism and natural disasters.
Authentication: Bank's Perspective
TOM FIELD: Matt, you went into 2012 with the FFIEC authentication guidance sort of in your back pocket, knowing that examiners were going to be coming to your institutions wanting to be talking about online authentication this year. Given that backdrop, how have you tackled the authentication challenge, the identity and access management challenge really?
MATT SPEARE: When you look at not only the requirements, but the way that the history is progressing, how do we have a high level of probability that the customer that's logging in is who they claim to be? With the increase in products and services that we're making available - and I imagine this is no different for Chris or Elayne with healthcare and government - we want to be able to push as many services as we can to the remote channel, be it Internet or mobile, and be able to do so in a manner that's not only secure but has a high level of authorization behind it, meaning that we know that those people logging in are the customers that we're servicing.
[It's] going through and really understanding what your vulnerability points are and conducting that gap analysis between where you're at today and where you believe that you need to be in the future. As part of the FFIEC, from the middle of 2011, that was step one.
Then, you want to go after those products and services that have a higher level of risk to them, and go after those gaps first. In some ways, I think that we're going after it in a way that goes beyond what the regulatory bodies are asking for because this is the update from 2011. Who knows what they'll want for 2014, so we have to do a little bit of guessing to make sure that we can put ourselves in a defensive role position, not just from a regulatory standpoint but also in the cases where customers get breached and lose funds. That also puts us in a very defensive standpoint from legal and reputational risk.
There has been a lot of activity once this gap analysis was completed for implementation of newer technologies, such as anomaly detection coupled with feeding from Internet intelligence agencies so that we have a full picture of not only what's going on with the individual transaction that a customer is attempting to make, but also with the threat landscape as to what the bad guys are trying to do today, and what has been their trend. It's a much more robust ecosystem that we're building.
Just like information security in general, it goes back to Elayne's comment. It's a race that we will never finish and chances are no one will ever win. Our job is just to make sure that we're right in there towards the front-end of the pack. When you think about the way that you look at this battle that goes on between financial institutions and hackers, my job is I will never be able to beat them. They're very well-funded and incredibly creative and have nothing but time on their hands. My job is just to make it painful enough that they want to go down the street and go after a different financial institution, and in this race around authentication you want to be up towards the front of the pack. That continues to make it very difficult for them to be able to breach those authentication mechanisms and get around them so that they'll leave our customers alone.
Authentication in Government & Healthcare
FIELD: I know in healthcare and government you have the same challenges, even if you don't have the same regulatory requirements. Christopher and Elayne, I would love to hear how you have tackled the authentication challenges that you face.
ELAYNE STARKEY: We offer an enterprise-wide identity management service to applications across all of state government, and this is a service that enables the users to access multiple applications with single username and credentials, aka single sign-on. It also relieves the individual applications and the development work there from their burden of writing and re-writing an authentication system with every single internally developed system and just continuing to repeat that functionality over and over. It also provides probably our most popular feature of all, the self-service password management utility, along with that. Those are just a few of the offerings with which we're positioning ourselves. We've done some upgrades this calendar year. We're getting ready for 2013 to be the year when we get applications converted and get a lot of those applications on-boarded to the new IAM system.
CHRISTOPHER PAIDHRIN: Similar to what Elayne was sharing, at PeaceHealth Southwest we have an identity access management solution. It also integrates into our single sign-on solution. Everything's transparent, collaborative and communicates as a synergistic system. We also offer self-service. We're exploring for the New Year service messaging, and by that I mean secure, HIPAA-compliant, including images. That adds a whole extra layer of accountability, responsibility, audit trails and disclosure/exposure issues.
Going back to what we were saying earlier, we all have confidentiality agreements in many different ways. At PeaceHealth Southwest, we require it every year again and again so that there's no question about the ownership and the onus of custodianship on each individual. We have an integrated system and it extends out into our terminal services that individuals remotely log into our portals, deeply integrated into our identity and access management system. The challenge that we're finding is that with so many individuals coming and going, the provisioning aspect needs to be matured so that we do not spend so much time on defining the RBAC for every new individual. We have to improve our processes so that it becomes more automated. While we have single sign-on and while we have self-subscription, the complexity of the services that we offer, the number of applications and that role-based access control, that matrix is too big. We need to streamline it while maintaining the controls in that minimum necessary criterion for HIPAA. That's a big challenge for all of healthcare.
FIELD: There are a number of new authentication solutions that organizations are investigating. I hear a lot about using mobile as an out-of-band methodology. I hear a lot about biometrics, specifically voice biometrics. I'd like to hear from each of you. What are some of the new authentication solutions that you at least are investigating in your organizations? Christopher, why don't you start off?
PAIDHRIN: With our single sign-on solution, we already have built in multiple authentication and multiple authorization schemes. We have finger biometrics, which have been in place for at least the last six years. We're exploring voice, but because of our environment and sound issues, we haven't moved there. We're staying away from retina or iris identification, but we do use strong authentication. We have our badges. Our identification badges not only give us physical access to certain areas, but they also act as a second factor in our authentication for username-password and a badge. Our single sign-on solution allows us to say, "You can use A, B and C in this location, but if you're remote, you have to use B and C." In this way, we have a deeper control of what that strong authentication factor is based upon location, role, responsibility and access to content.
STARKEY: As I mentioned earlier, in Delaware we're in the final weeks right now of upgrading our enterprise-wide identity and access management system. It turned out to be a fairly significant upgrade that has taken us a little bit more time than originally planned, but there are good, significant changes between the old version and the new version which is going to allow us to explore some of the biometric identifications that you mentioned, although at this point we're kind of focusing in on core functionality. We plan on trying to migrate our old version of the applications up to the new versions. That's step one, followed by a round of on-boarding. We have a number of applications patiently waiting in the queue for the new version to be ready so that we can on-board those new applications in the early part of the first quarter of 2013.
SPEARE: When you think about my organization, we've done a lot over the years internally. Realistically, 2012 and 2013 are focused on the customer. In there, you have to balance what's acceptable for the end-user experience, or non-employees, because that's much more problematic for us than the internal employees. We certainly have been examining voice biometrics as well as certificates and soft tokens, mechanisms to provide higher levels of authentication requirements to our customers who are experimenting as to what really will be acceptable to them. Because unfortunately, over the years, at least in the financial services industry, this has been a user ID and password-based authentication mechanism, and much of what we've done over the last few years has been transparent to that, or has actually been hidden from them not knowing what we were doing with anomaly detection. Now, it actually requires them to do something different. We're trying to balance the higher level of authentication mechanisms without crushing our telephone banking centers and getting poor end-user experience, because it's quite the shift for them. Any change that you do is a shift.