
THE RSA AUTHENTICATION DECISION TREE

Select the Best Authentication Solution for Your Business

What is the best authentication solution for my business? This is a recurring question asked by organizations around the globe. With so many new and emerging security products being touted by analysts as the silver-bullet solution, it is critical to recognize that there are many authentication choices available on the market. Before making a final selection, organizations must consider their user authentication needs, the threats targeting their business, their business objectives and the regulatory guidelines that impact their industry. RSA has developed the Authentication Decision Tree, a comprehensive tool to help organizations understand, evaluate and select the most appropriate authentication solution to meet the needs of their users and their business. The RSA Authentication Decision Tree provides a framework to help narrow the selection of authentication solutions based on five critical factors. This white paper provides an overview of the Authentication Decision Tree, examines the five factors critical to selecting an authentication solution, and offers a clear guide to selecting the right solution that effectively balances risk, cost and end user convenience.

The Need for Strong Authentication


Protecting access to information and assuring the identities of users requesting that access is a core element of any security initiative. In the last few years, numerous industry regulations have been issued that require organizations to enact strong authentication security measures to protect against unauthorized access to information. Today, as functionality and technology move to new channels, so do the threats that target sensitive data, driving an increasing demand for strong authentication across the organization.

The online and mobile channels. Recognizing the new business opportunities, cost efficiencies and the customer service aspects associated with providing real-time access to information online, many organizations are offering an increasing number of Web-based customer portals and business applications that enable customers to access and manage their accounts 24/7. Mobile access, smart phones in particular, provides customers with similar access and often offers even more functionality through customized applications.

Remote and mobile access. The global nature of business and employee mobility has forced many organizations to provide around-the-clock access from multiple locations and multiple devices, including mobile devices, to enable employee productivity.

Access for new user populations. Today's organizations are extending access privileges beyond the employee to external contractors, partners and suppliers. These new user populations require on-demand access to proprietary information such as sales forecasts, competitive intelligence, pricing charts, inventory, and customer data.

The State of User Authentication


Despite the fact that password-only authentication is recognized for providing relatively weak security, the use of a single password as a means of assuring user identities continues to dominate. However, the authentication method once viewed as free has actually become expensive in terms of ongoing management and support costs. According to the Help Desk Institute, roughly 30 percent of all help desk calls are for password resets and cost between $25 and $50 per call. New authentication methods continue to appear on the market, making the selection even more challenging for organizations looking to implement a strong authentication strategy. In the enterprise, hardware authenticators still dominate for securing access to corporate resources. Yet employee mobility and the use of mobile phones and PDAs have caused an increase in demand for software authenticators. For consumer-facing portals, risk-based authentication and knowledge-based authentication are common security mechanisms because of their ease of use and their scalability to a mass user base. With so many authentication options available on the market, organizations are finding it difficult to establish an authentication strategy. For many organizations, multiple authentication options can be selected based on factors such as the user population, the value of information being protected, portability and user experience. RSA developed the Authentication Decision Tree to help organizations weigh the assorted options objectively and align the needs of their users and their business to make the optimum choice.

Critical Factors to Consider in Developing an Authentication Strategy


There are five critical factors to consider in developing an appropriate authentication strategy. These five factors are:

1. The value of the information being protected
2. The strength of user authentication to apply
3. Planned usage
4. Needs of the end user population
5. Technical environment

The value of protected information


The first factor to consider is the value of the information to be protected and the cost of unauthorized access to that information. Proprietary business data, bank account and credit card details, health records or personally identifiable information (PII) are all types of information that could be considered high value, and unauthorized access to that information could be costly (e.g., a bank having to assume the costs of unauthorized fund transfers for customers) and detrimental to a company's brand and reputation. The higher the value of the information and the higher the risk to the organization if the data is accessed by an unauthorized user, the stronger the authentication solution needed to protect it.


The strength of user authentication to apply


Considering the user population and the information being accessed by those users can help organizations determine the level of user authentication to apply. For example, organizations cannot force authentication on their customers, so the considerations in selecting a solution for this user base might be convenience and willingness to adopt. For employees and partners, however, organizations have more control over the types of authentication to deploy and will more likely consider features such as portability, total cost of ownership and overall management.

Planned usage
When organizations deploy an authentication solution, there is often more than one business objective to be met. In other words, depending on the user and the types of activities performed, an organization might determine that additional layers of authentication are needed beyond just assuring user identities. For example, a financial institution seeking to decrease its fraud losses might implement a transaction monitoring solution to monitor high-risk money transfers. Another example to consider would be enterprise users. An organization might require certain users that work with and exchange highly sensitive information, such as HR, payroll and finance staff, to have an authentication solution that enables file and e-mail encryption.

End user population


When deploying authentication to an end user community, there are many factors to consider depending on the end user population. From the user's perspective, organizations must consider aspects such as ease of use, the user's willingness to adopt and the information the user will be accessing. From the organization's perspective, consideration must include total cost of ownership, training requirements, scalability to end users and mobility of the solution.

Technical environment
Finally, the technical environment where the solution will be deployed is important in helping to determine such factors as what level of authentication strength to apply. For example, in an environment where desktops are more controlled and anti-virus software is likely to be up to date, security requirements may not be as rigorous compared to a scenario where the user environment is not as controlled and a large percentage of the user population is accessing the network from remote locations around the world. Another technical consideration is the range of end user devices being used for access. For both corporate and customer-facing applications, the end user base is likely to be accessing information from devices ranging from laptops and desktops to PDAs and mobile phones to kiosks. The types of access devices are important in determining the authentication form factors offered to end users. Today, many organizations regularly issue smart phones (e.g., iPhone, Android or BlackBerry) that enable access to corporate e-mail. This relatively new aspect of mobility, often referred to as the consumerization of IT, increases employee productivity and flexibility. These benefits, coupled with the increasing functionality and power of new devices, are fueling the drive for the use of consumer devices for business purposes. But this trend also introduces many issues and questions for the organization, including how to manage the costs of ongoing IT support for the exploding variety of devices, where to draw the line for that support, and how to manage the growing security threats introduced by mobility.


The Authentication Decision Tree


In light of the number of new authentication methods and technologies, the increasing value of information, new user populations requiring access to networks and applications, the proliferation of advanced threats and a complex regulatory environment, organizations are being driven to re-evaluate their existing authentication strategy. There are many existing authentication solutions to evaluate, and market buzz about certain authentication technologies makes the assessment difficult for many organizations. Biometric solutions, for example, enjoy a disproportionate share of media coverage compared to their actual deployment in the market. These solutions require expensive and cumbersome readers, making them impractical for mobile or remote access or for adoption by a mass consumer audience. The RSA Authentication Decision Tree was designed for organizations to evaluate their user and business needs objectively against the readily available authentication technologies on the market in order to ease the decision-making process. As the market has yet to come up with a universal solution that will meet every business requirement and address the security needs for all users and all scenarios, the RSA Authentication Decision Tree can be used to help organizations select the most appropriate authentication solution, or combination of solutions, while balancing risk, cost and end user convenience.

How to Use the Authentication Decision Tree


In determining what solution(s) will work best for an organization, the RSA Authentication Decision Tree examines the following criteria:

1. Control over the end user environment
2. Access methods to be used
3. Requirements of access across multiple locations or devices
4. The need for disk, file or e-mail encryption
5. Fraud prevention
6. Size of the end user base

Control over the end user environment


Control over the end user environment is critical in determining the appropriate authentication method. Considerations include whether the organization is allowed to install software on the end user's system or consumer device, and whether it can dictate the operating system platform an end user is required to work on. Why is this so important? Something as simple as control over the operating system matters because not all authentication solutions are compatible with every operating system. In an enterprise environment, the organization has direct control over the operating systems on user devices. However, there is no control over the operating systems of external users, such as customers and partners, so the authentication method offered to these populations may be different.

Access methods to be used


Access methods are very important in determining an authentication strategy. Some authentication methods only work for accessing Web-based applications, while others can be used to authenticate to multiple, non-Web-based applications. Therefore, taking into account the user, their access rights, and their planned usage will have a direct effect on the authentication methods selected.


Requirements of access across multiple locations or devices


The global nature of business and increased employee mobility has created a demand for around-the-clock access from multiple locations and multiple devices, including mobile devices. For employees or partners, providing the option of anytime, anywhere access is critical to sustaining productivity; for customers, it is important for maintaining customer satisfaction. Above all, providing the anywhere, anytime option for users to access information securely is critical to the continuation of business. Factors to weigh include:

1. Do you need to accommodate user access from varying remote locations?
2. Do you need to accommodate user access from unknown systems such as kiosks, hotel systems or shared workstations?
3. Do you need to accommodate user access from varying devices such as PDAs, mobile phones, or other consumer devices (e.g., tablets)?

The need for disk, file or e-mail encryption


When evaluating an authentication strategy, organizations should consider the other business purposes that they may want the authentication method to address. For example, a healthcare organization might need to encrypt protected health information (PHI) or other personally identifiable information (PII) of a patient as it is transmitted between departments and facilities in order to meet HIPAA regulations. In this instance, the healthcare organization might require individuals with access rights to PHI and PII to access the data only from trusted machines.

Fraud prevention
Some authentication methods are required to monitor transactions and activities that are performed by a user after initial authentication at login in order to prevent fraud. While this scenario is relevant primarily for financial services applications, other industries are beginning to experience targeted attacks, such as phishing and malware, by cybercriminals seeking deeper access to a company's infrastructure in order to collect personal and/or proprietary corporate data that can be sold on the black market.

Size of the end user base


The size of the end user base being protected is important, as cost is often one of the biggest considerations, especially for small to mid-sized businesses. Several authentication solutions are designed, and priced, specifically for a very small or very large user base.

A Myriad of Authentication Possibilities


Passwords
Passwords provide single-factor authentication for assuring user identities. While initial acquisition is free, there are ongoing management and support costs (password resets, for example) which can wind up being expensive in the long term. The level of security provided is very low, and passwords are easily compromised by attackers and shared among individuals.

Knowledge-based authentication
Knowledge-based authentication is a method used to authenticate an individual based on knowledge of personal information, substantiated by a real-time interactive question-and-answer process. The questions presented to a user are gleaned from scanning public record databases, are random, and have not previously been presented to the user.


Risk-based authentication
Risk-based authentication is a system that measures, behind the scenes, a series of risk indicators to assure user identities and/or authenticate online activities. Such indicators include certain device attributes, user behavioral profiles, device profiles and IP geo-location. The higher the risk level presented, the greater the likelihood that an identity or action is fraudulent. If the risk engine determines the authentication request to be above the acceptable policy threshold, risk-based authentication provides the option to step up authentication. In a step-up authentication scenario, a user may be asked to answer a few challenge questions, or to submit an authorization code delivered to a phone via SMS (text) message or e-mail.
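Risk scoring with a step-up decision, as an added example that is not the paper's or RSA's own engine: a toy risk engine that scores a login attempt against the user's learned profile using the indicator classes named above (device attributes, IP geo-location, behavioral profile) and steps up when the score reaches the policy threshold. The weights, threshold, user names and device identifiers are constructed assumptions.

```python
"""Toy risk-based authentication engine with step-up (added example, not RSA's engine).

A login attempt is scored against what the engine has learned about the user;
scores at or above the policy threshold require step-up authentication
(challenge questions, SMS code). Weights and threshold are constructed values.
"""
from dataclasses import dataclass, field

STEP_UP_THRESHOLD = 50          # policy: scores >= this trigger step-up
WEIGHTS = {
    "unknown_device": 50,       # device cookie/fingerprint never seen for this user
    "unusual_country": 35,      # IP geo-location outside the user's usual countries
    "unusual_hour": 10,         # outside the user's usual login hours (behavioral profile)
    "recent_failure": 5,        # per recent failed attempt, capped by MAX_FAILURE_SCORE
}
MAX_FAILURE_SCORE = 20


@dataclass
class UserProfile:
    """What the engine has learned about one user from past successful logins.
    A brand-new user has an empty profile, so every indicator fires and the
    first login from a never-seen device is always stepped up."""
    user: str
    known_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)
    usual_hours: set = field(default_factory=set)   # hours of day, 0-23


@dataclass(frozen=True)
class LoginAttempt:
    user: str
    device_id: str        # identifier presented by the client (cookie or fingerprint)
    country: str          # derived from IP geo-location
    hour: int             # hour of day of the attempt
    recent_failures: int  # failed attempts on this account in the recent past


def score_attempt(profile: UserProfile, attempt: LoginAttempt):
    """Return (risk_score, triggered_indicators) for one attempt."""
    indicators = []
    score = 0
    if attempt.device_id not in profile.known_devices:
        indicators.append("unknown_device")
        score += WEIGHTS["unknown_device"]
    if attempt.country not in profile.usual_countries:
        indicators.append("unusual_country")
        score += WEIGHTS["unusual_country"]
    if attempt.hour not in profile.usual_hours:
        indicators.append("unusual_hour")
        score += WEIGHTS["unusual_hour"]
    if attempt.recent_failures:
        indicators.append("recent_failures")
        score += min(attempt.recent_failures * WEIGHTS["recent_failure"], MAX_FAILURE_SCORE)
    return score, indicators


def decide(profile: UserProfile, attempt: LoginAttempt) -> str:
    """Apply policy: 'allow' silently, or 'step_up' for additional authentication."""
    score, _ = score_attempt(profile, attempt)
    return "step_up" if score >= STEP_UP_THRESHOLD else "allow"


def record_success(profile: UserProfile, attempt: LoginAttempt) -> None:
    """After the user proves identity (directly or via step-up), learn the context
    so the same device, location and hour score low next time."""
    profile.known_devices.add(attempt.device_id)
    profile.usual_countries.add(attempt.country)
    profile.usual_hours.add(attempt.hour)


def demo_profile() -> UserProfile:
    """Constructed sample user: one known laptop, US logins during office hours."""
    return UserProfile("alice", {"laptop-fp-1"}, {"US"}, set(range(8, 19)))


if __name__ == "__main__":
    profile = demo_profile()
    attempts = [  # constructed sample attempts
        LoginAttempt("alice", "laptop-fp-1", "US", 10, 0),   # normal
        LoginAttempt("alice", "phone-fp-9", "US", 10, 0),    # new device
        LoginAttempt("alice", "laptop-fp-1", "BR", 3, 6),    # odd place/time, failures
    ]
    for a in attempts:
        score, why = score_attempt(profile, a)
        print(f"{a.device_id:12} {a.country} {a.hour:02d}h -> {decide(profile, a):7} "
              f"score={score} indicators={why}")
```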

One-time password authentication


One-time password (OTP) authentication is a leading two-factor authentication solution; it is based on something you know (a PIN or password) and something you have (an authenticator). The authenticator generates a new OTP code every 60 seconds, making it difficult for anyone other than the genuine user to input the correct code at any given time. To access information or resources protected by one-time password technology, users simply combine their secret personal identification number (PIN) with the token code that appears on their authenticator display at that given time. The result is a unique, one-time password that is used to positively assure a user's identity. One-time password technology is available in many form factors, including:

Hardware authenticators. Traditional hardware authenticators (sometimes referred to as key fobs) are portable devices that are small enough to fit on a key chain and meet the needs of users who prefer a tangible solution or who access the Internet from a number of different locations.

Software authenticators. Software authenticators (for PCs, USB drives, or mobile devices) are typically offered as an application or in a toolbar format that is securely placed on a user's desktop, laptop or mobile device.

On-demand. On-demand authentication involves delivery of a unique OTP on demand via SMS (text message) to a mobile device or a user's registered e-mail address. Upon receipt of the unique OTP, a user simply enters it, along with their PIN when challenged, to gain access to their corporate network or an online application.
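The PIN-plus-token-code scheme described above, as an added example that is not the paper's or RSA's code: it uses the open TOTP algorithm (RFC 6238, HMAC-SHA1) with the 60-second step the paper describes, not RSA SecurID's proprietary algorithm, and the seed and PIN are constructed values. The server-side verifier tolerates one step of clock drift in either direction and never accepts the same code twice, which is what makes the passcode one-time.

```python
"""Time-based one-time passcode verifier (added example; standard TOTP per RFC 6238,
not RSA SecurID's proprietary algorithm). Seed and PIN used below are constructed."""
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 60   # the paper's cadence: a new token code every 60 seconds
DIGITS = 6
DRIFT_STEPS = 1     # tolerate one step of clock skew between authenticator and server


def token_code(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP dynamic truncation (RFC 4226 section 5.3) of HMAC-SHA1(seed, counter)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def time_counter(now: int, step: int = STEP_SECONDS) -> int:
    """Counter derived from Unix time; authenticator and server compute the same value."""
    return now // step


def current_code(seed: bytes, now: int) -> str:
    """What the user's authenticator displays at time `now`."""
    return token_code(seed, time_counter(now))


class OtpVerifier:
    """Server side: holds one user's PIN and seed record, verifies PIN + token code."""

    def __init__(self, pin: str, seed: bytes):
        self._pin = pin
        self._seed = seed
        self._last_counter = -1   # highest counter already redeemed; never accept it again

    def verify(self, passcode: str, now: int) -> bool:
        """passcode = PIN immediately followed by the 6-digit token code."""
        if len(passcode) != len(self._pin) + DIGITS:
            return False
        pin, code = passcode[:len(self._pin)], passcode[len(self._pin):]
        # Constant-time comparisons; every candidate counter is checked so timing
        # does not reveal which part (PIN or code) was wrong.
        pin_ok = hmac.compare_digest(pin.encode(), self._pin.encode())
        base = time_counter(now)
        matched = None
        for counter in range(base - DRIFT_STEPS, base + DRIFT_STEPS + 1):
            if hmac.compare_digest(code.encode(), token_code(self._seed, counter).encode()):
                matched = counter
        if not pin_ok or matched is None or matched <= self._last_counter:
            return False   # wrong PIN, wrong code, or a replayed/stale code
        self._last_counter = matched
        return True


if __name__ == "__main__":
    seed = b"constructed-seed-record-not-for-real-use"   # constructed sample seed
    verifier = OtpVerifier("1234", seed)                 # constructed sample PIN
    now = int(time.time())
    passcode = "1234" + current_code(seed, now)
    print("first use:", verifier.verify(passcode, now))  # True
    print("replay:   ", verifier.verify(passcode, now))  # False: already redeemed
```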

Digital certificates
A digital certificate is a unique electronic document containing information that identifies the person or machine to which it is bound. The digital certificate can be stored on a desktop, smart card or USB token. For stronger two-factor authentication, the digital certificate can be locked on a smart card or USB token, requiring the user to enter a PIN in order to unlock the certificate and use the credential. The digital certificate can then be used to authenticate a user to a network or application. In addition to being used for user authentication, digital certificates can add value to the enterprise by enabling digital signatures or e-mail encryption. Digital certificates can also be combined with OTP deployments using a hybrid authenticator. In this case, the hybrid authenticator stores multiple credentials and streamlines the end user experience. A common use case for a combined certificate and OTP deployment is to unlock hard disk encryption with a digital certificate, followed by authentication to a VPN with a one-time password.


Analyzing the Authentication Attributes


Once an organization assesses the needs of its business and its users, selecting the appropriate authentication strategy based on the available choices ultimately is a tradeoff among a number of variables:

1. Strength of security
2. Typical use case
3. Client-side requirements
4. Portability
5. Multiple use
6. User challenges
7. Distribution requirements
8. System requirements
9. Cost

The RSA Authentication Decision Tree can help organizations make the relevant comparisons among the authentication methods that are designed to meet their requirements. By using this simple framework, organizations are provided with an objective assessment of the leading authentication solutions. While cost is an important consideration, organizations must consider a number of other elements in determining what is most suitable to their needs. Too often, the focus is on acquisition cost alone, but one only needs to look to password-only authentication to see that cost should never be the only consideration. Passwords are essentially free in terms of acquisition cost; however, they are surprisingly expensive in terms of ongoing management and support costs.

RSA Solutions
For more than 25 years, RSA has been a leading provider of strong two-factor authentication solutions. RSA offers a variety of solutions to help businesses of all sizes provide strong authentication while balancing risk, cost and end user convenience.

RSA SecurID Authentication


RSA SecurID one-time password technology provides a leading two-factor authentication solution; it is based on something you know (a PIN or password) and something you have (an authenticator). The authenticator itself can be one of a variety of formats, or form factors, which are described later in this section. RSA SecurID authentication uses a unique symmetric key (or seed record) that is combined with a proven algorithm to generate a new one-time password (OTP) every 60 seconds. Patented technology synchronizes each authenticator with the security server, ensuring a high level of security. To access resources that are protected by the RSA SecurID system, users simply combine their secret Personal Identification Number (PIN) with the token code that appears on their authenticator display at that given time. The result is a unique, one-time password that is used to positively assure a user's identity. RSA SecurID authentication is available in the following form factors to meet the needs of organizations and their users:

Hardware Authenticators
From a usability perspective, traditional hardware authenticators (sometimes referred to as key fobs) are small enough to fit on a key chain and meet the needs of users who prefer a tangible solution or access the Internet from a number of different locations.


Hybrid Authenticator with Digital Certificates


The RSA SecurID 800 authenticator is a hybrid device that combines the simplicity and portability of SecurID authentication with the power and flexibility of a smart card in one convenient USB form factor. The 800 offers standards-compliant digital certificate support for disk and file encryption, authentication, signing and other applications, and strengthens simple password authentication by storing users' domain credentials on a hardened security device. By combining multiple credentials and applications in a single device, the 800 is a master key that enables strong authentication across a heterogeneous IT environment in a way that is both simple and seamless for the end user.

An Authentication Decision Tree Scenario


Company profile: A large healthcare organization representing several regional hospitals and specialty health centers that serves more than 1.5 million patients.

User groups: Physicians, payers and insurers, patients and healthcare administrators.

Business and user needs: Physicians are constantly on the go, moving among multiple facilities, and stay connected to healthcare and patient records through a laptop, BlackBerry or other mobile device. This enables instant, secure access to pertinent health records to ensure the highest quality of patient care. Payers and insurers need access to patient records, medical history and services performed in order to settle or adjust claims. Healthcare administrators are always in need of access to protected health information and personally identifiable information (PII) of patients. From case workers to billing specialists, access to patient information is critical to their job performance. Patients are provided access to their personal information and medical history through a Web-enabled portal. In addition to making updates to their personal information, they are provided a number of other convenient online services such as the ability to schedule appointments, submit prescription renewal requests and pay medical bills.

Authentication choices: With a diverse user base that requires access to various systems and for different needs, this healthcare organization would likely need to consider a myriad of authentication solutions, including:

1. Physicians: Software-based OTP for mobile devices
2. Payers and insurers: Hardware tokens
3. Healthcare administrators: Hardware tokens
4. Patients: Risk-based authentication


Software Authenticators
RSA SecurID software authenticators use the same algorithm as RSA SecurID hardware authenticators but provide an added benefit for mobile users by eliminating the need to carry dedicated hardware devices. Instead of being stored in SecurID hardware, the symmetric key is safeguarded securely on the user's PC, smart phone or USB device.

Mobile Devices
RSA SecurID software authenticators are available for a variety of smart phone platforms including BlackBerry, iPhone, Android, Microsoft Windows Mobile, Java ME, Palm OS, Symbian OS and UIQ devices.

Microsoft Windows Desktops


The RSA SecurID Token for Windows Desktops is a convenient form factor that resides on a PC and enables automatic integration with leading remote access clients.

OTP Token Toolbar


The RSA SecurID Toolbar Token combines the convenience of auto-fill capabilities for Web applications with the security of anti-phishing mechanisms.

On-demand (delivered via SMS or e-mail)


RSA On-demand Authentication delivers a unique one-time password on demand via SMS (text message) to a mobile device or a user's registered e-mail address. Upon receipt of the unique OTP, a user simply enters it, along with their PIN when challenged, to gain access to their corporate network or an online application.

RSA Authentication Manager Express


RSA Authentication Manager Express is a strong multi-factor authentication platform that provides cost-effective protection for small- to mid-sized organizations. Authentication Manager Express works with leading SSL VPNs and Web-based applications to enable strong authentication and secure access to protected applications and data. Authentication Manager Express is powered by RSA risk-based authentication technology, the same technology that protects the identities of more than 250 million users worldwide. This sophisticated system measures a series of risk indicators behind the scenes to assure user identities. RSA Authentication Manager Express considers multiple factors in determining the risk associated with each access request, including:

1. Something the user knows, such as a username and password
2. Something the user has, such as a laptop, desktop PC, or mobile device
3. Something the user does, such as recent authentication and account activity

RSA Authentication Manager Express can invoke additional authentication methods in the event an access request does not meet the required assurance level. This is especially true in situations where a remote user is logging in from a device that is not recognized and has not been previously used to access the network. RSA Authentication Manager Express provides two methods for additional authentication: out-of-band SMS and challenge questions. RSA Authentication Manager Express is delivered on a plug-and-play appliance and supports up to 2,500 users.


RSA Adaptive Authentication


RSA Adaptive Authentication is a multi-channel authentication and fraud detection platform that provides cost-effective protection for an entire user base. Adaptive Authentication actively introduces additional identifiers with the simple addition of a cookie and/or a flash shared object (also referred to as a flash cookie), which serves as a more unique identifier of a user's device. The solution provides strong and convenient protection by monitoring and authenticating user activities based on risk levels, institutional policies and user segmentation. Powered by RSA's risk-based authentication technology, Adaptive Authentication tracks over one hundred indicators to identify potential fraud, including device profiles, IP geo-location and user behavioral profiles. Each activity is assigned a unique risk score; the higher the score, the greater the likelihood that an activity is fraudulent. Adaptive Authentication offers behind-the-scenes monitoring that is invisible to the user. Only when an activity is deemed to be high-risk is a user challenged to provide additional authentication, usually in the form of challenge questions or out-of-band phone authentication. With low challenge rates and high completion rates, Adaptive Authentication offers strong protection and superior usability and is an ideal solution for deployment to a large user base. RSA Adaptive Authentication is available in both SaaS (software as a service) and on-premise deployments. The solution is highly scalable and can support millions of users.

RSA Identity Verification


RSA Identity Verification utilizes knowledge-based authentication to assure user identities in real time. RSA Identity Verification presents a user with a series of top-of-mind questions utilizing information on the individual that is obtained by scanning dozens of public record databases. Within seconds, RSA Identity Verification delivers a confirmation of identity, without requiring any prior relationship with the user. RSA Identity Verification also provides improved accuracy in authenticating users with the Identity Event Module. The Identity Event Module improves security by measuring the level of risk associated with an identity and allowing the system to be configured to adjust the difficulty of the questions automatically during the authentication process in order to meet the specific nature of the risk. Some of the identity events that are measured include:

Public record searches. Suspicious access to a user's public record reports.

Identity velocity. A high volume of activity associated with an individual at several businesses.

IP velocity. Multiple authentication requests generated from the same IP address.


RSA Certificate Manager


The RSA Certificate Manager is an Internet-based certificate authority solution that provides core functionality for issuing, managing and validating digital certificates. It includes a secure Web server, a powerful signing engine for digitally signing end user certificates, and an integrated data repository for storing certificates, system data and certificate status information. The RSA Certificate Manager was the first to be Common Criteria certified and is also IdenTrust certified. Certificate Manager is built using open industry standards, making it interoperable with hundreds of standards-based applications out of the box. Therefore, it can be leveraged across other applications, including Web browsers, e-mail and VPN clients, to ensure maximum return on investment. It also provides the option to store credentials in Web browsers or on smart cards and USB tokens. For example, RSA digital certificates can be combined with the SecurID 800 hybrid authenticator to consolidate multiple credentials on a single device, simplifying the end user experience. Additional components of the RSA Digital Certificate Solution include RSA Registration Manager, RSA Validation Manager, RSA Key Recovery Module and RSA Root Signing Services.


About RSA
RSA is the premier provider of security, risk and compliance solutions, helping the world's leading organizations succeed by solving their most complex and sensitive security challenges. These challenges include managing organizational risk, safeguarding mobile access and collaboration, proving compliance, and securing virtual and cloud environments. Combining business-critical controls in identity assurance, data loss prevention, encryption and tokenization, fraud protection and SIEM with industry-leading eGRC capabilities and consulting services, RSA brings trust and visibility to millions of user identities, the transactions that they perform and the data that is generated.

RSA, the RSA logo, EMC², EMC and "where information lives" are registered trademarks or trademarks of EMC Corporation in the United States and other countries. All other trademarks used herein are the property of their respective owners. © 2011 EMC Corporation. All rights reserved. Published in the USA.

www.rsa.com

DECTREE WP 0711
