What is the best authentication solution for my business? This is a recurring question asked by organizations around the globe. With analysts regularly presenting each new and emerging security product as the silver bullet, it is critical to recognize that there are many authentication choices available on the market. Before making a final selection, organizations must consider their user authentication needs, the threats targeting their business, their business objectives and the regulatory guidelines that impact their industry. RSA has developed the Authentication Decision Tree, a comprehensive tool to help organizations understand, evaluate and select the most appropriate authentication solution to meet the needs of their users and their business. The RSA Authentication Decision Tree provides a framework to help narrow the selection of authentication solutions based on five critical factors. This white paper provides an overview of the Authentication Decision Tree, examines the five factors critical to selecting an authentication solution, and offers a clear guide to selecting the right solution, one that effectively balances risk, cost and end user convenience.
White Paper
Remote and mobile access. The global nature of business and employee mobility has forced many organizations to provide around-the-clock access from multiple locations and multiple devices, including mobile devices, to enable employee productivity.
Access for new user populations. Today's organizations are extending access privileges beyond the employee to external contractors, partners and suppliers. These new user populations require on-demand access to proprietary information such as sales forecasts, competitive intelligence, pricing charts, inventory and customer data.
Planned usage
When organizations deploy an authentication solution, there is often more than one business objective to be met. In other words, depending on the user and the types of activities performed, an organization might determine that additional layers of authentication are needed beyond simply assuring user identities. For example, a financial institution seeking to decrease its fraud losses might implement a transaction monitoring solution to watch high-risk money transfers. Another example is enterprise users: an organization might require certain users who work with and exchange highly sensitive information, such as HR, payroll and finance staff, to have an authentication solution that also enables file and e-mail encryption.
Technical environment
Finally, the technical environment where the solution will be deployed is important in helping to determine such factors as what level of authentication strength to apply. For example, in an environment where desktops are tightly controlled and anti-virus software is likely to be up to date, authentication requirements may not need to be as rigorous as in a scenario where the user environment is less controlled and a large percentage of the user population accesses the network from remote locations around the world. Another technical consideration is the range of end user devices being used for access. For both corporate and customer-facing applications, the end user base is likely to be accessing information from devices ranging from laptops and desktops to PDAs, mobile phones and kiosks. The types of access devices are important in determining which authentication form factors can be offered to end users. Today, many organizations regularly issue smart phones (e.g., iPhone, Android or BlackBerry) that enable access to corporate e-mail. This relatively new aspect of mobility, often referred to as the consumerization of IT, increases employee productivity and flexibility. These benefits, coupled with the increasing functionality and power of new devices, are fueling the drive to use consumer devices for business. But the trend also introduces many issues and questions for the organization, including how to manage the costs of ongoing IT support for the exploding variety of devices, where to draw the line for that support, and how to manage the growing security threats introduced by mobility.
Fraud prevention
Some authentication deployments must also monitor the transactions and activities a user performs after the initial login in order to prevent fraud. While this scenario is relevant primarily to financial services applications, other industries are beginning to experience targeted attacks, such as phishing and malware, by cybercriminals seeking deeper access to a company's infrastructure in order to collect personal and/or proprietary corporate data that can be sold on the black market.
Knowledge-based authentication
Knowledge-based authentication is a method of authenticating an individual based on knowledge of personal information, substantiated by a real-time, interactive question-and-answer process. The questions presented to the user are gleaned from public record databases, are selected at random, and, unlike pre-registered secret questions, have not been shown to the user before. Because the answers come from public records, the strength of the check rests on how hard those records are for an impostor to obtain.
Risk-based authentication
Risk-based authentication is a system that measures, behind the scenes, a series of risk indicators to assure user identities and/or authenticate online activities. Such indicators include certain device attributes, user behavioral profiles, device profiles and IP geolocation. The higher the risk level presented, the greater the likelihood that an identity or action is fraudulent. If the risk engine determines that the authentication request scores above the threshold set by policy, risk-based authentication provides the option to step up authentication. In a step-up scenario, the user may be asked to answer a few challenge questions or to submit an authorization code delivered to a phone via SMS (text) message or e-mail.
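The following Python example illustrates the mechanics described above: a small risk engine that scores an access request against the user's profile using the kinds of indicators the text lists (device fingerprint, IP geolocation, behavioral baseline) and returns allow, step-up or deny. It is an added illustration, not RSA's risk engine; every indicator, weight, threshold and the user profile and events are assumptions constructed for the example. It also scores a transaction amount, which covers the post-login transaction monitoring mentioned under planned usage and fraud prevention.

```python
"""Risk-based authentication: score each access request against the user's
profile and pick allow / step-up / deny.

Added illustration, not RSA's risk engine. Indicators, weights and thresholds
are assumptions chosen for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import math

UTC = timezone.utc


@dataclass
class UserProfile:
    """What this user normally looks like (built from accepted past logins)."""
    known_devices: set      # device fingerprints seen before
    usual_countries: set    # countries (from IP geolocation) seen before
    usual_hours: range      # UTC hours during which the user normally logs in
    last_fix: tuple         # (lat, lon, datetime) of the last accepted login
    typical_amount: float   # typical transfer size, 0 if no transaction history


@dataclass
class AccessEvent:
    device_id: str          # device fingerprint presented by the client
    country: str            # from IP geolocation
    lat: float
    lon: float
    when: datetime
    amount: float = 0.0     # 0 for a plain login, >0 for a money transfer


# Assumed weights per risk indicator and policy thresholds on a 0-100 scale.
WEIGHTS = {
    "unknown_device": 40,
    "new_country": 30,
    "impossible_travel": 50,
    "odd_hour": 10,
    "large_amount": 30,
}
STEP_UP_AT = 30         # at or above this: ask for a challenge / SMS code
DENY_AT = 80            # at or above this: refuse outright
MAX_SPEED_KMH = 900.0   # faster than an airliner between two logins = impossible travel


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on Earth, in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def score_event(profile, event):
    """Return (score, reasons): the indicators that fired and their capped sum."""
    reasons = []
    if event.device_id not in profile.known_devices:
        reasons.append("unknown_device")
    if event.country not in profile.usual_countries:
        reasons.append("new_country")
    lat, lon, seen = profile.last_fix
    hours = (event.when - seen).total_seconds() / 3600
    if hours > 0 and haversine_km(lat, lon, event.lat, event.lon) / hours > MAX_SPEED_KMH:
        reasons.append("impossible_travel")
    if event.when.hour not in profile.usual_hours:
        reasons.append("odd_hour")
    if profile.typical_amount and event.amount > 5 * profile.typical_amount:
        reasons.append("large_amount")
    score = min(100, sum(WEIGHTS[r] for r in reasons))
    return score, reasons


def decide(score):
    """Map a score onto the policy outcome."""
    if score >= DENY_AT:
        return "deny"
    if score >= STEP_UP_AT:
        return "step-up"
    return "allow"


def evaluate(profile, event):
    """Convenience wrapper: (decision, score, reasons)."""
    score, reasons = score_event(profile, event)
    return decide(score), score, reasons


# Constructed profile: a New York user on one laptop, office hours, ~$500 transfers.
PROFILE = UserProfile(
    known_devices={"fp-7a1c"},
    usual_countries={"US"},
    usual_hours=range(7, 20),
    last_fix=(40.71, -74.01, datetime(2011, 7, 12, 9, 0, tzinfo=UTC)),
    typical_amount=500.0,
)

# Constructed events to score against that profile.
EVENTS = {
    "normal": AccessEvent("fp-7a1c", "US", 40.73, -73.99, datetime(2011, 7, 12, 10, 30, tzinfo=UTC)),
    "new_laptop": AccessEvent("fp-9e02", "US", 40.73, -73.99, datetime(2011, 7, 12, 11, 0, tzinfo=UTC)),
    "big_transfer": AccessEvent("fp-7a1c", "US", 40.73, -73.99, datetime(2011, 7, 12, 12, 0, tzinfo=UTC), amount=4000.0),
    "moscow_1h_later": AccessEvent("fp-9e02", "RU", 55.75, 37.62, datetime(2011, 7, 12, 10, 0, tzinfo=UTC)),
}

if __name__ == "__main__":
    for name, ev in EVENTS.items():
        print(name, evaluate(PROFILE, ev))
```

The familiar laptop in the usual place scores 0 and is allowed; an unfamiliar device or an unusually large transfer crosses the step-up threshold, which is where the challenge questions or SMS code from the text would be requested; a login from Moscow one hour after an accepted New York login trips unknown device, new country and impossible travel together and is denied outright. In a real engine the weights come from observed fraud rates and the profile is updated only from logins that passed.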
Digital certificates
A digital certificate is a unique electronic document containing information that identifies the person or machine to which it is bound. The certificate and its private key can be stored on a desktop, smart card or USB token. For stronger two-factor authentication, the private key can be locked on a smart card or USB token, requiring the user to enter a PIN in order to unlock it and use the credential. The certificate can then be used to authenticate the user to a network or application. In addition to user authentication, digital certificates add value to the enterprise by enabling digital signatures and e-mail encryption. Digital certificates can also be combined with OTP deployments using a hybrid authenticator, which stores multiple credentials on one device and streamlines the end user experience. A common use case for a combined certificate and OTP deployment is to unlock hard disk encryption with the digital certificate and then authenticate to a VPN with a one-time password.
The RSA Authentication Decision Tree can help organizations make the relevant comparisons among the authentication methods designed to meet their requirements. This simple framework gives organizations an objective assessment of the leading authentication solutions. While cost is an important consideration, organizations must weigh a number of other elements in determining what is most suitable to their needs. Too often the focus is on acquisition cost alone; password-only authentication shows why cost should never be the only consideration. Passwords are essentially free in terms of acquisition cost, yet surprisingly expensive in terms of ongoing management and support costs.
RSA Solutions
For more than 25 years, RSA has been a leading provider of strong two-factor authentication solutions. RSA offers a variety of solutions to help businesses of all sizes provide strong authentication while balancing risk, cost and end user convenience.
Hardware Authenticators
From a usability perspective, traditional hardware authenticators (sometimes referred to as key fobs) are small enough to fit on a key chain and meet the needs of users who prefer a tangible solution or who access the Internet from a number of different locations.
Software Authenticators
RSA SecurID software authenticators use the same algorithm as RSA SecurID hardware authenticators but provide an added benefit for mobile users by eliminating the need to carry a dedicated hardware device. Instead of being stored in SecurID hardware, the symmetric key (the token seed) is safeguarded on the user's PC, smart phone or USB device. Because the seed then lives on a general-purpose device, the strength of the second factor depends on how well that device protects it.
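Both the hardware and software authenticators described above derive one-time codes from a symmetric seed shared with the authentication server. The Python example below shows that arrangement end to end: the token side computing a code from the seed and the current time, and the server side verifying it with a small clock-skew window while refusing to accept the same time step twice. It is an added illustration using the HMAC-based TOTP construction of RFC 6238 (with RFC 4226 HOTP underneath) as a stand-in; RSA SecurID's token algorithm is proprietary and is not what this code implements. The seed is the published RFC test secret and the timestamps are constructed for the example.

```python
"""Time-based one-time password: token and server sides sharing a symmetric seed.

Added illustration using RFC 6238 TOTP (HMAC-SHA1, 30-second steps, 6 digits)
as a stand-in for a proprietary token algorithm. Seed and timestamps are
constructed for the example.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 30
DIGITS = 6

# Constructed seed: the test secret from RFC 4226 / RFC 6238. A real seed is
# generated per token and delivered to the user out of band.
SEED = b"12345678901234567890"


def hotp(seed, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer, reduced to `digits` decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed, unix_time, step=STEP_SECONDS):
    """Token side: the HOTP counter is the number of time steps since the epoch."""
    return hotp(seed, unix_time // step)


class TotpVerifier:
    """Server side. Accepts a code within +/- `window` steps of its own clock
    (tolerating small clock drift between token and server) and never accepts
    a time step at or below one already consumed, so an intercepted code
    cannot be replayed within its validity window."""

    def __init__(self, seed, window=1, step=STEP_SECONDS):
        self.seed = seed
        self.window = window
        self.step = step
        self.last_counter = -1   # highest counter value already accepted

    def verify(self, code, now):
        counter = now // self.step
        for delta in range(-self.window, self.window + 1):
            c = counter + delta
            if c <= self.last_counter:
                continue   # already used, or older than a code already accepted
            if hmac.compare_digest(hotp(self.seed, c), code):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    server = TotpVerifier(SEED)
    shown = totp(SEED, 59)           # what the token displays at t=59
    print("token shows", shown)
    print("first use  ", server.verify(shown, 59))
    print("replayed   ", server.verify(shown, 70))
```

The verifier keeps only the last accepted counter per token, which is enough to block replay of a code the user has already used; it must be stored server side with the seed. The RFC 4226 vectors (counter 0 gives 755224, counter 1 gives 287082) make it easy to confirm the arithmetic against the standard before wiring the code to a real seed store.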
Mobile Devices
RSA SecurID software authenticators are available for a variety of smart phone platforms, including BlackBerry, iPhone, Android, Microsoft Windows Mobile, Java ME, Palm OS, Symbian OS and UIQ devices.
About RSA
RSA is the premier provider of security, risk and compliance solutions, helping the world's leading organizations succeed by solving their most complex and sensitive security challenges. These challenges include managing organizational risk, safeguarding mobile access and collaboration, proving compliance, and securing virtual and cloud environments. Combining business-critical controls in identity assurance, data loss prevention, encryption and tokenization, fraud protection and SIEM with industry-leading eGRC capabilities and consulting services, RSA brings trust and visibility to millions of user identities, the transactions that they perform and the data that is generated.
RSA, the RSA logo, EMC², EMC and "where information lives" are registered trademarks or trademarks of EMC Corporation in the United States and other countries. All other trademarks used herein are the property of their respective owners. © 2011 EMC Corporation. All rights reserved. Published in the USA.
www.rsa.com
DECTREE WP 0711