It’s in the news quite a bit: compromised network access has resulted in the theft of millions of users' data. Microsoft, Evernote, Target, Facebook, Apple... they've all suffered embarrassing hacks.
Over the past few years there has been a growing realization that virtual assets (information) are just as important to keep safe as physical assets (the laptop). In the physical security world, we would never rely on just one method to protect an asset. We use layers of security, just like an onion. The outer layer is a fence, followed by CCTV surveillance, then door locks coupled with intrusion, glass-break, volumetric and audio sensors, and finally a fire-rated safe in the basement bolted to the concrete.
In the virtual world, however, we rarely see companies taking the same approach. The physical server is locked away safely, but the information is still accessed the same way I used to access it in 1997: with a username and password. VPNs have made the connection a little more secure, but they still do not authenticate the user any more rigorously.
The layered approach to security in the physical world needs to be duplicated in the virtual world. Each physical layer can be equated with a virtual "authentication" layer. If you require access to the information, then additional layers, or authentication factors, are applied. These factors of authentication can make a real difference in information security.
Factors required to assert authentication can be broken down into:
1. Something you know (PINs, passwords, etc.)
2. Something you have (a card or credential or license)
3. Something you are (a biometric measurement of your physical characteristics)
When protecting information, always use this layered approach. If the information is not sensitive, a single factor (like a network username and password) is enough. If the information contains personal or client information, then you must incorporate at least two factors of authentication in the process to gain access to the information. If you are guarding company secrets, intellectual property, pharmaceutical recipes or atomic plans, then adding a biometric requirement to the process gives you three-factor authentication to retrieve the information.
Two-factor authentication has been mandated by several federal authorities in the US and Canada. The Canadian Police Information Centre (CPIC) mandated many years ago that by April 2009, any request for sensitive information from their system must comply with two-factor authentication methods. Private companies are now also beginning to realize the effectiveness of such security.
Another often overlooked aspect of using two-factor authentication is the efficiency of the process. Usernames are largely eliminated, and password recovery support, which can take up to 50% of a technical support department’s time, is built into the system. The user only has to remember a PIN (if two factors are required) along with the card, and a secure connection is established. The user can reset the PIN at any time by answering three personal questions that they chose at the time of enrolment.
Two-factor authentication can also be centrally managed, tied to group policies within a network environment, and pushed out to all PCs requiring access. Users with existing building cards can use those same cards to enroll for the very first time, without attending the “security card office” or calling IT to do it for them. Out-of-office access, or logins on remote/mobile PCs, can also be accommodated.
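As an added illustration (not code from the original article), here is a small policy check that encodes the tiers above. The point it makes explicit is that factors are counted by type, not by credential: a password plus a security question is still only "something you know", so it does not satisfy a two-factor requirement. The classification labels and factor names are assumptions for the example.

```python
# Added example, not from the original article: map information sensitivity
# to the minimum number of distinct authentication factor TYPES required.
from enum import Enum


class Factor(Enum):
    KNOW = "something you know"   # PIN, password
    HAVE = "something you have"   # card, credential, licence
    ARE = "something you are"     # biometric measurement


# Sensitivity tier -> minimum number of distinct factor types (assumed labels).
REQUIRED_FACTORS = {
    "public": 1,        # non-sensitive: username + password suffices
    "personal": 2,      # personal or client information
    "trade_secret": 3,  # company secrets, IP, recipes, plans
}


def distinct_factor_types(presented):
    """Count factor types, not credentials: two passwords are one factor."""
    return len({factor for factor, _ in presented})


def access_allowed(classification, presented):
    """presented: list of (Factor, label) pairs that were each already
    verified on their own; this only checks the layering policy."""
    return distinct_factor_types(presented) >= REQUIRED_FACTORS[classification]


def missing_factors(classification, presented):
    """Factor types still needed for this tier, in know/have/are order."""
    held = {factor for factor, _ in presented}
    shortfall = REQUIRED_FACTORS[classification] - len(held)
    if shortfall <= 0:
        return []
    return [f for f in Factor if f not in held][:shortfall]


if __name__ == "__main__":
    creds = [(Factor.KNOW, "password"), (Factor.KNOW, "security question")]
    print(access_allowed("personal", creds))   # False: both are "know"
    creds.append((Factor.HAVE, "building card"))
    print(access_allowed("personal", creds))   # True: know + have
```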