Part 3 – The Core Challenges To Security: Cost & Complexity


Costs of Hardware, Software, Distribution, Support, and Maintenance

Second-factor authentication is specifically engineered to add another layer to the security system.(96) However, as discussed, these systems are incredibly expensive to purchase and maintain.(97) The majority of second-factor deployments require a significant upfront investment to acquire new hardware (tokens, smart cards, or other devices) and supporting software.(98) Once deployed, the costs of maintenance and support continue in perpetuity.(99)

To illustrate, a standard token-based two-factor authentication system such as RSA SecurID costs approximately three hundred thousand dollars for two thousand users, split roughly sixty percent initial investment and forty percent ongoing maintenance and customer support.(100) Since the financial collapse of 2008, many governments and corporations have been motivated to increase operational efficiency and security while simultaneously lowering their total cost of ownership.(101)

Forcing Users To Change Human Behavior

Whenever there is a change in technology there is typically a simultaneous change in human behavior; in the world of authentication solutions this is almost always the case.(102) Examples of such changes are additional steps in the login procedure, the need to carry a new device, or the installation of supplemental software that then requires regular updates.(103) These and other inconveniences to the user typically show up as an increased number of help desk support requests, which in turn creates further challenges within an organization.(104) When a new technology changes human behavior, support costs rise, leaving key decision makers with an unreasonable choice between user convenience and security.(105) Access to systems and mission-critical services is paramount, so in the majority of cases user convenience trumps security.(106) CEOs do not want to trade one dollar of fraud for a dollar of customer support costs.(107)

Architecting a System that Addresses Security, Cost, and Complexity

With cloud-based software and services rapidly growing in popularity, leveraging browser-based JavaScript to capture a person's unique typing rhythm on a computer keyboard or touchscreen was the logical first step.(108) Using browser-based JavaScript to capture keystroke biometrics (keyboard or touchscreen) serves several purposes in the architecture.(109) First, by leveraging the browser there is no requirement for users to download and install client-side software.(110) Competing solutions also use the browser, but require proprietary plug-ins such as Flash objects or ActiveX controls.(111) Second, browsers are ubiquitous, so no training in how to work a web browser and no change in current human behavior is required.(112) Third, a lightweight biometric significantly improves the efficacy of the security.(113)

Arguably the most distinctive aspect of this type of solution is the result of a line of inquiry that seeks to address the attribution problem in authentication.(114) Further inquiry led to the exploration of key artificial intelligence concepts found in the research of MIT Professor Marvin Minsky.(115) In his book "The Emotion Machine", Minsky suggests a model of mind based on reacting to 'cognitive obstacles'.(116) He refers to this as the 'critic-selector' model.(117) There are "critic" resources, each of which can recognize a specific species of "problem type".(118) When a "critic" senses evidence that one is facing a type of problem, that "critic" tries to activate a "way to think" that may be useful in the situation.(119) These concepts are leveraged as core components of an artificial intelligence (AI) based, event-driven security architecture.(120) This architecture is designed to respond in real time to discrete events identified as suspect, without imposing a significant processing burden or causing major disruption of workflow.(121)

Solution At A Glance

Secure → Multiple identity attributes contribute to greater identity assurance.

Cost Efficient → No hardware/software to distribute or maintain, dramatically reduces helpdesk/support costs.

Convenient → No required changes in human behavior, open, extensible authentication architecture.

Building The Solution

1 ) Technological Open Standards and Web Services

To ease technical integration and create interoperability between systems and software, open standards and web services are used.(122) The solution requires that multiple identity factors be passed from the user's browser, through the client API, to an authentication server where the information is processed.(123)

2) A Versatile Authentication Solution

Given the nature of a cloud-based computing environment, additional consideration is given to the growing acceptance of those infrastructures and services.(124) As stated in the previous section, this system leverages open standards and interoperability, and can support a broad range of standard protocols including Remote Authentication Dial-In User Service (RADIUS), Lightweight Directory Access Protocol (LDAP), Terminal Access Controller Access-Control System Plus (TACACS+), Kerberos, and Security Assertion Markup Language (SAML).(125)

This solution can be delivered either as a service (SaaS) or as an on-premises deployment behind the organization's firewall.(126) Interoperability is key: the solution natively supports .NET, Java, PHP, and C/C++, and integrates with legacy applications and databases (a Hibernate DAO layer provides database transparency, meaning the code is agnostic to a change of database vendor).(127)

The versatility of this architecture and authentication platform enables it to work in combination with a variety of other authentication methods:(128)

  • Keystroke Biometric Authentication Methods – Keystroke/Touchscreen ID
  • Device Authentication Methods – Machine ID – (Agent, operating system, monitor resolution, browser type, browser size);
  • Geospatial ID – (Timestamp, IP Address, location, host name, and proxy IP)
  • Out-of-Band (OOB) Authentication Methods – One time passwords (OTP) delivered via email and/or Short Message Service (SMS)
  • Knowledge-Based Authentication Methods – Challenge Response Questions (CRQ)

The nature of this solution makes it well positioned to provide the necessary security to cloud-based and mobile environments.(129) The use of open standards with a focus on interoperability; the ability to work in concert with a range of authentication methods; and the facility to integrate quickly with multi-platform architectures without requiring any external hardware or extensive user training, provide the versatility necessary to address even the most challenging use cases.(130)

3) Multi-Factor Authentication

Building on the basic premise in information security that a solution employing more than one factor is more difficult to compromise, this solution incorporates multiple identity factors to maximize effectiveness.(131) There is no single standard definition of what constitutes multi-factor authentication; however, it is generally accepted that simply using more than one authentication method does not by itself constitute multi-factor authentication.(132) The Federal Financial Institutions Examination Council (FFIEC), in its 2006 guidelines, provides the most useful definition: "By definition true multi-factor authentication requires the use of solutions from two or more of the three categories of factors. Using multiple solutions from the same category would not constitute multi-factor authentication."(133) The three categories of authentication factors referred to in the guidelines are:

Personal – Something you know (password, passphrase, or PIN)

Technical – Something you have (ID proximity card or token)

Human – Something you are (fingerprint, retinal scan, or other biometric identifier)

The proposed solution uses multiple identity factors that cover all the categories listed above.(134) Regardless of the definition employed, the solution is built with a comprehensive selection of authentication options, including RSA SecurID tokens.(135)

4) Confidence Factors (136)

Keystroke
  1) Flight Time
  2) Dwell Time
  3) Key-To-Key
  4) Reflective Time

Device
  1) User Agent
  2) Operating System
  3) Monitor Resolution
  4) Browser Type
  5) Browser Size

Geolocation
  1) Time Stamp
  2) Location
  3) IP Address
  4) Host Name
  5) Proxy IP
  6) Geo-Region
  7) Country Code
  8) Region Code
  9) City
  10) Area Code
  11) Country
  12) Latitude
  13) Longitude
  14) Time Zone
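As an added example, and not code from the original post or from Delfigo, the JavaScript below shows the kind of browser-side capture described in the "Architecting a System" section and how the keystroke features named in the table above (dwell time, flight time, key-to-key time) can be extracted from keydown/keyup events and scored against an enrolled template. "Reflective time" is not defined on this page, so it is not computed. The event format, the fixed phrase, the enrollment samples, the 2-standard-deviation tolerance and the 5 ms deviation floor are all constructed assumptions; in a real deployment the template and the scoring would live on the authentication server, never in the browser, where an attacker could read or replay them.

```javascript
// Added example (not Delfigo's code): extract the keystroke timings named
// in the Confidence Factors table (dwell, flight, key-to-key) from
// keydown/keyup events and score an attempt against an enrolled template.
// "Reflective time" is not defined on the page, so it is not computed.

const FEATURES = ['dwell', 'flight', 'keyToKey'];

// Browser hook (assumed usage): record {type, key, t} for each key event on
// a phrase field. Drop the key values once timings are extracted server-side.
function attachCapture(inputEl, sink) {
  for (const type of ['keydown', 'keyup']) {
    inputEl.addEventListener(type, ev => sink.push({ type, key: ev.key, t: ev.timeStamp }));
  }
}

// Turn a raw event log into timing vectors (ms).
function extractFeatures(events) {
  const pressedAt = new Map();   // key -> time of its pending keydown
  const dwell = [];              // keydown -> keyup of the same key
  const flight = [];             // most recent keyup -> next keydown
  const keyToKey = [];           // keydown(n) -> keydown(n+1)
  let lastDown = null, lastUp = null;
  for (const ev of events) {
    if (ev.type === 'keydown') {
      if (pressedAt.has(ev.key)) continue;          // OS auto-repeat: ignore
      pressedAt.set(ev.key, ev.t);
      if (lastDown !== null) keyToKey.push(ev.t - lastDown);
      if (lastUp !== null) flight.push(ev.t - lastUp);
      lastDown = ev.t;
    } else if (ev.type === 'keyup' && pressedAt.has(ev.key)) {
      dwell.push(ev.t - pressedAt.get(ev.key));
      pressedAt.delete(ev.key);
      lastUp = ev.t;
    }
  }
  return { dwell, flight, keyToKey };
}

// Enrollment: per-position mean and standard deviation over several samples
// of the same fixed phrase. The 5 ms floor (assumed value) stops a perfectly
// consistent enrollment from rejecting every later attempt.
function buildTemplate(samples) {
  const feats = samples.map(extractFeatures);
  const tpl = {};
  for (const name of FEATURES) {
    tpl[name] = feats[0][name].map((_, i) => {
      const xs = feats.map(f => f[name][i]);
      const mean = xs.reduce((a, b) => a + b, 0) / xs.length;
      const variance = xs.reduce((a, b) => a + (b - mean) ** 2, 0) / xs.length;
      return { mean, sd: Math.max(Math.sqrt(variance), 5) };
    });
  }
  return tpl;
}

// Score 0..1: fraction of timings within `tolerance` standard deviations of
// the enrolled mean. A different phrase length scores 0 outright.
function scoreAttempt(template, events, tolerance = 2) {
  const f = extractFeatures(events);
  let hits = 0, total = 0;
  for (const name of FEATURES) {
    if (f[name].length !== template[name].length) return 0;
    template[name].forEach((ref, i) => {
      total++;
      if (Math.abs(f[name][i] - ref.mean) <= tolerance * ref.sd) hits++;
    });
  }
  return total ? hits / total : 0;
}

// Constructed input: synthesize the event log for typing `text` with a given
// dwell (ms held) per key and flight (ms release -> next press) per gap.
function typeEvents(text, dwells, flights) {
  const events = [];
  let t = 0;
  for (let i = 0; i < text.length; i++) {
    events.push({ type: 'keydown', key: text[i], t });
    events.push({ type: 'keyup', key: text[i], t: t + dwells[i] });
    t += dwells[i] + (flights[i] ?? 0);
  }
  return events;
}

const PHRASE = 'secret';
const ENROLLMENT = [
  typeEvents(PHRASE, [90, 85, 95, 88, 92, 90], [120, 110, 130, 115, 125]),
  typeEvents(PHRASE, [95, 90, 90, 92, 88, 94], [115, 120, 125, 120, 120]),
  typeEvents(PHRASE, [88, 92, 98, 85, 95, 89], [125, 105, 135, 110, 130]),
];
const TEMPLATE = buildTemplate(ENROLLMENT);
// Same rhythm as enrollment vs. the same phrase typed slowly and evenly, as
// someone who knows only the password (not the rhythm) might type it.
const GENUINE = typeEvents(PHRASE, [92, 88, 93, 90, 90, 91], [118, 112, 128, 117, 122]);
const IMPOSTOR = typeEvents(PHRASE, [160, 170, 165, 175, 160, 170], [300, 320, 310, 305, 315]);

function demo() {
  return { genuine: scoreAttempt(TEMPLATE, GENUINE), impostor: scoreAttempt(TEMPLATE, IMPOSTOR) };
}
console.log(demo());   // { genuine: 1, impostor: 0 }
```

Two design points worth noting: the per-position template only works for a fixed phrase (a password or passphrase), which is also the only place such capture should run, and the feature extractor drops the key values once timings are taken so that the biometric channel does not become a keylogger.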

5) How Does Intelligent Multi-Factor Authentication Work?

Upon authentication of the client, the user data is passed to the decision engine, where a set of mathematical algorithms examines the data and computes a Confidence Factor score.(137) The Confidence Factor is a score expressing the system's level of confidence that you are who you say you are, and it is used to grant the appropriate level of access to an application or system.(138)

(Diagrams not reproduced. Courtesy of Delfigo Security.)

6) Real Time, Activity Based Defense

The software components used to capture multiple identity factors can be deployed only where they are necessary or required, as not all areas of an application or system require the same level of security.(139) A risk assessment is needed to determine which activities require a higher level of security and which do not (e.g. in banking, a simple login that provides "view only" access to data poses less risk than a transaction that transfers money or changes the user profile).(140) Integration into multiple transaction areas within an application or system with minimal difficulty is a critical attribute enabled by event-driven security.(141) This lets the adopting organization focus on the specific transaction types (password changes, account updates, etc.) where fraud is likely to occur, and prevent it before it manifests.(142)

7) Artificial Intelligence and Neural Based Defense System

The flexibility of the solution extends well beyond the deployment alternatives previously discussed.(143) What makes this solution highly unusual is that the customer's administrator can determine the level of importance of each identity attribute in the authentication engine.(144) Additionally, the administrator can adjust the specific thresholds that must be met to gain access to a system or application.(145)

8) Confidence Factor Weightings

Each identity attribute can be ranked by its importance and assigned a numerical weighting in the administrator console.(146) The weighting designates the degree to which that attribute contributes to the overall confidence score.(147) For example, a biometric attribute may carry significantly more weight than browser window size, time stamp, or an RSA SecurID token.(148)

9) Authentication Thresholds

The score, or Confidence Factor, required to access a system or execute a transaction within an application is not fixed.(149) Thresholds can be set per transaction type or activity, based on the assessment of risk for that particular user activity.(150)
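The following is an added example, not Delfigo's code, that puts sections 5, 8 and 9 together: per-attribute match scores are combined into one Confidence Factor using administrator-set weightings, and the result is compared against a threshold chosen per activity. The attribute names follow this page; the weights, the thresholds, the 0..1 score scale, the activity names and the step-up rule (offer an out-of-band OTP only when it could actually lift the score over the line) are assumptions made for illustration.

```javascript
// Added example (not Delfigo's code): combine per-attribute match scores into
// one Confidence Factor with administrator-set weightings, then decide an
// activity against its own threshold. Attribute names follow the page; the
// weights, thresholds, the 0..1 score scale and the step-up rule are assumed.

// Administrator console settings (constructed). Weights are relative; they
// are normalised when the score is computed.
const WEIGHTS = { keystroke: 5, device: 2, geolocation: 2, otp: 4 };

// Required Confidence Factor per activity, from a risk assessment of each
// activity (constructed values).
const THRESHOLDS = { login_view: 0.5, profile_change: 0.75, funds_transfer: 0.9 };

// Weighted mean of the attribute scores. An attribute that was not captured
// counts as 0 so that a missing factor can never raise confidence.
function confidenceFactor(scores, weights = WEIGHTS) {
  let num = 0, den = 0;
  for (const [attr, w] of Object.entries(weights)) {
    const s = scores[attr] ?? 0;
    if (typeof s !== 'number' || s < 0 || s > 1) throw new RangeError(`score for ${attr} must be 0..1`);
    num += w * s;
    den += w;
  }
  return den ? num / den : 0;
}

// allow / step_up / deny for one activity. Unknown activities get the
// strictest configured threshold (fail closed). Step-up (out-of-band OTP) is
// offered only if no OTP has been collected yet and a correct one would lift
// the score over the threshold; otherwise challenging the user is pointless.
function decide(activity, scores, weights = WEIGHTS, thresholds = THRESHOLDS) {
  const cf = confidenceFactor(scores, weights);
  const required = Object.prototype.hasOwnProperty.call(thresholds, activity)
    ? thresholds[activity]
    : Math.max(...Object.values(thresholds));
  let outcome = 'deny';
  if (cf >= required) {
    outcome = 'allow';
  } else if (scores.otp === undefined &&
             confidenceFactor({ ...scores, otp: 1 }, weights) >= required) {
    outcome = 'step_up';
  }
  return { activity, confidenceFactor: Number(cf.toFixed(3)), required, outcome };
}

// Constructed session: good keystroke match, known device and location, no
// OTP collected yet.
const SESSION = { keystroke: 0.9, device: 1, geolocation: 1 };

function demo() {
  return [
    decide('login_view', SESSION),                                    // allow
    decide('funds_transfer', SESSION),                                // step_up
    decide('funds_transfer', { ...SESSION, otp: 1 }),                 // allow
    decide('funds_transfer', { ...SESSION, keystroke: 0.3, otp: 1 }), // deny: right phone, wrong rhythm
    decide('wire_batch', SESSION),                                    // unknown activity: 0.9 required
  ];
}
console.log(demo());
```

The fourth case is the one the weighting is for: a correct OTP from a stolen or SIM-swapped phone is not enough when the keystroke attribute, which carries the largest weight, scores badly. The missing-attribute rule and the fail-closed default for unknown activities are the two places where a naive implementation quietly becomes permissive.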

(Diagrams not reproduced. Courtesy of Delfigo Security.)

Next up: I will bring to conclusion the arguments of Part 3.
