|By Claus Rosendal||
|July 21, 2014 08:45 AM EDT||
The online world has become a dangerous place. According to a survey, 90 percent of all companies fell victim to a security breach in the last twelve months. Hacking and advanced persistent threats (APTs) have rendered the two-factor authentication token, now over 20 years old, essentially obsolete. Without question, a real need exists for a truly secure approach to real-time multifactor authentication to combat today's modern threats.
Remote Access Spikes Security Risk
The use of online services has exploded in the last decade as enterprises have adopted remote access as the default way to access systems and conduct business. With the pervasive use of online access to conduct business, the threat of identity theft has increased with stunning speed and complexity. Ponemon Research surveyed more than 500 corporations and found that 90 percent had been successfully hacked in the last twelve months. This finding underscores the need for major enterprises to adopt stringent, effective security methods as a means to protect against breaches. As a result, modern mobile phone-based multifactor authentication is in high demand.
Advances in Hacking
In the same way that the remote access industry has evolved, so have threats and their complexity. In the early days of online services, usernames and passwords were typically the only form of authentication. To defeat them, hackers used "brute force" attacks to guess the username or password, or "dictionary attacks" to assume a user's identity. In a dictionary attack, a computer or a hacker attempts various combinations of potential passwords until access is granted.
Systems eventually evolved to block these attempts by locking the account down after a few faulty attempts, leading hackers to develop new techniques like key loggers. Today, the most widely used attacks are pharming, phishing or a combination of the two. These terms describe methods by which users are led to a counterfeit website that looks just like the original. This tricks the user into entering his or her username and password. Some of the more advanced attacks send stolen information to the hackers in real time via a small instant message program, compromising many popular two-factor authentication tokens. As an example, Zeus malware captures a user's credentials - even advanced time-based token codes - and sends the information to the hacker.
As if that weren't enough, newer and more sophisticated methods of intercepting user interactions with online services have emerged in recent years, including man-in-the-browser, man-in-the-middle and session hijacking. Even the most secure traditional two-factor authentication token devices can no longer secure a user's identity against these new, more insidious threats. Yet many organizations are unaware that traditional tokens can be compromised, posing a significant security risk.
Many Security Technologies Fall Short
Today's ever-changing threat environment creates a never-ending battle wherein organizations must constantly evaluate the right level of investment in security. Often, the best possible protection is not financially feasible for many organizations, and thus a trade-off has to be made. To protect against identity theft schemes within budgetary constraints, organizations have sampled different technologies, including certificates, biometric scanning, identity cards and hard- and software tokens, with the latter being the most dominate technology. Certificates are often viewed as the ideal way to connect two devices with a secure, identifiable connection. The main issue is the deployment and administration of these certificates and the risks that these are copied without the user knowing it. Furthermore, the certificate authority might be compromised as well.
Biometric scanning has also enjoyed some success, often seen as a very secure alternative. However, the assumption that you always have a functioning finger or iris scanner handy has proven impractical, and the resulting scan produces a digital file that can itself be compromised. Another alternative is the identity card, which often proves impractical in a world of Bring Your Own Device ("BYOD"), where users demand access from an ever-changing variety of devices. Therefore, a new approach is needed.
A Mobile Approach to Security
Many organizations have begun using multi-factor authentication based on mobile networks to address today's modern threats while meeting a user's need for easier and more flexible solutions.
Two elements drive the adoption of the new crop of multi-factor authentication: one, the need to deliver hardened security that anticipates novel threats; and two, the need to deploy this level of security easily and at a low cost. The device used in the authentication process also needs to be connected to the network in real time and be unique to the user in question.
If the authentication engine sends a regular token via SMS, however, today's malware threats can steal the code easily. Therefore, organizations must seek strategies that operate efficiently in a message-based environment to successfully defend against modern threats. Key elements can include:
- One-time password: To get the highest possible level of security, the one-time password (OTP) must both be generated in real time and be specific (locked) to the particular session, as opposed to tokens that use seed files where the passcodes are stored.
- Minimal complexity: To minimize infrastructure complexity, the solution should plug into different login scenarios, such as Citrix, VMware, Cisco, Microsoft, SSL VPNs, IPsec VPNs and web logins. Other ways to minimize infrastructure overload include providing these logins in an integrated, session-based architecture.
- Multiple defenses: To support real-time code delivery, the organization needs robust and redundant server-side architecture along with multiple delivery mechanism support, regardless of geographic location.
- Easy management: The solution should be able to be managed easily within the existing user management infrastructure.
- Context-specific: To maximize security, the company should leverage contextual information - such as geo-location and behavior patterns - to effectively authenticate the user.
The Security Horizon
The modern convenience of online services has brought with it the modern scourge of identity theft. Methods of identity theft have outpaced popular security measures, necessitating a new standard in data defense: session- and location-specific multi-factor authentication. This kind of real-time solution, delivered to a user's mobile phone, can provide the security organizations must have if they hope to protect their employees, users and data from modern online threats.
Wow, if you ever wanted to learn about Rugged DevOps (some call it DevSecOps), sit down for a spell with Shannon Lietz, Ian Allison and Scott Kennedy from Intuit. We discussed a number of important topics including internal war games, culture hacking, gamification of Rugged DevOps and starting as a small team. There are 100 gold nuggets in this conversation for novices and experts alike.
May. 2, 2016 06:30 AM EDT Reads: 725
SYS-CON Events announced today that DatacenterDynamics has been named “Media Sponsor” of SYS-CON's 18th International Cloud Expo, which will take place on June 7–9, 2016, at the Javits Center in New York City, NY. DatacenterDynamics is a brand of DCD Group, a global B2B media and publishing company that develops products to help senior professionals in the world's most ICT dependent organizations make risk-based infrastructure and capacity decisions.
May. 2, 2016 06:30 AM EDT Reads: 2,512
With DevOps becoming more well-known and established practice in nearly every industry that delivers software, it is important to continually reassess its efficacy. This week’s top 10 includes a discussion on how the quick uptake of DevOps adoption in the enterprise has posed some serious challenges. Additionally, organizations who have taken the DevOps plunge must find ways to find, hire and keep their DevOps talent in order to keep the machine running smoothly.
May. 2, 2016 06:15 AM EDT Reads: 1,430
Call it DevOps or not, if you are concerned about releasing more code faster and at a higher quality, the resulting software delivery chain and process will look and smell like DevOps. But for existing development teams, no matter what the velocity objective is, getting from here to there is not something that can be done without a plan. Moving your release cadence from months to weeks is not just about learning Agile practices and getting some automation tools. It involves people, tooling and ...
May. 2, 2016 04:30 AM EDT Reads: 1,519
Between the mockups and specs produced by analysts, and resulting applications built by developers, there exists a gulf where projects fail, costs spiral, and applications disappoint. Methodologies like Agile attempt to address this with intensified communication, with partial success but many limitations. In his session at 18th Cloud Expo, Charles Kendrick, CTO & Chief Architect at Isomorphic Software, will present a revolutionary model enabled by new technologies. Learn how business and devel...
May. 2, 2016 04:30 AM EDT Reads: 1,758
The notion of customer journeys, of course, are central to the digital marketer’s playbook. Clearly, enterprises should focus their digital efforts on such journeys, as they represent customer interactions over time. But making customer journeys the centerpiece of the enterprise architecture, however, leaves more questions than answers. The challenge arises when EAs consider the context of the customer journey in the overall architecture as well as the architectural elements that make up each...
May. 2, 2016 03:15 AM EDT Reads: 1,978
In 2006, Martin Fowler posted his now famous essay on Continuous Integration. Looking back, what seemed revolutionary, radical or just plain crazy is now common, pedestrian and "just what you do." I love it. Back then, building and releasing software was a real pain. Integration was something you did at the end, after code complete, and we didn't know how long it would take. Some people may recall how we, as an industry, spent a massive amount of time integrating code from one team with another...
May. 2, 2016 12:30 AM EDT Reads: 924
As the software delivery industry continues to evolve and mature, the challenge of managing the growing list of the tools and processes becomes more daunting every day. Today, Application Lifecycle Management (ALM) platforms are proving most valuable by providing the governance, management and coordination for every stage of development, deployment and release. Recently, I spoke with Madison Moore at SD Times about the changing market and where ALM is headed.
May. 1, 2016 08:45 PM EDT Reads: 1,504
Struggling to keep up with increasing application demand? Learn how Platform as a Service (PaaS) can streamline application development processes and make resource management easy.
May. 1, 2016 08:15 PM EDT Reads: 2,104
If there is anything we have learned by now, is that every business paves their own unique path for releasing software- every pipeline, implementation and practices are a bit different, and DevOps comes in all shapes and sizes. Software delivery practices are often comprised of set of several complementing (or even competing) methodologies – such as leveraging Agile, DevOps and even a mix of ITIL, to create the combination that’s most suitable for your organization and that maximize your busines...
May. 1, 2016 08:00 PM EDT Reads: 1,847
The goal of any tech business worth its salt is to provide the best product or service to its clients in the most efficient and cost-effective way possible. This is just as true in the development of software products as it is in other product design services. Microservices, an app architecture style that leans mostly on independent, self-contained programs, are quickly becoming the new norm, so to speak. With this change comes a declining reliance on older SOAs like COBRA, a push toward more s...
May. 1, 2016 06:15 PM EDT Reads: 1,398
SYS-CON Events announced today that Peak 10, Inc., a national IT infrastructure and cloud services provider, will exhibit at SYS-CON's 18th International Cloud Expo®, which will take place on June 7-9, 2016, at the Javits Center in New York City, NY. Peak 10 provides reliable, tailored data center and network services, cloud and managed services. Its solutions are designed to scale and adapt to customers’ changing business needs, enabling them to lower costs, improve performance and focus inter...
May. 1, 2016 06:00 PM EDT Reads: 1,180
SYS-CON Events announced today that Stratoscale, the software company developing the next generation data center operating system, will exhibit at SYS-CON's 18th International Cloud Expo®, which will take place on June 7-9, 2016, at the Javits Center in New York City, NY. Stratoscale is revolutionizing the data center with a zero-to-cloud-in-minutes solution. With Stratoscale’s hardware-agnostic, Software Defined Data Center (SDDC) solution to store everything, run anything and scale everywhere...
May. 1, 2016 01:30 PM EDT Reads: 1,584
SYS-CON Events announced today that Men & Mice, the leading global provider of DNS, DHCP and IP address management overlay solutions, will exhibit at SYS-CON's 18th International Cloud Expo®, which will take place on June 7-9, 2016, at the Javits Center in New York City, NY. The Men & Mice Suite overlay solution is already known for its powerful application in heterogeneous operating environments, enabling enterprises to scale without fuss. Building on a solid range of diverse platform support,...
May. 1, 2016 12:15 PM EDT Reads: 2,338
You deployed your app with the Bluemix PaaS and it's gaining some serious traction, so it's time to make some tweaks. Did you design your application in a way that it can scale in the cloud? Were you even thinking about the cloud when you built the app? If not, chances are your app is going to break. Check out this webcast to learn various techniques for designing applications that will scale successfully in Bluemix, for the confidence you need to take your apps to the next level and beyond.
May. 1, 2016 11:45 AM EDT Reads: 1,504
Digital means customer preferences and behavior are driving enterprise technology decisions to be sure, but let’s not forget our employees. After all, when we say customer, we mean customer writ large, including partners, supply chain participants, and yes, those salaried denizens whose daily labor forms the cornerstone of the enterprise. While your customers bask in the warm rays of your digital efforts, are your employees toiling away in the dark recesses of your enterprise, pecking data into...
May. 1, 2016 08:15 AM EDT Reads: 1,066
Much of the discussion around cloud DevOps focuses on the speed with which companies need to get new code into production. This focus is important – because in an increasingly digital marketplace, new code enables new value propositions. New code is also often essential for maintaining competitive parity with market innovators. But new code doesn’t just have to deliver the functionality the business requires. It also has to behave well because the behavior of code in the cloud affects performan...
May. 1, 2016 02:45 AM EDT Reads: 1,408
This is not a small hotel event. It is also not a big vendor party where politicians and entertainers are more important than real content. This is Cloud Expo, the world's longest-running conference and exhibition focused on Cloud Computing and all that it entails. If you want serious presentations and valuable insight about Cloud Computing for three straight days, then register now for Cloud Expo.
Apr. 30, 2016 02:30 PM EDT Reads: 1,744
I had the opportunity to catch up with Chris Corriere - DevOps Engineer at AutoTrader - to talk about his experiences in the realm of Rugged DevOps. We discussed automation, culture and collaboration, and which thought leaders he is following. Chris Corriere: Hey, I'm Chris Corriere. I'm a DevOps Engineer AutoTrader. Derek Weeks: Today we're going to talk about Rugged DevOps. It's a subject that's gaining a lot of traction in the community but not a lot of people are really familiar with wh...
Apr. 30, 2016 09:45 AM EDT Reads: 1,592
APIs have taken the world by storm in recent years. The use of APIs has gone beyond just traditional "software" companies, to companies and organizations across industries using APIs to share information and power their applications. For some organizations, APIs are the biggest revenue drivers. For example, Salesforce generates nearly 50% of annual revenue through APIs. In other cases, APIs can increase a business's footprint and initiate collaboration. Netflix, for example, reported over 5 bi...
Apr. 29, 2016 09:30 PM EDT Reads: 2,581