At #6 on our list of “Top 20” SOC Capability Areas is Authentication Management. This is the 2nd of 4 separate “Access Control” capability areas that are often addressed together – Identity, Authentication, Authorization, and Privacy/Confidentiality Management. (We discuss the complexities of Auditing separately.)
Here we focus on Authentication capabilities as a critical Security Operations responsibility for three main reasons:
· First, no Identity (subject or object, person or non-person) can be trusted without some level of Authentication. All Access Control decisions rely directly upon whether a subject’s identity is trusted.
· Second, despite a range of advanced solutions available today, many users and organizations remain notoriously bad at implementing/enforcing Authentication controls (e.g., strong, unique passwords).
· And third, compromised credentials remain one of the most serious challenges to maintaining information security (confidentiality and integrity) and mitigating risk.
If Authentication is such a lynchpin to the job of Security Operations (protecting the organization), then Authentication Management capabilities warrant significant attention.
Of course, the most familiar challenge to implementing strong Authentication techniques and technologies remains User Convenience. The more complex Authentication becomes, the more Users resist it.
Single-factor Authentication (SFA) approaches (e.g., strong passwords, PINs, or a combination of both, which is still a single "something you know" factor) are easier to manage and more convenient for Users, but have repeatedly proven insufficient to protect against even low-skilled attackers. More advanced Authentication protocols, such as Kerberos, have helped to enable Single Sign On (SSO) while defending against commodity threats such as eavesdropping and replay (tickets are encrypted, and authenticators carry timestamps). But most of those still rely on a single factor for the initial, local User authentication: in Kerberos, for example, the user's long-term key is derived from the password unless a public-key extension such as PKINIT is deployed.
Multi-factor Authentication (MFA) mechanisms such as PKI-based smart cards (the card is something you "have"; its PIN is something you "know") are certainly a stronger approach to Authentication, but demand significantly more management overhead. The same has proven true for most biometric solutions, where enrollment is burdensome and a compromised biometric, unlike a password, cannot simply be revoked and re-issued. However, MFA has become increasingly feasible in recent years as newer solutions prove more manageable by taking advantage of things that Users, such as remote customers, already "have" (e.g., cell phones running an authenticator app, fingerprinted devices) or contextual signals such as location. Registration of these credentials is still tedious, but doesn't typically require the cost and physical provisioning of special equipment such as smart cards or hardware tokens.
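As an added, illustrative example (not code from the original article or any product it describes), the check below shows what a phone-based second factor adds on top of a password, and why replay matters. It assumes the phone runs a standard RFC 6238 TOTP authenticator (HMAC-SHA1, 30-second step, 6 digits), that passwords are stored as salted PBKDF2-SHA256 hashes, and that user records live in an in-memory dictionary constructed here for illustration; the function and record names (`enroll`, `login`, `totp`, `UserRecord`) are hypothetical.

```python
# Added example (not from the original article): password + phone TOTP login check.
# Assumptions: RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits), as produced by
# common authenticator apps; passwords stored as salted PBKDF2-SHA256 hashes;
# user records kept in an in-memory dict constructed here for illustration.
import hashlib
import hmac
import os
import struct
import time
from dataclasses import dataclass

TOTP_STEP = 30          # seconds per time step
TOTP_DIGITS = 6
PBKDF2_ROUNDS = 100_000
WINDOW = 1              # accept codes from one step before/after the current one


@dataclass
class UserRecord:
    salt: bytes
    pw_hash: bytes
    totp_secret: bytes
    last_counter: int = -1   # highest TOTP counter already accepted (replay guard)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def totp(secret: bytes, counter: int) -> str:
    """RFC 6238 / RFC 4226 dynamic truncation for one time-step counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** TOTP_DIGITS).zfill(TOTP_DIGITS)


def enroll(users: dict, username: str, password: str, totp_secret: bytes) -> None:
    """Store the first factor (password hash) and the second factor (TOTP seed)."""
    salt = os.urandom(16)
    users[username] = UserRecord(salt, hash_password(password, salt), totp_secret)


_DUMMY_SALT = os.urandom(16)


def login(users: dict, username: str, password: str, code: str, now: int = None) -> str:
    """Return "ok", "bad-password", "bad-code", or "replay".

    Show the user one generic failure message for every non-"ok" result; the
    distinct values exist for server-side logging and detection.
    """
    now = int(time.time()) if now is None else int(now)
    user = users.get(username)
    if user is None:
        hash_password(password, _DUMMY_SALT)   # same cost as a real lookup
        return "bad-password"
    if not hmac.compare_digest(hash_password(password, user.salt), user.pw_hash):
        return "bad-password"

    # Second factor: the code must match the current step or its neighbours
    # (clock skew), and each step may be redeemed only once.
    current = now // TOTP_STEP
    for counter in range(current - WINDOW, current + WINDOW + 1):
        if hmac.compare_digest(totp(user.totp_secret, counter), code):
            if counter <= user.last_counter:
                return "replay"         # code already used: possible interception
            user.last_counter = counter
            return "ok"
    return "bad-code"


if __name__ == "__main__":
    users = {}
    # RFC 4226/6238 test secret; constructed sample data, not a real credential.
    secret = b"12345678901234567890"
    enroll(users, "alice", "correct horse battery staple", secret)
    code = totp(secret, 59 // TOTP_STEP)   # what her phone would show at t=59
    print(login(users, "alice", "correct horse battery staple", code, now=59))  # ok
    print(login(users, "alice", "correct horse battery staple", code, now=61))  # replay
```

The replay guard (`last_counter`) is the part most home-grown implementations omit: without it, a code phished or shoulder-surfed seconds earlier is still valid for the rest of its 30-second step and the skew window on either side. A stolen password alone yields "bad-code", and a captured code alone yields "bad-password"; both results are worth alerting on, because each means one factor has already been compromised.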
Regardless of the Authentication mechanisms selected, from passwords and user tokens to digital certificates, Authentication is the root of all Access Control decisions. Security Operations teams must deal with the non-trivial administrative task of granting and revoking credentials, on a daily basis, for the ever growing number of subjects in their environment. That requires credentialing capabilities that can handle a diverse set of credentials for the full range of person and non-person entities in the environment.
This article barely scratches the surface of the need for Authentication Management capabilities in contemporary Security Operations. But taken together with the other capability areas in this “Top 20” list, we hope to shine a light on the breadth, depth, and complexity of what is involved in building effective Security Operations today.
Contact us if you'd like help identifying and selecting Authentication Management capabilities to support your own Security Operations efforts.