@ISACA Volume 10  20 May 2015

Tips for Approaching Identification and Authentication


Security professionals regularly affirm the importance of strong authentication. I would like to believe that they simply shorten “identification and authentication” to “authentication” for brevity’s sake, but I am not that wishful in my thinking.

There often is a fundamental misunderstanding—identification and authentication (I&A) is, at a minimum, a 2-step process that, upon completion, provides some level of assurance that a person or non-person entity (NPE) asserting an identity can be authenticated as that person or NPE. Identification is the assertion of the identity; authentication is the verification of that assertion.

There are 4 accepted means of authenticating an identity. These are something a user has, something a user knows, something a user is or a hybrid/combination of the first 3.

The hybrid approach to authentication is one of the most interesting. Biometrics is the most popular hybrid implementation. In a hybrid approach, biometric data are presented along with a PIN or token. The PIN or token is used to look up the user’s record in the database, and the presented biometric data are then compared with the data stored in that record. With that mechanical complement, characteristics such as fingerprints, retina scans or voice patterns can be compared more quickly, which makes the technology more reasonable and manageable to use.

An emerging implementation is the use of a password and a telephone number. The password provides access to a pre-entered telephone number. A PIN is communicated to the phone number and the user then keys in the PIN, prior to being granted access. This implementation is strong because it is a 2-factor authentication approach that is not overly expensive and provides an increased level of assurance.
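The following is an added illustration, not code from the column or from ISACA: a minimal Python model of the 2-step I&A flow and of the password-plus-telephone-PIN implementation just described. It assumes an in-memory user store, a `SENT` list standing in for the SMS or voice gateway, and the constructed values `PIN_TTL`, `MAX_ATTEMPTS` and `ITER`; the PIN is single use, short lived and limited to a few tries, which is what gives the second step its assurance.

```python
import hashlib
import hmac
import os
import secrets
import time

USERS = {}         # username -> {salt, hash, phone}; constructed in-memory store
PENDING = {}       # username -> {pin, expires, attempts} awaiting step 2
SENT = []          # stand-in for the SMS/voice gateway: (phone, pin) records
PIN_TTL = 120      # seconds a PIN stays valid (assumed value)
MAX_ATTEMPTS = 3   # guesses allowed per issued PIN (assumed value)
ITER = 200_000     # PBKDF2 iterations (assumed value)

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITER)

def register(username, password, phone):
    # The phone number is pre-entered at enrollment, never at login time.
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": _hash(password, salt), "phone": phone}

def begin_login(username, password, now=None):
    """Step 1: identify the user and verify the password (something known).
    On success, issue a fresh PIN to the pre-registered phone (something had).
    Returns True only when a PIN was sent; the caller learns nothing else."""
    now = time.time() if now is None else now
    rec = USERS.get(username)
    if rec is None:
        _hash(password, b"\0" * 16)  # same cost whether or not the user exists
        return False
    if not hmac.compare_digest(_hash(password, rec["salt"]), rec["hash"]):
        return False
    pin = f"{secrets.randbelow(10**6):06d}"
    PENDING[username] = {"pin": pin, "expires": now + PIN_TTL, "attempts": 0}
    SENT.append((rec["phone"], pin))
    return True

def finish_login(username, pin, now=None):
    """Step 2: check the PIN the user keys in. A PIN is single use, expires
    after PIN_TTL seconds and is discarded after MAX_ATTEMPTS guesses."""
    now = time.time() if now is None else now
    p = PENDING.get(username)
    if p is None or now > p["expires"]:
        PENDING.pop(username, None)
        return False
    p["attempts"] += 1
    ok = hmac.compare_digest(p["pin"].encode(), str(pin).encode())
    if ok or p["attempts"] >= MAX_ATTEMPTS:
        PENDING.pop(username, None)
    return ok
```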

Two common authentication implementations are single sign-on (SSO) and public key infrastructure (PKI). SSO solutions allow the user to log in once and be granted access to multiple servers, data repositories and more. Most SSO implementations rely on a server approach that should be viewed as a single attack vector across the architecture: if one compromises the SSO server, the whole architecture is compromised. A reduced sign-on (RSO) requires the user to authenticate to each server independently, lessening the effects of a single-vector attack. RSO provides the user with an SSO experience but is, in fact, quite different.

PKI is a cryptography-based system that facilitates authentication by providing the user with a unique key whose certificate is traceable back to the certificate authority (CA) that issued it. For NPEs, the certificate is referred to as server side. For people, the certificate is referred to as client side.

Consider the following guidelines when discussing I&A:

  • Choose the means of authentication based on the value of the data to be protected.
  • Train people on I&A. Humans are always the weak point.
  • Employ additional techniques to complement the password. Longer, complex passwords are the best way to get users to write down passwords.
  • Do not assume there is additional assurance because of the introduction of high-assurance technology or means of authenticating.
  • Always review the level of assurance across the overall security implementation, not only by authentication.
  • Remember, I&A is not access. Access is not I&A.
  • Differentiate between SSO and a user’s SSO experience. A reduced sign-on often is the more secure solution.

I&A is 1 of the 3 core security requirements, the others being access and audit. These 3 security requirements represent the fundamental basis for any good security architecture and must align in implementation and assurance. In short, the weakest implementation of any of the 3 lowers the assurance of the overall system.

Bruce R. Wilkins, CISA, CISM, CGEIT, CRISC, CISSP, is the chief executive officer of TWM Associates Inc. In this capacity, Wilkins provides secure engineering solutions for innovative technology and cost-reducing approaches to existing security programs.


Learn to Manage Third-party Risk at ISACA Webinar


Privacy breaches often occur within third-party organizations contracted to perform services for enterprises. Both the contracting organization and the third party share responsibility in the event of a breach, but it is necessary to ensure that the third party has appropriate security and privacy controls in place. To help organizations develop standards for third-party risk mitigation, ISACA is presenting the “An Effective Framework for Third-party Information Security and Privacy Oversight and Risk Management” webinar. The webinar will take place on 28 May at 11AM CDT (UTC -5 hours). Members can earn 1 continuing professional education (CPE) hour by attending the webinar and passing a related quiz.

Rebecca Herold, CISA, CIPM, CIPP/US, CIPT, CISSP, FLMI, founder and CEO of The Privacy Professor, will share her experience and research on the most common risk third parties present. She will cover risk associated with big data analytics, cloud computing, mobile computing and smart devices. To mitigate this risk, Herold will provide a framework to better understand the risk third parties can pose.

To learn more about the webinar or to register for it, visit the An Effective Framework for Third-party Information Security and Privacy Oversight and Risk Management page of the ISACA web site.


Knowledge Center Topic Leader Rewarded With a Trip to EuroCACS/ISRM


Congratulations to Knowledge Center topic leader Ian Cooke, CISA, CGEIT, CRISC! Cooke leads 3 topics in the ISACA Knowledge Center: Audit Tools and Techniques, SQL Server and Oracle Database. Since becoming a topic leader of Audit Tools and Techniques, participation in the topic has doubled. Cooke is also active in his local ISACA chapter and is a member of ISACA’s Communities Committee. As a thank you for Cooke’s dedication and his efforts engaging these topics throughout the year, he will be flown to Copenhagen, Denmark, and attend EuroCACS/ISRM at ISACA’s expense.

Visit one of Cooke’s topics and ask him a question or browse the Knowledge Center for a topic that interests you. If you are interested in becoming a topic leader, please visit the Become a Topic Leader page for more information. Your ISACA community is waiting.


Vote Now on ISACA’s Revised Bylaws


ISACA members have until 6 June at 2AM CDT (UTC -5 hours) to vote on the revised bylaws.

Voting can be done electronically. Members should have received an email from Votenet, ISACA’s vendor for this election, containing information on how to access a ballot. Members may also vote in person at the ISACA annual meeting of the membership from 8 to 9AM CEST on 6 June at the Steigenberger Grandhotel, 71 Avenue Louise, 1050 in Brussels, Belgium.

Questions? Contact bylaws@isaca.org.


Using the CISM Certification to Create a Better Future

Jonathan McMahon, CISM, ITILv3 Foundation, Director of Information Technology at the County of Fluvanna, Virginia, USA, Shares His Experience as a CISM

Jonathan McMahon describes the Certified Information Security Manager (CISM) certification as having given him credibility in the security field. “The best part of being a CISM is the clear recognition it provides of my value as a business asset—I have been through an independent audit, testing and certification process to demonstrate and substantiate my skills in information security,” he says. “It is one thing to assert, ‘I'm an information security professional.’ It is quite another to have that statement endorsed by a global professional information security organization, such as ISACA.”

In his free time, McMahon enjoys grilling and “protecting information technology assets from my young son, Declan.” McMahon knows that his work in local government is helping to make the world a better place for Declan and generations to come. “The best part of my job is working within a local government to build a legacy for us citizens, our children and future generations,” he says. “Good government starts at the local level; if I am not part of the solution, I am part of the problem. I want to provide a cost-effective technology program that allows my organization to serve our citizens with maximum efficiency and effectiveness.”

While McMahon knows the importance of information security, he acknowledges the challenge of having the enterprise value security. He finds that clear communication between security professionals and the organization’s leadership is essential in promoting the value of information security. “In any information security program, stakeholder buy-in is a critical success factor,” he says. “Education, communication and relationship-building are the keys. If stakeholders understand and believe that we are protecting their interests, information security is perceived as a valuable partner and security professionals will naturally find themselves at the table for decision making in all parts of the IT life cycle.”

McMahon has several suggestions for anyone planning on taking the CISM exam. “Read the CISM Review Manual cover to cover at least two or three times. As you read, mentally relate the concepts to your organization,” he says. “Knowledge is much better retained by tying it to an existing framework in your mind. By far, the most effective study tool that I used was ISACA's CISM Review Questions, Answers & Explanations Database. Just get it. It is invaluable toward passing the exam. Follow the study plan laid out by the software.”

To learn more about ISACA certifications, visit the Certification page of the ISACA web site.


Book Review: Securing Cloud and Mobility: A Practitioner’s Guide

Reviewed by Horst Karin, Ph.D., CISA, CRISC, CISSP, ITIL

Cloud access is now a mobile capability. Is this a nightmare for information security? It depends. Most people know of the paradox between security and access to data: Data are extremely secure if no one can access them at all. Data are fully insecure if they are available in the public domain. Of course, a balance between these extremes needs to be established. This balance depends on the data classification on one side and, on the other, on the ability to implement security controls and the actual controls that are in place. Cloud computing and mobile access have benefits, but also introduce an enormous increase in information security risk. Because of this increase, cloud data and mobile security need special attention.

Securing Cloud and Mobility: A Practitioner’s Guide provides a great deal of information on how to better combat this increase in risk. Part 1 is titled “Rethink IT and Security.” This rethinking is important because corporations and organizations often want to use the newest IT resources to conduct business, even before IT security, law and regulations can adapt to them.

The second part of the book, “Deconstructing Cloud Security,” analyzes the potential cloud impacts on IT and the business and makes it clear that business and IT security need to have a meaningful conversation before the mobile cloud computing endeavor even begins. The book shows which fundamentals need to be considered to build an IT security framework that supports mobile cloud computing. Threats are first analyzed for private and public clouds, and appropriate mitigating security controls are explained. Finally, a mobile security infrastructure supporting cloud computing concludes this helpful 120-page book.

The book is divided into 5 parts, 16 chapters, and has numerous figures and tables. Various references provide extra information for the reader who is looking for additional insights from other sources. The book’s index makes finding specific content easy and efficient. Blackberry, iOS, Android and Windows operating systems are all covered in this book.

The book strikes a balance between technical detail and general content, which gives the business-minded reader a strong insight into the risk and IT security framework available to support the business in mobile cloud computing efforts. While published in 2013, the book will remain relevant for the next few years, despite quickly changing technology, because it looks at the fundamentals of the IT security framework enabling mobile cloud computing.

Securing Cloud and Mobility is available from the ISACA Bookstore. For information, visit the ISACA Bookstore online or email bookstore@isaca.org.

Horst Karin, Ph.D., CISA, CRISC, CISSP, ITIL, is president of DELTA Information Security Consulting Inc. He has been working in SAP/IT security and risk management for 16 years. He served as chair of the ISACA publishing committee for 3 years, has authored several book reviews for the ISACA Journal and is coauthor of SAP Security and Risk Management.