INTERVIEW TRANSCRIPT Barriers to Adopting Multifactor Authentication

Transcription

1 INTERVIEW TRANSCRIPT Barriers to Adopting Multifactor Authentication Crossmatch s Trytten on the Latest MFA Trends for Financial Institutions

2 Chris Trytten, Director of Product Marketing at Crossmatch Despite understanding the need for multifactor authentication (MFA), many financial institutions struggle with the complexity of implementing effective solutions. Let s talk about what this complexity looks like...the average MFA initiatives have been ongoing for six years. On average, four point solutions are deployed because no one solution secures all IT assets. Organizations incrementally adopt new, partial solutions as they become aware of new threats and as new systems are brought online, says Chris Trytten, Director of Product Marketing at Crossmatch. Historically, multifactor authentication systems required everything to be custom-built, Trytten explains. Managing the growing number of systems and the ever-increasing number of employees, partners and customers all from multiple access points is difficult at best. In an interview discussing the latest multifactor authentication trends, Trytten offers insights and strategies on: The primary barriers preventing financial institutions from adopting multifactor authentication; The ways in which multifactor authentication helps deter cyberattacks; and How Crossmatch simplifies identity and access management for financial institutions. Trytten is Director of Product Marketing at Crossmatch. With over two decades of technical and managerial experience in systems and security in the financial and retail spaces, Trytten guides Crossmatch s product and and marketing teams to address the security needs of these industries. Prior to joining Crossmatch, Trytten worked at leading companies in Silicon Valley, including DigitalPersona, Interlink Networks, Siemens and Apple. He is also a recognized musician, having won the prestigious Villa Lobos International Guitar Competition in Barriers to Adopting Multifactor Authentication 2

3 Biggest Barriers to MFA Adoption ROBYN WEISMAN, ISMG: Chris, let s start the conversation by discussing some of the barriers preventing financial institutions from adopting multifactor authentication. What are some of the biggest barriers you see in your experience? CHRIS TRYTTEN, CROSSMATCH: It is now a requirement to adopt multifactor security. We continue to be breached. We are painfully aware of the costs, and we know the central cause of data breaches is compromised credentials. So, the question is: Why hasn t this problem been solved? What is preventing organizations from adopting MFA? Historically, solving this problem has not been trivial. You have many diverse systems with incompatible interfaces and security plumbing. Because of this, they are very difficult to properly secure and achieve governance and business agility. Just look at the number of the systems; the diversity of the systems; the number and diversity of types of users, employees, vendors and partners; the number and diversity of access points; the amount of manual work typically required of IT to install and maintain multifactor authentication; and the number of IPs that must be involved for all these systems. Plus, historically, multifactor authentication systems have required everything to be custom-built: account definition, authorization roles, business logic, workflow and approvals, and authentication policies. If you look at some of the statistics, the average MFA initiative has been ongoing for six years. This is from a survey of about 2,200 institutions. On average, four point solutions are deployed for MFA. You start with the requirement to lock down certain systems. You might have gotten a hard token authorization platform, but that doesn t extend to all your platforms, so you develop another one. Maybe you go to SSO (Single Sign-On), but of course, that doesn t touch all systems either, and so you continually expand the number of systems to manage this problem. What does this complexity look like? On average, the surveyed companies supported 198 applications. That s 198 places where accounts must be set up and managed, 198 different passwords and password policies for those systems that don t have multifactor authentication applied to them, and dozens of IT professional support users on all of these applications. Now, if only half of these required unique passwords, how many users can remember even 13 different passwords? Historically, MFA has been very expensive. A lot of companies are investigating multifactor authentication, and there are a lot of solutions out there. And these companies are balking at the complexity and the choice involved. Those are the barriers. Historically, MFA has been very expensive... And these companies are balking at the complexity and the choice involved. The Need for Credentials Management WEISMAN: Nowadays, there are so many ways for threat actors to attack digital assets of financial institutions, as you know. How can credential management help banks protect themselves from these attacks? TRYTTEN: It s getting increasingly difficult to secure digital assets, given the complexities of the modern data center, which includes cloud computing. In the past you were either behind the firewall or outside the firewall. If you went inside the firewall, you were safe. If you were outside, you had to have some increased level of security to access corporate assets. Cloud computing destroys that model, and so perimeter security is no longer adequate. To make it worse, more individual line of business units go out and contract with their own cloud services unbeknown to IT. Meanwhile, a vastly increased number of devices are attaching to the data center, while non-employee actors such as vendors, partners, service providers and even customers have expanded access to IT resources. So you have all these actors and developments allowing unfettered access to applications, many of which are accessed outside the traditional security perimeter, using uncontrolled mobile platforms by just about anyone, anytime, anywhere. What could possibly go wrong? The linchpin in all of these security breaches are passwords, and they are at the heart of the data breach epidemic. Users typically create weak passwords to manage this complexity, which can be shared or stolen. Therefore, you need to manage your credentials and find alternative ways to authenticate. This is why we are talking about multifactors like smart cards, tokens even hardware tokens and biometrics. It is very hard to share those authentication factors with other people, especially bad actors. Barriers to Adopting Multifactor Authentication 3

4 How Multifactor Authentication Prevents Data Breaches WEISMAN: How can organizations better prepare to prevent data breaches and what role does multifactor authentication play in that? TRYTTEN: There is no one single thing you can do that will cure all woes and ills, although you can do some basic housekeeping. Surprisingly, a lot of organizations don t do such things like evaluating all systems and data and their security requirements. You have to identify where they are. You need to look inside your network and segment it so that if somebody does get into your network, they don t have free rein on everything. You also need to develop access control policies that govern who can access your systems and when. Not only is that an internal requirement, mandates and regulations like SOX, GLB and PCI, to name a few, require that you demonstrate you have access control policies in place. The latest version of PCI requires you to have multifactor authentication, not just for systems that hold card data, but other systems in that environment. And the mandates are getting more tightly controlled. You need to apply policybased multifactor authentication access controls once you define your asset and policy, and you need to apply them and use them. Once you have done that, closely monitor your event logs for suspicious activity like failed authentication requests, multiple failed authentication attempts and system lockout. Most security breaches and security exposures come from humans, largely employees, that [D]evelop access control policies that govern who can access your systems and when. Not only is that an internal requirement, mandates and regulations like SOX, GLB and PCI...require that you demonstrate you have access control policies in place. inadvertently not often maliciously, but inadvertently expose the company to security breaches of all sorts. In addition to all the processes and technologies, you also have to educate your employees. Studies are showing that educating employees is one of the most powerful things you can do, even if you don t have multifactor authentication implemented. At the very least, start there. Barriers to Adopting Multifactor Authentication 4

5 WEISMAN: Can you give a real-world example of how multifactor authentication can help deter things like phishing attacks or ransomware attacks? TRYTTEN: Again, the most common avenue of attack gets down to humans. We are wired to cooperate. It might seem implausible when you look at the people you have to deal with in your life, but we are actually hardwired to cooperate with each other. Another hardwired characteristic in human beings is to respect authority. Your boss comes in with that glint in his eye, and you know that he is not messing around. He asks you to do something, and you say Yes, how soon? That s exactly what bad actors are preying on. They are stealing trust. They understand enterprise technology, and they understand enterprise processes and organizations. So, they will study an organization to see who is the vice president of what, what is the reporting structure, and what else is going on. They do a lot of what they call wet work, understanding, on the ground, what is happening to the corporation. Then they will impersonate a vice president, typically via an , saying I need you to open the attachment and respond to it in the next hour. You have a very believable , and, guess what, it s malware. This malware scrapes the system and finds cached credentials. As long as you are trading in these very insecure authentication credentials, you are going to be subject to spear-phishing attacks and malware. By the way, spear-phishing attacks are very inexpensive to launch, and they are soaring in terms of just the sheer numbers perpetrated against the industry. So you need authentication factors that aren t subject to those types of threats. I can t tell the system admin my fingerprint. I can t give them my smart card. They can t scrape that from my system. Those are things that cannot be shared or stolen. You go even further. You have a credential that can t be shared or stolen. To make matters even more interesting, you add two of them that require the attacker to compromise the credential in different ways. So, yes, maybe you use a biometric, and maybe you also use Bluetooth authentication from your smart phone. At that point, you have made it extremely difficult to attack the system. An important thing to remember: Attackers and crooks are opportunistic. They are looking for the easy kill. They don t want to work hard. They have businesses to run themselves. So, if you make it very difficult with several factors that can t be shared or stolen to attack your network or your assets, they are going to go someplace else. [Y]ou need authentication factors that aren t subject to [spear phishing and ransomware]. I can t tell the system admin my fingerprint. I can t give them my smart card. They can t scrape that from my system. Crossmatch: Simplifying Multifactor Authentication WEISMAN: For our final question, Chris, please describe how Crossmatch can simplify identity and access management for financial institutions in particular. TRYTTEN: At Crossmatch, we like to say, We make the complex simple. We ve studied this. We ve lived with our customers. We understand the challenges. We understand the systems, and we have developed a multifactor system that customers can install and be up and running within days. They do not need to modify any application or platform. Applications can be integrated in minutes instead of hours. Users can be provisioned in minutes instead of hours. You have all the most common authentication factors included, so organizations don t need to deploy multiple point solutions. Barriers to Adopting Multifactor Authentication 5

6 As I said before, all this has to be managed and governed by policy, so we offer a wide range of authenticators that secure systems from mainframe applications all the way up to cloud applications. They can be applied based on customer policy choices or authentication workflows. Complexity can be managed to risk-based authentication policies. As you start to add authentication factors, you secure your systems. You want to look at your systems and say, You know, these systems and these people accessing the systems are relatively low security import and exposure, so we are just going to let them access them maybe through a simple SSO transaction. But then you say, Here s an accounting system with all sorts of financial data. You have to access that using two, maybe even three, factors. And we can do that. Most other systems only allow you to add two factors. We allow you to scale up to three factors, depending on the security need. You don t impose this security burden on all your users. You make it pretty simple for people that need to do just standard, run of the mill things, and then really lock down your highly secure systems and data. [Our] multifactor system that customers can install and be up and running within days....you have all the most common authentication factors included, so organizations don t need to deploy multiple point solutions. We don t require that you install any new hardware to manage. Crossmatch does not require specialized staff to care and feed its authentication system. Your IT staff can use their standard Active Directory tools that they know well and are comfortable with. We have a password management for people who choose to continue to use passwords. The policy is automatically enforced and users can self-serve a password reset. Bringing on new systems to change the existing ones is accelerated by the easy application and administration of provision and authentication policies. Of course, things are always changing, and so you have new security exposures and new authenticators entering the market. You don t want to be on a system that locks you into a specific technology. Our flagship product, DigitalPersona Altus, is an open, extensible platform that doesn t lock you into a particular authentication technology. You are future-proofed because most of Atlus technology was developed over the past 10 years. You cover all applications with all authentications for all users in a very easy way to install and manage, and it is very easy to add new authenticators and new functionality because of its platform architecture. It also gives you a central repository of event loggings to satisfy your regulatory mandates for auditing and reporting. We looked at this very carefully, we ve got all bases covered and we really have cracked the nut of the complexities that have kept people from adopting MFA. Listen to the full interview: Barriers to Adopting Multifactor Authentication 6

7 About ISMG Headquartered in Princeton, New Jersey, Information Security Media Group, Corp. (ISMG) is a media company focusing on Information Technology Risk Management for vertical industries. The company provides news, training, education and other related content for risk management professionals in their respective industries. Contact (800) sales@ismgcorp.com This information is used by ISMG s subscribers in a variety of ways researching for a specific information security compliance issue, learning from their peers in the industry, gaining insights into compliance related regulatory guidance and simply keeping up with the Information Technology Risk Management landscape. About Crossmatch Crossmatch helps organizations solve their identity management challenges through biometrics. Our enrollment and authentication solutions are trusted to create, validate and manage identities for a wide range of government, law enforcement, financial institution,retail and commercial applications. Our solutions are designed using proven biometric technologies, flexible enrollment and strong multi-factor authentication software, and deep industry expertise. We offer an experienced professional services capability to assess, design, implement and optimize our identity management solutions for a customer s individual challenges. Our products and solutions are utilized by over 200 million people in more than 80 countries. Contact (866) Carnegie Center Princeton, NJ