Authentication

Overview

Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be. In private and public computer networks (including the Internet), authentication is commonly done through the use of logon passwords. Knowledge of the password is assumed to guarantee that the user is authentic. Each user registers initially (or is registered by someone else), using an assigned or self-declared password. On each subsequent use, the user must know and use the previously declared password. The weakness in this system for transactions that are significant (such as the exchange of money) is that passwords can often be stolen, accidentally revealed, or forgotten.

For this reason, Internet business and many other transactions require a more stringent authentication process. The use of digital certificates issued and verified by a Certificate Authority (CA) as part of a public key infrastructure is considered likely to become the standard way to perform authentication on the Internet.

Logically, authentication precedes authorization (although they may often seem to be combined).

Authentication Types

There are three methods of authentication:

What you have: keys, badges, ID cards, passcards, tokens.

These are physical objects; they identify you by what you physically *own*. The obvious problem is that objects are not tied or "signed" to any particular person, so they can be taken. This makes it easy to lend your credential for temporary uses such as valet parking, but it also means objects can be stolen. Keys can be duplicated, IDs can be faked, and nobody knows what a valid badge looks like anyway.

What you are: your DNA, fingerprints, voice, typing cadence, the way you walk, talk and act; your smell, shoeprints, aura, retinal scan, vein patterns. Anything that leaves an impression of you that cannot come from someone else. These are things that can be taken from you: they cannot be faked, but they can be stolen. As a second level of security, what you are is better than what you have, but is nothing compared to what you know.

What you know: passwords and passphrases. Things that cannot be beaten out of you. A password cannot be compelled from you, cannot be stolen from your mind, and cannot be duplicated. Other examples include your memories.

The Advantages of Two-Factor Authentication
  • Enhanced security
  • Reduced risk
  • Minimized training and help desk load
  • Ensuring that only authorized persons can access resources remotely

Authentication Solutions

RSA offers the only complete portfolio of authentication, access control and key management solutions that extend protection and ownership across the lifecycle of sensitive data, as it is created, accessed, shared, stored and moved. From the datacenter to the cloud, organizations can remain protected, compliant and in control, no matter where their business takes them.

Solution Description
The RSA SecurID authentication mechanism consists of a "token" — either hardware (e.g. a USB dongle) or software (a soft token) — which is assigned to a computer user and which generates an authentication code at fixed intervals (usually 60 seconds) using a built-in clock and the token's factory-encoded random key (known as the "seed"). The seed is different for each token and is loaded into the corresponding RSA SecurID server (RSA Authentication Manager, formerly ACE/Server) as the tokens are purchased.

The token hardware is designed to be tamper-resistant to deter reverse engineering. When software implementations of the same algorithm ("software tokens") appeared on the market, the security community developed public code that lets a user emulate RSA SecurID in software, but only if they have access to a current RSA SecurID code and to the original RSA SecurID seed file that was imported into the server. In the RSA SecurID authentication scheme, the seed record is the secret key used to generate one-time passwords. Newer versions also feature a USB connector, which allows the token to be used as a smart card-like device for securely storing certificates.

A user authenticating to a network resource — say, a dial-in server or a firewall — needs to enter both a personal identification number (PIN) and the number being displayed at that moment on their RSA SecurID token. Some systems using RSA SecurID disregard the PIN altogether and rely on password/RSA SecurID code combinations. The server, which also has a real-time clock and a database of valid tokens with the associated seed records, computes what number the token is supposed to be showing at that moment, checks it against what the user entered, and decides whether to allow or deny access.
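The server-side decision described above, as an added illustration that is not RSA's code: a seed record and PIN per user, a clock-driven 60-second tokencode, and a verify step that checks PIN plus tokencode, tolerates one interval of clock drift and refuses to accept a code that has already granted access. The tokencode derivation (HMAC-SHA256 over the interval counter), the six-digit length, the drift window and the username "alice" are assumptions for the example, not SecurID's actual algorithm or settings.

```python
import hashlib
import hmac
import time

INTERVAL = 60      # the token rolls to a new code every 60 seconds, as described above
DRIFT_WINDOW = 1   # accept one interval either side to tolerate clock skew (assumed policy)
CODE_DIGITS = 6


def tokencode(seed: bytes, unix_time: int) -> str:
    """Code the token displays during the interval containing unix_time.
    HMAC-SHA256 over the interval counter is an illustrative stand-in, not
    RSA's algorithm; only the structure (seed + clock -> code) is the same."""
    counter = (unix_time // INTERVAL).to_bytes(8, "big")
    mac = hmac.new(seed, counter, hashlib.sha256).digest()
    return str(int.from_bytes(mac[-4:], "big") % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


class AuthenticationServer:
    """Server-side database of seed records and PINs, plus the allow/deny decision."""

    def __init__(self):
        self._tokens = {}     # username -> (seed, pin)
        self._last_used = {}  # username -> last accepted interval counter (replay guard)

    def enroll(self, username: str, seed: bytes, pin: str) -> None:
        self._tokens[username] = (seed, pin)

    def verify(self, username: str, passcode: str, now=None) -> bool:
        """passcode is the PIN immediately followed by the displayed tokencode."""
        now = int(time.time()) if now is None else now
        record = self._tokens.get(username)
        if record is None:
            return False
        seed, pin = record
        if len(passcode) != len(pin) + CODE_DIGITS:
            return False
        entered_pin, entered_code = passcode[:len(pin)], passcode[len(pin):]
        pin_ok = hmac.compare_digest(entered_pin.encode(), pin.encode())
        # Evaluate every slot in the window (no early exit) so response time
        # does not reveal which slot, if any, matched.
        matched = None
        for offset in range(-DRIFT_WINDOW, DRIFT_WINDOW + 1):
            candidate = now + offset * INTERVAL
            if hmac.compare_digest(entered_code.encode(), tokencode(seed, candidate).encode()):
                matched = candidate // INTERVAL
        # Both factors must match, and a code that already granted access is never reused.
        if not pin_ok or matched is None or matched <= self._last_used.get(username, -1):
            return False
        self._last_used[username] = matched
        return True
```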

Solution Offerings

MORE INFORMATION http://www.emc.com/security/rsa-securid.htm
