Risk-based multifactor authentication implementation best practices


Bill Nagel, Contributor

Identity and access management (IAM) -- the processes and technologies that manage user information and the relationship among users, networks and applications -- is enjoying more attention than ever before, and strong multifactor authentication is one of the core components of an enterprise IAM strategy.

Multifactor authentication is often the first port of call on the IAM journey. It's well understood: Everyone knows that relying solely on passwords is problematic, so the idea of adding a second factor alongside them is easy to relate to. Multifactor authentication also tops the list of IAM components that enterprises have already adopted.

But while executives are comfortable with the concept of implementing multifactor authentication, getting them to provide the necessary resources is a real struggle for security and risk professionals. Forrester Research Inc. recently interviewed several firms that have successfully completed a multifactor authentication implementation to learn the best ways of doing so. Four best practices emerged from these discussions:

1. Understand how users work.
The best security is that which people actually use -- and the key to user acceptance of security measures is to make those measures as unobtrusive and painless as possible. Security should not be an afterthought bolted onto an IT system; likewise, strong authentication measures must be integrated as deeply as possible into the fabric of employees' daily life.

Organizations should assess the actual effect on their users. Thoroughly understanding how people do their jobs and having a clear picture of what a day in the life of a typical user entails are key aspects of making sure employee productivity goes unhindered. Communication is the key to eventual user buy-in -- including warning them of the change well in advance -- regardless of the chosen technology.

As with other large-scale technology projects, incomplete research, insufficient testing and weak mandates can turn a multifactor authentication implementation into an expensive boondoggle. Usually these are technological problems, but issues on the personnel side can be just as troublesome. For instance, organizations sometimes mistake IT personnel and execs for typical users. While it's easy to keep a pilot program within the friendly confines of the IT department or the power-user community for efficiency's sake, it can result in wildly underestimating the support resources that the full rollout will require, costing time and money.

2. Determine what the business needs and be proactive.
On the business side, multifactor authentication can be seen as a sunk cost with no ROI -- a problem faced by CISOs around the globe when pitching security projects to non-IT execs. Security pros need to scour their organizations' business landscapes for opportunities to apply MFA to particular pressing business needs and to understand the business problems they are trying to solve. While this may seem obvious, it pertains not only to applying the appropriate technology, but also to marketing the multifactor authentication project internally. Depending on the industry vertical, ensuring regulatory compliance may be a more powerful sales pitch, but there is the risk that the project will be put off until the compliance deadline is uncomfortably close. Instead, try tying the project to protecting customer data and promoting this as a competitive advantage.

Many IT people have a tendency to view everything in terms of a technology widget that can solve security problems -- it beats the messy uncertainties of dealing with people and processes. Waxing poetic over the simplicity of this token or the elegance of that MFA solution will just make a CEO's eyes glaze over. When trying to sell an MFA implementation to senior executives, don't present authentication as a technology solution; rather, sell it as a business solution that secures and protects the company's data.

3. Anticipate and mitigate technology challenges.
Nearly everyone interviewed in the Forrester survey, no matter how experienced an IT security pro, encountered some unexpected technology problems in the course of their multifactor authentication implementations. Their advice? Map the technology to the problem that needs solving; have a detailed picture of existing systems; don't underestimate the time and resources needed for the project; and test early and often. Testing is key to a smooth implementation, and the more the better -- all the more reason to avoid doing the project in a rush. Testing will expose unexpected system interactions, up to and including the need to replace outdated technology, like legacy physical access systems or remote access software that accepts only a single static password and has no way to prompt for or relay a second factor.

Glossing too quickly over the evaluation of existing installed technology, or assuming that once the MFA switch has been turned on it can be left to run by itself, can have negative consequences for the implementation, such as unexpected delays and unanticipated interactions with subsequently installed technology. Don't fall victim to testing and forgetting!

4. Develop a strategy to get support in the right places.
Start the internal sales process early, and get high-level sponsorship as soon as possible. The latter is usually easier said than done, but fortunately, in recent years security has finally received the C-level attention it deserves. The use of passwords as the sole means of gatekeeping access to IT resources is a large and well-defined security weakness -- put it at the forefront of a multiyear, multiproject IAM plan. And once the organization buys in, don't compromise trust by not delivering or by overpromising on the financial return.

Usability is a key concern here, so it's also important to win the users over, or risk spending a lot of time dealing with people who are unhappy with the technology after it's implemented. For large rollouts, initiate a groundswell of support by getting influential employees (team leaders, coaches, mentors, etc.) from all over the company on board at an early stage. Naturally, there will be criticisms and pushback -- so present the extensive research that identified the best technology option to the influencer group and solicit suggestions for improvement.

It'll pay dividends later on.

About the author:
Bill Nagel is an analyst at Forrester Research where he serves security & risk professionals. He focuses on digital identity and how companies can use the technologies, policies and processes that enable it to secure both internal-facing and external-facing business processes and ensure a greater degree of regulatory compliance.









Copyright 2008 - 2010, TechTarget