This is a multi-part blog entry on the important criteria against which enterprises should evaluate rights management technologies before investing significant amounts of time and money. Please note that not all criteria will matter to every enterprise, so you will have to pick the ones that are important to you, give them appropriate weightings and then decide on the best technology.
To view all the blog posts in this series please go to http://blog.seclore.com and then select "IRM evaluation" from the tag list.
Multi-factor authentication
In most cases, IRM systems do not have an identity store of their own, i.e. they rely on a trust relationship with an existing identity system such as an LDAP directory. The security of an IRM system therefore rests on the credibility and security of the underlying identity infrastructure. If the identity establishment and governance process is weak, that weakness cascades into the security of the IRM system.
As identity theft becomes more brazen, the need for something stronger than password-only authentication is more important than ever. Access to other elements of the IT infrastructure, i.e. networks, applications and even individual computers, is increasingly governed by multi-factor authentication. Multi-factor authentication normally challenges the user on some combination of:
1. What you know, i.e. your password, PIN, mother's maiden name, favourite colour, etc. (the last two are weak, since such answers are often discoverable).
2. What you have, i.e. tokens, magnetic cards, mobile phones, etc.
3. Who you are, i.e. fingerprints, voice biometrics, iris or face recognition, etc.
In the context of IRM systems, support for multi-factor authentication is normally a good-to-have, but where extremely confidential information is being protected it can become critical.
Ideally an IRM system should allow for gradual "scaling up" of the multi-factor authentication requirements. In order of increasing cost and complexity the options are:
1. Basic two-factor authentication: a check on what you know (user name/password) plus what you have (a specific computer or a specific network signature). For good IRM systems this is a built-in feature of the IRM system itself. Bear in mind that a machine or network fingerprint is a weak possession factor, since the attributes it is built from can be observed and copied by an attacker who controls the client.
2. Support for token-based two-factor authentication: the regular user name/password plus a (normally third-party) OTP (one-time password) infrastructure backed by physical tokens issued to each user. In the case of IRM systems this is awkward, because protected documents may go to external users and there is little control over how many such users there are. Provisioning a physical token for each of them would take a long, and in most cases unacceptable, time.
3. Support for token-less two-factor authentication: the regular user name/password plus a second factor produced by a mobile app or delivered by SMS. User provisioning in this case can be very fast, but SMS delays and internet availability on the phone can hinder adoption. SMS codes can also be intercepted or redirected (for example by SIM swapping), so an app-generated OTP is preferable where the recipient can install one.
Identity-based access to information is the key to the value of IRM systems, and there are many threats to identity today, ranging from simple SQL injection against an identity store to globally coordinated attacks on online services. The recent breaches at Sony, and the compromise of RSA's SecurID data, which undermined a second factor itself, further underline the need for stricter measures for validating identities.
Even if a user's identity is compromised, or malicious users share credentials, the enterprise's critical information can still be protected by combining multi-factor authentication with IRM. Allowing information to be optionally locked down to specific physical machines serves the most common needs for a second factor with little effort.
Seclore and its partners regularly advise customers on their IRM requirements so please do not hesitate to contact us.