Knowing employees, authenticating users and provisioning access across networks and in the cloud
In the olden days, logical access control was a reference to accessing computers, email and networks. An employee would sit down at their computer in the morning, enter a username and password and unlock Microsoft Windows to access the device.
The term “logical access” originated as a counter to physical access – the control of interactions with buildings and physical facilities. For years the security and smart card industries sought the convergence of physical and logical access – a single smart card or credential that could be used for both access to physical facilities and logical resources. Outside of federal agencies and large government contractors, however, convergence has been something of a unicorn – often discussed but rarely seen.
SSO manages 100s of username and password combos in one secure login process
Back in the day, gaining access to Windows was the first step. As systems evolved employees would use that same process and have access to email and secure network drives through Active Directory. As systems grew more advanced and the need for greater security arose, one-time passcode tokens would be issued for access to specific applications or web sites. Smart cards and readers would also be deployed for access to devices and sites and for controlling digital signatures.
But logical access is much more than inserting a smart card into a reader, using a token to generate a passcode or authenticating with a mobile device. It extends well beyond the opening the front door for access to a system. It also governs what the employee can access once inside the front door.
Clearly a lot has progressed since the days when logical access was limited to initial operating system login. But the term still persists and today encompasses a broad approach to enabling access to enterprise IT resources. Integrating initial and ongoing access to a growing list of devices – mobile, tablet, laptop, PC – is only the beginning. Granting access to email, network resources, data stores and an array of cloud-based applications often come next.
Redefining authentication in the enterprise
In order to control logical access one must authenticate, and the evolution of the various authentication factors is interesting, says Pam Dingle, principal technical architect at Ping Identity.
The “what you know” area has plummeted in value, Dingle says. Hardly a day goes by when the phrase “kill the password” isn’t seen somewhere. But “what you know” also includes knowledge-based authentication, or KBA.
There are two common approaches to KBA – static and dynamic. Static KBA consists of something a user preselects and, in essence, enrolls as their answer to a specific question – such as mother’s maiden name, high school mascot or favorite movie. It is commonly used for password-reset types of applications. Understandably, static KBA can be fooled with some limited social engineering.
The other approach, dynamic KBA, consists of quizzes that ask various biographical questions to which the user alone should have the answer – for instance, what bank carries your mortgage or how much is your monthly car payment. These authentication systems obtain the true answers to the questions from data sources like credit bureaus and public records.
“A lot of people use (static) KBA for password recovery, but social engineering has turfed that as a standalone method,” Dingle says. Even dynamic KBA has proven vulnerable in a number of highly publicized attacks. “Unfortunately, what you know, everyone else knows, and now this factor receives a failing grade.”
At the head of the class is “what you have,” Dingle says. Using a mobile device for multi-factor authentication is no longer just the discussion of technicians in server rooms. Its importance is now reaching consumers.
One-time passcodes delivered via text messages, however, are no longer considered sufficient, Dingle says. Usernames can be phished and then OTPs can be intercepted in transit or hacked in other ways, she explains. Mobile apps, such as Google Authenticator, have changed the game removing the opportunity for the OTP to be intercepted in delivery.
Fortunately, authentication factors continue to evolve. Push notification via a mobile app – where the user is prompted to swipe or take action based on a message generated on screen by the app or service – will become the standard, says Dingle. “The approach is much more secure and also far easier to use,” she says.
Certainly, the cloud has further complicated matters, forcing enterprises to figure out how to enable access to applications and data that reside outside their normal realm of control.
But even that does not complete the picture. Generic access isn’t enough as modern logical access control also involves the assignment of roles and privileges – provisioning what an individual can do within a network or application.
Knowing your employees
In both physical and logical access environments, enterprises have realized that vetting the individual is key. Before issuing a credential, enterprises – no matter the market – want to know the person receiving it, says Abrar Ahmed, CIO and senior vice president of technical services at SureID. “You have to know that identity and have it proofed before attaching it to a multi-factor credential,” he explains.
The federal government has been doing identity proofing for a long time and has well-established practices. Agencies have also been issuing smart cards for a long time and using them for a variety of logical access applications. It started with identifying employees through a rigorous vetting process, issuing them a smart card for authentication and enabling access, says Patel.