Authenticate users, devices and services
Authentication concerns validating the identity of an individual or system. More specifically, authentication concerns what one knows, what one has or what one is (Vacca, 2013). When implemented, authentication is a combination of security policies, practices and technologies that collaborate to associate authorized access to restricted information resources (National Institute of Standards and Technology [NIST], 2013). Controlling the cycle of authentication is important to reducing security risks such as unsecured active computers.
The types of security measures employed when an individual steps away from an active device with running programs and services should be consistent with the risks associated with accessible resources (NIST, 2016). A computer that is connected to a privileged system such as an enterprise database will have different requirements than a general purpose computer used by hotel guests. Security measures will also differ depending on a system’s physical location and locally stored information. Authentication practices and appropriate measures should be holistically addressed for a whole device and its use in order to define the best security. This applies a defense-in-depth approach to achieving security (Vacca, 2013).
- For a system where an individual has logged in and has been authenticated by a system, there should be authentication controls such as automatic logout after a period of inactivity. Automatic logout after a period of activity reduces the risk of a threat actor gaining unauthorized access such as the case when an attacker hijacks an active web session in order to acquire a session ID and possibly authentication credentials (Nagpal & Nagpal, 2014). Another important consideration is reducing persistent login activity so that an individual does not re-authenticate between systems login events. The authentication credentials become cached such that future logins are automated.
- For privileged systems, an ideal scenario is dedicated machines with layered authentication such as individual and device authentication. (NIST, 2016). Privileged system users should utilize endpoint devices in their control, and the ideal scenario is that these devices are limited to privileged use. If devices used by privileged users are also shared by non-privileged users, additional security measures should be in place. This includes authentication policies of automatic logout for periods of inactivity and maximum session length times for any authenticated session.
- Authentication is not authorization, and authorizations should coordinate with authentication protocols (Vacca, 2013). Authentication enables a system to identify and verify an individual, but an authenticated individual does not necessarily have access to all resources in a system or a network. System resources are limited by access controls and using methods such as role-based access control (RBAC). When an individual is away from an active device, protocols for restricting authentication should also apply to accessing system resources.
- Computer applications that interact with or traverse the Internet should employ secure communication channels where application sessions are ended or suspended due to user inactivity. Authentication is directly associated with risks to session management. Internet and mobile applications should enable persistent Secure Socket Layer/Transport Layer Security (SSL/ TLS) connectivity to protect authentication and communication of data (Das & Samdaria, 2014). Layers of authentication should include public key certificate authentication, secure password use, two-factor authentication. Appropriate structuring of authentication mechanisms can reduce risk of attacks such as man-in-the-middle attacks.
- Shared computers should have added protections to minimize individuals having unauthorized access to data. This is particularly critical for computers that access sensitive data. For computer such as Windows operating system (OS) computers, centrally controlled user profiles can be used to control access. User profiles can have automated logout sessions, and save data to central servers. Internet browsers can be set to save no session data.
- Use of protective measures such as smart cards and encryption can also improve device security, but additional authentication intelligence is needed to maintain privacy and confidentiality in distributed computer environments (Wang, Wang, Wang, & Qing, 2015). One vulnerability of authentication schemes is that authentication tokens or keys can be compromised in use from theft or leakage. This compromise can result in identification of an individual and of respective personal data. If authentication is compromised, tracking variance in use may require heuristic analysis to identify the impact of the compromise.
References
Das, M., & Samdaria, N. (2014, January). On the security of SSL/TLS-enabled applications. King Saud University. Retrieved from http://dx.doi.org/10.1016/j.aci.2014.02.001
Nagpal, N. B., & Nagpal, B. (2014). Preventive measures for securing web applications using broken authentication and session management attacks: A study. In International Conference on Advances in Computer Engineering and Applications (ICACEA) (Vol. 2014).
NIST. (2016). Best practices for privileged user PIV authentication (Cybersecurity Strategy and Implementation Plan, Publication). Gaithersburg, MD: National Institute of Standards and Technology.
NIST. (2013, April) Security and privacy controls for federal information systems and organizations (NIST Special Publication 800-53 Revision 4). National Institute of Standards and Technology. Retrieved from: http://physics.net.gov/document811.pdf.
Vacca, J. (2013). Computer and information security handbook (Second Edition). Waltham, MA: Morgan Kaufmann.
Wang, D., Wang, N., Wang, P., & Qing, S. (2015). Preserving privacy for free: Efficient and provably secure two-factor authentication scheme with user anonymity. Information Sciences, 321(Security and privacy information technologies and applications for wireless pervasive computing environments), 162-178. Retrieved from http://www.sciencedirect.com.ezproxy.umuc.edu/science/article/pii/S0020025515002431


