Two Factor Authentication - Squared
I was working with a large SI last week who does a lot of work for the government. I was there to prove out a solution to protect their DHCP servers from unatorized users getting an IP address and subsequently on their network, and their customer's network. I showed them how the solution worked in 15 minutes and was done with that part of the discussion.
The next part was around authentication. Part of it was academic discussion, part was to think through a business problem - authentication, and how much is enough. We were able to figure out that with the same solution we just used to solve one problem would also solve another, and one that is on the minds of anyone working on HSPD-12 initiatives.
Long story short - four factor authentication. Two factor authentication, squared, or 2F2.
Here is how it works:
I identify the user in two ways - PIV Card, and Login credentials (PAC & LAC Controls)
I identify the machine in two ways - by unique machine ID (hardware serial numbers encrypted in every packet), and certificate exchange.
Unalterable, proven, and deployed in days.
Why does this matter for PCI?
Audit - Be able to see every network layer event, by who, from what machine, in real time.
Control - Make policy based access decisions based on 4 different attributes providing the ultimate in flexibility and rollout options. For example - known/trusted user AND known trusted machine on my LAN - access to what they need to do their job from DAY ONE (email). Known user/unknown machine (vendors/guests) get access to Port 80 only so they can demo, check webmail, etc.
At the macro level -
You have just scoped down your threat vector area to only those you know and trust, be they machines and people.
Add to it the functionality of immediate real time alerting in the event something bad looks like it is happening, and reporting to understand exactly how they tried to do what they did, were blocked, but still logged - Priceless...
pcistuff@gmail.com
The next part was around authentication. Part of it was academic discussion, part was to think through a business problem - authentication, and how much is enough. We were able to figure out that with the same solution we just used to solve one problem would also solve another, and one that is on the minds of anyone working on HSPD-12 initiatives.
Long story short - four factor authentication. Two factor authentication, squared, or 2F2.
Here is how it works:
I identify the user in two ways - PIV Card, and Login credentials (PAC & LAC Controls)
I identify the machine in two ways - by unique machine ID (hardware serial numbers encrypted in every packet), and certificate exchange.
Unalterable, proven, and deployed in days.
Why does this matter for PCI?
Audit - Be able to see every network layer event, by who, from what machine, in real time.
Control - Make policy based access decisions based on 4 different attributes providing the ultimate in flexibility and rollout options. For example - known/trusted user AND known trusted machine on my LAN - access to what they need to do their job from DAY ONE (email). Known user/unknown machine (vendors/guests) get access to Port 80 only so they can demo, check webmail, etc.
At the macro level -
You have just scoped down your threat vector area to only those you know and trust, be they machines and people.
Add to it the functionality of immediate real time alerting in the event something bad looks like it is happening, and reporting to understand exactly how they tried to do what they did, were blocked, but still logged - Priceless...
pcistuff@gmail.com
posted by Mark Mac Auley at 6:52 AM
1 Comments:
I like the little reviews because I get a lot of good ideas,
.........
Cuala
Wow, check out this site called www.fluc.com
. Free SMS and free mobile ads!! Its fantastic
Post a Comment
<< Home