Page 237 - DCAP311_DCAP607_WIRELESS_NETWORKS

Unit 14: Authentication




               communities in a multitenancy model, without compromising overall and individual
               security and usability.
               Thus, the focus on authentication systems becomes one of the primary evaluation factors for
               organizations that are looking to adopt cloud-based services. Organizations must ensure that
               service providers provide the flexibility to deliver varying levels of strong authentication to
               meet required security policies, or extend existing security implementations by leveraging
               identity federation (via SAML or WS-Federation) or authentication delegation to support
               single sign-on (SSO) or reduced sign-on (RSO). However, in these cases, organizations must
               incur the costs to deploy secure and accessible identity-federation and/or authentication-
               delegation services.
               From a capabilities perspective, many of the authentication architecture components are
               being deployed as cloud-based services—for example, identity-proofing services that are
               deployed by credit bureaus, consumer-identity frameworks and providers, vulnerability-
               management networks, PKI and certificate-management services, secondary-factor channel
               providers (voice telephony, SMS messaging, speech recognition, pattern recognition,
               and so forth), fraud detection, strong-authentication service providers, and so on. These
               services provide much-needed capabilities to compose a strong-authentication system;
               however, the same integration-security concerns remain: any one weak link in the
               connected-systems architecture will compromise the overall security posture.
          2.   Identity Metasystems: Consumer-identity frameworks are now available as cloud-based
               platforms, and their growing adoption means that organizations eventually will
               need to integrate these identity metasystems to improve user convenience (for example,
               OpenID identity providers, Google Account, Windows Live ID, Yahoo! ID, and so on).
               However, in order to integrate these online communities, the authentication strengths that
               are implemented for these services must be evaluated against the security policies and
               requirements of the organizations that are looking to leverage them.
               Similarly, online identity providers increasingly will need to add flexibility to configure
               varying levels of authentication strengths for different user segments, in addition to
               integrating various authentication form factors and standards (Higgins, PKCS, OpenID,
               Windows CardSpace, and so on) if they intend to provision services to data-sensitive
               organizations.
          3.   Smart-Card Proliferation: With the availability of more sophisticated smart-card solutions
               and ecosystem support, more physical credentials are adopting smart-card deployments
               (standard plastic cards embedded with microprocessors and/or integrated circuits).
               For example, many countries and states (such as Austria, Belgium, Estonia, Hong
               Kong, and Spain) already have rolled out government-sponsored electronic ID programs to
               national citizens. Subsequently, smart cards are becoming another form of authentication
               factor, where smart-card readers are available and are integrated into authentication
               systems.

               Furthermore, many vendors are consolidating multiple authenticators into the ISO 7816
               smart-card form factor—for example, integrated LCDs to display OTPs, and biometric
               (fingerprint) readers. We might find smart-card deployments materialize in more cases,
               such as from financial institutions that already are issuing physical credentials (that is,
               credit cards, debit cards, and so on). Cryptographic smart cards that use biometric readers
               provide very high identity assurance, as they tightly bind the private keys to the users'
               biometrics (multifactor authentication).

          4.   Mobile Identity: From a physical-hardware perspective, SIM (Subscriber Identity Module)
               cards have improved significantly in terms of storage capacity and capability to perform
               cryptographic processing. Computing power and memory capacity also have improved
               exponentially in mobile devices. Subsequently, the SIM card and mobile phone have become
               the smart card and smart-card reader that constitute the most ubiquitous "something held"
               (or in-possession) authentication factor.
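
The evaluation described under Identity Metasystems, applied to the SAML federation case mentioned earlier: a relying party reads the authentication-context class that the identity provider asserts and compares it with the minimum strength its policy requires for the user's segment. This is an added example, not part of the original text; the strength ranking, the segment names and the helper functions are assumptions, and the sample assertion is constructed and assumed to have passed signature validation already.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

# Assumed ranking: SAML defines these class URIs but no ordering between
# them, so each organization has to assign its own levels.
STRENGTH = {
    AC + "Password": 1,
    AC + "PasswordProtectedTransport": 2,
    AC + "MobileTwoFactorContract": 3,
    AC + "TimeSyncToken": 3,
    AC + "SmartcardPKI": 4,
}

# Hypothetical user segments and the minimum level each one requires.
SEGMENT_MINIMUM = {"community": 1, "employee": 2, "finance": 3, "admin": 4}


def authn_class(assertion_xml):
    """Return the AuthnContextClassRef of an assertion, or None if absent."""
    root = ET.fromstring(assertion_xml)
    ref = root.find(
        ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    return ref.text.strip() if ref is not None and ref.text else None


def is_acceptable(assertion_xml, segment):
    """Fail closed: unknown segment, missing or unranked class -> reject."""
    required = SEGMENT_MINIMUM.get(segment)
    level = STRENGTH.get(authn_class(assertion_xml))
    return required is not None and level is not None and level >= required


def make_assertion(class_ref):
    """Constructed sample assertion (unsigned, trimmed to the relevant part)."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        "<saml:AuthnStatement><saml:AuthnContext>"
        f"<saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef>"
        "</saml:AuthnContext></saml:AuthnStatement></saml:Assertion>"
    )


if __name__ == "__main__":
    for seg, cls in [("employee", "PasswordProtectedTransport"),
                     ("admin", "TimeSyncToken"), ("admin", "SmartcardPKI")]:
        print(seg, cls, is_acceptable(make_assertion(AC + cls), seg))
```

An identity provider that only ever asserts a password class cannot satisfy the higher segments, which is the gap the policy evaluation is meant to expose before integration.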

                                           LOVELY PROFESSIONAL UNIVERSITY                                   231