As part of the identity management process, internal auditors may be asked to evaluate a company's authentication tools and controls. Although much has been written about the types of authentication tools available today, beginner internal auditors may not be familiar with the pros and cons of using this type of technology. Therefore, it is in the auditor's best interest to learn the basics about authentication, their role when evaluating different authentication tools, and the different user and regulatory needs authentication tools and controls must address. Doing so will help auditors become more proficient in the authentication process and provide recommendations that match the organization's security needs.
What Is Authentication?
In many organizations, the function of verifying a user's identity — known as authentication — is important in establishing trust in critical business processes. In its simplest form, authentication is the act of verifying a person's claim on his or her identity and is usually implemented through a username and password combination when logging into an IT system or application. As this definition suggests, part of the authentication process consists of correctly identifying a user, application, or group. There are multiple ways by which users can provide their identity, such as typing a username and password, swiping a smart card, waving a token device, or using voice recognition. In fact, the basis of authentication lies in the principle that without a proper form of identification, a system will not be able to correlate an authentication factor with a specific subject.
The proper identification of a person, device, or group is vital for safeguarding and maintaining the confidentiality, integrity, and availability of the company's IT infrastructure. Based on business policies, access controls can be created for authenticated users and information. Audit capabilities can be used to further help organizations make users accountable for their actions by identifying who did what, when, and where, as well as determine whether the organization complies with internal and external requirements. Although security experts agree that no single technology completely protects consumers from fraud, the responsibility and the need to select a cost-effective, secure, and easy way to deploy an authentication solution has shifted to the organization.
The Auditor's Role
One of the key things auditors need to do as part of the authentication process is to understand the limitations of implemented identity management tools. Therefore, auditors need to learn what the organization's business requirements are and what authentication tools or controls are currently employed to better evaluate them or recommend different authentication best practices, if needed. Auditors also need to assess any inherent and residual risks that are part of the organization's authentication solution.
Although not entirely secure, usernames and passwords are one of the most popular methods for authenticating a person's identity. Because usernames remain static once they are assigned to an individual or created by a person, passwords become the best means of authenticating an individual's identity. Besides identifying the risks posed to an organization if a password is compromised, auditors can recommend that organizations keep in mind the following password characteristics:
- Whether passwords are managed through a security procedure or control. Ideally, all password attributes (e.g., complexity, length, and change frequency) should be driven by corporate policy or the user's application needs.
- The password's change and replacement costs. This refers to the human effort involved in resetting or assigning new values to a password and the costs involved in communicating this information to the user. This task is usually handled by the help desk or another administrative function.
- The presence of weak passwords. Weak passwords may be present if changes are voluntary or the authenticating system does not validate password strength against the password management policy. Application-driven password controls are more reliable and consistent because they are designed to validate the password against the company's policy, thereby forcing users to adhere to password-strength requirements.
- The password's change frequency. How often a password is changed helps to reduce the effectiveness of attacks. As a general rule, the shorter the change period, the better. For instance, a password that is changed once every 180 days may be more susceptible to an attack than one that is changed every 60 days.
- The password's complexity. Usually, the more complex the password, the harder it is to guess during a brute-force attack. For instance, passwords should not consist of common dictionary words, which are easily guessed during a brute-force attack; they must be at least eight characters long; and they should combine uppercase and lowercase letters, numbers, and special characters. In addition, the authentication tool or control should not allow users to recycle previously used passwords when prompted to change their existing passwords.
- The environment in which the password is used. Where the password is used needs to be considered before approving the method of password transmission. For example, in a cyber café, the use of a one-time password is more secure than a regularly used password.
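The application-driven password control described above can be checked with a small validator that encodes the article's rules (eight characters minimum, mixed character classes, no dictionary words, no recycling, a maximum age). This is an added example, not code from the original article; the word list, the 60-day maximum age, the history depth and the message strings are constructed for illustration.

```python
import re
from datetime import date, timedelta

# Policy values from the article's password characteristics (eight characters, mixed
# classes, no recycling); the 60-day maximum age and history depth are assumptions.
MIN_LENGTH = 8
MAX_AGE_DAYS = 60
HISTORY_DEPTH = 5

# Constructed mini dictionary for illustration; a real control would load a full word list.
COMMON_WORDS = {"password", "welcome", "letmein", "summer", "company"}

CLASS_CHECKS = [
    (r"[a-z]", "no lowercase letter"),
    (r"[A-Z]", "no uppercase letter"),
    (r"[0-9]", "no digit"),
    (r"[^A-Za-z0-9]", "no special character"),
]


def password_violations(candidate, history, dictionary=COMMON_WORDS):
    """Return the policy rules a new password breaks; an empty list means it is acceptable.

    `history` holds the user's previous passwords (a real system compares salted hashes,
    which is omitted here for clarity).
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for pattern, message in CLASS_CHECKS:
        if not re.search(pattern, candidate):
            problems.append(message)
    # Strip digits and punctuation so "Password1!" is still recognised as a dictionary word.
    if re.sub(r"[^a-z]", "", candidate.lower()) in dictionary:
        problems.append("based on a common dictionary word")
    if candidate in history[-HISTORY_DEPTH:]:
        problems.append("reuses a recent password")
    return problems


def password_expired(last_changed_iso, today_iso):
    """True when the password is older than the policy's change frequency allows."""
    age = date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)
    return age > timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    print(password_violations("Password1!", ["Winter2024!"]))
```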
Authentication Tools and Controls
As mentioned earlier, organizations can use other authentication tools besides usernames and passwords. Following is a list of the main authentication tools or controls auditors can recommend:
- Hardware tokens. These devices display generated random numbers that change every 60 seconds and are synchronized with the authenticating system. Users simply type the number displayed on the token whenever they need to log in.
- Software tokens. These software programs generate a unique string of characters that is identified by the authenticating system and reside on the computer's hard drive or another device, such as storage media, a personal digital assistant, or a compact disc.
- Digital certificates on smart cards and USB tokens. These unique certificates are issued by a third-party certificate authority or by the operating system to ensure users are communicating with the right person or device. Digital certificates contain specific identifying information and are governed by an international standard, X.509.
- Challenge response. This activity consists of a question-answer dialog where the user responds to a set of pre-recorded questions, such as the mother's maiden name, or a token device that generates passwords or responses based on a pre-determined algorithm. When using a token device, the authentication system displays a challenge in the form of a code or a password phrase. The user then enters the challenge into the token device, which provides a response containing the code or password phrase the user must reenter into the system for authentication.
- Biometric authentication. This is the use of technologies that measure and analyze a person's physical and behavioral characteristics (e.g., fingerprints, eye retinas and irises, facial patterns, and hand measurements) to authenticate the individual into a system.
- Out-of-band authentication. Under this method, the authentication device accepts the person's credentials and sends a secret password to the user through an out-of-band medium, such as an e-mail, short message service, or phone call. The password is then valid for a one-time use only.
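The hardware-token and challenge-response entries above rely on the same idea: the token and the authenticating system share a secret and compute the same keyed one-time code, so the server can check what the user types without the secret ever leaving either side. This added example (not from the original article) uses the RFC 4226 HOTP construction for that code; the 60-second time step, the one-step clock-drift window and the 63-bit random challenge are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 60   # the token shows a new number every 60 seconds (from the article)
DRIFT_STEPS = 1     # assumption: tolerate one step of clock drift either way


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def time_counter(now: float) -> int:
    """Both sides derive the same counter from the clock; this is the 'synchronization'."""
    return int(now // STEP_SECONDS)


def token_display(secret: bytes, now: float) -> str:
    """What the hardware token shows at time `now`."""
    return hotp(secret, time_counter(now))


def verify_time_token(secret: bytes, submitted: str, now: float) -> bool:
    """Server side: accept the current step or a neighbour within DRIFT_STEPS (constant-time compare)."""
    base = time_counter(now)
    return any(
        hmac.compare_digest(hotp(secret, base + d), submitted)
        for d in range(-DRIFT_STEPS, DRIFT_STEPS + 1)
    )


def new_challenge() -> int:
    """Server picks an unpredictable challenge to show the user (assumption: 63-bit random)."""
    return secrets.randbits(63)


def token_response(secret: bytes, challenge: int) -> str:
    """The token device keys the challenge into the same algorithm; the user types back 8 digits."""
    return hotp(secret, challenge, digits=8)


def verify_challenge_response(secret: bytes, challenge: int, submitted: str) -> bool:
    """Server side of the challenge-response dialog."""
    return hmac.compare_digest(token_response(secret, challenge), submitted)
```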
Except for a username and password combination, each of the options mentioned above is regarded as a single factor, and a combination of any two is referred to as two-factor authentication. Because a large number of today's online commercial transactions are conducted with weak authentication controls, financial institutions and regulators worldwide, including the Federal Financial Institutions Examination Council (FFIEC), are recommending that companies implement two-factor authentication for all online users. To learn more about the pros and cons of the tools described earlier, read Advantages and Disadvantages of Authentication Tools (PDF).
Before an authentication tool or control is implemented, auditors should recommend that managers use the following evaluation criteria to evaluate its effectiveness and efficiency:
- Cost. This includes the total cost of ownership (e.g., procurement, installation, implementation, training, replacement, and maintenance costs).
- Awareness and resistance. Awareness refers to the proper training of staff on the tool's proper use, while resistance refers to the system's ability to withstand malicious attacks, including spyware, keylogging, Trojan, denial-of-service, and virus attacks.
- Strategic fit. This refers to the authentication method's ease of use; its ability to address the needs of different users and support existing operating systems, platforms, and applications; its roll-out period; centralized administration capabilities; and availability of customer support.
- The effectiveness of the authentication process. This refers to the authentication system's level of confidence. For instance, have user and customer confidence levels increased after the authentication mechanism's implementation?
- Scalability. This is the solution's ability to cater to existing and future users and business needs without changing the hardware's or the network's architecture and its capacity to address e-mail security and physical access to a particular system.
- Reliability. This refers to the algorithm's and technology's strength, the authentication tool's adequacy in protecting confidential information, its ability to address regulatory requirements, and its overall safety.
- Management support. This refers to senior management's support of the authentication mechanism in use. One way management can show support is by establishing the proper tone at the top and ensuring that employees have the right technical competencies to use the authentication tool effectively.
Different User and Regulatory Considerations
When deciding which authentication mechanism to employ, auditors can recommend that organizations consider the tool's or control's reliability to authenticate users. Key factors that may affect the tool's or control's reliability include its capacity to handle many transactions with significant business value across complex networks; its ability to access sensitive information remotely; and its mechanism for authenticating users or applications to a system.
In addition, how the tool or control is deployed and the total cost of ownership (TCO) are important factors to consider when deciding which authentication mechanism to implement companywide. TCO components that should be determined include the cost of acquisition, the cost of integration and deployment, and the cost of maintaining the solution (i.e., recurring costs).
How the authentication tool or control will affect the performance of users is a key driver that should be taken into account when deciding which solution to implement. Below is a brief summary of the different considerations auditors and organizations need to keep in mind when reviewing the effectiveness of authentication tools and controls from the user's standpoint.
End-user expectations to keep in mind include the tool's:
- Ease of use and convenience (e.g., can users learn the new technology easily?).
- Integration and use with multiple environments (e.g., can users access the system from anywhere and at any time?).
- Use by different functions and for different purposes.
Security personnel and IT administrator expectations include the solution's:
- Security (i.e., the solution should not introduce additional vulnerabilities).
- Robustness (i.e., the sturdiness of the hardware device, including its water and fire resistance and its ability to withstand system crashes or other operating system malfunctions).
- Scalability (i.e., the ability of the solution to address future user and business growth).
- Integration and interoperability (i.e., the ability of the product to work with existing applications, coexist with multiple products, and integrate with back-end resources).
- Flexibility (i.e., the ability of the solution to integrate at any stage of the authentication process).
When used by customers and general company staff, the application should:
- Not cost anything to use.
- Protect users from all sorts of attacks.
- Prevent non-administrators from installing additional hardware and software on their computers.
After evaluating the authentication tool or control based on the target audiences mentioned above, auditors should evaluate whether the solution fits into the current business environment, the vendor has enough experience and offers technical support and training (i.e., if an authentication solution is purchased), and the technology is secure and reliable. Finally, apart from the cost and ease of use, the product's capability to integrate easily into the existing IT infrastructure should play a key role when deciding which solution to purchase. Any major architectural or design changes to existing applications or systems may not be viable to accommodate the authentication solution.
From a compliance and regulatory perspective, auditors should recommend that organizations consider the following standards and legislation as authentication needs are discussed.
Section 404 of the U.S. Sarbanes-Oxley Act of 2002
Section 404 implies that:
- Management needs to assess the risk level that is mitigated by key controls and determine if authentication is required. In the context of maintaining confidentiality requirements, two-factor authentication may be evaluated as a form of identity management to avoid any compromise of normal authentication methods, such as the use of a password.
- Authentication areas may need to apply to access of any sensitive or regulated financial data.
The U.S. Gramm-Leach-Bliley Act (GLBA) of 1999
GLBA specifically mentions that:
- GLBA key controls require authentication.
- The areas that need to be addressed as part of the organization's compliance efforts include authentication methods, access control methods, and the administration of access to networks, operating systems, applications, remote users, and other IT systems.
The U.S. Health Insurance Portability and Accountability (HIPAA) Act of 1996
HIPAA implies that:
- Key controls that manage access to electronic personal health information do not need to have two-factor authentication because the authentication requirements in the legislation are fairly broad.
- High-level compliance may be useful for remote access or virtual private network (VPN) use, Web applications, and authentication to security devices such as firewalls and intrusion detection systems.
The Payment Card Industry (PCI) Data Security Standard
The PCI DSS specifically mentions that:
- PCI DSS key controls require two-factor authentication.
- Authentication is required for remote access to credit card processing environments.
The International Standards Organization (ISO) 27001 Standard
ISO 27001 implies that:
- ISO 27001 key controls require two-factor authentication for high-value assets such as routers, VPNs, and firewalls.
- The standard is applicable to companywide or specific environments (e.g., two-factor authentication is required for high-value assets, such as routers, firewalls, and VPNs).
Besides the regulations mentioned above, other external requirements organizations should keep in mind include:
All of this legislation mandates the protection of personal data through the use of multi-factor authentication.
A system for authenticating users must be designed and implemented properly for the organization to achieve established business goals and security control objectives. Internal auditors need to understand how the process works so they can properly evaluate, certify, and provide recommendations that serve to enhance existing authentication activities and controls. Because no single authentication mechanism will act as a panacea that provides total security from all threats, auditors need to recommend that the organization adopts a layered approach to protect the privacy of its users and assets. Doing so will maximize the company's security controls and the authentication tool's return on investment.