Cheat sheet: Access management solutions and their pros and cons

News Analysis

Cheat sheet: Access management solutions and their pros and cons

Joel Dubin

There are a number of different access management solutions available to security and IT managers these days, and the list keeps growing. The following is a cheat sheet of the most common solutions with a brief description, and their risks and pros and cons to help you choose the system that is right for your organisation.

 

Access management solution Risks Pros and cons
User IDs and passwords If not properly managed or protected, user IDs and passwords can be easily stolen and provide easy access to your network or systems.

Risk Level: HIGH

Pros:
  • Easy to implement and commonly used for both network and system access.
  • Users are most familiar with user ID and password systems than any other authentication system.

Cons:
  • Passwords can be guessed if based on common words or names.
  • User IDs and passwords can be easily stolen with freely available hacking tools, or by Trojans and keystroke loggers.
Key fobs and one time password (OTP) tokens If the value on the OTP token is stolen after a user ID and password are stolen, as in a man-in-the-middle (MITM) attack, system access could be compromised.

Risk Level: MEDIUM

Pros:
  • Easy to use system requiring only a small token displaying a changing PIN or password.
  • Provides an extra layer of security to a user ID and password. Like a user ID and password, can be used for both network and system access.
Cons:
  • Can require significant development effort and require additional hardware to implement.
  • Proliferation of tokens for multiple systems can be a problem.
  • Susceptible to MITM attacks.
  • If the user ID and password are compromised and then the token stolen, a malicious user has full access to the system.
Smartcards The possibility of tampering with the card's chip to get user information or login credentials.

Risk Level: LOW

Pros:
  • Smartcards are portable and easy to integrate into a two-factor authentication system. They can be used for either network or system access.
  • They can safely hold and store lots of data, including encryption keys and other user authentication information.
Cons:
  • Still not widely used because of the effort and cost to install readers on user's desktops.
  • There are tools that can sift data and authentication credentials from stolen smartcards.
Biometrics In the case of fingerprint scanners, the possibility of copying the user's fingerprint. There's also the possibility of replaying the stored digital data representing the biometric reading.

Risk Level: LOW

Pros:
  • One of the strongest access management technologies - it's nearly impossible to steal someone's iris scan, face pattern or fingerprint.
  • Best used as the second factor in a two-factor system to augment a user ID/password or smartcard system.
  • Best used for physical access to a system, but use is increasing as a stand alone authentication system for network or system access.
Cons:
  • Requires significant hardware cost to implement.
  • The technology still isn't foolproof and is subject to false readings.
Digital certificates (DC) DCs stored on a user's desktop can be stolen or spoofed.

Risk Level: MEDIUM

Pros:
  • Behind the scenes system that is passive and invisible to the user.
  • Requires no action on the user's part.
Cons:
  • The distribution and implementation of DCs can be costly and require the set up of an internal PKI system.
VPNs Though secure, the connection can also be an encrypted tunnel for malware if the PC connecting to the corporate network isn't secure.

Risk Level: LOW

Pros:
  • Provides a highly secure and encrypted private tunnel for connecting to the corporate network through the internet.
  • Proven technology with a choice of suppliers offering reliable implementations.
Cons:
  • Can just as easily be a secure connection for malware from an infected PC connecting from outside the network.
  • If not configured properly for laptop users, a stolen laptop can be used for network access.
SSL Credentials can sometimes be stolen in a MITM attack using a proxy server.

Risk Level: LOW

Pros:
  • Proven technology with strong 128-bit encryption for transactions from websites.
Cons:
  • On rare occasions, SSL has had vulnerabilities that hackers can take advantage of.
  • Only encrypts the transmission itself and not the data flowing through the SSL tunnel, allowing malware, as well, to be sent "securely" to the web application server.
Two-factor authentication The rare possibility that both of the two authentication methods are cracked simultaneously.

Risk Level: LOW

Pros:
  • Provides an extra layer of protection by requiring two types of authentication. For example, user ID and password, and OTP token. If one is breached, the other is still intact and provides protection.
Cons:
  • Requires additional software or hardware to set up two different authentication systems working in tandem.
Single sign on (SSO) If the user ID and password to the SSO system are stolen, multiple systems accessed by the SSO system could be compromised.

Risk Level: MEDIUM

Pros:
  • Easy-to-use system that requires only one password to access multiple systems, replacing separate passwords for each system.
Cons:
  • If compromised, the attacker has the keys to the entire castle.
  • Requires costly software and hardware installations and upgrades.
  • Since it basically uses a single user ID and password, it has the same potential to be hacked as a user ID and password.

About the author
Joel Dubin is an independent computer security consultant based in Chicago. He is an expert on web and application security and the author of The Little Black Book of Computer Security available on Amazon.

This tip originally appeared on SearchSecurity.com

Email Alerts

Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox.
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
 

COMMENTS powered by Disqus  //  Commenting policy