Easy Multi-Factor Authentication Strategies and PCI DSS 3.2

HELLO! I am Anirban Banerjee. I am the Founder and CEO of Onion ID.
https://calendly.com/anirban/enterprise-demo/

Agenda
▸ Two/Multi-Factor Authentication
▸ PCI DSS 3.2
▸ Strategies
What is Two-Factor Authentication?
▸ Adds a second level of verification to the password-based approach.
▸ Example: a text message to your phone, a value from an RSA token.
▸ If a hacker gets your username and password they still won't be able to get into your account.
Why do we need this?
Usernames & passwords can be stolen!
• Phishing attacks
• Same credentials across apps
• Key-loggers
• Educated guesses, social engineering

2FA prevents attackers from accessing your account even if they obtain your username and password.

Mandated in Version 3.2 of the PCI Data Security Standard

Who Uses Two-Factor?
Multi-Factor Authentication

Adding More Factors
• Increase the strength of authentication by adding factors.
• Five categories of authentication methods:
  • who you are,
  • what you know,
  • what you have,
  • what you typically do,
  • the context.
• Adding factors from different categories can increase strength only if the overall set of vulnerabilities is reduced.
What can we add?

Who You Are (Biometric)
• Physical biometric
  ▸ immutable and unique
  • Facial recognition
  • Iris scan
  • Retinal scan
  • Fingerprint / palm scan
  • Voice
  • Liveliness biometric factors include: pulse, CAPTCHA, etc.
• Behavioral/biometric
  • based on a person's physical / behavioural activity patterns
  • Keyboard signature
  • Voice

What you know
• User name and password (UN/PW)
• A passphrase
• A PIN
• An answer to a secret question

What you have
• One-time password (OTP)
• Smart card
• X.509 and PKI
• Rarely used alone
• Used in combination with UN/PW and a PIN

What you do
• Browsing patterns
• Time of access
• Type of device
• Used in combination with other methods

Context
• Location; time of access
• Subscriber identity module (SIM)
• Frequency of access
• Used with other methods
▸ Combining two or more authentication methods can potentially increase authentication strength.
▸ However!
  • Be careful not to introduce vulnerabilities
  • More factors → more complex / costly to implement & use.

The More the Merrier?
▸ Simply adding factors does not guarantee more protection
Source: Gartner
Finding the Best Factor Combo
Use needs and constraints to determine:
• Authentication strength
  • indicated by the level of risk
• Total cost of ownership
  • constrained by budget
• Ease of use
  • universally desirable, but it is less critical the greater the consistency
• Other constraints
  • consistency and control of the endpoint is a particular constraint
Source: Gartner
PCI DSS 3.2 Highlights
▸ Feb 1 2018
▸ Multi-factor authentication for everyone
▸ Need to protect both console and non-console based access
▸ New requirements 10.8 and 10.8.1 outline that service providers need to detect and report on failures of critical security control systems
▸ New requirement 11.3.4.1 indicates that service providers need to perform penetration testing on segmentation controls every six months
Challenges
▸ Server does not support 2FA by default
▸ App does not support SAML/OAuth
▸ App has no native support for 2FA
▸ Regular auditing of access
▸ Data privacy issues, data segregation
Strategies
▸ Enable MFA via browser extensions or web filters
▸ Use UX-friendly MFA: geo-fencing, proximity, fingerprint
▸ Set up auditing systems by parsing SIEM info
▸ Set up a monthly PCI meeting to go over process and results
▸ Commercial tools – Onion ID to do privilege management
Conclusions
▸ Password-based authentication is not enough anymore.
▸ Multi-factor authentication is here to stay!
▸ Many different options, each with its own costs and vulnerabilities.
▸ Be smart: adding more factors will definitely increase cost and complexity, but might not (sufficiently) increase security.
▸ Consider the trade-offs, customize. Pick the combination that works for you.
THANK YOU! Any questions?
You can find more about us at:
Onion ID – The Next Generation of Privilege Management
www.onionid.com
[email protected]
+1-888-315-4745
https://calendly.com/anirban/enterprise-demo/