Securing the Breach, Part 6 – Control Access and Authentication of Users

Last updated: 16 May 2016

Banner - Secure the Breach

As you have read so far in this series, the evolution of online threats has led to a new approach to data security.  This new strategy requires organizations to accept the ‘Secure the Breach’ message—that a data breach is not a matter of ‘if’, but ‘when.’  By assuming a breach will occur, organizations are encouraged to place safeguards around the data and keys and who has access to them.  To round out this series, we will conclude with step 3 of this approach and discuss the best way to control access and authentication of users.

Data access points, such as network or application login pages, should be protected by two-factor authentication, while the data itself should be encrypted (both at rest and in motion) to ensure it remains confidential—even in the event that a hacker gains access to it.

While this may seem straightforward, the identity and access management landscape has been warped in recent years by sweeping changes in the IT environment. No longer confined to the boundaries of on-premises IT, data now resides in the data center, as well as in public and private clouds. So how can organizations control access to data throughout the new IT ecosystem? And how can they ensure that a leaked or hacked password doesn’t lead to a full-blown breach?

The first part of access control is ensuring that resources are only accessible by those users who require them to do their job. Applications used by the CFO may not be required by SysAdmins, for example. To simplify matters, group-based policies can be easily created, where applicable, to leverage existing user repositories, such as Active Directory or MySQL.

After an access policy is instituted, the next step is to elevate trust—ensuring that users are who they claim to be. This is accomplished by adding strong authentication, which adds a ‘something you have’ factor to the ‘something you know factor.’ Single-factor authentication, which relies on static passwords, does not protect against guessing, phishing, database hacking and traffic sniffing. Two-factor-authentication, however, offers dramatically improved security, and can be achieved using multiple technologies:

  • One-time password (OTP) authentication
  • Out-of-band authentication
  • Certificate-based authentication (based on x.509 PKI certificates)

Other technologies, while not comprising ‘true’ two-factor authentication, also improve security dramatically. These include:

  • Pattern-based authentication (see GrIDsure)
  • Context-based authentication

The tricky part here is that strong authentication must be extended to ALL data belonging to an organization, not just the data residing within the enterprise perimeter. Such data may reside in:

  • Cloud applications like, Office 365, and DropBox
  • VDI applications such as VMware, Citrix XenApp, and AWS EC2
  • VPNs
  • Web portals, such as OWA

A good access control strategy requires strong authentication to all these resources, in addition to the local network. To eliminate the hassle of using a different password for each resource, technologies such as Identity Federation can be deployed.

To learn more about how an advanced two-factor authentication solution can help you control access to your data—wherever it may reside—see our Business Drivers for Next Generation Authentication ebook.

Throughout this series, we have uncovered a multitude of reasons why organizations can no longer solely rely on a strategy of prevention through network perimeter security, as provided by IPSs, WAFs, and firewalls. Rather, they need to adopt a strategy of breach management, which requires them to ask:

  • “Where is my data?”
  • “Where are my keys?”
  • “Who has access to my data?”

By addressing each area and incorporating these three steps into your data protection strategy, you can be sure your most sensitive data is safe in the event a breach does occur. To learn more, visit

Miss parts 1-5 of this series? Catch up on what you need to know about preparing for a data breach:

Leave a Reply

Your email address will not be published. Required fields are marked *