Last updated: 19 March 2014
To borrow another sentiment from the Wizard of Oz, we’re not in Kansas anymore. It seems the last six months have been filled with news of significant compromises of what were traditionally thought to be secure data exchanges and data stores. Even security companies have suffered from advanced, persistent and evolving attacks resulting in compromise, which highlights a need to evaluate the type of security controls in place and the sensitivity of the data these controls are protecting. Combined with regulatory pressures, increased cyber-terrorism and waning consumer confidence, these threats mean layered security is no longer a nice to have – it is a must.
Gartner’s Avivah Litan was recently quoted in Fahmida Rashid’s eWeek story on the lessons of a significant breach, saying:
“A layered security approach is always best.” While OTP systems “raise the bar for the criminals,” they were already vulnerable to compromise. “Maybe this incident will wake up companies to the need for more controls than just OTP authentication.”
I couldn’t agree more. A layered security approach begins with evaluating the sensitivity of the information that needs to be protected. Username and password are no longer acceptable as “good enough” security. While OTP, from an authentication standpoint, is a significant step up compared to a static username and password, certificate-based authentication raises the bar even further. Certificate-based authentication should be employed when protecting sensitive information, and it enables a wide range of security services in the process (document or transaction signing, email encryption, etc.). See my blog from last week on this topic here.
Our recommendation is: ditch your ruby slippers and focus on layered security with stronger authentication technology for your high-risk populations.