By Joe Schembri
I recently wrote about what should be included on a remote access security checklist. A reader, very aptly, asked why identification and authentication were not on the list. I’d like to take a moment to address this – and retroactively amend my prior list to include identification and authentication. Here’s a basic overview of what identification and authentication entail.
As we know, companies today are increasingly turning to remote workforces or allowing telecommute options for existing staff. As the number of offsite staff increases, companies must provide remote access in order to optimize workflow and efficiency. Of course, along with the benefits of remote access come additional security risks that companies must take appropriate measures to guard against. This is where identification and authentication become crucial to managing access and keeping the corporate network protected.
In order to be authorized to access a specific system or set of data, users typically must supply some sort of identification to prove that they are who they say they are. Identification can be any type of machine-readable name, such as a user ID or an email address.
Once a user supplies their identification, a remote access system must then authenticate the identification in order to determine whether or not the user is authorized. Authentication is simply a process that verifies the identity of a user and the validity of their identification credentials.
There are three types of authentication:
- What users know – includes passwords, PINs, and answers to security questions.
- What users have – includes ID cards, keys, and badges.
- What users are – includes retinal scans, fingerprints, and other biometrics.
User ID and password combinations are the most frequently used type of identification and authentication for remote access. Once the system authenticates users, it then determines their specific level of authorization and the content they are allowed to access. Ideally, the level of authentication should increase along with the sensitivity of the data being accessed.
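The sketch below is an added example, not code from the original post. It shows the sequence described above (identification, then authentication, then authorization) with the required number of distinct authentication types rising with data sensitivity. The tier names, the per-tier requirements, the user IDs and the `decide` function are assumptions made for illustration, and the credentials passed in are assumed to have already been verified by the system.

```python
from enum import Enum

class FactorType(Enum):
    KNOW = "what users know"
    HAVE = "what users have"
    ARE = "what users are"

# Credential kinds from the list above, mapped to their authentication type.
CREDENTIAL_TYPE = {
    "password": FactorType.KNOW, "pin": FactorType.KNOW,
    "security_question": FactorType.KNOW,
    "id_card": FactorType.HAVE, "key": FactorType.HAVE, "badge": FactorType.HAVE,
    "retinal_scan": FactorType.ARE, "fingerprint": FactorType.ARE,
}

# Assumed policy: distinct authentication types required per sensitivity tier.
REQUIRED_TYPES = {"public": 1, "internal": 1, "confidential": 2, "restricted": 3}

# Constructed authorization table: user ID -> tiers that user may access.
AUTHORIZED_TIERS = {
    "jdoe": {"public", "internal", "confidential"},
    "secadmin": {"public", "internal", "confidential", "restricted"},
}

def distinct_types(verified_credentials):
    """Return the set of authentication types covered; unknown kinds are ignored."""
    return {CREDENTIAL_TYPE[c] for c in verified_credentials if c in CREDENTIAL_TYPE}

def decide(user_id, verified_credentials, tier):
    """Identification, then authentication strength, then authorization."""
    if user_id not in AUTHORIZED_TIERS:
        return "deny: unknown identification"
    need = REQUIRED_TYPES.get(tier)
    if need is None:
        return "deny: unknown sensitivity tier"
    have = len(distinct_types(verified_credentials))
    if have < need:
        return f"step-up: {need - have} more authentication type(s) required"
    if tier not in AUTHORIZED_TIERS[user_id]:
        return "deny: not authorized for this data"
    return "allow"

if __name__ == "__main__":
    # A password, a PIN and a security answer are all "what users know".
    print(decide("jdoe", ["password", "pin", "security_question"], "confidential"))
    print(decide("jdoe", ["password", "badge"], "confidential"))
```

Three credentials of the same type still count as one authentication type, which is why the first call asks for a step-up while the second is allowed.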
Now that we have the very high-level basics out of the way, I’ll dive deeper into how to strengthen identification and authentication methods in part two.