Delfigo Security - Strong Authentication

Identity and Authentication Blog

Risk Management Challenges In Information Security

Gunnar Peterson of the Arctec Group on the difficulty of valuating assets in the digital world:

"Risk management requires that you know your assets ... Unfortunately, in the digital world these turn out to be devilishly hard to identify and value."

"In a world that quite literally presents us with too much information, we need screens to sift out what is worth paying attention to. You can run your vulnerability assessment tool of choice on your system, and come back with hundreds or thousands of vulnerabilities, but which ones should you pay attention to and act on?"

A simple maxim - know your assets. However difficult, it is the starting point for aligning your information security budget with your business. 


Network World: Risk-based Authorization Scoring for Authentication

Network World features the Delfigo solution in "Start-up measures users' trustworthiness for authentication into sites." Key quote:

"Boiled down, Delfigo does context- or risk-based authorization scoring. In other words, the product, DSGateway, calculates, in real time, a risk value - called the "confidence factor" - which reflects the trustworthiness of your authentication in much the same way your credit score reflects your credit worthiness.

Here's how it works, as Klein explained it to me:

a. User signs on with user ID and password.

b. User keyboard biometrics and geospatial data determine "are you who you say you are?"

c. System analyzes current information against user historical profile and assigns a confidence factor (CF).

d. If CF is weak, access is restricted and the user may elect to increase confidence using in-band and out-of-band methods.

e. If confidence factor is sufficient, user is granted access.

The service can continue to monitor the user's activity during the session and if it deviates too far (settable by the administrator) from the user's historical profile a flag can be raised and the user is asked to further authenticate using both in-band and out-of-band methods. Examples of in-band methods could be passwords, tokens, secret questions, keyboard dynamics, while examples of out-of-band methods could be SMS messages.

We've all experienced, I'm sure, services which ask us to periodically re-authenticate, but if the username and password are compromised it really doesn't matter how often the attacker needs to enter them, does it? How much better to use different methods, such as the in-band and out-of-band methods, all the while building up a better level of confidence that the user is who they say they are."
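The sign-on flow the article describes (password first, then keystroke rhythm and location compared against the user's history, a confidence factor, and an allow / step-up / deny decision with continued monitoring during the session) can be sketched in code. The block below is an added illustration and is not Delfigo's DSGateway code: the signals, weights, thresholds, and the "Alice" profile are all assumptions made here.

```python
"""Toy risk-based sign-on check that computes a confidence factor (CF).

Added example, not DSGateway: the signals, weights, thresholds and sample
profiles are assumptions chosen to illustrate the flow in the quoted article:
verify the password, compare the current sign-on with the user's historical
profile, compute a CF, then allow, step up or deny; and keep watching the
keystroke rhythm during the session.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt


@dataclass
class Profile:
    """Historical profile for one user (constructed sample data)."""
    key_interval_mean: float   # mean inter-key interval in milliseconds
    key_interval_std: float    # its standard deviation
    home_lat: float            # usual sign-on location
    home_lon: float
    usual_hours: range         # local hours in which this user normally signs on


@dataclass
class Attempt:
    """Signals captured at sign-on, after the password itself has verified."""
    key_intervals_ms: list
    lat: float
    lon: float
    hour: int


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two (lat, lon) points given in degrees."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def keystroke_z(profile, intervals):
    """How many standard deviations the observed typing rhythm is from the profile."""
    mean = sum(intervals) / len(intervals)
    return abs(mean - profile.key_interval_mean) / profile.key_interval_std


def confidence_factor(profile, attempt):
    """Score in [0, 1]; 1.0 means the sign-on looks exactly like the user's history.

    Each signal can only subtract from a perfect score; the weights are assumed.
    """
    cf = 1.0
    # keyboard dynamics: penalty grows with the z-score, capped at 0.5
    cf -= min(0.5, 0.15 * keystroke_z(profile, attempt.key_intervals_ms))
    # geospatial: distance from the usual sign-on location
    km = haversine_km(profile.home_lat, profile.home_lon, attempt.lat, attempt.lon)
    if km > 1000:
        cf -= 0.3
    elif km > 100:
        cf -= 0.15
    # time of day outside the user's normal window
    if attempt.hour not in profile.usual_hours:
        cf -= 0.1
    return max(0.0, cf)


def decide(cf, allow_at=0.7, step_up_at=0.4):
    """Map a CF to an access decision; the thresholds are admin-settable (values assumed)."""
    if cf >= allow_at:
        return "allow"
    if cf >= step_up_at:
        return "step-up"   # restricted access; user may add in-band or out-of-band factors
    return "deny"


def session_drift(profile, intervals, max_z=2.0):
    """Mid-session check: True when the typing rhythm drifts past the admin-set tolerance."""
    return keystroke_z(profile, intervals) > max_z


# Constructed sample: Alice usually signs on from Boston in office hours, ~120 ms between keys.
ALICE = Profile(120.0, 20.0, 42.3601, -71.0589, range(8, 19))

NORMAL = Attempt([118, 125, 115, 122, 120], 42.3601, -71.0589, 10)       # at her desk
TRAVELLING = Attempt([130, 140, 135, 132, 138], 38.9072, -77.0369, 22)   # DC hotel, late evening
ATTACKER = Attempt([80, 75, 85, 78, 82], 50.4501, 30.5234, 3)            # fast typist, far away

if __name__ == "__main__":
    for label, attempt in (("normal", NORMAL), ("travelling", TRAVELLING), ("attacker", ATTACKER)):
        cf = confidence_factor(ALICE, attempt)
        print(f"{label:11s} CF={cf:.2f} -> {decide(cf)}")
    # later in the session the rhythm changes sharply: raise a flag and ask for more factors
    print("drift flag:", session_drift(ALICE, [60, 65, 70, 62, 68]))
```

The travelling case is the one that matters: the password was correct and the rhythm is only slightly off, so the user is not locked out, but gets restricted access until an out-of-band factor (an SMS code, say) lifts the CF. A real deployment would replace the hand-picked weights with per-user baselines learned over many sessions, and would treat the geolocation and keystroke data as sensitive personal data in its own right.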


Securing Data From Former Employees

Remember the layoffs of 2001? Those fortunate enough to keep their jobs were met with a significant increase in their workload. Not to make light of the current economy and continued reductions in force, but according to David Griffeth in IAM Insights, here we go again. "The challenge for identity and access management professionals will be securing data from former employees who know the system from the inside out." Not only will IAM professionals have to pick up the slack resulting from reductions in staff, they will also need to be aware that over 50% of security breaches come from insiders (or, in this case, former insiders). The control that addresses this is prompt deprovisioning: disable the account, rotate any shared credentials, and cut remote access on the day of separation, then reconcile the directory against the HR roster regularly so that nothing is missed.



The Case for Strong Authentication

The Aberdeen Group recently published a study that found that most organizations still rely primarily on passwords to protect their assets. The study also found within its sample that 64 percent of organizations do not even require users to change their passwords, 45 percent allow standard dictionary terms, like "password," and 29 percent of organizations have no requirements for password length.

Resource: SANS Institute (characteristics of a weak v. strong password)
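The three gaps the Aberdeen study counts (no length requirement, dictionary words allowed, no password change) map directly onto policy settings. The block below is an added example, not from the page, Aberdeen or SANS: it puts the surveyed weak defaults beside a strengthened policy and checks candidate passwords against both. The policy fields, the tiny word list and the sample passwords are constructed for illustration; a real check would consult a large dictionary or breached-password list.

```python
"""Password-policy check: the surveyed weak settings beside a strengthened policy.

Added example, not from the page, Aberdeen or SANS. The policy fields, the
tiny word list and the sample passwords are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed stand-in for a real dictionary or breached-password list.
DICTIONARY = {"password", "welcome", "letmein", "summer", "monkey", "qwerty", "admin"}

# Substitutions attackers undo first; reversing them catches "P@ssw0rd".
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s", "!": "i", "|": "l"})
PADDING = "0123456789!@#$%^&*()_-+=.,?/;:"   # digits/symbols people append to a word


@dataclass
class PasswordPolicy:
    min_length: int = 0                  # 29% of organisations surveyed had no length rule
    reject_dictionary: bool = False      # 45% allowed plain dictionary words
    max_age_days: Optional[int] = None   # 64% never required a change
    min_classes: int = 1                 # of lower, upper, digit, symbol


WEAK = PasswordPolicy()                                   # the surveyed defaults
STRONG = PasswordPolicy(min_length=12, reject_dictionary=True, max_age_days=90, min_classes=3)


def candidates(password):
    """Forms of the password an attacker's wordlist run would try: as typed,
    without trailing digits/symbols, and with leet substitutions undone."""
    p = password.lower()
    stripped = p.rstrip(PADDING)
    return {p, stripped, p.translate(LEET), stripped.translate(LEET)}


def character_classes(password):
    """Count how many of lower/upper/digit/symbol appear at least once."""
    classes = sum(1 for test in (str.islower, str.isupper, str.isdigit)
                  if any(test(c) for c in password))
    return classes + (1 if any(not c.isalnum() for c in password) else 0)


def check(password, policy, last_changed=None, today=None):
    """Return the list of violations; an empty list means the password passes."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.reject_dictionary and candidates(password) & DICTIONARY:
        problems.append("dictionary word (possibly with digit/symbol substitutions)")
    if character_classes(password) < policy.min_classes:
        problems.append(f"fewer than {policy.min_classes} character classes")
    if policy.max_age_days is not None and last_changed is not None:
        age = (today or date.today()) - last_changed
        if age > timedelta(days=policy.max_age_days):
            problems.append(f"not changed for {age.days} days (limit {policy.max_age_days})")
    return problems


# Constructed dates for the age check, fixed so the sample is reproducible.
CHANGED = date(2008, 1, 1)
TODAY = date(2009, 3, 10)

if __name__ == "__main__":
    for pw in ("password", "P@ssw0rd2009", "Correct-Horse-Battery-Staple"):
        print(f"{pw!r}: weak={check(pw, WEAK)} strong={check(pw, STRONG)}")
    print(check("Correct-Horse-Battery-Staple", STRONG, last_changed=CHANGED, today=TODAY))
```

Two details are deliberate. The dictionary test matches the whole normalised password rather than substrings, so a long passphrase made of ordinary words passes while "P@ssw0rd2009" does not. And the age rule is included only because the study measures it; later guidance (NIST SP 800-63B) advises against forced periodic rotation in favour of length, a breached-password check, and a change when compromise is suspected.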

