Delfigo Security - Strong Authentication

Matt Conroy does a great job of providing a clear description of multi factor security in his latest post Multi Factor Security Review. Matt clearly describes the key elements of multi factor - something you know (login credentials) something you have (token or smart card) and something you are (any form of biometric data). He is also spot on in pointing out the key challenge that prevents the majority of companies from  implementing biometric solutions - total cost of ownership.  Systems that utilize finger prints, retinal scans, and facial recognition are well beyond the typical security budget, and can be very challenging to deploy.

Where Matt's article falls short is by not mentioning keystroke dynamics as a biometric that is gaining acceptance in the market. The primary advantage of keystroke dynamics as a biometric option is that it directly addresses the two main challenges of cost and deployment logistics.  At Delfigo we have developed a zero footprint security platform that uses keystroke dynamics to deliver a multi factor authentication solution at very low cost. In addition, its novel architecture is web services based making it easier to deploy, integrates with existing security and network infrastructure, and does not require the installation of any hardware devices.

Bottom line, there is no reason why companies should defer or delay considering implementing a true multi factor security solution today.

Bharat Nair is Vice President of Business Development at Delfigo Security, www.delfigosecurity.com, Boston, MA. He can be reached at This e-mail address is being protected from spambots. You need JavaScript enabled to view it or by phone at 1.617.248.6501 

---

Gartner's four predictions for Identity and Access Management 

1. Hosted IAM and IAM as a service will account for twenty per cent of IAM revenue by 2011
   
2. Twenty per cent of smart-card authentication projects will be abandoned and thirty per cent scaled back in favour of lower-cost, lower-assurance authentication methods.
   
   (Key comment: "Gartner recommends that organizations with a free choice of authentication methods for local access should take a scenario-based approach to selecting new authentication methods, based on risk, end-user needs and total cost of ownership (TCO). ")
   
3. Thirty per cent of large corporate networks will become ‘identity aware' by controlling access to some resources via user-based policies by 2011
   
4. Approximately fifteen per cent of global organizations storing or processing sensitive customer data will use out-of-band OOB authentication for high-risk transactions by 2010.
   
   (Key quote: "Organizations that need to safeguard customer accounts should implement a three-pronged security strategy that includes risk-appropriate user authentication, fraud detection, and transaction verification for high-risk transactions."  - Ant Allan, VP, Research at Gartner)
   

---

Andrew Bartels, Vice President and Principal Analyst at Forrester Research recently made a presentation on the 2009/2010 IT spending outlook. He coined the term "Smart Computing" as the new name for the next generation of technology. He defined Smart Computing as one that is:  

1. Flexible, adaptable, responsive
2. Awareness (location, status, condition) and analytics for IT intelligence
3. Focuses on new business problems

Andrew's list of smart computing included, Smart Phones, Smart Utility Grids, Smart Roads, Smart Water Systems, to name a few. But what was missing in my opinion and I am taking the liberty to coin first, is a new term to include in Andy's list - "Smart Security". Smart applications that will fuel the next generation of technology must incorporate "Smart Security". I define Smart Security as a technology that co-relates device(s), user, and data to create a contextual framework for rendering smart solutions.

The key difference is to not just rely on user ID and password to define a "user". Smart security will leverage cognitive capabilities of a user (such as keystroke biometrics, reflective thinking, and behavioral aspects) and enable applications to dynamically authorize users and render content in a risk-assesed manner. Smart Security will ensure "Smart Applications" do not open itself to "smart crooks" in the cyberspace.

Bharat Nair is Vice President of Business Development at Delfigo Security, www.delfigosecurity.com, Boston, MA. He can be reached at This e-mail address is being protected from spambots. You need JavaScript enabled to view it or by phone at 1.617.248.6501

---

What is meant by authentication factors in identity management? Authentication factors are the characteristics or elements that are considered in determining whether the individual seeking access to information assets is authentic. It is a means of proving they are who they say they are, and not a fraudulent actor attempting to gain access to someone else's account.

Typical authentication factors fall under the following categories:

1. Personal - something you know (password, phrase or pin number)
2. Human - something you are (fingerprint, retinal scan or other biometric identifier)
3. Technical - something you have (id card or security token)

---

Multi-factor strong authentication simply makes good business sense

I recently attended The Wharton Entrepreneurs Conference (WEC25) in Philadelphia, PA. I took time to visit several companies that were part of the exposition.

The concepts and ideas were interesting and wide ranging. The atmosphere in the exhibition hall was one of optimism, hope, and grand visions. There were companies that had advanced algorithms to shake you out of bed just at the right time, shopping mall for kids, collecting money for good grades, finding and communicating with business associates more efficiently, electronic class room for teachers, and finding authentic sneakers for sale, among others. I felt odd and somewhat out of place (and it had nothing to do with my age!) but the fact that several of the companies I spoke to had not yet fully thought through a revenue model (some were even brash about not having the need to make money).  Several of the ideas I listened to were member based services hoping to attract flocks of users and then collect on ad revenues or a percent value of the transaction.

If there is one advice I would like to offer these startups it is they do more for identity protection and fraud prevention. The notion that I have to provide personal information when I sign up for anything these days is an inconvenience, but clearly more of a risk of identity theft. This advice is especially important to those startups that are specifically targeting members below the 18-year age group. Let me be very clear. I am not implying these companies hadn't thought of security (they all had user ID and password). Today, that is inadequate. It is important that these early stage companies bake in strong authentication solutions from the beginning. It is a lot easier to do it now rather than wait until something really bad happens and you have to rethink the entire notion of secure access to your platform. After all, as responsible citizens and entrepreneurs we owe it to our future generation, to protect them and keep them from harm's way. Have you seen this CNN clip about a recent Facebook identity theft?

Strong authentication is not about strong passwords (look for an interesting experiment I did on this topic using my Facebook account in an upcoming post) Strong authentication solutions should leapfrog, in my opinion, the old paradigm of "what you know" or "what you have" and leverage new technologies and computing capabilities to authenticate and authorize users using a new paradigm of "who you are" and "what you do". The benefits of this approach is not just in being able to sleep well at night knowing you have done the right thing. By integrating these concepts into the platform, companies can build solutions that are risk-based and manage media and content rendering based on user preference and behaviors.

We at Delfigo Security have been thinking about this for several years and have developed an interesting and proven artificial intelligence based capability that does just that. We welcome the opportunity to have discussions with entrepreneurs and seasoned executives alike on how you can leverage these concepts and our research to improve your product and provide peace of mind to your members and their parents.

Bharat Nair is Vice President of Business Development at Delfigo Security, http://www.delfigosecurity.com/, Boston, MA. He can be reached at This e-mail address is being protected from spambots. You need JavaScript enabled to view it or by phone at 1.617.248.6501

---

Relentless technology advancement, the push for Electronic Medical Records (EMR) and integrating diagnostic device data, treatments, and patient history and response are priorities for healthcare facilities today. The challenge is not limited to systems and technologies within a facility, but across facilities because physicians and specialists often practice or share patients across facilities depending on the treatment course. With medical transcription increasingly getting outsourced, much information is managed and compiled externally but access is required when the patient visits.

While the intent of this advancement in technology is to provide ready access to information at the time of service delivery, healthcare practitioners (physicians, nurses, dieticians, specialists) must access multiple systems to get the information they need. Doctors find their productivity reduced by the time it takes them to log in and out. HIPAA compliance mandates patient information be available on a "need" basis to protect the privacy of the patients. Yet, it is not uncommon to find user IDs and passwords posted on or near the computer.  With patient care -- not data security -- the primary objective, it is not uncommon for practitioners to stay logged on to a system for extended periods, even when they step away and give others access. The challenge, therefore, is to leverage technology to increase the quality of healthcare while improving the productivity of the practitioners, without compromising the privacy of the patient.

Remembering more passwords or using single-sign-on (SSO) technology may not be the answer for healthcare. Second factor authentication increases security without impacting productivity.  Second factor authentication using external devices such as tokens, or proximity cards requires significant upfront investment for acquisition, integration, and training. Moreover, external devices tend to get lost or "borrowed", compromising the security of systems and the patient.

Consider, instead, using the behavioral characteristics of practitioners as a second factor. Individuals are products of many variables in unique combination that define specific cognitive capabilities.  Given how a person responds to the environment - from typing on a keyboard, to thinking, and behavior given certain external stimuli, it is possible to capture behavioral characteristics, match them with environmental and system variables to assemble a unique digital imprint of a user.

This goes beyond identifying an individual based on what a person knows (User ID and Password) and what a person has (cell phone, token ID). Systems can identify an individual based on "who they are" and "what they do".

Albert Einstein said, "The significant problems that we face cannot be solved at the same level of thinking we were at when we created them". Leveraging the capabilities available requires a paradigm shift in thinking.  Security does not have to be physically bolted on to an individual. It can be the individual, using keystroke dynamics, reflective thinking, environmental, and system variables. The system must provide identity verification for the user in real time. The solution must monitor multiple factors and assess risk based on business policies and guidelines to provide a true multi-factor risk-based authentication solution that protects the system from fraudulent attack and increases the user productivity.

Delfigo Security offers a zero footprint security solution platform that helps companies provide strong authentication to protect against identity and data theft.

Bharat Nair is Vice President of Business Development at Delfigo Security, http://www.delfigosecurity.com/, Boston, MA. He can be reached at This e-mail address is being protected from spambots. You need JavaScript enabled to view it or by phone at 1.617.248.6501

---

Matt Flynn reviewed a recent moderated discussion on ESM (Enterprise Security Management) and SEM (Security Event Management).  His conclusion - "The consensus seemed to be that vendors do a good job of gathering and storing logs to meet compliance requirements that mandate storage of those logs. What customers really need and want from these vendors, however, is actionable intelligence."

From the actual session he quotes Armit Williams, CTO of BigiFix, who offers a  definition of the goal of information security:

"to limit the possibility of an incident from occurring... and when it does occur, to limit its impact (by identifying it quickly and responding)......what the ultimate goal of an intelligence system would be is that it's able to detect what are seemingly innocuous events and provide some actionable level of intelligence that shows that that's actually an incident occurring and you can respond to it and limit its impact on the environment - that's what they'd like to be, but they're not that."

Sounds like real time, multi-factor, risk based authentication to me. 

---

Larry Dignan finds no argument with Google's Cem Paya, who  made the "passwords are useless, outdated and a security risk" comment at Wharton's Information Security Best Practices conference.

So why are passwords still a primary form of security? According to Dignan, Paya offered the following reasons:

• There's no business model for issuing IDs to consumers.
  
• Limiting user choice may annoy people. 
  
• Service providers can't rely on third parties to manage identities-if that third party screws up it's your problem.
  
• Strong authentication has to be mandatory, but mandating an emerging technology risks losing customers.
  
• An opt-in policy can do harm to customer satisfaction problems. What happens when you need a driver for your USB token?   

Interesting.

---