Abstract image of a woman sitting on books and studying on a laptop

WP Best Practices For Multi-Factor Authentication

M
My-Ly Nguyen

The document presents best practices for implementing multi-factor authentication (MFA) to enhance security in accessing enterprise systems. It emphasizes the weaknesses of password-only authentication and outlines five key recommendations, including user experience considerations and leveraging cloud economics, to ensure effective and affordable MFA adoption. Additionally, it highlights the importance of verifying user identities and compliance with industry-specific security guidelines to mitigate risks.

Technology
1 of 8
Download to read offline
1
2
3
4
5
6
7
8
White Paper BESTPRACTICES FOR MULTI-FACTOR AUTHENTICATION HOWTO STRENGTHEN SECURITY, MINIMIZE COSTS AND SIMPLIFYTHE USER EXPERIENCE
Introduction Securemobileaccesstoenterprisesystemsandinformationcreatesacompetitiveadvantage. Productivityriseswhenemployeescanworkfromanywhere,onanydevice.Employeesand partnersaremoreresponsivewhentheycanaccessyoursystemsfromoutsidethebuilding insteadofwaitinguntiltheycangettoyouroffices.Jobsatisfactiontendstoimprovewhen employersintroducebring-your-own-device(BYOD)polices. Today’sdisappearingnetworkboundariesmagnifytheimportanceofuserauthentication, especiallyinregulatedindustriessuchasfinancialservices,healthcare,pharmaceuticals,andlife sciences.Weakauthenticationpracticescanleadtolossofintellectualproperty,branddamage, publicrelationsdebacles,revenuelossfromsystemoutages,andfinesforcomplianceviolations. The Problem with P@55word5 Theusername/passwordcombinationalonefailstoprotectenterpriseassets.Ina2016study ofmorethan64,000securityincidents,weakorstolenpasswordstoppedthelistofcauses.1 Frequentnewsheadlinesaboutdatabreachesunderscorethefactthatpasswordsareeasy toguess,easytocrack,andeasytoextractfromemployeesviaphishingschemes. Thesoberingtruthisthatyou’revulnerableevenifyouimplementthestrongestdatabase protectionsandenforcerequirementsforcomplexpasswords.Why?Despiterecommendations tothecontrary,manyemployeesusethesamepasswordformultiplesites.Therefore,abreach toanotherorganization’spassworddatabasecanexposepasswordsthatyouremployees usetoaccessyoursystems.Cybercriminalsexploitedthisfacttostealcustomercreditcard informationfromamajorU.S.retaileraftersnaggingaccesscredentialsfromoneofthe retailer’scontractors.2 Similarly,hackerswereabletotemporarilytakeovertwosocialmedia accountsofFacebookfounderMarkZuckerbergafterbreachingathirdsocialmediasite’s passworddatabase.3 Eighty-two percent of all web attacks target user credentials. Many succeed: 63% of confirmed data breaches involve weak, default, or stolen passwords. Financial gain or espionage motivated 89% of breaches. VerizonDataBreachInvestigations Report(DBIR),2016 1 Verizon,2016DataBreachInvestigationsReport 2 http://www.computerworld.com/article/2487425/cybercrime-hacking/target-breach-happened- because-of-a-basic-network-segmentation-error.html 3 http://www.nytimes.com/2016/06/07/technology/if-mark-zuckerberg-can-be-a-hacking-victim- so-can-you.html 1 synchronoss.com
Multi-factor Authentication Bolsters Security Multi-factor authenticationisexponentiallymoresecurethanpasswordsalone.Before accessingenterprisesystems,employeesandpartnersmustenteratleasttwocredentials: somethingtheyknow(passwordoranswertoaquestion), somethingtheyhave(one-time codefrom mobile app ortextmessage),orabiometric(typicallyafingerprint,voiceprint,or retinascan). Untilnow,strongersecuritycameattheexpenseofbudgetsandtheuserexperience.Multi- factorauthenticationmeantpayingupforhardwaretokensorsmartcards.Todayyoucanadopt multi-factorauthenticationaffordablyandwithoutcompromisingtheuserexperience.Follow thefiverecommendationsbelow. 1. FOCUS ON THE USER EXPERIENCE Giveusersachoiceofhowtoreceivetheirone-timepasscode—forexample,mobileapp, email,SMStextmessage,orautomatedcalltoaphonenumberonrecord.Aconvenientuser experienceencouragesadoption,whichacceleratesproductivitygainsfrommobilityandBYOD. Tousebiometricsasasecondorthirdfactor,considermobileapps.Biometricsappsarealready availableforscanningfingerprints,voices,faces,earprints,gestures,andretinas.Hands-free authenticationbasedonproximityrequiresevenlesseffortfromusers.Theworkstationverifies theuser’scredentialbyconnectingautomaticallytotheuser’smobiledevice.Topreventa criminalcarryingastolendevicefromgainingaccess,besuretosupplementproximity-based authenticationwithapassword. 2. TAKE ADVANTAGE OF CLOUD ECONOMICS AND SCALABILITY Thecloudmodelshiftscapitalexpenseforserversandsoftwaretoapredictableoperational expense.Youpayasyougo.Savingsinclude: • Noon-premisesinfrastructure(servers,storage,andnetworkresources). • Nomaintenancefeesandhardwareandsoftwareupgrades.Youalwayshaveaccesstothe latestfeatures. • Noadditionalcapitalexpendituresasyouaddusers. • Avoidanceofproductivitylosswhenon-premisessystemsgodown.Cloudservice providerscantakeadvantageofeconomiesofscaletoimplementhigh-availability architectures. OutsourcingtoacloudproviderwithexpertiseinauthenticationalsofreesuptimeforyourIT teamtofocusonthecorebusiness. Gartner projects that the number of identity and access management purchases involving authentication as a service will double from 20% in 2016 to 40% in 2020. MagicQuadrantforIdentityand AccessManagementasaService, June6,2016 2 synchronoss.com
NISTLevel 1 NISTLevel 2 NISTLevel 3 Usernameandpassword Secondfactor,suchasone-timecode Usernameandpassword Secondfactor Fullsocialsecuritynumberanddateof birth,checkedagainstpublicdatabases Responsetoacalloremailtothe phonenumberoremailaddress onrecord Usernameandpassword Secondfactor Fullsocialsecuritynumber,dateof birth,andfinancialdata,checked againstpublicdatabases Responsetoacalloremailtothe phonenumberoremailaddress onrecord OneormoreKnowledgeBased Assessmentquestions,suchas monthlymortgagepaymentor makeandmodelofcarin2012 3. BEFORE ISSUING CREDENTIALS, VERIFY THAT USERS ARE WHO THEY SAYTHEY ARE Beforehiringemployeesyouverifytheiridentitybyreviewingofficialdocumentssuchasdriver’s license,socialsecuritycard,orpassport.It’smorechallengingtoverifyoffsitepartners’and contractors’identitybeforeissuingcredentials.HowcanyouverifythatJohnSmithisreally theJohnSmithwhoworksforyouraccountingfirm—notsomeoneelsemasqueradingasJohn Smith,orevenabot?Verifyingtheidentitiesofthirdpartiesisimportantinallenterprises, andmandatedforcertaintypesofusers.Examplesincludehealthcareproviderswhouse e-prescribingsoftwareandfinancialservicescustomerswhoconducthigh-valuetransactions. TheU.S.NationalInstituteofScienceandTechnology(NIST)definesthreelevelsofidentity proofing(levelsofassurance)thatdonotrequireanin-personvisit(Table1).Lookforacloud providerthatoffersNISTLevel3identityproofingandisapprovedbyFederalIdentity, Credential,andAccessManagement(FICAM). Table 1 — Sample User Experience ForThree Levels of Identity Proofing 3 synchronoss.com
4. CHOOSE A CLOUD SERVICE THAT MEETS YOUR INDUSTRY’S SECURITY GUIDELINES Table2listscommonsecurityrequirementsforregulatedindustries.Tomeetthese requirements,cloudprovidersinvestindatacenters,technology,andprocessesthatcomply withgovernmentstandardssuchasNISTandFederalInformationProcessingStandards(FIPS) intheU.S.,andEUGeneralDataProtectionRegulationintheEU. Table 2 — Data Security Requirements by Industry INDUSTRY SAMPLE REQUIREMENTS Financial Services U.S.PaymentCardIndustry(PCI) U.S.Gramm-Leach-BlileyAct(GLBA) U.S.SecuritiesandExchangeCommission(SEC) U.S.FinancialIndustryRegulatoryAuthority(FINRA) U.S.FederalFinancialInstitutionsExaminationCouncil(FFIEC) U.K.tScheme EuropeanBankingAuthority(EBA) EuropeanSecuritiesandMarketsAuthority(ESMA) EuropeanInsuranceandOccupationalPensionsAuthority(EIOPA) BaselCommitteeonBankingSupervision(BCBS) Healthcare U.S.HealthInformationPortabilityandAccountabilityAct(HIPAA) U.S.HealthInformationTechnologyforEconomicandClinicalHealth(HITECH) FederalIdentity,CredentialandAccessManagement(FICAM) Life sciences U.S.FoodandDrugAdministration(FDA) EuropeanMedicinesAgency(EMA) GoodAutomatedManufacturingPractice5(GAMP5) All enterprises Corporatesecuritypolicies Sarbanes-OxleyAct(SOX) 4 synchronoss.com
5. DON’T FORGET PEOPLE AND PROCESS Eventhemostsophisticatedauthenticationtechnologycannotpreventbreachesresultingfrom usersleavingtheirpasswordsinplainvieworreusingtheirworkpasswordforotherservices. Requireemployeestoattendmandatorycybersecurityawarenesstrainingthatcovers: • Regulatorycompliance. • Creatingstrongpasswordsandkeepingthemsecure. • Recognizingphishingattacks.Somecompanieskeepemployees’skillssharpby periodicallysendingoutafakephishingemail.Employeeswhoclickthelinkaretaken toawebpageexplainingthatthelinkcouldhavebeenmalicious. • Understandingthevalueofmulti-factorauthenticationandusingyour organization’ssolution. ImplementsecureITpracticesinconjunctionwithemployeetraining.Besuretosegmentthe networktolimitriskifacybercriminaldoesgainaccessusingstolencredentials.Inaddition, monitorthenetworkfordatatransfersoutsidetheorganizationtoidentifyandmitigate vulnerabilities. Synchronoss Universal Identity, Authentication in the Cloud SynchronossUniversalIdentity(ID)isacloud-basedservicethatreducestheriskoftargeted attacks,credentialtheft,andidentifyfraudbyprovidingapowerfullayerofauthentication security.Whetheryouextendaccesstoemployees,partners,vendors,orcustomers, Synchronossreliablyverifiesuseridentitiesandensuresthatonlytherightpeoplegain accesstoyournetwork.Theresult:yourcompanyandyouruserscanconductbusinesssafely, confidently,andsecurely. SIMPLE GROWTH, LOW PER-USER COSTS Asacloudservice,SynchronossUniversalIDrequiresnoon-premiseshardwareorsoftware. There’snoupfrontcapitaloutlay,andyoualwayshaveaccesstothelatestfeaturesandsecurity enhancements.Helpdeskcostsarenominalbecauseuserscanresettheirownpasswords.The pay-as-you-gomodelmakesiteasyandaffordabletoaddnewemployeesandotherusersas yourbusinessexpands. In the 2016Verizon study, 92% of all phishing attacks aimed for passwords. The most effective phishing websites succeed 45% of the time in enticing visitors to enter information.4 VerizonDBIR,2016 4 http://services.google.com/fh/files/blogs/google_hijacking_study_2014.pdf 5 synchronoss.com
FAST ONBOARDING OF NEW USERS NewuserscanbeginusingSynchronossUniversalIDwithinminutestosecurelysignin. Theyvisit a self-serviceportaltosignup,downloadingasimpleapplication.Thecloudservice verifies their credentialstotheneededNISTlevel.Ifyouhavealreadyverifiedtheidentity ofsome or all of your users,youcanaddthemtothecloudservicewithoutrepeatingthe identityproofingprocess. WIDE CHOICE OF AUTHENTICATION OPTIONS Synchronossoffersmoremulti-factorauthenticationoptionsthananyothervendor.Asyour secondfactor,choosefromasoftwaretoken,aone-touchmobileapp,QRcodescanning,email, SMSmessage,IVRcall,andotheroptions. SIMPLIFIED COMPLIANCE Industry-specific securityregulationsevolvecontinually.Synchronossexpertsmanagethe complexities, eliminatingtheneedtopurchaseregulation-specificsoftwareandhiretalent todeploy and maintainit.We’vedesignedourdatacenters,technology,andprocessesto meetthe most stringentgovernmentstandardsandindustryregulations.TheU.S.Federal Government and the U.K.GovernmentselectedSynchronossUniversalIDforstrong authentication based onourscalableplatformandportfolioofsecuritystandards. TheSynchronossUniversalIDserviceis: • FICAMLevel3certified,thefirstcloudservicetoreceivethiscertification • FederalInformationSecurityManagementAct(FISMA)approved • FederalBridgeCertificationAuthority(FBCA)certified • NIST800-63-2and800-53compliant • FIPS199and140-2compliant • HIPAAcompliant • U.S.AccessBoardSection508compliant • EUGeneralDataProtectionRegulationcompliant ©Synchronoss,Inc.AllRightsReserved 1-0616 6 synchronoss.com
About Synchronoss REALIZE THE PROMISE OF ENTERPRISE MOBILITY Uncompromised productivityandsecurity.OurSecureMobilityPlatformmeetstoday’sneeds andcan help make tomorrow’spossibilitiesareality.Itisdesignedtoenhanceandcomplement existing mobility investments,soyougetabetterROI—andcanfinallyrealizethetruepower ofmobility. Synchronoss Enterprisedeliversrealmobilityforenterpriseswiththemoststringentsecurity requirements.The SecureMobilityPlatformenableshighlyregulatedbusinesstobuildtoward modernmobilityinawaythatcomplementsexistinginvestments. SynchronossEnterprise,inajointventurewithGoldmanSachsandVerizon, isextending deeper into the enterprisetobridgethegapandsolvetheinherentcomplexityassociatedwith mobilityandidentity. Since2000, we’ve providedcloudsolutionsandsoftware-basedactivationtocommunication service providers acrosstheglobe.CompaniessuchasAT&T,VerizonWireless,Comcast,Time Warner Cable, Apple, andMicrosofthaveusedourscalabletechnologysolutionstoallowtheir customers to connect, synchronize,andactivateconnecteddevicesandservicesthatpower theconnectedworld. Weknowmobility.Weknowsecurity.Wecanhelpyourorganizationdosecurebusiness,everywhere. Learn More To find out how you can reduce risk, strengthen security, and confidently extend network access to employees, partners and customers, visit www.synchronoss.com/identity. synchronoss.com ©Synchronoss,Inc.AllRightsReserved 1-0716 7

More Related Content

DOCX
Jon Cohn Exton PA - Healthcare - Enterprise Architecture
Jon Cohn
 
DOCX
Jon Cohn Exton PA - Next Gen Enterprise Information Technology
Jon Cohn
 
DOCX
Jon Cohn Exton PA - ERP Predictions
Jon Cohn
 
DOCX
Jon Cohn Exton PA - Rationalizing Application Portfolios
Jon Cohn
 
PDF
The 2009 Global Outsourcing
Nair and Co.
 
PDF
Is your data safe Infographic by Symantec
Cheapest SSLs
 
PDF
Taking Control of the Digital and Mobile User Authentication Challenge
EMC
 
PDF
Eliminate Password Fatigue with Smart Authentication Solutions.pdf
ensuritytech1
 
Jon Cohn Exton PA - Healthcare - Enterprise Architecture
Jon Cohn
 
Jon Cohn Exton PA - Next Gen Enterprise Information Technology
Jon Cohn
 
Jon Cohn Exton PA - ERP Predictions
Jon Cohn
 
Jon Cohn Exton PA - Rationalizing Application Portfolios
Jon Cohn
 
The 2009 Global Outsourcing
Nair and Co.
 
Is your data safe Infographic by Symantec
Cheapest SSLs
 
Taking Control of the Digital and Mobile User Authentication Challenge
EMC
 
Eliminate Password Fatigue with Smart Authentication Solutions.pdf
ensuritytech1
 

Similar to WP Best Practices For Multi-Factor Authentication (20)

PDF
Security Privacy & Compliance for mHealth Apps 2014 ISRM Conference 2014
Symosis Security (Previously C-Level Security)
 
PPTX
Best Practices for Multi-Factor Authentication: Delivering Stronger Security ...
Sirius
 
PDF
5 Reasons Why Your Business Should Consider Strong Authentication!
Caroline Johnson
 
PDF
Why Passwords are not strong enough
EMC
 
PDF
3 steps security
brightfire-slides
 
PDF
Securing corporate assets_with_2_fa
Hai Nguyen
 
PPT
Dr. Alan Shark
NextgovPrime
 
PDF
Strong Authentication: Securing Identities and Enabling Business
SafeNet
 
PDF
A Better Method of Authentication
Osterman Research, Inc.
 
ODP
Passwords
Charles Southerland
 
PDF
2 Factor Authentication for Wordpress
Askkiz - Security, Cloud & Social Media GRCS
 
PPT
You Can't Spell Enterprise Security without MFA
Ping Identity
 
PDF
Multi Factor Authetification - ZendCon 2017
Philippe Gamache
 
PDF
IRJET- Password Management Kit for Secure Authentication
IRJET Journal
 
PPTX
attack vectors by chimwemwe.pptx
JenetSilence
 
PPTX
Best Practices for Password Rotation and Tools to Streamline the Process
Bert Blevins
 
PDF
What is two factor or multi-factor authentication
Jack Forbes
 
PDF
Security 101: Multi-Factor Authentication for IBM i
Precisely
 
PDF
Passwords don't work multifactor controls do!
FitCEO, Inc. (FCI)
 
PDF
5 Ways to Stay #CyberSecure
Media Sonar
 
Security Privacy & Compliance for mHealth Apps 2014 ISRM Conference 2014
Symosis Security (Previously C-Level Security)
 
Best Practices for Multi-Factor Authentication: Delivering Stronger Security ...
Sirius
 
5 Reasons Why Your Business Should Consider Strong Authentication!
Caroline Johnson
 
Why Passwords are not strong enough
EMC
 
3 steps security
brightfire-slides
 
Securing corporate assets_with_2_fa
Hai Nguyen
 
Dr. Alan Shark
NextgovPrime
 
Strong Authentication: Securing Identities and Enabling Business
SafeNet
 
A Better Method of Authentication
Osterman Research, Inc.
 
Passwords
Charles Southerland
 
2 Factor Authentication for Wordpress
Askkiz - Security, Cloud & Social Media GRCS
 
You Can't Spell Enterprise Security without MFA
Ping Identity
 
Multi Factor Authetification - ZendCon 2017
Philippe Gamache
 
IRJET- Password Management Kit for Secure Authentication
IRJET Journal
 
attack vectors by chimwemwe.pptx
JenetSilence
 
Best Practices for Password Rotation and Tools to Streamline the Process
Bert Blevins
 
What is two factor or multi-factor authentication
Jack Forbes
 
Security 101: Multi-Factor Authentication for IBM i
Precisely
 
Passwords don't work multifactor controls do!
FitCEO, Inc. (FCI)
 
5 Ways to Stay #CyberSecure
Media Sonar
 
Ad

Recently uploaded (20)

PDF
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
PPTX
Configure Apache Mutual Authentication
Antonino Piraino
 
PPTX
Final SEM Unit 1 for mit wpu at pune .pptx
anishtilekar08
 
PPTX
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
SilvioHayashi
 
PDF
OpenACC and Open Hackathons Monthly Highlights July 2025
OpenACC
 
PDF
Flame analysis and combustion estimation using large language and vision assi...
IAESIJAI
 
PDF
Taming the Chaos: How to Turn Unstructured Data into Decisions
Safe Software
 
PDF
Two-dimensional Klein-Gordon and Sine-Gordon numerical solutions based on dee...
IAESIJAI
 
PDF
A Late Bloomer's Guide to GenAI: Ethics, Bias, and Effective Prompting - Boha...
Mindy Bohannon
 
PDF
How ambidextrous entrepreneurial leaders react to the artificial intelligence...
IAESIJAI
 
PDF
STKI Israel Market Study 2025 version august
Dr. Jimmy Schwarzkopf
 
PDF
Abstractive summarization using multilingual text-to-text transfer transforme...
IAESIJAI
 
PDF
Hindi spoken digit analysis for native and non-native speakers
IAESIJAI
 
PDF
A proposed approach for plagiarism detection in Myanmar Unicode text
IAESIJAI
 
PDF
Convolutional neural network based encoder-decoder for efficient real-time ob...
IAESIJAI
 
PDF
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
PDF
A review of recent deep learning applications in wood surface defect identifi...
IAESIJAI
 
PPTX
Modernising the Digital Integration Hub
Daniel Toomey
 
PPT
Galois Field Theory of Risk: A Perspective, Protocol, and Mathematical Backgr...
Melanie Swan
 
PDF
TrustArc Webinar - Click, Consent, Trust: Winning the Privacy Game
TrustArc
 
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
Configure Apache Mutual Authentication
Antonino Piraino
 
Final SEM Unit 1 for mit wpu at pune .pptx
anishtilekar08
 
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
SilvioHayashi
 
OpenACC and Open Hackathons Monthly Highlights July 2025
OpenACC
 
Flame analysis and combustion estimation using large language and vision assi...
IAESIJAI
 
Taming the Chaos: How to Turn Unstructured Data into Decisions
Safe Software
 
Two-dimensional Klein-Gordon and Sine-Gordon numerical solutions based on dee...
IAESIJAI
 
A Late Bloomer's Guide to GenAI: Ethics, Bias, and Effective Prompting - Boha...
Mindy Bohannon
 
How ambidextrous entrepreneurial leaders react to the artificial intelligence...
IAESIJAI
 
STKI Israel Market Study 2025 version august
Dr. Jimmy Schwarzkopf
 
Abstractive summarization using multilingual text-to-text transfer transforme...
IAESIJAI
 
Hindi spoken digit analysis for native and non-native speakers
IAESIJAI
 
A proposed approach for plagiarism detection in Myanmar Unicode text
IAESIJAI
 
Convolutional neural network based encoder-decoder for efficient real-time ob...
IAESIJAI
 
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
A review of recent deep learning applications in wood surface defect identifi...
IAESIJAI
 
Modernising the Digital Integration Hub
Daniel Toomey
 
Galois Field Theory of Risk: A Perspective, Protocol, and Mathematical Backgr...
Melanie Swan
 
TrustArc Webinar - Click, Consent, Trust: Winning the Privacy Game
TrustArc
 
Ad

WP Best Practices For Multi-Factor Authentication

  • 1. White Paper BESTPRACTICES FOR MULTI-FACTOR AUTHENTICATION HOWTO STRENGTHEN SECURITY, MINIMIZE COSTS AND SIMPLIFYTHE USER EXPERIENCE
  • 2. Introduction Securemobileaccesstoenterprisesystemsandinformationcreatesacompetitiveadvantage. Productivityriseswhenemployeescanworkfromanywhere,onanydevice.Employeesand partnersaremoreresponsivewhentheycanaccessyoursystemsfromoutsidethebuilding insteadofwaitinguntiltheycangettoyouroffices.Jobsatisfactiontendstoimprovewhen employersintroducebring-your-own-device(BYOD)polices. Today’sdisappearingnetworkboundariesmagnifytheimportanceofuserauthentication, especiallyinregulatedindustriessuchasfinancialservices,healthcare,pharmaceuticals,andlife sciences.Weakauthenticationpracticescanleadtolossofintellectualproperty,branddamage, publicrelationsdebacles,revenuelossfromsystemoutages,andfinesforcomplianceviolations. The Problem with P@55word5 Theusername/passwordcombinationalonefailstoprotectenterpriseassets.Ina2016study ofmorethan64,000securityincidents,weakorstolenpasswordstoppedthelistofcauses.1 Frequentnewsheadlinesaboutdatabreachesunderscorethefactthatpasswordsareeasy toguess,easytocrack,andeasytoextractfromemployeesviaphishingschemes. Thesoberingtruthisthatyou’revulnerableevenifyouimplementthestrongestdatabase protectionsandenforcerequirementsforcomplexpasswords.Why?Despiterecommendations tothecontrary,manyemployeesusethesamepasswordformultiplesites.Therefore,abreach toanotherorganization’spassworddatabasecanexposepasswordsthatyouremployees usetoaccessyoursystems.Cybercriminalsexploitedthisfacttostealcustomercreditcard informationfromamajorU.S.retaileraftersnaggingaccesscredentialsfromoneofthe retailer’scontractors.2 Similarly,hackerswereabletotemporarilytakeovertwosocialmedia accountsofFacebookfounderMarkZuckerbergafterbreachingathirdsocialmediasite’s passworddatabase.3 Eighty-two percent of all web attacks target user credentials. Many succeed: 63% of confirmed data breaches involve weak, default, or stolen passwords. Financial gain or espionage motivated 89% of breaches. VerizonDataBreachInvestigations Report(DBIR),2016 1 Verizon,2016DataBreachInvestigationsReport 2 http://www.computerworld.com/article/2487425/cybercrime-hacking/target-breach-happened- because-of-a-basic-network-segmentation-error.html 3 http://www.nytimes.com/2016/06/07/technology/if-mark-zuckerberg-can-be-a-hacking-victim- so-can-you.html 1 synchronoss.com
  • 3. Multi-factor Authentication Bolsters Security Multi-factor authenticationisexponentiallymoresecurethanpasswordsalone.Before accessingenterprisesystems,employeesandpartnersmustenteratleasttwocredentials: somethingtheyknow(passwordoranswertoaquestion), somethingtheyhave(one-time codefrom mobile app ortextmessage),orabiometric(typicallyafingerprint,voiceprint,or retinascan). Untilnow,strongersecuritycameattheexpenseofbudgetsandtheuserexperience.Multi- factorauthenticationmeantpayingupforhardwaretokensorsmartcards.Todayyoucanadopt multi-factorauthenticationaffordablyandwithoutcompromisingtheuserexperience.Follow thefiverecommendationsbelow. 1. FOCUS ON THE USER EXPERIENCE Giveusersachoiceofhowtoreceivetheirone-timepasscode—forexample,mobileapp, email,SMStextmessage,orautomatedcalltoaphonenumberonrecord.Aconvenientuser experienceencouragesadoption,whichacceleratesproductivitygainsfrommobilityandBYOD. Tousebiometricsasasecondorthirdfactor,considermobileapps.Biometricsappsarealready availableforscanningfingerprints,voices,faces,earprints,gestures,andretinas.Hands-free authenticationbasedonproximityrequiresevenlesseffortfromusers.Theworkstationverifies theuser’scredentialbyconnectingautomaticallytotheuser’smobiledevice.Topreventa criminalcarryingastolendevicefromgainingaccess,besuretosupplementproximity-based authenticationwithapassword. 2. TAKE ADVANTAGE OF CLOUD ECONOMICS AND SCALABILITY Thecloudmodelshiftscapitalexpenseforserversandsoftwaretoapredictableoperational expense.Youpayasyougo.Savingsinclude: • Noon-premisesinfrastructure(servers,storage,andnetworkresources). • Nomaintenancefeesandhardwareandsoftwareupgrades.Youalwayshaveaccesstothe latestfeatures. • Noadditionalcapitalexpendituresasyouaddusers. • Avoidanceofproductivitylosswhenon-premisessystemsgodown.Cloudservice providerscantakeadvantageofeconomiesofscaletoimplementhigh-availability architectures. OutsourcingtoacloudproviderwithexpertiseinauthenticationalsofreesuptimeforyourIT teamtofocusonthecorebusiness. Gartner projects that the number of identity and access management purchases involving authentication as a service will double from 20% in 2016 to 40% in 2020. MagicQuadrantforIdentityand AccessManagementasaService, June6,2016 2 synchronoss.com
  • 4. NISTLevel 1 NISTLevel 2 NISTLevel 3 Usernameandpassword Secondfactor,suchasone-timecode Usernameandpassword Secondfactor Fullsocialsecuritynumberanddateof birth,checkedagainstpublicdatabases Responsetoacalloremailtothe phonenumberoremailaddress onrecord Usernameandpassword Secondfactor Fullsocialsecuritynumber,dateof birth,andfinancialdata,checked againstpublicdatabases Responsetoacalloremailtothe phonenumberoremailaddress onrecord OneormoreKnowledgeBased Assessmentquestions,suchas monthlymortgagepaymentor makeandmodelofcarin2012 3. BEFORE ISSUING CREDENTIALS, VERIFY THAT USERS ARE WHO THEY SAYTHEY ARE Beforehiringemployeesyouverifytheiridentitybyreviewingofficialdocumentssuchasdriver’s license,socialsecuritycard,orpassport.It’smorechallengingtoverifyoffsitepartners’and contractors’identitybeforeissuingcredentials.HowcanyouverifythatJohnSmithisreally theJohnSmithwhoworksforyouraccountingfirm—notsomeoneelsemasqueradingasJohn Smith,orevenabot?Verifyingtheidentitiesofthirdpartiesisimportantinallenterprises, andmandatedforcertaintypesofusers.Examplesincludehealthcareproviderswhouse e-prescribingsoftwareandfinancialservicescustomerswhoconducthigh-valuetransactions. TheU.S.NationalInstituteofScienceandTechnology(NIST)definesthreelevelsofidentity proofing(levelsofassurance)thatdonotrequireanin-personvisit(Table1).Lookforacloud providerthatoffersNISTLevel3identityproofingandisapprovedbyFederalIdentity, Credential,andAccessManagement(FICAM). Table 1 — Sample User Experience ForThree Levels of Identity Proofing 3 synchronoss.com
  • 5. 4. CHOOSE A CLOUD SERVICE THAT MEETS YOUR INDUSTRY’S SECURITY GUIDELINES Table2listscommonsecurityrequirementsforregulatedindustries.Tomeetthese requirements,cloudprovidersinvestindatacenters,technology,andprocessesthatcomply withgovernmentstandardssuchasNISTandFederalInformationProcessingStandards(FIPS) intheU.S.,andEUGeneralDataProtectionRegulationintheEU. Table 2 — Data Security Requirements by Industry INDUSTRY SAMPLE REQUIREMENTS Financial Services U.S.PaymentCardIndustry(PCI) U.S.Gramm-Leach-BlileyAct(GLBA) U.S.SecuritiesandExchangeCommission(SEC) U.S.FinancialIndustryRegulatoryAuthority(FINRA) U.S.FederalFinancialInstitutionsExaminationCouncil(FFIEC) U.K.tScheme EuropeanBankingAuthority(EBA) EuropeanSecuritiesandMarketsAuthority(ESMA) EuropeanInsuranceandOccupationalPensionsAuthority(EIOPA) BaselCommitteeonBankingSupervision(BCBS) Healthcare U.S.HealthInformationPortabilityandAccountabilityAct(HIPAA) U.S.HealthInformationTechnologyforEconomicandClinicalHealth(HITECH) FederalIdentity,CredentialandAccessManagement(FICAM) Life sciences U.S.FoodandDrugAdministration(FDA) EuropeanMedicinesAgency(EMA) GoodAutomatedManufacturingPractice5(GAMP5) All enterprises Corporatesecuritypolicies Sarbanes-OxleyAct(SOX) 4 synchronoss.com
  • 6. 5. DON’T FORGET PEOPLE AND PROCESS Eventhemostsophisticatedauthenticationtechnologycannotpreventbreachesresultingfrom usersleavingtheirpasswordsinplainvieworreusingtheirworkpasswordforotherservices. Requireemployeestoattendmandatorycybersecurityawarenesstrainingthatcovers: • Regulatorycompliance. • Creatingstrongpasswordsandkeepingthemsecure. • Recognizingphishingattacks.Somecompanieskeepemployees’skillssharpby periodicallysendingoutafakephishingemail.Employeeswhoclickthelinkaretaken toawebpageexplainingthatthelinkcouldhavebeenmalicious. • Understandingthevalueofmulti-factorauthenticationandusingyour organization’ssolution. ImplementsecureITpracticesinconjunctionwithemployeetraining.Besuretosegmentthe networktolimitriskifacybercriminaldoesgainaccessusingstolencredentials.Inaddition, monitorthenetworkfordatatransfersoutsidetheorganizationtoidentifyandmitigate vulnerabilities. Synchronoss Universal Identity, Authentication in the Cloud SynchronossUniversalIdentity(ID)isacloud-basedservicethatreducestheriskoftargeted attacks,credentialtheft,andidentifyfraudbyprovidingapowerfullayerofauthentication security.Whetheryouextendaccesstoemployees,partners,vendors,orcustomers, Synchronossreliablyverifiesuseridentitiesandensuresthatonlytherightpeoplegain accesstoyournetwork.Theresult:yourcompanyandyouruserscanconductbusinesssafely, confidently,andsecurely. SIMPLE GROWTH, LOW PER-USER COSTS Asacloudservice,SynchronossUniversalIDrequiresnoon-premiseshardwareorsoftware. There’snoupfrontcapitaloutlay,andyoualwayshaveaccesstothelatestfeaturesandsecurity enhancements.Helpdeskcostsarenominalbecauseuserscanresettheirownpasswords.The pay-as-you-gomodelmakesiteasyandaffordabletoaddnewemployeesandotherusersas yourbusinessexpands. In the 2016Verizon study, 92% of all phishing attacks aimed for passwords. The most effective phishing websites succeed 45% of the time in enticing visitors to enter information.4 VerizonDBIR,2016 4 http://services.google.com/fh/files/blogs/google_hijacking_study_2014.pdf 5 synchronoss.com
  • 7. FAST ONBOARDING OF NEW USERS NewuserscanbeginusingSynchronossUniversalIDwithinminutestosecurelysignin. Theyvisit a self-serviceportaltosignup,downloadingasimpleapplication.Thecloudservice verifies their credentialstotheneededNISTlevel.Ifyouhavealreadyverifiedtheidentity ofsome or all of your users,youcanaddthemtothecloudservicewithoutrepeatingthe identityproofingprocess. WIDE CHOICE OF AUTHENTICATION OPTIONS Synchronossoffersmoremulti-factorauthenticationoptionsthananyothervendor.Asyour secondfactor,choosefromasoftwaretoken,aone-touchmobileapp,QRcodescanning,email, SMSmessage,IVRcall,andotheroptions. SIMPLIFIED COMPLIANCE Industry-specific securityregulationsevolvecontinually.Synchronossexpertsmanagethe complexities, eliminatingtheneedtopurchaseregulation-specificsoftwareandhiretalent todeploy and maintainit.We’vedesignedourdatacenters,technology,andprocessesto meetthe most stringentgovernmentstandardsandindustryregulations.TheU.S.Federal Government and the U.K.GovernmentselectedSynchronossUniversalIDforstrong authentication based onourscalableplatformandportfolioofsecuritystandards. TheSynchronossUniversalIDserviceis: • FICAMLevel3certified,thefirstcloudservicetoreceivethiscertification • FederalInformationSecurityManagementAct(FISMA)approved • FederalBridgeCertificationAuthority(FBCA)certified • NIST800-63-2and800-53compliant • FIPS199and140-2compliant • HIPAAcompliant • U.S.AccessBoardSection508compliant • EUGeneralDataProtectionRegulationcompliant ©Synchronoss,Inc.AllRightsReserved 1-0616 6 synchronoss.com
  • 8. About Synchronoss REALIZE THE PROMISE OF ENTERPRISE MOBILITY Uncompromised productivityandsecurity.OurSecureMobilityPlatformmeetstoday’sneeds andcan help make tomorrow’spossibilitiesareality.Itisdesignedtoenhanceandcomplement existing mobility investments,soyougetabetterROI—andcanfinallyrealizethetruepower ofmobility. Synchronoss Enterprisedeliversrealmobilityforenterpriseswiththemoststringentsecurity requirements.The SecureMobilityPlatformenableshighlyregulatedbusinesstobuildtoward modernmobilityinawaythatcomplementsexistinginvestments. SynchronossEnterprise,inajointventurewithGoldmanSachsandVerizon, isextending deeper into the enterprisetobridgethegapandsolvetheinherentcomplexityassociatedwith mobilityandidentity. Since2000, we’ve providedcloudsolutionsandsoftware-basedactivationtocommunication service providers acrosstheglobe.CompaniessuchasAT&T,VerizonWireless,Comcast,Time Warner Cable, Apple, andMicrosofthaveusedourscalabletechnologysolutionstoallowtheir customers to connect, synchronize,andactivateconnecteddevicesandservicesthatpower theconnectedworld. Weknowmobility.Weknowsecurity.Wecanhelpyourorganizationdosecurebusiness,everywhere. Learn More To find out how you can reduce risk, strengthen security, and confidently extend network access to employees, partners and customers, visit www.synchronoss.com/identity. synchronoss.com ©Synchronoss,Inc.AllRightsReserved 1-0716 7