Security Technology Executive

SEP-OCT 2018


TECH TRENDS
By Ray Coulombe

Protect Your Login Process
Summer tech finds: A closer look at an effective method of two-factor authentication and more

Ray Coulombe is Founder and Managing Director of SecuritySpecifiers.com and RepsForSecurity.com. Ray can be reached at ray@SecuritySpecifiers.com, through LinkedIn at raycoulombe or followed on Twitter @RayCoulombe.

Every so often, I hit a patch where I will run across a flurry of technologies worthy of mention in this column. Here are two that recently caught my eye: The first involves cryptography for two-factor network authentication; the second involves the "virtualization" of computing and storage resources. Let's take a closer look:

Easier Authentication

Hopefully, by now, most of you are using two-factor authentication for your apps and access to critical accounts. It is now common to receive a code by text or email, which combines the authentication factor of "Something You Have" (phone or PC) with a password ("Something You Know") – the other factor being "Something You Are" (typically a biometric). What are you doing to protect your login process?

Although it has been available for a while, I recently investigated and purchased a YubiKey 4 from Yubico, which is a USB key that is inserted into a computer and that a user taps when prompted by the application.

First, a little terminology: U2F is an emerging standard for physical authentication tokens. A U2F USB key is a device inserted into a computer that automatically generates and fills in a special code when activated by touch – the YubiKey is such a key. FIDO is a set of protocols designed to reduce the sole reliance on passwords for authentication.

According to the FIDO Alliance (http://fidoalliance.org), "FIDO protocols use standard public key cryptography techniques to provide stronger authentication. During registration with an online service, the user's client device creates a new key pair. It retains the private key and registers the public key with the online service. Authentication is done by the client device proving possession of the private key to the service by signing a challenge. The client's private keys can be used only after they are unlocked locally on the device by the user. The local unlock is accomplished by a user-friendly and secure action such as swiping a finger, entering a PIN, speaking into a microphone, inserting a second-factor device or pressing a button."

The FIDO2 project is a set of initiatives to provide FIDO authentication for the web, including a standard API – WebAuthN – to enable the embedding of this functionality in web-based services. WebAuthN may replace traditional passwords, and a USB key can provide the second authentication factor. Reduced reliance on passwords can help protect against phishing, man-in-the-middle and replay attacks using stolen passwords.

With the YubiKey 4 (available for $40 on Amazon), a user touches it to trigger FIDO2, WebAuthN, U2F, smart card (PIV), challenge-response, or other authentication methods. It works with Windows and Mac login, gmail, GitHub, Dropbox, Dashlane, LastPass, Facebook, Salesforce and other services. I use it with LastPass, coupled with the LastPass Authenticator app on my iPhone. The instructions for set-up were easy to follow.

Network Virtualization

My good friend and former collaborator at Cisco, Fernando Macias of VMWare, recently made me aware of the VMware NSX Data Center, which provides network and network security entirely in software – abstracted from and regardless of the underlying physical infrastructure. As most professionals know, VMware pioneered the virtualization of computing and storage resources. NSX is the next logical step.

"Most IT security efforts focus on North-South traffic – traffic coming in through the perimeter from the outside; however, a big gap exists in multi-application environments once an intruder has gained access to the network," Macias explains. "Then, you worry about the escalation of privileges and movement from application to application, which we call East-West traffic."

Deploying firewalls throughout the network is costly and time consuming, and it is extremely difficult to effectively scale and reconfigure to meet changing needs. Stricter, more granular security is needed, with the ability to tie security to individual workloads and to provision policies automatically. Using a concept called "microsegmentation," NSX enables fine-grained network controls for unit-level trust and flexible security policies that can be applied to network interfaces for individual workloads. It ties security policies directly to an application. Most IT departments rely on VLANs and subnets to partition their applications logically; however, they are often overly complex and easy to misconfigure.

Continued on page 14
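The FIDO registration and challenge-signing exchange quoted above, as an added example that is not part of the column and not Yubico's or the FIDO Alliance's code. It is a simplified model written with Node's built-in crypto module: the authenticator keeps the private key, only signs while the user is "present" (the touch on the key) and only for the site it was registered to, and the relying party accepts each challenge exactly once. The class and function names, the rpId/origin check, and the users are my own assumptions; real WebAuthN also covers attestation, signature counters and CBOR-encoded authenticator data, which are left out here.

```javascript
// Added example (not from the column): a minimal FIDO/WebAuthN-style flow.
// Assumed simplification: rpId matched against the exact origin hostname.
const crypto = require('crypto');

// --- Authenticator (the user's USB key or device) --------------------------
class Authenticator {
  constructor() { this.credentials = new Map(); } // credentialId -> { privateKey, rpId }

  // Registration: a fresh P-256 key pair scoped to one relying party.
  // Only the public key leaves the device.
  register(rpId) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    const credentialId = crypto.randomBytes(16).toString('hex');
    this.credentials.set(credentialId, { privateKey, rpId });
    return { credentialId, publicKeyPem: publicKey.export({ type: 'spki', format: 'pem' }) };
  }

  // Authentication: sign the challenge together with the origin the browser
  // reports. `userPresent` models the touch; without it nothing is signed.
  sign(credentialId, challenge, origin, userPresent) {
    const cred = this.credentials.get(credentialId);
    if (!cred || !userPresent) return null;
    // Origin binding: a look-alike host is a different origin, so a challenge
    // relayed through it is never signed for the real site.
    if (new URL(origin).hostname !== cred.rpId) return null;
    const clientData = JSON.stringify({ type: 'webauthn.get', challenge, origin });
    const signature = crypto.sign('sha256', Buffer.from(clientData), cred.privateKey);
    return { clientData, signature };
  }
}

// --- Relying party (the online service) ------------------------------------
class RelyingParty {
  constructor(rpId, origin) {
    this.rpId = rpId;
    this.origin = origin;
    this.users = new Map();              // username -> { credentialId, publicKeyPem }
    this.pendingChallenges = new Set();  // issued but not yet consumed
  }
  registerUser(username, credential) { this.users.set(username, credential); }

  issueChallenge() {
    const challenge = crypto.randomBytes(32).toString('base64');
    this.pendingChallenges.add(challenge);
    return challenge;
  }

  verify(username, assertion) {
    if (!assertion) return { ok: false, reason: 'no assertion' };
    const user = this.users.get(username);
    if (!user) return { ok: false, reason: 'unknown user' };
    const clientData = JSON.parse(assertion.clientData);
    if (clientData.type !== 'webauthn.get') return { ok: false, reason: 'wrong type' };
    if (clientData.origin !== this.origin) return { ok: false, reason: 'origin mismatch' };
    // Replay protection: a challenge is accepted once and then forgotten.
    if (!this.pendingChallenges.delete(clientData.challenge)) {
      return { ok: false, reason: 'unknown or reused challenge' };
    }
    const ok = crypto.verify('sha256', Buffer.from(assertion.clientData),
                             user.publicKeyPem, assertion.signature);
    return { ok, reason: ok ? 'signature valid' : 'bad signature' };
  }
}

// Walk through a normal login, a replayed assertion, a relayed challenge
// from a look-alike origin, and a request with no touch on the key.
function demo() {
  const rp = new RelyingParty('example.com', 'https://example.com');
  const key = new Authenticator();
  rp.registerUser('alice', key.register('example.com'));
  const { credentialId } = rp.users.get('alice');

  const c1 = rp.issueChallenge();
  const assertion = key.sign(credentialId, c1, 'https://example.com', true);
  const login = rp.verify('alice', assertion);
  const replay = rp.verify('alice', assertion);          // same assertion again

  const c2 = rp.issueChallenge();
  const relayed = rp.verify('alice', key.sign(credentialId, c2, 'https://example.com.evil.test', true));

  const c3 = rp.issueChallenge();
  const noTouch = rp.verify('alice', key.sign(credentialId, c3, 'https://example.com', false));

  return { login: login.ok, replay: replay.ok, relayed: relayed.ok, noTouch: noTouch.ok };
}

console.log(demo()); // { login: true, replay: false, relayed: false, noTouch: false }
```

The three failing cases map onto the attacks the column lists: the replay fails because the challenge is single-use, the relayed challenge fails because the signature is bound to the origin, and a stolen password alone never produces a valid signature because the private key stays on the device and needs the touch.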
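The contrast the microsegmentation passage draws between subnet/VLAN partitioning and workload-level policy, as an added example that is not from the column and is not NSX's own policy language. It is a toy evaluator: four constructed workloads from two applications share one subnet; the subnet model allows anything inside the zone, while the label-based model defaults to deny and only allows the flows a rule names. Workload names, labels, IP addresses, the rule format and the sample East-West flows are all my own constructions.

```javascript
// Added example (not from the column or from VMware): subnet trust zone vs.
// workload-level microsegmentation, evaluated over constructed flows.

// Constructed inventory: two applications ("shop" and "hr") on one /24.
const workloads = {
  'shop-web-1': { ip: '10.1.0.10', labels: { app: 'shop', tier: 'web' } },
  'shop-db-1':  { ip: '10.1.0.20', labels: { app: 'shop', tier: 'db' } },
  'hr-web-1':   { ip: '10.1.0.30', labels: { app: 'hr',   tier: 'web' } },
  'hr-db-1':    { ip: '10.1.0.40', labels: { app: 'hr',   tier: 'db' } },
};

// Subnet model: only the perimeter is filtered; anything inside the zone can
// reach anything else inside it, on any port.
function subnetAllows(src, dst) {
  const inZone = (name) => workloads[name].ip.startsWith('10.1.0.');
  return inZone(src) && inZone(dst);
}

// Microsegmentation model: default deny between workloads. A rule selects
// source and destination by label and travels with the workload, not the
// network. `sameApp` pins the rule to one application at a time.
const policy = [
  { from: { tier: 'web' }, to: { tier: 'db' }, port: 5432, sameApp: true },
];

function matches(selector, labels) {
  return Object.entries(selector).every(([k, v]) => labels[k] === v);
}

function microsegAllows(src, dst, port) {
  const s = workloads[src].labels;
  const d = workloads[dst].labels;
  return policy.some((rule) =>
    matches(rule.from, s) && matches(rule.to, d) &&
    rule.port === port && (!rule.sameApp || s.app === d.app));
}

// Constructed East-West flows a compromised web server might attempt.
const flows = [
  { src: 'shop-web-1', dst: 'shop-db-1',  port: 5432 }, // the one legitimate path
  { src: 'shop-web-1', dst: 'hr-db-1',    port: 5432 }, // cross-application move
  { src: 'shop-web-1', dst: 'shop-db-1',  port: 22 },   // right host, wrong service
  { src: 'hr-web-1',   dst: 'shop-web-1', port: 80 },   // web tier to web tier
];

function evaluate() {
  return flows.map((f) => ({
    ...f,
    subnet: subnetAllows(f.src, f.dst),
    microseg: microsegAllows(f.src, f.dst, f.port),
  }));
}

// Count flows the subnet model would have let through that microsegmentation stops.
function blockedOnlyByMicroseg() {
  return evaluate().filter((r) => r.subnet && !r.microseg).length;
}

console.table(evaluate());
console.log('lateral flows stopped only by microsegmentation:', blockedOnlyByMicroseg()); // 3
```

Adding a second application in this model means adding its workloads and labels, not recarving VLANs; the single rule already covers it, which is the "tie security policies directly to an application" point the column makes.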
