Target … DigiNotar … LinkedIn …
What do all of these high-profile data breaches have in common?
Authentication gone wrong.
Target and LinkedIn are still dealing with aftermath of their data breaches. Dutch public CA, DigiNotar, immediately ceased operations and a few months later filed for bankruptcy, in the wake of an intruder gaining control of its servers.
What happened to these businesses may sound like every IT professional’s worst nightmare, but in today’s era of bring-your-own device and unsecured wireless networks, it’s easy for your data to fall into the wrong hands.
According to Wade Baker, creator and principal analyst of the Verizon 2014 Data Breach Investigations Report, attackers hack targeted networks within days, while it takes much longer for victims to realize that they were breached. Baker states, “the bad guys are winning at a faster rate than the good guys are winning and we’ve got to solve that; we’ve got to do something different.”
The first thing you should do differently is change how you manage your authentication. This means using two authentication technologies in tandem – Microsoft public key infrastructure (PKI) and Cisco Identity Services Engine (ISE) – to better protect your network and keep your data secure.
Microsoft PKI: Provide strong Proof of Identity
Microsoft PKI allows you to issue strong proof of identity, in the form of digital certificates, to trusted devices and users. This means that only enrolled and managed devices will have access to your network. With PKI, you also may revoke certificates if an employee leaves the company or loses a device, without necessarily forcing password changes.
PKI does have its limitations. According to Daniel Petri, “A PKI usually does not (and probably should not) handle authorization. Authorization services should be provided by a PMI (Privilege Management Infrastructure).” He also states that “A PKI does not automatically make a system secure.” Factors such as human error and malicious code may put you in danger even if you use a PKI.
Since PKI runs on a commercial OS, it also must be patched and maintained on a regular basis. You need to monitor all certificates as they are issued and revoked to ensure that you are keeping your data secure and remaining in compliance with your industry regulations and organizational practices.
Cisco Identity Services Engine: Strengthen Your Network Authentication
Cisco Identity Services Engine (ISE) provides you with strong network authentication by giving you a single policy control point for access control to all of your networks. When you use ISE for authentication, every device that accesses sensitive networks must receive a proof of identity certificate to do so. This is beneficial if you are in a regulatory environment where you must limit your liability and prove who or what connects to your network.
However, ISE doesn’t create the strong proof of identity – which is why you need to run it in conjunction with PKI.
Microsoft PKI and Cisco ISE: Why Two is Better Than One in the Fight Against Hackers
When you use PKI and ISE in tandem, all of the devices and users that access your network must be known, trusted and have proof of identity to access your network.
ISE provides an administrative portal that makes it easier for you to manage certificates issued to users and devices for network authentication. For example, it issues warnings when certificates are about to expire. Meanwhile, the PKI-issued certificates provide secure communication between your endpoints and management server, as well as between Cisco ISE nodes.
The Data Breach Investigation Report found that a number of high-profile breaches occurred because organizations failed to segment their networks. For example, the Target data breach happened when hackers acquired remote access credentials belonging to an HVAC contractor and used these to laterally access the network containing Target’s point-of-sales terminals, which they then infected with malicious code. This showed a basic segmentation flaw, as the contractor should not have been able to access the networks containing POS systems and, therefore, sensitive data. Had Target used ISE in conjunction with PKI, it could have enforced stronger controls over who could access sensitive areas of it’s network; this would have made it a lot harder for hackers to break in.
Contact your Softchoice Account Manager and to learn how to use both Microsoft PKI and Cisco ISE to build an integrated authentication system that helps you pass audits and avoid data leakage.