Dave Martin, Vice-President and Chief Security Officer, EMC, says that the authentication process for employees or general users must not be invasive, but light and transparent. He spoke to Business Line on the trends in the security space on the sidelines of the RSA Conference in San Francisco. Excerpts:

Is two-factor or two levels of authentication enough in areas such as Internet banking, given the increasing threats in cyberspace?

I think multi-factor would be a better term to refer to in the case of authentication.

The ways in which we are going to challenge our customers and users for additional information is going to change.

We want to get to a point where we don't have to challenge them often for additional information. It is easier to accomplish this in an enterprise environment, where maybe we challenge them once.

If they reconnect from the same space, same machine and same fingerprints, maybe we won't challenge them the next time. We can use other things that we know.

Most employees in companies have a PC and a smartphone. So if I know that the PC is near the smartphone, then that is another indicator that the identity is specific to the employee.

The goal is to provide a rich set of authentication rules, many of which the users won't even know we are applying. In a banking environment, it becomes a bit easier as there is only a limited set of transactions generally carried out.

On the enterprise side, the activities are much wider in scope and so authentication is more challenging. The aim here is to make it a part of the workflow rather than appearing to be an intrusion.

Is your USB device RSA SecurID, which generates a code number for authentication of employees, suitable for all types of environments?

Our users have the option to use the SecurID in some instances. In other cases, we may use other forms of authentication.

I would rather have light and transparent authentication. There are cases when we may need multi-factor authentication, say in the cases where access to servers is sought by a user. The challenge again is to weave it into the workflow of the employee so that it does not seem invasive. You need to be clear about what you are asking for from the user or the employee, and why. It might be username and password or username and SecurID. We may ask different things at different times, but we need to be predictable.

How evolved is predictive analytics in the case of cyber security, where it can help prevent attacks?

We have kind of formalised the process of answering many questions. Going back to the authentication example, it is important to know when you should be challenged. It should not be at a discrete point but when you start to do things that were not done earlier. We are focussing on questions in high-risk areas. What is the usage frequency of high-risk data by an employee in a company, for example? It still has a long way to go to become efficient.

How much of the onus rests on companies and users for managing security?

It is too hard and complicated for users to manage security by themselves. I think there will be some responsibility on the user, but not too much. But we as an industry must try to make security less invasive, particularly in the consumer space. It is not possible for users to manage risks to operating systems and applications.

Is the offering of identity-as-a-service a growing trend?

As a trend it is going to be growing. The importance of mapping identity into our log streams has to be made more pervasive.

With more traffic exchanged from mobile devices to the cloud network and back, identity management increasingly has to be offered as a service.

How will pricing be done for these services?

There are a number of business models being worked out. An enterprise is likely to be paying for a suite of services such as on-boarding, an authentication component and threat-augmented log feeds.
