The Case for Tactical Two-Factor Authentication

Over the years, I’ve worked with customers as they were designing and deploying a PKI. A common step for every project was to review and assess business requirements for certificates. The goal was to determine what types of certificates would be needed in the environment. This in turns ultimately drives the design, security and operation of the PKI. One area I would specifically inquire about is the use of Smart Cards for authentication in the environment. The authentication assurance provided by Smart Cards can be a very effective way of protecting environments. However, the perceived cost and logistics of deploying and managing a Smart Card infrastructure across large organizations typically meant this capability was ignored.

This wasn’t a completely unfounded behavior as many organizations lack any defined or enforced information security policies and controls. In fact, historically, the idea of attackers penetrating an organization’s network and stealing data was a largely a theoretical exercise. Many organizations simply wrote off the risks as “Nobody cares how we manufacture our widgets”. However, over the last several years the increase in data theft, information disclosure and corporate data hijacking have shown that any organization could be the next target.

As a result, a year ago I formulated a new approach to Smart Cards and have been strongly advocating that organizations look at Smart Cards again, but in a very different way. The cost and complexity of an organization wide infrastructure is largely unchanged, but in my opinion, this all or nothing approach is flawed.

A tactical two-factor authentication approach focuses on the systems and accounts that have the greatest network privileges and are most vulnerable. For most organizations, this means the elevated administrative accounts and perimeter network servers. Typically this accounts for less than a few dozen computers and accounts across the organization.

It has long been established as a security best practice to separate day to day accounts and elevated administrator accounts for network administrators. The elevated accounts are used to provide trusted privileges to network administrators, but they also represent an account of great interest to attackers. Focusing on these accounts enables an organization to not only ensure a higher level of protection for those privileges, but also ensures that credentials used or exposed on perimeter systems can’t be hijacked.

Perimeter servers afford outside attackers with not only accessible ports and services to compromise, but are home to cached credentials for administrators on the network. This makes them a prime target, but given the need to ensure access to the services, organizations are limited to what can be filtered or turned off.

Leveraging Smart Cards deployed in a tactical fashion, an organization can reap the rewards of higher authentication assurance with a much lower price point. Configuring elevated accounts to require Smart Cards is easily accomplished with very little effort. Pass-through authentication for Remote Desktop and other services mean very little change to the management of the network. The administrator’s day to day account remains unaffected so they can still access their email on mobile devices.

Perimeter servers can be configured to require Smart Card authentication for all interactive logons. This ensures that all users attempting to manage or log onto the server require a Smart Card. This greatly increases the security of these systems and requires no change to the applications, ports or firewalls. The use of USB based Smart Card “sticks” can be used so that Smart Card reader don’t have to be purchased and connected to each server.

As an organization works with these tactical Smart Cards, their comfort level with managing and operating a Smart Card infrastructure will develop. Over time, the prospect of deploying Smart Cards to a larger group of users or across the entire organization is far more likely. There will already be proven value from the tactical roll out and existing operating policy and controls can be leveraged for a broader deployment.

This tactical approach doesn’t solve all authentication issues and doesn’t offer the protection of requiring Smart Cards across the organization. However, it does afford a significant level of protection for some of the most vulnerable portions of the network. It also provides a foundation for the future to grow and expand Smart Cards in the organization.