October is Cyber Security Awareness Month. In honor of Halloween, our own cyber security expert, Kathleen Grote, unmasks the mystery behind how to protect your customers' sensitive information through authentication and authorization.
Authentication and Authorization
by Kathleen Grote, Information Security Officer
The New York State Department of Financial Services (DFS), the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF) and the National Association of Insurance Commissioners (NAIC) provide guidance to financial institutions and insurance companies on protecting sensitive digital information accessed via the internet.
First – let’s review some definitions to distinguish between authentication and authorization.
Authentication is the process of validating the identity of a registered user who is accessing a service or application.
Authorization is the process of making sure an authenticated user has the necessary privileges to access a specific resource or operation within an application.
Under normal circumstances, an authenticated user is allowed to perform all of the operations they’re authorized to do. For instance, after logging into (authentication) an email account, the user can (authorization) view the inbox and send emails. When a user wishes to access a particularly sensitive resource or operation, additional steps must be taken to authorize the request. For instance, when users want to make a payment, they will be asked to re-enter their credentials, which essentially repeats the authentication process. Some applications also apply precautionary authorization steps when they see unusual behavior, such as access to an account from a new computer or an attempt to make a high-value transaction.
Simple user name and password combinations are used as authentication mechanisms. Passwords have grown increasingly cumbersome to manage and difficult to protect over time. They have distinct weaknesses which can make the authentication process of an application vulnerable to cyber-attacks, such as password theft, brute-force attacks, or man-in-the-middle attacks, leading to data breaches. For this reason, application access should be strengthened using Multi-factor Authentication (MFA).
MFA requires the user to prove ownership of more than one token (multi-factor) when logging into a service (authentication). Tokens traditionally fall into one of three categories: something you know, something you have or something you are.
- Something you know is the user name and password combination.
- Something you have could be a mobile device, dongle or an email address.
- Something you are could be a thumbprint, a retina scan or facial features.
Using more than one token helps ensure you are who you say you are when accessing sensitive information or services via the internet. Once authenticated to a website, authorization policies kick in to determine what resources may be accessed.
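A login that requires two of the tokens listed above (a password the user knows plus a one-time code from a mobile authenticator the user has), as an added example that is not part of the original article or FHLBank Topeka's code. The one-time code follows the time-based algorithm of RFC 6238 (HMAC-SHA1 over a 30-second counter, 6 digits); the user record, its shared secret and the one-step clock-drift allowance are constructed for the demo.

```python
import hashlib
import hmac
import os
import struct

TIME_STEP = 30      # seconds per TOTP counter step (RFC 6238 default)
DRIFT_STEPS = 1     # accept the previous and next step to tolerate clock drift
DIGITS = 6


def totp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 6238 time-based one-time code for a given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


class SecondFactor:
    """Verifies 'something you have': a code from an authenticator sharing `secret`."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_counter = -1       # highest counter value already accepted

    def verify(self, code: str, now: float) -> bool:
        if len(code) != DIGITS or not code.isdigit():
            return False
        counter = int(now // TIME_STEP)
        for c in range(counter - DRIFT_STEPS, counter + DRIFT_STEPS + 1):
            # Each counter value may be accepted once: a captured code cannot be replayed.
            if c > self.last_counter and hmac.compare_digest(totp(self.secret, c), code):
                self.last_counter = c
                return True
        return False


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user record: a hypothetical user with a password and an enrolled authenticator.
_SALT = os.urandom(16)
SECRET = b"constructed demo secret, not a real key"
USERS = {
    "alice": {
        "salt": _SALT,
        "hash": hash_password("correct horse battery", _SALT),
        "second_factor": SecondFactor(SECRET),
    }
}


def login(username: str, password: str, code: str, now: float) -> str:
    """Two-factor authentication: 'something you know' then 'something you have'.

    Returns "ok", "bad_password" or "bad_code". The second factor is only
    consulted once the password is correct, so a stolen password alone fails.
    """
    record = USERS.get(username)
    if record is None:
        return "bad_password"
    if not hmac.compare_digest(record["hash"], hash_password(password, record["salt"])):
        return "bad_password"
    if not record["second_factor"].verify(code, now):
        return "bad_code"
    return "ok"


if __name__ == "__main__":
    import time
    now = time.time()
    current = totp(SECRET, int(now // TIME_STEP))   # what alice's phone would display
    print(login("alice", "correct horse battery", current, now))   # ok
    print(login("alice", "correct horse battery", current, now))   # bad_code (replayed)
```

Two details matter in practice: the comparison uses `hmac.compare_digest` so a guess is not leaked through timing, and a code is accepted at most once, so someone who captures a valid code over the wire cannot reuse it within the drift window.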
The actions taken by the New York DFS, NIST and NAIC reinforce the need for financial services – and all enterprises for that matter – to leverage modern technologies to protect sensitive information.
FHLBank Topeka will be leveraging these modern technologies with its soon-to-be upgraded member website. Watch for more information on the more secure Members Only site in the coming months.