
Multi-factor authentication in the data center - what should it be?



Continuing our series on information security, today we discuss an important topic: multi-factor authentication in the corporate network. Last time we wrote about what a mantrap (“trap for a person”) is in a data center. Authenticating the employees of a large company, and in particular in the company's data center, where the most valuable information is kept, is the most important factor in protecting against information leakage.

In a company with more than a dozen employees, users must be assigned different access levels to protect information. Usually several layers of protection are used, including authentication (proof of identity), authorization (access control) and accounting (logging of actions). Access to any critical information or equipment must go through multi-factor protection. Let's see how this can work in a company network.

So, any device that gives access to critical shared resources usually asks for a login and password. In the simplest case, this data is stored in a local database, against which the device verifies the credentials and confirms the rights of a particular user to access specific resources.

But in large companies, local authentication is impractical: any change (for example, a user moving to a new position or leaving the company) would then have to be made in every local database at each access point. It is better to use a common database.

Server authentication


In a corporate network, it is better to connect access devices to a common database hosted in the cloud or on a remote server. The device, as with local authentication, works with a login/password pair, but the data used to check the user's credentials is taken from the server. If you need to make a change about a user, you do it only once.

Today one of the most popular vendor-independent protocols for remote user authentication is RADIUS. It was developed by Livingston Enterprises Corporation as an authentication and accounting protocol for access servers. Both proprietary and open-source implementations of the protocol are easy to find on the Web. There are other options, for example LDAP (usually used in Microsoft product environments) and TACACS (used in Cisco environments).

LDAP (Lightweight Directory Access Protocol) is an application-layer protocol for accessing the X.500 directory service, developed by the IETF as a lightweight version of the DAP protocol developed by ITU-T.

TACACS (Terminal Access Controller Access Control System) is a session protocol that was used on ARPANET access servers. A central server decides whether or not to allow a specific user to connect to the network.

Authentication factors: what you know, what you have and what you are


The simplest security systems protect resources with information known only to a certain category of users, usually a login and password. To gain unauthorized access to resources or equipment, an attacker needs to obtain this data. The data centers of the vast majority of companies have not one but several layers of protection.

The second layer of protection usually uses something the user possesses: for example, a one-time password generated by a token card, or the same kind of password sent to the user's smartphone via SMS. To gain access to closed resources, an attacker now needs not only to know the username and password pair, but also to obtain the device from an authorized user, which is already more difficult. This type of protection is two-factor.

Finally, the third layer of protection is biometrics: fingerprint, iris pattern and voice analysis are all biometrics. Adding a third layer makes it very difficult for intruders to gain access to resources critical to the company.



Multifactor authentication for infrastructure management


System engineers and administrators usually have privileged status in the system. To access the company's resources they go through all three levels. Ordinary users are usually given only a username/password pair, which grants access to the least critical resources needed for their work.

Two-factor authentication systems usually work with the RADIUS protocol. Two examples of such systems are RSA SecurID and Duo Security. The user receives a token card (it looks like a small calculator) or a mobile application. Both the device and the program do the same thing: they produce a one-time password for accessing resources. This password is valid only for a limited time.

Now there are two trends in multi-factor authentication:


Some companies are gradually moving away from RADIUS and starting to use PAM modules, which in some cases are easier to install and configure. However, this requires software and hardware developers to work together, or the use of open-source solutions such as Google Authenticator.

In the coming years we will see the rapid development of multi-factor authentication technologies, with solutions gradually becoming simpler and cheaper at the same time. These solutions will also gradually move to the cloud, making it possible to work with them from anywhere in the world. In fact, this is already happening.
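As an added example (not code from the original article or from any of the products named), here is the one-time-password mechanism that token cards and apps such as Google Authenticator implement, TOTP per RFC 6238, together with the server-side check that a code is accepted only inside its validity window and only once. The demo secret is the RFC 4226/6238 test-vector key; the 30-second step and the one-step clock-skew tolerance are assumptions.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo secret: the 20-byte ASCII key from the RFC 4226/6238 test
# vectors, base32-encoded the way an authenticator app stores it.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret_b32, unix_time // step, digits)

def match_totp(secret_b32: str, candidate: str, unix_time: int,
               step: int = 30, skew_steps: int = 1):
    """Return the time-step counter the candidate code matches, or None.
    Neighbouring steps are tried to tolerate small clock drift (assumed +/-1)."""
    current = unix_time // step
    for counter in range(current - skew_steps, current + skew_steps + 1):
        if hmac.compare_digest(hotp(secret_b32, counter), candidate):
            return counter
    return None

class TotpVerifier:
    """Server-side check: a code is accepted only inside its window and only once,
    so an intercepted code cannot be replayed after the legitimate login."""
    def __init__(self, secret_b32: str, step: int = 30, skew_steps: int = 1):
        self.secret, self.step, self.skew = secret_b32, step, skew_steps
        self.last_counter = -1  # highest time-step counter already consumed

    def verify(self, candidate: str, unix_time: int) -> bool:
        counter = match_totp(self.secret, candidate, unix_time, self.step, self.skew)
        if counter is None or counter <= self.last_counter:
            return False  # wrong code, expired, or replay of an already-used code
        self.last_counter = counter
        return True
```

The verifier's "never accept a counter at or below the last consumed one" rule is what makes the password genuinely one-time even within the skew window; without it a code captured at login would remain usable for up to a minute.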

Share your experience:

Source: https://habr.com/ru/post/313802/

