Despite the fact, eDiscovery deals almost exclusively with highly sensitive data at the intersection of legal and tech, security remains one of the murkier aspects of the eDiscovery model. Understanding the myriad of corporate security postures, where they stand today, and where corporate security is headed can be understandably daunting as companies bring these tools in-house.
First for fundamentals: let’s look at authentication, how it’s used to control access to both public (internet, cloud-based) and private networks, and how authentication differs critically from authorization.
Authentication is the process of determining who (or what) the initiator of an incoming connection request is, while Authorization is the process of determining what that requester should have access to.
To help illustrate how these two terms differentiate we can use an example at the airport. The TSA officer checks your photo ID against the name on the boarding pass, ensuring your pass is valid for travel that day and at the terminal, you’re looking to enter i.e. you’re being authenticated.
Once through security, it will be confirmed at the gate that you are indeed able to board that particular flight to a specific location, from that particular gate. Voilà, you are now authorized.
Now down to the finer details. Let’s look at the eight types of authentication in play, and the strengths and weaknesses of each:
Ah, passwords—you promised yourself you’d write it down on notes this time. Typically, password-based authentication includes the submission of a user ID value, followed by the entry and submission of a passcode to gain access. Experience has shown that even the most seemingly airtight of capital/number/exclamation point combos are vulnerable to hacking. Skilled cybercriminals use programs that try thousands upon thousands of potential passwords in an attempt to gain access.
To reduce this risk, we have seen the escalation of password complexity as one measure to reduce the effectiveness of automated password cracking (guessing) tools, and the cost in time and effort for users and administrators has grown.
Two-Factor Authentication (2FA):
Two-factor authentication builds on passwords to create a more robust security solution. It requires both a password and possession of a specific physical object to gain access to a network— known only to you, like your password (ideally), and typically accessed through your phone. ATMs were an early system to use two-factor authentication i.e. combination of physical card and password (pin).
In computer security, 2FA follows the same principle. After entering their username and a password, users must clear an additional hurdle to log in: a one-time code from a physical device. The code may be sent to their cell phone via text message, or it may be generated using a mobile app. 2FA is being implemented on an increasing number of banking, email, and social media websites. It’s an order of magnitude more secure, but by no means ironclad.
Each additional hurdle you place in the way of those seeking to illicitly access your sensitive data dramatically increases the chance they will seek less vigilant targets. As the old adage goes, when fleeing from a bear you don’t have to be faster than the bear, just faster than someone else running from it.
Some companies prefer not to rely on cell phones for their additional layer of authentication protection and have instead turned to token authentication systems. Token systems use a purpose-built physical device for their 2FA. This may be a dongle inserted into the computer’s USB port, or a smart card containing a radio frequency identification. If you have a token-based system, keep careful track of the dongles or smart cards to ensure they don’t fall into the wrong hands.
CAPTCHAs don’t verify a particular user but rather seeks to determine whether a user is indeed human. Coined in 2003, the term CAPTCHA is an acronym for “completely automated public Turing test to tell computers and humans apart.” We happen to prefer “CAPTCHA” ourselves. The system displays funky images of letters and numbers to the user and asks them to verify what they see. Innovations in defeating CAPTCHAs have become commonplace. Offshore labour has been used to easily and quickly identify CAPTCHAs for a small fee via apps.
Transaction authentication takes a different approach from other methods. Rather than relying on information the user provides, it instead compares the user’s characteristics with known user info and scans for discrepancies. For example, say a customer’s home address is in Canada. When the user logins in, the transaction authentication system will check that the IP address is in Canada. If so, all is well. If not, additional verification steps will be triggered. Transaction authentication does not replace password-based systems; instead, it provides an additional layer of protection. Unfortunately, it has become increasingly easy for bad actors to falsify their location using once-sophisticated VPN software techniques, which has increased in popularity because of many law-abiding individuals wanting to watch a show only licensed only for, say, UK Netflix.
Computer Recognition Authentication:
Computer recognition authentication is similar to transaction authentication. Computer recognition verifies that a user is who they claim to be by checking that they are on a particular device. These systems install a small software plug-in on the user’s computer the first time they login containing a cryptographic marker. The next time the user logs in, the marker is checked to make sure they are on the known device. The upside of this system is that it’s invisible to the user, who simply enters their username and password are verified immediately.
The disadvantage of computer recognition authentication is that users will of course at times switch devices. Such a system must enable logins from new devices using other verification methods (e.g., text codes).
Single Sign-On (SSO):
As the name would suggest, SSO enables a user to enter their credentials once to gain access to multiple applications. Consider an employee who needs access to both email and cloud storage on separate websites. If the two sites are linked with SSO, the user will automatically have access to the cloud storage site after logging on to the email client. While SSO saves time and keeps users happy, it comes with security risks. An unauthorized user able to access one system has free reign of all others linked. A related technology, single sign-off, logs users out of every application when they log out of any individual application, in turn enhancing security.
On the cutting-edge of authentication methods, biometric systems rely on a user’s physical characteristics for identification, including fingerprints, eye scans, voice recognition and face detection. Biometric authentication is particularly handy in that users don’t have to bring a separate card, dongle, or phone—not to mention, the cool factor for the user.
Despite their security advantages, biometric systems also have considerable downsides. First, they are expensive to install, requiring specialized equipment like fingerprint readers or eye scanners. Second, they come with worrisome privacy concerns. Users may baulk at sharing their personal biometric data with a company or the government unless there is a good reason to do so. Thus, biometric authentication makes the most sense in environments requiring the highest level of security, such as intelligence and defence contractors.
Wrapping it up (We Promise)
Congratulations! You’ve just navigated a dauntingly long blog entry. And, for those that jumped to the end for the editorially mandated summary for the growing TL: DNR crowd, you missed out on an Amazon gift card opportunity*!
While there are many increasingly complex and versatile Authentication technologies available to those of us who build eDiscovery tools and secure the data these tools access, the bad actors are striving just as hard to circumvent these techniques. It’s the age-old balance between security and access; any system 100% secure would be entirely inaccessible.
At Vertical, we are adopting and integrating these versatile tools to allow our users access to sensitive information in a controlled and automated fashion. As our CISO friends will tell you – security remains an evolving challenge that is never complete.
Products like Optimum from Vertical are designed with security in mind, using the latest API technology to connect and integrate into these clouds and SaaS data sources.