Why choosing authorization over authentication will kill your enterprise


Today, the majority of enterprises rely on employee authorization by means of keycards or passcodes. While this form of security is convenient, these methods neither truly authenticate nor verify the identity of the person at the time and place of an access request. We’ve all seen how easily usernames and passwords can be stolen. When this inevitably occurs within an organization, that factor becomes useless and allows an attacker to gain access to everything the employee was authorized for.

Employee authorization based on a single paradigm is highly flawed because that one credential can easily be lost, stolen or duplicated. If you rely on only one vector for authentication, you have a single point of failure. Beyond the increased risk of a data breach, enterprises that rely on single-paradigm authorization open themselves up to fraud, lawsuits, and damage to their reputation and to their relationships with both internal and external stakeholders.

The password-based security solutions that exist today depend on a model that is based on human trust. Even with the best of intentions, we all have trouble remembering passwords to access accounts, and we could all fall victim to social engineering schemes. Therefore, enterprises need both authentication and authorization protocols in order to provide comprehensive safeguards.

What’s the worst case scenario?

Nearly every major corporate data breach, from Target to Sony, can be traced back to poor policy and framework practices that are still being used by many organizations, and that’s a disaster waiting to happen.

There is great potential for immense financial loss if enterprises continue to implement authorization based on a single paradigm. In addition to this, the likelihood of an Internet of Things-focused attack could change the game altogether. As an example, let’s use a home automation company that allows millions of customers to use their mobile devices to turn electronics on and off. It’s certainly not out of the realm of possibility for an attacker to gain control of millions of Android phones that use this company’s app, and then replay instructions for each phone to turn on millions of lights at the same time. A massive power outage throughout the United States, on a scale never seen before, could easily occur.

What needs to be done

In general, all computing systems have authentication built in for every user. Even if the system is designed to log on automatically, as in some people’s homes, the user is still being authenticated by a username and password. So why are organizations not implementing more stringent forms of authentication before authorizing access to certain areas? You can generally blame it on poor IT practices, negligence, or just plain ignorance and laziness.

It is imperative to implement employee authentication -- a positive ID of the user -- based on multiple factors. Authentication is about who you are, and with more advanced forms of authentication, such as biometrics, employees are the password.

Authentication factors fall into the following categories; combining credentials from two or more distinct categories is multi-factor authentication and achieves a higher degree of security than any single category alone:

  • Knowledge: Something you know (username, password, PIN)
  • Inherence: Something you are (biometric data)
  • Ownership: Something you have (mobile phone)
  • Location: Somewhere you are (confirmation of user’s whereabouts)
  • Time: Tracking when you are somewhere, typically used with location
  • Context: Something you do, based on analytics of behavior patterns and device patterns

Why the difference matters

Because the security of corporate data is the top priority of any business, proper identification of the staff who are permitted access to corporate data is critical to protecting and maintaining key information assets and, ultimately, a competitive edge. An end-to-end security framework reduces both the attack surface and the frequency of attacks, which in turn protects brand reputation and trust among stakeholders.

Authorization, the process of specifying access rights to resources, should occur after successful authentication. In today’s heightened cybersecurity risk environment, enterprises must ensure that the correct person is verified to access vital resources at that time and place. Otherwise, we are heading into a certain catastrophe that will not only impact the organization, but also its employees and its customers.
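The two points the article makes, that a positive ID should combine factors from distinct categories (two "something you know" credentials are still one category) and that authorization is only evaluated after authentication has succeeded, are shown below as a small access-decision routine. This is an added example, not code from the article or from Veridium; the factor names follow the list above, the password check uses PBKDF2 with a constant-time comparison, and the role policy, salt, and resource names are constructed sample data.

```python
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    """Credential categories from the article's list."""
    KNOWLEDGE = "something you know"
    INHERENCE = "something you are"
    OWNERSHIP = "something you have"
    LOCATION = "somewhere you are"
    TIME = "when you are somewhere"
    CONTEXT = "something you do"


@dataclass(frozen=True)
class Credential:
    factor: Factor
    verified: bool  # outcome of verifying this one credential


def hash_secret(secret: str, salt: bytes) -> bytes:
    """Derive a stored verifier for a knowledge factor (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, 100_000)


def check_knowledge(secret: str, salt: bytes, stored: bytes) -> Credential:
    """Verify a password/PIN against its stored hash without timing leaks."""
    ok = hmac.compare_digest(hash_secret(secret, salt), stored)
    return Credential(Factor.KNOWLEDGE, ok)


def authenticate(creds, required_categories: int = 2) -> bool:
    """Positive ID: verified credentials must span at least N distinct categories.

    Two verified knowledge factors (password + PIN) count as ONE category,
    so they do not satisfy a two-factor requirement.
    """
    verified_categories = {c.factor for c in creds if c.verified}
    return len(verified_categories) >= required_categories


# Constructed sample policy: resource -> roles allowed to access it.
POLICY = {
    "payroll-db": {"finance"},
    "wiki": {"finance", "engineering"},
}


def authorize(user_roles: set, resource: str) -> bool:
    """Authorization: does any of the user's roles grant this resource?"""
    return bool(user_roles & POLICY.get(resource, set()))


def access_request(creds, user_roles: set, resource: str) -> str:
    """Authorization is evaluated only after authentication succeeds."""
    if not authenticate(creds):
        return "denied: authentication failed"
    if not authorize(user_roles, resource):
        return "denied: not authorized"
    return "granted"


if __name__ == "__main__":
    salt = b"constructed-salt"              # constructed; use os.urandom in practice
    stored = hash_secret("correct horse", salt)
    password = check_knowledge("correct horse", salt, stored)
    phone = Credential(Factor.OWNERSHIP, True)   # assumed verified elsewhere
    print(access_request([password], {"finance"}, "payroll-db"))         # one category only
    print(access_request([password, phone], {"finance"}, "payroll-db"))  # two categories
    print(access_request([password, phone], {"engineering"}, "payroll-db"))
```

Note that the decision function never consults the role policy when authentication fails, so a stolen single credential cannot even reach the authorization step; in a real deployment the per-factor verifiers (device possession, biometric match, location) would each produce the `Credential` records that `authenticate` consumes.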


Dr. John Callahan is CTO at Veridium and responsible for the development of the company’s world class enterprise-ready biometric solutions, leading a global team of software developers, computer vision scientists and sales engineers. He has previously served as the Associate Director for Information Dominance at the U.S. Navy’s Office of Naval Research Global, London UK office, via an Intergovernmental Personnel Act assignment from the Johns Hopkins University Applied Physics Laboratory. John completed his PhD in Computer Science at the University of Maryland, College Park.


© 1998-2024 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.