CIS502 Discussion Reply
CIS502 discussion post responses.
Respond to the colleagues posts regarding:
Authentication Factors
The three primary factors of authentication are something you know, something you have, and something you are. Multifactor authentication uses more than one authentication factor and is stronger than using a single authentication factor. You are the security professional assigned to design the authentication process for your company. The goal is to secure very sensitive customer data. Thinking about what you know about factors of authentication, provide an example of the process you would implement for users to authenticate to the company’s intranet. How might employee access differ from customer access? Be sure to fully explain your reasoning.
DP’s post states the following:Top of Form
I would start the authentication process by asking questions for security parameters.
· Who are you?
· What is your title?
· Where are you located (GPS)?
Who you are is your user email and last name with the last for of your SSN.
What your title is, is your employee ID number and password.
Where you are located is tagged by the application you are logging into, to see if you have permissions to access company software off site.
A good reason for the location based services to be incorporated is to follow the rules of least privilege. You wouldn't need an hourly based sales employee to access company software other that their schedule while they are off work. However, you may need a Salary based manager to access their employees time and attendance to approve payroll.
TS’s post states the following:Top of Form
The three primary factors of authentication are something you know, something you have, and something you are. Multifactor authentication uses more than one authentication factor and is stronger than using a single authentication factor. You are the security professional assigned to design the authentication process for your company. The goal is to secure very sensitive customer data. Thinking about what you know about factors of authentication, provide an example of the process you would implement for users to authenticate to the company’s intranet. How might employee access differ from customer access? Be sure to fully explain your reasoning.
I would use a Two-factor authentication, or 2FA as it is commonly abbreviated would be different for users versus customers. 2FA adds an extra step to the basic log-in procedure. This extra step is in addition to the user’s password. Having a second authentication method boosts security and lowers risk.
For customers, I might consider whitelisting their IP address. Although transparent to the customer, IP whitelisting allows the company to create lists of trusted IP addresses or IP ranges from which the users can access company domains (GoodData Staff, 2019). IP whitelist is a security feature often used for limiting and controlling access only to trusted users (GoodData Staff, 2019). I select this method because in my current field we deal with less than 50 different clients. IP whitelisting is a manageable process. This is not the way to go for many users.
Another method of 2FA is with one of the leaders in the industry, Google. The Google Authenticator is a free app that requires the user to set up their details, and then validates the user’s details. The codes provided by the authenticator app sync across the user’s accounts, by entering or scanning a QR code from a mobile device it provides a six-digit access code to be entered into the application (Griffith, 2018). Having remote users accessing loan level details through a Citrix portal, 2FA is useful for securing private customer information and validating access is restricted to only the authorized users.
References
GoodData Staff. (2019). IP Whitelisting. Retrieved from GoodData Help: https://help.gooddata.com/display/doc/IP+Whitelisting
Griffith, E. (2018, 2 16). Two-Factor Authentication: Who Has It and How to Set It Up. Retrieved from PC: https://www.pcmag.com/feature/358289/two-factor-authentication-who-has-it-and-how-to-set-it-up