ASK AWAY
VIRTUAL PRIVATE NETWORKS
ARE VIRTUAL PRIVATE NETWORKS SECURE ENOUGH FOR REMOTE CORPORATE USERS, OR IS AN ADVANCED AUTHENTICATION SOLUTION NEEDED?
It’s one of the biggest questions when it comes to any type of security: how much is enough? To answer the question, you have to consider what you’re trying to protect and the risks of exposure.

In today’s competitive and efficiency-driven climate, organizations must provide their employees, contractors and business partners with secure remote access to data and applications. Many organizations secure this access via virtual private networks (VPNs) over Internet connections. But VPNs can only solve the security equation for remote access. VPNs ensure the privacy of data transmission through cryptology, but how does an organization first determine who the person trying to gain access to the VPN is? Today, most VPNs are protected with a simple username and password.

The tunnel of information created by a VPN keeps information private en route, but it doesn’t prevent unauthorized access to an organization’s network. What good is having data remaining private en route, but still going to the wrong person?

Attacks known as Man-In-The-Middle, brute force or spyware can compromise passwords and thus make VPNs much less useful. Once login credentials are compromised, attackers can gain access to an organization’s internal network with the level of entitlement of the breached user. To reduce the risk of such a compromise, organizations should consider complementing or replacing the simple username/password combinations with stronger forms of authentication.

Advanced authentication is necessary to keep VPN-based defences as strong as needed. Advanced authentication generally enables users to provide more than one authentication factor to prove their identity before they receive online access. These factors can include:
• Something you know (e.g., PIN, password or answers to questions unique to a user);
• Something you have (e.g., smart card, digital ID or one-time password token);
• Something you are (e.g., biometric factor, such as fingerprint or voiceprint).

Advanced authentication solutions range from expensive (and traditionally more complex to set up and manage) hardware solutions to newer, more convenient and more cost-effective software solutions.

The route you decide to take will depend on your budget, required strength, and user impact that you are willing to accept to secure your organization’s applications and data.
Amandio Pereira is director of security sales at CA Technologies in Canada (www.ca.com).
PRIVACY DESIGN
I HEAR A LOT ABOUT PRIVACY DESIGN. WHAT IS IT?
Privacy design boils down to the notion of identifying the applicable privacy requirements prior to offering a product or service. If you were, for example, using the Software Development Lifecycle, you would include gathering privacy requirements as part of the analysis and design phases prior to implementation. For a company, this method is a great way of demonstrating that it has identified the applicable legislation and included the information management processes necessary to meet the minimum requirements. If the process is documented, so much the better if and when there’s a privacy breach.

As a data subject, though, the problem with privacy design is that it further removes us from how our information is managed. Privacy requires scrutiny. Using privacy design as a concept can enable a false sense of security. We know less, but we are somehow reassured because privacy has been “built in.” All that’s been built are the legal requirements for managing your information once it has been collected. And this is the point. It has already been collected! Video surveillance with data masking as a privacy design is still surveillance. Surveillance is fundamentally the antithesis of privacy.

Technology can provide benefits, but our information is a commodity — allowing the collection of it is our decision. Privacy design might be able to protect our records, but only once we’ve decided to allow access to that information in the first place. Exercising our right to make that decision is the only way to determine whether our current law is satisfactory. Best advice: start small. The next time someone asks for your information, calculate the exact amount for which you are willing to sell.
Tracy Ann Kosa is an independent privacy researcher in Toronto, Ont. She can be reached at takosa@bell.blackberry.net.
26 SECURITY MATTERS • NOVEMBER/DECEMBER 2010