The What, Why and How of Two-factor Authentication (2FA): Decoded

Whether or not you know what it is called, you have likely used 2FA at least once in your life online.

Remember the time you tried logging into your email account from a new device and your email service provider sent you an SMS with a PIN (OTP), to re-validate that it was actually you attempting to login? You would have been allowed access to your inbox only after you entered the correct OTP.

Or the time you tried to transfer money to someone through internet banking. Even though you already entered your customer ID and password, your bank’s application would want to make sure that someone else hadn’t stolen your credentials. They do this by sending you an email with a PIN or a link to click on, for additional validation.

This is exactly what 2FA or two-factor authentication solution is all about.

Known by many names two-factor authentication, two-step authentication, two-step verification or dual factor authentication, 2FA refers to a second level of authentication added on in order to enhance security inherent to a login process. This is in addition to the username and password step, which is relatively susceptible to hacking.

When two or more layers are added to the login authentication process, it’s also known as multi-factor authentication or MFA.

Types of MFA security

A two or multi-factor authentication process typically asks you for ‘something you know’ in the first step, such as your email ID/username and password.

In the second step, it may ask you to authenticate your identity with ‘something you have’ or ‘something you are’.

Something you know the knowledge factor:

This could be your username and password, as in any ordinary login process, or it could be a PIN.

Something you have the possession factor:

This traditionally referred to hand-held token items, such as smart cards or Yubikeys embedded with a certificate to identify the user. Nowadays, a ‘possession’ could also be your smartphone, containing an app which sends a push notification or a TOTP. This is especially beneficial since tokens like smart cards are relatively more prone to being lost, stolen or misplaced.

Something you are the inherence factor:

Biometric authentication could involve the scanning of a biological element that is exclusively yours such as your fingerprint, hand geometry, retina, iris and so on. Voice recognition can also be used.

Two-factor authentication for your business

If your business relies on highly sensitive data or handles personal data of clients, you need to have an information security management system in place. This is especially crucial these days as several governments are imposing stringent regulations to ensure that the privacy of their citizens is not compromised. Some business standard certifications also require security compliances to certify your business and, therefore, it is important for you to protect sensitive data with more than just single-factor authentication (SFA).

By setting up 2FA or MFA security in all your business applications, you are assured of a higher degree of protection. In this manner, even if somebody does steal, guess or hack a password or even a list of passwords, through a brute force attack, they will be stopped at the second level as they attempt to log in to a specific individual’s account.

Multi-factor authentication solutions by Akku

When your business uses multiple applications, it may be both expensive and difficult to set up and streamline multi-factor authentication in each. That is where Akku comes in, with the promise to address all these concerns once and for all.

Once you opt for Akku, it becomes a common identity provider (IdP) across all your enterprise applications and creates a single sign-on (SSO) page through which your users can access them. Having brought all of your applications to a single platform through the SSO, Akku then seamlessly implements the multi-factor authentication functionality across them all.

With Akku, users can decide to use any of the following options as their second factor for re-validating their identity, giving them the power of choice:

    • A push notification delivered to their smartphone through the Akku mobile app
    • A time-based OTP (TOTP) which expires in 30 seconds through an authentication app (such as Google authenticator)
  • A PIN sent through an SMS to their registered mobile number

Interested to know more? Visit www.akku.work or get in touch with us through sales@akku.work

Akku – Secure your Enterprise Communication

Akku is a great way to control and authenticate communication channels for any enterprise.

One of the biggest threats to any organization is the possibility of a data breach, which can result in loss of data, loss of trust, and ultimately, loss of growth of the business. This makes data security a critical aspect to consider in any enterprise.

An important consideration, especially for SME businesses, is to secure their data – most companies still look for a way to do it in the traditional approach to data security – with an on-premise local environment.

Running the organization with an on-premise environment requires a dedicated workforce, this can be replaced with a secure cloud-based environment. But how does this fit in with Akku? Akku is a pure cloud Identity and Access Management solution that can be integrated with cloud, hybrid or on-prem applications.

So how can Akku help your organization?

Akku’s first great feature would be its Single Sign-on (SSO), where any enterprise’s user accounts and applications can be integrated into a single platform – making access easy for users and control easy for admins.

Unauthorized access is restricted by Akku, which is built on a certificate-based authentication architecture.

It is also possible to filter the content accessed by an organization’s users – DNS filtering to control websites that can be accessed, YouTube filtering to ensure only relevant video content is viewed, and even personal email blocking to improve productivity and security.

Akku also maintains highly granular logs, allowing for detailed reporting on user behavior – time, location, OS and so on for users logging in.

These are just a few of the functionalities that Akku brings to the table to add value to your organization’s data security.

So fight back against data breaches, and tell the world “My Data and Communication are secure!”

Is Your Data Secure? No…

As per a survey by Forrester Research (Forrester Consulting Thought Leadership Paper, February 2017), in the last 4 years, out of every three organizations, two have had an average of at least 5 breaches. There are nearly 6 billion data records that were stolen and lost in the past 10 years. According to www.breachlevelindex.com, an average of 165,000 records are compromised every hour. According to this article published on www.csoonline.com, global cybercrime related damage is expected to exceed US$ 6 trillion annually by the year 2021.

How can IAM help protect data?

  • Identification: Users make their claim on their identity by entering a username and verify through an authentication process
  • Authentication: Authentication may be a password or may rely on advanced technologies, such as biometric and token-based authentication
  • Authorization: The IAM system must then verify the user’s authorization to perform the requested activity and also ensure that users perform actions only within their scope of authority

Together, these three processes combine to ensure that specified users have the access they need to do their jobs, while unauthorized users are kept away from sensitive resources and information. Effective IAM solutions help enterprises facilitate secure, efficient access to technology resources across these diverse systems.

Identity and Access Management (IAM) is the information security discipline that allows users access to appropriate technology resources, at the right time. It incorporates three major concepts:

According to this article on BizTech magazine, improved data security is one of the three main reasons to deploy an IAM solution.

The article highlights the fact that consolidating authentication and authorization functionality on a single platform provides IT professionals with a consistent method for managing user access. And when a user leaves an organization, IT administrators may revoke their access in the centralized IAM solution with the confidence that this revocation will immediately take effect across all of the technology platforms integrated with that IAM platform.

So implement an identity and access management solution at your organization to take a major step towards improved data security.

Safer Interactions with the Internet through a Web Application Firewall

The internet represents a revolutionary step forward in the way data is stored and accessed, and in the way business is done. Most enterprises make use of user-friendly websites or web applications which allow their users to interact and transact.

But allowing users to seamlessly interact with your server and database presents some problems too. Primary among them is that it is difficult to differentiate between genuine users and hackers.

This is where a Web Application Firewall (WAF) comes in. A WAF allows you to protect your servers from online attacks on the internet.

For instance, there may be several nodes or entry points into your network, which security threats from the internet can penetrate. A robust security solution should ensure that these individual layers or nodes stay uniformly protected. Even if one of the layers is compromised, the impact of the breach could be severe. But micromanaging the security of every node in your network is time-consuming and invariably increases the latency of system operations.

A Web Application Firewall (WAF) can help you ensure the security of your network by monitoring and controlling all the HTTP conversations that your systems have with the internet.

What is a WAF and how does it work?

A Web Application Firewall comprises a set of instructions or protocols which have to be adhered to when using web-based applications. It protects your network and servers from websites whose scripts could be infected with malicious code intended to breach your security and access your data.

While using web applications, your searches and actions are considered client requests. These requests are processed by proxy servers which are kept in place to protect the client system. The proxy server receives the correct response from remote servers and transmits the data back to you.

A WAF acts a reverse proxy which protects your servers from attacks. It is an intermediary layer between the client and server, which makes it seem like the response is forwarded by an actual proxy server.

Website Filtering using WAF

A robust WAF comes with advanced DNS filtering features which examine every request from your network and send back only relevant and secure results. In addition to providing a layer of security to your servers and filtering websites based on its security loops, an effective web filtering solution should also simply allow you to blacklist websites because they could be irrelevant to the work done by your employees. Unmoderated internet access can have serious repercussions in terms of productivity drain.

Akku from CloudNow Technologies is a comprehensive solution to all your website filtering needs. It is a cloud-based web filtering software which allows you to specify which domains need to be blocked, for any reason – especially security or productivity concerns.

Password Security Threats

Most people use a Password Manager to save their account passwords. A password manager is an app or device which serves as a single collection point for all of a user’s account credentials. LastPass and Dashlane are two well-known password managers in the market. The usage of a password manager presents a security risk in case of a data breach. In fact, as per the Independent, the password manager LastPass was hacked and a data breach did occur, compromising user credentials.

Another high-risk method that many users follow is to save their passwords in their browsers, and use auto-fill for convenience.

In today’s world, data breaches are the highest level of threat – don’t forget, all your data is being protected by your passwords! No security initiative can come with 100% convenience – but it is important to understand and prioritize security.

This is even more important for enterprises, where the tools they are providing their users to manage their passwords are eventually protecting the company’s data.

There are enterprise IAM tools available in the market which help enterprises to provide a secure single sign-on (SSO) and other access control lists such as IP- and device restrictions, time and location restrictions, and multi-factor authentication. These functionalities help end users as well as administrators to protect company data with additional layers of protection.

Delving deeper into MFA as a means to improve password security, the trend today is that many leading SaaS providers have started deprecating SMS as the medium to send the OTP, since this is an old-school method and comes with dependencies in order to serve its purpose. The modern and more convenient way to run an MFA is using TOTP and push notification.

Implementing a single sign-on (SSO) with an MFA is a powerful way to boost the security of your passwords while ensuring a minimal compromise on the convenience front. And of course, type your password each time instead of saving it in your browser or a password manager to minimize the security risk.

Protecting Your Vault: Safeguard your Data Center with an IAM Solution

At most enterprises, data centers are a repository of information contained within a network of servers from where data is transmitted to other touch points for processing. While these data centers could be cloud-based or on-premise, the security of such business-critical data is of paramount importance.

There could be several vulnerabilities in your network in the form of entry points that seem like they can be ignored. While there are several measures you can implement to physically secure your data center, it takes a lot more to secure remote or even on-premise servers from virtual attacks. An effective data center security solution will allow you to intuitively monitor all the entry points for possible attacks and ensure that you are protected against any breach.

One major part of the solution is the implementation of an Identity and Access Management (IAM) solution as part of your security system.

Staying Protected Online using an Identity and Access Management Solution

The two biggest focus areas for any security solution are authentication and authorization. Although there are overlaps in the usage of the two terms, there are distinct in the way they allow access of data.

Authentication determines if the user trying to enter a system is in fact who he/she is claiming to be, while authorization determines whether the user has the permission to access the data or application that he/she is attempting to access.

A comprehensive IAM solution should be able to intelligently allow you to do both by acting as the Identity Provider (IdP) for your cloud, on-premise or hybrid network and interact with the servers in the data centers to check for authentication and authorization using advanced, yet easy to implement, system architectures.

The Akku Solution

CloudNow’s Akku is an enterprise-grade IAM solution that plays this role perfectly using its custom SAML to provide a robust Single Sign-on (SSO) solution, or to integrate with an SSO solution already in place for your other applications. As an IdP, Akku communicates with the server at the time of login to carry out authentication and validate authorization.

By using a high-end security solution, you can effectively control access to your network and data center and reduce the number of resources dedicated to data center security.

Akku also removes any need for any middleware which could otherwise complicate or even corrupt the security system.

The implementation of an efficient and cost-effective security solution like Akku can go a long way in allowing you to focus on improving the operational efficiency of your organization instead of being caught up with the security threats to your data.

Everything You Need to Know About Secure Passwords

Your password – your secret passphrase or PIN that you use for your email, social media profile, or applications at work – is necessary for you to gain access to your accounts. But more importantly, your password plays a critical role in ensuring that no one else has access to your accounts, ensuring the security and privacy of your own as well as your organization’s data and applications.

With advancements in technology, it is important to be aware that there are equally advanced ways in which people steal information belonging to others, and even more ways through which they can misuse that information. Therefore, it goes without saying that secure passwords are of prime importance.

Common Password-Related Mistakes

You can’t blame yourself for being naturally inclined to choose a simple password that will be easy to remember. Unfortunately, these are the very same passwords that are also easy to guess or crack with a hacking software. Remember that, if information about you that can be found online – your date of birth, favourite colour, pet’s name, and so on – is incorporated into your password, it becomes even more vulnerable.

Another mistake made by most people is that a common password is used across multiple online accounts. The problem with doing this is, if someone manages to crack your password to one account, you are giving them free access to the rest!

Writing down your password or saving it somewhere online? This is a very naive act that can put your entire online data at risk of being accessed and stolen easily. Some of the other mistakes you might be making when it comes to passwords is that you don’t change the factory-set or default password, you use the same password for too long, and so on.

Tips to Set Up a Secure Password

    • Create a long password with a minimum length of 10-12 characters
    • Use a combination of uppercase letters, lowercase letters, numbers, and special characters
    • Special characters need to spread out across the password and not be limited to the first or last place
    • Do not use the same password for multiple security points
    • Change your passwords every 1-3 months
    • Avoid using words with obvious references to your personal life
    • Avoid using dictionary words as a whole

Passwords in the Workplace

In the workplace, the importance of a secure password is further amplified because the breach of a corporate network can have consequences that will affect the entire business.

Employees, who are otherwise the biggest assets to a company or business, also become the weakest link in the security chain protecting its data. The reason? Poor password selection and the subsequent compromise to data security. A single password, if compromised, can open the security gates and let intruders in.

Combating Weak Passwords in the Workplace

A good password policy is the weapon of choice when it comes to combating the threat of weak passwords.

A password policy is a set of guidelines that help users set up strong and secure passwords. When a password policy is enforced, a user is not allowed to create a password that does not abide by these guidelines.

Some essential features of a password policy are:

1) Password Length & Complexity Requirement

The password policy ensures that every password created is of a minimum length (for example, at least 6 characters long) and needs to use a variety of character types (uppercase letters, lowercase letters, numbers, special characters).

2) Minimum & Maximum Password Age

This part of the password policy decides how often a password is to be changed. Ideally, a good password policy ensures the expiry of a password once in 3 months, so the user is forced to create a new password. However, if a policy prompts the user to change their password too often, they may be tempted to write it down or store it elsewhere. This, again, will compromise security.

3) Password History

When a user is prompted to change a password, he/she may tend to reuse a password they had earlier used for the same application. By enforcing a good password policy, users will not be allowed to reuse an old password at least for another 5 times.

4) Number of Failed Attempts

A password policy also establishes the maximum number of invalid attempts allowed before an account will be locked out temporarily. Once locked, the account may need administrator support to be unlocked and made accessible again.

Beyond Password Security

For companies and businesses that use highly-sensitive data, it may be required to go one step beyond just a good password policy that enforces strong passwords. In such cases, a two-factor or multi-factor authentication functionality may be enforced, where additional layers of security are integrated into the sign-in process.

With such a functionality, users will be required to re-validate their identity using one or more of the following:

    • A one-time password or PIN
    • A thumbprint or retina scan
    • A Yubikey, smart card, USB token, or magnetic strip card

Usually, a good Identity and Access Management (IAM) like Akku by CloudNow Technologies will provide companies and businesses with the security features they require by enforcing strong password policies, multi-factor authentication functionalities, and other advanced security features like IP and device-based restrictions.

Are your users’ weak passwords keeping you up at night? Speak to us to see how Akku can help with Password Policy Enforcement and Multi-factor Authentication.

Secure and Easy User Management: SCIM through the Fundamentals

What is SCIM?

The System for Cross-domain Identity Management (SCIM) is an open standard specification, designed to make user management easy. It essentially allows admins of cloud and on-premise networks to move users in and out of their systems quickly and easily. The system builds on inputs from existing user management schemas and allows the integration of powerful authentication models. It uses a common user schema in coordination with an extension model which allows for seamless migration of user data between different nodes of the system.

SCIM transmits user data between identity providers (like Akku by CloudNow) and service providers (SaaS applications) using a secure protocol. When this is used in conjunction with a robust authorization system, it gives rise to a powerful identity and access management solution. If not for SCIM, the IT departments of every organization would have to dedicate time and resource to managing access control, instead of simply automating the process.

How does SCIM help in Creating a Powerful Identity and Access Management Solution?

Like we mentioned earlier, SCIM enables the communication between the identity provider and an enterprise SaaS application which needs user information to process, create, modify or remove users from accessing a network. SCIM is built using REST and JSON to define and establish the roles of the client and server – in this case, the identity provider acts as the client and the SaaS application acts as the server.

Identity providers like Akku contain a directory of user identities which is normally extracted by the server. In most cases, the server can extract information from directories other than the identity providers as well. But migrating the data to an identity provider can significantly improve the security of the user management system. When the client or identity provider makes changes to any user information, it immediately reflects in the server or SaaS application by using the SCIM protocol. With SCIM, you can create, replace, delete, search and update user information.

The client or identity provider can also view the data present on the server and record any mismatches. If irregularities between the client and server are not immediately noticed and rectified, it could lead to a potential security breach.

How can Akku help you?

With organizations moving their operations to the cloud at breakneck speeds, the need to streamline and implement a Single Sign-on solution is constantly rising. Akku is one of the best Identity and Access Management Solutions available in the market, allowing you to integrate with third party applications as well as our own suite, to take your identity and user management efforts to the next level. This simplifies the work of your organization’s cloud or on-premise network administrators to grant access to several users and applications. For your users, this means remembering only one set of credentials for several applications.

Speak to us to see how Akku’s Single Sign-on can help you manage your users more efficiently.

A Step Closer to GDPR Compliance: A Strong Password Policy

The European Union enforced the General Data Protection Regulation (GDPR) in May 2018 with three main aims: to harmonize data privacy laws across Europe, to protect and empower the data privacy of all EU citizens and to reshape the way organizations across the region approach data privacy. As you can see “data privacy” is the keyword in all three of the above mentioned aims. With multiple data breaches coming to light in the recent years, even from several of the world’s biggest corporates, the European Union has enforced stringent measures to regulate the use and prevent the misuse of citizens’ data through the GDPR.

Compliance and Consequences

As stated specifically in the GDPR, all enterprises (whether businesses or organizations) must take a “high level of protection of personal data” as one of their top priorities so that the “abuse or unlawful access or transfer” of such data may be prevented. If data is breached, or if GDPR procedures are compromised, the enterprise will face serious penalties. The fine for the non-compliance to GDPR for breach of data could be up to €20 million or 4% of annual global turnover, whichever is higher, depending on the type and extent of the breach.

This applies not only to enterprises within the EU, but also to those that may be located outside and offer goods or services of any type to the EU. The GDPR rules also apply to cloud controllers and processors.

The Emphasis on Passwords

Interestingly, the GDPR does not place any direct regulations on the way passwords are created or used. However, when it comes to the protection of online data, it’s hard to argue against securing passwords being the logical first step. On the one side, businesses that provide access to customers through an online portal typically ensure that they are creating secure passwords to sign in to by enforcing password policies that define their length and other parameters.

However, the slip often occurs when the employees of these enterprises are allowed to create weak passwords for accessing in-house applications. What is often forgotten is that these applications also carry sensitive data that belong to both the enterprise and its customers. A compromise here can cost the enterprise more than just the data; it will cost its credibility as well.

A strong password policy, therefore, becomes a key first step in the path to GDPR compliance.

The Inevitability of a Password Policy

By enforcing a strong password policy, administrators can ensure that users of an enterprise’s applications set up and use only passwords that are secure and, therefore, much less susceptible to brute force attacks and other hacking attempts.

A password policy defines and enforces a set of rules that include the minimum length, acceptable combination of small and upper case letters, use of numbers and special characters, expiration period of passwords and so on.

Without a password policy, the administrators of an enterprise would have no control over the type of passwords their users set, and would have their hands tied when it comes to situations that lead to a data breach, making it hard to demonstrate the GDPR’s requirement of a “high level of protection of personal data”.

This makes a strong password policy a critical requirement for every on-premise as well as cloud-based application, both for data security and to work towards complying with this aspect of the GDPR.

The Hybrid and Multi Cloud Conundrum

Unfortunately, setting in place a password policy across all of an enterprise’s applications is much easier said than done.

Most enterprises use a wide range of applications across different platforms – both cloud-based and on-premise – with each application operating on different technologies and each with its own identity management and password policy, controlling how users set up passwords in each application can often be an expensive and time consuming process.

Implementing a common bridge layer across of the applications used by the enterprise in the form of an Identity and Access Management (IAM) solution to act as the identity provider (IdP) across all applications is the best way to overcome this challenge.

The Akku Solution

Akku is an identity and access management solution that integrates all of the on-premise and cloud-based applications of an enterprise, providing a single platform for administrators to control employee access, permissions, and levels of control within its different applications.

With Akku playing the role of the identity provider (IdP), it enables administrators to set up a single password policy that will instantly be applied to all of the applications that are accessed by a user at the workplace. This password policy holds good, irrespective of whether the application is on-premise or cloud-based, or across different platforms. Akku also allows for the secure resetting of passwords, as specified by GDPR standards. Besides password policy enforcement, Akku also utilizes a custom salted-hash function, users’ credentials are also encrypted to ensure a high level of security.

Want to explore a quick and hassle-free password policy implementation across your enterprise applications? Get in touch with us today at sales@akku.work

Addressing Challenges in Implementing “The Use of Company Property” policy at a Leading Insurance Company

Company X is a leading insurance company which provides laptops to all employees for their work, regardless of their grade in the organization’s hierarchy.

The company has deployed a gateway firewall, incorporated with a DNS filter to blacklist or whitelist access to certain websites. In this manner, users are denied access to malicious websites, and threats due to unauthorized website use is prevented while users are within the office network.

How DNS Filtering Works?

Whenever a user makes an internet search, a request is passed on to the network through an IP. However, when DNS filtering is implemented in an organization, the relevant web page is redirected to the firewall where the restrictions are verified. If it has been blacklisted, access to the webpage is blocked.

Loophole Causing Security Concern

When more and more users beginning to work from home or work while travelling using the laptops provided by the company, Company X began facing new security concerns.

Although the firewall’s DNS filter was effective when users were within the office network, the user’s laptops were outside of the firewall’s reach. This meant that users could access any site or download any software without any restrictions, exposing the company-owned devices (COD) at risk due to unauthorized websites. This, in turn, threatened to compromise both the devices and the data stored in them.

It also made the devices non-compliant to the Company Owned Device (COD) policy.

Prognosis

The DNS filtering rules set by the company no longer applied when users took their devices outside their network and firewall. Addressing this issue, CloudNow’s Identity and Access Management (IAM) solution was deployed. With its website filtering feature, maintaining DNS filter rules was made possible, even outside the firewall.

With Akku, requests made by users to access any website goes through its DNS filter, which checks for restrictions and blocks unauthorized web pages. Here, the router acts only as the connecting bridge to the internet. This makes it possible to maintain website blocking instructions for devices, disregarding where the users access them from through the internet.

Why is DNS Filtering Outside your Firewall is a Necessity?

It is a vital for all organizations to increase the security of their data by preventing access to malicious websites in CODs. Additionally, this feature ensures that all CODs comply with security standards and remain audit-ready.

Maintain your DNS filter rules even outside your office premises with AKKU’s website filtering feature.