Presentation is loading. Please wait.

Presentation is loading. Please wait.

This presentation, including any supporting materials, is owned by Gartner, Inc. and/or its affiliates and is for the sole use of the intended Gartner.

Similar presentations


Presentation on theme: "This presentation, including any supporting materials, is owned by Gartner, Inc. and/or its affiliates and is for the sole use of the intended Gartner."— Presentation transcript:

1 This presentation, including any supporting materials, is owned by Gartner, Inc. and/or its affiliates and is for the sole use of the intended Gartner audience or other authorized recipients. This presentation may contain information that is confidential, proprietary or otherwise legally protected, and it may not be further copied, distributed or publicly displayed without the express written permission of Gartner, Inc. or its affiliates. © 2013 Gartner, Inc. and/or its affiliates. All rights reserved. Ant Allan Twitter: @G_ant Gartner Authentication Methods Evaluation Scorecards (GAMES)

2 Why GAMES? To assist Gartner clients in evaluating (and choosing) new authentication methods Published guidelines (eg NIST SP800-63-1) focus on authentication strength (assurance, risk, or trust levels) -GAMES also considers UX and TCO Published guidelines might rank some available methods, but with little transparency -Why does X provide greater assurance than Y? -How can I rank P, Q,… that aren’t explicitly mentioned? Why is Gartner doing this? Because no-one else is!

3 GAMES Timeline First iteration -Gartner Authentication Method Evaluation Scorecards, 30 Sep 2008 -Toolkit: Gartner Authentication Method Evaluation Scorecards, 8 Sep 2009 Second iteration -Gartner Authentication Method Evaluation Scorecards, 2011: Overview, 7 Mar 2011 -  : Total Cost of Ownership, 7 Mar 2011 -  : User Experience, 23 May 2011 -  : Assurance and Accountability 5 Mar 2012 [sic] Third iteration… ?

4 Changes in GAMES General discussion of TCO elements  chart of accounts Ease of use  UX Authentication strength … multiple changes: -V2 has explicit discussion of accountability, not completely orthogonal to assurance -Scrapped complex, effortful quantitative approach (implying a precision that is really unattainable in this kind of evaluation) for a simpler, more qualitative approach -Two parts: A1: The method's resistance to attack — that is, how difficult is it for an attacker to directly compromise or undermine the authentication method (without the user's knowing collusion)? A2: The method's resistance to willful misuse — that is, how difficult is it for a user to deliberately allow colleagues and others to share his or her account?

5 Basic GAMES Framework for Evaluating Assurance and Accountability Particularity (Uniqueness  Mapping) Binding Raw resistance to masquerade attack Effective resistance to masquerade attack Accountability Assurance People, processes and compensating controls Address weaknesses 124 35 6 The guiding principle of the evaluation of authentication strength is to find weaknesses in the authentication method: How could users share credentials? What vulnerabilities are there, and how could an attacker exploit them? What user behaviors increase those vulnerabilities or make exploitation easier? How can we break this?

6 5 Combining Characteristics (  Operations) Level of first characteristic HighMediumLowMinimal Level of second charac- teristic High MediumLow Medium LowMinimal Low Minimal LowMinimal Mathematically, we assign the values 1-4 to the levels minimal-high. The resultant value is the geometric mean of the two input values; that is, the square root of the product. The resultant level is taken from the integer part of that value. For example, combining medium with low, the resultant value is √(3× 2) = 2.449… so the resultant level is low. If we’re combining three values simultaneously, the resultant value is the cube root of the product, and so on.

7 Particularity  Binding  Accountability Particularity: To what degree are the authentication attributes — and the authentication information derived from them: -Unique? -Uniquely mapped to the user? Binding: How difficult is it for the user to willingly share authentication attributes with others? -Or: How tightly are the authentication attributes bound to the user? Accountability: An expression of resistance to willful misuse. (A2) 6

8 How Difficult Is it For an Attacker to Execute a Masquerade Attack? (A1) This decomposes into four more-granular questions, each of which addresses a different attack mode: B1: How difficult is it for an attacker to gain possession of (a copy of) the authentication attributes the user possesses? B2: How difficult is it for an attacker to capture and successfully reuse the authentication information? B3: How difficult is it for an attacker to directly or indirectly modify the stored authentication attributes? B4: How difficult is it for an attacker to directly or indirectly modify an authentication decision or how a decision is enforced? Any chain is only as strong as its weakest link! 7

9 Evaluating the Attack Mode Questions Consider the following*: C1: The attack vector — Where does an attacker have to be to execute the attack? If it's local (that is, physically present), the difficulty is high; if on a local network, medium; if on the Internet, minimal. C2: The access complexity — What level of effort is required? This can be directly expressed as minimal to high. C3: The novelty** — How unusual is the attack? If this is seen in the wild, the novelty is minimal; if it exists as a proof of concept, low; if it is unproven, medium. * Much simplified version from the Common Vulnerability Scoring System ** Note that this replaces "exploitability of the attack" used in the original GAMES research, in order to have the scoring in the "right direction.") 8

10 Evaluating an Authentication Method's Effective Resistance to Attack A method's inherent or "raw" resistance to masquerade attack can be modified — strengthened or weakened — by external considerations that will vary from one implementation to another: D1: How can user behavior facilitate or mitigate an attack? D2: How can administrative processes and administrator behavior facilitate or mitigate an attack? D3: How can additional compensating controls mitigate an attack? 9

11 10 Example of a Summary Scorecard CharacteristicValueComments AUniquenessHigh[Rationale for high uniqueness value here] BMapping uniquenessMedium[Rationale for medium mapping uniqueness here] CParticularity (A  B)MediumDerived value DBindingMedium[Rationale for medium binding here] EAssurance (C  D)MediumDerived value FResistance to attacks of the first kindHighSee attatched worksheet. GResistance to attacks of the second kind LowSee attatched worksheet. [See example in Figure 4] HResistance to attacks of the third kindHighSee attatched worksheet. JRaw resistance to masquerade attacks (lowest of F, G and H) LowDerived value: Lowest of F, G and H.. KEffective resistance to masquerade attacks Medium[Details of complementary safeguards that mitigate the risk of attacks of the second kind. Might reference additional documentation.] LAssurance (E  K)MediumDerived value

12 11 Example of a Scorecard Evaluating Resistance to Attacks of the Second Kind Attack vector Access complexity NoveltyResistance (cube root of product) Comments Eavesdropping at the endpoint Medium (3)High (4)Medium (3)3.302  Medium[Rationale here. Might reference additional documentation.] Eavesdropping on the network Minimal (1)High (4) 2.520  Low[Rationale here. Might reference additional documentation.] Minimum resistance to attack LowDerived value

13 Basic GAMES Framework, Redux Particularity (Uniqueness  Mapping) Binding Raw resistance to masquerade attack Effective resistance to masquerade attack Accountability Assurance People, processes and compensating controls Address weaknesses 124 35 6

14 Learnability Usability Utility Aesthetic appeal Privacy concerns* Universal Design Principles Equitable use Flexibility in use Simple and intuitive Perceptible information Tolerance for error Low physical effort Size and space for approach and use 13 UX Considerations A person's perceptions and responses impact security and risk, TCO, corporate image and business outcomes. * Not in published research. h/t Mary Ruddy

15 Authentication infrastructure components: -Hardware -Software -Services IT operations -Implementation -Support -Identity administration -Logistics Target system components End-user and endpoint components Administration -Management -Training End users -Training -Downtime 14 TCO Considerations (High Level!)

16 Q&A

17 This presentation, including any supporting materials, is owned by Gartner, Inc. and/or its affiliates and is for the sole use of the intended Gartner audience or other authorized recipients. This presentation may contain information that is confidential, proprietary or otherwise legally protected, and it may not be further copied, distributed or publicly displayed without the express written permission of Gartner, Inc. or its affiliates. © 2013 Gartner, Inc. and/or its affiliates. All rights reserved. Ant Allan Twitter: @G_ant Gartner Authentication Methods Evaluation Scorecards (GAMES)


Download ppt "This presentation, including any supporting materials, is owned by Gartner, Inc. and/or its affiliates and is for the sole use of the intended Gartner."

Similar presentations


Ads by Google