Critical considerations for planning your IT security strategy

22 May 2014 | John Proctor, VP, Global Cyber Security, CGI

Like today’s enterprises, city agencies are increasingly looking at IT security strategy, and for good reason. They need to reduce the likelihood and impact of threats to sensitive data and facilities even as the attack surface is constantly increasing. This challenge is exacerbated by an influx of devices in the workplace and the rise of a constantly connected workforce. Bring-your-own-device (BYOD) is a great convenience for employees and field workers but presents unique challenges to information security professionals.

The solution to these problems starts with Identity and Access Management (IAM). Strong authentication of identities allows city agencies to know who is accessing sensitive resources and information, and to grant permissions on a fine-grained basis.

Many agencies focus on the Access Control aspect of this discipline while overlooking Identity Resolution. That is, they often lock down access to resources by role, attribute, or group, but disregard the process by which user identities are authenticated. Allowing users to log in simply with user name and password is a grave error, as attackers are finding it increasingly easy to crack passwords of all types. Frankly, the password is dead.

In this day and age, we need to do what we can to mitigate the risk of identity theft and impostors in our enterprise systems while bringing much needed efficiency gains across the enterprise. I believe that a complete IAM solution must address strong Identity Resolution, and that multi-factor authentication is the key to strong identities. Many IT professionals are familiar with the cryptographic token, which provides two-factor authentication, but even these have been successfully attacked in recent years. The best authentication mechanisms offer robust three-factor authentication based on something you have (smart card or token), something you know (PIN or password), and something you are (biometrics).

Smart card-based solutions are especially interesting because they enable strong logins to laptop and desktop computers, supported by Microsoft Windows and Microsoft Active Directory. Windows has supported smart card logins for over a decade, and support is growing for smart cards on other platforms too.

As enterprise web applications proliferate, Single Sign-On (SSO) is becoming increasingly important because users dislike typing passwords multiple times each day. Also of value is re-use of a single identity (and credential) across an entire city agency, for both physical and logical access, which reduces complexity of the Access Management part of IAM. Leading SSO providers offer solutions that enable strongly authenticated SSO for enterprise web apps, including Microsoft SharePoint and other web apps served from the Microsoft IIS platform.

I also believe that government and business processes will move towards electronic document and transaction signatures and encrypted email. A smart card-based solution can enable this by containing X.509 Public Key Infrastructure (PKI) encryption keys that enable electronic signatures, email encryption, and other identity-based cryptographic actions. While PKI can be done with just a password, PKI protected by a three-factor smart card is stronger and more secure.

Another important feature of IAM systems of the future will be “converged” identities that support physical access control as well as logical access control. Smart cards can replace your current “prox” cards for controlling employee access to facilities. The cards also support multi-factor authentication for users seeking to gain entry to highly sensitive areas. A critical, but often overlooked, benefit to such a system is the increased reliability of the audit trail that is created with a combination of a single token combined with strong authentication. This single benefit can increase security while bringing efficiency benefits when using a common identity across the operating environment.

Finally, mobile computing is becoming increasingly important. The potential attack surface of unmanaged mobile devices is enormous, but employees who bring their own device to work are generally unwilling to allow the IT department to manage their phones or tablets. Mobile Device Management (MDM) solutions that include full containerization are a great solution, but weak authentication is a problem there too. I believe that multi-factor authentication, including biometrics, is required to get the best security from an MDM solution, delivering the promise of the mobile work force and BYOD while still offering high security for your city’s information resources.

In my view, the IT security market space is growing larger and more complex every day, but the solutions all start with strong identities. It’s critical for city leaders to consider this when planning a long-term security posture.

Have a comment or opinion on this post? Let me know @Microsoft_Gov. Or e-mail us at

John Proctor
VP, Global Cyber Security, CGI