Regulation, Reputation And Retribution – The CISO 3Rs

By now you all know about the dangers of doing anything on-line. The only way to be 100% secure is to never power on the very systems that facilitate business. This of course is impractical on all fronts.

The regulatory requirements for data protection are clearly expanding and reach around the globe. Since 2017 Australia, Canada, the EU, Singapore, the United States and many others have implemented enforcement of harsh penalties for failure to comply. These always include some monetary consequences and can even result in imprisonment for high-level executives.

These same regulations make the breaches public knowledge. This is damaging to a corporation’s reputation. Often loss of reputation is of more concern to companies than any levy. Any monetary penalty is a one-time event that may be insured or otherwise offset. Reputation, once damaged, is difficult to repair and will almost certainly have long-term financial implications.

CISOs accept that some 60%-75% of data breaches can be traced back to insider threats. Simply stated, rogue and careless authorised users create opportunities for breaches. These can often be categorised as types of retribution ranging from disgruntled to opportunistic. Add to that the number of users who are under-educated in security, or simply the human factor. Careless, non-deliberate users are potentially more dangerous than third-party cybercriminals.

With hundreds or even thousands of touch points and users with access to key applications and storage, CISOs are quickly looking to implement Multi-Factor Authentication (MFA). This is often an attempt to eliminate the 60%-75% human factor in combination with an effort to meet regulatory requirements.

As you know, Micro Focus (through its acquisitions) has been supplying MFA solutions for over 18 years. Today’s Advanced Authentication 6.2 (AA) is a mature, enterprise-ready solution offering a number of unique selling propositions. AA provides a wide set of interfaces from SAML and OAuth2 to z/OS Mainframe.

AA has a wealth of authentication factors that give customers the ability to tailor how resources are protected while maintaining ease of use. AA also integrates well with other large players like Cisco, Citrix, VMware, Microsoft and others.

Advanced Authentication v6.2 has a new licensing model which aligns more closely with the way that customers deploy and use the product. This is a simplified approach that clarifies for customers which license type to buy. The new model has two distinct parts. First, the base is named Advanced Authentication and contains the server and associated functions. An Advanced Authentication license is required for each user. The second part is Advanced Authentication Clients, which is made up of the workstation components. Advanced Authentication Clients is an add-on that is only required for users of the workstation components (Windows Login, Linux Login, Mac OSX Login, Authentication Agent, Windows OTP application, etc.). This model should be much easier for customers to execute upon.

[Figure: The new AA licensing model]

Introducing Advanced Authentication Limited

In addition to the above license model change, we have introduced a new version of AA named Advanced Authentication Limited. This version is being provided to fill a gap in Micro Focus products. Certain authentication methods have become commodities. Google Auth, Microsoft Live Auth and others have begun supplying authentication free of charge. Our clients are turning to these and sometimes making demands for us to integrate with these free providers. As each Micro Focus product group attempts to satisfy these demands, we hurt our future potential. If a client is already using another product, it becomes harder to interest them in our offering.

Advanced Authentication Limited will not be seen on any part number list as an item for sale. It is provided as an entitlement to (API Level) integrated internal applications. An entitlement means that this version is free of charge to all customers who are current on maintenance with qualifying products, which include:

  • SecureLogin
  • Access Manager
  • Privileged Account Manager
  • Directory and Resource Administrator
  • Self Service Password Reset
  • Micro Focus Filr
  • Micro Focus iPrint
  • Micro Focus Host Access Management and Security Server customers

AA Limited supports a subset of common authentication methods:

  • One Time Password (OTP via Hard or Soft Token)
  • SMS OTP
  • Email OTP
  • RADIUS Client
  • Emergency Password
  • LDAP Password

Further information on Advanced Authentication solutions is available at www.netiq.com/products/advanced-authentication/.

A brief comment for Micro Focus partners: if you have customers with a qualifying product, this is a great opportunity to re-engage with them and make sure they know they now have a great new tool to use. If you are currently engaged in the sale of a qualifying product, you now have a bonus for these potential customers. If you know a customer that owns a qualifying product and might be headed to RFP, they own AA Limited (entitlement) and you have a great opportunity to satisfy their need; if they have additional requirements, they can upgrade to full AA by simply applying a license.

If you need more information, contact Troy Drewry: troy.drewry@netiq.com, +1.813.505.4921

This article was first published in OHM43, 2019.1, p32-33.
