Rhand Leal
January 16, 2017
Access control is one of the cornerstones of security. If you cannot control who access what, you cannot ensure security at all. Because of that, access control stays in the main focus of security teams and wrongdoers.
Today, simple use of passwords, tokens, or biometrics is not enough to prevent unauthorized access. The complexity of the attacks and the value of assets require more, so organizations are turning to multi-factor authentication, especially two-factor authentication.
But, while this represents a clear security improvement, how does it fit into the already existing security frameworks? This article will present which controls from ISO 27001 can benefit from adoption of two-factor authentication access controls.
First of all, it must be understood that a robust access control process comprises these three concepts (performed exactly in this sequence):
Identification: methods to provide a subject (entity that requests access) with a recognizable identity (e.g., user account, VAT, social security number, passport, etc.).
Authentication: methods to ensure that a subject is who he claims to be (e.g., password, token, fingerprint, etc.).
Authorization: methods to control what actions a subject may perform on an object (entity that is being accessed) (e.g., list of subject permissions and list of object permissions).
Regarding authentication methods, the following concepts (or factors) may be used, separately or in combination:
So, when talking about two-factor authentication, we mean using any two of these three concepts together to ensure a subject is who he claims to be.
It is important to note here that when a device provides the information the user must input by himself as part of the authentication process (e.g., a token that gives the user a random number to be used as a one-time password), this is not considered something you have. This situation is considered an authentication by knowledge in two steps (in our example, the password known by the user is one step and the random number provided by the token to the user is the other). To be considered something the user has, the device itself must provide the authentication information during the authentication step (e.g., the smart card must be inserted in the merchant’s card reader to provide its authentication code to validate a physical transaction).
Relying only on one authentication factor leaves your solution with a single point of failure, in the sense that if the knowledge, device, or biometric pattern is compromised, anyone who has it can impersonate the user. Think about these situations:
By using two-factor authentication, you create an additional layer of protection against anyone seeking to obtain unauthorized access, because even if a wrongdoer compromises the information regarding one factor, it will be useless without the information of the second authentication factor.
The selection of a proper pair of authentication factors to be used will depend upon the results of risk assessments, the desired security level, implementation costs, and resources available. The most commonly used are a combination of something you know and something you have (e.g., passwords and smart cards).
Although ISO 27001 controls described in Annex A basically refer to secret information (i.e., passwords, or authentication codes produced by smart cards) as a means of authentication, ISO 27002, which details recommendations for ISO 27001 controls, recommends the use of authentication practices in a lot of other controls, with the goal being to make them more robust and enhance their effectiveness to protect information. These are the ones that can make use of two-factor authentication:
Security controls | Rationale |
A.9.1.1 – Access control policy A.10.1.1 – Policy on the Use of Encryption A.11.2.9 – Clear desk and clear screen policy A.14.1.1 – Information security requirements analysis and specification A.14.1.2 – Securing application services on public networks A.14.1.3 – Protecting application services transactions A.14.2.5 – Secure system engineering principles |
Policies and processes that drive the need of two-factor application use according to business requirements. Here you can define the combination of factors most suitable for your organization. |
A.9.1.2 – Access to networks and networks services A.13.1.2 – Security of network services A.13.1.3 – Segregation in networks A.13.2.3 – Electronic messaging |
Two-factor authentication can be applied to ensure secure access to the most sensitive network services (e.g., credit card online payment). Additionally to user authentication, you can consider authentication of network devices. |
A.9.4.2 – Secure log-on procedures A.9.4.4 – Use of privileged utility programs |
Two-factor authentication can be applied to ensure secure access to the most sensitive information systems, applications, and programs (e.g., research and development systems and security applications). |
A.11.1.2 – Physical entry controls | Two-factor authentication can be applied to ensure secure access to the most sensitive areas and facilities (e.g., datacenters). |
As security solutions grow stronger in all areas (e.g., more secure codes, protocols, and infrastructure, etc.), wrongdoers work even harder to compromise valid access to explore an organization’s assets, and traditional access control practices are not able to keep up proper security levels.
Multi-factor authentication – two-factor at this moment – is the next logical step to maintain security levels, and by associating this practice with controls and recommendations of the ISO 27001 series, an organization can keep its information and systems away from unauthorized people while maintaining compliance with the standard’s requirements.
To learn more on how to improve your overall information security, try this online Security Awareness Training.