OTP

Identity and Access Management

May 9th, 2016

Research director Felix Gaehtgens at the Gartner Identity and Access Management (IAM) Conference in London mentioned that issuing one-time password (OTP) tokens to third-party organizations can cause many problems. He mentioned that some third-party organizations even hang one-time password tokens on a wall with the name of the companies they belong to, facing a webcam.

“For employees or contractors working internally who need privileged access, having OTP is great. But not for external third party workers,” he said. “Why? Because third parties leave OTPs on their desks; when they go on holiday they leave them for other people to use. It happens all the time.”

Also with shared password comes the biggest risk of accountability. Companies can take various steps to secure there data.

Phone

He suggested to call instead of OTP tokens.

“What you need to do is choose something that is hideous to share, like something linked to a particular mobile phone,” he said. “That’s because a worker isn’t going to leave his phone behind when he goes away on holiday.”

Many Phone-based authentication systems are available in the market.

Dedicated person for IAM

He suggested sponsorship approach where internal employees act as sponsors for external workers and keeps track of them.

“When I suggest this people say ‘Ooh, are you going to delegate third-party privileged access to a third party?’ said Gaehtgens. “The answer is ‘no.’ They have to make a request to your organization for access for a particular employee. But they can de-authorize their own people (for example when they leave the organization).”

Third Party Access

Providing short term access for related resources will secure the data after the work is done.

“So you need to be able to say ‘You can access this system for four hours’ and give out privileges in small chunks,” Gaehtgens said. “Instead of the general sys admin model, you need to give them just what they need.”

Access Management

One can use privilege access management (PAM) and shared account password management (SAPM) tools. to manage third-party access privileges.

IAM on the Record

When third parties have privileged access to your systems, Gaehtgens said it’s important to record at least some of their sessions. “You should let everyone know they are being recorded; at the very least this should make people less sloppy,” he advised.

“Every so often you will see a complete idiot who you never want on your systems again, as they clearly don’t know what they are doing,” he said. “But you may also learn something. Third parties may do something better than you, so you can watch what they do and use it to build up your best practices.”

————————————————————————————————————————————————————-

Alertsec is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.