Two Factor Authentication - Squared
The next part of the discussion was around authentication. Part of it was academic discussion, part was to think through a business problem - authentication, and how much is enough?
We figured out that the same solution we had just used to solve one problem would also solve another, one that is on the minds of anyone working on HSPD-12 initiatives.
Long story short - four factor authentication. Two factor authentication, squared, or 2F2.
Here is how it works:
I identify the user in two ways - PIV Card (something they have), and Login credentials (PAC & LAC Controls)
I identify the machine in two ways - by unique machine ID (hardware serial numbers encrypted in every packet), and certificate exchange. Unalterable, proven, and deployed in hours.
Why does this matter?
Audit - Be able to see every network layer event, by whom, from what machine, in real time, and know that the data is irrefutable and will hold up in court, unlike a spoofable MAC address or IP address.
Control - Make policy based access decisions based on some combination of 4 different attributes providing the ultimate in flexibility and rollout options.
For example - known/trusted user AND known trusted machine on my LAN - access to what they need to do their job from DAY ONE (email). Known user/unknown machine (vendors/guests) get access to Port 80 only so they can demo, check webmail, etc.
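The policy logic sketched above, as an added example that is not from the original post: each side of the decision needs both of its factors (PIV card plus credentials for the user, hardware serial plus certificate for the machine), the combination selects the allowed ports, and an audit record is produced for every request. The enrolment data, user name, serial numbers and fingerprints are constructed placeholders, and credential verification is assumed to have happened upstream.

```python
from dataclasses import dataclass

# Constructed enrolment data (illustration only): user -> enrolled PIV card,
# machine hardware serial -> expected certificate fingerprint.
ENROLLED_USERS = {"jdoe": "PIV-1001"}
ENROLLED_MACHINES = {"HW-SN-7781": "sha256:aa11"}

FULL_ACCESS = frozenset({25, 80, 143, 443})  # what they need from day one (mail, web)
WEB_ONLY = frozenset({80})                    # vendors/guests: demo, webmail

@dataclass
class AccessRequest:
    user: str
    piv_serial: str        # something they have (PIV card)
    credential_ok: bool    # something they know (assumed verified upstream)
    machine_serial: str    # hardware ID carried in every packet
    cert_fingerprint: str  # presented in the certificate exchange

def check_user(req):
    """Returns (known, suspicious). Known requires both user factors."""
    enrolled = ENROLLED_USERS.get(req.user)
    if enrolled is None:
        return False, False
    ok = enrolled == req.piv_serial and req.credential_ok
    return ok, not ok    # an enrolled user failing a factor is worth an alert

def check_machine(req):
    """Returns (known, suspicious). Known requires both machine factors."""
    enrolled = ENROLLED_MACHINES.get(req.machine_serial)
    if enrolled is None:
        return False, False
    ok = enrolled == req.cert_fingerprint
    return ok, not ok    # known serial with the wrong certificate looks like spoofing

def decide(req):
    """Policy decision from the four attributes, plus an audit record."""
    user_known, user_susp = check_user(req)
    mach_known, mach_susp = check_machine(req)
    if user_known and mach_known:
        ports = FULL_ACCESS          # trusted user on a trusted machine
    elif user_known:
        ports = WEB_ONLY             # known user, unknown machine
    else:
        ports = frozenset()          # unknown user: nothing
    audit = {"user": req.user, "machine": req.machine_serial,
             "user_known": user_known, "machine_known": mach_known,
             "allowed_ports": sorted(ports), "alert": user_susp or mach_susp}
    return ports, audit
```

The `alert` flag fires only on partial matches (an enrolled user or machine that fails one of its two factors), which is the case the real-time alerting described below is meant to catch.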
At the macro level - you have just scoped down your threat surface to only those you know and trust, be they machines or people.
Add to that immediate, real-time alerting when something bad looks like it is happening, plus reporting that shows exactly how they tried to do what they did, were blocked, and were still logged - priceless...