Authentication and Security - webpublishing.agimo.gov.au http://webpublishing.agimo.gov.au/ en-au 60 Authentication and Security http://webpublishing.agimo.gov.au/Authentication_and_Security

Authentication and Security

Australian Government agencies must consider the security implications of their electronic information systems and devise policies and plans to ensure the systems are appropriately protected. Even unclassified systems with no special attributes or financial implications should have some degree of protection if a reliable or accurate service is to be maintained.

The installation of web server technology creates a 'window' into an agency's network that can potentially be misused by attackers. A poorly organised or poorly maintained web server is likely to introduce problems that allow unauthorised attackers to perform actions outside the scope of legitimate activity, impacting on confidentiality, integrity or availability.

Authentication is the solution to the need for certainty in the identity of the other party to a transaction. It is the process of confirming a user's identity to determine what access and services they are authorised for.

It is important to note that authentication is not the same as security. Authentication must operate in conjunction with an organisation's overall security framework.

Tell Me About?

Authentication Overview

Failure to properly authenticate a transacting party may lead to situations such as the illegal transfer of funds, unauthorised ordering of goods or the mischievous or malicious alteration of data. Authentication therefore underpins confidence in electronic transactions and is a vital component of e-commerce, which depends upon transactions being accepted as valid and binding.

Broadly speaking, authentication relies on one or more of the following:

  • something you know, such as a password or PIN number;
  • something you have, such as a smart card or hardware token; or
  • something you are, such as a fingerprint or iris scan.

Where services are provided via traditional, non-electronic systems, various authentication mechanisms are used. Clients are required to sign forms or letters or other types of correspondence as proof that they supplied the information contained in those documents. Clients may be required to supply an identification number or a case number, and they may be required to provide evidence that they are who they say they are, such as a driver's licence or a birth certificate. In some cases, clients may need to attend the relevant government office in person.

Most of these methods will not work online. Where services are provided online, agencies will need to reassess how they authenticate users. Notably, the use of existing methods of authentication requiring physical presence may reduce or eliminate the convenience of the online service.

It is expected that authentication will be implemented progressively by agencies as authentication solutions are required for new services or as upgrades to existing services.

Authentication Business Decisions

An effective approach to authentication is to understand that technology is not the sole solution. Authentication is as much about management and cultural issues as it is about technical solutions. One of the early issues for consideration is that online authentication may be a costly exercise in comparison to a manual authentication process. Agencies will need to consider cost in relation to an identified level of risk associated with failure to properly authenticate a party to an online transaction.

The likelihood and consequences of such a failure, set against the cost of implementing authentication, should be fully analysed. The consequences may be measured in a number of ways including financial, legal/liability and political outcomes. If managed as a business issue rather than a technical issue, agency authentication needs can be effectively addressed then implemented in a cost-effective manner as the benefits of transacting online are realised.

Agencies must firstly consider whether or not their online services require authentication solutions. Some online services may only require simple authentication techniques such as the use of logins and passwords. For more complex online services that involve data interchange or financial transactions, agencies may choose to use digital certificates. The authentication solution adopted should be determined by the outcome of a risk assessment and subject to the preparation of an associated business case. Agencies should also consider the needs and expectations of their customers.

Why Must I?

Australian Government agencies are required by the Protective Security Manual to consider the security implications of their IT systems and to devise policy and plans to ensure the systems are appropriately protected.

The Australian Government Information and Communications Technology Security Manual (also known as ACSI 33) has been developed by the Defence Signals Directorate (DSD) to provide policies and guidance to Australian Government agencies on how to protect their IT systems.

Related requirements

How Do I?

Other resources

Who Can Help?

For online security issues:

DSD Infosec Group
assist@dsd.gov.au
Tel: (02) 6265 0197

Or:

Better Practice
Australian Government Information Management Office
Department of Finance and Deregulation
better.practice@finance.gov.au

For authentication and Gatekeeper issues:

Authentication and Gatekeeper Team
Australian Government Information Management Office
Department of Finance and Deregulation

Related Topics?

]]>