For SANS Critical Controls: Authentication Missing In Action

Authentication is the gateway to privilege and authorization. Consider how many portions of your life, digital and otherwise, revolve around authentication. Whether you want to do Internet banking, tweet a friend, or buy a present, some sort of authentication likely occurred to allow you to do so.

An important list of critical IT security controls gives short shrift to authentication, says Mark Stanislav of the firm Duo Security.
An important list of critical IT security controls gives short shrift to authentication, says Mark Stanislav of the firm Duo Security.


But when it comes to one of the most widely used sources of advice for organizations to improve their security, authentication is absent. I’m speaking about The SANS Institute’s “20 Critical Security Controls.” This list represents a great public-private partnership effort with SANS, the Center for Internet Security, and Center for Strategic and International Studies all involved in its production and maintenance.

The goal of the document is to help provide organized guidance and actionable improvements for organizations wanting to strengthen their security posture. Because of the separation of subject matter into individual control areas, the document is quite useful at conveying why a control needs to exist and how to implement, automate, and measure its effectiveness. However, within the 20 controls authentication security is notably absent.

This is especially surprising because the scope of the 20 controls is broad, ranging from penetration testing to malware defense to data recovery. With any list like this, it is hard to outright state that any certain control area isn’t actually important. But omitting authentication security as an explicit control while including others, such as “boundary defense” is puzzling. That’s not to say that boundary defense isn’t important. Rather, the sum of many other controls can adequately represent what’s required by “boundary defense,” whereas authentication should be treated as a first-class citizen in nearly all contexts of security.

By segmenting authentication security into its own control, you need less guidance on a per-control basis related to that subject area. Not only does this make the whole Controls list more efficient, it also provides an adequate amount of space to cover such a crucial and complex topic. Of course, many of the 20 security controls also require authentication security to be strong — from “wireless device control” to “controlled use of administrative privileges.” But the 20 Critical Security Controls List offers few specific guidelines for authentication security beyond basic ‘strong password’ tips or calls to use two-factor authentication.

Mark Stanislav
Stanislav is Security Evangelist at the firm Duo Security.


With continuing growth in cloud computing, organizations will have to focus even more on authentication security as a way to offset the lack of perimeter security such as a firewall or intrusion prevention system (IPS). Because authentication is still a viable control, especially for cloud service providers, it represents one of the few places for strong security to be implemented across all environments. The Cloud Security Alliance (CSA) noted in recent guidance that stolen credentials were one of the top threats of 2013. (PDF) The security firm Mandiant observed that valid credentials were used in 100% of the “advanced persistent threat” (or APT)-style breaches the company investigated in 2012. Recent hacks, including the theft of 150 million passwords from customers of the software firm Adobe, ensure that the problem of stolen credentials isn’t going away.

By not putting a distinct focus on this large and impactful area of control, the “SANS 20 Critical Security Controls” is failing to accurately represent how much effort organizations should be putting into this key piece of information security.

Comments are closed.