• United States




What CIOs need to know about authentication

Jul 05, 20175 mins
CybercrimeHackingIT Governance

Email is so critical to business communications today that many assume it's a safe and trustworthy medium, but recent cyberattacks prove it's not. What CIOs need to know about authentication and DMARC, a key tool to address this shortcoming.

Over the past two or three decades the internet has enabled humans to reach far beyond their physical constraints. We log into our company from home, use banking services located thousands of miles away, store our photos who knows where in the cloud, and email our friends and coworkers across the globe.

Meanwhile, the organizations in whom we used to place our trust, such as banks, credit card processors, newspaper publishers, even the U.S. Postal Service have largely been replaced or supplemented by distributed networks where trust is no longer a given.

This disintermediation unfortunately has a dark side. How do you trust anyone? In other words, in the absence of a trusted entity that can vouch for people (or companies), how do you know that the party on the other side of a transaction really is who they say they are? How do you know what they should be allowed to do? Is that email really from your bank? Is that person logging into your company really an employee?

The harder these questions are to answer – and the more important those answers become–the more a given technology will begin to shift towards authentication.

How the credit card industry solved this problem

The evolution of credit cards from the 1970s to 1990s provides a crystal-clear template for how authentication tends to progress. With the very first credit cards, merchants would take an imprint of a card’s digits, they’d send a bill to the credit card processor, and the credit card company would add it to the consumer’s bill.

But then cards started getting stolen and used fraudulently. In other words, without the implicit certification of “legal tender” or of individual relationships between merchants and customers they knew personally, trust became an issue. Credit card companies responded by making lists of bad credit card numbers, which they printed out as booklets, so merchants could look up each card before accepting it. The booklets got thicker and thicker over the years, and eventually the system just got too unwieldy to be workable.

That’s when Verifone and other makers of electronic point-of-sale (POS) systems came in. Their proposition was simple: They built a real time system that authenticates each card before it can be used. The POS dials up a host, checks to see if the card is stolen, whether the card is allowed to do this type of transaction, whether there is enough money in the account to cover it, and so on. It’s a way to get an assurance that the card is actually authentic and the transaction will be honored, right at the moment the card is being used.

In short, the credit card system switched from a printed blacklist, in which cards were accepted unless they appeared on the blacklist, to a real-time digital whitelist system, in which cards were not accepted unless they were authenticated by the POS device.

Three key areas of authentication today

Fast forward to today, and we’re seeing Internet-based technologies evolve their authentication frameworks in a similar way, by creating cloud-based whitelists of people, cloud applications, and email services.

Authentication of people is possible now through infrastructure-as-a-service (IAAS) unified login products like Okta, Gigya, and OneLogin. These services give enterprises control over who is logging in and accessing key digital resources, whether those are employees using internal apps or customers accessing the public website. This protects those resources from people who don’t have the proper authorization. Equally important, they provide visibility into login attempts, and help ensure (and document) compliance with industry standards over privacy protection, data handling, and more.

In the cloud, cloud access service brokers (CASBs) like Skyhigh and Netscope help enterprises manage what resources various services can access. They provide a centralized point of control, detection, management, and enforcement for cloud services, giving IT staff simpler control and visibility into the various services used throughout the organization.

Authentication for communications is coming into its own as well, through services such as Proofpoint, Agari, and ValiMail. Email is so critical to business communications today that many assume email is already authenticated, yet it is not. Here, one of the key tools to addressing that shortcoming is an authentication standard called DMARC. As with Verifone’s credit card authorization network, DMARC moves email from an untrusted relationship to one where trust can be verified in real time, letting companies explicitly state a policy for all email sent using their domain name–in essence, publishing a whitelist of authorized senders. Critically, email authentication via DMARC also allows domain owners to collect daily feedback about any authorized or unauthorized attempts to use email messages with their domain names, enabling them to adjust their policies in real time.

As enterprises adopt authentication for the internet technologies they rely on, they will gain greater security, control, visibility, and compliance for these technologies. Authenticating people, cloud applications, and email services are just a few of the many spheres in which the technology world is moving toward greater and more effective authentication. As this trend progresses, we will see trust begin to reappear everywhere that disintermediation had previously dissolved it.


Alexander García-Tobar is CEO and co-founder of ValiMail, a leading provider of email authentication services for CIOs of large enterprises, located in San Francisco. Alexander has deep roots in the email authentication and cybersecurity space, as a global executive and advisor at Agari, ValiCert and Sygate.

A veteran entrepreneur, Alexander has held various positions at high tech companies such as Lattice3D, SyncTV and Individual. Prior to that he worked at leading research and consulting firms such as The Boston Consulting Group and Forrester Research.

The opinions expressed in this blog are those of Alexander García-Tobar and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.