Balancing Customer Privacy with Strong Authentication

1
Balancing Customer Privacy with Strong
Authentication

• David Strom
• david_at_strom.com
• (516) 944-3407
• TISC Boston 11/13/1999

2
The challenge

• Customers want simplicity
• Store operators want security

3
The old method SSL/credit cards

• How to deal with returning customers?
• How to deal with breaks in shopping session?
• How to deal with peak loads?
• Are they really secure? (Perception vs. reality)

4
Current authentication methods

• Passwords
• Cookies
• Database logins
• Certs and PKI infrastructure
• Single sign on system products

5
Keeping track of passwords is tough

• We all have too many of them
• Where to store them?
• Using same strings can compromise security
• Different sites have different requirements for
  length, numeric characters, etc.

6
Technology to the rescue

• Lucent Web Assistant (lpwa.com8000)
• Compuserve RPA (www.compuserve.com/rpa)

7
Cookies

• Not everyone likes them (I do)
• Not good if you use multiple machines or use
  public PC
• Not good when you upgrade/change browsers

8
Do you really want to do this?

• Setup CA server
• Generate a secure root CA
• Train Reg Authorities to manage certs
• Develop customer cert policies

9
Solution Single sign-on systems

• Password synch
• Login automation/scripting
• Centralized security admin
• Kerberos/tokens
• Web interfaces?

10
Products

• Axent WebDefender
• CyberSafe TrustBroker Suite
• enCommerce
• Gradient NetCrusader
• HP Praesidium Domain Guard
• IBM Snare Works
• Internet Dynamics Conclave
• Netegrity SiteMinder
• Security Dynamics Technologies Keon Suite

11
Panel

• Deepak Taneja, Netegrity
• Michael Onders, enCommerce