From Identity Management to Authentication: Technology Evolution to Meet Cyber Threats PowerPoint PPT Presentation




1
From Identity Management to Authentication
Technology Evolution to Meet Cyber Threats
  • ITAA IdentEvent 2008
  • Bret Hartman, Chief Technology Officer, RSA

2
The Attacks Continue
3
The Challenge
  • Cyber security is major national and economic
    security issue
  • Assuring and managing user identities has never
    been more important
  • Do our current authentication technologies meet
    the threats?

4
The Growth of the Internet
  • ARPANET 1971

5
The Growth of the Internet
  • 600,000,000 hosts and growing

You Are Here!!
6
The Rapidly Expanding Digital Universe
Digital Information Created and Replicated
Worldwide
  • 281 exabytes (billion gigabytes) of digital
    information created and replicated in 2007, 10%
    more than previously estimated
  • Close to two zettabytes (10^21 bytes) of digital
    information in 2011
  • Over 95% of the digital universe is unstructured
    data

Source: IDC White Paper, "The Diverse and
Exploding Digital Universe," sponsored by EMC,
March 2008
7
Phishing and Fraud: An Explosion in Internet
Crime
  • Fraudsters are not just one big group of bad guys
  • Different fraudsters perform different parts of a
    scam
  • No longer script kiddies but organized
    professionals
  • A full criminal ecosystem and several online
    marketplaces

8
Business Opportunities Not Always for Good
9
What is Identity Assurance?
  • The set of capabilities and methodology that
    minimizes risks to your organization associated
    with identity impersonation and inappropriate
    account use

  • Allows trusted identities to freely and securely
    interact with systems and access information
  • Extends user authentication from a single
    security measure to a continuous trust model
  • Provides enterprises new ways to generate
    revenue, satisfy customers, and control costs
10
Identity Assurance Enables Flexible Security
(Chart: use cases arranged on a risk axis. Higher
risk puts more weight on authentication strength;
lower risk puts greater weight on TCO and ease of
use. Early adopters of strong authentication sit at
the high-risk end.)
  • Higher risk: super user accounts, online business
    banking, system administrators, online retail
    banking, remote access (VPN)
  • Middle: network login, collaborative forums
    (consumers have less control over PCs; employees
    have more control over PCs)
  • Lower risk: social networks, workgroup solutions,
    information portals
Source: Gartner, Inc., "WWWW. Authentication: Why?
When? What? Who?" by Ant Allan, November 2007
11
The Problem with Passwords
  • April 2004 (London)
      • 70% revealed their computer password for a bar
        of chocolate
      • 34% volunteered their password when asked,
        without even needing to be bribed
  • May 2005 (San Francisco)
      • 67% turned over their passwords for 3 coffee
        coupons
      • 79% said they use the same password for
        multiple Web sites
  • April 2006 (London)
      • 81% revealed personal information for a chance
        to win Easter chocolate
      • People offered up identity info like birth
        date, mother's maiden name, first school
      • 86% gave up their pet's name
      • 90% gave up their home phone number

12
Authentication Tiers: Combinations
(Chart: authentication tiers and the likely
combinations of factors at each, from the low end
to the high end)
13
Authentication is No Longer a Binary Decision
  • It used to be good enough to decide whether the
    password was valid
  • With the advent of phishing and malicious
    activity, authentication can no longer be a
    binary decision
  • Need to apply shades of grey to the
    authentication decision
  • Similar to credit card risk scoring
  • Dynamic risk-based scoring models provide
    statistical information for authentication
  • Shared knowledge of fraudulent activity gives
    visibility into fraud and other nefarious
    activity on the Internet

14
Risk-Based Authentication
  • Balancing security with usability
  • Challenge the user only after suspicious activity
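As an added illustration of the non-binary, risk-scored decision the two preceding slides describe (example code written for this transcript, not RSA's product logic): each login signal contributes a weight, the password check stays a hard gate, and the user is only challenged with a second factor once the score crosses a threshold. Signal weights, thresholds, the per-user history and the "shared fraud knowledge" feed are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample state: known devices and last login per user, plus a
# shared fraud feed standing in for "shared knowledge of fraudulent activity".
KNOWN_DEVICES = {"alice": {"dev-laptop-01", "dev-phone-01"}}
LAST_LOGIN = {"alice": {"country": "US", "ts": 1_000_000}}
SHARED_FRAUD_IPS = {"203.0.113.42"}   # constructed, documentation-range address

CHALLENGE_THRESHOLD = 30   # step up to a second factor at or above this score
DENY_THRESHOLD = 70        # refuse the attempt at or above this score


@dataclass
class LoginAttempt:
    user: str
    device_id: str
    ip: str
    country: str
    ts: int                # seconds since epoch
    password_valid: bool


def risk_score(a: LoginAttempt) -> int:
    """Weighted score in [0, 100]: 'shades of grey' instead of a yes/no."""
    score = 0
    if a.device_id not in KNOWN_DEVICES.get(a.user, set()):
        score += 30                          # unrecognised device
    last = LAST_LOGIN.get(a.user)
    if last and a.country != last["country"]:
        score += 20                          # geographic change
        if a.ts - last["ts"] < 2 * 3600:
            score += 40                      # country change within 2h: impossible travel
    if a.ip in SHARED_FRAUD_IPS:
        score += 60                          # hit on the shared fraud feed
    return min(score, 100)


def decide(a: LoginAttempt) -> str:
    """Return 'allow', 'challenge' or 'deny' for one login attempt."""
    if not a.password_valid:
        return "deny"                        # the binary check still comes first
    score = risk_score(a)
    if score >= DENY_THRESHOLD:
        return "deny"
    if score >= CHALLENGE_THRESHOLD:
        return "challenge"                   # only now is the user interrupted
    return "allow"
```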

15
Use of Strong Authentication as Part of a
Layered-Security Strategy
  • 2008 Verizon Data Breach Investigations Report:
    87 percent of breaches were considered avoidable
    through reasonable controls
  • OMB's 6-16 and 7-16 Guidance (Federal Govt)
      • Control Remote Access: allow remote access
        only with two-factor authentication
  • FFIEC's Guidance for Authentication in an
    Internet Banking Environment
      • Assess risks to the online banking channel
      • Based on those risks, put something in place
        that is stronger than a user name and
        password
      • American Banker, Dec. 2007, noted that
        preliminary results of the FFIEC guidance
        showed up to a 40 percent reduction in account
        hijacking in the online channel

16
Product Assurance is Critical
  • Art Coviello, EVP of EMC / President of RSA: "At
    the end of the day, we can say confidently that
    it doesn't matter where our software and hardware
    are developed in terms of its assurance, because
    our product security initiatives provide
    consistency in how EMC's technology is developed,
    delivering a level of assurance that our
    customers have come to expect and depend on."
  • Industry Leadership: EMC co-founded SAFECode, a
    non-profit organization that brings together
    technical experts from our company and leading IT
    vendors such as Microsoft and Juniper, to share
    lessons learned about secure coding and
    technology development processes and approaches.
    www.safecode.org

17
  • SAFECode: A Global, Industry-led Effort to
    Promote Broad Adoption of Product Assurance
    Practices
  • Increase understanding of the secure development
    methods and integrity controls used by vendors
  • Promote proven software assurance practices among
    vendors and customers to foster a more trusted
    ecosystem
  • Identify opportunities to leverage vendor
    software assurance practices to better manage
    enterprise risks
  • Foster essential university curriculum changes
    needed to support the cyber ecosystem
  • Catalyze action on key research and development
    initiatives in the area of software assurance

18
I3: Identity, Infrastructure, and Information. The
Foundation of Information-Centric Security
(Diagram of three layers: Information, which is at
rest, in motion, or in use; Infrastructure, with
secure devices and secure access; and Identity,
with authenticity and entitlement)
19
Identity Assurance Principles in
an Information-Centric World
  • Dynamic, Intelligent
      • Behavior-based
      • Content-based
  • Transparent to the Enterprise and the User
      • Embedded in the fabric
      • Built into products and infrastructure
  • Risk-Based, Aligned with Your Organization's
    Mission
      • Driven by policy
      • Framework-based
  • Holistic and Layered
      • Endpoint to datacenter
      • Integrated and orchestrated

20
(No Transcript)