SecurID Access: Understanding Identity Assurance
Michael Dalton, Sr Identity Engineer, RSA
CISSP, CISA, RSA CSE

Addressing identity risk… so what does that mean? Identity risk can mean a lot of different things. There are many factors that contribute to identity risk, but all of these factors have an impact on how organizations manage and protect access to their data and their most prized crown jewels. I like to start out by talking about the shift we’re seeing across organizations today and some tangible approaches to managing the most critical identity risk factors.

Identity has become a crippling attack vector—no question about it, leading to increased security, compliance and operational risk across all functions of the organization. With the growing reputational and financial costs of a breach, higher scrutiny on security investments, and the C-suite's need to better understand the business impact of security events, identity has become a consequential enterprise business problem that can no longer be addressed solely as an IT security challenge.
Identity = the most consequential attack vector
81%: Confirmed data breaches involving weak, default or stolen passwords
95%+: Web application attacks where credentials are harvested from customer devices
98%: Point-of-sale breaches featuring stolen credentials leveraging legitimate partner access
Source: Verizon Data Breach Investigations Report (DBIR): 2017, 2016, 2015
With GDPR it only gets worse!
The greater of €10 million or 4% of global annual turnover
CONFIDENTIAL
Traditional Authentication: User Name / Password
[Diagram: User, Resource; scale weighing Security against Convenience]
Sacrifices Security for Convenience

Traditional Authentication: Two Factor Authentication
[Diagram: User, Resource; scale weighing Security against Convenience]
Sacrifices Convenience for Security
How do we even the scales?
Convenience: Easy To Use, Any Device, Any Location, Any Resource
Security: Secure, Repeatable, Scalable, Compliant
New Authentication: Identity Assurance
[Diagram: User, Identity Assurance, Resource; Context, Risk]
Context and Risk now become part of the Equation. This creates a level of Assurance Required for Access.
Context: Groups, Roles, IP Address, On Net, Off the Net
Resource: VPN, Cloud App, On-Prem App, Infrastructure

USER EXPERIENCE
Level of Assurance IS Met
Level of Assurance NOT Met: Challenge, Token (you may have already)

RSA SecurID Access Premium Features
Geo IP, Device (Known?), Auth Method, Trusted Location (un), Has Session?, Browser / Auth Source

RISK ENGINE
Additional Context for Better Policies and Risk Analysis: Behavioral Analytics, Device Profiling, Login Frequency

IS THE PERSON WHO THEY CLAIM TO BE? CHALLENGE ACCORDING TO THE RISK!
Intelligence driven identity assurance
[Diagram: Identity Assurance Engine]
Static User and Context Rules: Location, Role, Network, Device, Session, App
Behavior-based Confidence: Access Pattern, Location, Device, Network, Time, App
Outcomes: PASS, RISKY, Deny
Methods: Approve, Tokencode, RSA SecurID, FIDO, Fingerprint
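
The decision flow on the Identity Assurance Engine slide, sketched as an added example; this is not RSA's code or the SecurID Access policy format. All names, assurance levels, weights and thresholds are constructed assumptions chosen only to show how static context rules and a behavior-based confidence score combine into pass, challenge or deny.

```python
from dataclasses import dataclass

# Assurance level each method provides (constructed values, not RSA's).
METHOD_ASSURANCE = {"password": 1, "approve": 2, "tokencode": 2, "fingerprint": 3, "fido": 3}
# Baseline assurance each resource type requires (constructed values).
RESOURCE_REQUIRED = {"cloud_app": 1, "on_prem_app": 1, "vpn": 2, "infrastructure": 3}

@dataclass
class Context:
    role: str
    on_network: bool
    known_device: bool
    trusted_location: bool
    has_session: bool
    resource: str
    logins_from_device: int = 0  # behavioral signal: prior logins seen from this device

def static_required_level(ctx):
    """Static user and context rules: role and network raise the required level."""
    level = RESOURCE_REQUIRED[ctx.resource]
    if ctx.role == "admin":
        level = max(level, 2)
    if not ctx.on_network:
        level += 1
    return min(level, 3)

def confidence(ctx):
    """Behavior-based confidence in [0, 1] from device, location, session, history."""
    score = 0.35 if ctx.known_device else 0.0
    score += 0.25 if ctx.trusted_location else 0.0
    score += 0.15 if ctx.has_session else 0.0
    score += 0.25 * min(ctx.logins_from_device, 10) / 10
    return round(score, 2)

def decide(ctx, presented=("password",)):
    """Return (decision, methods that would satisfy a step-up challenge)."""
    if ctx.resource == "infrastructure" and not (ctx.known_device or ctx.trusted_location):
        return "deny", []
    required = static_required_level(ctx)
    if confidence(ctx) < 0.5:  # low confidence: challenge according to the risk
        required = min(required + 1, 3)
    achieved = max(METHOD_ASSURANCE[m] for m in presented)
    if achieved >= required:
        return "pass", []
    return "challenge", sorted(m for m, a in METHOD_ASSURANCE.items() if a >= required)
```

A familiar user on a known device passes with the password alone, while the same credentials from an unknown device off the network are challenged with a stronger method.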
Black Hat Observations: Authorizations go up even as Authentication challenges go down (NetWitness View of activity)
SecurID Access IN ACTION
Step-Up Authentication: Approve, SecurID OTP, SecurID token, Touch ID, Trusted device
Don’t take my word for it, take it for a test drive
If you go to rsa.com at the top of the site you will see “