Identity Assurance
Emory University Security Conference
March 26, 2008

RSA Company Confidential

Identity Assurance - A Key Element of Information Risk Management
[Diagram labels: Revenue Growth, Compliance, Cost Reduction, Business Continuity, Customer Retention; Network, Endpoint, App / DB, Storage, FS/CMS; Risk; Security Incidents; Sensitive Information]
- What information is important to the business?
- How do we mitigate risks associated with accessing the organization’s information and IT resources?

What is Identity Assurance?
- The set of capabilities and methodology that minimizes business risk associated with identity impersonation and inappropriate account use
- Extends user authentication from a single security measure to a continuous trust model
- Allows trusted identities to freely and securely interact with systems and access information
- Provides enterprises new ways to generate revenue, satisfy customers, and control costs

Identity Assurance Enables Ubiquitous Security
[Figure labels: Higher Risk, Lower Risk; Employees, Partners, Consumers; More Control over PCs, Less Control over PCs; Network Login, Workgroup solutions, Collaborative Forums, Social Networks, Information Portals, Super User Accounts, System Administrators, Remote Access (VPN), Online Business Banking, Online Retail Banking; More weight on Authentication Strength; Early Adopters of Strong Authentication; Greater Weight on TCO and Ease of Use]
*Source: Gartner, Inc. “WWWW.Authentication: Why? When? What? Who?” by Ant Allan, November, 2007

Why Focus on Identity Assurance?
- Identity assurance is the essential foundation for trusted business process
- Establishes trust by proving identities of the participants in a transaction
- “On the Internet, nobody knows you’re a dog”
- Identity Assurance is the essential foundation for other critical services
  - Access Management
  - Audit
  - Compliance
  - Personalization

The State of Identity Assurance
- Passwords still dominate, but continue to weaken
- The need for strong authentication continues to grow
- Increasing number of business processes moving online
- Employee mobility expanding – demand for anywhere anytime access to information
- Compliance and notification laws proliferate
- Phishing attacks have increased dramatically (see
- Amongst strong authentication solutions, Tokens continue to dominate in the enterprise
- Smart cards are getting more capable
- Biometrics are still getting press, and some large deployments
- Consumer-oriented strong authentication appears (e.g., E*Trade)
- Risk-based authentication emerges in consumer-facing markets
- New authenticators continue to appear

Enabling Identity Assurance
- According to the value and criticality of the data, application, identity or transaction
- For enterprises’ Workforce, Customers and Partners
- While striking the right balance among Risk, Cost and Convenience

Credential Management
- Identity Verification: Positively identify and authenticate users before credential issuance
- Identity and Credential Policy: Create and enforce policy for issuance, access and end user self-service
- Lifecycle management: Comprehensively manage credentials throughout their entire lifecycle

Identity Assurance
- A Range of Authentication Mechanisms: Assures identities' access to systems, information or transactions, based on risk
- Choice of Different Form Factors: Provides organizations choice to optimize across security, end user convenience while reducing total cost of ownership
- Delivery Platforms: Delivered as on premise software, an appliance or as a service (SaaS)

Contextual Authorization
- Access Control: Enforces access to corporate resources based on role, risk and business context.
- Step-Up Authentication: Enables “The right Authentication at the right time”, assuring security throughout the session.
- Federation: Provides and shares trusted identities across applications and corporate boundaries.

Intelligence
- Identity & Activity Verification
  - Monitors Identities and activities
  - Verifies credentials & prevents misuse
- Proactive Threat Protection
  - Detects and prevents credential theft
  - Alerts on emerging threats
- Real-time Information Sharing
  - Facilitates intelligence sharing
  - Enables enterprise collaboration

The Business Drivers for Identity Assurance

Enable Mobility
Trends:
- Globalization and mobility of the workforce
- Rise in unmanaged devices and locations for remote access
- Passwords alone have limited effectiveness
Solution:
- Secure and simplify remote access to network resources
- Authenticate authorized mobile users to corporate resources
- Enable business continuity in outage situations

Secure Access
Trends:
- Employees, partners, contractors & customers requiring access to sensitive corporate information
- Proliferation of new information portals
- Careless or negligent insiders put sensitive data at risk
Solution:
- Authenticate authorized users to access critical information on the network
- Provide secure access for the right people to the right applications to the right level of information through role-based authorization

Prevent Fraud
Trends:
- Identity theft and financial fraud are growing
- Enterprises need to inspire user confidence and encourage remote channel usage
Solutions:
- External Threat and Identity Theft Mitigation
- Multi factor Authentication and Fraud Detection
- Identity and transaction Verification

Compliance
Trends:
- Global compliance and regulatory environment is becoming increasingly complex
- Regulations are driving adoption of additional security measures
- Penalties for non-compliance are being enforced
Solutions:
- Multi factor Authentication and Fraud Detection
- Transaction Monitoring and Access enforcement
- Reporting and auditing

Ease of Use

Secure Enterprise Access Technology Solutions
It’s not one size fits all

On Demand Authentication
- Support for Short Messaging Service (SMS) / delivered OTP
- Minimal impact on end user

Information Risk Management
protecting your most critical assets
- Information-centric: Clarifies business context and reveals potential vulnerabilities
- Risk-based: Establishes a clear priority for making security investments
- Repeatable: Based on foundation of broadly applicable best practices and standard frameworks
[Diagram labels: Endpoint, Network, Apps/DB, FS/CMS, Storage; Risk]
Reveals where to invest, why to invest, and how security investments map to critical business objectives

Summary
- There will be continued pressure on organizations to put business processes online
- Hackers and thieves will continue to exploit vulnerable systems
- The emphasis on information security will increase as will regulations and laws
- Identity assurance should be considered as a piece of the overall security strategy
- No single authentication method is a perfect solution for all situations

Information-centric Security