
Securing Electronic Commerce: Identification & Authentication. Douglas Graham, UK Channel Technical Manager, Security Dynamics Technologies, Inc.




4 Security Dynamics Technologies Inc.
– 3 million users of SecurID
– 3,000 companies
– 9,000 installations
– 300 million copies installed & in use worldwide
– 110,000 BoKS users
– Major OEM relationships
Security Dynamics / RSA: 2,000 companies, 250+ of the Fortune 500

5 Key Business Trends
– Enhanced outreach and collaboration with employees, customers, partners, distributors and suppliers
– Emergence of the “virtual enterprise”
– “Market of One” interactive customer relationship
– eBusiness is no longer a competitive advantage, it is a necessity

6 Key Technology Trends: moving rapidly to the Internet-enabled enterprise
– Rapid deployment of intranets and extranets
– New generation of inexpensive, high-speed, IP-ready network capacity coming online
– Broad adoption and continued evolution of mission-critical ERP applications
– Continued outsourcing of network transport, Web hosting and application deployment

7 Key Security Trends: enterprise security is the key enabler for eBusiness
– Enterprises supplementing perimeter defense with protection of applications and information
– Increasing requirements for user authentication, authorization and intrusion monitoring and detection
– PKI emerging as a common architectural foundation for multiple security applications
– Security decisions driven by line-of-business needs

8 What is Electronic Commerce?
– Electronic Commerce is the temporary extension of a computer network over a public or private connection to facilitate business transactions.
  – PSTN, ISDN, Internet
– Can be used by individual users or to connect two or more networks together.
  – Notebook dial-in for email, small office to HQ connection

9 Remote Access (diagram): a Mobile User connects to the Head Office across a Public Network.

10 Electronic Commerce Applications
– Home Banking
– Quick, easy access to corporate information and services
– Sharing information between Business Partners & Customers
– Telecommuters (home working), Day Extenders
– IT Support Staff

11 Remote Access Benefits
– Productivity
– Cost Savings
– Easy Information Access
– High Availability of Information
– Competitive Advantage

12 Remote Access Growth [Chart: remote access users, 1997 to 2000, reaching 56 million in the US. Source: Giga, September 1997]

13 W. European e*Commerce, 1996-2001 [Chart: commerce revenue per year ($Million), Business and Consumer series, 1996 to 2001, CAGR = 137%. Source: IDC, July ‘97]

14 What are the risks?
– Protecting the network and data from abuse by authorised users
– Protecting the network and data from abuse by unauthorised users
– Data Privacy
– Data Confidentiality
– Complexity of service operation and delivery

15 Attacks from Inside & Out [Chart: reported security breaches as a percentage of respondents, comparing unauthorized access by employees with system penetration from outside. Source: 1998 CSI/FBI Computer Crime and Security Survey]

16 Cost of Security Breaches [Chart: average loss ($000) per reported security breach for financial fraud, theft of proprietary information and unauthorized access by employees. Source: 1998 CSI/FBI Computer Crime and Security Survey]

17 “Casual Intruder - Disgruntled Employee”
– Shoulder surfing co-workers
– Finding written password
  – Post-It Notes
  – DayTimer
– Guessing password
  – “password”
  – Spouse/Dog/Kid’s name
  – Username

18 “Serious Hacker”
– All of the “casual” approaches
– “Social engineering”
– Password cracking
  – “Crack”
  – “L0phtCrack”
  – “Cracker Jack”
– Network sniffing

19 Passwords Are Not Secure
– Tools for defeating passwords abound
– Compromise is not detectable
– Passwords can be snooped off the Net
– Passwords & files are diverted off desktops or servers
– Password-protected credentials are compromised off-line

20 “Privacy” is NOT “Security” (diagram: an encrypted tunnel through a public network; who’s at the other end of the line?)

21 Identification & Authentication
– Identification: Who are you? ... “John Smith”
– Authentication: ... prove that you are John Smith

22 Identification / Authentication (diagram): Prove It!

23 Methods of User Authentication
– Something you know
  – Password, PIN, “mother’s maiden name”
– Something you have
  – magnetic card, smart card, token, physical key
– Something unique about you
  – Finger print, voice, retina, iris
(Illustrations: a PIN “1059”; a bank card numbered 1234 5678 9010)

24 Two Factor “Strong” Authentication (diagram): token + PIN

25 One Time Passcode
– SecurID Passcodes can only be used ONCE!
– Shoulder Surfing and Snoop will NOT work!
(Animation: sample passcodes 345656, 879845 and 568787 are submitted, with outcomes Passcode Accepted, Access Denied, Already Used and Locked)

26 Traditional Authentication Options (diagram: options placed on a Level of Security scale)
– Passwords: Identification & Weakest Authentication
– Software Token: Identification & Weak Authentication
– Hardware Token: Identification & Strong User Authentication

27 New Authentication Options (diagram: the same Level of Security scale, from Identification & Weakest Authentication to Identification & Strong User Authentication)
– Passwords
– Software Token
– Hardware Token
– Biometric
– Digital Certificate
– Smart Card

28 Secure Remote Access: let’s look at reducing the risks and complexity

29 Remote Access Complexity (diagram)

30 The Internet Simplifies Remote Access (diagram: global access delivered by an ISP over the Internet)

31 Reducing The Risks?
– The Internet is a collection of unsecured networks!
– Strong Authentication and Encryption can provide a solution
– New Technology
  – VPN

32 What is a VPN?
– VPN - “Virtual Private Network”
– Transport encrypted information via the Internet and public networks
– Offer benefits of a private network using “free” Internet infrastructure
– Encryption means privacy, not security
– A VPN can be owned and run locally, or delivered as a service from a Telco or ISP

33 Creating a Secure VPN (diagram: the remote user reaches a Firewall or RAS server over the Internet, which checks the passcode against the ACE/Server)
– Request Connection
– Request Passcode
– User forms the Passcode: PIN + token
– Send Passcode
– ACE/Server verifies the Passcode
– Send Session Key
– Secure VPN established
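The one-time-use rule of the One Time Passcode slide and the passcode check the ACE/Server performs in the diagram above, as an added example that is not from the presentation or from Security Dynamics’ product: a small server-side verifier that accepts PIN + tokencode once per time interval, reports a replayed code as already used, and locks the user after repeated failures. The HMAC-based tokencode, the 60-second step, the clock-drift window and the three-strikes lockout are assumptions, not the SecurID algorithm or ACE/Server policy.

```python
import hashlib
import hmac
import time
from typing import Optional

MAX_FAILURES = 3   # consecutive bad attempts before the user is locked (assumed policy)
TIME_STEP = 60     # seconds per code interval (assumed; not the SecurID schedule)
DRIFT = 1          # intervals of clock skew tolerated on either side of "now"


def tokencode(secret: bytes, interval: int) -> str:
    """Code the token would display for one interval: HMAC of the interval, cut to 6 digits.
    Constructed illustration only; it is not the SecurID token algorithm."""
    digest = hmac.new(secret, interval.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


class PasscodeVerifier:
    """Server-side role (the ACE/Server in the diagram): accept PIN + tokencode once only."""

    def __init__(self, users: dict):
        self.users = users      # username -> (PIN, token secret); constructed sample data
        self.used = set()       # (username, interval) pairs whose passcode was already accepted
        self.failures = {}      # username -> consecutive failed attempts
        self.locked = set()

    def _fail(self, user: str, reason: str) -> str:
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= MAX_FAILURES:
            self.locked.add(user)
            return "Locked"
        return reason

    def verify(self, user: str, passcode: str, now: Optional[float] = None) -> str:
        if user in self.locked:
            return "Locked"
        if user not in self.users:
            return "Access Denied"
        pin, secret = self.users[user]
        interval = int((time.time() if now is None else now) // TIME_STEP)
        for i in range(interval - DRIFT, interval + DRIFT + 1):
            expected = (pin + tokencode(secret, i)).encode()
            if hmac.compare_digest(passcode.encode(), expected):
                if (user, i) in self.used:
                    # Replay of an accepted code: what a shoulder surfer or sniffer would send
                    return self._fail(user, "Already Used")
                self.used.add((user, i))
                self.failures[user] = 0
                return "Passcode Accepted"
        return self._fail(user, "Access Denied")
```

The replay check is what makes a snooped passcode worthless: the same PIN + code that was accepted a moment ago is refused, and repeated refusals lock the account so the helpdesk sees the event.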

34 Internet VPNs Reduce Cost and Complexity
– Reduce leased line costs and dial access charges
– Reduce user support
– Simplify remote access architecture
– Reduce help desk services
– Allow tracking / billing for usage
– Reduce equipment costs for remote access

35 Increased Use of Authenticators [Chart: users 1996 to 2000 by access type: Internet users (177% CAGR), VAN users (132% CAGR), Dial-in users (52% CAGR). Source: Giga est., Sept. 1997]

36 VPNs Offer Estimated 60% Cost Savings [Chart: Remote Access Cost Comparisons for 2000 Remote Users ($000’s), Traditional Remote Access vs Internet Remote Access, broken down into User Support, Phone/ISP Charges, Routers/Servers and T1 Lines. Source: Forrester Research 7/97]

37 Secure Web Applications: using the WWW to share sensitive information
– Home Banking
– Business to Business Communication
– Price Lists to Partners
– Human Resources
– Product Support and Updates

38 Secure Web Authentication & Privacy
– Issues similar to Remote Access
  – User Identification & Authentication: passwords are not enough!
  – Data Privacy during connection: prevent snooping
  – Granular Access: grant access rights based upon service level

39 Web Applications Security (screenshots: SecurWorld / SecurCare reseller and customer web logins and SecurWorld Online, each prompting for a Passcode)

40 What about Certificates for Authentication?
– A Digital Certificate is a unique electronic identifier (complex password) associated with a user
– Browsers use certificates widely for establishing a level of authentication
– More and more applications will use certificates
  – Email, SSSO, E-commerce
– A user’s certificate can be used to check a Digital Signature - a unique electronic signature associated with the owner of the certificate
  – essential for non-repudiation of messages and transactions

41 How can we be sure of a Certificate?
– A certificate is usually ‘signed for’ electronically by a Trusted Third Party, e.g. Verisign
  – i.e. two companies trust the integrity of a certificate issued by a jointly trusted external organisation
– Today most Certificates are stored electronically on servers (e.g. LDAP)
  – So how can we be sure that the person who is using a certificate is who they say they are?
– We cannot, unless they use Strong Authentication!

42 Smartcards for Security
– Benefits
  – Two Factor ‘Strong Authentication’
  – Secure storage of Private Credentials
  – Building Access
  – Photograph
  – Other Applications
– Downside
  – Readers
  – Infrastructure

43 Soft Smartcards
– Host-based secure electronic ‘wallets’ (or files) that contain a user’s security credentials
– Downloaded to the user on successful authentication
– Two Factor Authentication to access the Soft Smartcard
– Excellent transitional solution to help companies migrate to smartcards for network access
– Available today

44 Soft Smartcards for Secure Applications Access (diagram)
– User dials in, holding token + PIN
– Request for Passcode
– User sends Passcode
– Server authenticates the user and the credentials are downloaded

45 Summary
– Local and Global Electronic Commerce can
  – increase productivity and communication
  – reduce costs of doing business
  – deliver competitive advantage
– Suffers from risk of abuse and fraud if not prudently secured
– User Authentication, Encryption of traffic and use of Certificates can deliver very secure applications including E-Commerce
