Identity Assurance

Date post: 01-Jan-2016
Upload: materia-perrin
Description:
Identity Assurance. Emory University Security Conference March 26, 2008. Revenue Growth. Cost Reduction. Customer Retention. Business Continuity. Compliance. HR Records-Card Holder Data-Health Records-Financial Results. Intellectual Property-Financial Transactions. - PowerPoint PPT Presentation
Transcript
Page 1: Identity Assurance

Identity Assurance

Emory University Security Conference

March 26, 2008

Page 2: Identity Assurance

RSA Company Confidential

Revenue Growth, Cost Reduction, Customer Retention, Business Continuity, Compliance

Network, Endpoint, App / DB, Storage, FS/CMS

Risk

Security Incidents

Sensitive Information

What information is important to the business?

How do we mitigate risks associated with accessing the organization’s information and IT resources?

Identity Assurance - A Key Element of Information Risk Management

Page 3: Identity Assurance

What is Identity Assurance?

The set of capabilities and methodology that minimizes business risk associated with identity impersonation and inappropriate account use

Extends user authentication from a single security measure to a continuous trust model

Allows trusted identities to freely and securely interact with systems and access information

Provides enterprises new ways to generate revenue, satisfy customers, and control costs

Page 4: Identity Assurance

Identity Assurance Enables Ubiquitous Security

Higher Risk

Lower Risk

Employees

More Control over PCs

Partners

Consumers

Less Control over PCs

Network Login

Workgroup solutions

Collaborative Forums

Social Networks

Information Portals

More weight on Authentication Strength

Early Adopters of Strong Authentication

Greater Weight on TCO and Ease of Use

Super User Accounts

*Source: Gartner, Inc. “WWWW.Authentication: Why? When? What? Who?” by Ant Allan, November, 2007

System Administrators

Remote Access (VPN)

Online Business Banking

Online Retail Banking

Page 5: Identity Assurance

Why Focus on Identity Assurance?

Identity assurance is the essential foundation for trusted business process

• Establishes trust by proving identities of the participants in a transaction

• “On the Internet, nobody knows you’re a dog”

Identity Assurance is the essential foundation for other critical services

• Access Management

• Audit

• Compliance

• Personalization

Page 6: Identity Assurance

The State of Identity Assurance

Passwords still dominate, but continue to weaken

The need for strong authentication continues to grow

• Increasing number of business processes moving online

• Employee mobility expanding – demand for anywhere anytime access to information

• Compliance and notification laws proliferate

• Phishing attacks have increased dramatically (see www.antiphishing.org)

Amongst strong authentication solutions,

• Tokens continue to dominate in the enterprise

• Smart cards are getting more capable

• Biometrics are still getting press, and some large deployments

• Consumer-oriented strong authentication appears (e.g., E*Trade)

• Risk-based authentication emerges in consumer-facing markets

• New authenticators continue to appear

Page 7: Identity Assurance

Enabling Identity Assurance

According to the value and criticality of the data, application, identity or transaction

For enterprises’ Workforce, Customers and Partners

While striking the right balance among Risk, Cost and Convenience

Page 8: Identity Assurance

Credential Management

Identity Verification

• Positively identify and authenticate users before credential issuance

Identity and Credential Policy

• Create and enforce policy for issuance, access and end user self-service

Lifecycle management

• Comprehensively manage credentials throughout their entire lifecycle

Page 9: Identity Assurance

Identity Assurance

A Range of Authentication Mechanisms

• Assures identities' access to systems, information or transactions, based on risk

Choice of Different Form Factors

• Provides organizations choice to optimize across security, end user convenience while reducing total cost of ownership

Delivery Platforms

• Delivered as on premise software, an appliance or as a service (SaaS)

Page 10: Identity Assurance

Contextual Authorization

Access Control

• Enforces access to corporate resources based on role, risk and business context.

Step-Up Authentication

• Enables “The right Authentication at the right time”, assuring security throughout the session.

Federation

• Provides and shares trusted identities across applications and corporate boundaries.

Page 11: Identity Assurance

Intelligence

Identity & Activity Verification

• Monitors Identities and activities

• Verifies credentials & prevents misuse

Proactive Threat Protection

• Detects and prevents credential theft

• Alerts on emerging threats

Real-time Information Sharing

• Facilitates intelligence sharing

• Enables enterprise collaboration

Page 12: Identity Assurance

The Business Drivers for Identity Assurance

Page 13: Identity Assurance

Enable Mobility

Trends:

• Globalization and mobility of the workforce

• Rise in unmanaged devices and locations for remote access

• Passwords alone have limited effectiveness

Solution:

• Secure and simplify remote access to network resources

• Authenticate authorized mobile users to corporate resources

• Enable business continuity in outage situations

Page 14: Identity Assurance

Secure Access

Trends:

• Employees, partners, contractors & customers requiring access to sensitive corporate information

• Proliferation of new information portals

• Careless or negligent insiders put sensitive data at risk

Solution:

• Authenticate authorized users to access critical information on the network

• Provide secure access for the right people to the right applications to the right level of information through role-based authorization

Page 15: Identity Assurance

Prevent Fraud

Trends

• Identity theft and financial fraud are growing

• Enterprises need to inspire user confidence and encourage remote channel usage

Solutions

• External Threat and Identity Theft Mitigation

• Multi factor Authentication and Fraud Detection

• Identity and transaction Verification

Page 16: Identity Assurance

Compliance

Trends

• Global compliance and regulatory environment is becoming increasingly complex

• Regulations are driving adoption of additional security measures

• Penalties for non-compliance are being enforced

Solutions

• Multi factor Authentication and Fraud Detection

• Transaction Monitoring and Access enforcement

• Reporting and auditing

Page 17: Identity Assurance

Ease of Use

Page 18: Identity Assurance

Secure Enterprise Access Technology Solutions

It’s not one size fits all

Page 19: Identity Assurance

On Demand Authentication

Support for Short Messaging Service (SMS) /Email delivered OTP

Minimal impact on end user

Page 20: Identity Assurance

Information Risk Management

protecting your most critical assets

Information-centric

Clarifies business context and reveals potential vulnerabilities

Risk-based

Establishes a clear priority for making security investments

Repeatable

Based on foundation of broadly applicable best practices and standard frameworks

Endpoint Network Apps/DB FS/CMS Storage

Risk

Reveals where to invest, why to invest, and how security investments map to critical business objectives

Page 21: Identity Assurance

Summary

There will be continued pressure on organizations to put business processes online

Hackers and thieves will continue to exploit vulnerable systems

The emphasis on information security will increase as will regulations and laws

Identity assurance should be considered as a piece of the overall security strategy

No single authentication method is a perfect solution for all situations

Page 22: Identity Assurance

Information-centric Security

