Date posted: 01-Jan-2016
Uploaded by: materia-perrin
Identity Assurance
Emory University Security Conference
March 26, 2008
RSA Company Confidential
Revenue Growth, Compliance, Cost Reduction, Business Continuity, Customer Retention
Network, Endpoint, App / DB, Storage, FS/CMS
Risk
Security Incidents
Sensitive Information
What information is important to the business?
How do we mitigate risks associated with accessing the organization’s information and IT resources?
Identity Assurance - A Key Element of Information Risk Management
What is Identity Assurance?
The set of capabilities and methodology that minimizes business risk associated with identity impersonation and inappropriate account use
Extends user authentication from a single security measure to a continuous trust model
Allows trusted identities to freely and securely interact with systems and access information
Provides enterprises new ways to generate revenue, satisfy customers, and control costs
Identity Assurance Enables Ubiquitous Security
[Chart labels]
Higher Risk / Lower Risk
Employees: More Control over PCs
Partners, Consumers: Less Control over PCs
More weight on Authentication Strength
Early Adopters of Strong Authentication
Greater Weight on TCO and Ease of Use
Use cases shown: Super User Accounts, System Administrators, Remote Access (VPN), Online Business Banking, Online Retail Banking, Network Login, Workgroup solutions, Collaborative Forums, Social Networks, Information Portals
*Source: Gartner, Inc. “WWWW.Authentication: Why? When? What? Who?” by Ant Allan, November, 2007
Why Focus on Identity Assurance?
Identity assurance is the essential foundation for trusted business process
• Establishes trust by proving identities of the participants in a transaction
• “On the Internet, nobody knows you’re a dog”
Identity Assurance is the essential foundation for other critical services
• Access Management
• Audit
• Compliance
• Personalization
The State of Identity Assurance
Passwords still dominate, but continue to weaken
The need for strong authentication continues to grow
• Increasing number of business processes moving online
• Employee mobility expanding – demand for anywhere anytime access to information
• Compliance and notification laws proliferate
• Phishing attacks have increased dramatically (see www.antiphishing.org)
Amongst strong authentication solutions,
• Tokens continue to dominate in the enterprise
• Smart cards are getting more capable
• Biometrics are still getting press, and some large deployments
• Consumer-oriented strong authentication appears (e.g., E*Trade)
• Risk-based authentication emerges in consumer-facing markets
• New authenticators continue to appear
Enabling Identity Assurance
According to the value and criticality of the data, application, identity or transaction
For enterprises’ Workforce, Customers and Partners
While striking the right balance among Risk, Cost and Convenience
Credential Management
Identity Verification
• Positively identify and authenticate users before credential issuance
Identity and Credential Policy
• Create and enforce policy for issuance, access and end user self-service
Lifecycle management
• Comprehensively manage credentials throughout their entire lifecycle
Identity Assurance
A Range of Authentication Mechanisms
• Assures identities' access to systems, information or transactions, based on risk
Choice of Different Form Factors
• Provides organizations a choice to optimize across security and end user convenience while reducing total cost of ownership
Delivery Platforms
• Delivered as on premise software, an appliance or as a service (SaaS)
Contextual Authorization
Access Control
• Enforces access to corporate resources based on role, risk and business context.
Step-Up Authentication
• Enables “The right Authentication at the right time”, assuring security throughout the session.
Federation
• Provides and shares trusted identities across applications and corporate boundaries.
Intelligence
Identity & Activity Verification
• Monitors Identities and activities
• Verifies credentials & prevents misuse
Proactive Threat Protection
• Detects and prevents credential theft
• Alerts on emerging threats
Real-time Information Sharing
• Facilitates intelligence sharing
• Enables enterprise collaboration
The Business Drivers for Identity Assurance
Enable Mobility
Trends:
• Globalization and mobility of the workforce
• Rise in unmanaged devices and locations for remote access
• Passwords alone have limited effectiveness
Solution:
• Secure and simplify remote access to network resources
• Authenticate authorized mobile users to corporate resources
• Enable business continuity in outage situations
Secure Access
Trends:
• Employees, partners, contractors & customers requiring access to sensitive corporate information
• Proliferation of new information portals
• Careless or negligent insiders put sensitive data at risk
Solution:
• Authenticate authorized users to access critical information on the network
• Provide secure access for the right people to the right applications to the right level of information through role-based authorization
Prevent Fraud
Trends
• Identity theft and financial fraud are growing
• Enterprises need to inspire user confidence and encourage remote channel usage
Solutions
• External Threat and Identity Theft Mitigation
• Multi-factor Authentication and Fraud Detection
• Identity and transaction Verification
Compliance
Trends
• Global compliance and regulatory environment is becoming increasingly complex
• Regulations are driving adoption of additional security measures
• Penalties for non-compliance are being enforced
Solutions
• Multi-factor Authentication and Fraud Detection
• Transaction Monitoring and Access enforcement
• Reporting and auditing
Ease of Use
Secure Enterprise Access Technology Solutions
It’s not one size fits all
On Demand Authentication
Support for Short Messaging Service (SMS) / Email delivered OTP
Minimal impact on end user
Information Risk Management
protecting your most critical assets
Information-centric
• Clarifies business context and reveals potential vulnerabilities
Risk-based
• Establishes a clear priority for making security investments
Repeatable
• Based on foundation of broadly applicable best practices and standard frameworks
Endpoint, Network, Apps/DB, FS/CMS, Storage
Risk
Reveals where to invest, why to invest, and how security investments map to critical business objectives
Summary
There will be continued pressure on organizations to put business processes online
Hackers and thieves will continue to exploit vulnerable systems
The emphasis on information security will increase as will regulations and laws
Identity assurance should be considered as a piece of the overall security strategy
No single authentication method is a perfect solution for all situations
Information-centric Security