Date posted: 17-Apr-2018
Scorecard for Authentication Technologies
Dow A. Williamson, Market Development Manager - Government Operations
“The Most Trusted Name in e-Security”

Authentication Scorecard (agenda)
- Why Focus on Authentication?
- What are the Requirements for Authentication?
- What is the State of Authentication Technology?
- What is the Authentication Scorecard?

Understanding The Problem: No Single Technology Solves ALL The Problems
[Diagram: the United States Nuclear TRIAD - Intercontinental Ballistic Missile (Peacekeeper), Bomber (B2), Ballistic Missile Submarine (USS Maine)]

Understanding The Problem Leads to an Effective Solution
[Diagram: three areas - Public Key Infrastructure, Authentication Systems, Encryption Technology]
- E-Security requires solutions in three key areas
  - Authentication for binding the user to the digital identity
  - Encryption for binding the digital identity to the data and transactions
  - PKI to provide a managed service to reduce operational costs

Why Focus on Authentication?
- Authentication is the essential foundation for e-government
  - Establishes trust by proving identities of the participants in a transaction
- Authentication is the foundation for other important security services
  - Authorization
  - Audit
[Cartoon caption: “On the Internet, no one knows you’re a dog!”]

e-Security for e-Government … Authentication: A Piece of the Puzzle
| e-Government Requirements | e-Security Services | e-Security Technologies |
| Prove identities (establish trust) | Authentication, Strong Authentication | UserID/Password, Kerberos/DCE, Hardware Tokens, Software Tokens, Digital Certificates (PKI), Biometrics |
| Protect communications | Data Privacy, Data Integrity | Encryption |
| Sign transactions | Non-Repudiation | Digital Signatures (e.g., PKI, Encryption) |

Authentication Market Drivers
Source: RSAS, adapted from Frost & Sullivan “US Network Authentication Markets”
- Expanding access
  - Increasing numbers of mobile workers
  - Increasing numbers of telecommuters
  - Extension of the enterprise network to third parties
  - Increasing network size and complexity
  - Need for portable credentials
- “Willy Sutton effect”
  - Increase in sensitive information on intranets
  - High levels of internal compromise/theft
  - Growing security awareness in enterprise accounts
- The problem w/ passwords
  - Passwords provide weak security
  - Unmanageability of multiple passwords

Authentication Market Inhibitors
Source: RSAS, adapted from Frost & Sullivan “US Network Authentication Markets”
- Costs
  - Perception of high deployment costs
  - Perception of additional administrative burden
  - Lack of installed base of smart card readers
  - Concern over lost / forgotten / broken tokens or smart cards
- Deployability
  - Concern over scalability
  - Interoperability with current systems
  - Short-term focus on Y2K initiatives
- Business Justification
  - Lack of security awareness
  - Difficulty in quantifying ROI

Market Forecast: Authentication Technologies
[Chart: Revenue ($M), $0 to $4,000, by year 1995-2005, for Biometrics, Software Tokens, Hardware Tokens and Digital Certificates, with a “TODAY” marker]
Source: Frost and Sullivan, US Authentication Market

Authentication Scorecard: What are the Requirements for Authentication?
IATF AuthenticationIATF AuthenticationRequirementsRequirements
iIATF Chapter 6 - “Defend theEnclave Boundary/ExternalConnections”iFocus on “effective control”
iFirewalls
iGuards
iVirtual Private Networks (VPNs)
iIdentification & Authentication
iFocus on “effective monitoring”iIntrusion Detection Systems (IDS)
iVulnerability Scanners
iVirus Detection

Authentication Maps to the “Defense in Depth Overview”
[Diagram: DIAP Planning Documents; Defense-in-Depth; Specifications for the Detect and React Elements; Detect and React Elements: Situation Awareness & Response, Host-Based Monitoring, Network-Based Monitoring; Specifications for the Protect Elements; Protect Elements: Protection of WANs, Security-Enabled Applications, KMI Services, Securable Host Computer Operating Systems, Protection of Enclave Boundaries]
Defense in Depth Overview, Figure 2, “Technical Elements of the Defense-in-Depth Strategy”

What Our Government and Commercial Customers Require
- The ability to strongly authenticate…
  - e-Government/e-Business: protect mission-critical applications, databases, files or web sites, while enabling the sharing of highly valuable information
  - Local Networks: provide local network login protection and authenticate users to critical network operating systems (e.g., Mainframe, workstation, and PC)
  - Remote Access: ensure only authorized remote users can access information resources via direct dial-in systems or Internet-based connections via VPN/Firewalls
“Protection for Network Access (PNA) addresses the requirement for authorized Local Area Network (LAN) users and administrators, and individual workstation/personal-computer users, to be able to safely access and to be safely accessed by untrusted (potentially hostile) network connections.” Source: IATF, Section 6.1

Strong Authentication: “Two or More Factors”
- Something you know
  - Password
  - PIN
  - “Mother’s maiden name”
- Something you have
  - Physical key
  - Token
  - Magnetic card
  - Smart card
- Something you are
  - Fingerprint
  - Voice
  - Retina
  - Iris

Defense Information Infrastructure-wide (DII-wide) Strong Authentication
[Diagram: DII Access to JWICS/SIPRNET/NIPRNET, Mainframe, Wintel and Unix applications & resources. Dial-Up Access arrives through a RAS running an RSA Agent; Internet Access arrives through a VPN or Firewall running an RSA Agent, or through a Web Server / Web Application; every path is authenticated against the RSA ACE/Server]

Authentication Scorecard: What is the State of Authentication Technology?

Authentication Technologies Under Re-evaluation
- Most significant authentication issues
  - Password maintenance: 20%-50% of Help Desk calls
  - Password security
  - Password cost: average $80 per Help Desk call
[Chart: “What applications are causing you to re-evaluate your authentication strategy?” - bars for e-Commerce, Partner Extranet, Employee Remote Access, Internal Network/Application Login; values as extracted: 58%, 48%, 38%, 78%. DII Context column: Coalition Partner WANs, e-Government, TDYs/Deployments, JWICS/SIPRNET/NIPRNET DII]
Source: Forrester Research, “A Digital Certificate Road Map”

Authentication Status Quo: Employees
[Bar chart, 1999, 0%-100% axis, share of employees authenticated by Passwords, Tokens, Smart Cards, Certificates, Biometrics, Other; values as extracted: 98%, 8%, 4%, 2%, 0%, 0%, with Passwords at 98%]
Source: Forrester Research, “A Digital Certificate Road Map”

Authentication Status Quo: Partners
[Bar chart, 1999, 0%-100% axis, share of partners authenticated by Passwords, Tokens, Smart Cards, Certificates, Biometrics, Other; values as extracted: 64%, 4%, 18%, 22%, 0%, 10%, with Passwords at 64%]
Source: Forrester Research, “A Digital Certificate Road Map”

Authentication Status Quo: Customers
[Bar chart, 1999, 0%-100% axis, share of customers authenticated by Passwords, Tokens, Smart Cards, Certificates, Biometrics, Other; values as extracted: 72%, 2%, 12%, 6%, 0%, 6%, with Passwords at 72%]
Source: Forrester Research, “A Digital Certificate Road Map”

The Problem with Passwords (I)
- Shoulder-surfing coworkers
- Finding written passwords
  - Post-It notes
  - Day-Timer
- Guessing passwords
  - “password”, “secret”
  - Spouse/dog/kid’s name
  - Username

The Problem with Passwords (II)
- “Social engineering”
- Password cracking tools
  - “Crack”
  - “L0phtCrack”
  - “Cracker Jack”
- Network sniffing
- All of the “casual” approaches

The Problem with Passwords (III)
- Passwords are surprisingly expensive
  - 20 - 50% of Help Desk calls are password related
  - Help Desk calls cost an average of $80 each
  - Lost user productivity from lack of network access
- Exposure to loss from password breaches far greater than Help Desk costs
- Security fears keep organizations from pursuing new e-government opportunities

Strong Authentication In Use Today with DII Components
- 7+ million users at 4500+ companies
- 150+ strong authentication-ready COTS products from 100+ vendors
  - Firewalls/RAS
  - VPNs
  - Operating Systems
- Scalable to 100,000s of users
- Broad range of form factors
[Figure: IATF, Figure 6-1, “Defend the Enclave Boundary/External Connections”]

U.S. Government Strong Authentication Users
- Executive
  - Office of the President of the United States
  - Every Cabinet Department
  - Several Independent Agencies and Commissions
- Legislative
  - United States House of Representatives
  - United States Senate
- Judicial
  - United States Supreme Court
  - United States Court of Appeals
  - United States Federal Courts

State-Of-The-Art: Time-Synchronous Tokens
[Diagram: on the hardware or software token, Seed + Time -> Algorithm -> 482392; on the access server, Seed + Time -> Algorithm -> 482392. Same Seed, Same Time, so both sides derive the same code]
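An added illustration of the exchange in the diagram, not RSA's own SecurID algorithm (the slide does not disclose one): a hypothetical time-synchronous token built from HMAC-SHA256 over the shared seed and the current time step, with the access-server check that tolerates a step of clock drift and refuses a code that has already been accepted. The 60-second step, six-digit code, one-step drift window and the demo seed are all assumed values.

```python
import hashlib
import hmac
import struct

# Hypothetical time-synchronous token, written for this page as an illustration.
# It is NOT RSA's SecurID algorithm (the slide does not disclose one): the
# "Algorithm" box is replaced by HMAC-SHA256 over (seed, time step), and the
# step length, code length and drift window below are assumed values.
STEP_SECONDS = 60   # how long one displayed code stays valid
CODE_DIGITS = 6     # the slide shows a six-digit code (482392)
DRIFT_STEPS = 1     # steps of clock skew the access server tolerates


def token_code(seed: bytes, unix_time: int) -> str:
    """Code the token (or the access server) derives for a point in time.

    Both sides hold the same secret seed and compute the same time step,
    so they arrive at the same code: "Same Seed, Same Time" on the slide."""
    step = unix_time // STEP_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", step), hashlib.sha256).digest()
    # Dynamic truncation: low nibble of the last byte picks where to read 31 bits.
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


def server_verify(seed: bytes, submitted: str, server_time: int,
                  used_steps: set) -> bool:
    """Access-server side of the exchange.

    Accepts the code for the current step or for DRIFT_STEPS steps on either
    side (a token's clock drifts a little), and refuses any step whose code
    was already accepted, so a code captured in transit cannot be replayed
    within its validity window (the "negates replay attacks" point later on).
    """
    current = server_time // STEP_SECONDS
    for step in range(current - DRIFT_STEPS, current + DRIFT_STEPS + 1):
        if step in used_steps:
            continue
        expected = token_code(seed, step * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            used_steps.add(step)
            return True
    return False


def demo() -> dict:
    """Constructed run with a fixed clock so the outcome is repeatable."""
    seed = b"constructed-demo-seed-not-a-real-token-record"  # constructed, not a real seed record
    now = 1_000_000_000
    code = token_code(seed, now)          # what the token displays right now
    used: set = set()
    return {
        "in_sync": server_verify(seed, code, now, used),                        # same seed, same time
        "skewed": server_verify(seed, token_code(seed, now + 60), now, set()),  # one step ahead, inside window
        "replayed": server_verify(seed, code, now + 5, used),                   # same code again, refused
        "stale": server_verify(seed, token_code(seed, now - 180), now, set()),  # three steps old, outside window
    }
```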

State-Of-The-Art: Digital Certificates
[Diagram: Public Key, Certificate Authority, Private Key, alongside a sample certificate]
Serial Number: 6cb0dad0137a5fa79888f
Validity: Nov.08,1997 - Nov.08,1998
Subject / Name / Organization:
  Locality = Internet
  Organization = VeriSign, Inc.
  Organizational Unit = VeriSign Class 2 CA - Individual Subscriber
  Organizational Unit = www.verisign.com/repository/CPS Incorp. by Ref.,LIAB.LTD(c)96
  Organizational Unit = Digital ID Class 2 - Netscape
  Common Name = Keith H Erskine
  Email Address = [email protected]
  Address = 160 Boston Rd Chelmsford
Status: Valid
Public Key: ie86502hhd009dkias736ed55ewfgk98dszbcvcqm85k309nviidywtoofkkr2834kl
Signed By: VeriSign, Inc.: kdiowurei495729hshsg0925h309afhwe09721h481903207akndnxnzkjoaioeru10591328y5

Digital Certificates: How Secure is the Private Key?
| | Where is it stored? | How is the store protected? |
| Software | Hard Drive | Nothing, or Password |
| Authenticator of Choice | Smart Card | PIN |

State-Of-The-Art: Multi-Application Smart Cards
- Highest security
  - On-card digital signatures
- Supports latest application features
  - Dual keys and certificates
- Mobility
  - Credential store on-card with keys, certificates, network login information, and software token seed record
- Versatile
  - Supports PKI applications and traditional token-protected systems
  - Magnetic stripe for physical access
  - Personalization for employee identification

State-Of-The-Art: Biometrics
- Biometric authentication depends on something unique about you personally
  - Fingerprints
  - Iris pattern
  - Voiceprint
  - Faceprint
  - Retinal Pattern
- A pattern of the physical characteristic is recorded in advance
- The physical characteristic is re-read at the time of authentication
- The read characteristic is compared with the stored version
- If the match is good enough, the access is granted

Confusing Market Messages
- Industry Analyst
  - “Use proprietary random PIN tokens only where they are already deployed or are urgently needed in the next 6-9 months.”
  - “Expensive.”
  - “Smart cards … can do more at a lower cost.”
- Industry Analyst (4 months later)
  - “Implementing certificate-based solutions is complex and costly at this time, and will take 12 - 24 months to be widely deployed. Consider other mechanisms for authentication such as ... proprietary tokens in the interim.”
A consistent framework for comparison is needed!

Authentication Scorecard: What is the Authentication Scorecard?

Authentication Scorecard: Why??
- Companies are reevaluating authentication strategies
- Several authentication technologies are available
  - How to objectively position alternatives?
  - How to objectively choose the most appropriate?
  - How to objectively allocate investments?
- Market buzz ≠ Market reality, e.g.,
  - Biometrics gets a hugely disproportionate share of press coverage relative to actual deployment
  - “Year of the PKI”: 1997 1998 1999 2000
  - “Tokens are Dead” vs “Long Live Tokens”

Authentication Scorecard: Methodology
- Select key authentication technologies for evaluation
- Establish consistent evaluation criteria
- For each authentication technology, assign a value (scale of 1-10) for each evaluation criterion
- Weight the evaluation criteria according to their relative importance for a particular application or environment
- Compare results

Authentication Scorecard: Technologies Considered
- UserID / Password (baseline)
  - Near-universal use
  - Growing awareness of inadequacy
  - Growing problems with scale
- Two-factor authentication (Time-Synchronous Tokens)
  - Hardware (multiple form factors)
  - Software (multiple platforms)
- Digital certificates (standalone)
  - PKI
- Two-factor authentication (use with certificates)
  - Smart cards
  - Biometrics
  - Tokens

Authentication Scorecard: Evaluation Criteria (I)
- Interoperability: Does the authentication method work natively with multiple products, or does it work only if all parties install additional software on their desktops or servers?
- Back-end integration: How easy is it to integrate into the access control mechanisms of the back-end resources or applications?
- Portability: How portable is the authentication method? Can it be used to gain access from multiple systems?
- Scale/Robustness: Does the authentication solution scale to the degree required now? Three years from now?
Source: RSAS, adapted from Giga Information Group, “The Hows and Whys of Online Authentication”

Authentication Scorecard: Evaluation Criteria (II)
- Ease of deployment: How easy is it to deploy the technology? This includes the distribution of any necessary hardware or software; ease of installation; ease of configuration; etc.
- Ease of adoption / Ease of use: How easy is it for end-users to learn how to use the authentication method? How convenient is it for end-users to use the authentication method, day in and day out?
- Multi-Purpose: Can the authentication method be used for more than one purpose? E.g., physical access, network access, application access, digital signature, etc.
Source: RSAS, adapted from Giga Information Group, “The Hows and Whys of Online Authentication”

Authentication Scorecard: Evaluation Criteria (III)
- Initial costs: What are the initial acquisition and deployment costs? This may include additional hardware, software, servers, readers, services, etc. associated with acquiring and deploying the authentication solution.
- Operating costs: What are the ongoing operating costs? This may include costs for replacement (e.g., expired / lost / stolen / broken) authentication mechanisms; ongoing management; upgrades; support; help desk; etc.
- Relative strength: How strong is the authentication? Is it adequate for the information being protected? Does it meet regulatory requirements (if any) for the protection of information?
Source: RSAS, adapted from Giga Information Group, “The Hows and Whys of Online Authentication”

Authentication Scorecard: Example
[Bar chart: Weighted Score (0-10), axis 4.0 to 7.0, by Authentication Mechanism - UserID/Password, Hardware Tokens, Software Tokens, Digital Certificates, Smart Cards + Certificates, Biometrics + Certificates]
Source: RSAS, adapted from Giga Information Group, “The Hows and Whys of Online Authentication”

Authentication Scorecard
| Evaluation Criteria | Weight | UserID/Password | Hardware Tokens | Software Tokens | Digital Certificates | Smart Cards + Certificates | Biometrics + Certificates |
| Interoperability | 10.0% | 8 | 3 | 3 | 4 | 4 | 2 |
| Back-end Integration | 10.0% | 7 | 8 | 8 | 5 | 5 | 3 |
| Portability | 5.0% | 9 | 8 | 2 | 4 | 6 | 6 |
| Multi-Purpose | 5.0% | 2 | 5 | 5 | 5 | 9 | 5 |
| Scale/Robustness | 10.0% | 4 | 7 | 7 | 7 | 7 | 3 |
| Ease of Use | 10.0% | 4 | 6 | 6 | 8 | 9 | 7 |
| Ease of Deployment | 10.0% | 9 | 7 | 6 | 6 | 4 | 3 |
| Initial Costs | 10.0% | 8 | 6 | 7 | 6 | 3 | 3 |
| Operating Costs | 15.0% | 3 | 8 | 7 | 6 | 5 | 7 |
| Relative Strength | 15.0% | 4 | 8 | 8 | 5 | 8 | 8 |
| Weighted Score | 100.0% | 5.60 | 6.75 | 6.30 | 5.70 | 5.90 | 4.90 |
Source: RSAS, adapted from Giga Information Group, “The Hows and Whys of Online Authentication”

Authentication Scorecard: Example
- Make your own evaluation - Interactive Authentication Scorecard
  - Visit the RSA booth at the Conference
  - Visit the RSA Web site
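A worked implementation of the scorecard methodology, added here and not part of the original deck or RSA's interactive scorecard: it reproduces the example table's weighted scores from the listed weights and 1-10 scores, rejects weightings that do not total 100%, and re-ranks the technologies under a constructed alternative weighting (an assumed remote-access environment) to show how the ranking moves when the weights change.

```python
# Added worked example of the scorecard methodology on this page. CRITERIA,
# EXAMPLE_WEIGHTS and SCORES are copied from the example table; the
# remote-access weighting below is a constructed assumption used only to
# show how re-weighting for an environment changes the ranking.
CRITERIA = ["Interoperability", "Back-end Integration", "Portability", "Multi-Purpose",
            "Scale/Robustness", "Ease of Use", "Ease of Deployment", "Initial Costs",
            "Operating Costs", "Relative Strength"]

# Weights from the example scorecard, in percent (must total 100).
EXAMPLE_WEIGHTS = {
    "Interoperability": 10, "Back-end Integration": 10, "Portability": 5,
    "Multi-Purpose": 5, "Scale/Robustness": 10, "Ease of Use": 10,
    "Ease of Deployment": 10, "Initial Costs": 10, "Operating Costs": 15,
    "Relative Strength": 15,
}

# Scores (1-10) per technology, in CRITERIA order, from the example table.
SCORES = {
    "UserID/Password":            [8, 7, 9, 2, 4, 4, 9, 8, 3, 4],
    "Hardware Tokens":            [3, 8, 8, 5, 7, 6, 7, 6, 8, 8],
    "Software Tokens":            [3, 8, 2, 5, 7, 6, 6, 7, 7, 8],
    "Digital Certificates":       [4, 5, 4, 5, 7, 8, 6, 6, 6, 5],
    "Smart Cards + Certificates": [4, 5, 6, 9, 7, 9, 4, 3, 5, 8],
    "Biometrics + Certificates":  [2, 3, 6, 5, 3, 7, 3, 3, 7, 8],
}


def weighted_scores(weights, scores=SCORES):
    """Weighted score (0-10) per technology: sum(weight% * score) / 100.

    Rejects weightings that do not cover every criterion and total 100%, and
    scores outside 1-10: either silently makes scorecards incomparable."""
    if set(weights) != set(CRITERIA) or sum(weights.values()) != 100:
        raise ValueError("weights must cover every criterion and total 100%")
    result = {}
    for tech, row in scores.items():
        if len(row) != len(CRITERIA) or any(not 1 <= s <= 10 for s in row):
            raise ValueError(f"{tech}: need one 1-10 score per criterion")
        total = sum(weights[c] * s for c, s in zip(CRITERIA, row))
        result[tech] = round(total / 100, 2)
    return result


def ranking(weights, scores=SCORES):
    """Technologies ordered best-first under the given weighting."""
    ws = weighted_scores(weights, scores)
    return sorted(ws, key=lambda t: ws[t], reverse=True)


# Constructed alternative weighting (assumption, not from the deck): a remote-
# access rollout where strength, operating cost and portability dominate and
# in-house integration, interoperability and deployment effort matter less.
REMOTE_ACCESS_WEIGHTS = dict(EXAMPLE_WEIGHTS, **{
    "Relative Strength": 25, "Operating Costs": 20, "Portability": 10,
    "Interoperability": 5, "Back-end Integration": 5, "Ease of Deployment": 5,
    "Multi-Purpose": 0,
})
```

Under the constructed weighting the password baseline drops from fifth to last while Biometrics + Certificates rises above it, which is the deck's point that the weights, not the raw scores, encode the environment.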

Scorecard: UserID/Password
- Pros
  - Easy to use
  - Platform/hardware independent
  - No acquisition cost
  - Interoperable
  - Minimal end-user training
- Cons
  - Weak security
    - Static value - can be intercepted, guessed, spoofed, cracked
    - Most are poorly chosen
  - High operating costs
    - Help Desk for forgotten passwords
  - End-user aggravation
    - Inconsistent formats between applications
    - Hard to remember if frequently changed

Scorecard: Hardware Tokens
- Pros
  - Strong security
    - Two-factor
    - Dynamic value; difficult to hack or predict; negates replay attacks
  - Platform-independent
  - Portable
  - No desktop software required
  - High interoperability
  - No password administration
- Cons
  - End-user training required
  - Acquisition and deployment cost
  - Replacement cost for lost, stolen or expired tokens
  - Single-purpose device
    - Cannot be used as ID badge or for physical access

Scorecard: Software Tokens
- Pros
  - Low acquisition cost
  - Strong security
    - Mechanisms to bind token to specific machine
  - High interoperability
  - End-user does not have to carry separate device
- Cons
  - Need to install software on desktop
  - Platform-dependent
  - Not portable

Scorecard: Digital Certificates
- Pros
  - Low acquisition cost
  - Support for Web-based applications
  - Multiple use
    - SSL, S/MIME, IPSec
    - Digital signature
  - Scalability
- Cons
  - Medium security
    - Private key often unprotected, or protected by password
    - No copy protection
  - Limited certificate-enabled applications
  - High administrative costs
  - Complex to deploy

Scorecard: Smart Cards + Certificates
- Pros
  - Multi-purpose
    - ID badge
    - Physical security
  - Strong security
    - Two-factor
  - Easy end-user adoption
- Cons
  - High acquisition cost
  - Limited certificate-enabled applications
  - Need to deploy hardware and software to each user
  - Limited interoperability
    - Standards emerging

Scorecard: Biometrics + Certificates
- Pros
  - Perceived ease-of-use
    - Minimal end-user training
    - Always have it with you
  - Strong security
    - Two-factor
- Cons
  - Maturity of technology
  - End-user acceptance
  - Very high acquisition and deployment cost
  - Hard to scale
  - Limited interoperability

Conclusions
- Authentication is the essential foundation for e-government
  - Establish trust
- Organizations should understand tradeoffs between authentication alternatives
  - Balance tradeoffs with security requirements
  - Avoid evaluation based on a single criterion (price, scale, etc.)
- Markets and technologies will continue to evolve
  - Near-term: tokens
  - Longer-term: digital certificates and smart cards

How To Contact
Dow Williamson, RSA Security, Inc
36 Crosby Drive, Bedford, MA 01730
Telephone: 781-301-5381
Fax: 781-301-5310
E-Mail: [email protected]
Web Site: www.rsasecurity.com