
YOU ARE THE TARGET – BUT YOU DON’T HAVE TO BE

WITH EFFECTIVE AUTHENTICATION

INTRODUCTION

Any size organization can be a target, generally because of weak authentication. Password-only protection is simply too risky; stolen passwords were responsible for major thefts of records from Best Buy and Twitter.

With the adoption of cloud-based IT infrastructures, and the pervasive use of mobile devices and mobile applications, IT organizations are being asked to secure what they don't own, manage or control. The sections that follow describe how to reduce the risk and the consequences of weak authentication.

This paper shows why any size organization can be a target, and how the legal and threat environment, combined with BYOD and cost factors, make multi-factor, risk-based authentication the logical approach to solving the problem. Case studies are used to illustrate.

Robust multi-factor authentication, which can increase the validation steps required when something seems out of the ordinary or when highly sensitive information is to be accessed, is a necessary and cost-effective way to reduce your exposure as a target. Relying on the leading vendor, RSA, is a proven strategy.

In gauging threats, intelligence professionals start with the nature of the threat. We start with the most likely threat: generally, the target has employed poor authentication products and practices.

We then move on to asking: who are they? What motivates them? What kinds of resources do they have at their disposal? Today's adversaries cover a wide range of possibilities. At the top of the list are nation-states interested in learning defense secrets and gathering valuable data and trade secrets that can give them an edge in the global economy.

Next in threat capability are multi-national, non-state actors, such as organized crime, who target electronically stored information (ESI) that can be resold or monetized in other ways. High on their list of targets are databases of Personally Identifiable Information (PII), which allow them or their customers to steal the identities of their victims, systematically loot their digital assets, and establish false accounts to obtain goods and services, destroying the reputations and creditworthiness of the victims along the way.

Today's competitive world means that organizations keep tabs on their competition in legal and illegal ways. Using social media such as Facebook and LinkedIn to learn about a competitor's employees and plans is emerging as a common means of competitive intelligence gathering and industrial espionage. Hijacking of Twitter handles and similar incidents could have been prevented with robust authentication.

Other threats include individuals and groups who are moved to correct social conditions they perceive as wrong. Dubbed "hacktivists," these people have attacked a variety of organizations. Many of these groups are loosely organized, with no formal leadership (e.g., "Anonymous"). These groups can be especially dangerous because their very nature changes day to day, and their lack of formal organization makes it difficult to track down individuals.

Lastly, the threat can be a single individual. Aggrieved former employees and contractors are often unhappy about the circumstances in which the relationship with their former employer or client ended, and they know the environment well and may still hold working credentials.

BAD THINGS HAPPEN TO GOOD PA$$WORDS—EVEN SECURE PASSWORDS AREN'T ENOUGH PROTECTION IN TODAY'S ENVIRONMENT

All too often, organizations of all sizes rely on passwords alone to confirm the identity of individuals who wish to access their electronic assets and to guard access to their information technology (IT) infrastructure. Yet passwords, even the most elaborate ones, are not secure unless they are supplemented by other factors associated with the individual: something the user has (a token or a registered device) or something the user is (a biometric). This was not always the case. In the early days of computing, a user ID plus password was sufficient protection. That was fine when mainframes were the only IT resources and were kept behind locked doors in special rooms. However, as Intel CEO Paul Otellini noted in his keynote speech at the 2012 Consumer Electronics Show, "Today your smartphone has more computing than existed in all of NASA in 1969."1 Attackers have that computing power too, and use it to guess and crack passwords at scale.

This means that organizations need authentication measures that provide appropriate security, adapt to the dynamic threat environment, are easy for users to adopt, scale across organizations of various sizes, and integrate easily into complex and heterogeneous IT infrastructures.

SIZE DOESN’T MATTER—ANY ORGANIZATION CAN BE A TARGET

The adversary determines the target, and size does not matter; small organizations can be just as important to the attacker's plans as large ones. The following examples illustrate this point.

1 http://www.guardian.co.uk/technology/blog/2012/jan/11/ces-2012-intel-keynote-otellini

Small Company

Small companies face increased risks on a global scale. According to David Willetts, British Minister of State for Universities and Science, "Companies are more at risk than ever of having their cyber security compromised—in particular small businesses—and no sector is immune from attack . . . But there are simple steps that can be taken to prevent the majority of incidents."2

According to the 2013 Information Security Breaches Survey, released 23 April 2013, 87 percent of all small businesses in the United Kingdom experienced a breach in the previous year. The survey indicated that breaches of small companies increased in the past year, and that the cost associated with these breaches could range up to 6 percent of company revenues.3

Small businesses can be targeted because they do business with larger businesses, such as defense contractors and major banks. Their role as gateways for attackers has been shown in several major campaigns attributed to nation-states.

Statistics for small businesses in the United States also show that they are major targets. According to Representative Chris Collins (R) of New York, himself a successful small business owner, "Although attacks on small businesses don't make the headlines, a recent report shows nearly 20 percent of cyber-attacks are on small firms with less than 250 employees. Unlike a large company, small businesses may not be able to survive a cyber attack. Washington has begun to realize the importance and immediacy of this threat, but more must be done to help protect this vital segment of our economy from these increasingly complex attacks."4

A typical small company situation is a supplier to a large company. The large company is the real target, but it employs a layered defense, including multi-factor authentication. The attacker has determined that the small company employs no security beyond passwords.

Through diligent research on LinkedIn, the attacker has come up with the names of several employees of the small company, which is usually enough to derive likely user IDs. The attacker then employs a password cracker downloaded for free from the Internet, such as Password Cracker 3.97, available from Tucows.5

In short order, a suitable password is found. The attacker has gained access to the small company's IT infrastructure and is now free to rummage about, downloading data, altering it, or even destroying data essential to running the business. Because the stolen password is a valid credential, nothing distinguishes this session from a legitimate employee's. Small businesses are thus often targeted because they are perceived as gateways to larger businesses, in part because they have weaker authentication mechanisms.

2 http://www.infosecurity-magazine.com/view/31999/infosecurity-europe-2013-technology-strategy-board-offers-money-to-small-businesses/
3 http://www.infosecurity-magazine.com/view/31999/infosecurity-europe-2013-technology-strategy-board-offers-money-to-small-businesses/
4 http://smallbusiness.house.gov/news/documentsingle.aspx?DocumentID=325034
5 http://www.tucows.com/preview/520041

Midsize Business

A midsized company manufactures equipment used in testing radar systems to be installed on fighter jets. The company competes with much larger companies and has had to become innovative, developing unique processes to design its test algorithms. Unfortunately, the company has not upgraded its security to multi-factor authentication.

Adding to the company's exposure is its headquarters location, near popular coffee shops and eateries that offer free Wi-Fi. While convenient for employees accessing IT resources, public Wi-Fi hotspots are also subject to sniffing attacks, which require little technical skill. For example, as explained in "How Logging On From Starbucks Can Compromise Your Corporate Security,"6 packet sniffing can easily vacuum up sensitive data such as passwords sent over unencrypted connections. Once captured, a password authorizes access as if the attacker were the legitimate end user; a one-time code, by contrast, is worthless to the sniffer once it has been spent.

Enterprises

While enterprises with 1,000 or more employees have more resources than their smaller counterparts, it does not necessarily follow that they are more secure. Many large enterprises have grown by acquisition, and integrating the acquired company into the mainstream IT infrastructure of the acquirer is rarely instantaneous. This leads to uneven authentication: strong (multi-factor) for some employees but weak (password only) for others, even though both sets of employees can access similar sensitive resources. An attacker need only find the weaker path.

THE CHANGING ENVIRONMENT

This section addresses four key areas that are impacting the operating environment: Legal, BYOD, Evolving Threats, and Cost Factors. One of the best ways for an organization to insulate itself, its people, and its assets from these dynamic factors is by employing robust authentication.

Legal & Regulatory

Data Privacy Laws

Currently, approximately 50 countries have data privacy laws of various types. The European Union, for example, is in the process of dramatically revising the breach disclosure and other aspects of its data privacy regulations.7 According to the Financial Times of London, EU-based firms could be fined up to 2 percent of global revenue for data breaches.

International law generally recognizes three main classes of personal data that require special attention because they are legally regulated or scrutinized by an industry authority.

Personal Health Information (PHI)8 is almost universally considered among the most sensitive types of data. This information concerns the health of specific individuals. Relevant US laws include the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).

Personally Identifiable Information (PII) is information that, if stolen, allows the thief to masquerade as the individual. PII is protected by a number of United States state and federal laws. Japan is also taking measures to strengthen data privacy for its citizens, such as by requiring strong authentication for online access.9

The third class of protected data is information regulated by the Payment Card Industry (PCI). This data is defined in PCI Data Security Standard 2.0,10 and covers the data used in digital payment and credit transactions. Confirming the identity of authorized users must be a prerequisite to giving them access to the organization's IT resources.

In Singapore, the Monetary Authority of Singapore (MAS) requires financial institutions to implement IT controls to protect customer information from unauthorized access and disclosure. With the growing use of mobile banking, the risk of unauthorized access and disclosure is growing too. Multi-factor authentication is one of the important and proven security technologies that elevate the protection of sensitive data stored and used by financial institutions, and it also contributes to building trust among mobile banking users.

6 http://www.securityweek.com/how-logging-starbucks-can-compromise-your-corporate-security
7 http://news.cnet.com/8301-1009_3-57573051-83/eu-feeling-pressure-to-tweak-data-privacy-legislation/#!

Breach Notification Laws

The EU is taking stronger action on data breaches, as noted above. Readers should be aware that, as of August 2012, 46 states and the District of Columbia had enacted laws requiring organizations to notify individuals if their PII has been breached, or if the data controller (holder of the data) suspects there has been a breach.11 These notifications can be expensive, and they certainly raise questions about the organization's trustworthiness in the minds of the customers, employees, patients, and others who receive them. Preventing such breaches saves organizations significant exposure. A basic step such as requiring multi-factor authentication is a sensible way to ensure that only properly authorized individuals are granted access.

Industry Specific Laws

A number of industries have specific laws that govern data security. The section on PHI above names two laws in the healthcare industry. Other industries with their own regulations include, for example: the banking industry, with the Gramm-Leach-Bliley Act and the Federal Financial Institutions Examination Council (FFIEC); the North American energy industry, regulated by the North American Electric Reliability Corporation (NERC);12 and the United States energy industry, governed by the Federal Energy Regulatory Commission (FERC).13

The point is simple: more regulations are likely to be enacted that will require enhanced information security measures.

8 http://www.hrsa.gov/healthit/toolbox/HealthITAdoptiontoolbox/PrivacyandSecurity/underhipaa.html
9 http://www.infoworld.com/d/security-central/japan-tightens-personal-data-protection-356
10 https://www.pcisecuritystandards.org/security_standards/documents.php?document=pci_dss_v2-0#pci_dss_v2-0
11 http://www.ncsl.org/issues-research/telecom/security-breach-notification-laws.aspx

Bring Your Own Device (BYOD)

In order to attract a new and vibrant workforce, and as a means to enhance productivity, organizations are allowing employees and contractors to access the IT infrastructure with their personal smartphones, tablets, and laptops. Multi-factor authentication is necessary to ensure that authorized end users can access IT resources from any device while the integrity of the IT infrastructure is protected.

Security solutions addressing BYOD need to work seamlessly, with the authentication software embedded in the applications themselves. The availability of a Software Development Kit (SDK) for integrating authentication into the variety of applications that are core to the business is therefore critical, and a rich ecosystem of partners, such as that offered by RSA, is a major strong point.

Many organizations have not considered the security aspects of this move, and have not suitably protected access to their information resources with enhanced measures such as multi-factor authentication. Security principles hold that information is to be protected according to its value, not its location. Consequently, organizations are well advised to implement robust authentication across all means of entry into their IT and network infrastructure.

Evolving Threats

While threats in the past were mostly static and slow to develop, today's threat environment is dynamic and unpredictable. Vulnerabilities are known to exist in today's complex software and Web applications, and attackers exploit both known and unknown vulnerabilities in several ways.

One instance of quickly evolving threats is the Advanced Persistent Threat (APT). This type of attack is highly targeted, adaptable, and designed to clandestinely yield long-term results. These sophisticated campaigns often use social engineering to compromise passwords and so gain the initial foothold in a network from which more extensive attacks are launched.

Another threat is the attack on vulnerabilities that even the product's developers are unaware of. These are called "zero-day attacks" because attackers exploit a flaw in the software before its developer knows of it and has had any time to fix it. These are just a sampling of the dynamic and unpredictable nature of today's threat environment. The Stuxnet attack on the Iranian nuclear program is cited as a good example of this type of attack, as were the cyber-attacks on the Saudi government in May 2013.

Organizations need to set policies based on risk, and implement them so that, when end-user activity seems out of the ordinary, the user is challenged with additional identity confirmation requirements, such as a one-time code or answers to security questions. Self-learning risk engines are proving to be efficient at uncovering anomalous activity. The ability to employ device and behavior characteristics, as well as identity authentication factors, strengthens the assurance that end users are who they say they are.

12 http://www.nerc.com/Pages/default.aspx
13 https://www.ferc.gov/

Cost Factors

Successful attacks can result in significant direct and indirect costs, including:

▪ Loss of Intellectual Property – Trends indicate that attacks are becoming more focused. Organizations are often targeted because they have unique advantages in trade secrets, patent development, or both. Attackers, ranging from competitors to nation-states, seek access to intellectual property (IP). This IP can give attackers economic or efficiency advantages, in addition to saving them significant research and development (R&D) time and expense.

▪ Reputational Costs – Many businesses are based on trust. Organizations that handle sensitive data, such as PHI, PII, and PCI data, are in a critical position of responsibility to safeguard this information. Breaches and unauthorized access can result in wide-ranging publicity that negatively affects public perception of the company. Lack of trust can lead not only to lost business but to legal action.

▪ Legal Costs – Organizations entrusted with sensitive data have a legal duty to protect it. Failure to protect it adequately can subject the company to lawsuits on a variety of grounds, which can result in financial damages including restitution and fines. Failure to exercise due care and to adhere to the standard of care within the industry, such as multi-factor authentication, strengthens a plaintiff's claims.

▪ Lost Employee Productivity – Considerable time can be spent remediating breaches and unauthorized access; this is employee time that would have been better spent on other aspects of the business. Employees also place a certain level of trust in their employers, who store quite a bit of PII about them (e.g., salary information and performance reviews). The effort to recover from a breach of sensitive employee information can be just as taxing as a breach involving sensitive customer information.

SOLVING THE PROBLEM

Classically, organizations address security shortfalls with a combination of people, process, and technology. Multi-factor authentication fits squarely into this trifecta, and has proven to be a measure that can address a variety of security gaps across a wide range of organizations and industries.

Applicable to Different Size Organizations – Scale

A hallmark of leading-edge technology is that it can be applied across organizations of varying size. The key is not so much the size of the organization as the ability of end users to conduct their work and access the resources they need in a secure and efficient manner.

Security processes that consume end-user time or that are inconvenient are often ignored by end users. Worse, end users develop work-arounds that circumvent the very processes and technologies designed to improve security.

In addition, the move to Web-based applications and cloud services means that organizations must adopt security measures that can be made operational as quickly as cloud services, and in a cost-effective manner.

Scalability costs are also important considerations, and include startup costs and ongoing maintenance. Assessing both classes of costs is especially important to organizations that are growing by acquisition.

Risk-Based Authentication – Adapting the Protection to the Threat

Security principles dictate that security measures be applied based on the value of the data to be protected and the likely risks. Risk-Based Authentication (RBA) is a logical and proven technique for matching the level of protection to the risk. Key to the success of an RBA scheme is the ability to process information during the log-in and to evaluate the level of risk of the particular end user seeking access.

Conventional Risk-Based Authentication involves several steps:

▪ Device Validation – Devices can be identified by secure first-party cookies and Flash Shared Objects (sometimes referred to as Flash cookies). When these two components are used in tandem, there is a double layer of validation. Alternatively, device characteristics (browser, operating system, screen size, installed fonts and the like) can be analyzed to develop a unique "fingerprint" that establishes the device's identity and ties it to its users.

▪ Behavior Profiling – In this phase, the context of the log-in (location, time of day, network, and travel speed implied since the last log-in) is compared to known behavior and other factors, such as the sensitivity of the data. As the context risk and data sensitivity increase, the identity validation steps required of the end user to gain access increase accordingly.
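The two steps above, and the earlier point that a self-learning risk engine should challenge the user only when activity looks out of the ordinary, are easier to reason about with a concrete decision function. The following is an added illustrative example, not code from the white paper or from RSA's risk engine: device validation is a first-party cookie signed with a server-side HMAC key, behavior profiling compares the log-in's country, hour and implied travel speed against what was seen before, and the verdict is allow, step-up (demand another factor) or deny, with a stricter threshold when the requested resource is sensitive. The key, the weights, the thresholds and the user profile are all assumptions made for the demo.

```python
"""Risk-based authentication: device validation plus behaviour profiling.
Added illustrative example; not code from the white paper or from RSA.
Assumptions: a server-side HMAC key, a profile learned from earlier successful
log-ins, and the made-up weights and thresholds below."""
import hashlib
import hmac
import math
import secrets
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

SERVER_KEY = b"example-only-server-key"        # assumption: in production, from a KMS/HSM
STEP_UP_THRESHOLD = {"low": 60, "high": 30}    # stricter when the data is sensitive
DENY_THRESHOLD = 100
IMPOSSIBLE_SPEED_KMH = 900.0                   # faster than an airliner


# --- Device validation: a signed first-party cookie the server can verify ---
def issue_device_cookie(user: str, device_id: Optional[str] = None) -> str:
    """Mint an opaque device identifier bound to the user and signed with HMAC-SHA256."""
    device_id = device_id or secrets.token_hex(8)
    tag = hmac.new(SERVER_KEY, f"{user}|{device_id}".encode(), hashlib.sha256).hexdigest()
    return f"{device_id}.{tag}"


def device_cookie_valid(user: str, cookie: Optional[str]) -> bool:
    """Reject missing, malformed, forged, or another user's cookies (constant-time compare)."""
    if not cookie or "." not in cookie:
        return False
    device_id, tag = cookie.rsplit(".", 1)
    expected = hmac.new(SERVER_KEY, f"{user}|{device_id}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)


# --- Behaviour profile learned from earlier successful log-ins ---
@dataclass
class Profile:
    countries: Set[str] = field(default_factory=set)
    usual_hours: Set[int] = field(default_factory=set)        # hours of day seen before
    last_login: Optional[Tuple[float, float, float]] = None   # (unix time, lat, lon)


@dataclass
class Attempt:
    user: str
    cookie: Optional[str]
    country: str
    hour: int          # local hour of day, 0-23
    time: float        # unix time of this attempt
    lat: float
    lon: float
    sensitivity: str   # "low" or "high": sensitivity of the resource requested


def distance_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle (haversine) distance in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def risk_score(profile: Profile, a: Attempt) -> Tuple[int, List[str]]:
    """Sum the risk signals for one log-in; the weights are assumptions, not vendor values."""
    score, reasons = 0, []
    if not device_cookie_valid(a.user, a.cookie):
        score += 40
        reasons.append("unknown or forged device")
    if a.country not in profile.countries:
        score += 25
        reasons.append(f"new country {a.country}")
    if profile.usual_hours and a.hour not in profile.usual_hours:
        score += 10
        reasons.append("unusual hour")
    if profile.last_login:
        t0, lat0, lon0 = profile.last_login
        hours = max((a.time - t0) / 3600.0, 1e-6)   # guard against division by zero
        speed = distance_km(lat0, lon0, a.lat, a.lon) / hours
        if speed > IMPOSSIBLE_SPEED_KMH:
            score += 50
            reasons.append(f"impossible travel at {speed:.0f} km/h")
    return score, reasons


def decide(profile: Profile, a: Attempt) -> Tuple[str, int, List[str]]:
    """ALLOW, STEP_UP (demand another factor) or DENY, scaled by data sensitivity."""
    score, reasons = risk_score(profile, a)
    if score >= DENY_THRESHOLD:
        return "DENY", score, reasons
    if score >= STEP_UP_THRESHOLD[a.sensitivity]:
        return "STEP_UP", score, reasons
    return "ALLOW", score, reasons


# Constructed sample data: a user who normally logs in from Medellín during office hours.
PROFILE = Profile(countries={"CO"}, usual_hours=set(range(8, 19)),
                  last_login=(1_700_000_000.0, 6.25, -75.56))
GOOD_COOKIE = issue_device_cookie("alice", "dev01")
TWO_HOURS_LATER = 1_700_000_000.0 + 2 * 3600


def demo() -> List[Tuple[str, int]]:
    """Three log-ins two hours after the last one: routine, travelled too fast, and hostile."""
    attempts = [
        Attempt("alice", GOOD_COOKIE, "CO", 10, TWO_HOURS_LATER, 6.25, -75.56, "low"),
        Attempt("alice", GOOD_COOKIE, "US", 10, TWO_HOURS_LATER, 40.71, -74.01, "low"),
        Attempt("alice", None, "US", 3, TWO_HOURS_LATER, 40.71, -74.01, "high"),
    ]
    return [decide(PROFILE, a)[:2] for a in attempts]


if __name__ == "__main__":
    for verdict, score in demo():
        print(verdict, score)
```

The signed cookie only proves that the browser presenting it once completed a log-in for that user; a copied cookie passes validation just as well, which is why the device signal is combined with the behavior signals rather than trusted alone. The step-up verdict is where the second factor from the earlier sections comes in: the user is not refused, but is asked for a one-time code before the sensitive resource is released.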

Risk-Based Authentication can provide end users with some very solid benefits. RSA's Risk-Based Authentication can lower the authentication cost per user by up to 40 percent compared to traditional hardware authenticators. RBA can also considerably speed up deployment in large organizations, typically reducing implementation across the enterprise from weeks to days.14

Risk-Based Authentication is particularly relevant where the organization has privacy concerns, because this method of authentication is robust yet minimally intrusive on end-user privacy. RSA, the dominant player in the market, employs Risk-Based Authentication that looks for anomalies against historical patterns. Because it tracks only the authentication process, and not what users do once logged in, this proven approach raises few privacy issues.

Platform Agnostic

Another key aspect of authentication technology today is that it must be platform-agnostic, meaning that the same level of authentication, and essentially the same process, must be available across the platforms favored by end users.

Some end users may be most comfortable with software on their desktop or laptop computers. This is a staple of many organizations and many industries. However, as industries evolve, so do their computing platforms. The authentication technology must also be available, in a consistent form factor, on mobile phones and tablets, so as to facilitate 24x7 remote access by authorized end users.

Interestingly, many end users still prefer the comfort of hardware tokens. In fact, many large banks brand RSA hardware tokens for their large portfolio customers to control access to their accounts. RSA's software tokens are used for similar purposes, and add to choice and flexibility in strong authentication.

RSA's ability to enhance security based on the cumulative learning from the sum of all authentication processes increases security, and is transparent to the user.

The ubiquity of smartphones, reinforced by the growing popularity of BYOD, mandates that authentication via SMS also be part of the offering. Given the ever-present, on-person nature of smartphones, these devices, when used with SMS, become an effective something-you-have authentication factor.
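Whether the one-time code reaches the phone by SMS or is generated by a token app on it, the server side of the "something you have" factor that the password section said was missing looks the same: derive or look up the expected code, compare in constant time, tolerate a little clock drift, and never accept a code twice. The following is an added illustrative example, not code from the white paper or from any RSA product, implementing the open HOTP/TOTP algorithms (RFC 4226 and RFC 6238) with the RFC's own test secret so the values can be checked against the standard. It assumes the shared secret was provisioned to the phone out of band (the otpauth URI below is what an authenticator app scans), that the server clock is roughly accurate, and that one 30-second step of drift either way is acceptable.

```python
"""One-time code as the second factor: RFC 4226 HOTP and RFC 6238 TOTP.
Added illustrative example; not code from the white paper or an RSA product.
Assumptions: secret provisioned out of band, server clock roughly accurate,
+/-1 step (30 s) of drift tolerated."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated per RFC 4226."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = STEP_SECONDS) -> str:
    """Time-based variant: the counter is the number of whole steps since the Unix epoch."""
    now = time.time() if at is None else at
    return hotp(secret, int(now) // step)


def enrollment_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI for an authenticator app; apps expect the secret in Base32."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"
            f"&digits={DIGITS}&period={STEP_SECONDS}")


class TotpVerifier:
    """Server-side check with clock-drift tolerance and single-use enforcement."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window        # steps of drift tolerated on each side of 'now'
        self.last_counter = -1      # highest counter already accepted for this user

    def verify(self, code: str, at: Optional[float] = None) -> bool:
        if len(code) != DIGITS or not code.isdigit():
            return False            # malformed input never reaches the comparison
        now = time.time() if at is None else at
        counter = int(now) // STEP_SECONDS
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_counter:
                continue            # replay guard: an already-used step is never re-accepted
            if hmac.compare_digest(hotp(self.secret, c), code):   # constant-time compare
                self.last_counter = c
                return True
        return False


# RFC 6238 Appendix B test secret (SHA-1), so the values are checkable against the RFC.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    v = TotpVerifier(RFC_SECRET)
    code = totp(RFC_SECRET, 59)
    print(code, v.verify(code, 59), v.verify(code, 59))   # 287082 True False
```

An SMS-delivered code differs only in that the server generates a random code and stores its hash with an expiry and an attempt counter instead of deriving it from a shared secret; the constant-time compare, the single-use rule and the short validity window apply unchanged. One caveat a practitioner should weigh: a code sent over SMS can be read by whoever controls the phone number or the carrier channel, so an app-generated or hardware token is the stronger form of the same factor, and SMS is best treated as the convenience option.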

Easy to Integrate Into Existing Operations

End users do not want to be interrupted in their work; consequently, authentication technology must be easily integrated into their routines. Ideally, this integration is at the lowest possible level in the technology stack, with native support being ideal. Embedding the authentication is a proven way of enhancing security while facilitating operations.

Many organizations are taking advantage of the SecurID platform version RSA® Authentication Manager 8.0. In particular, this release is optimized and certified as a VMware® Ready Virtual Appliance for use with popular VMware tools such as snapshots, vMotion and high availability. Now, with the release of RSA® Authentication Manager 8.1, those who wanted a hardware appliance have the option of either a virtual or a hardware appliance.

Examples of embedded authentication include SanDisk's integration of RSA authentication into its flash drives; Privaris's implementation with its biometric devices; and Juniper Networks' work with RSA to enable mobile security services that unite strong authentication with secure remote access, extending the security model and streamlining the mobile user experience when accessing both corporate and cloud-based resources.

RSA continues to expand its multi-factor authentication portfolio, both organically and through acquisitions, such as PassBan, a visionary leader in mobile and cloud-based multi-factor authentication. Over 400 partners have established RSA interoperability with their products and services, including Check Point, Cisco, Citrix, and IBM. Collectively, these examples illustrate that an authentication technology must be embraced by a robust ecosystem of interoperable products in order to drive widespread adoption.

14 RSA Analysis

HOW SUCCESSFUL COMPANIES ARE MEETING THE AUTHENTICATION CHALLENGE

This section provides highlights of how organizations of various sizes have solved their authentication challenges by employing RSA products.

Grupo Bancolombia

▪ The Business – One of the largest banks in Latin America, founded nearly 70 years ago, and the largest in Colombia, the bank provides banking services to approximately 60,000 organizations and over 1.5 million retail customers. One of the bank's key initiatives was to leverage the competitive advantages of its online banking portal. The portal is used by approximately 90,000 people in the organizational sector, and by about two-thirds of its retail customers.15

▪ The Security Challenge – A number of years ago, the bank noticed a significant increase in fraudulent access attempts to the online portal. According to Carlos Rodriguez, Internet Manager of Bancolombia, "We knew we needed to respond quickly and effectively, both for the sake of our customers and to preserve the integrity of our offerings. Until that point, we had relied on applications we had developed in-house to prevent attacks. However, the severity of the fraud activity we were starting to see highlighted the need to strengthen our defenses with dedicated security solutions."

▪ The Solution – The bank wanted to offer software-based authenticators to its retail customers and hardware authenticators to its corporate clientele. The availability of both approaches was critical, because retail customers want the convenience of not installing special software or carrying a hardware token, while corporate clients want the security, durability, reliability, and standardization that come with hardware tokens.

▪ The Impact – After installing the solution, the bank saw a marked decrease in fraudulent activity targeting its online platform. According to Rodriguez, "Fraud fell by around 90 percent after we added the technology, and has remained constant ever since."

15 http://www.grupobancolombia.com/webcorporativa/

Banco Popular De Puerto Rico

▪ The Business – The largest commercial bank in Puerto Rico has 174 branches, almost 600 ATMs, and more than 27,000 Point of Sale (POS) terminals. The bank also provides a variety of Internet banking services, including Internet Banking, e-Commercial Statement, and WebCash Manager.16

▪ The Security Challenge – The bank had developed its own version of a three-step password process. Requirements of the Federal Financial Institutions Examination Council (FFIEC) mandated the use of multi-factor authentication as a prerequisite to entering online banking systems.

▪ The Solution – After performing a risk assessment, the bank decided that the combination of a Risk-Based Authentication system for its customers and a hardware-based authentication system for its internal network would be the optimal solution. RSA was chosen after a vendor qualification process. The bank felt that the power of the RSA Risk Engine, tracking over 100 fraud indicators, would be the most effective way to manage security at the individual log-in level, with minimal interruption and inconvenience to customers.

According to Miguel Mercado Torres, CISO and VP Operational Risk Management at the bank, "We were keen to upgrade our solution, in light of the increase of cyber threats and cyber fraud activity. By adding an extra layer of security for access into the corporate Intranet, RSA SecurID authentication enables us to increase the number of people who are able to work from home, and also enables the sales team to complete more transactions while out in the field."

▪ The Impact – The bank has noticed a significant reduction in attacks on its customers' accounts, and a corresponding increase in customer confidence and satisfaction with the bank.

Lazio Innovazione Technologica (LAit)

▪ The Business – LAit is the IT development arm charged with working with Regione Lazio17 in Italy to help the government automate services and to stimulate adoption of digital services. These services include healthcare, e-mail, and data transfers. One example is the Farmarecup project, which gives consumers a choice of pharmaceutical products from 170 pharmacies in Lazio and provides online scheduling of medical appointments through a self-service, Web-based appointment system.

▪ The Security Challenge – LAit needed an authentication mechanism that would integrate with existing systems, improve security, be patient-friendly, and be cost effective.

▪ The Solution – The company opted for a two-factor authentication system from RSA because of its ease of use and management capabilities. The Technical Director of LAit, Vittorio Gallinella, explained, "We evaluated the performance of the systems in real-life scenarios. This was necessary to verify the compatibility and integration with LAit's systems, as well as ease of installation."

▪ The Impact – According to Regino Brachetti, President of LAit S.P.A., "Secure remote access and collaboration has enabled us to accelerate the process for booking medical appointments and exams, providing more efficient public services to Regione Lazio's citizens. What's more, thanks to two-factor authentication, we have reduced management costs by 70 percent."

The government found that the authentication system created the means to expand the range of services it offered. Separately, as noted by Mr. Gallinella, "We, above all, recognize the versatility of RSA SecurID—besides the simplicity of installation, management and use. Because of these characteristics, we have adopted this solution for other purposes too; in particular, providing remote access to a number of services for some Directorates and Departments, for system management and to give access to some resources. The solution enables us to unify password management and consolidate authentication management with a unique tool."

16 http://www.popular.com/en/business-online-services#GA=Online_Services__Business_Services__LP
17 http://www.regione.lazio.it/rl_sanita/?vw=contenutidettaglio&id=43

NTT Com Asia

▪ The Company – NTT Com Asia Limited is a wholly owned subsidiary of NTT Communications, which is the international and long distance arm of NTT (Nippon Telegraph and Telephone Company). NTT Com Asia serves as the regional headquarters for East Asia, covering Hong Kong, Macao, Taiwan, and Korea. The company provides multinational companies with end-to-end network and IT solutions. These solutions include cloud hosting, managed services, integrated solutions, IP connectivity, and data center support. The company also provides local connectivity and services for small and midsize businesses. [18]

▪ The Security Challenge – The company needed a strong authentication system to protect sensitive customer information, while ensuring compliance with local financial regulations. Due to its role as a communications provider, the company needed a security solution that would offer high availability and dependability on a 24x7 basis. According to Jonathan Wong of NTT Com Asia, “The goal of the project was to provide a system that enabled mobile workers at our customer sites to access sensitive information stored on their internal servers, from a remote location, whenever they needed it. The process had to be secure, but also needed to be simple enough to implement to a potential workforce of hundreds of thousands.”

▪ The Solution – NTT Com Asia selected the RSA SecurID solution to implement a two-step authentication process.

▪ The Impact – The company found that the implementation of the robust authentication system gave its customers a higher level of confidence and trust. Mr. Wong felt that the system was responsible for strengthening customer relationships. He noted, “Since we deployed RSA SecurID, the feedback has been very positive. The key theme coming through is reliability. Our customers trust the solution to deliver against their security requirements.”

[18] http://www.hk.ntt.com/en/index.html

Red Bull Racing

▪ The Company – The Red Bull Racing team, based in Milton Keynes in the United Kingdom, is a double Formula 1 World Champion.

▪ The Security Challenge – The Red Bull Racing team regularly competes in Grand Prix events all over the world, and many employees are often traveling. Indeed, individuals frequently need to access the Red Bull corporate network from challenging locations and under significant time pressure—particularly those based in the pit lane on race day.

In a fiercely competitive field like F1 racing, however, providing employees with fast and reliable access to critical applications and e-mail is just half the story. At the same time, Red Bull must ensure that any unauthorized attempts to access its network are effectively prevented, to keep team secrets from being leaked.

▪ The Solution – Hardware tokens were issued to around 400 employees, who adopted the new technology enthusiastically, thanks to the user-friendly, easy-to-read design. In addition to the robust and reliable hardware element, Red Bull Racing was impressed by the fact that the RSA Authentication Manager integrated smoothly with its existing IT environment.

▪ The Impact – The new authentication system integrated well into the existing infrastructure. Neil Bailey, Red Bull Racing IT Infrastructure Manager, commented, “We were pleasantly surprised by how well the solution integrated with our Citrix Access Gateway VPN. It also works very well with our Cisco Secure Remote Access solution, enabling smooth delivery of applications. This effortless interoperability meant that migrating our user base to the RSA platform was quick and hassle-free.”

Where new tokens need to be allocated—for example to new employees—the process is now much simpler and more efficient. Previously, a skilled security expert would need to spend about 30 minutes in the authentication management console, setting up a new user and allocating them a new token. Using the RSA Authentication Manager console, new users can now be set up in just a few minutes.


The Last Word

This paper has explained why any size organization can be a target for hackers and at risk of data breaches due to weak authentication. We have also shared how the legal and threat environment, combined with new operating necessities, such as BYOD, make multi-factor, Risk-Based Authentication a logical approach to reducing these risks. We included five RSA customer case studies showing the various ways that organizations are meeting their security challenges with RSA’s SecurID authentication platform. RSA’s SecurID is the most widely deployed one-time password platform, with over 25,000 customers worldwide and 40+ million tokens actively in use. Currently, over 350 million online identities are protected with Risk-Based Authentication by RSA.

Robust authentication that is intuitive for users and available across multiple platforms is critical to effective utilization of today’s networks. Characteristics such as adaptability across a range of organizations, with a common interface and an overarching management system, are vital to ensuring optimal security in today’s dynamic threat environment.


ABOUT FROST & SULLIVAN

Frost & Sullivan, the Growth Partnership Company, works in collaboration with clients to leverage visionary innovation that addresses the global challenges and related growth opportunities that will make or break today’s market participants. For more than 50 years, we have been developing growth strategies for the Global 1000, emerging businesses, the public sector and the investment community. Is your organization prepared for the next profound wave of industry convergence, disruptive technologies, increasing competitive intensity, Mega Trends, breakthrough best practices, changing customer dynamics and emerging economies?

For information regarding permission, write:
Frost & Sullivan
331 E. Evelyn Ave. Suite 100
Mountain View, CA 94041
