Title: Digital Identities: Liabilities or Valuable Business Assets
Slide 1: Digital Identities: Liabilities or Valuable Business Assets?
Burt Kaliski, Chief Scientist, RSA Laboratories
Vice President of Research, RSA
Security IAM-1, November 14, 2005
Slide 2: Agenda
- The Market: Digital Identities
- What is Identity and Access Management (IAM), and Emerging Trends
- Digital Identity Management Inside & Outside the Enterprise
- Future of Identity & Access Management
- Summary
Slide 3: Information Security Has Never Been So Important
Slide 4: Security Supports Key Business Objectives
- Manage Risk
- Ensure Corporate Governance
- Reduce Costs
- Improve Customer Experience
- Enhance Revenues
Slide 5: Emergence of Digital Identities
- Internet becoming a standard business platform
- Increasing online transactions between organizations and their employees, customers & partners
- Emergence of digital identities to support new online business models
- Digital identities need to be effectively managed to mitigate security threats
Slide 6: Threats and Points of Exposure
Passwords are not secure:
- Existing passwords have been proven to be easily compromised
- Unrealistic burden placed on end users by multiple passwords
- The challenge of remembering so many different words and numbers is already hindering online commerce
Phishing attacks proliferate:
- 5,259 new phishing sites were reported in August 2005 alone (Source: Anti-Phishing Working Group)
- Nearly 1 million U.S. consumers were defrauded via phishing between May 2003 and 2004
- This cost banks and card issuers more than $1.2 billion in losses (Source: Gartner)
Slide 7: Identity & Access Management and Emerging Trends
Slide 8: What is Identity & Access Management?
A comprehensive approach and solutions to identify users in a system (employees, customers, partners, contractors, etc.) and control their access to resources within that system by associating user rights and restrictions with the established identity.
Source: IDC, Identity & Access Management Market Forecast, 2005-2009, 2005
Slide 9: Growing Need for Identity & Access Management: Protecting & Managing Digital Identities
- Identity & Access Management seen as a key business enabler
- Protection and management of digital identities with IAM:
  - reduces overall risk
  - enhances business transaction confidence
  - enhances competitiveness
Slide 10: The Information Security Landscape: IAM Protecting & Controlling Legitimate Access Paths
Slide 11: Identity & Access Management: Letting the Good Guys In, Keeping the Bad Guys Out
[Diagram labels: Sensitive Data; Access Management]
Slide 12: IAM Consists of 5 Major Categories
[Chart: market size per category (356M, 754M, 610M, 629M, 226M); the category labels were not preserved in this text]
All except Legacy Authorization show increased customer investment
Source: IDC, Identity & Access Management Forecast, 2005-2009, 2005. Source for Advanced Authentication figures: IDC & RSA
Slide 13: The Need for a Trusted Identity
- Successful e-business interactions require a trusted identity
- Ensuring trust in an online identity requires authentication to establish that identity
- Access controls need to be established to enforce business policy as to what that trusted identity can do
Slide 14: Trends in Identity & Access Management: Ensuring Digital Identities are Assets, Not Liabilities
- Systematic application access controls
- IAM is a critical part of corporate governance efforts
- Growing focus on stronger authentication
- Secure assets involving internal (employees) & external (customers & partners) stakeholders
- Automation for failure-prone security elements
- Single sign-on to minimize password confusion and resets
- Developing online trust relationships with partners
- Sharing trusted identities across business boundaries
- Supplemental security for online transactions
- Enhance user confidence
- Improving application and data storage protection to block unauthorized entry paths
Slide 15: Managing Digital Identities: The Opportunity
- Digital Identities Managed Well: can serve as business assets and take your business to the next level
- Digital Identities Managed Poorly: can turn into liabilities and hinder you from staying competitive
Slide 16: Managing Identities Inside & Outside the Enterprise
Slide 17: Managing Identities Inside the Enterprise vs. Outside
Inside the Enterprise
- End-users: Employees & Contractors
- Key Objectives:
  - Ensure parties requesting access to critical enterprise resources are authentic
  - Manage access to many web & non-web applications
  - Reduce password management burdens on employees and help desk
  - Ensure rapid employee on-boarding & off-boarding processes
Outside the Enterprise
- End-users: Customers, Suppliers, Partners
- Key Objectives:
  - Ensure parties requesting access to critical resources are authentic
  - Improve the online experience & enhance confidence in online transactions
  - Know the most profitable customers and offer them appropriate online services
  - Enable close and rapid collaborative interactions with partners
Slide 18: Managing Identities Inside the Enterprise
Enablers
- Easier to know who the key stakeholders are (homogeneous group: employees & contractors)
- Greater ability to enforce security policies
- Key stakeholders are within the realm of organizational/IT control
- Can involve a desktop rollout
- Enterprise can help end-users adapt to new security measures
Constraints
- A variety of web and non-web applications (Web, Client/Server, Host/Mainframe, etc.)
- Provisioning can be complex
- Can involve infrastructure change
- Protecting applications from within the enterprise not seen to be as critical, except for admin operations
- Lesser perceived threat of breach from within the organization
Slide 19: Managing Identities Outside the Enterprise
Enablers
- Generally involves only web-based applications
- Higher perceived threat of security breaches from outside the organization
- Easier to get buy-in from decision-makers
- Simpler rollout (browser-based)
Constraints
- Limited control over external stakeholders (heterogeneous group: customers, partners, suppliers)
- Lesser ability to enforce security policies
- Harder to dictate security policies to groups outside of the enterprise's control
- Confidence-building element to rollout
- Address end-user attitudes towards supplemental security
Slide 20: Managing Identities Inside & Outside the Enterprise: Key Supporting Technologies
Slide 21: Key Supporting Technologies
Inside the Enterprise
- Strong Authentication
- Web Access Management
- Web Single Sign-On
- Enterprise Single Sign-On
- Provisioning
- Data Protection
Outside the Enterprise
- Strong Authentication
- Web Access Management
- Web Single Sign-On
- Federation
- Data Protection
- Managed (outsourced) and on-premise options
Slide 22: Strong Authentication, ESSO, Web SSO, Federation, Provisioning & Data Protection
[Diagram labels: "How do you manage user identity life cycle?" (Provisioning); "Who are you?"; Employees; Web SSO / Web Access Mgmt.; Company 1 Web & Non-Web Apps; Federated SSO; SSO; ESSO; Partners; Customers]
Slide 23: Consumer Authentication Approaches
Slide 24: Future Evolution of Identity & Access Management
Slide 25: IAM Strategy to Include All Actors in IT Infrastructure
- Identity Management strategy will be built to include all actors in the IT infrastructure
- IAM will grow to encompass process identities (web services) & device identities (e.g. Cisco NAC)
- IAM will provide the critical authentication and authorization infrastructure for web services security
Slide 26: Explosion in Authentication Choices
- Explosion in the types & variations of authentication available
- Embedding latent or ready-to-be-activated enhanced authentication capabilities in many types of devices (ranging from iPod to PC to mobile phones)
- Different combinations of authentication criteria will emerge
- Financial Services industry will especially benefit from choices
Slide 27: Proliferation of Authentication Choices: Unique Characteristics for Different Environments
[Diagram labels: Authentication Tiers; Likely combinations of factors; Low end to high]
Slide 28: Integration Points for Stronger Authentication: RSA Laboratories One-Time Password Specifications (OTPS)
[Diagram labels: EAP-POTP; OTP-WSS-Token; OTP-Validation Service; OTP-PKCS11, OTP-CAPI; Authentication Server; CT-KIP]
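The slide names an OTP validation service as one of the integration points in an authentication server. As an added example, not taken from the slides and not an implementation of RSA's OTPS specifications, the Python below shows the event-based HOTP algorithm of RFC 4226 together with the two pieces of server-side logic a validation service needs: a bounded look-ahead window that resynchronizes a token whose counter has drifted ahead, and a counter advance that makes an already-used code unusable again. The user name is a constructed value and the secret is the published RFC 4226 test key; the class and function names are this example's own.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, List

# Constructed test data: the 20-byte secret published in RFC 4226, Appendix D.
RFC4226_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % 10 ** digits).zfill(digits)


@dataclass
class TokenRecord:
    secret: bytes
    counter: int = 0  # next counter value the server expects to see


class OtpValidationService:
    """Minimal server-side validator (hypothetical name): look-ahead resync
    plus rejection of any code at or below the last accepted counter."""

    def __init__(self, look_ahead: int = 5) -> None:
        self.look_ahead = look_ahead
        self._tokens: Dict[str, TokenRecord] = {}

    def register(self, user: str, secret: bytes) -> None:
        self._tokens[user] = TokenRecord(secret=secret)

    def validate(self, user: str, otp: str) -> bool:
        rec = self._tokens.get(user)
        if rec is None:
            return False
        # Try the expected counter and a bounded window beyond it: a token whose
        # button was pressed without a login drifts ahead of the server, but an
        # unbounded window would make guessing easier, so the window stays small.
        for c in range(rec.counter, rec.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(rec.secret, c), otp):
                # Advance past the used counter so the same OTP never validates
                # twice; codes for earlier counters are rejected from now on.
                rec.counter = c + 1
                return True
        return False


def demo() -> List[bool]:
    """Walk one token through accept, replay, resync and out-of-window cases."""
    svc = OtpValidationService(look_ahead=5)
    svc.register("alice", RFC4226_TEST_SECRET)
    return [
        svc.validate("alice", "755224"),  # counter 0: accepted
        svc.validate("alice", "755224"),  # same code again (replay): rejected
        svc.validate("alice", "359152"),  # counter 2, one press skipped: accepted via look-ahead
        svc.validate("alice", "287082"),  # counter 1 is now behind the server: rejected
        svc.validate("alice", "520489"),  # counter 9 is beyond the window starting at 3: rejected
    ]


if __name__ == "__main__":
    print(demo())  # [True, False, True, False, False]
```

The look-ahead size is a policy choice the validation service owns: it trades convenience for the token holder against the number of codes an attacker could test per counter position, and a token that drifts past the window needs an explicit resynchronization step rather than a wider window.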
Slide 29: Smarter Knowledge-based Authentication
- Better use of fewer, better passwords
- Systems to hide the complexity of passwords, and sometimes to hide the passwords completely
- Chaining one strong authentication to many legacy passwords
- Password change automation
- Improved reset and emergency access
- Designs based on science, not guesswork
- New kinds of knowledge-based authentication
- Recognition versus recollection
Slide 30: Identity Begins to Transcend Organizations
- Federation plays an increasingly important role
- Businesses will form trusted relationships to further revenue objectives and reach new customers
- Strong authentication will establish a trusted identity before it is shared between many organizations
- Federation facilitates interconnection and compliance with outsourcing partners
- Credential sharing provides an intermediate step without requiring cross-organizational trust
- Common credentials, but not shared identity
Slide 31: IAM Becomes a Part of Every Security Strategy
- Identity & Access Management completes the security strategy by protecting and controlling legitimate access paths
- Identity & Access Management goes beyond security, acting as a foundation for real-time interaction with employees, partners, and customers
Slide 32: The New Security Perspective
From -> To:
- Technical Problem -> Business Problem
- Owned by IT -> Owned by the organization
- Expense-driven -> Investment
- Practice-centric -> Process-centric
- Security and survivability -> Enterprise resiliency & competitive advantage
Source: CERT Coordination Center, Carnegie Mellon University
Slide 33: Q&A
Slide 34: About RSA Security
Slide 35: The Expert in Protecting Identities & Digital Assets
RSA Security is the expert in protecting identities and digital assets. RSA Security invented the core security technologies for the Internet and continues to build on its 20-year history of innovation.
Contact: Burt Kaliski, RSA Labs VP of Research, bkaliski_at_rsasecurity.com