Digital Identities: Liabilities or Valuable Business Assets - PowerPoint PPT Presentation

1
Digital Identities: Liabilities or Valuable Business Assets?
Burt Kaliski, Chief Scientist, RSA Laboratories
Vice President of Research, RSA Security
IAM-1, November 14, 2005
2
Agenda
  • The Market Digital Identities
  • What is Identity and Access Management (IAM) and
    Emerging Trends
  • Digital Identity Management
  • Inside & Outside the Enterprise
  • Future of Identity & Access Management
  • Summary

3
Information Security Has Never Been So Important
4
Security Supports Key Business Objectives
  • Manage Risk
  • Ensure Corporate Governance
  • Reduce Costs
  • Improve Customer Experience
  • Enhance Revenues

5
Emergence of Digital Identities
  • Internet becoming a standard business platform
  • Increasing online transactions between
    organizations and their employees, customers &
    partners
  • Emergence of digital identities to support new
    online business models
  • Digital identities need to be effectively managed
    to mitigate security threats

6
Threats and Points of Exposure
Passwords are not secure
  • Existing passwords have been proven to be easily
    compromised
  • Unrealistic burden placed on end users by
    multiple passwords
  • Challenge of remembering so many different words
    and numbers is already hindering online commerce
Phishing attacks proliferate
  • 5,259 new phishing sites were reported in
    August '05 alone (Source: Anti-Phishing Working
    Group)
  • Nearly 1 million U.S. consumers were defrauded
    via phishing between May 2003 and 2004
  • This cost banks and card issuers more than $1.2
    billion in losses (Source: Gartner)

7
Identity & Access Management and Emerging Trends
8
What is Identity & Access Management?
A comprehensive approach and solutions to
identify users in a system (employees, customers,
partners, contractors etc.) and control their
access to resources within that system by
associating user rights and restrictions with the
established identity.
Source: IDC, Identity & Access Management Market
Forecast, 2005-2009, 2005
9
Growing Need for Identity & Access Management:
Protecting & Managing Digital Identities
  • Identity & Access Management seen as a key
    business enabler
  • Protection and management of digital identities
    with IAM
    • reduces overall risk
    • enhances business transaction confidence
    • enhances competitiveness

10
The Information Security Landscape
IAM: Protecting & Controlling Legitimate Access Paths
11
Identity & Access Management: Letting the Good
Guys In, Keeping the Bad Guys Out
Sensitive Data
Access Management
12
IAM Consists of 5 Major Categories
356M
754M
610M
629M
226M
All except Legacy Authorization show increased
customer investment
Source: IDC, Identity & Access Management
Forecast, 2005-2009, 2005
Source (Advanced Authentication figures): IDC, RSA
13
The Need for a Trusted Identity
  • Successful e-business interactions require a
    trusted identity
  • Ensuring trust in an online identity requires
    authentication to establish identity
  • Access controls need to be established to
    enforce business policy as to what that trusted
    identity can do

14
Trends in Identity & Access Management: Ensuring
Digital Identities are Assets, Not Liabilities
  • Systematic application access controls
  • IAM is a critical part of corporate governance
    efforts
  • Growing focus on stronger authentication
  • Secure assets involving Internal (employees) &
    External (customers & partners) stakeholders
  • Automation for failure-prone security elements
  • Single sign-on to minimize password confusion and
    resets
  • Developing online trust relationships with
    partners
  • Sharing trusted identities across business
    boundaries
  • Supplemental security for online transactions
  • Enhance user confidence
  • Improving application and data storage protection
    to block unauthorized entry paths

15
Managing Digital Identities: The Opportunity
Digital Identities Managed Well: Can serve as
business assets and take your business to the
next level
Digital Identities Managed Poorly: Can turn into
liabilities and hinder you from staying competitive
16
Managing Identities: Inside & Outside the
Enterprise
17
Managing Identities Inside the Enterprise vs.
Outside
Inside the Enterprise
  • End-users
    • Employees & Contractors
  • Key Objectives
    • Ensure parties requesting access to critical
      enterprise resources are authentic
    • Manage access to many web & non-web applications
    • Reduce password management burdens on employees
      and help desk
    • Ensure rapid employee on-boarding & off-boarding
      processes
Outside the Enterprise
  • End-users
    • Customers, Suppliers, Partners
  • Key Objectives
    • Ensure parties requesting access to critical
      resources are authentic
    • Improve the online experience & enhance
      confidence in online transactions
    • Know most profitable customers and offer them
      appropriate online services
    • Enable close and rapid collaborative interactions
      with partners

18
Managing Identities: Inside the Enterprise
Enablers
  • Easier to know who the key stakeholders are:
    homogeneous group
    • Employees & contractors
  • Greater ability to enforce security policies
    • Key stakeholders are within realm of
      organizational/IT control
  • Can involve a desktop rollout
    • Enterprise can help end-users adapt to new
      security measures
Constraints
  • A variety of web and non-web applications
    • Web, Client/Server, Host/Mainframe etc.
  • Provisioning can be complex
    • Can involve infrastructure change
  • Protecting applications from within the
    enterprise not seen to be as critical except for
    admin operations
    • Lesser perceived threat of breach from within
      the organization

19
Managing Identities: Outside the Enterprise
Enablers
  • Generally involves only web-based applications
  • Higher perceived threat of security breaches from
    outside the organization
    • Easier to get buy-in from decision-makers
  • Simpler rollout
    • Browser-based
Constraints
  • Limited control over external stakeholders:
    heterogeneous group
    • Customers, partners, suppliers
  • Lesser ability to enforce security policies
    • Harder to dictate security policies to groups
      outside of the enterprise's control
  • Confidence-building element to rollout
    • Address end user attitudes towards supplemental
      security

20
Managing Identities Inside & Outside the
Enterprise: Key Supporting Technologies
21
Key Supporting Technologies
Inside the Enterprise
  • Strong Authentication
  • Web Access Management
  • Web Single Sign-On
  • Enterprise Single Sign-On
  • Provisioning
  • Data Protection
Outside the Enterprise
  • Strong Authentication
  • Web Access Management
  • Web Single Sign-On
  • Federation
  • Data Protection
  • Managed (outsourced) and on-premise options

22
Strong Authentication, ESSO, Web SSO,
Federation, Provisioning & Data Protection
[Diagram labels: How do you manage user identity life cycle?; Who are you?; Provisioning; Employees; Web SSO / Web Access Mgmt.; Company 1 Web & Non-Web Apps; Federated SSO; SSO; ESSO; Partners; Customers]
23
Consumer Authentication Approaches
24
Future Evolution of Identity & Access Management
25
IAM Strategy to Include All Actors in IT
Infrastructure
  • Identity Management strategy will be built to
    include all actors in the IT infrastructure
  • IAM will grow to encompass process identities
    (web services) & device identities (e.g. Cisco
    NAC)
  • IAM will provide the critical authentication and
    authorization infrastructure for web services
    security

26
Explosion in Authentication Choices
  • Explosion in the types & variations of
    authentication available
  • Embedding latent or ready-to-be activated
    enhanced authentication capabilities in many
    types of devices (ranging from iPod to PC to
    mobile phones)
  • Different combinations of authentication criteria
    will emerge
  • Financial Services industry will especially
    benefit from choices

27
Proliferation of Authentication Choices: Unique
characteristics for different environments
Authentication Tiers: Likely combinations of
factors, low end to high
28
Integration Points for Stronger Authentication:
RSA Laboratories One-Time Password Specifications (OTPS)
[Diagram labels: EAP-POTP; OTP-WSS-Token, OTP-Validation Service; 349382; OTP-PKCS11, OTP-CAPI; Authentication Server; CT-KIP]
29
Smarter Knowledge-based Authentication
  • Better use of fewer, better passwords
  • Systems to hide the complexity of passwords, and
    sometimes to hide the passwords completely
  • Chaining one strong authentication to many legacy
    passwords
  • Password change automation
  • Improved reset and emergency access
  • Designs based on science, not guesswork
  • New kinds of knowledge based authentication
  • Recognition versus recollection

30
Identity Begins to Transcend Organizations
  • Federation plays an increasingly important role
  • Businesses will form trusted relationships to
    further revenue objectives and reach new
    customers
  • Strong authentication will establish a trusted
    identity before it is shared between many
    organizations
  • Federation facilitates interconnection and
    compliance with outsourcing partners
  • Credential sharing provides an intermediate step
    without requiring cross-organizational trust
  • Common credentials, but not shared identity

31
IAM becomes a part of Every Security Strategy
  • Identity & Access Management completes the
    security strategy by protecting and controlling
    legitimate access paths
  • Identity & Access Management goes beyond
    security, acting as a foundation for real-time
    interaction with employees, partners, and
    customers.

32
The New Security Perspective
From
  • Technical Problem
  • Owned by IT
  • Expense-driven
  • Practice-centric
  • Security and survivability
To
  • Business Problem
  • Owned by the organization
  • Investment
  • Process-centric
  • Enterprise resiliency & competitive advantage

Source: CERT Coordination Center, Carnegie Mellon
University
33
Q&A
34
About RSA Security
35
The Expert in Protecting Identities & Digital
Assets
RSA Security is the expert in protecting
identities and digital assets. RSA Security
invented the core security technologies for the
Internet and continues to build on its 20 year
history of innovation.
Contact: Burt Kaliski, RSA Labs VP of Research
bkaliski_at_rsasecurity.com