VeriSign Authentication Services Volunteer eHealth Initiative Security and Confidentiality Workshop

1
VeriSign Authentication ServicesVolunteer
eHealth InitiativeSecurity and Confidentiality
Workshop
2
VeriSigns Business
VeriSign operates intelligent infrastructure
services that enable enterprises and individuals
to find, connect, secure, and transact across
todays complex global networks.
Naming Directory Services
Security Services
Telecommunication Services

• Naming / DNS Services
• Emerging Directory
• IP Services

• Strong Authentication
• Perimeter Security

• Wireline
• Wireless
• Content Services

• 5 M Security Events Daily
• 40M SMS Messages Daily
• 50 of Roaming in NoAm
• 2M Downloads / day

• 5,000 Enterprise Customers
• 1,000 Carrier Customers
• 400,000 e-Commerce Sites
• Exclusive Registry for .com, .net
• 15B Daily Transactions

3
We Thrive in the Trusted Intermediary Role

Networks
Content Applications
Wireless, WAN, Broadband, LAN
Music, Video, Collaboration, Messaging, Commerce
Devices
Users
Phones, RF Tags, Modems, PCs, Server,
Routers/Switches
Government, Businesses, Service Providers,
Consumers

• Many-to-many connections
• Network / protocol diversity
• Natural mediation opportunity

• Security / privacy mandates
• Need for massive scale
• Trusted / neutral source

4
Intelligent Infrastructure for Healthcare
3. 2010 Interconnected national health network
1. Today Point to point
Patient
2. 2006-07 Regional health networks
RLS
5
How We Can Help
Enable regional and national health information
networks through the management of highly secure,
scalable and available verification,
authentication, discovery and validation services

• Synergistic services VeriSign can provide
• Federated Identity System
• Single-sign on for all actors authenticated
  within local circles of trust to participate in
  the broader ecosystem
• eHealth Network Intelligence
• Patient registration and identification service
• Record locator service
• Security
• Access controls
• Data encryption
• Managed security service

6
What Keeps Us Awake (So You Can Sleep)

• Regulatory Compliance
• HIPAA, CA SB1386, Sarbanes Oxley, ..
• Availability, Reliability, Services Continuity
• The Internet is becoming your infrastructure
• Overwhelming Complexity
• Point solutions that dont integrate millions of
  uncorrelated events
• New Technology Puts New Demands On Existing
  Networks
• From remote access anywhere to remote access
  everywhere
• Eroding User Confidence
• Crime follows users Phishing, spam, and
  Identity theft

7
Deploying Todays Security Solutions Is Difficult

• Cost
• Security hardware and infrastructure costs add up
• Who pays?
• Complexity
• New technology, new processes, new systems to
  operate
• Scaling to millions of individual participants
• Usability
• Security in the way an extra step or
  intrusion before transacting
• Narrow context of use (e.g. one credential
  secures only a single application)

8
Two-Factor Authentication Is Essential
HARD
SOFT
Digital Certificate
OTP Token
Desktop Soft Token
Smart Cards
Mobile Phone
Two-FactorAuthentication
Fixed Phone (voice)
Multi-Function Devices
Choice of Credentials Hard and Soft Choice of
Form-FactorExtensible Architecture
9
Integrated Identity and Authentication Services
10
Token Sharing to Drive Adoption

• Enable individual to use the same token at
  multiple sites
• e.g. PayPal and regional Health network
• Drives adoption
• Increases value of token to consumers (Universal
  Key)
• ATM-Like experience (VIP tokens accepted here ala
  Cirrus Network)
• Individuals demand security brand for their
  personal security
• Reduced Costs Complexity
• Costs Shared infrastructure hardware costs
• Complexity VIP Portal (06) to centralize
  payment, life-cycle management and support across
  across the Network
• From Costs to Gains
• Disrupt established costs models (per
  transaction, ala ATM)

11
Token Sharing The VIP Model

• OTP validation service in the cloud
• Two independent entities send OTP validation
  requests to common service.
• Simpler liability model sharing of
  authentication only.
• Neither party sees the other partys validation
  traffic.

12
One Intelligent Infrastructure for Different Uses
Public VIP
Enterprise VIP
Vertical VIP
Co-branded tokens
Private label tokens
Private label tokens
VeriSign Identity Protection Network