450 likes | 565 Views
Securing Electronic Commerce: Identification & Authentication. Douglas Graham UK Channel Technical Manager Security Dynamics Technologies, Inc. Security Dynamics. RSA. 300 million copies installed & in use worldwide. Security Dynamics Technologies Inc. 110,000 BoKS users
E N D
Securing Electronic Commerce:Identification & Authentication Douglas Graham UK Channel Technical Manager Security Dynamics Technologies, Inc
SecurityDynamics RSA 300 million copies installed & in use worldwide Security Dynamics Technologies Inc. 110,000 BoKS users Major OEM relationships 3 million users of SecurID 3,000 companies 9,000 installations 2,000 companies 250 + of the Fortune 500
$ $ $ Key Business Trends • Enhanced outreach and collaboration with employees, customers, partners, distributors and suppliers • Emergence of the “virtual enterprise” • “Market of One” interactive customer relationship eBusiness is no longer a competitive advantage, it is a necessity
Key Technology Trends • Rapid deployment of intranets and extranets • New generation of inexpensive, high-speed, IP-ready network capacity coming online • Broad adoption and continued evolution of mission-critical ERP applications • Continued outsourcing of network transport, Web hosting and application deployment Moving rapidly to the Internet-enabled enterprise
Key Security Trends • Enterprises supplementing perimeter defense with protection of applications and information • Increasing requirements for user authentication, authorization and intrusion monitoring and detection • PKI emerging as a common architectural foundation for multiple security applications • Security decisions driven by line-of-business needs Enterprise security is the key enabler for eBusiness
What is Electronic Commerce ? • Electronic Commerce is the temporary extension of a computer network over a Public or Private connection to facilitate business transactions. • PSTN, ISDN, Internet • Can be used by Individual users or to connect two or more networks together. • Notebook dial-in for email, small office to HQ connection
Remote Access Head Office Mobile User Public Network
Electronic Commerce Applications • Home Banking • Quick Easy access to corporate information and services • Sharing information between Business Partners & Customers • Telecommuters (Home working) Day Extenders • IT Support Staff
Remote Access Benefits • Productivity • Cost Savings • Easy Information Access • High Availability of Information • Competitive Advantage
56 million 60,000,000 50,000,000 40,000,000 30,000,000 US 20,000,000 10,000,000 0 1997 1998 1999 2000 Remote Access Growth Source: Giga, September 1997
Business Consumer W. European e*Commerce, 1996-2001Commerce Revenue/Year, Year Ending $Million 16,000 14,794 14,000 12,000 11,115 CAGR = 137 % 10,000 8,809 8,000 6,469 6,000 4,343 4,000 3,123 1,795 2,000 1,278 681 214 421 136 - 1996 1997 1998 1999 2000 2001 Source: IDC, July ‘97
What are the risks? • Protecting the network and data from abuse by authorised users • Protecting the network and data from abuse by unauthorised users • Data Privacy • Data Confidentiality • Complexity of service operation and delivery
45% 40% 35% 30% 25% 20% 15% 10% 5% 0% Attacks from Inside & Out Reported Security Breaches Unauthorized access by employees System penetration from outside Source: 1998 CSI/FBI Computer Crime and Security Survey
$3,000 $2,500 $2,000 $1,500 $1,000 $500 $0 Cost of Security Breaches Average loss (000) Reported Security Breaches Financial fraud Theft of proprietary information Unauthorized access by employees Source: 1998 CSI/FBI Computer Crime and Security Survey
“Casual Intruder - Disgruntled Employee” • Shoulder surfing co-workers • Finding written password • Post-It Notes • DayTimer • Guessing password • “password” • Spouse/Dog/Kid’s name • Username
“Serious Hacker” • All of the “casual” approaches • “Social engineering” • Password cracking • “Crack” • “L0phtCrack” • “Cracker Jack” • Network sniffing
Passwords Are Not Secure • Tools for defeating passwords abound • Compromise is not detectable • Passwords can be snooped off the Net • Passwords & files are diverted off desktopsor servers • Password protected credentialsare compromised off-line
“Privacy” is NOT “Security” Encrypted Tunnel Through Public Network ? Who’s at the other end of the line?
Identification & Authentication IdentificationWho are you? ……. “John Smith”Authentication…….prove that you are John Smith
Identification Authentication ProveIt!
Bank 1234 5678 9010 Methods of User Authentication • Something you know • Password, PIN, “mother’s maiden name” • Something you have • magnetic card, smart card, token, Physical key • Something unique about you • Finger print, voice, retina, iris “1059”
One Time Passcode 345656 Locked SecurID Passcodes can only be used ONCE! Passcode Accepted 568787 Locked Passcode Accepted Passcode Accepted 879845 Locked 879845 Already Used Access Denied Shoulder Surfing and Snoop will NOT work !
Traditional Authentication Options Identification & Strong User Authentication Hardware Token Level of Security Software Token Identification & Weak Authentication Identification & Weakest Authentication Passwords
New Authentication Options Biometric Smart Card Digital Certificate Identification & Strong User Authentication Hardware Token Level of Security Software Token Identification & Weak Authentication Identification & Weakest Authentication Passwords
Secure Remote Access • Let’s look at reducing the risks and complexity
Internet The Internet Simplifies Remote Access Global Access delivered by ISP
Reducing The Risks? • The Internet is a collection of unsecured networks! • Strong Authentication and Encryption can provide a solution • New Technology • VPN
What is a VPN? • VPN - “Virtual Private Network” • Transport encrypted information via the Internet and public networks • Offer benefits of private network using “free” Internet infrastructure • Encryption means privacy not security • A VPN can be owned and run locally, or delivered as a service from a Telco or ISP
Secure VPN Send Session Key Request Passcode Request Connection PIN + Send Passcode Creating a Secure VPN ACE/Server Firewall or RAS server Internet
Internet VPNs Reduce Cost and Complexity • Reduce leased line costs and dial access charges • Reduce user support • Simplify remote access architecture • Reduce help desk services • Allow tracking / billing for usage • Reduce equip. costs for remote access
Increased Use of Authenticators Internet users (177% CAGR) 20,000,000 VAN users (132% CAGR) 15,000,000 Dial-in users (52% CAGR) 10,000,000 5,000,000 0 1996 1997 1998 1999 2000 Source: Giga EST., Sept. 1997
User Support Phone/ISP Charges Routers/Servers T1 Lines VPNs Offer Estimated 60% Cost Savings Remote Access Cost Comparisons for 2000 Remote Users - ($000's) Internet Remote Access Traitional Remote Access $- $500 $1,000 $1,500 $2,000 $2,500 $3,000 $3,500 Source: Forrester Research 7/97
Secure Web Applications Using the WWW to share sensitive information • Home Banking • Business to Business Communication • Price Lists to Partners • Human Resources • Product Support and Updates
Secure Web Authentication & Privacy • Issues Similar to Remote Access • User Identification & Authentication • Passwords are not enough! • Data Privacy during connection • Prevent snooping • Granular Access • Grant access rights based upon service level
SecurWorld Customer Reseller SecurCare SecurWorld Online Passcode Passcode ********** ********** Web Applications Security
What about Certificates for Authentication? • A Digital Certificate is a unique electronic identifier (complex password) associated with a user • Browsers use certificates widely for establishing a level of authentication • More and more applications will use certificates • Email, SSSO, E-commerce • A user’s certificate can be used to check a Digital Signature - a unique electronic signature associated with the owner of the certificate • essential for non-repudiation of messages and transactions
How can we be sure of a Certificate? • A certificate is usually ‘signed for’ electronically by a Trusted Third party, e.g. Verisign • I.e. Two companies trust the integrity of a certificate issued by a jointly trusted external organisation • Today most Certificates are stored electronically on servers (e.g. LDAP) • So how can we be sure that the person who is using a certificate is who they say they are! • We Cannot unless they use Strong Authentication! ?
Smartcards for Security • Benefits • Two Factor ‘Strong Authentication’ • Secure storage of Private Credentials • Building Access • Photograph • Other Applications • Downside • Readers • Infrastructure
Soft Smartcards • Host based secure electronic ‘wallets’ (or files) that contain a users security credentials • Downloaded to the user on successful authentication • Two Factor Authentication to access Soft Smartcard • Excellent transitional solution to help companies migrate to smartcards for network access • Available today
PIN + Soft Smartcards for Secure Applications Access User dials-in Request for Passcode User Sends Passcode Authenticates and Credentialsdownloaded
Summary • Local and Global Electronic Commerce can • increase productivity and communication • reduce costs of doing business • deliver competitive advantage • Suffers from risk of abuse and fraud if not prudently secured • User Authentication, Encryption of traffic and use of Certificates can deliver very secure applications including E-Commerce