
Identity Assurance

Emory University Security Conference, March 26, 2008.


Presentation Transcript


  1. Identity Assurance Emory University Security Conference March 26, 2008

  2. Identity Assurance - A Key Element of Information Risk Management. Revenue Growth; Cost Reduction; Customer Retention; Business Continuity; Compliance. Sensitive Information: HR Records - Card Holder Data - Health Records - Financial Results; Intellectual Property - Financial Transactions; Personal Identifiable Information; Grades - Exams - Contracts - SSN. Risk: Unavailability - Data Corruption - Denial of Service; Eavesdropping - Media Loss - Data Theft; Device Failure - Denial of Service - Unauthorized Activity; Device Takeover - Intercept - Unavailability; Lost Laptops - Unauthorized Access - Data Theft. Security Incidents: Endpoint; Network; App / DB; FS/CMS; Storage. What information is important to the business? How do we mitigate risks associated with accessing the organization’s information and IT resources?

  3. What is Identity Assurance? The set of capabilities and methodology that minimizes business risk associated with identity impersonation and inappropriate account use Allows trusted identities to freely and securely interact with systems and access information Extends user authentication from a single security measure to a continuous trust model Provides enterprises new ways to generate revenue, satisfy customers, and control costs

  4. Identity Assurance Enables Ubiquitous Security. Higher Risk: More Weight on Authentication Strength. Early Adopters of Strong Authentication; Super User Accounts; Online Business Banking; System Administrators; Online Retail Banking; Remote Access (VPN); Consumers: Less Control over PCs; Employees: More Control over PCs; Partners; Network Login; Collaborative Forums; Social Networks; Workgroup Solutions; Information Portals. Lower Risk: Greater Weight on TCO and Ease of Use. *Source: Gartner, Inc. “WWWW.Authentication: Why? When? What? Who?” by Ant Allan, November, 2007

  5. Why Focus on Identity Assurance? • Identity assurance is the essential foundation for trusted business process • Establishes trust by proving identities of the participants in a transaction • “On the Internet, nobody knows you’re a dog” • Identity Assurance is the essential foundation for other critical services • Access Management • Audit • Compliance • Personalization

  6. The State of Identity Assurance • Passwords still dominate, but continue to weaken • The need for strong authentication continues to grow • Increasing number of business processes moving online • Employee mobility expanding – demand for anywhere anytime access to information • Compliance and notification laws proliferate • Phishing attacks have increased dramatically (see www.antiphishing.org) • Amongst strong authentication solutions, • Tokens continue to dominate in the enterprise • Smart cards are getting more capable • Biometrics are still getting press, and some large deployments • Consumer-oriented strong authentication appears (e.g., E*Trade) • Risk-based authentication emerges in consumer-facing markets • New authenticators continue to appear

  7. Enabling Identity Assurance • According to the value and criticality of the data, application, identity or transaction • For enterprises’ Workforce, Customers and Partners • While striking the right balance among Risk, Cost and Convenience

  8. Credential Management • Identity Verification • Positively identify and authenticate users before credential issuance • Identity and Credential Policy • Create and enforce policy for issuance, access and end user self-service • Lifecycle management • Comprehensively manage credentials throughout their entire lifecycle

  9. Identity Assurance • A Range of Authentication Mechanisms • Assures identities' access to systems, information or transactions, based on risk • Choice of Different Form Factors • Provides organizations choice to optimize across security, end user convenience while reducing total cost of ownership • Delivery Platforms • Delivered as on premise software, an appliance or as a service (SaaS)

  10. Contextual Authorization • Access Control • Enforces access to corporate resources based on role, risk and business context. • Step-Up Authentication • Enables “The right Authentication at the right time”, assuring security throughout the session. • Federation • Provides and shares trusted identities across applications and corporate boundaries.

  11. Intelligence • Identity & Activity Verification • Monitors Identities and activities • Verifies credentials & prevents misuse • Proactive Threat Protection • Detects and prevents credential theft • Alerts on emerging threats • Real-time Information Sharing • Facilitates intelligence sharing • Enables enterprise collaboration

  12. The Business Drivers for Identity Assurance

  13. Enable Mobility • Trends: • Globalization and mobility of the workforce • Rise in unmanaged devices and locations for remote access • Passwords alone have limited effectiveness • Solution: • Secure and simplify remote access to network resources • Authenticate authorized mobile users to corporate resources • Enable business continuity in outage situations

  14. Secure Access • Trends: • Employees, partners, contractors & customers requiring access to sensitive corporate information • Proliferation of new information portals • Careless or negligent insiders put sensitive data at risk • Solution: • Authenticate authorized users to access critical information on the network • Provide secure access for the right people to the right applications to the right level of information through role-based authorization

  15. Prevent Fraud • Trends • Identity theft and financial fraud are growing • Enterprises need to inspire user confidence and encourage remote channel usage • Solutions • External Threat and Identity Theft Mitigation • Multi factor Authentication and Fraud Detection • Identity and transaction Verification

  16. Compliance • Trends • Global compliance and regulatory environment is becoming increasingly complex • Regulations are driving adoption of additional security measures • Penalties for non-compliance are being enforced • Solutions • Multi factor Authentication and Fraud Detection • Transaction Monitoring and Access enforcement • Reporting and auditing

  17. Ease of Use

  18. Secure Enterprise Access Technology Solutions: It’s not one size fits all

  19. On Demand Authentication • Support for Short Messaging Service (SMS) / Email delivered OTP • Minimal impact on end user

  20. Information Risk Management: protecting your most critical assets • Information-centric: Clarifies business context and reveals potential vulnerabilities • Risk-based: Establishes a clear priority for making security investments • Repeatable: Based on foundation of broadly applicable best practices and standard frameworks • Risk; Business Initiatives; Sensitive Information; Security Incidents; IT Systems: Endpoint, Network, Apps/DB, FS/CMS, Storage • Reveals where to invest, why to invest, and how security investments map to critical business objectives

  21. Summary • There will be continued pressure on organizations to put business processes online • Hackers and thieves will continue to exploit vulnerable systems • The emphasis on information security will increase as will regulations and laws • Identity assurance should be considered as a piece of the overall security strategy • No single authentication method is a perfect solution for all situations

  22. Information-centric Security
