Authentication & Reputation, Adding Business Value In The Real World
Post on 01-Nov-2014
DESCRIPTIONTrack: SECURITY, PRIVACY, COMPLIANCE | 1:30 PM - 2:30 PM S3: Authentication and Reputation: Adding Business Value in the Real World It's not a secret that the adoption of authentication and reputation standards is hitting critical mass in organizations around the globe. Almost 40 percent of all email is authenticated with Sender ID and/or DKIM, but what does that mean to an organization? Is authenticated email helping businesses improve efficiencies and protect their inboxes? Attendees will learn the direct impact authentication and reputation can have on business goals and bottom lines. From brand protection to deliverability to curtailing spam, learn how adopting and taking action based on authentication and reputation can dramatically affect businesses on many levels. MODERATOR: Patrick Peterson, VP Technology, IronPort PANELIST: Barry Abel, VP of Field Operations, Message Systems PANELIST: Bill McInnis, Director, Message Level PANELIST: Alberto Mujica, President and CEO, Reputation Technologies Inc.
- 1. Authentication & Reputation Adding Business Value in The Real World
- Introductions & Agenda Review
- The Big Picture
- IP-based Blocklists and Reputation
- Domain-based Authentication & Reputation
- The Future
- Patrick Peterson, Vice President Technology, IronPort Systems
- Alberto Mujica, President and CEO, Reputation Technologies, Inc
- Barry Abel, VP of Field Operations, Message Systems
- Bill McInnis, Director, Message Level
4. The Big Picture REPUTATION CERTIFICATION 1 4 Who do you claim to be? Validate Identity Risk of badness/probability of goodness based on historical factors Third-party affirmation Make decision, take action IDENTITY ACTION 2 AUTHENTICATION 3 5. Identity
- Patrick Richard Peterson
- Allow onto airplane?
- Allow into USA?
- Owner of house on Whitney Street, San Francisco, CA?
- IronPort Systems
- Credit worthy?
- Authorized resellers?
6. Authentication (of Identity)
- Signature, Notary
- Retina scan
7. Consumer Credit Reputation
- Three Credit Bureaus sell credit reports
- Fair Isaac provides underlying technology
- Fair Isaac Corporation (NYSE: FIC) is the leading provider of decision management solutions powered by advanced analytics. Today, the companys solutions, software and consulting services power more than 180 billion smarter business decisions each year for companies worldwide.
8. Business Credit Reputation
- D&B ( NYSE:DNB ) is the worlds leading source of commercial information and insight on businesses, enabling companies to Decide with Confidence for over 165 years.
- Third-party that certifies (accredits) that an entity complies with certain standards or practices
10. Facts about IP Based Authentication
- Not really authentication, better referred to as identification
- Difficult or impossible to spoof
- IP based identification runs into limitations when
- Senders are on shared email servers (Like giving a license to a car and not a person)
- Behind proxies
- Senders would like to send different kinds of messages from the same IP
- RBLs provide Good/Bad responses, not a range of responses
11. Current Situation with IP Based Authentication
- DKIM and/or SPF authentication are prerequisites for domain based authentication and therefore reputation
- Once either SPF and/or DKIM are widely adopted reputation can be based on domain names
- Email reputation providers like ReturnPath, Habeas and Reputation Technologies require static IP addresses
- Because SPF and DKIM are not yet over the tipping point email reputation providers like ReturnPath, Habeas and Reputation Technologies have to use IP identification instead of domain authentication
12. Barry Abel, Message Systems VP Field Operations 13. Authenticating Domains
- SenderID and DKIM
- Both work to verify that every e-mail message originates from the Internet domain from which it claims to have been sent.
14. SenderID 15. DKIM 16. Current Status of DKIM & Sender ID
- The Internet Engineering Task Force (IETF) made DKIM a standard in May 2007
- Already in wide use
- Sender ID*
- Every day, 20 million forged messages are detected by Sender ID-enabled domains.
- Reputable marketers that have adopted Sender ID have realized improved deliverability, with up to 85 percent fewer messages mistakenly marked as spam in Windows Live Hotmail.
- With spam increasing 40 percent in the past 12 months, spam in Hotmail users inboxes has actually been reduced by 50 percent; Sender ID contributed 8 percent of that reduction.
- *Microsoft news release dated 5/18/07
17. Why Use Domain Authentication
- ISP are using various technologies to protect their customers and themselves.
- Like going into battle ISP need multiple layers of protection
- Policy Enforcement
- To gain access through these lines of defense you need to have the same technologies.
- Bill McInnis
- Director, Message Level
19. DO SOMETHING!!!
- Strongly worded suggestions being offered by Associations for members to implement SPF and DKIM
- DMA, BITS, ESPC
- Example: BITS is recommending TLS, SPF, SIDF and DKIM within 18 months
- Associations can talk 10x faster than their constituents can move
- Many ISPs are committed to using authentication to evaluate email
20. SPF and DKIM pros
- Allows companies to identify mail servers where mail is authorized to come from
- Relatively easy for senders to support
- Many ISPs utilize SPF as a factor in email delivery
- More heavyweight solution
- Allows a company to cryptographically sign an email
- Allows ISPs to identify signatures and associated messages that compute correctly and handle those messages different
21. SPF and DKIM Cons
- Breaks some current use cases of email Forwarding, etc
- Senders dont know what receivers are doing,if anything
- Doesnt not protect anything the end users sees 2821 address (xyz.com) 2822 address (chase.com) Does this make SPF worth much of anything?
- Doesnt break forwarding - No reliable replay protection
- Potential for signature breakage
- Cannot reliable detect bad messages
- No data for senders
- Many traditional problems associated with PKI key propagation and changes
22. Authentication Alone Creates a False Sense of Security Delivered-To:[email_address] Received: by 10.67.65.8 with SMTP id s8cs550968ugk; Tue, 8 May 2007 10:05:35 -0700 (PDT) Received: by 10.90.105.19 with SMTP id d19mr6545698agc.1178643934853; Tue, 08 May 2007 10:05:34 -0700 (PDT) Return-Path:[email_address] Received: from mail03.bankofamerica.cl (mail03.bankofamerica.cl [126.96.36.199]) by mx.google.com with ESMTP id 14si2200432wrl.2007.05.08.10.05.33; Tue, 08 May 2007 10:05:34 -0700 (PDT) Received-SPF: pass (google.com: domain of email@example.com designates 188.8.131.52 as permitted sender) From: "Bank of America"[email_address] To:[email_address] Subject: Reactivate your Account