Building an Identity Management Infrastructure for Today…and Tomorrow

Andrea Klein
Chief Marketing Officer, IdenTrust Inc.

Information Systems Security, 16:74–79, 2007. Copyright © Taylor & Francis Group, LLC. ISSN: 1065-898X print/1934-869X online. DOI: 10.1080/10658980701250083

Address correspondence to Andrea Klein, IdenTrust Inc. Fax: 415-848-2745.



With the number and sophistication of e-crimes on the rise, businesses of all types are being forced to rethink the scope of their information security strategies. In recent years, businesses worldwide have directed significant attention to security for physical access, single sign on, and provisioning. The rapid escalation of phishing, pharming, and man-in-the-middle attacks, however, is forcing businesses to focus on the role of identity authentication in their overall security infrastructure.

Technology-based identity access solutions, which are often standalone, are no match for the modern hacker. Forget the image of a lone hacker waging attacks from his basement. Today’s hacker is well-funded, technologically advanced, and extremely adept at taking advantage of even the most secure company’s weaknesses. In fact, many of today’s security breaches are internal, with employees utilizing the company’s own resources to wage attacks from within. Other hackers keep track of Internet Protocol (IP) addresses assigned by Internet service providers, scanning the addresses to find PCs that don’t have current security patches in place. Hackers also often work in conjunction with virus creators to plant viruses on susceptible computers.

Today’s organizations require an infrastructure that provides globally accepted policies, legally binding contracts, and consistency of operations. This enables the access provided by the point solutions to be given, in a standardized way, to identities issued by financial institutions around the world.

Universal Threat

Phishing and pharming attacks against corporations and other organizations are increasing in frequency and sophistication. In its August 2006 Phishing Trends Report, the Anti-Phishing Working Group (APWG) cited 26,150 unique phishing attacks for the month of August, nearly double the number reported in August 2005. In addition, the APWG detected almost 10,091 unique phishing Web sites during the month.

Although security breaches are a major concern for all corporations, financial institutions are by far the most targeted, enduring 92 percent of all attacks.[1] Furthermore, smaller financial institutions, such as credit unions and community banks, tend to bear the brunt of these attacks, as their systems are often easier to infiltrate.

Impact of E-Crimes on Businesses

While not always immediately evident, every e-crime attack has both short- and long-term consequences for the organization attacked and for the broader business community. Immediate impacts include falling stock prices, revenue loss, negative media attention, legal fees, and the physical and administrative costs of notifying and reassuring the customer base. Longer term, an organization can face the loss of customer confidence, which can often outweigh all other ramifications, as a tarnished reputation and the monetary losses that follow it are difficult to recover from.

A recent survey by the Ponemon Institute[2] looked at the cost of security breaches to banks. While 68 percent of customers give their banks high marks for protecting their personal information, those customers report that only two security breaches would destroy that trust. Equally important, 34 percent of respondents said they would transfer their funds after a single security breach; 45 percent would leave after two security breaches.

Other types of organizations face similar risks. A 2005 study by the Ponemon Institute identified significant customer churn in the wake of security breaches.[3] The study indicated that 20 percent of consumers who were notified by a company that their personal data were compromised said they “discontinued” their relationship with that company. Another 40 percent said they were thinking about doing the same. These numbers become significant when one considers that tens of millions of Americans have received notification that their personal data have been compromised.

With each attack, the business community as a whole suffers. As the rate and severity of phishing attacks against corporations and financial institutions continue to rise, we face the very real possibility that e-crime will ultimately stunt e-commerce growth, preventing electronic services and commerce from reaching critical mass. With many high-profile breaches, we also see an immediate rally for new legislation. This not only helps protect consumers and businesses but also places further cost and compliance burdens on organizations challenged to compete in the competitive global marketplace.

For example, many financial organizations struggled to decipher and comply with guidelines issued by the Federal Financial Institution Examination Council (FFIEC)[4] that called for U.S. banks to implement multi-factor authentication by the end of 2006. The Sarbanes-Oxley Act, USA Patriot Act, Single European Payment Area (SEPA), and Markets in Financial Instruments Directive (MiFID) also each contain provisions relating to identity authentication and information security.

In addition, the U.S. Office of Management and Budget (OMB) recently mandated that U.S. departments and agencies follow the National Institute of Standards and Technology (NIST) recommendations for protecting online information through a separate, secure device. If passed, the Bennett-Carper Data Security Act of 2006 will require banks to disclose information on any type of security breach, regardless of whether it directly affects the customer. The Financial Data Protection Act, Data Accountability and Trust Act, and Personal Data Privacy and Security Act are also pending in Congress; each deals with security breach prevention.

Benefits

Decreasing or eliminating crimes related to identity is a goal of every corporation and financial institution. But the benefits of a comprehensive identity infrastructure encompass more than protection from criminals. These benefits also include the ability to conduct e-business globally, uncover new revenue opportunities, and achieve new operational efficiencies.

A global identity authentication infrastructure, for example, enables corporations to rely on the authenticity of digital signatures for purchase orders, invoices, compliance, and other types of documents, and to finally automate the last part of the supply chain—whether they do business in the same country or across borders.

Using such an infrastructure, financial institutions can leverage their position as a trusted third-party in the traditional off-line world and offer new, fee-based services as a third-party issuer of digital certificates in the online world. Multi-national corporations that must manage relationships with financial institutions around the world can open and close accounts electronically. Conversely, financial institutions have full confidence that their digital signatures are secure and have not been compromised.

Secure identity authentication also creates opportunities for Reverse Factoring, a type of financing that relies on trusted third parties. For example, purchasers can use third parties, such as financial institutions, to verify the trustworthiness of a supplier, facilitating financing and e-commerce between entities not known to each other.

Past Approaches to Identity Authentication

While many technologically advanced solutions have been created to combat identity fraud, such as Public Key Infrastructure (PKI) and tokens, none has gained a solid foothold. Understanding why previous approaches to identity authentication have not been as successful as possible enables corporations and financial institutions to implement an identity infrastructure that bypasses many challenges.

PKI Approach

PKI was one of the first technologies to address the issue of identity management and has been successfully implemented within many large enterprises, such as the U.S. Department of Defense. PKI showed promise with its ability to legally bind signatures through digital authentication. However, few business applications require identity authentication with digital certificates and signatures. While a robust technology, PKI implementations historically have resulted in fragmented, siloed security and identity management systems that did not easily support interoperability. To bring true value to government agencies, corporations, and financial institutions, a PKI-based infrastructure must have interoperability both with other systems and with other countries’ government-mandated schemes. Also, users must be able to rely on the policies and procedures used for issuing the certificates.

Two-factor authentication

As global business interactions became more customary and e-crime grew more prevalent, corporations and financial institutions worked quickly to establish security measures. Many turned to two-factor authentication, coupling a password with another type of identification. This method, however, is not a certain solution. For example, thieves can easily steal personal identification numbers (PINs) by looking over a victim’s shoulder, leaving the victim unaware of the theft until a crime is committed.

Two-factor authentication has also proved to be unsuccessful at thwarting man-in-the-middle attacks because fraudulent sites can be inserted into the workflow through techniques such as phishing or hacking into the link between the user and their ISP, thus compromising the data being transferred (Figure 1).

Man-in-the-middle attacks occur when a hacker intercepts confidential messaging between a bank and a customer without either party knowing that the link between them has been compromised. The hacker then uses the acquired information, usually a user ID and password, to gain access to the customer’s account. This type of attack is successful because the victim usually unknowingly plays a part in the scam.

To fully protect against man-in-the-middle attacks, the user must be authenticated to the site and the site authenticated to the user. Two-factor authentication does not necessarily achieve this goal. A recent man-in-the-middle attack involving a large, multi-national financial institution highlights the shortcomings of one-time passwords, which are sometimes used in two-factor authentication. In this attack, the criminals spoofed the token key hardware used by the bank’s customers to generate one-time passwords, tricking the customers into entering their passwords into a faux banking login site. The criminals then used the stolen passwords to access thousands of accounts via the bank’s real Web site.

In addition to one-time passwords, several authentication methods are being used, with varying degrees of success, to help thwart man-in-the-middle attacks, including public keys, stronger mutual authentication, secret keys, and other criteria, such as voice recognition or other biometrics. Man-in-the-middle attacks are very rare for PKI, as the issuing bank performs public key checks to ensure that they are valid.

Token solution

Security experts agree that one of the most effective approaches to identity authentication is through the use of a secure individual device, such as a smart card or token, that authenticates and validates each user. Others argue that this approach has several challenges, including consumer resistance to using a token and the cost of issuing and replacing such security devices, which can be easily misplaced. However, these arguments are no longer valid. Devices such as iPods and other gadgets that make use of USB ports are common and can easily serve double-duty as security devices. The only missing link is an easy, inexpensive way to educate users and transition them to using more secure devices, such as tokens, USB devices, or smart cards.

The challenge today with consumers is that they have little incentive to sign up for digital certificates and signatures since few applications demand them for authentication. Equally important, financial institutions are skittish about enforcing device-based security, without being able to show a value add. Another disincentive for consumers is the $50 liability limit associated with most card transactions. Believing that they will only lose $50, many consumers do not feel extra protection is necessary. As identity fraud continues to grow in prevalence, consumers will begin to understand that the $50 liability limit is no help when their identity has been stolen and someone else is using their social security number to apply for new credit cards or to finance large purchases such as homes, planes, and boats.

Corporations have a different perspective from the average consumer. Entities involved in supply chain commercial transactions are liable for greater losses. They are, therefore, more eager to implement greater security.

Global Identity Infrastructure

New threats and risks continue to emerge almost daily that increasingly require an end-to-end approach to identity authentication. For example, now that many debit card networks are moving from proprietary networks to an IP-based platform, fraudsters are increasingly engaging in money laundering by establishing legitimate businesses in a country as a front for their illicit activity. They establish a bank account and obtain credit and debit cards under the name of the “front business.” Funds from their illicit activities are deposited into the bank accounts they have created in the United States and other countries. While in another country, in which their U.S.-based bank has affiliates, they make withdrawals from their U.S. bank account using credit and debit cards. Money is deposited by one of their accomplices in the United States and is transferred to pay off the credit card loan or even prepay the credit card. The bank’s online services make it possible to transfer funds between checking and credit card accounts without connecting all of the activities related to the total transaction.

Figure 1 Usernames and one-time passwords alone will not guarantee against man-in-the-middle attacks because fraudulent sites can be inserted into the workflow through techniques such as phishing, thus compromising the data being transferred.

The bank that opened the account for the business should conduct appropriate due diligence as part of the account opening process. It should understand the nature of the business and the type of activity expected of the business, including the size, frequency, and types of payments anticipated. The bank should then be able to track those expectations against the account holder’s actual usage, monitoring deposit and withdrawal activity. By being able to track all activity associated with the identity, the bank can monitor patterns and trends on the account for significant changes, such as prepayments going to credit cards. It can also detect suspicious activity and send it off for further analysis through a Suspicious Activity Report (SAR). It is also able to tie all transaction activity together based on identity rather than a specific account.

Solving the Identity Management Puzzle

A majority of identity management solutions provide only one piece of the entire puzzle. For example, corporations and financial institutions have already implemented numerous security measures to address everything from physical access to single sign on and provisioning. They now need to move their focus to identity authentication—the new front line in the security battle. To have the flexibility to respond to new types of fraud and resulting regulations, a comprehensive approach to identity management needs to incorporate a globally interoperable solution for identity authentication.

While it is promising that first steps have been taken in the United States to comply with guidelines such as those from the FFIEC, most of those steps relate to authenticating the user to the site, rather than authenticating the site to the user. Corporations and financial institutions must do both, and they must then sign both the data and the container in which it is transported.

What is also needed today is a phased approach to identity authentication that will expand and strengthen as needed, rather than a solution that works briefly but must then be retrofitted to protect against more sophisticated attacks.

A comprehensive system for identity authentication cannot rely on a device or signature alone. It requires policies, legal infrastructure, operational consistency, and reliable technology for access. Of special importance are procedures and guidelines that work across multiple institutions and geographic borders. For identity authentication to really provide the trusted environment that both corporate and retail customers require for doing business, the legal framework must be acceptable both domestically and across borders. Otherwise, a corporation or its financial institution could face the prospect of adjudicating possible disputes in jurisdictions around the world should a security breach arise, risking that the contracts being relied upon are not binding—an expensive and cumbersome prospect.

A comprehensive solution establishes and cooperates with these legal infrastructures in conjunction with the identity authentication solutions themselves, a process that can be difficult and costly for a corporation or its financial institution to create and maintain. Equally important, a hosted infrastructure offers the scalability to rapidly introduce new security features to respond to new types of crime and regulations. For example, an increasingly important feature, in the wake of the emergence of phishing and pharming, is the ability to validate the user to the site and the site to the user, and the ability to sign both the data and the container in which it is sent. Traditional solutions focus on a single method of authentication and then combine it with a PIN or password to meet the multi-factor authentication guidelines. PKI-based approaches, in conjunction with a second authentication method, combine two strong authentication approaches, thus providing the strongest authentication (Figure 2).
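As an added illustration of the two-way check called for here and in the man-in-the-middle discussion above (example code written for this page, not IdenTrust's or the article's own), the toy exchange below has the site sign a fresh challenge with its certified key, and the user sign a response that is bound to the identity of the site the user actually connected to, so a relayed challenge is refused by the user's client and a response given to some other site is rejected by the bank. The site and user names and the textbook RSA with fixed small primes are constructed for illustration only.

```python
"""Mutual authentication with key pairs, bound to the site identity.

Toy model of "authenticate the site to the user and the user to the site".
The RSA below is textbook RSA with tiny fixed primes and no padding: it is
here to show the protocol and is NOT a usable signature scheme.
"""
import hashlib
import secrets

def keygen(p, q, e=65537):
    """Textbook RSA key pair from two primes (assumed prime, not checked)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))          # (public, private)

def digest(msg: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(priv, msg: bytes) -> int:
    n, d = priv
    return pow(digest(msg, n), d, n)

def verify(pub, msg: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == digest(msg, n)

SITE_KEYS = {}   # site id -> certified public key (what users trust)
USER_KEYS = {}   # user id -> certified public key (what the bank trusts)

class Site:
    def __init__(self, site_id: str, primes):
        self.site_id = site_id
        self.pub, self.priv = keygen(*primes)
        SITE_KEYS[site_id] = self.pub
        self.pending = set()                     # nonces issued, unused

    def challenge(self) -> dict:
        """Site authenticates itself: signs its own id plus a fresh nonce."""
        nonce = secrets.token_hex(8)
        self.pending.add(nonce)
        sig = sign(self.priv, f"{self.site_id}|{nonce}".encode())
        return {"site_id": self.site_id, "nonce": nonce, "sig": sig}

    def verify_login(self, resp: dict) -> bool:
        """Accept only a response bound to THIS site and to a nonce it issued."""
        if resp["nonce"] not in self.pending or resp["site_id"] != self.site_id:
            return False
        self.pending.discard(resp["nonce"])      # each nonce is usable once
        pub = USER_KEYS.get(resp["user_id"])
        msg = f"{resp['user_id']}|{resp['site_id']}|{resp['nonce']}".encode()
        return pub is not None and verify(pub, msg, resp["sig"])

class Client:
    def __init__(self, user_id: str, primes):
        self.user_id = user_id
        self.pub, self.priv = keygen(*primes)
        USER_KEYS[user_id] = self.pub

    def respond(self, peer_id: str, chal: dict):
        """peer_id is the site the client is really connected to (the name in
        its certificate). The challenge must be signed by the key certified
        for that peer, and the answer is bound to that peer's id."""
        pub = SITE_KEYS.get(peer_id)
        msg = f"{chal['site_id']}|{chal['nonce']}".encode()
        if pub is None or chal["site_id"] != peer_id or not verify(pub, msg, chal["sig"]):
            return None                          # site failed to prove itself
        msg = f"{self.user_id}|{peer_id}|{chal['nonce']}".encode()
        return {"user_id": self.user_id, "site_id": peer_id,
                "nonce": chal["nonce"], "sig": sign(self.priv, msg)}

def login(bank: Site, user: Client, connected_to: str) -> bool:
    """One exchange: the user answers the bank's challenge while connected
    to `connected_to`; a relayed challenge never passes verify_login."""
    resp = user.respond(connected_to, bank.challenge())
    return resp is not None and bank.verify_login(resp)
```

The one-time-password case the article describes fails precisely because the password carries no such binding: it is equally valid wherever the user types it.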

Solutions that simply authenticate the user to the site, and not the site to the user, while good first attempts, simply do not guarantee a secure infrastructure, and are not in compliance with FFIEC guidelines and other regulations. To provide security on the highest level possible, multi-factor authentication must be performed across all levels, using a single, comprehensive solution that cross-authenticates the user with the site, and secures the two through digitally-issued certificates. It is also critical to have validation of certificates against a real-time updated list that indicates whether or not the certificate has expired or been revoked. PKI-based approaches incorporate a protocol used to provide real-time validation of a certificate’s status. An Online Certificate Status Protocol (OCSP) responder is used to respond to certificate status requests and can issue one of three responses: Valid, Invalid, or Unknown. An OCSP responder replies to certificate status requests on the basis of Certificate Revocation Lists (CRL) provided by certification authorities. Authentication across institutions or borders requires a real-time validation check in order to ensure the strongest level of trust.
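As an added illustration of the status check described here (example code written for this page, not a real OCSP implementation and not IdenTrust's), the model below answers status requests from the CRLs its certification authorities have published, reports unknown when it holds no current CRL for the issuer, refuses to let a stale CRL roll back a newer one, and has the relying party reject a certificate that is expired, revoked, or of unknown status. It uses the RFC 6960 status names good/revoked/unknown rather than the article's Valid/Invalid/Unknown; the issuer names, serial numbers and dates are constructed.

```python
"""CRL-backed certificate status check in the shape of an OCSP responder.

Simplified model with no ASN.1, signatures or network I/O: a "CRL" is an
in-memory record of revoked serial numbers plus its validity window.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Certificate:
    issuer: str
    serial: int
    not_after: datetime

@dataclass
class CRL:
    issuer: str
    this_update: datetime          # when the CA produced this list
    next_update: datetime          # CA promises a newer list by this time
    revoked: dict = field(default_factory=dict)   # serial -> revocation time

class OCSPResponder:
    """Answers certificate status requests from the CRLs it has loaded."""

    def __init__(self):
        self.crls = {}             # issuer -> newest CRL seen

    def load_crl(self, crl: CRL) -> None:
        current = self.crls.get(crl.issuer)
        # An older list must never replace a newer one: that would
        # silently "un-revoke" certificates.
        if current is None or crl.this_update > current.this_update:
            self.crls[crl.issuer] = crl

    def status(self, issuer: str, serial: int, now: datetime) -> str:
        crl = self.crls.get(issuer)
        if crl is None or now > crl.next_update:
            return "unknown"       # issuer not served, or the list has lapsed
        revoked_at = crl.revoked.get(serial)
        if revoked_at is not None and revoked_at <= now:
            return "revoked"
        return "good"

def validate(cert: Certificate, responder: OCSPResponder, now: datetime):
    """Relying-party decision: expiry first, then real-time status.
    Returns (accepted, reason)."""
    if now > cert.not_after:
        return False, "expired"
    status = responder.status(cert.issuer, cert.serial, now)
    return status == "good", status

# Constructed sample data (hypothetical CA, serials and clock).
DEMO_NOW = datetime(2007, 3, 1, 12, 0)

def cert(issuer: str, serial: int, days_left: int) -> Certificate:
    return Certificate(issuer, serial, DEMO_NOW + timedelta(days=days_left))

def build_demo() -> OCSPResponder:
    """One CA, CRL published 30 minutes ago, serial 1002 revoked yesterday."""
    responder = OCSPResponder()
    responder.load_crl(CRL("Bank CA",
                           this_update=DEMO_NOW - timedelta(minutes=30),
                           next_update=DEMO_NOW + timedelta(hours=12),
                           revoked={1002: DEMO_NOW - timedelta(days=1)}))
    return responder

if __name__ == "__main__":
    r = build_demo()
    for c in (cert("Bank CA", 1001, 365), cert("Bank CA", 1002, 365),
              cert("Bank CA", 1001, -1), cert("Other CA", 7, 365)):
        print(c.issuer, c.serial, validate(c, r, DEMO_NOW))
```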

Relying on multiple approaches and systems for authentication results in irregularity and inconsistency in the system, and promotes identity fraud and other e-crimes. Furthermore, proper implementation of multi-factor authentication ensures approval from auditors and allows for an effortless transition to digital certificates. It also creates a return on investment, because customers are willing to pay more when they trust that their confidential information will be kept secure. Customers rely on their banks for secure financial transactions and communications. Banks that are attacked by fraudsters and hackers lose that trust.

Without the assurance that both parties are secure, e-crime will continue to tear down the financial services industry and will limit the expansion of business worldwide. When a company utilizes a solution that provides access to a worldwide network of trusted credentials based on global standards for real-time identity authentication, it allows for interoperability among applications and helps to build an identity authentication infrastructure today that will continue to work tomorrow.

Endnotes

1. Anti-Phishing Working Group (APWG).
2. 2006 Privacy Trust Study for Retail Banking, Ponemon Institute, 2006.
3. National Survey on Data Security Breach Notification, Ponemon Institute, 2005.
4. An organization established by Congress in 1987 to coordinate and unify regulations, standards and report forms among the five member federal agencies that regulate savings institutions, commercial banks and credit unions: Office of Thrift Supervision, Office of the Comptroller of the Currency, Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, and National Credit Union Administration.

Figure 2 Using key pairs — which combine a public and a private key with something known to the user — provides the strongest authentication available today.
