Well, you should care. And you know what? They are more expensive in the long run! The threat landscape has changed. Attackers are smart, aggressive, persistent, and they WILL get in. User names and passwords aren't difficult for them to expose. To name just a few, here are some breaches, in case you weren't living on earth!
• Epsilon sends out over 40B emails per year for 2,500 or so clients; the email address databases of their clients were breached / exposed.
• Sony: 70 million subscribers affected (leaked usernames / passwords, etc.).
• With the explosion of cloud apps, both consumer and business centric, users are creating usernames and passwords stored in the cloud. Because passwords are often re-used, a breach in one place lets the credentials be harvested and used to get into other cloud applications.
MORE BREACHES…
*TechCrunch
Presenter
Presentation Notes
Here is one that happened not too long ago: 6.5 million passwords leaked.
• If they had used an OTP you would still need to reset your password, but it would be much less urgent, as the attackers would also need your OTP in order to access your account.
• Another interesting note: they don't have a CISO or a head of IT security. I am sure that will change (if it hasn't already!)
http://techcrunch.com/2012/06/06/6-5-million-linkedin-passwords-reportedly-leaked-linkedin-is-looking-into-it/
Another fairly recent one. The attackers used a union-based SQL injection technique to penetrate the Yahoo subdomain.
http://news.cnet.com/8301-1009_3-57470878-83/yahoo-breach-swiped-passwords-by-the-numbers/
Before looking ahead, let's look back and really look at what many companies are doing today. Let's have a look at some of the most common legacy authenticators that are in use today.
EVALUATING THE AUTHENTICATORS: TRANSPARENT AUTHENTICATION
Pro
• Minimal user involvement, high usability
• User interaction only when the risk level is higher
• No authenticator to deploy
Con
• More complex to initialize
• User confusion when prompted
• Still requires an additional
EVALUATING THE AUTHENTICATORS: OTP
Pro
• Proven / familiar
• No hardware to deploy to read
Con
• Single purpose
• Lost / forgotten tokens
• Seed file security
• Cost / distribution
EVALUATING THE AUTHENTICATORS: PAPER (INERT) TOKENS – GRID CARDS
Pro
• Easy to use
• Multiple forms
• Combine with identity badge
• Cost effective
Con
• Easier to copy
• Should be replaced more often
• Single purpose
EVALUATING THE AUTHENTICATORS: BIOMETRICS
Pro
• Very secure / hard to clone
• They're always with us (we hope!)
• Shared readers
Con
• Expensive and technically complex
• Capture and storage of personal data
• Reliability of readers
EVALUATING THE AUTHENTICATORS: PKI (CERTIFICATES)
Pro
• Very secure (hard to clone)
• Easy to use (transparent)
• Extensible to other applications / use cases
Con
• Technically complex without PKI experience
• Where to store certificates
• If the root is compromised, all bets are off!
EVALUATING THE AUTHENTICATORS: SMART CARDS
Pro
• Very secure
• Easy to use
• Multipurpose (LACS, PACS, employee badge, flash pass)
Con
• Higher cost
• Can require a myriad of products to provision
• Card readers required
• Lost / stolen cards
AS THE WORLD PROGRESSES… WHAT’S NEXT
• More secure
• More cost effective
• More multi-purpose
• More convenient
MOBILE IS POISED TO DISRUPT THIS SPACE!
OK, so that has been the authentication world as we know it for quite some time. Let's talk about the future.
MOBILE HOLDS THE PROMISE FOR THE NEXT GENERATION OF IDENTITY
Geo Location
Biometrics
Secure Element
Crypto
Application Platform
“Out of Band”
• Users want to carry them
• Always in hand
• Always connected
• Convenient
• Support work / personal balance
• Deployment / use continues to grow at an outstanding pace
• Computing power means they are multi-purpose
OK, so why mobile devices as authenticators? The phone is a Swiss army knife of capabilities that can be leveraged for security.
Animation 1: So, why mobile?
• Users want to carry them. The device is becoming increasingly valuable to all users (personal communication, mobile apps, etc.).
• Users are familiar with them, and they check them every minute! (When was the last time you checked for your wallet? Or your OTP hard token? Building pass? Exactly.)
• And thanks to Moore's law, they are cheaper and more powerful.
Animation 2: This allows organizations to tie useful real-time data together for a better identity security picture. Things like:
• Geo location: am I here or there?
• Biometrics: voice, facial (Google phone), and with attachments, fingerprint.
• Secure Element: thanks to the heavy investment in mobile wallet technology, the secure element is a chip that acts as a safe, storing credit cards and "ID cards". It is secure, and can only be accessed with authorization (PIN, etc.).
• OOB: phones are multi-channel. One good way to mitigate the risk of man-in-the-middle is to send an out-of-band confirmation.
• OTP: phones can do OTPs transparently, or by displaying the OTP. This is a cost-effective way to directly replace hard tokens.
• Crypto: since these devices are ever more powerful, they can handle a lot of complex cryptographic functions, thus increasing security across the board.
WHAT CAN IT DO?
Mobile devices can easily be provisioned with additional or temporary authenticators
Soft Token
OOB Transaction Verification
SMS OTP
eGrid
Mobile as a smart card
So, leveraging your mobile devices: look at three ways we can leverage mobility to enhance security. What we are talking about here is using the device to secure transactions and to authenticate into physical / logical systems. It just makes sense (what we talked about previously). It can do:
• Physical building access
• Logical access, through Bluetooth, NFC
• And when married with federation, cloud-based access can be achieved (i.e. Salesforce.com, etc.)
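As an added example (not code from the presentation or any vendor it describes), here is what the "soft token" and "OOB transaction verification" items above amount to in Python: standard HOTP/TOTP generation (RFC 4226 / RFC 6238) as a phone soft token would compute it, a server-side check that tolerates clock drift, and a confirmation code that is an HMAC over the transaction details shown on the phone, so a man-in-the-middle that alters the amount in the browser session cannot reuse the user's confirmation. The seed and transaction values are constructed for the demo; a real deployment provisions the seed to the device (ideally into the secure element).

```python
import hashlib
import hmac
import struct

# Constructed demo seed (the RFC 4226 test-vector secret); a real soft token
# gets its seed provisioned to the device, not embedded in source.
DEMO_SEED = b"12345678901234567890"
STEP_SECONDS = 30


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: a 31-bit slice chosen by the MAC's last nibble."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-based OTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): the counter is the number of 30 s steps elapsed."""
    return hotp(secret, unix_time // STEP_SECONDS, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, drift_steps: int = 1) -> bool:
    """Server-side check allowing a little clock drift; constant-time comparison."""
    for d in range(-drift_steps, drift_steps + 1):
        if hmac.compare_digest(totp(secret, unix_time + d * STEP_SECONDS), code):
            return True
    return False


def transaction_code(secret: bytes, amount: str, payee: str, nonce: str, digits: int = 8) -> str:
    """OOB transaction verification: the code binds the details the user sees on the
    phone (amount, payee, server nonce), so a confirmation for one transaction is
    useless for a tampered one. Message framing is an assumption of this demo."""
    details = f"{amount}|{payee}|{nonce}".encode()
    mac = hmac.new(secret, details, hashlib.sha256).digest()
    return _truncate(mac, digits)


def verify_transaction(secret: bytes, amount: str, payee: str, nonce: str, code: str) -> bool:
    """Server recomputes the code from the transaction it is about to execute."""
    return hmac.compare_digest(transaction_code(secret, amount, payee, nonce), code)
```

The nonce should be single-use on the server side so a captured confirmation code cannot be replayed for an identical later transaction.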