transitional technology slide for roadshow - PowerPoint PPT Presentation

Slides: 46
Provided by: fredwal

Transcript and Presenter's Notes



1
(No Transcript)
2
Securing Electronic Commerce: Identification and Authentication
Douglas Graham, UK Channel Technical Manager, Security Dynamics Technologies, Inc.
3
Security Dynamics Technologies Inc.
110,000 BoKS users Major OEM relationships
3 million users of SecurID 3,000 companies
9,000 installations
2,000 companies 250 of the Fortune 500
4
Key Business Trends
  • Enhanced outreach and collaboration with
    employees, customers, partners, distributors and
    suppliers
  • Emergence of the virtual enterprise
  • Market of One interactive customer relationship

eBusiness is no longer a competitive advantage,
it is a necessity
5
Key Technology Trends
  • Rapid deployment of intranets and extranets
  • New generation of inexpensive, high-speed,
    IP-ready network capacity coming online
  • Broad adoption and continued evolution of
    mission-critical ERP applications
  • Continued outsourcing of network transport, Web
    hosting and application deployment

Moving rapidly to the Internet-enabled enterprise
6
Key Security Trends
  • Enterprises supplementing perimeter defense with
    protection of applications and information
  • Increasing requirements for user authentication,
    authorization and intrusion monitoring and
    detection
  • PKI emerging as a common architectural foundation
    for multiple security applications
  • Security decisions driven by line-of-business
    needs

Enterprise security is the key enabler for
eBusiness
7
What is Electronic Commerce?
  • Electronic Commerce is the temporary extension of
    a computer network over a Public or Private
    connection to facilitate business transactions.
  • PSTN, ISDN, Internet
  • Can be used by Individual users or to connect two
    or more networks together.
  • Notebook dial-in for email, small office to HQ
    connection

8
Remote Access
Head Office
Mobile User
Public Network
9
Electronic Commerce Applications
  • Home Banking
  • Quick and Easy access to corporate information and
    services
  • Sharing information between Business Partners
    and Customers
  • Telecommuters (Home working) and Day Extenders
  • IT Support Staff

10
Remote Access Benefits
  • Productivity
  • Cost Savings
  • Easy Information Access
  • High Availability of Information
  • Competitive Advantage

11
Remote Access Growth
Source: Giga, September 1997
12
[Chart: W. European eCommerce, 1996-2001. Commerce revenue per year (millions), year ending; CAGR 137%. Source: IDC, July 97]
13
What are the risks?
  • Protecting the network and data from abuse by
    authorised users
  • Protecting the network and data from abuse by
    unauthorised users
  • Data Privacy
  • Data Confidentiality
  • Complexity of service operation and delivery

14
Attacks from Inside Out
Reported Security Breaches
Unauthorized access by employees
System penetration from outside
Source: 1998 CSI/FBI Computer Crime and Security Survey
15
Cost of Security Breaches
Average loss (000)
Reported Security Breaches
Financial fraud
Theft of proprietary information
Unauthorized access by employees
Source: 1998 CSI/FBI Computer Crime and Security Survey
16
Casual Intruder - Disgruntled Employee
  • Shoulder surfing co-workers
  • Finding written password
      • Post-It Notes
      • DayTimer
  • Guessing password
      • password
      • Spouse/Dog/Kids name
      • Username

17
Serious Hacker
  • All of the casual approaches
  • Social engineering
  • Password cracking
      • Crack
      • L0phtCrack
      • Cracker Jack
  • Network sniffing

18
Passwords Are Not Secure
  • Tools for defeating passwords abound
  • Compromise is not detectable
  • Passwords can be snooped off the Net
  • Password files are diverted off desktops or
    servers
  • Password-protected credentials are compromised
    off-line

19
Privacy is NOT Security
Encrypted Tunnel Through Public Network
Who's at the other end of the line?
20
Identification and Authentication
Identification: Who are you? ... John Smith
Authentication: ... prove that you are John Smith
21
Prove It!
22
Methods of User Authentication
  • Something you know
      • Password, PIN, mother's maiden name
  • Something you have
      • Magnetic card, smart card, token, physical key
  • Something unique about you
      • Fingerprint, voice, retina, iris

23
Two Factor Strong Authentication
PIN
24
One Time Passcode
  • SecurID Passcodes can only be used ONCE!

Passcode Accepted
345656 Locked
Passcode Accepted
568787 Locked
Passcode Accepted
879845 Locked
879845 Already Used
Access Denied
Shoulder Surfing and Snoop will NOT work!
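
The accept, lock and "Already Used" behaviour on this slide, combined with the PIN factor from the previous one, as an added example that is not part of the original presentation. SecurID's own algorithm is not shown in the deck; this sketch substitutes an RFC 4226/6238-style HMAC code, and `PasscodeServer`, `tokencode`, the 60-second step and the drift window are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import struct

STEP = 60    # seconds each tokencode stays valid (assumed for this sketch)
DIGITS = 6   # six-digit codes, as on the slide


def tokencode(seed: bytes, counter: int) -> str:
    """HOTP (RFC 4226) dynamic truncation of HMAC-SHA1(seed, counter)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def _pin_hash(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class PasscodeServer:
    """Hypothetical verifier: PIN (know) plus tokencode (have), single use."""

    def __init__(self):
        self._users = {}      # user -> (salt, pin_hash, token seed)
        self._last_step = {}  # user -> newest time step already accepted

    def enroll(self, user: str, pin: str, seed: bytes) -> None:
        salt = os.urandom(16)
        self._users[user] = (salt, _pin_hash(pin, salt), seed)

    def verify(self, user: str, pin: str, code: str, now: float) -> str:
        if user not in self._users:
            return "Access Denied"
        salt, pin_hash, seed = self._users[user]
        pin_ok = hmac.compare_digest(_pin_hash(pin, salt), pin_hash)
        current = int(now) // STEP
        matched = None
        for step in (current - 1, current, current + 1):  # tolerate clock drift
            if hmac.compare_digest(tokencode(seed, step).encode(), code.encode()):
                matched = step
        if not pin_ok or matched is None:
            return "Access Denied"   # never reveal which factor failed
        if matched <= self._last_step.get(user, -1):
            return "Already Used"    # replayed or older code stays locked
        self._last_step[user] = matched
        return "Passcode Accepted"
```

Tracking the newest accepted time step, rather than a list of spent codes, also locks out any older code that is still inside the drift window.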
25
Traditional Authentication Options
26
New Authentication Options
Identification Strong User Authentication
Hardware Token
Level of Security
Software Token
Identification Weak Authentication
Identification Weakest Authentication
Passwords
27
Secure Remote Access
  • Let's look at reducing the risks and complexity

28
Remote Access Complexity
29
The Internet Simplifies Remote Access
Global Access delivered by ISP
30
Reducing The Risks?
  • The Internet is a collection of unsecured
    networks!
  • Strong Authentication and Encryption can provide
    a solution
  • New Technology
      • VPN

31
What is a VPN?
  • VPN - Virtual Private Network
  • Transport encrypted information via the Internet
    and public networks
  • Offer benefits of private network using free
    Internet infrastructure
  • Encryption means privacy not security
  • A VPN can be owned and run locally, or delivered
    as a service from a Telco or ISP

32
Creating a Secure VPN
ACE/Server
Firewall or RAS server
Internet
33
VPNs Reduce Cost and Complexity
  • Reduce leased line costs and dial access charges
  • Reduce user support
  • Simplify remote access architecture
  • Reduce help desk services
  • Allow tracking / billing for usage
  • Reduce equip. costs for remote access

34
Increased Use of Authenticators
[Chart: Internet users (177% CAGR), VAN users (132% CAGR), Dial-in users (52% CAGR), 1996-2000. Source: Giga est., Sept. 1997]
35
VPNs Offer Estimated 60% Cost Savings
[Chart: Remote Access Cost Comparisons for 2000 Remote Users (000's), Internet Remote Access vs. Traditional Remote Access. Source: Forrester Research 7/97]
36
Secure Web Applications
Using the WWW to share sensitive information
  • Home Banking
  • Business to Business Communication
  • Price Lists to Partners
  • Human Resources
  • Product Support and Updates

37
Secure Web Authentication and Privacy
  • Issues Similar to Remote Access
  • User Identification and Authentication
      • Passwords are not enough!
  • Data Privacy during connection
      • Prevent snooping
  • Granular Access
      • Grant access rights based upon service level

38
Web Applications Security
39
What about Certificates for Authentication?
  • A Digital Certificate is a unique electronic
    identifier (complex password) associated with a
    user
  • Browsers use certificates widely for establishing
    a level of authentication
  • More and more applications will use certificates
      • Email, SSSO, E-commerce
  • A user's certificate can be used to check a
    Digital Signature - a unique electronic signature
    associated with the owner of the certificate
      • Essential for non-repudiation of messages and
        transactions

40
How can we be sure of a Certificate?
  • A certificate is usually signed for
    electronically by a Trusted Third party, e.g.
    Verisign
  • I.e. Two companies trust the integrity of a
    certificate issued by a jointly trusted external
    organisation
  • Today most Certificates are stored electronically
    on servers (e.g. LDAP)
  • So how can we be sure that the person who is
    using a certificate is who they say they are!
  • We Cannot unless they use Strong Authentication!

41
Smartcards for Security
  • Benefits
      • Two Factor Strong Authentication
      • Secure storage of Private Credentials
      • Building Access
      • Photograph
      • Other Applications
  • Downside
      • Readers
      • Infrastructure

42
Soft Smartcards
  • Host-based secure electronic wallets (or files)
    that contain a user's security credentials
  • Downloaded to the user on successful
    authentication
  • Two Factor Authentication to access Soft
    Smartcard
  • Excellent transitional solution to help companies
    migrate to smartcards for network access
  • Available today

43
Soft Smartcards for Secure Applications Access
User dials-in
Request for Passcode
User Sends Passcode
Authenticates and Credentials downloaded
44
Summary
  • Local and Global Electronic Commerce can
      • increase productivity and communication
      • reduce costs of doing business
      • deliver competitive advantage
  • Suffers from risk of abuse and fraud if not
    prudently secured
  • User Authentication, Encryption of traffic and
    use of Certificates can deliver very secure
    applications including E-Commerce

45
(No Transcript)