Post on 09-Feb-2016
Securing Electronic Commerce: Identification & Authentication
Douglas Graham, UK Channel Technical Manager
Security Dynamics Technologies, Inc.
Security Dynamics Technologies Inc. (Security Dynamics / RSA)
• 3 million users of SecurID
• 3,000 companies
• 9,000 installations
• 300 million copies installed & in use worldwide
• 110,000 BoKS users
• Major OEM relationships
• 2,000 companies
• 250+ of the Fortune 500
Key Business Trends
• Enhanced outreach and collaboration with employees, customers, partners, distributors and suppliers
• Emergence of the “virtual enterprise”
• “Market of One” interactive customer relationship
eBusiness is no longer a competitive advantage, it is a necessity
Moving rapidly to the Internet-enabled enterprise
Key Technology Trends
• Rapid deployment of intranets and extranets
• New generation of inexpensive, high-speed, IP-ready network capacity coming online
• Broad adoption and continued evolution of mission-critical ERP applications
• Continued outsourcing of network transport, Web hosting and application deployment
Enterprise security is the key enabler for eBusiness
Key Security Trends
• Enterprises supplementing perimeter defense with protection of applications and information
• Increasing requirements for user authentication, authorization and intrusion monitoring and detection
• PKI emerging as a common architectural foundation for multiple security applications
• Security decisions driven by line-of-business needs
What is Electronic Commerce?
• Electronic Commerce is the temporary extension of a computer network over a public or private connection to facilitate business transactions.
– PSTN, ISDN, Internet
• Can be used by individual users or to connect two or more networks together.
– Notebook dial-in for email, small office to HQ connection
Remote Access
[Diagram: Mobile User connecting over a Public Network to Head Office]
Electronic Commerce Applications
• Home banking
• Quick, easy access to corporate information and services
• Sharing information between business partners & customers
• Telecommuters (home working), day extenders
• IT support staff
Remote Access Benefits
• Productivity
• Cost savings
• Easy information access
• High availability of information
• Competitive advantage
Remote Access Growth
[Chart: US remote access users, 1997-2000, rising to 56 million. Source: Giga, September 1997]
W. European e*Commerce, 1996-2001
[Chart: commerce revenue per year ($ million), Business and Consumer, for years ending 1996-2001. The two series read 214, 681, 1,795, 4,343, 8,809, 14,794 and 136, 421, 1,278, 3,123, 6,469, 11,115; combined CAGR = 137%. Source: IDC, July ’97]
What are the risks?
• Protecting the network and data from abuse by authorised users
• Protecting the network and data from abuse by unauthorised users
• Data privacy
• Data confidentiality
• Complexity of service operation and delivery
Attacks from Inside & Out
[Chart: reported security breaches, percentage of respondents (0-45%): unauthorized access by employees; system penetration from outside. Source: 1998 CSI/FBI Computer Crime and Security Survey]
Cost of Security Breaches
[Chart: average loss per reported breach ($000, $0-$3,000): financial fraud; theft of proprietary information; unauthorized access by employees. Source: 1998 CSI/FBI Computer Crime and Security Survey]
“Casual Intruder - Disgruntled Employee”
• Shoulder surfing co-workers
• Finding written passwords
– Post-It notes
– DayTimer
• Guessing passwords
– “password”
– Spouse/dog/kid’s name
– Username
“Serious Hacker”
• All of the “casual” approaches
• “Social engineering”
• Password cracking
– “Crack”
– “L0phtCrack”
– “Cracker Jack”
• Network sniffing
Passwords Are Not Secure
• Tools for defeating passwords abound
• Compromise is not detectable: a stolen password works exactly like the legitimate one, so its use leaves no trace
• Passwords can be snooped off the Net
• Passwords & files are diverted off desktops or servers
• Password-protected credentials are compromised off-line, where guessing is unlimited and invisible to the server
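The last two bullets describe the attacker's side of the problem. The following added example (not code from the deck or from the tools it names) shows it in miniature: a credentials file has been copied off a server, and the attacker recovers the weak passwords by hashing guesses locally. The hash scheme (salted SHA-256), the user records and the wordlist are constructed for illustration.

```python
"""Offline dictionary attack against a copied credentials file.

Added example, not code from the deck nor from Crack, L0phtCrack or
Cracker Jack. Every guess is checked on the attacker's own machine, so
the victim's server logs no failed logins: "compromise is not detectable".
The hash scheme, user records and wordlist are constructed for illustration.
"""
import hashlib


def hash_password(password: str, salt: bytes) -> str:
    """Salted, unkeyed hash of the kind found in a credentials file (assumed)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


# Constructed "stolen" credentials file: username -> (salt, hex digest).
# Two users picked the kinds of password the deck warns about.
STOLEN = {
    "jsmith":  (b"s1", hash_password("password", b"s1")),      # “password”
    "dgraham": (b"s2", hash_password("rover1", b"s2")),        # dog's name + digit
    "admin":   (b"s3", hash_password("Xk9#vQ2!pL7m", b"s3")),  # long random
}

# Constructed wordlist built the way a casual intruder guesses:
# "password", pet and family names, and the usernames themselves.
BASE_WORDS = ["password", "rover", "fluffy", "sarah", "letmein",
              "jsmith", "dgraham", "admin"]


def candidates():
    """Yield guesses: each word plain and capitalised, then with one digit appended."""
    for word in BASE_WORDS:
        yield word
        yield word.capitalize()
    for word in BASE_WORDS:
        for digit in range(10):
            yield f"{word}{digit}"


def crack(stolen: dict) -> tuple:
    """Try every candidate against every stolen hash.

    Returns ({user: recovered_password}, number_of_hashes_computed).
    Nothing here touches the victim's systems: the work is entirely offline.
    """
    recovered = {}
    work = 0
    for user, (salt, digest) in stolen.items():
        for guess in candidates():
            work += 1
            if hash_password(guess, salt) == digest:
                recovered[user] = guess
                break
    return recovered, work


if __name__ == "__main__":
    found, hashes = crack(STOLEN)
    for user, pw in found.items():
        print(f"{user}: {pw}")
    print(f"{hashes} hashes computed, 0 login attempts seen by the server")
```

The salt only stops one hash computation from serving every account; it does nothing against a per-account dictionary run. The deck's remedy is the one-time passcode: a sniffed or shoulder-surfed passcode gives the attacker nothing reusable to take away and crack.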
“Privacy” is NOT “Security”
[Diagram: encrypted tunnel through a public network]
Who’s at the other end of the line? The tunnel hides the traffic from the network, but by itself it does not establish who the peer is.
Identification & Authentication
• Identification: Who are you? ... “John Smith”
• Authentication: ... prove that you are John Smith
[Diagram: Identification, then Authentication: “Prove it!”]
Methods of User Authentication
• Something you know
– Password, PIN, “mother’s maiden name”
• Something you have
– Magnetic card, smart card, token, physical key
• Something unique about you
– Fingerprint, voice, retina, iris
Two Factor “Strong” Authentication
[Diagram: bank card 1234 5678 9010 (something you have) + PIN “1059” (something you know)]
One Time Passcode
SecurID passcodes can only be used ONCE!
[Diagram: successive login attempts. Fresh passcodes: Passcode Accepted (three times). Reused passcode 879845: Already Used. Further attempts with 345656, 568787 and 879845: Locked; Access Denied]
Shoulder surfing and snooping will NOT work!
Traditional Authentication Options
[Diagram: options ranked by level of security]
• Passwords: Identification & Weakest Authentication
• Software Token: Identification & Weak Authentication
• Hardware Token: Identification & Strong User Authentication
New Authentication Options
[Diagram: the same level-of-security scale, from Identification & Weakest Authentication (Passwords) through Identification & Weak Authentication (Software Token) to Identification & Strong User Authentication (Hardware Token), with Biometric, Digital Certificate and Smart Card added]
Secure Remote Access
• Let’s look at reducing the risks and complexity
Remote Access Complexity
The Internet Simplifies Remote Access
[Diagram: the Internet, global access delivered by ISP]
Reducing The Risks?
• The Internet is a collection of unsecured networks!
• Strong authentication and encryption can provide a solution
• New technology
– VPN
What is a VPN?
• VPN - “Virtual Private Network”
• Transport encrypted information via the Internet and public networks
• Offer the benefits of a private network using “free” Internet infrastructure
• Encryption means privacy, not security: it hides the traffic but does not establish who is at the other end
• A VPN can be owned and run locally, or delivered as a service from a Telco or ISP
Creating a Secure VPN
[Diagram: mobile user, Internet, Firewall or RAS server, ACE/Server]
• Request connection (user to firewall/RAS server)
• Request passcode (firewall/RAS server to user)
• PIN + tokencode: send passcode (user to firewall/RAS server, which checks it with ACE/Server)
• Send session key (firewall/RAS server to user, once ACE/Server accepts the passcode)
Secure VPN
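The exchange above and the earlier “One Time Passcode” slide (Passcode Accepted, Already Used, Locked) are easiest to follow in code. The following is an added example, not Security Dynamics or ACE/Server code: the SecurID token algorithm is proprietary, so the stand-in derives a 6-digit tokencode from a per-token secret and a 60-second time step with HMAC-SHA1, the way the later open TOTP standard (RFC 6238) does. The 60-second step, the one-step clock-drift window, the three-strike lockout, the class names and the constructed token seed are assumptions made for the example.

```python
"""Two-factor one-time passcode login behind a VPN gateway.

Added example, not Security Dynamics code. The tokencode is an
HMAC-SHA1 time-based code (TOTP-style stand-in for the proprietary
SecurID algorithm); step size, drift window, lockout threshold and
class names are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
import struct
from typing import Optional

STEP_SECONDS = 60   # assumed: token shows a new code every minute
DRIFT_STEPS = 1     # assumed: accept one step either side of server time
MAX_FAILURES = 3    # assumed: lock the token after three bad passcodes


def tokencode(secret: bytes, now: int) -> str:
    """6-digit code a token seeded with `secret` would display at Unix time `now`."""
    counter = struct.pack(">Q", now // STEP_SECONDS)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


class AceServer:
    """Authentication server (the deck's ACE/Server): holds each user's PIN and
    token secret and remembers which time steps have already been redeemed."""

    def __init__(self) -> None:
        self.users = {}

    def enroll(self, user: str, pin: str, secret: bytes) -> None:
        self.users[user] = {"pin": pin, "secret": secret, "used": set(),
                            "failures": 0, "locked": False}

    def verify(self, user: str, passcode: str, now: int) -> str:
        """Passcode = PIN followed by the current tokencode. Returns a slide verdict."""
        rec = self.users.get(user)
        if rec is None:
            return "Access Denied"
        if rec["locked"]:
            return "Locked"
        verdict = "Access Denied"
        for drift in range(-DRIFT_STEPS, DRIFT_STEPS + 1):
            t = now + drift * STEP_SECONDS
            expected = rec["pin"] + tokencode(rec["secret"], t)
            if hmac.compare_digest(expected.encode(), passcode.encode()):
                step = t // STEP_SECONDS
                if step in rec["used"]:        # shoulder-surfed or sniffed replay
                    verdict = "Already Used"
                    break
                rec["used"].add(step)          # a passcode can only be used once
                rec["failures"] = 0
                return "Passcode Accepted"
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILURES:
            rec["locked"] = True
            return "Locked"
        return verdict


class RemoteAccessServer:
    """Firewall / RAS server in front of the tunnel. It never holds the token
    secret; it relays the passcode to ACE/Server and issues a session key
    only on "Passcode Accepted"."""

    def __init__(self, ace: AceServer) -> None:
        self.ace = ace
        self.sessions = {}

    def connect(self, user: str, passcode: str, now: int) -> tuple:
        verdict = self.ace.verify(user, passcode, now)
        if verdict != "Passcode Accepted":
            return verdict, None
        key: Optional[bytes] = secrets.token_bytes(16)  # session key for the tunnel
        self.sessions[user] = key
        return verdict, key


def demo() -> list:
    """Replay the sequence of outcomes the slide shows, returning the verdicts."""
    ace = AceServer()
    seed = bytes(range(20))              # constructed token seed, not a real one
    ace.enroll("jsmith", "1059", seed)   # PIN 1059 as on the bank-card slide
    ras = RemoteAccessServer(ace)
    now = 1_000_000
    good = "1059" + tokencode(seed, now)
    wrong_pin = "0000" + tokencode(seed, now)
    return [
        ras.connect("jsmith", good, now)[0],                 # fresh passcode
        ras.connect("jsmith", good, now + 5)[0],             # same passcode replayed
        ras.connect("jsmith", wrong_pin, now + 10)[0],       # right token, wrong PIN
        ras.connect("jsmith", wrong_pin, now + 15)[0],       # third strike
        ras.connect("jsmith", "1059" + tokencode(seed, now + 60), now + 60)[0],  # valid but locked
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Two caveats a practitioner would add to the slide. The PIN is still “something you know” and a shoulder-surfer sees it along with the tokencode, which is exactly why the replay check and the lockout carry the weight here. And a session key literally “sent” across the untrusted network would be readable by the same sniffer the deck worries about; in practice the key is derived or agreed as part of the tunnel's own handshake rather than transmitted.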
VPNs Reduce Cost and Complexity
• Reduce leased line costs and dial access charges
• Reduce user support
• Simplify remote access architecture
– Reduce help desk services
– Allow tracking / billing for usage
– Reduce equipment costs for remote access
Increased Use of Authenticators
[Chart: users, 1996-2000 (0-20,000,000): Internet users (177% CAGR), VAN users (132% CAGR), dial-in users (52% CAGR). Source: Giga est., Sept. 1997]
VPNs Offer Estimated 60% Cost Savings
[Chart: remote access cost comparisons for 2,000 remote users ($000s, $0-$3,500): Traditional Remote Access vs Internet Remote Access, broken down into user support, phone/ISP charges, routers/servers and T1 lines. Source: Forrester Research 7/97]
Secure Web Applications
• Home banking
• Business to business communication
• Price lists to partners
• Human resources
• Product support and updates
Using the WWW to share sensitive information
Secure Web Authentication & Privacy
• Issues similar to remote access
– User identification & authentication: passwords are not enough!
– Data privacy during connection: prevent snooping
– Granular access: grant access rights based upon service level
Web Applications Security
[Screenshots: SecurWorld Online login pages for Reseller (SecurCare) and Customer, each prompting for a Passcode]
What about Certificates for Authentication?
• A digital certificate binds a user’s identity to a public key; the certificate itself is public, and the matching private key is the secret the user must protect
• Browsers use certificates widely for establishing a level of authentication
• More and more applications will use certificates
– Email, SSSO, E-commerce
• A user’s certificate can be used to check a digital signature - a unique electronic signature created with the private key of the certificate’s owner
– essential for non-repudiation of messages and transactions
How can we be sure of a Certificate?
• A certificate is usually ‘signed for’ electronically by a trusted third party, e.g. Verisign
– i.e. two companies trust the integrity of a certificate issued by a jointly trusted external organisation
• Today most certificates are stored electronically on servers (e.g. LDAP)
– So how can we be sure that the person who is using a certificate is who they say they are?
• We cannot, unless they use strong authentication! The certificate is public; what proves identity is possession of the private key, so access to that key must itself be protected by a second factor.
Smartcards for Security
• Benefits
– Two-factor ‘strong authentication’
– Secure storage of private credentials
– Building access
– Photograph
– Other applications
• Downside
– Readers
– Infrastructure
Soft Smartcards
• Host-based secure electronic ‘wallets’ (or files) that contain a user’s security credentials
• Downloaded to the user on successful authentication
• Two-factor authentication to access the soft smartcard
• Excellent transitional solution to help companies migrate to smartcards for network access
• Available today
Soft Smartcards for Secure Applications Access
[Diagram: user dials in; server requests passcode; user sends PIN + passcode; server authenticates and the credentials are downloaded]
Summary
• Local and global electronic commerce can
– increase productivity and communication
– reduce costs of doing business
– deliver competitive advantage
• Suffers from risk of abuse and fraud if not prudently secured
• User authentication, encryption of traffic and use of certificates can deliver very secure applications including E-Commerce