Symantec Validation and ID Protection Service

Transcription

1 WHITE PAPER: LOW-COST, EASY-TO-USE CLOUD-BASED AUTHENTICATION Symantec Validation and ID Protection Service Who should read this paper Traditional on-premise two-factor authentication (2FA) solutions have been too costly for organizations to deploy universally across their operations. Given the significant investment required to purchase, implement, and manage 2FA in-house, most have been forced to pick and choose isolated areas of their businesses to secure. Learn how Symantec Validation and ID Protection Service enables organizations of all sizes to defend their sensitive networks, applications, and data against unauthorized access with a two-factor authentication solution offering unprecedented cost and operational savings.

2

3 WHITE PAPER: LOW-COST, EASY-TO-USE CLOUD-BASED AUTHENTICATION Symantec Validation and ID Protection Service Contents Introduction Protecting the enterprise: Three scenarios, three sets of challenges B2B Authentication: The need for trusted communities B2E Authentication: Managing an increasingly remote/mobile workforce B2C Authentication: Delivering a trusted online experience Symantec Validation and ID Protection Service Conclusion Glossary

4 Introduction You may be seeking a way to safeguard your business-to-business (B2B) interactions. Or your top priority might be securing access to the corporate network by remote employees. Or perhaps it s preventing fraud in customer transactions. In all these cases, two-factor authentication (2FA) delivers the strong security you need in today s digital world. But traditional on-premise 2FA solutions have been too costly for organizations to deploy universally across their operations. Given the significant investment required to purchase, implement, and manage 2FA in-house, most have been forced to pick and choose isolated areas of their businesses to secure. The result? Major gaps in security that can expose organizations to fraud and theft, accelerate customer defections, and put companies at risk of failing compliance audits. All that has changed with the availability of cloud-based 2FA. With access to a flexible and scalable 2FA solution that resides in the cloud, you can now afford to deploy 2FA throughout your operations to protect all digital interactions and activities whether involving employees, partners, customers, or any combination of the above. Symantec Validation and ID Protection Service is a cloud-based authentication service that delivers cost-effective, 2FA security with flexible choices of credentials. Because it is based in the cloud, it delivers unprecedented cost and operational savings. As such, it is the ideal choice for organizations of all sizes and across all industries needing to safeguard their networks, information assets, and transactions against intrusion, theft, corruption, or loss. Protecting the enterprise: Three scenarios, three sets of challenges You know you need strong authentication to keep your B2B interactions with partners and suppliers secure. But what about protecting the corporate network now that you ve opened it up to access by remote employees? Or ensuring that customer transactions are safeguarded against fraud? All three of these scenarios business-to-business (B2B), business-to-employee (B2E), and business-to-consumer (B2C) are critical to ensure your company is safe on all fronts. Although currently B2B leads the way in use of strong authentication, with 53 percent of Two-factor authentication: A definition Two-factor authentication combines something a user knows, such as a user name and password, with something he or she possesses, such as a unique six-digit security code (that changes every 30 seconds) generated by a card, token, or mobile phone. (A third type of factor something a user is, such as a fingerprint or other biometric measure can also be leveraged in security systems.) Most security mechanisms today involve singlefactor authentication typically involving a user name and password. But authentication solutions that use at least two of the three factors to verify identity are considered more secure than those that use singlefactor authentication only. 1 enterprises using strong authentication to secure interactions with partners, 52 percent believe they need 360 coverage across all segments of their businesses: B2C, B2B, and B2E. 2 In all these cases, cloud-based 2FA is a compelling solution that delivers numerous benefits compared to traditional on-premise solutions. In addition to securing partner, employee, and customer data from intrusion and fraud, cloud-based 2FA means you don t have to expand your IT staff or infrastructure to support it there s no new hardware or software to install and maintain. Authentication in the cloud minimizes the operational costs and complexity of implementing strong authentication. Finally, complying with regulatory mandates is an ever-present imperative across all three populations which cloud- based 2FA affordably addresses. Payment Card Industry (PCI), Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley (SOX), and the 1- Frequently Asked Questions on FFIEC Guidance on Authentication in an Internet Banking Environment, August 15, Trends in Strong Authentication Survey, Imprivata miscdocs/strong_authentication_survey_research_report_final_april_2009.pdf. 1

5 European Union (EU) Data Protection Directive, among other regulations, all require organizations to demonstrate that they ve put security mechanisms and processes in place to ensure the security and/or privacy of data. Cloud-based 2FA solutions help you comply with the minimum of cost and organizational pain. B2B Authentication: The need for trusted communities Lines between extranets and intranets are blurring. Businesses are increasingly extending access to their networks to partners, suppliers, and vendors. The need for strong security is thus an imperative, not an option. After all, data leakage, intellectual property theft, fraud, and malicious activities continue to cost businesses millions of dollars every year, with the average data leak costing a U.S. company in the vicinity of $6.3 million. 3 Ninety-two percent of enterprise security professionals report that their companies experienced a cyber attack, and 77 percent said they considered cybercrime would be an increasingly serious threat. 4 Other reasons that strong authentication is needed in B2B situations: Malicious activities in the form of Internet-based threats, attacks, and hacks are responsible for one in every five occurrences of data loss. 5 Sites that infect browsers PCs with password-stealing malware have also been steadily growing. In 2009, one in every 150 legitimate sites were infected with malware. 6 Cloud-based 2FA helps address these issues by delivering a security solution that is not only robust, but extraordinarily cost-effective. By implementing a centralized strong authentication solution, cloud-based 2FA helps eliminate data leakage, theft, and fraud due to unauthorized access. And as ecosystems consisting of interdependent organizations that work together toward a common goal, such as serving a particular customer base, continue to proliferate, 2FA raises the level of trust across all participants. B2E Authentication: Managing an increasingly remote/mobile workforce Chances are good that a significant proportion of your workforce is already accessing your network from beyond the four physical walls of your business. By the end of 2013 over 75 percent of U.S. employees and nearly 1.2 billion workers worldwide are expected to routinely work outside traditional office environments, 7 and many of these employees will need to remotely access the corporate network. Moreover, the mobile revolution is growing. Already, 89 of the top 100 U.S. companies offer telecommuting. Fifty-eight percent of companies consider themselves virtual workplaces. And 67 percent of all workers use mobile and wireless computing, increasing the opportunities for unauthorized intruders to break into the network. 8 More than 50 percent of enterprises surveyed said remote devices are a top security concern. 9 Today, most organizations will agree that user names and passwords are no longer adequate to protect against unauthorized access. User names and passwords can be easily stolen or compromised. As a result, enterprises have deployed 2FA to a few individuals who require remote access to the most sensitive corporate data. However, supporting a large number of 2FA users can be expensive especially when utilizing an on-premise 2FA solution that requires additional infrastructure investments to deliver the scalability and reliability needed to support a large workforce. 3- Five Data Leak Nightmares, Jeff Vance, NetworkWorld, January 7, Security Mega Trends Survey, Ponemon Institute, November Taking Action to Protect Sensitive Data, the IT Policy Compliance Group, January One in Every 150 Legitimate Sites Infected by Malware, Dennis Fisher, ThreatPost, February 3, Worldwide Mobile Worker Population Forecast, IDC, December The Mobile Workforce and Enterprise Applications , the Insight Research Corporation. 9-"Worldwide Mobile Worker Forecast, IDC, December

6 Cloud-based 2FA addresses these challenges by making it easier and more affordable to manage and use 2FA to support large numbers of users. It also addresses the challenges of scalability and reliability that many individual organizations face when trying to implement onpremise 2FA. And in addition to providing strong authentication that can be tailored to your particular risk model and policies at an affordable cost, 2FA delivered via the cloud is flexible enough to adjust to your changing security requirements. B2C Authentication: Delivering a trusted online experience Identity fraud continues to be a threat. The current tally of victims is 8.1 million adults in the U.S. 10 More than one-half of U.S. adults are concerned about identity theft. 11 A recent survey found that 86 percent of consumers prefer sites that enable proactive security measures such as 2FA. Meanwhile, 68 percent said they would like better systems in place to protect their identities, and 41 percent said they would consider new applications offering identity protection, even if that meant taking extra steps. 12 Given all this, it s not surprising that survey respondents said that line-of-business managers believe that establishing and retaining customer trust is not an option, but a business requirement. 13 Increasingly businesses, such as banks and other financial institutions, are on the hook for consumer losses stemming from security breaches. A U.S. couple who had thousands of dollars stolen from their online account are suing their bank for failing to provide adequate online security. The lawsuit cites a document from the Federal Financial Institutions Examination Council (FFIEC) entitled Authentication in an Internet Banking Environment which says single-factor authentication is inadequate and calls on banks to implement two-factor systems. 14 In the past, traditional ways to authenticate online customers involved independently establishing trust between each of your customers and yourself. With cloud-based 2FA, you eliminate this patchwork approach to authentication while helping consumers feel confident that their online experiences are safe. Online businesses can thus differentiate the online experience through higher perceived security to drive loyalty, decrease churn, and boost revenues. The fact that cloud-based 2FA solutions are scalable is also a boon. Fifty-nine percent of online businesses surveyed in 2008 receive more than 500 customer visits daily, 15 a number that can fluctuate significantly, especially for businesses with seasonal purchasing cycles. Social networking sites have millions of users Facebook alone had million unique visitors in November Cloud-based 2FA enables such businesses to scale as needed to meet demand. This keeps costs aligned with business needs. Symantec Validation and ID Protection Service Symantec Validation and ID Protection (VIP) Service is a cloud- based authentication service that protects enterprises and users from unauthorized account access above and beyond simple user name and password with an additional factor of authentication. Symantec VIP is comprised of the cloud-based service, hosted by Symantec, and a variety of supported 2FA credentials, ranging from security hardware tokens to software-generated credentials. Symantec VIP enables enterprises to provide a safe, easy-to-use, and trusted online experience for their consumers, employees, and business partners to be securely authenticated and thus obtain access to protected information and enable secure communications. 10-Javelin Strategy & Research, 2011 Identity Fraud Survey Report, Five Data Leak Nightmares, Jeff Vance, NetworkWorld, January 7, VeriSign 2008 Brand Research, Synovate/GMI, September Authentication-as-a-Service, A commissioned study conducted by Forrester Consulting on behalf of VeriSign, March 20, Court Allows Woman to Sue Bank for Lax Security After $26,000 Stolen by Hacker, Kim Zetter, Wired, September 4, Authentication-as-a-Service, A commissioned study conducted by Forrester Consulting on behalf of VeriSign, March 20, Facebook Doubles, MySpace Visitors Down in November, ClickZ Stats staff, ClickZ, January 5,

7 Eases credential lifecycle management For Symantec VIP customers who do not want to bear the burdens of credential issuance (such as credential fulfillment, distribution, and support), Symantec offers a hosted solution that issues credentials directly to end users. The service also provides first-level customer support directly to users. This allows enterprises to outsource the complexity to Symantec, while also enabling strong multifactor authentication for their online application in a lightweight, easy-to-integrate fashion. Whatever scenario you are facing B2B, B2E, or B2C authentication you can also offer end users more convenience and security with Symantec VIP Access for Mobile. VIP Access for Mobile allows users to turn their smartphone into a one-time password (OTP) credential. VIP Access for Mobile is free and can be downloaded over the air, which makes implementing 2FA both very easy and extremely cost-effective. As with other Symantec VIP offerings, VIP Access for Mobile is compliant with the Initiative for Open Authentication (OATH) reference architecture and other open standards, so there is no vendor lock-in for authentication credentials. Provides a broad choice of credentials Symantec VIP embraces open standards and allows any OATH-compliant device to be used for authentication. OATH is an industry-wide collaboration to develop an open reference architecture by leveraging existing open standards for the universal adoption of strong authentication. By supporting open standards, Symantec VIP can support a broad array of OTP form factors, from traditional hardware tokens to user-friendly devices, such as USB flash drives, mobile phones, and dual-purpose credit cards. Integrates with existing infrastructure Symantec VIP is implemented as an Internet service. Integration with your online applications is straightforward and simple, using a servicebased application programming interface (API). The result is seamless users are unaware that sophisticated technology is behind the secure logon. By using Symantec VIP APIs, you can evaluate, test, and integrate Symantec VIP 2FA into your own online applications using a Simple Object Access Protocol (SOAP) web services interface. Alternatively, if a traditional software developer kit (SDK) is better suited to your organization, Symantec also offers C and Java SDKs that provide equivalent functionality. In addition to integrating Symantec VIP with your online applications, the APIs also enable you to optionally integrate Symantec VIP functions into your existing help desk application to manage users and credentials. The VIP Test Drive for Developers gives organizations access to these APIs for a pilot environment to test Symantec VIP and integration with a company s online applications. Offers further protection with fraud detection When using Symantec VIP to protect B2C transactions, an important, but invisible, aspect of the service is the VeriSign Identity Protection Fraud Detection Service. Fraud Detection Service works in real time to detect and prevent identity theft and transaction fraud. Combining complex business logic with advanced machine learning techniques, Fraud Detection Service provides an efficient and robust transaction monitoring solution to block criminal acts attempted with stolen identities. Behavioral patterns, including machine fingerprints, are learned for each user upon previous legitimate activity, while anomalous actions are detected and reported as suspicious. Business rules are also applied for identifying high-risk characteristics and scenarios. When the risk score exceeds a predefined threshold, the user is challenged and required to pass a higher level of authentication. 4

8 For example, the Fraud Detection Service automated system may query the user to identify him or herself further with any of the following types of credentials: an OTP, a unique question and answer, a PIN provided to the user in or SMS, or by phone or a customer service call. Part of a layered security strategy While proven point products can be effective, no single security measure is foolproof. That s why Symantec VIP is designed to be a part of a larger layered security strategy. A multilayer approach to security addresses the full spectrum of online challenges around identity theft and fraud, delivering a continuum of protection across all critical areas of Internet transactions: authenticating the website, protecting the transaction, protecting the user s identity, and fraud detection/protection. In a layered security approach, complementary security products and services such as strong authentication, fraud detection, and Secure Sockets Layer (SSL) certificates fortify each other to create a solution that is stronger than the sum of its parts. Why Symantec VIP? Easy and cost-effective to implement. As a cloud-based service, you don t need to invest in additional hardware or software or other infrastructure components to deploy Symantec VIP. Deployment is quick and easy. Supports a variety of credentials. This includes everything from hardware tokens to free mobile phone-based software credentials. Scales as needed. Symantec VIP can meet the needs of small and medium businesses (SMBs), large enterprises, and government organizations alike. Integrates with your existing infrastructure. Adherence to industry standards and open APIs means that cloud-based Symantec VIP can easily interoperate with your current infrastructure and applications. Conclusion Organizations today must ensure the identity of users in three broad scenarios: B2B, B2E, and B2C. Yet on-premise solutions are too costly and don t scale on-demand when an increasing number of users need 2FA. Symantec, a trusted provider of enterprise security solutions, delivers proven, cloud- based 2FA to protect against unauthorized access to corporate applications and data containing sensitive information. Symantec VIP makes compliance with access control requirements more affordable even as it scales to safeguard any volume of data or number of applications an enterprise needs to protect. Whether concerned about safeguarding B2B, B2E, or B2C interactions, Symantec VIP meets your authentication needs. 5

9 Glossary 2-Factor Authentication, Strong Authentication, Multifactor Authentication All of these terms refer to the authentication practice of requiring confirmation of something you know, such as a user name and password, and something you have, such as a smart card, token or certificate. Authentication The process of confirming that something is genuine. In computer security, authentication is usually an automated process of verifying the identity of someone or something, such as a computer or application. Credential Proof of qualification, competence, or clearance that is attached to a person. A digital certificate, token, smart card, mobile phone, or installed software are credentials that may be used to enable strong or multifactor authentication.

10

11 About Symantec Symantec is a global leader in providing security, storage, and systems management solutions to help consumers and organizations secure and manage their information-driven world. Our software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored. Headquartered in Mountain View, Calif., Symantec has operations in 40 countries. More information is available at For specific country offices and contact numbers, please visit our website. Symantec World Headquarters 350 Ellis St. Mountain View, CA USA +1 (650) (800) Symantec helps organizations secure and manage their information-driven world with security management, endpoint security, messaging security, and application security solutions. Copyright 2011 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. VeriSign, VeriSign Trust and other related marks are the trademarks or registered trademarks of VeriSign, Inc. or its affiliates or subsidiaries in the U.S. and other countries and licensed to Symantec Corporation. Other names may be trademarks of their respective owners. 8/