Risk Based Authentication in the Enterprise



Similar documents
expanding web single sign-on to cloud and mobile environments agility made possible

Strong Authentication: Enabling Efficiency and Maximizing Security in Your Microsoft Environment

XYPRO Technology Brief: Stronger User Security with Device-centric Authentication

FFIEC CONSUMER GUIDANCE

Risk Based Authentication and AM 8. What you need to know!

FFIEC CONSUMER GUIDANCE

KEYSTROKE DYNAMIC BIOMETRIC AUTHENTICATION FOR WEB PORTALS

Building Secure Multi-Factor Authentication

Authentication Strategy: Balancing Security and Convenience

Guide to Evaluating Multi-Factor Authentication Solutions

ACI Response to FFIEC Guidance

WHITE PAPER. Active Directory and the Cloud

Software that provides secure access to technology, everywhere.

Top 10 Anti-fraud Tips: The Cybersecurity Breach Aftermath

Citrix Ready Solutions Brief. CA Single Sign-On and Citrix NetScaler: Quickly Adapt to Your Dynamic Authentication Demands. citrix.

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

White Paper Preventing Man in the Middle Phishing Attacks with Multi-Factor Authentication

SOLUTION BRIEF CA TECHNOLOGIES IDENTITY-CENTRIC SECURITY. How Can I Both Enable and Protect My Organization in the New Application Economy?

White Paper. FFIEC Authentication Compliance Using SecureAuth IdP

Securing access to Citrix applications using Citrix Secure Gateway and SafeWord. PremierAccess. App Note. December 2001

Security Considerations for DirectAccess Deployments. Whitepaper

defending against advanced persistent threats: strategies for a new era of attacks agility made possible

BUILDING SECURITY IN. Analyzing Mobile Single Sign-On Implementations

Assuring Application Security: Deploying Code that Keeps Data Safe

Transaction Anomaly Protection Stopping Malware At The Door. White Paper

Out-of-Band Multi-Factor Authentication Cloud Services Whitepaper

Building a Mobile App Security Risk Management Program. Copyright 2012, Security Risk Advisors, Inc. All Rights Reserved

How To Comply With Ffiec

Commercially Proven Trusted Computing Solutions RSA 2010

OPENIAM ACCESS MANAGER. Web Access Management made Easy

Threat Intelligence Pty Ltd Specialist Security Training Catalogue

Top 5 Reasons to Choose User-Friendly Strong Authentication

IBM MobileFirst Managed Mobility

Security in an Increasingly Threatened World. SMS: A better way of doing Two Factor Authentication (2FA)

SOLUTION BRIEF CA ADVANCED AUTHENTICATION. How can I provide effective authentication for employees in a convenient and cost-effective manner?

ProtectID. for Financial Services

Why SMS for 2FA? MessageMedia Industry Intelligence

Marble & MobileIron Mobile App Risk Mitigation

WRITTEN TESTIMONY OF NICKLOUS COMBS CHIEF TECHNOLOGY OFFICER, EMC FEDERAL ON CLOUD COMPUTING: BENEFITS AND RISKS MOVING FEDERAL IT INTO THE CLOUD

IDENTITY & ACCESS. Providing Cost-Effective Strong Authentication in the Cloud. a brief for cloud service providers

Gladiator NetTeller Enterprise Security Monitoring Online Fraud Detection INFORMATION SECURITY & RISK MANAGEMENT

Supplement to Authentication in an Internet Banking Environment

Securing Online Payments in ACH Client and Remote Deposit Express

SOLUTION BRIEF ADVANCED AUTHENTICATION. How do I increase trust and security with my online customers in a convenient and cost effective manner?

Modern two-factor authentication: Easy. Affordable. Secure.

WAN security threat landscape and best mitigation practices. Rex Stover Vice President, Americas, Enterprise & ICP Sales

The SMB Cyber Security Survival Guide

Protect Your Business and Customers from Online Fraud

FERPA: Data & Transport Security Best Practices

Business Case for Voltage Secur Mobile Edition

BioCatch Fraud Detection CHECKLIST. 6 Use Cases Solved with Behavioral Biometrics Technology

managing SSO with shared credentials

SSL Encryption and Traffic Inspection ADDRESSING THE INCREASED 2048-BIT PERFORMANCE DEMANDS OF 2048-BIT SSL CERTIFICATES

BYOD: Should Convenience Trump Security? Francis Tam, Partner Kevin Villanueva, Senior Manager

THE SECURITY OF HOSTED EXCHANGE FOR SMBs

RSA Solution Brief. RSA SecurID Authentication in Action: Securing Privileged User Access. RSA Solution Brief

MODERN THREATS DRIVE DEMAND FOR NEW GENERATION MULTI-FACTOR AUTHENTICATION

next generation privilege identity management

Securing Mobile Apps in a BYOD World

Mobile Banking. Secure Banking on the Go. Matt Hillary, Director of Information Security, MX

Permeo Technologies WHITE PAPER. HIPAA Compliancy and Secure Remote Access: Challenges and Solutions

A brief on Two-Factor Authentication

RSA Solution Brief. RSA Adaptive Authentication. Balancing Risk, Cost and Convenience

Securing Physician and Patient Portals for HIPAA Compliance

Deploying secure wireless network services The Avaya Identity Engines portfolio offers flexible, auditable management for secure wireless networks.

101 Things to Know About Single Sign On

Securing Your Business s Bank Account

Cloud and Critical Infrastructures how Cloud services are factored in from a risk perspective

SANS Top 20 Critical Controls for Effective Cyber Defense

Mobile Application Security. Helping Organizations Develop a Secure and Effective Mobile Application Security Program

Moving Beyond User Names & Passwords Okta Inc. info@okta.com

Adding Stronger Authentication to your Portal and Cloud Apps

BUILDING AN OFFENSIVE SECURITY PROGRAM BUILDING AN OFFENSIVE SECURITY PROGRAM

Entrust IdentityGuard

MIGRATION GUIDE. Authentication Server

Authentication Solutions. Versatile And Innovative Authentication Solutions To Secure And Enable Your Business

How To Protect Your Online Banking From Fraud

Transcription:

Risk Based Authentication in the Enterprise ISSA Phoenix Q3 Chapter Meeting July 8 th, 2014 Rupert Scammell Principal Consultant rupert.scammell@rsa.com 1

Talking Points A quick introduction to your presenter How we got here a brief history of risk-based authentication Techniques, tools & threats RBA s enterprise leap a few stories from the field Enterprise integration strategies Overcoming common objections and concerns Design patterns What s next 2

Rupert Scammell First real job was as a QA engineer for a dot-com era server software company 12 years with RSA, initially as a developer Left to join an startup focused on RBA for financial services companies Rejoined RSA (through acquisition!) Many roles since pro services, pre-sales Most recently as global SE for several major RSA customers 3

RBA A quick definition Start with an Ideal Activity Allow some degree of variance Define activities in comfort zone Opportunity to control costs if comfort zone activities can be reliably identified Identify and flag only those activities which fall outside of comfort zone Area of Concern Comfort Zone Activity C Activity B Activity D Ideal Activity Activity A 4

Risk Based Authentication Transparent detection of malicious behavior without sacrificing user experience Monitor and authenticate both login and post login activities (ideally) Use a risk based self-learning engine (minimize admin cost & overhead, quickly detect new threats) Retain control over institutional policy Incorporate knowledge of what s occuring beyond the castle walls! 5

Out-of-band Challenge Knowledge Others Behavior Device Threat intel RBA in a little more detail Risk Engine 271 937 Policy Mgr. Authenticate Continue Activity details Feedback Step-up Authentication Feedback Case Mgmt 6

A brief history of RBA Prior to 2005-2006, usernames and passwords were king in the consumer space Insecure but convenient Fear of alienating customers Relatively few compelling threats (at least on the surface) FFIEC (regulator for banks and credit unions in the US) was the first to mandate stronger authentication Phishing attacks were top of mind Drove adoption of challenge questions as a commonly used enhanced auth method Set the stage for a shift in the online security posture of financial institutions globally (copied by other regulators, used as a standard by many unregulated FIs) 7

A brief history of RBA part II Threats evolved remarkably quickly Phishing remained (and remains) a concern, but Cheap, sophisticated malware became readily available No need to build own infrastructure Fraud as a Service Obscure source of attacks via botnets Focus on device takeover (MITM/MITB attacks) over simple credential collection Very long gap (5+ years) between original FFIEC guidance and revised rules for banks New regs have met with a mixed reaction sensible response to threats vs. worries about introducing yet more authentication steps 8

Botnets for hire 9

The human element a fraudster callcenter 10

A ever-growing menagerie of malware 11

The present day Diversification of attacker types and motives State sponsored actors No safe industries Attackers no longer purely focused on financial gain Increase in underground market sophistication has enabled monetization of intellectual property and (sometimes obscure) corporate assets Increasing use of ransomware to hold acquired information hostage very much an enterprise play 12

One example 13

RBA s leap into the enterprise space It was a rainy afternoon in San Mateo, CA, c ~2007 Received a call from a long-time RSA SecurID token customer in the hospital management industry Demanded an alternative to token necklaces for physicians and clinical staff who had admitting privileges at the hospitals Led us to think creatively about how to adapt our RBA portfolio for other use cases Initial partnership with enterprise infrastructure vendors (e.g. SSL/VPN) was key 14

The leap, continued Developed vendor-specific middleware to interface with a back-end risk engine and secondary authentication server Took longer than expected original requestor walked, but similar requests from non-traditional customers (esp. healthcare companies) began arriving from all sides Formerly disgruntled end-users / doctors became our best customers viral marketing! 15

Overcoming objections & concerns Rock the boat, but do it gently Find a champion with a well-scoped use case (e.g. an electronic medical records pilot implementation) Be willing to co-exist with incumbent authentication methods to ease acceptance Accept that you won t be able to integrate with everything web apps are usually easier than dusty AS/400 greenscreens! Use consumer familiarity with authentication techniques outside the workplace (online banking) to explain threats & rationale Provide a flexible toolbox Centralize risk and policy functions on the back-end Exercise caution re. customization requests danger of oneoffs and unmaintainable environments 16

Typical architecture (simplified) End user browser, Mobile application or client app Application Presentation layer (often an SSL/VPN or a proxy) Application Business logic layer App database Credential store Communication interface Risk engine / Policy management RBA data store External network Firewall DMZ Firewall Trusted network 17

Common enterprise design patterns In all cases, you must have a risk engine that can ingest meaningful information from the access channel! Intermediate it Leverage existing proxy infrastructure Alternatively, introduce a new entity to perform this function Can dramatically reduce complexity by providing a single integration point for many applications Wrap it Utilize a web-access management style agent/server model May allow apps scattered through the enterprise to be tied to a central authentication / risk analysis source more easily Generally requires deep integration with WAM/MDM systems, however Directly integrate with it Preferred method for many banks Provides maximal flexibility Requires ability to modify presentation/business logic of app often a rarity in enterprise settings Apps must be integrated/supported upgraded individually 18

What s next Static authentication methods (challenge questions, passwords) must eventually die, but have a long half life Loosely connected populations contractors, vendors, supply chain partners will often be first candidates for enterprise RBA Encouraging movement toward dynamic authentication in many contexts, consumer and enterprise Often requires a compelling event such as a breach to spur action Regulation is slowly producing positive changes in many industries, but can t always keep up Users are often more willing to adopt new authentication methods than security staff realize Must secure multiple channels Channel-friendly auth methods for web, mobile, tablets, voice Leverage what the user has Biometrics Device characteristics Geolocation Gestures 19

Thank you! 20

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information