
Securing Electronic Commerce: Identification & Authentication




Presentation Transcript


  1. Securing Electronic Commerce: Identification & Authentication
  Douglas Graham, UK Channel Technical Manager, Security Dynamics Technologies, Inc.

  2. Security Dynamics / RSA
  • Security Dynamics Technologies Inc.
  • RSA: 300 million copies installed & in use worldwide
  • SecurID: 3 million users
  • BoKS: 110,000 users
  • 3,000 companies
  • 9,000 installations
  • 2,000 companies
  • 250+ of the Fortune 500
  • Major OEM relationships

  3. Key Business Trends
  • Enhanced outreach and collaboration with employees, customers, partners, distributors and suppliers
  • Emergence of the “virtual enterprise”
  • “Market of One” interactive customer relationship
  eBusiness is no longer a competitive advantage, it is a necessity

  4. Key Technology Trends
  • Rapid deployment of intranets and extranets
  • New generation of inexpensive, high-speed, IP-ready network capacity coming online
  • Broad adoption and continued evolution of mission-critical ERP applications
  • Continued outsourcing of network transport, Web hosting and application deployment
  Moving rapidly to the Internet-enabled enterprise

  5. Key Security Trends
  • Enterprises supplementing perimeter defense with protection of applications and information
  • Increasing requirements for user authentication, authorization and intrusion monitoring and detection
  • PKI emerging as a common architectural foundation for multiple security applications
  • Security decisions driven by line-of-business needs
  Enterprise security is the key enabler for eBusiness

  6. What is Electronic Commerce?
  • Electronic Commerce, as used in this presentation, is the temporary extension of a computer network over a public or private connection to facilitate business transactions.
  • Carried over the PSTN, ISDN or the Internet
  • Can be used by individual users, or to connect two or more networks together
  • Examples: notebook dial-in for email; small office to HQ connection

  7. Remote Access (diagram: Mobile User connecting to Head Office across a Public Network)

  8. Electronic Commerce Applications
  • Home Banking
  • Quick, easy access to corporate information and services
  • Sharing information between business partners & customers
  • Telecommuters (home working), “day extenders”
  • IT support staff

  9. Remote Access Benefits
  • Productivity
  • Cost savings
  • Easy information access
  • High availability of information
  • Competitive advantage

  10. Remote Access Growth (chart: US remote access users, 1997 to 2000, y-axis 0 to 60,000,000; highlighted figure 56 million). Source: Giga, September 1997

  11. W. European e-Commerce, 1996-2001 (chart: Business and Consumer commerce revenue per year, $ million; CAGR = 137%; plotted values 136, 214, 421, 681, 1,278, 1,795, 3,123, 4,343, 6,469, 8,809, 11,115, 14,794). Source: IDC, July ’97

  12. What are the risks?
  • Protecting the network and data from abuse by authorised users
  • Protecting the network and data from abuse by unauthorised users
  • Data privacy
  • Data confidentiality
  • Complexity of service operation and delivery

  13. Attacks from Inside & Out (chart: percentage of reported security breaches, 0 to 45% scale, comparing unauthorized access by employees with system penetration from outside). Source: 1998 CSI/FBI Computer Crime and Security Survey

  14. Cost of Security Breaches (chart: average loss per reported breach in $000, scale $0 to $3,000; categories: financial fraud, theft of proprietary information, unauthorized access by employees). Source: 1998 CSI/FBI Computer Crime and Security Survey

  15. “Casual Intruder - Disgruntled Employee”
  • Shoulder surfing co-workers
  • Finding written passwords
    • Post-It Notes
    • DayTimer
  • Guessing passwords
    • “password”
    • Spouse/Dog/Kid’s name
    • Username

  16. “Serious Hacker”
  • All of the “casual” approaches
  • “Social engineering”
  • Password cracking
    • “Crack”
    • “L0phtCrack”
    • “Cracker Jack”
  • Network sniffing

  17. Passwords Are Not Secure
  • Tools for defeating passwords abound
  • Compromise is not detectable
  • Passwords can be snooped off the Net
  • Passwords & files are diverted off desktops or servers
  • Password-protected credentials are compromised off-line
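The last bullet is the one that makes the others matter: once a password file has been copied, guessing happens on the attacker's machine and the server sees nothing. The following is an added example, not from the presentation or from any Security Dynamics product, of that off-line attack against the password choices slide 15 lists. The user table, salts and word list are constructed for the demo, and salted SHA-256 stands in for whatever unkeyed hash a real server used.

```python
"""Offline dictionary attack on a captured password file.

Added example, not from the original presentation. The user table,
salts and word list below are constructed for the demo; salted SHA-256
stands in for whatever unkeyed hash the real server used, since the
attack is the same against any hash the attacker can compute as fast
as the server can.
"""
import hashlib


def hash_password(salt: str, password: str) -> str:
    """Server-side hash: SHA-256(salt || password), hex encoded."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed 'captured' credential file: username -> (salt, digest).
# The passwords behind it are the ones slide 15 warns about.
CAPTURED = {
    "jsmith": ("a1", hash_password("a1", "password")),    # the word "password"
    "mjones": ("b2", hash_password("b2", "Rex1999")),     # dog's name + year
    "kwong":  ("c3", hash_password("c3", "kwong")),       # username reused
    "admin":  ("d4", hash_password("d4", "xq7!Lm#9vTz")), # random, not guessable
}

# Constructed word list; a real cracker loads millions of entries.
WORDLIST = ["password", "letmein", "welcome", "rex", "fido", "sarah"]


def mangle(word: str):
    """Yield the base word plus the variants users bolt on to satisfy
    'complexity' rules: capitalisation, a year, one or two digits."""
    for form in (word, word.capitalize(), word.upper()):
        yield form
        for year in range(1990, 2000):
            yield form + str(year)
        for n in range(100):
            yield form + str(n)


def crack(captured: dict, wordlist: list) -> dict:
    """Try every mangled guess against every user and return
    user -> password for those recovered. Nothing is logged server-side:
    the hashes were copied once and the guessing is entirely local."""
    recovered = {}
    for user, (salt, digest) in captured.items():
        # The username itself is always one of the first guesses.
        for base in [user, *wordlist]:
            for guess in mangle(base):
                if hash_password(salt, guess) == digest:
                    recovered[user] = guess
                    break
            if user in recovered:
                break
    return recovered


if __name__ == "__main__":
    for user, pw in crack(CAPTURED, WORDLIST).items():
        print(f"{user}: {pw}")
    # jsmith, mjones and kwong fall; "admin" survives the word list
```

Three of the four accounts fall to a six-word list and a handful of mangling rules; only the account whose password is outside any list survives, which is exactly the population a site cannot rely on having. A slow, memory-hard hash raises the cost per guess but does not change the picture for the passwords slide 15 describes.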

  18. “Privacy” is NOT “Security” (diagram: an encrypted tunnel through a public network)
  Who’s at the other end of the line?

  19. Identification & Authentication
  • Identification: Who are you? ……. “John Smith”
  • Authentication: ……. prove that you are John Smith

  20. Identification / Authentication (diagram: “Prove it!”)

  21. Methods of User Authentication (diagram: a bank card, 1234 5678 9010, and a PIN, “1059”)
  • Something you know: password, PIN, “mother’s maiden name”
  • Something you have: magnetic card, smart card, token, physical key
  • Something unique about you: fingerprint, voice, retina, iris

  22. Two Factor “Strong” Authentication (diagram: token + PIN)

  23. One Time Passcode (diagram: a SecurID token cycling through passcodes, each locked after use)
  • 345656: Passcode Accepted
  • 568787: Passcode Accepted
  • 879845: Passcode Accepted
  • 879845 again: Already Used, Access Denied
  SecurID passcodes can only be used ONCE! Shoulder surfing and snooping will NOT work!

  24. Traditional Authentication Options (diagram: level of security, lowest to highest)
  • Passwords: Identification & Weakest Authentication
  • Software Token: Identification & Weak Authentication
  • Hardware Token: Identification & Strong User Authentication

  25. New Authentication Options (diagram: level of security, lowest to highest)
  • Passwords: Identification & Weakest Authentication
  • Software Token: Identification & Weak Authentication
  • Hardware Token, Biometric, Smart Card, Digital Certificate: Identification & Strong User Authentication

  26. Secure Remote Access • Let’s look at reducing the risks and complexity

  27. Remote Access Complexity

  28. The Internet Simplifies Remote Access (diagram: global access delivered by an ISP)

  29. Reducing The Risks?
  • The Internet is a collection of unsecured networks!
  • Strong Authentication and Encryption can provide a solution
  • New technology: VPN

  30. What is a VPN?
  • VPN - “Virtual Private Network”
  • Transports encrypted information via the Internet and public networks
  • Offers the benefits of a private network using “free” Internet infrastructure
  • Encryption means privacy, not security: it does not tell you who is at the other end of the tunnel
  • A VPN can be owned and run locally, or delivered as a service from a Telco or ISP

  31. Creating a Secure VPN (diagram: remote user, Internet, Firewall or RAS server, ACE/Server)
  • Request Connection
  • Request Passcode
  • PIN + tokencode: Send Passcode
  • Send Session Key
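Slides 23 and 31 together describe the mechanism: the token displays a code that changes every interval, the user prepends a PIN, the server accepts each code once and only then hands out a session key. The following is an added example, not from the presentation or from any Security Dynamics product, of both halves of that exchange. SecurID's own algorithm is proprietary, so the open time-based one-time password standard (RFC 6238 TOTP built on RFC 4226 HOTP) is used as a stand-in; it has the same properties the slides rely on. The user record, PIN and token secret are constructed for the demo (the secret is the RFC 4226 test-vector key), and the ACE/Server role is played by the `PasscodeServer` class, a name chosen here.

```python
"""Two-factor one-time passcode (PIN + tokencode) with replay rejection.

Added example, not from the original presentation. SecurID's own
algorithm is proprietary; this uses the open time-based one-time
password standard (RFC 6238 TOTP over RFC 4226 HOTP) as a stand-in,
which behaves the same way for the points the slides make: the code
changes every interval, and the server accepts each code once.
The user record, PIN and secret below are constructed for the demo.
"""
import hashlib
import hmac
import os
import struct

STEP = 30  # seconds per tokencode


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter taken from the clock."""
    return hotp(secret, now // STEP, digits)


class PasscodeServer:
    """Server side of slide 31: check PIN + tokencode, issue a session key.
    Stands in for the ACE/Server; the class name is chosen for this demo."""

    def __init__(self, users: dict, window: int = 1):
        self.users = users        # username -> (pin, token secret)
        self.window = window      # intervals of clock skew tolerated
        self.used = set()         # (user, counter) pairs already accepted

    def verify(self, user: str, passcode: str, now: int):
        """Return a fresh session key on success, None on failure."""
        if user not in self.users:
            return None
        pin, secret = self.users[user]
        if len(passcode) != len(pin) + 6:
            return None
        if not hmac.compare_digest(passcode[:len(pin)], pin):
            return None                     # factor 1 (something you know) wrong
        tokencode = passcode[len(pin):]
        counter = now // STEP
        for c in range(counter - self.window, counter + self.window + 1):
            if hmac.compare_digest(hotp(secret, c), tokencode):
                if (user, c) in self.used:
                    return None             # "Already Used - Access Denied"
                self.used.add((user, c))    # factor 2 (something you have) ok
                return os.urandom(32)       # "Send Session Key"
        return None                         # tokencode wrong or too stale


def demo():
    """Walk the slide-31 exchange: connection, passcode, session key, replay."""
    secret = b"12345678901234567890"        # RFC 4226 test-vector secret
    server = PasscodeServer({"jsmith": ("1234", secret)})
    now = 59                                # RFC 6238 test time
    passcode = "1234" + totp(secret, now)   # what the user types: PIN + tokencode
    first = server.verify("jsmith", passcode, now)
    replay = server.verify("jsmith", passcode, now + 5)   # snooped and re-sent
    wrong_pin = server.verify("jsmith", "0000" + totp(secret, now), now)
    return first is not None, replay is None, wrong_pin is None


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

The `used` set is what turns "privacy" into "security" in slide 18's terms: a passcode snooped from the wire or read over a shoulder is worthless once the legitimate login has consumed it, and the skew window is bounded so a stale code cannot be hoarded. In a real deployment that replay state has to be shared across every server that accepts the same tokens, or an attacker simply replays against a different one.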

  32. Internet VPNs Reduce Cost and Complexity
  • Reduce leased line costs and dial access charges
  • Reduce user support
  • Simplify remote access architecture
  • Reduce help desk services
  • Allow tracking / billing for usage
  • Reduce equipment costs for remote access

  33. Increased Use of Authenticators (chart: authenticator users 1996 to 2000, scale 0 to 20,000,000; Internet users 177% CAGR, VAN users 132% CAGR, dial-in users 52% CAGR). Source: Giga est., Sept. 1997

  34. VPNs Offer Estimated 60% Cost Savings (chart: remote access cost comparison for 2000 remote users, $000s, Internet remote access vs traditional remote access, scale $0 to $3,500; cost categories: user support, phone/ISP charges, routers/servers, T1 lines). Source: Forrester Research 7/97

  35. Secure Web Applications: using the WWW to share sensitive information
  • Home Banking
  • Business to Business communication
  • Price lists to partners
  • Human Resources
  • Product support and updates

  36. Secure Web Authentication & Privacy
  • Issues similar to remote access
  • User identification & authentication
    • Passwords are not enough!
  • Data privacy during connection
    • Prevent snooping
  • Granular access
    • Grant access rights based upon service level

  37. Web Applications Security (diagram: SecurWorld, SecurWorld Online and SecurCare portals for customers and resellers, each prompting for a passcode)

  38. What about Certificates for Authentication?
  • A Digital Certificate is a unique electronic identifier that binds a user’s identity to a public key and is signed by its issuer; unlike a password it is not itself a secret
  • Browsers use certificates widely for establishing a level of authentication
  • More and more applications will use certificates
    • Email, single sign-on, E-commerce
  • A user’s certificate can be used to check a Digital Signature - a unique electronic signature made with the private key belonging to the owner of the certificate
    • essential for non-repudiation of messages and transactions

  39. How can we be sure of a Certificate?
  • A certificate is usually ‘signed for’ electronically by a Trusted Third Party, e.g. Verisign
    • i.e. two companies trust the integrity of a certificate issued by a jointly trusted external organisation
  • Today most certificates are stored electronically on servers (e.g. LDAP), so the certificate itself is public; what proves identity is use of the matching private key
  • So how can we be sure that the person using a certificate (and its private key) is who they say they are?
  • We cannot, unless access to that private key is protected by Strong Authentication!

  40. Smartcards for Security
  • Benefits
    • Two Factor ‘Strong Authentication’
    • Secure storage of private credentials
    • Building access
    • Photograph
    • Other applications
  • Downside
    • Readers
    • Infrastructure

  41. Soft Smartcards
  • Host-based secure electronic ‘wallets’ (or files) that contain a user’s security credentials
  • Downloaded to the user on successful authentication
  • Two Factor Authentication to access the Soft Smartcard
  • Excellent transitional solution to help companies migrate to smartcards for network access
  • Available today

  42. Soft Smartcards for Secure Applications Access (diagram)
  • User dials in
  • Request for passcode
  • User sends passcode (PIN + tokencode)
  • Server authenticates and the credentials are downloaded

  43. Summary
  • Local and global Electronic Commerce can
    • increase productivity and communication
    • reduce costs of doing business
    • deliver competitive advantage
  • It suffers from risk of abuse and fraud if not prudently secured
  • User authentication, encryption of traffic and use of certificates can deliver very secure applications, including E-Commerce
