What to do about privacy?

The Future of Authentication and
Security
Kevin Dohrmann
CTO
Cosentry
MOVING FORWARD WITH CONFIDENCE
Facts at a Glance

Company Background (Cosentry)
• Headquarters in Omaha, NE
• 180 Employees Nationwide
• One of Inc. 5000 Fastest Growing Companies 6 years running
• 5 years 20% growth Y/O/Y
• Center of Excellence in Compliance and Security
• 6 Data Centers across the Midwest
• Acquisition occurred in 2011

TA Investment
• Founded in 1969 and headquartered in Boston, MA
• $16 Billion raised since inception
• Primary focus on investments in the technology industry with majority, minority, and debt investments of up to $500M
• Enables Growth and Strategic Investment
Cosentry Solutions & Services

Facilities & Infrastructure
• Six Data Centers
• High Capacity Network (over 31+ Gbps of Internet)
• Hardened Facilities
• 200,000 square feet
• Highly Available Production Environments
• Compliance
• Data Security
• Backup & Recovery Services
• Facilities Security: 24-Hour Electronic and Biometric Access Control

System Support
• Monitoring
• Reporting
• Managed Services
• Systems Management
• Technical Helpdesk
• Project Management
• Vendor Management
• Service Level Agreement (SLA)
• Quarterly Client Reviews
• Capacity Planning
Highly Available Systems
Hardened Data Centers
Regulatory
Security

Architecture & Design
• Capacity on Demand
• Vblock Cloud Infrastructure
• Tiered Storage
• Backup Infrastructure
• Patch Management
• Load Balancing
• Regulatory Review & Design
• Network Analysis & Design
• System Performance & Tuning
• 24/7 Operations and Support
• Capacity On Demand
• Compliance

Cosentry's Flexible Service Capabilities
• Managed Applications
• Web Hosting
• Business Continuity
• Content Management
IaaS Enablement
Compliant Data Centers
The password
1. I forgot my password!
20%-50% of Help Desk Calls
According to the Gartner Group, between 20% and 50% of all help desk calls are for password resets. Forrester Research states that the average help desk labor cost for a single password reset is about $70.
Credit-checking firm Experian found that for an average of 26 different online accounts, users had only five different passwords. 25-34-year-olds are the most prolific, with no fewer than 40 online accounts per person on average.
2 Million Stolen Passwords Recovered
The stash includes purloined Facebook, Google, Twitter, and Yahoo access credentials.
"… the stolen credential mother lode was the botnet herder's collection of almost 1.6 million stolen website login credentials, which comprised 326,129 Facebook passwords (or 59% of all recovered stolen passwords), followed by 70,532 passwords for Google (13%), 59,549 for Yahoo (11%), 21,708 for Twitter (4%), and 8,490 LinkedIn (2%)."
25 Most common passwords
Here are the top 25, as extracted by antivirus solution provider ESET.
1. password
2. 123456
3. 12345678
4. 1234
5. qwerty
6. 12345
7. dragon
8. pussy
9. baseball
10. football
11. letmein
12. monkey
13. 696969
14. abc123
15. mustang
16. michael
17. shadow
18. master
19. jennifer
20. 111111
21. 2000
22. jordan
23. superman
24. harley
25. 1234567
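The practical defence against a list like this is to refuse such values at enrollment rather than hope users avoid them. The following is an added example, not part of the slide deck: a deny-list check in the style of NIST SP 800-63B that seeds its list with the 25 entries above (a real deployment would load a far larger breach-derived list), and that also catches the usual derivations users make from a deny-listed base (appended digits or punctuation, simple leet-speak). The minimum length of 8 and the substitution table are assumptions of this example.

```python
"""Screen candidate passwords against a deny-list of commonly used values.

Added example, not from the original slides. The deny-list is the top-25 list
quoted on the slide; in production it would be replaced by a large corpus of
breached passwords loaded from disk.
"""
import re

COMMON_PASSWORDS = {
    "password", "123456", "12345678", "1234", "qwerty", "12345", "dragon",
    "pussy", "baseball", "football", "letmein", "monkey", "696969", "abc123",
    "mustang", "michael", "shadow", "master", "jennifer", "111111", "2000",
    "jordan", "superman", "harley", "1234567",
}

MIN_LENGTH = 8  # assumption: policy minimum, in line with NIST SP 800-63B

# assumption: a small leet-speak table covering the substitutions seen most often
_LEET = str.maketrans("@0$31!", "aoseii")


def _variants(password):
    """Yield normalised forms that reduce a derived password to its base."""
    lowered = password.lower()
    yield lowered
    # "Password1!" -> "password": strip trailing digits and punctuation
    stripped = re.sub(r"[\d\W_]+$", "", lowered)
    if stripped != lowered:
        yield stripped
    # "p@ssw0rd" -> "password": undo common character substitutions
    unleeted = lowered.translate(_LEET)
    if unleeted != lowered:
        yield unleeted


def check_password(password, denylist=COMMON_PASSWORDS):
    """Return (accepted, reason). Rejects short values and anything whose
    normalised form appears in the deny-list."""
    if len(password) < MIN_LENGTH:
        return False, "too short"
    for variant in _variants(password):
        if variant in denylist:
            return False, f"matches common password '{variant}'"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("Password1!", "P@ssw0rd", "Dragon2000", "1234",
                      "correct horse battery staple"):
        print(f"{candidate!r:32} -> {check_password(candidate)}")
```

Because the check normalises before lookup, "Password1!" and "P@ssw0rd" are both rejected as the deny-listed "password", which is exactly the class of variations that a naive exact-match filter lets through.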
20/20 Vision: Top Identity & Access Management Predictions from the Gartner IAM Summit
Andrew Young, November 20, 2013, 11:41 am EST
Gartner floated some interesting ideas and predictions on where the Identity and Access Management (IAM) market is heading during Monday's IAM Summit keynote. Some may be a bit more futuristic than others, but their view is cause to take a step back from the daily grind and observe our industry from new perspectives. Below are the highlights and 2020 predictions:
1. Every user is a consumer, and the way we access systems is consumer-like, especially in the mobile era. Gartner predicts that by 2020, 80% of access will be shaped by non-PC architectures, up from 5% today. It's time to move on, and stop trying to make mobile devices look like corporate PCs.
2. The IAM space is becoming a competitive marketplace for identities. By 2020, 60% of digital identities interacting with the enterprise will come from external identity providers through a competitive marketplace, up from less than 10% today.
3. The death of the "least privileged". By 2020, over 80% of enterprises will allow unrestricted access to non-critical assets, up from 5% today, reducing IAM spend by 25%. To this end, organizations are better off focusing IAM spend on high-value data, and applying baseline security to everything else. (Drop Box)
4. By end of 2020, overall IAM products and services pricing will drop by 40% relative to today in real terms. We'll see new ways of addressing the same issue, with new competitive players. We'll see a change in delivery models. Also, pricing will move from user-based to transaction-based.
5. It's not who you are, but what you do and how you do it. A multitude of devices, applications, and identities brings more attributes and multidimensional context to access control. By 2020, 70% of all businesses will use attribute based access control (ABAC) as the dominant mechanism to protect critical assets, up from 5% today.
6. Identity intelligence finally gets a brain: By 2020, identity analytical and intelligence (IAI) tools will deliver direct business value in 60% of enterprises, up from less than 5% today. This will include logging and log management, behavioral attributes about who is accessing what, and "identity nodes" around users and administrators.
7. Managing identities will include the internet of things. By 2020, the internet of things will redefine the concept of "identity management" to include what people own, share, and use. Legacy pricing models will implode:
Adobe Breach
In a breach first announced on this blog Oct. 3, 2013, Adobe said hackers had stolen nearly 3 million encrypted customer credit card records, as well as login data for an undetermined number of Adobe user accounts. Earlier this month, Adobe said it had actually notified more than 38 million users that their encrypted account data may have been compromised. But as first reported here on Oct. 29, the breach may have impacted closer to 150 million Adobe users.
To Restate The Problem
• Login and password authentication stinks
– Hard to remember
– Easy to Steal
– Easy to Spoof
– Hard to support
– Old Technology
• Gets better with two factors (mobile or Token)
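The second factor the slide refers to (a mobile app or hardware token) is most often a time-based one-time password. The following is an added example, not from the slide deck: a TOTP implementation per RFC 6238 (HOTP from RFC 4226 driven by a 30-second time counter) together with the server-side verifier, which accepts one step of clock drift on either side and remembers the last consumed counter so that a code captured in transit cannot be replayed. The shared secret, step size and window are assumptions of this example; the only value it relies on from elsewhere is the RFC 6238 SHA-1 test secret.

```python
"""Time-based one-time password (TOTP, RFC 6238) as a second factor.

Added example, not from the original slides. The shared secret is exchanged
once at enrollment (e.g. via QR code); both sides then derive codes from it
and the current time, so the code itself never needs to be stored.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based OTP (RFC 4226): HMAC-SHA1 over the big-endian 8-byte counter,
    dynamic truncation to a 31-bit integer, reduced to `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, for_time: Optional[float] = None,
         step: int = 30, digits: int = 6) -> str:
    """TOTP = HOTP over the number of `step`-second intervals since the epoch."""
    if for_time is None:
        for_time = time.time()
    return hotp(key, int(for_time // step), digits)


class TotpVerifier:
    """Server-side check for one enrolled secret (assumed settings: 30 s step,
    +/-1 step of tolerated drift)."""

    def __init__(self, key: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.key, self.step, self.digits, self.window = key, step, digits, window
        self.last_counter = -1  # highest counter already consumed by a success

    def verify(self, code: str, for_time: Optional[float] = None) -> bool:
        if for_time is None:
            for_time = time.time()
        now = int(for_time // self.step)
        for counter in range(now - self.window, now + self.window + 1):
            if counter <= self.last_counter:
                continue  # replay: this interval was already used
            # constant-time comparison so timing does not leak matching digits
            if hmac.compare_digest(hotp(self.key, counter, self.digits), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 SHA-1 test secret
    print("code at T=59:", totp(secret, for_time=59, digits=8))  # 94287082
    v = TotpVerifier(secret, digits=8)
    print("first use:", v.verify("94287082", for_time=59))    # True
    print("replayed:", v.verify("94287082", for_time=59))     # False
```

Two points a practitioner should take from the verifier rather than from the code generator: the comparison is constant-time, and the replay guard means a one-time password is consumed at first use even though it would otherwise remain valid for the rest of the drift window.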
Technology Trends
According to Kevin
1. Bandwidth prices have no bottom
2. Storage cost will continue to drop
3. Processing power will increase and costs will drop
4. Mobile technology is ubiquitous
5. Big Data (stupid phrase) is just getting started
6. Video and photo is the new text
Technology Trends
According to Kevin
Enabling
1. Impossible applications will be possible (God's Number, bioinformatics, Kinect)
2. Real time video and image analysis (remote medicine, wearable computing, augmented reality)
3. Context Sensitive Security
4. GPS aware security
5. Attribute Based Access Control
6. “Trust Everyone but brand your Cattle”
Future of Identity and Authentication Management
1. "Welcome back to the Gap Mr. Yakimoto". Mall scene from Minority Report
2. Multifactor Biometrics (iris, facial, fingerprint, DNA) (things we are)
3. Tokens and devices (things we have)
4. PINs, passwords and codes (things we know)
5. Context aware (Attribute Based Access Control) NIST 800-162 (October 2013) (things we are doing)
6. What to do about privacy?
Past - Future
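The "context aware" item above, the ABAC prediction in the Gartner list and the earlier "context sensitive" and "GPS aware" trends all describe the same mechanism: the decision is computed from attributes of the subject, the resource, the action and the environment rather than from a role alone. The following is an added example, not from the slide deck or NIST SP 800-162: a minimal deny-overrides ABAC evaluator with a constructed rule set that applies strict conditions (managed device, geofence, clearance, department) to high-value data and only a baseline "is authenticated" check to non-critical assets, which is the split the slides argue for. Every attribute name, rule and sample request below is an assumption of this example.

```python
"""Minimal attribute-based access control (ABAC) evaluator.

Added example, not from the original slides. Rules are predicates over
(subject, resource, action, environment) attribute dictionaries; combining
is deny-overrides with default deny, so an unmatched request is refused.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

Attrs = Dict[str, Any]
Condition = Callable[[Attrs, Attrs, str, Attrs], bool]


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str        # "permit" or "deny"
    condition: Condition


@dataclass(frozen=True)
class Decision:
    permitted: bool
    rule: str          # name of the rule that decided, or "default-deny"


class AbacPolicy:
    """Deny-overrides: any applicable deny wins; otherwise the first applicable
    permit; otherwise deny."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules

    def evaluate(self, subject: Attrs, resource: Attrs, action: str, env: Attrs) -> Decision:
        permit = None
        for rule in self.rules:
            if rule.condition(subject, resource, action, env):
                if rule.effect == "deny":
                    return Decision(False, rule.name)
                if permit is None:
                    permit = rule
        return Decision(True, permit.name) if permit else Decision(False, "default-deny")


# Constructed rule set (assumption): strict ABAC for high-value data,
# baseline-only for everything else.
RULES = [
    Rule("deny-unmanaged-device-for-high", "deny",
         lambda s, r, a, e: r["classification"] == "high"
         and not s.get("device_managed", False)),
    Rule("deny-outside-geofence-for-high", "deny",
         lambda s, r, a, e: r["classification"] == "high"
         and e.get("country") != "US"),
    Rule("permit-high-same-dept-with-clearance", "permit",
         lambda s, r, a, e: r["classification"] == "high"
         and s.get("dept") == r["owner_dept"]
         and s.get("clearance", 0) >= (3 if a == "write" else 2)),
    Rule("permit-baseline-noncritical", "permit",
         lambda s, r, a, e: r["classification"] == "low"
         and s.get("authenticated", False)),
]

POLICY = AbacPolicy(RULES)


def decide(subject: Attrs, resource: Attrs, action: str, env: Attrs) -> Decision:
    """Evaluate one access request against the constructed policy."""
    return POLICY.evaluate(subject, resource, action, env)


# Constructed sample attributes (assumption)
ALICE = {"id": "alice", "dept": "finance", "clearance": 2,
         "device_managed": True, "authenticated": True}
BOB = {"id": "bob", "dept": "marketing", "clearance": 1,
       "device_managed": True, "authenticated": True}
FORECAST = {"id": "q3-forecast", "classification": "high", "owner_dept": "finance"}
MENU = {"id": "cafeteria-menu", "classification": "low", "owner_dept": "facilities"}
OFFICE = {"country": "US"}
ABROAD = {"country": "BR"}

if __name__ == "__main__":
    print(decide(ALICE, FORECAST, "read", OFFICE))   # permitted
    print(decide(ALICE, FORECAST, "read", ABROAD))   # geofence deny
    print(decide(ALICE, FORECAST, "write", OFFICE))  # default-deny: clearance too low
    print(decide(BOB, FORECAST, "read", OFFICE))     # default-deny: wrong dept
    print(decide(BOB, MENU, "read", ABROAD))         # baseline permit
```

Note that the environment (here only the country, but a GPS fix or time of day fits the same slot) only matters for the high-value resource; for the cafeteria menu the policy deliberately asks nothing beyond an authenticated session, so the cheap cases stay cheap without weakening the expensive ones.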
Future of Identity and Authentication Management
Winners?
1. Characteristics of winners in the space
   1. Low Cost
   2. Secure implementation
   3. Universal adoption
   4. Hard to Hack or Crack
   5. Must be 2 or 3 factor
2. Trusted or required
3. Mobile devices are first to implement
   1. Apple 5s fingerprint reader
   2. Samsung Galaxy S4 facial recognition
4. Rings (NFC) no biometrics
5. NYMI (Heart beat)
6. Kinect Heart Beat
Problems
1. FIDO versus What? No standards to begin with
2. Bad guys can buy technology also
3. Human beings are not that smart about stuff
4. What to do about privacy?
5. Can the law gather your DNA just in case you ever commit a crime?
6. Freedom from search without probable cause
EFF (Worry Warts) Blogs about Mandatory National IDs and Biometric Databases
• December 29, 2012 - 3:01pm | By Rebecca Bowe: 2012 in Review: Biometric ID Systems Grew Internationally… And So Did Concerns About Privacy
• October 15, 2012 - 8:56pm | By Katitza Rodriguez: Highest Court in the European Union To Rule On Biometrics Privacy
• September 27, 2012 - 3:45pm | By Rebecca Bowe: India's Gargantuan Biometric Database Raises Big Questions
• August 31, 2012 - 12:05pm | By EFF Intern: Despite Privacy Concerns, Mexico Continues Scanning Youth Irises for ID Cards
References
www.ieee.org/publications_standards/.../sample_biometrics_pdf.pdf
Questions?
• "When you come to the fork in the road, pick it up", Yogi Berra.