SE-4110, Securing Identities in the Cloud, by Martin Ahlers

Top Things to Consider When
Authenticating Web Applications
© 2013 - VASCO Data Security

November 2013

Increasing need to protect our online activities
End users

! 
! 
! 
! 

Confidential data leakage
Cyber bullying
“Gold farming”
Identity theft

2012: Hackers able to
access users’ personal
data for use in phishing
attacks

2012: Hacker able to
access billing
information and other
accounts


2012: Exposed 6
million user account
passwords

ASP’s

! 
! 
! 
! 

Lost revenues
Tarnished brand
Low data integrity
Subscriber churn

2013: Hackers posted
fake news about bombing
of the White House, Dow
Jones dropped 100 points

2013: 10 million people
watch Netflix without
paying for it by sharing
passwords

2013: Hackers able to
access customer names,
credit/debit cards and
expiration dates of 2.9
million customers, and up
to 38 million ID’s and
passwords

2

Agenda
!  Applications and pain points
!  Cloud services
!  Subscription services
!  Gaming

! 
! 
! 
! 

Quick VASCO background
Combined AMD and VASCO solution
Sample business case
Sample competitive comparison


3

Cloud Security Concerns
!  Losing files
!  Files not stored securely
!  Loss of control
!  Embarrassing files made public
!  Computer viruses


Source: Halon 2013 Security Survey

4

Cloud Providers Are Expected to Lead on Security
Within five years, cloud security will become one of the
primary drivers for adopting cloud computing. The reason
for a shift of security from obstacle to driver is that Cloud
Service Providers (CSPs) are expected to invest far
more in the development of their security
infrastructure and expertise than any typical enterprise
Ernst and Young: Cloud Computing Issues and Impacts, 2011


5

Subscription Sharing: New York Times Analysis

BuzzFeed: It is representative of a rising generation of young people who
1) Like watching shows Online and 2) Cannot fathom paying for them

6

Subscription Account Sharing Impacts

!  Eliminate revenue leakage from
account sharing
!  Account sharing is perceived as a
back-end security problem. But for
companies that rely on online
subscriptions as a primary revenue
stream, account sharing can mean
lost income
!  What we found was that about 33
percent of the accounts on the
network were being shared

!  Secure personal information
!  Preserve data integrity for
advertising/marketing
"If you're running The Wall Street Journal or World of Warcraft, and you've got multiple
people sharing a single subscription, you're losing customers."

Source: AdmitOne

7

Tier 1 ASP Example
Company Profile
! 

One of the world's largest insight, information and
consultancy networks. By connecting its specialist
companies, the group aims to become the pre-eminent
provider of compelling insights for the global business
community.

Needs
! 
! 
! 
! 
! 

Protect online assets/revenues and control their IP
Auditable and traceable accounts for Risk and Compliance
Dept.
No new overhead or code modification of existing web
portals
OpEx based purchases to tie to subscription services and
improve cash flow
Everything IT must move to the cloud

In need of a cloud based two-factor authentication platform

8

Creating Secure Communities Raises Revenues

!  University of Michigan studied a Tier 1
online retailer
!  Study found a 19% increase in
revenue when customers were
connected in an online community

“While the major share of firm and
media attention has focused on thirdparty online social networks such as
Facebook, many firms have made the
choice to build their own such
networks.”
http://info.socious.com/bid/56237/How-Online-Customer-Communities-Can-Increase-Revenue-By-19-Research


9

Current state of Gaming
Online
gaming
industry
growing
signiﬁcantly…..

…..however
ARPU
is
steadily
declining

Online
Gaming
Market
Share
by
Geography
(USD
$B)

$20.0

$18.0

$16.0

$14.0

$12.0

$10.0

ROW

$8.0

US

$6.0

$4.0

$2.0

$-‐
2012

2013

2014

2015

Publishers need assistance to stabilize ARPU by providing
additional value to paying customers

Source: SuperData Research and Newzoo Games

10

US Gaming Demographics
117m
Online
Gamers
in
the
US

Typical US Gamer
Age 25-44
Income $35k-$75k
60% male
79% college degree


Aﬃnity
to
online
security

1.  Above average income and education
2.  Tech savvy
3.  Understand the value of security

Sources: *Nielsen Entertainment's third annual Active Gamer Benchmark Study; ** StatGrab; ***SuperData Research/Newzoo

11

Gaming companies must capitalize on hits
!  Example: Diablo 3
!  Fastest selling PC game to date
!  Broke Amazon record for most preorders
!  Sold 3.5m copies on the 1st day
!  Sold 6m copies in 1st week
!  Within 1 week, it became the most
played game in Korea, 39% of Korean
gamers logging in daily

Securing new game revenue is a natural fit

12

Gaming ASP Pain Points
!  Account sharing
!  Increase revenues and subscriptions with stronger
authentication
!  New releases are very competitive, must capitalize on hits

!  Account bullying
!  Hackers stealing credentials to tamper with account holders

!  Gold farming
!  Dissatisfaction lowers switching costs and increases churn
!  Less of an issue with advent of free to play and ability to buy/sell
with real dollars

!  User islands
!  Create communities of users to increase stickiness and
monetize free to play
!  Cross sell gaming assets
!  One credential to access all game sites
“MMO players are very dedicated gamers. As the majority already plays games on other screens, it will be interesting
to see if publishers succeed in extending and monetizing their MMO experience across all screens.“
Peter Warman, CEO of Newzoo

13

Agenda
!  Cloud services
!  Gaming

! 
! 
! 
! 



14

Our Philosophy

Security

Ease

Cost

Find the optimal balance for ASPs and consumers


Federal Reserve Briefing

15

VASCO Heritage in Banking Security


16

Agenda
!  Cloud services
!  Gaming

! 
! 
! 
! 



17

Secure Portal to Web Apps
App1

App2

Numerous
Logins
Passwords
QR code scan

App3

App4

Cloud Subscribers

OTP

App5

App6

Complex for users, headache IT helpdesk
Simple for users, savings for for IT helpdesk

18
18

Integration overview
AMD
chipset

Normal
SecDon

App

App

Secure
SecDon

App

Trusted
Trusted

App

App

Secure
OS

TEE
Client
API

PlaBorm/Rich
OS

(e.g.
Windows,
etc)

DIGIPASS

(TEE)

Secure

Monitor

Secure
Boot

ARM
Cortex
A5
Processor
with
Trustzone
Security
Extensions


19

Highly secure yet familiar, simple user experience


20

Agenda
!  Cloud services
!  Gaming

! 
! 
! 
! 



21

Cost Effective Cloud

Cost
per
user

Opex Model
Pay as you grow
Users or Authentications


22

MYDIGIPASS.COM Subscription Business Case
ASP with 1M users per month

Increased Subscription Assumptions:
•  Per a Tier 1 subscription account, 2FA will
increase revenues by 10% in YR 1
increasing to 20% by YR 5
•  $100 annual subscription revenue
•  $10 per user 2FA cost

20,000,000

16,000,000

12,000,000

Incremental revenues
Incremental costs
8,000,000

4,000,000

YR 1

YR 2

YR 3

YR 4

YR 5

MDP.com would return $17.5M net profit over 5 years.

23

Easily Deployed Two Factor Authentication


24

Agenda
!  Cloud services
!  Gaming

! 
! 
! 
! 



25

Comparison vs. Home Grown SMS
Home Grown SMS

Your unique
code is
w2z356

Does not operate on WiFi
Not delivered in poor coverage area
Not delivered when out of range
Not delivered under heavy traffic
congestion
Over 5% of SMS deliveries fail*
Operates on 3G/4G, WiFi or LAN

Over 9% take over 5 minutes*
* Per UCLA study Analysis of the Reliability of
a Nationwide Short Message Service


26

Spying on SMS
Home Grown SMS

Your unique
code is
w2z356

Your unique
code is
w2z356

Secure out of band QR code
transmission

Unsecure text message can be
intercepted using off the shelf
software
27

Baseline Mobile App Security
Home Grown SMS

Your unique
code is
w2z356

Federate Multiple
Applications
No

Federate Multiple Applications
YES
Incremental SMS Opex
NO
Authentication method
Challenge/response - more secure

Incremental SMS Opex
YES
Authentication method
Standard OTP
Back-up methods
Written code

Back-up methods
Smartphone
Hardware token

28

Top Things to Remember for ASP’s
!  Are you creating a secure cloud community?
!  Application
!  Delivery

!  Is account vulnerability limiting your revenue growth?
!  Losing potential customers
!  High cost of fixing account hacking events
!  Causing customer churn

!  Could strong two-factor authentication in the cloud
meet your needs?
!  Speedy ROI
!  Easy to manage / Easy for users
!  More secure than SMS

29

For More Information
!  Contact us at
!  martin.ahlers@vasco.com
!  jonathan.abon@vasco.com
!  And go to our Application Service Provider site
!  http://mydigipass.vasco.com/


30

SE-4110, Securing Identities in the Cloud, by Martin Ahlers

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to SE-4110, Securing Identities in the Cloud, by Martin Ahlers

Similar to SE-4110, Securing Identities in the Cloud, by Martin Ahlers (20)

More from AMD Developer Central

More from AMD Developer Central (20)

Recently uploaded

Recently uploaded (20)

SE-4110, Securing Identities in the Cloud, by Martin Ahlers