You Are the Target

This Frost & Sullivan analyst report shows how the legal and threat environment, combined with BYOD and cost factors, makes multi-factor, risk-based authentication the logical approach to the security challenges posed by threat actors.

You Are the Target – But You Don’t Have To Be with Effective Authentication
An Executive Brief Sponsored by RSA
Frost & Sullivan, www.frost.com
August 2013
© 2013 Frost & Sullivan. All Rights Reserved.

INTRODUCTION

Any size organization can be a target, generally because of weak authentication. Password-only protection is simply too risky: stolen passwords were behind major thefts of records from Best Buy and Twitter. With the adoption of cloud-based IT infrastructures, and the pervasive use of mobile devices and mobile applications, IT organizations are being asked to secure what they don’t own, manage or control. For more on how to reduce the risk and the consequences of weak authentication, read on.

This paper will show why any size organization can be a target, and how the legal and threat environment, combined with BYOD and cost factors, make multi-factor, risk-based authentication the logical approach to solving the problem. Case studies are used to illustrate. Robust, multi-factor authentication, which can increase the validation steps required if something seems out of the ordinary or if highly sensitive information is to be accessed, is a necessary and cost-effective way to reduce your vulnerability as a target. Relying on the leading vendor, RSA, is a proven strategy.

In gauging threats, intelligence professionals start with the nature of the threat. We start with the most likely one: in the typical incident, the target has employed poor authentication products and practices. We then move on to asking: who are the adversaries? What motivates them? What kinds of resources do they have at their disposal?

Today’s adversaries cover a wide range of possibilities. At the top of the list are nation-states interested in learning defense secrets and gathering valuable data and trade secrets that can give them an edge in the global economy. Next in threat capabilities would be multi-national, non-state actors, such as organized crime, who target electronically stored information (ESI) that can either be resold or monetized in other ways. High on the list of their targets are databases of Personally Identifiable Information (PII), which allow them or their customers to steal the identities of their victims, systematically loot their digital assets, and establish false accounts to obtain goods and services, while destroying the reputations and credit worthiness of their victims.
Today’s competitive world means that organizations are keeping tabs on their competition in legal and illegal ways. Using social media, such as Facebook and LinkedIn, to learn about a competitor’s employees and plans is emerging as a common means of competitive intelligence gathering and industrial espionage. The hijacking of Twitter handles and similar incidents could have been prevented with robust authentication.

Other threats include individuals and groups who are moved to correct social conditions they perceive as wrong. Dubbed “hacktivists,” these people have attacked a variety of organizations. Many of these groups are loosely organized, with no formal leadership; e.g., “Anonymous.” These groups can be especially dangerous because their very nature changes day to day, and their lack of a formal organization makes it difficult to track down individuals.

Lastly, the threat can be a single individual. Aggrieved former employees and contractors are often unhappy about the circumstances of the termination of the relationship with their former employer or client.

BAD THINGS HAPPEN TO GOOD PA$$WORDS—EVEN SECURE PASSWORDS AREN’T ENOUGH PROTECTION IN TODAY’S ENVIRONMENT

All too often, organizations of all sizes rely on passwords as the way to confirm the identity of individuals who wish to access their electronic assets, as well as to guard access to their information technology (IT) infrastructure. Yet passwords, even the most elaborate passwords, are not secure unless they are supplemented by other factors associated with the individual.

This was not always the case. In the early days of computing, a user ID plus password was sufficient protection. This might have been fine when mainframes were the only IT resources, and were kept behind locked doors in special rooms. However, as Intel CEO Paul Otellini noted in his keynote speech at the 2012 Consumer Electronics Show, “Today your smartphone has more computing than existed in all of NASA in 1969.”1 That computing power is available to attackers as well, so password guessing that was once impractical is now cheap, and a control that rests on a password alone no longer reflects the adversary’s capabilities. Organizations therefore need authentication security measures that provide appropriate security, can adapt to the dynamic threat environment, are easy for users to adopt, scale across organizations of various sizes, and can be easily integrated into complex and heterogeneous IT infrastructures.

SIZE DOESN’T MATTER—ANY ORGANIZATION CAN BE A TARGET

The adversary determines the target, and size does not matter; small organizations can be just as important to the attacker’s plans as large ones. The following examples illustrate this point.

1 http://www.guardian.co.uk/technology/blog/2012/jan/11/ces-2012-intel-keynote-otellini
Small Company

Small companies face increased risks on a global scale. According to David Willetts, British Minister of State for Universities and Science, “Companies are more at risk than ever of having their cyber security compromised—in particular small businesses—and no sector is immune from attack . . . But there are simple steps that can be taken to prevent the majority of incidents.”2 According to the 2013 Information Security Breaches Survey, released 23 April 2013, 87 percent of all small businesses in the United Kingdom experienced a breach in the last year. The survey indicated that breaches of small companies increased in the past year, and that the cost associated with these breaches could range up to 6 percent of company revenues.3

Small businesses can be targeted because they do business with larger businesses, such as defense contractors, major banks, etc. Their role as gateways for attackers has been shown in several major campaigns attributed to nation-states.

Statistics for small businesses in the United States also show that they are major targets. According to Representative Chris Collins (R) of New York, himself a successful small business owner, “Although attacks on small businesses don’t make the headlines, a recent report shows nearly 20 percent of cyber-attacks are on small firms with less than 250 employees. Unlike a large company, small businesses may not be able to survive a cyber attack. Washington has begun to realize the importance and immediacy of this threat, but more must be done to help protect this vital segment of our economy from these increasingly complex attacks.”4

A typical small company situation could be a supplier to a large company. The large company is the real target, but it employs a layered security defense, including multi-factor authentication. The attacker has determined that the small company doesn’t employ any security other than passwords. Through diligent research on LinkedIn, the attacker has come up with several names of employees of the small company, which become candidate user IDs. The attacker employs a password cracker downloaded for free from the Internet—one like Password Cracker 3.97, available from Tucows.5 In short order, a suitable password is found. The attacker has gained access to the small company’s IT infrastructure, and is now free to rummage about to download data, alter data, or even destroy data essential to running the business. Essentially, small businesses are often targeted because they are perceived as gateways to larger businesses, in part because they have weaker authentication mechanisms.

2 http://www.infosecurity-magazine.com/view/31999/infosecurity-europe-2013-technology-strategy-board-offers-money-to-small-businesses/
3 http://www.infosecurity-magazine.com/view/31999/infosecurity-europe-2013-technology-strategy-board-offers-money-to-small-businesses/
4 http://smallbusiness.house.gov/news/documentsingle.aspx?DocumentID=325034
5 http://www.tucows.com/preview/520041
Midsize Business

A midsized company manufactures equipment used in the testing of radar systems to be installed on fighter jets. The company competes with much larger companies, and has had to become innovative by developing unique processes to design its test algorithms. Unfortunately, the company has not upgraded its security to multi-factor authentication. Adding to the company’s vulnerabilities is its headquarters location, near popular coffee shops and eateries that offer free Wi-Fi. While convenient for the company’s employees to access IT resources, public Wi-Fi hotspots are also subject to sniffing attacks, which require little technical skill. For example, as explained in “How Logging On From Starbucks Can Compromise Your Corporate Security,”6 packet sniffing can easily vacuum up sensitive data such as passwords whenever they travel over an unencrypted protocol. Once captured, the passwords authorize access as if the attacker were a legitimate end user, and to the organization’s systems the session looks like an ordinary successful login.

Enterprises

While enterprises with 1,000 or more employees have more resources than their smaller counterparts, it doesn’t necessarily follow that they are more secure. For instance, many large enterprises have grown by acquisitions; often, integrating the new company into the mainstream IT infrastructure of the acquiring company is not instantaneous. This contributes to uneven authentication approaches; e.g., strong (multi-factor) for some employees, but weak (e.g., password only) for others, yet both sets of employees can access similar sensitive resources. The attacker needs only the weakest path.

THE CHANGING ENVIRONMENT

This section addresses four key areas that are impacting the operating environment: Legal, BYOD, Evolving Threats, and Cost Factors. One of the best ways that an organization can insulate itself, its people, and its assets in the face of these dynamic environmental factors is by employing robust authentication.

Legal & Regulatory

Data Privacy Laws

Currently, there are approximately 50 countries that have data privacy laws of various types. The European Union, for example, is in the process of dramatically revising the breach disclosure and other aspects of its data privacy regulations.7 According to the Financial Times of London, EU-based firms could be fined up to 2 percent of a company’s global revenue for data breaches.

International law generally recognizes three main classes of personal data that require special attention because they are legally regulated or scrutinized by an industry authority. Protected Health Information (PHI)8 is almost universally considered among the most sensitive types of data. This information concerns the health of specific individuals. Specific relevant US laws include the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). Personally Identifiable Information (PII) is information that, if stolen, allows the thief to masquerade as the individual. PII is protected by a number of United States state and federal laws. Japan is also taking measures to strengthen data privacy for its citizens, such as by requiring strong authentication for online access.9 A third class of protected data is information that is regulated by the Payment Card Industry (PCI). This data is defined in PCI Data Security Standard 2.0,10 and covers the data used in digital payment and credit transactions.

Confirming the identity of authorized users must be a prerequisite to giving them access to the organization’s IT resources. In Singapore, the Monetary Authority of Singapore (MAS) requires financial institutions to implement IT controls to protect customer information from unauthorized access and disclosure. Moreover, with the growing use of mobile banking, the risk of unauthorized access and disclosure is growing. Multi-factor authentication is one of the important and proven security technologies that elevate the protection of sensitive data stored and used by financial institutions, and that also contributes to building trust among mobile banking users.

Breach Notification Laws

The EU is taking stronger action on data breaches, as noted above. Readers should be aware that, as of August 2012, 46 states and the District of Columbia have enacted laws requiring organizations to notify individuals if their PII has been breached, or if the data controller (holder of the data) suspects there has been a breach.11 These notifications can be expensive, and they certainly raise questions of the organization’s trustworthiness in the minds of the customers, employees, patients, and others who may receive the notifications. Preventing such breaches can save organizations significant exposure. A basic step such as requiring multi-factor authentication is sensible to ensure that only properly authorized individuals are granted access.

Industry Specific Laws

A number of industries have specific laws that govern data security. The section on PHI, above, includes two laws in the healthcare industry. Other industries with their own regulations include, for example: the banking industry with the Gramm-Leach-Bliley Act and the Federal Financial Institutions Examination Council (FFIEC); the North American electric power industry, which is regulated by the North American Electric Reliability Corporation (NERC);12 and the United States energy industry, governed by the Federal Energy Regulatory Commission (FERC).13 The point is simple: more regulations are likely to be enacted that will require enhanced information security measures.

Bring Your Own Device (BYOD)

In order to attract a new and vibrant workforce, and as a means to enhance productivity, organizations are allowing their employees and contractors to access the IT infrastructure with their personal smartphones, tablets, and laptops. Multi-factor authentication is necessary to ensure that authorized end users can access their IT resources from any device, while protecting the integrity of the IT infrastructure. Security solutions addressing BYOD need to work seamlessly, because the authentication software is embedded in the applications themselves. Furthermore, the use of a Software Development Kit (SDK) to integrate with a variety of applications that are core to the business is critical. A rich ecosystem of partners, such as that offered by RSA, is a major strong point.

Many organizations have not considered the security aspects of this move, and have not suitably protected access to their information resources with enhanced security measures such as multi-factor authentication. Security principles hold that information is to be protected according to its value, not its location. Consequently, organizations are well advised to implement robust authentication across all means of entry into their IT and network infrastructure.

Evolving Threats

While threats in the past were mostly static and slow to develop, today’s threat environment is dynamic and unpredictable. Vulnerabilities are known to exist in today’s complex software and Web applications, and attackers exploit both known and unknown vulnerabilities in several ways. One instance of quickly evolving threats is the Advanced Persistent Threat (APT). This type of attack is highly targeted, adaptable, and designed to clandestinely yield long-term results. Often these sophisticated threats use social engineering to compromise passwords, gaining access to networks as entry points for more extensive attacks. Another threat is the exploitation of vulnerabilities that even the product’s developers are unaware of. These are called “zero-day attacks” because the vulnerability is exploited before it is publicly known and before any patch exists, so patching alone cannot prevent the initial compromise. These are just a sampling of the dynamic and unpredictable nature of today’s threat environment. The Stuxnet attack on the Iranian nuclear program is cited as a good example of this type of attack, as were the cyber-attacks on the Saudi government in May 2013.

Organizations need to set policies based on risk, and implement those policies in a way that, when the end-user activity seems out of the ordinary, users are challenged with additional identity confirmation requirements, such as answers to security questions. Note that knowledge-based questions are the weakest such challenge: their answers are often discoverable from the same social media profiles that attackers mine for reconnaissance, so a possession factor (a one-time code from a token or phone) is the stronger step-up. Self-learning risk engines are proving to be efficient at uncovering anomalous activity. The ability to employ device and behavior characteristics, as well as identity authentication factors, strengthens assurances that end users are who they say they are.

Cost Factors

Successful attacks can result in significant direct and indirect costs, including:

▪ Loss of Intellectual Property – Trends indicate that attacks are becoming more focused. Organizations are often targeted because they have unique advantages in trade secrets, patent development, or both. Attackers, ranging from competitors to nation-states, seek access to intellectual property (IP). This IP can give attackers economic or efficiency advantages, in addition to saving them significant research and development (R&D) time and expense.

▪ Reputational Costs – Many businesses are based on trust. Organizations that handle sensitive data, such as PHI, PII, and payment card data, are in a critical position of responsibility to safeguard this information. Breaches and unauthorized access to this information can result in wide-ranging publicity that will negatively impact the public perception of the company. Lack of trust can lead not only to lost business, but to legal action.

▪ Legal Costs – Organizations entrusted with sensitive data have a legal duty to protect that data. Failure to adequately protect it can subject the company to lawsuits on a variety of grounds. These lawsuits can result in financial damages, including restitution and fines. Failure to exercise due care and to adhere to the industry standard of care, which increasingly includes multi-factor authentication, strengthens plaintiffs’ claims.

▪ Lost Employee Productivity – Considerable time can be spent in remediating breaches and unauthorized access. This is employee time that would have been better spent on other aspects of the business. It is also fair to say that employees have a certain level of trust in their employers. Employers, after all, store quite a bit of PII about their employees (e.g., salary information and performance reviews). Yet the effort to recover from a breach of sensitive employee information can be just as taxing as a breach involving sensitive customer information.

6 http://www.securityweek.com/how-logging-starbucks-can-compromise-your-corporate-security
7 http://news.cnet.com/8301-1009_3-57573051-83/eu-feeling-pressure-to-tweak-data-privacy-legislation/#!
8 http://www.hrsa.gov/healthit/toolbox/HealthITAdoptiontoolbox/PrivacyandSecurity/underhipaa.html
9 http://www.infoworld.com/d/security-central/japan-tightens-personal-data-protection-356
10 https://www.pcisecuritystandards.org/security_standards/documents.php?document=pci_dss_v2-0#pci_dss_v2-0
11 http://www.ncsl.org/issues-research/telecom/security-breach-notification-laws.aspx
12 http://www.nerc.com/Pages/default.aspx
13 https://www.ferc.gov/
SOLVING THE PROBLEM

Classically, organizations address security shortfalls with a combination of people, process, and technology. Multi-factor authentication snugly fits into this trifecta, and has proven to be a measure that can address a variety of security gaps across a wide range of organizations and industries.

Applicable to Different Size Organizations – Scale

A hallmark of leading edge technology is that it can be applied across organizations of varying size. This is because the key is not so much the size of the organization, but the ability of end users to conduct their work and access the resources they need in a secure and efficient manner. Security processes that consume end-user time or that are inconvenient are often ignored by end users. Moreover, end users develop work-arounds that circumvent the very processes and technologies that are designed to improve security. In addition, the move to Web-based applications and cloud services means that organizations must adopt security measures that can be operational as quickly as cloud services, and in a cost effective manner. Scalability costs are also important considerations, and include startup costs and ongoing maintenance. Assessing both classes of costs is especially important to organizations that are growing by acquisition.

Risk-Based Authentication – Adapting the Protection to the Threat

Security principles dictate that security measures should be applied based on the value of the data to be protected and the likely risks. Risk-Based Authentication (RBA) is a logical and proven technique for matching the level of protection with the risk. Key to the success of a Risk-Based Authentication scheme is the ability to process information during the log-in process, and to evaluate the level of risk of the particular end user seeking to be granted access. Conventional Risk-Based Authentication involves several steps:

▪ Device Validation – Devices can be identified by secure first-party cookies and Flash Shared Objects (sometimes referred to as Flash cookies). When these two components are used in tandem, there is a double layer of validation. Alternatively, device characteristics can be analyzed to develop a unique ‘fingerprint’ to establish its identity and its users. A recognized device is a risk signal, not an authenticator: cookies can be cleared or stolen, fingerprints drift as software is updated, and Flash Player has since been retired from browsers, so a device match should lower the risk score rather than grant access outright.

▪ Behavior Profiling – In this phase, the context of the log-in is compared to known behavior and other factors, such as the sensitivity of the data. As the context risk and data sensitivity increase, the identity validation steps required of the end user to gain access are likewise increased.
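The two steps above, together with the step-up challenge described under Evolving Threats, as an added worked example. This is not code from the Frost & Sullivan paper and does not represent RSA’s risk engine or the SecurID token algorithm: it is a small Python risk scorer whose weights, thresholds, sensitivity scale and LoginContext fields are illustrative assumptions, followed by a standards-based TOTP verifier (RFC 4226 / RFC 6238) used as the possession factor when the score calls for step-up. A successful step-up enrolls the device so the next login from it scores lower, which is the self-learning behavior the paper alludes to. The sample logins are constructed.

```python
"""Risk-based authentication with TOTP step-up (illustrative, not RSA's engine)."""
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import Optional

ALLOW, STEP_UP, DENY = "allow", "step_up", "deny"


def device_fingerprint(user_agent: str, screen: str, timezone: str) -> str:
    """Cookie-less device identifier: a stable hash over client attributes.
    A match is treated as a risk signal below, never as proof of identity."""
    raw = "|".join((user_agent, screen, timezone)).encode()
    return hashlib.sha256(raw).hexdigest()[:16]


@dataclass
class UserProfile:
    """What the risk engine has learned about one user (the 'known behavior')."""
    known_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)
    usual_hours: range = range(7, 20)          # local hours seen in past logins


@dataclass
class LoginContext:
    """Context of the login attempt being evaluated (fields are assumptions)."""
    device_fp: str
    country: str
    hour: int
    sensitivity: int = 0      # hypothetical scale: 0 public, 1 internal, 2 restricted
    recent_failures: int = 0  # failed attempts on this account in the last hour


def risk_score(profile: UserProfile, ctx: LoginContext) -> int:
    """Additive score. Weights are illustrative assumptions, not a vendor model."""
    score = 0
    if ctx.device_fp not in profile.known_devices:
        score += 30                       # unrecognized device
    if ctx.country not in profile.usual_countries:
        score += 30                       # unusual geography
    if ctx.hour not in profile.usual_hours:
        score += 10                       # unusual time of day
    score += 15 * ctx.sensitivity         # more validation for sensitive data
    score += 5 * min(ctx.recent_failures, 5)
    return score


def decide(score: int, step_up_at: int = 25, deny_at: int = 70) -> str:
    """Map a score to allow / step_up / deny. Thresholds are assumptions."""
    if score >= deny_at:
        return DENY
    if score >= step_up_at:
        return STEP_UP
    return ALLOW


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TotpVerifier:
    """RFC 6238 TOTP check with a +/-1 step skew window and replay rejection."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_counter = -1            # highest time-step counter already accepted

    def verify(self, code: str, now: int) -> bool:
        base = now // self.step
        for delta in range(-self.window, self.window + 1):
            counter = base + delta
            if counter <= self.last_counter:   # already used, or older than a used code
                continue
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):   # constant-time comparison
                self.last_counter = counter
                return True
        return False


def authenticate(profile: UserProfile, ctx: LoginContext, verifier: TotpVerifier,
                 otp: Optional[str] = None, now: int = 0) -> str:
    """Score the login, demand a TOTP only when the risk warrants it, and enroll
    the device after a successful step-up so it is recognized next time."""
    decision = decide(risk_score(profile, ctx))
    if decision == DENY:
        return DENY
    if decision == STEP_UP:
        if otp is None or not verifier.verify(otp, now):
            return STEP_UP                # challenge outstanding or failed
        profile.known_devices.add(ctx.device_fp)
    return ALLOW
```

The verifier accepts a code one step either side of the current time to tolerate clock skew, but remembers the highest counter it has accepted so the same code cannot be replayed inside that window; hmac.compare_digest keeps the comparison constant-time. The RFC 6238 test secret 12345678901234567890 is used only so the output can be checked against the published vectors; a real deployment generates a random per-user secret and stores it encrypted.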
  10. 10. 10 © 2013 Frost & Sullivan. All Rights Reserved.August 2013 Frost & Sullivan Risk-Based Authentication can provide end users with some very solid benefits. RSA’s Risk-Based Authentication can lower the authentication cost per user by up to 40 percent, when compared to traditional hardware authenticators. RBA can also considerably speed up deployment time in large organizations, typically reducing implementation across enterprise organizations from days to weeks.14 Risk-Based Authentication is particularly relevant in situations where the organization has privacy concerns, because this method of authentication is robust, yet does not infringe on end-user privacy. RSA, the dominant player in the market, employs Risk-Based Authentication which looks for anomalies based on historical patterns. Since it only tracks the authentication process, there are no privacy issues with this proven approach. Platform Agnostic Another key aspect of authentication technology today is that it must be platform- agnostic, meaning that the same level of authentication, and essentially the same process of authentication, must be facilitated across the platforms favored by end users. Also, some end users may be most comfortable with software on their desktop or laptop computers. This is a staple of many organizations and many industries. However, as industries evolve, so do their computing platforms. The authentication technology must also be available, in a consistent form factor, to function on mobile phones and tablets, so as to facilitate remote access 24x7 by authorized end users. Interestingly enough, many end users still prefer the comfort of hardware tokens. In fact, many large banks brand RSA hardware tokens for their large portfolio customers, to control access to their accounts. RSA’s software tokens are used for similar purpose, and add to choice and flexibility in strong authentication. 
RSA’s ability to enhance the security based on the cumulative learning of the sum of the authentication processes increases security—and is transparent to the user. The ubiquity of smartphones, exacerbated by the growing popularity of BYOD, mandates that authentication via SMS is another platform that must be part of the offering. Considering the ever-present and on-person nature of smartphones, these devices, when used with SMS, become an effective something-you-have authentication factor. Easy to Integrate Into Existing Operations End users do not want to be interrupted in their work; consequently, authentication technology must be easily integrated into their routines. Ideally, this integration would be at the lowest possible level in the technology stack, with native support being ideal. Embedding the authentication is a proven way of enhancing security while facilitating operations. Many organizations are taking advantage of the recently released SecurID platform version RSA® Authentication Manager 8.0. In particular, this release is optimized and 14 RSA Analysis Another key aspect of authentication technology today is that it must be platform- agnostic, meaning that the same level of authentication, and essentially the same process of authentication, must be facilitated across the platforms favored by end users. End users do not want to be interrupted in their work; consequently, authentication technology must be easily integrated into their routines.
  11. 11. 11© 2013 Frost & Sullivan. All Rights Reserved. August 2013 You Are the Target – But You Don’t Have To Be with Effective Authentication certified as a VMware® Ready Virtual Appliance for use with popular VMware tools such as snapshots, VMotion and high availability. Examples of embedded authentication include SanDisk integration of RSA authentication into its flash drives; Privaris’s implementation with its biometric devices; and Juniper Networks working with RSA to enable mobile security services that unite strong authentication with secure remote access, to extend the security model and streamline the mobile user experience when accessing both corporate and cloud-based resources. RSA continues to revolutionize its multi-factor authentication portfolio, both organically and through acquisitions—such as PassBan, a visionary leader in mobile and cloud-based multi-factor authentication. There are also over 400 partners that have established RSA interoperability with their products and services, including Check Point, Cisco, Citrix, and IBM. Collectively, these examples illustrate that an authentication technology must be embraced by a robust ecosystem of interoperable products in order to drive widespread adoption. HOW SUCCESSFUL COMPANIES ARE MEETING THE AUTHENTICATION CHALLENGE This section provides highlights of how organizations of various sizes have solved their authentication challenges by employing RSA products. Grupo Bancolombia ▪ The Business – One of the largest banks in Latin America, founded nearly 70 years ago—and the largest in Colombia—the bank provides banking services to approximately 60,000 organizations and over 1.5 million retail customers. One of the bank’s key initiatives was to leverage the competitive advantages of its online banking portal. 
The portal is used by approximately 90,000 people in the organizational sector, and about two-thirds of its retail customers.15 ▪ The Security Challenge – A number of years ago, the bank noticed a significant increase in fraudulent access attempts to the online portal. According to Carlos Rodriques, Internet Manager of Bancolombia, “We knew we needed to respond quickly and effectively, both for the sake of our customers and to preserve the integrity of our offerings. Until that point, we had relied on applications we had developed in-house to prevent attacks. However, the severity of the fraud activity we were starting to see highlighted the need to strengthen our defenses with dedicated security solutions.” ▪ The Solution – The company wanted to be able to offer software-based authenticators to its retail customers, and hardware authenticators to its corporate clientele. The availability of both approaches was critical because retail customers want the convenience of not installing special software or having a hardware token; 15 http://www.grupobancolombia.com/webcorporativa/
  12. 12. 12 © 2013 Frost & Sullivan. All Rights Reserved.August 2013 Frost & Sullivan while corporate clients want the security, durability, reliability, and standardization that comes with hardware tokens. ▪ The Impact – Subsequent to installing the solution, the bank saw a marked decrease in fraudulent activity targeting its online platform. According to Rodriguez, “Fraud fell by around 90 percent after we added the technology, and has remained constant ever since.” Banco Popular De Puerto Rico ▪ The Business – This largest commercial bank in Puerto Rico has 174 branches, almost 600 ATMs, and more than 27,000 Point of Sale (POS) terminals. The bank also provides a variety of Internet banking services, including: Internet Banking, e- Commercial Statement, and WebCash Manager.16 ▪ The Security Challenge – The bank had developed its own version of a three-step password process. Requirements of the Federal Financial Institutions Examination Council (FFIEC) mandated the use of multi-factor authentication as a prerequisite to enter online banking systems. ▪ The Solution – After performing a risk assessment, the bank decided that the combination of a Risk-Based Authentication system for its customers and a hardware- based authentication system for its internal network would be the optimal solution. RSA was chosen, after a vendor qualification process. The bank felt that the powerful nature of the RSA Risk Engine—tracking over 100 fraud indicators—would be the most effective way to manage security at the individual log-in level, with minimal interruptions and inconvenience to customers. According to Miguel Mercado Torres, CISO and VP Operational Risk management at the Bank, “We were keen to upgrade our solution, in light of the increase of cyber threats and cyber fraud activity. 
By adding an extra layer of security for access into the corporate Intranet, RSA SecurID authentication enables us to increase the number of people who are able to work from home, and also enables the sales team to complete more transactions while out in the field.”
▪ The Impact – The bank has seen a significant reduction in attacks on its customers’ accounts, and a corresponding increase in customer confidence and satisfaction with the bank.
16 http://www.popular.com/en/business-online-services#GA=Online_Services__Business_Services__LP

Lazio Innovazione Tecnologica (LAit)
▪ The Business – LAit is the IT development arm that works with Regione Lazio17 in Italy to help the regional government automate services and to stimulate adoption of digital services, including healthcare, e-mail, and data transfers. One example is the Farmarecup project, which gives consumers a choice of pharmaceutical products from 170 pharmacies in Lazio and lets patients schedule medical appointments online through a self-service, Web-based appointment system.
17 http://www.regione.lazio.it/rl_sanita/?vw=contenutidettaglio&id=43
▪ The Security Challenge – LAit needed an authentication mechanism that would integrate with existing systems, improve security, be patient-friendly, and be cost-effective.
▪ The Solution – The company opted for a two-factor authentication system from RSA because of its ease of use and management capabilities. The Technical Director of LAit, Vittorio Gallinella, explained, “We evaluated the performance of the systems in real-life scenarios. This was necessary to verify the compatibility and integration with LAit’s systems, as well as ease of installation.”
▪ The Impact – According to Regino Brachetti, President of LAit S.p.A., “Secure remote access and collaboration has enabled us to accelerate the process for booking medical appointments and exams, providing more efficient public services to Regione Lazio’s citizens. What’s more, thanks to two-factor authentication, we have reduced management costs by 70 percent.” The government found that the authentication system created the means to expand the range of services it offered. Separately, as noted by Mr. Gallinella, “We, above all, recognize the versatility of RSA SecurID—besides the simplicity of installation, management and use. Because of these characteristics, we have adopted this solution for other purposes too; in particular, providing remote access to a number of services for some Directorates and Departments, for system management and to give access to some resources.
The solution enables us to unify password management and consolidate authentication management with a unique tool.”

NTT Com Asia
▪ The Company – NTT Com Asia Limited is a wholly owned subsidiary of NTT Communications, the international and long-distance arm of NTT (Nippon Telegraph and Telephone Corporation). NTT Com Asia serves as the regional headquarters for East Asia, covering Hong Kong, Macao, Taiwan, and Korea. The company provides multinational companies with end-to-end network and IT solutions, including cloud hosting, managed services, integrated solutions, IP connectivity, and data center support. It also provides local connectivity and services for small and midsize businesses.18
18 http://www.hk.ntt.com/en/index.html
▪ The Security Challenge – The company needed a strong authentication system to protect sensitive customer information while ensuring compliance with local financial regulations. As a communications provider, it needed a security solution that would offer high availability and dependability on a 24x7 basis. According to Jonathan Wong of NTT Com Asia, “The goal of the project was to provide a system that enabled mobile workers at our customer sites to access sensitive information stored on their internal servers, from a remote location, whenever they needed it. The process had to be secure, but also needed to be simple enough to implement to a potential workforce of hundreds of thousands.”
▪ The Solution – NTT Com Asia selected the RSA SecurID solution to implement a two-step authentication process.
▪ The Impact – The company found that the robust authentication system gave its customers a higher level of confidence and trust, and Mr. Wong credited it with strengthening customer relationships. He noted, “Since we deployed RSA SecurID, the feedback has been very positive. The key theme coming through is reliability. Our customers trust the solution to deliver against their security requirements.”

Red Bull Racing
▪ The Company – The Red Bull Racing team, based in Milton Keynes, United Kingdom, is a double Formula 1 World Champion.
▪ The Security Challenge – The Red Bull Racing team regularly competes in Grand Prix events all over the world, and many employees are often traveling. Individuals frequently need to access the Red Bull corporate network from challenging locations and under significant time pressure, particularly those based in the pit lane on race day. In a fiercely competitive field like F1 racing, however, giving employees fast and reliable access to critical applications and e-mail is only half the story. At the same time, Red Bull must ensure that unauthorized attempts to access its network are effectively prevented, to keep team secrets from being leaked.
▪ The Solution – Hardware tokens were issued to around 400 employees, who adopted the new technology enthusiastically thanks to the user-friendly, easy-to-read design. In addition to the robust and reliable hardware element, Red Bull Racing was impressed that RSA Authentication Manager integrated smoothly with its existing IT environment.
▪ The Impact – The new authentication system integrated well into the existing infrastructure. Neil Bailey, Red Bull Racing IT Infrastructure Manager, commented, “We were pleasantly surprised by how well the solution integrated with our Citrix Access Gateway VPN. It also works very well with our Cisco Secure Remote Access solution, enabling smooth delivery of applications. This effortless interoperability meant that migrating our user base to the RSA platform was quick and hassle-free.” Allocating new tokens, for example to new employees, is now much simpler and more efficient. Previously, a skilled security expert needed about 30 minutes in the authentication management console to set up a new user and allocate a token; with the RSA Authentication Manager console, new users can be set up in a few minutes.
The Last Word
This paper has explained why an organization of any size can be a target for hackers, and at risk of data breaches, because of weak authentication. We have also shown how the legal and threat environment, combined with new operating necessities such as BYOD, makes multi-factor, Risk-Based Authentication a logical approach to reducing these risks. Five RSA customer case studies illustrated the various ways organizations are meeting their security challenges with RSA’s SecurID authentication platform. RSA SecurID is the most widely deployed one-time password platform, with over 25,000 customers worldwide and more than 40 million tokens actively in use. Currently, over 350 million online identities are protected with Risk-Based Authentication by RSA.
Robust authentication that is intuitive for users and available across multiple platforms is critical to effective use of today’s networks. Adaptability across a range of organizations, a common interface, and an overarching management system are vital to ensuring optimal security in today’s dynamic threat environment.
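The Banco Popular case study above describes a risk engine that scores each log-in against fraud indicators and interrupts the customer with a second factor only when the risk warrants it, and the conclusion recommends the same multi-factor, Risk-Based Authentication approach. The Python below is an added example written for this page; it is not RSA’s risk engine or SecurID code. The indicators, weights, and thresholds are assumptions chosen to illustrate the decision flow, the user profile and log-in attempts are constructed sample data, and a standard RFC 6238 TOTP stands in for the one-time password (RSA SecurID tokens use their own algorithm, which this example does not implement).

```python
"""Risk-based step-up login decision with a one-time-password second factor.

Added example: weights, thresholds and sample data are assumptions, not RSA's.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

STEP_UP_THRESHOLD = 40   # at or above: require a one-time password (assumed)
DENY_THRESHOLD = 80      # at or above: refuse even with a valid OTP (assumed)
TOTP_STEP = 30           # seconds per time step, per RFC 6238


@dataclass
class UserProfile:
    known_devices: frozenset
    usual_countries: frozenset
    last_login_ts: Optional[float] = None   # Unix time of the last successful login
    last_country: Optional[str] = None


@dataclass
class LoginAttempt:
    device_id: str
    country: str
    ts: float                 # Unix time of this attempt
    failed_in_last_hour: int  # failed password attempts against this account


def risk_score(attempt: LoginAttempt, profile: UserProfile) -> Tuple[int, List[str]]:
    """Score 0..100 from a few illustrative fraud indicators; returns (score, reasons)."""
    score, reasons = 0, []
    if attempt.device_id not in profile.known_devices:
        score += 30
        reasons.append("unknown device")
    if attempt.country not in profile.usual_countries:
        score += 25
        reasons.append("unusual country")
    # "Impossible travel": a different country within two hours of the last login.
    if (profile.last_login_ts is not None and profile.last_country is not None
            and attempt.country != profile.last_country
            and attempt.ts - profile.last_login_ts < 2 * 3600):
        score += 40
        reasons.append("impossible travel")
    if attempt.failed_in_last_hour >= 5:
        score += 20
        reasons.append("password-guessing velocity")
    return min(score, 100), reasons


def totp(secret: bytes, at_time: float, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1; used here as the step-up factor."""
    counter = int(at_time // TOTP_STEP)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, at_time: float, window: int = 1) -> bool:
    """Accept the current step or +/- `window` steps for clock drift; constant-time compare."""
    return any(hmac.compare_digest(totp(secret, at_time + k * TOTP_STEP), code)
               for k in range(-window, window + 1))


def authenticate(attempt: LoginAttempt, profile: UserProfile,
                 secret: bytes, otp: Optional[str] = None) -> Tuple[str, int, List[str]]:
    """Password is assumed already verified; decide allow, step up, or deny."""
    score, reasons = risk_score(attempt, profile)
    if score >= DENY_THRESHOLD:
        return "deny", score, reasons               # too risky even with a valid OTP
    if score < STEP_UP_THRESHOLD:
        return "allow", score, reasons              # low risk: no interruption
    if otp is not None and verify_totp(secret, otp, attempt.ts):
        return "allow_after_step_up", score, reasons
    return "step_up_required", score, reasons       # prompt for the one-time password


if __name__ == "__main__":
    # Constructed sample data, not real customer data. The secret is the RFC 6238 test key.
    secret = b"12345678901234567890"
    profile = UserProfile(frozenset({"laptop-7f3a"}), frozenset({"CO"}),
                          last_login_ts=1_700_000_000, last_country="CO")
    routine = LoginAttempt("laptop-7f3a", "CO", 1_700_003_600, 0)
    new_device = LoginAttempt("phone-91c2", "US", 1_700_090_000, 0)   # a day later
    hijack = LoginAttempt("phone-91c2", "US", 1_700_001_000, 6)       # 17 min after a CO login
    print(authenticate(routine, profile, secret))                     # allow
    print(authenticate(new_device, profile, secret))                  # step_up_required
    print(authenticate(new_device, profile, secret, totp(secret, new_device.ts)))
    print(authenticate(hijack, profile, secret, totp(secret, hijack.ts)))  # deny
```

Two design points matter in practice. The deny band above the step-up band means a one-time password cannot rescue a session that already looks like an account takeover (new device, foreign country, impossible travel and a burst of failed passwords), which is the case where a phished OTP would otherwise succeed. The step-up band is what keeps interruptions minimal: a routine log-in from a known device never sees the second prompt, so the cost of strong authentication is paid only by the risky minority of attempts.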
ABOUT FROST & SULLIVAN
Frost & Sullivan, the Growth Partnership Company, works in collaboration with clients to leverage visionary innovation that addresses the global challenges and related growth opportunities that will make or break today’s market participants. For more than 50 years, we have been developing growth strategies for the Global 1000, emerging businesses, the public sector and the investment community. Is your organization prepared for the next profound wave of industry convergence, disruptive technologies, increasing competitive intensity, Mega Trends, breakthrough best practices, changing customer dynamics and emerging economies?
Contact: 877.GoFrost • myfrost@frost.com • http://www.frost.com
For information regarding permission, write: Frost & Sullivan, 331 E. Evelyn Ave., Suite 100, Mountain View, CA 94041
