Our Chief Product Officer, Lila Kee, spoke at Cloud Computing Expo in New York.
The talk covers how cloud-based service providers must build security and trust into their offerings. As customers become more reliant on these offerings, it is imperative that providers make identity, security, and privacy easy for them. The slides cover best practices for cloud-based service providers and show how a superior user experience, backed by security features, enables business growth and reduces customer churn.
You can find out more in our webinar: https://www.globalsign.com/en/lp/webinar-the-business-advantages-of-ssl-as-a-service/
2. CloudExpo 2016
WHAT YOU WILL LEARN TODAY
• Strong identity verification as a security measure and business enabler
• Authentication vs Authorization vs Access Primer
• Types of User Identities – Known and Unknown
• Assurance Levels
• 3rd Party Identity Providers - MobileConnect
• Trends in Web Security
3. TRUST – It All Starts with Identity Verification
Identity is in Everything – Everything Needs a Trusted and Manageable Identity
• Cloud-based service provider customers are looking to their providers to ensure the security of their identities, transactions and data.
• With the increased reliance on cloud-based services, service providers must build security and trust into their offerings, adding value to customers and improving the user experience.
• Making identity, security and privacy easy for customers provides a unique advantage over the competition.
4. Protecting User Identities is Essential
• Customer retention
• Brand protection
• Compliance
Know Your Customer
• Prevent:
  • Identity theft
  • Fraud
  • Money laundering
5. Identity Theft: The Good News - Awareness
19 people fall victim to identity theft every MINUTE (*Federal Trade Commission)
6. Security as a Business Advantage
• Differentiate from your competitors with a superior user experience
• Reduce order / sign-up abandonment
• Reduce customer churn with easy re-engagement
• Avoid costly fines and reputation loss by complying with privacy regulations
8. What Do We Mean By “Identity”?
• We all have identities. In the digital world our identities manifest themselves in the form of attributes: entries in a database.
• A unique attribute differentiates us from other online users. Such an attribute could be an email address, a phone number, or a social security number.
• We get attributes from our employers in the form of titles, the business unit we belong to, the roles we have in projects, or our place in the organization hierarchy.
• Attributes pertaining to our private and working lives are different and change over time as we change jobs, move, get married, etc.
9. Attribute = Authorization?
• Some of the identity attributes that we have are powerful. They allow us to do things online.
• A role attribute that describes a position within a company, a purchase manager for example, can tell an online site what the person is allowed to do on that specific site.
• Therefore, it is quite crucial that attributes granting power to the user are carefully managed and maintained.
10. What Do We Mean By “Access”?
• Access decisions are Yes/No decisions.
• When an access control is deployed, it is tasked with making the Yes/No decision when an online user tries to enter or use the resource.
• There can be, and usually are, multiple access control points within an online service.
• At the top level there is an access control point that determines whether the user is allowed to enter the site at all.
• At the lower levels, access control points guard individual resources, down to the files located on disk.
11. What Do We Mean By “Authentication”?
• Authentication is the process by which the identity of the user is established.
• There are many different ways to authenticate the user:
  • User name and Password
  • PKI
  • eID
  • LEIs
  • Email control
  • Mobile Connect
  • OTP
  • Etc.
Authentication credentials are issued after identities are verified, for example via:
• Email control
• Active Directory/HR on-boarding
• Assertion by IdP
12. GSMA MobileConnect
Mobile Network Operators (MNOs) have the opportunity to remove the biggest obstacle in Service Provider onboarding – the customers. With millions of subscribers and potential Mobile Connect users, the MNO is well positioned to offer convenient user authentication to online services.
14. One Size Does Not Fit All
Risk:                   Low             Medium          High
Identity verification:  Social          Email control   Face to Face
Authentication:         User Name/PW    Contextual      2FA
15. Identity vs Access Management
• Identity Management is about managing the attributes related to the user.
• Access Management is about evaluating the attributes against policies and making Yes/No decisions.
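The split between the two slides above (and the "Attribute = Authorization?", "Access" and "One Size Does Not Fit All" slides) is easiest to see in code. The following is an added example, not code from the slides or from GlobalSign: identity management supplies the user's attributes, and access management evaluates them against a per-resource policy at two control points (site entry, then the resource) and returns a Yes/No decision with a reason. The resource names, attribute names and the 1/2/3 level numbers are hypothetical; the ordering of verification and authentication methods follows the Low/Medium/High risk table.

```python
"""Identity vs. access management as code: attributes in, Yes/No out.

Added example, not from the slides. Resource names, attribute names and
the level numbers are hypothetical; the method ordering follows the
slides' Low/Medium/High risk table.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Tuple

# Assurance ladders (1 = Low, 2 = Medium, 3 = High), per the risk table.
VERIFICATION_LEVEL = {"social": 1, "email_control": 2, "face_to_face": 3}
AUTHN_LEVEL = {"password": 1, "contextual": 2, "2fa": 3}


@dataclass
class Identity:
    """What identity management knows about the user."""
    user_id: str
    roles: FrozenSet[str] = field(default_factory=frozenset)
    verified_by: str = "social"         # identity verification at onboarding
    authenticated_by: str = "password"  # authentication used for this session


@dataclass(frozen=True)
class Policy:
    """What a resource demands: an optional role plus minimum assurance levels."""
    required_role: Optional[str]
    min_verification: int
    min_authn: int


# Hypothetical resources. Entering the site is low risk; approving a purchase
# is a powerful action, so it demands a role and high assurance on both axes.
POLICIES: Dict[str, Policy] = {
    "site": Policy(None, min_verification=1, min_authn=1),
    "catalog": Policy(None, min_verification=1, min_authn=1),
    "approve_purchase": Policy("purchase_manager", min_verification=3, min_authn=3),
}


def evaluate(identity: Identity, policy: Policy) -> Tuple[bool, str]:
    """One access control point: attributes vs. policy -> (decision, reason)."""
    if policy.required_role and policy.required_role not in identity.roles:
        return False, f"missing role {policy.required_role}"
    # Unknown methods map to 0, so an unrecognised attribute value can never pass.
    if VERIFICATION_LEVEL.get(identity.verified_by, 0) < policy.min_verification:
        return False, "identity verification too weak for this resource"
    if AUTHN_LEVEL.get(identity.authenticated_by, 0) < policy.min_authn:
        return False, "step-up authentication required"
    return True, "allowed"


def decide(identity: Identity, resource: str) -> Tuple[bool, str]:
    """Layered access control: the site-entry point first, then the resource."""
    policy = POLICIES.get(resource)
    if policy is None:
        return False, "unknown resource"  # fail closed, never fail open
    if resource != "site":
        ok, why = evaluate(identity, POLICIES["site"])
        if not ok:
            return False, "denied at site entry: " + why
    return evaluate(identity, policy)


if __name__ == "__main__":
    manager = Identity("alice", frozenset({"purchase_manager"}), "face_to_face", "2fa")
    print(decide(manager, "approve_purchase"))          # (True, 'allowed')
    manager.authenticated_by = "password"               # same person, weaker session
    print(decide(manager, "approve_purchase"))          # (False, 'step-up authentication required')
    print(decide(Identity("bob"), "approve_purchase"))  # (False, 'missing role purchase_manager')
```

The point to notice is that the same attribute (the purchase-manager role) yields different answers depending on the assurance behind the session: the role is what identity management maintains, the decision is what access management computes, and a weak session gets a step-up requirement rather than a silent deny.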
16. The New Age of Bring Your Own Identity
Building Online Privacy Confidence
Gartner Recommends Use of 3rd-party IDs
17. Don’t go it Alone - Use 3rd-party verified IDs
• Reduces verification costs by up to 30 times
• Look for IAM providers that offer a single integration to the relevant high-assurance IDs
19. Building Online Privacy Confidence
SSL/TLS (HTTPS) delivers website and server identity authentication as well as encryption of data in transit.
Protecting your eServices with SSL certificates provides customers and visitors assurance that their browsing session is safe, and that payment details and personal information are kept secure and encrypted.
However, browsers and Certificate Authorities are making big changes to make browsing safer that may impact your eService.
21. SSL Trends
• With the rise of Web 2.0, users are communicating sensitive information well beyond credit card data.
• According to OTA, “Cybercriminals today are targeting consumers using an attack method called sidejacking that takes advantage of consumers visiting unencrypted HTTP web pages after they have logged into a site.” The session cookie issued at login is sent in the clear with every such HTTP request, where it can be captured and replayed.
• The Online Trust Alliance (OTA) is calling on the security, business and interactive advertising communities to adopt Always On SSL (AOSSL), the approach of using SSL/TLS across your entire website to protect users with persistent security, from arrival to login to logout.
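What "persistent security from arrival to logout" means for a single response can be checked mechanically. The following is an added example, not code from the slides or from OTA: a small checker that takes a raw HTTP response and reports the conditions that make sidejacking possible (a session cookie without the Secure attribute, no HSTS header, plaintext http:// references that pull the browser back to HTTP), shown against a constructed weak response and the same page corrected under Always On SSL. The host names, cookie name and header values are constructed for the example.

```python
"""Always On SSL hygiene check for an HTTP response.

Added example, not from the slides or from OTA. Both responses are
constructed. Sidejacking works because a session cookie issued at login
is replayed by the browser on every later http:// request to the site,
where it can be sniffed; the checks flag the conditions that allow that.
"""
import re
from typing import List, Set, Tuple

# Constructed: what a site that encrypts only its login page might send.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "\r\n"
    '<img src="http://cdn.example.test/logo.png">'
    '<a href="http://example.test/account">Account</a>'
)

# Constructed: the same page under Always On SSL.
FIXED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
    '<img src="https://cdn.example.test/logo.png">'
    '<a href="https://example.test/account">Account</a>'
)

# Attribute values that point back at plaintext HTTP (matches http:// only).
PLAINTEXT_REF = re.compile(r"""(?:src|href|action)=["'](http://[^"']+)""", re.IGNORECASE)


def parse_response(raw: str) -> Tuple[str, List[Tuple[str, str]], str]:
    """Split a raw HTTP/1.1 response into (status line, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *header_lines = head.split("\r\n")
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body


def cookie_attributes(set_cookie: str) -> Tuple[str, Set[str]]:
    """Return (cookie name, lower-cased attribute names) from a Set-Cookie value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def aossl_findings(raw: str, served_over_https: bool, session_cookie: str = "session") -> List[str]:
    """List everything that breaks persistent security for this response."""
    findings = []
    _, headers, body = parse_response(raw)
    if not served_over_https:
        findings.append("page served over plain HTTP")
    if not any(name == "strict-transport-security" for name, _ in headers):
        findings.append("no Strict-Transport-Security header (browser may still try http://)")
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie, attrs = cookie_attributes(value)
        if cookie != session_cookie:
            continue
        if "secure" not in attrs:
            findings.append(f"session cookie {cookie!r} lacks Secure: sidejackable over http://")
        if "httponly" not in attrs:
            findings.append(f"session cookie {cookie!r} lacks HttpOnly: readable by injected script")
    for url in PLAINTEXT_REF.findall(body):
        findings.append(f"plaintext reference {url} (mixed content / downgrade path)")
    return findings


if __name__ == "__main__":
    for line in aossl_findings(WEAK_RESPONSE, served_over_https=False):
        print("WEAK :", line)
    print("FIXED:", aossl_findings(FIXED_RESPONSE, served_over_https=True))  # []
```

The Secure attribute is the single change that defeats sidejacking directly (the browser will not send the cookie over http:// at all); HSTS and the https:// references remove the reasons a browser would make a plaintext request in the first place.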
22. Google – Always on SSL – Motivating Good Security
• Marking HTTP as Insecure – Google has done it; others are likely to follow.
• Mozilla and Apple have both indicated that they want more web encryption. Even the US government has taken important steps in that direction, requiring all .gov websites to be HTTPS by default before the end of this year.
• Google made website security (HTTPS) a ranking factor in search.
• While the ranking increase is starting out quite slight, Google hinted it will strengthen its impact over time, as its goal is to encourage stronger adoption of HTTPS across the board to “keep everyone safe on the web.”
23. Certificate Transparency
• Certificate Transparency makes it possible to detect SSL certificates that have been mistakenly issued by a certificate authority or maliciously acquired from an otherwise unimpeachable certificate authority. It also makes it possible to identify certificate authorities that have gone rogue and are maliciously issuing certificates. It does this via:
  • Certificate Logs
  • Monitors
  • Audits
• Early detection of misissued certificates, malicious certificates, and rogue CAs.
• Faster mitigation after suspect certificates or CAs are detected.
• Better oversight of the entire TLS/SSL system.
• Google Chrome is currently the only browser with a CT policy and the only one with an enforcement mechanism.
• When Chrome encounters an EV certificate which does not comply with the policy, the EV green bar treatment is removed. To be compliant, the EV certificate:
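The three roles on the slide (log, auditor, monitor) rest on one data structure: an append-only Merkle tree whose hashing is defined in RFC 6962 (leaf hash = SHA-256(0x00 || entry), interior node = SHA-256(0x01 || left || right), split at the largest power of two below the size). The following is an added example, not code from the slides or from any CT log implementation: it builds the tree over a constructed log of five stand-in entries (host|issuer|serial strings, where a real log holds certificates), produces an inclusion proof the way a log would, verifies it the way an auditor would (the walk from RFC 6962-bis), and runs the monitor check a domain owner would run to catch a certificate for their name from an issuer they never used. The entry format, host names and issuer names are constructed.

```python
"""Certificate Transparency log mechanics: Merkle root, inclusion proof, monitor.

Added example, not from the slides. Entries are constructed stand-ins
(host|issuer|serial) for certificates; the hashing follows RFC 6962.
"""
import hashlib
from typing import List, Set

# Constructed log contents. CA-Beta never issued for example.test on purpose.
LOG: List[bytes] = [
    b"www.example.test|CA-Alpha|1001",
    b"mail.example.test|CA-Alpha|1002",
    b"www.other.test|CA-Beta|2001",
    b"www.example.test|CA-Beta|2002",   # the misissued one a monitor should catch
    b"shop.example.test|CA-Alpha|1003",
]


def hash_leaf(entry: bytes) -> bytes:
    """RFC 6962 leaf hash; the 0x00 prefix separates leaves from nodes."""
    return hashlib.sha256(b"\x00" + entry).digest()


def hash_node(left: bytes, right: bytes) -> bytes:
    """RFC 6962 interior node hash with the 0x01 domain-separation prefix."""
    return hashlib.sha256(b"\x01" + left + right).digest()


def split_point(n: int) -> int:
    """Largest power of two strictly less than n (n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_root(entries: List[bytes]) -> bytes:
    """Merkle Tree Hash of the log; this is what the log signs as its tree head."""
    n = len(entries)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return hash_leaf(entries[0])
    k = split_point(n)
    return hash_node(merkle_root(entries[:k]), merkle_root(entries[k:]))


def inclusion_path(index: int, entries: List[bytes]) -> List[bytes]:
    """Sibling hashes from the leaf up to the root (what a log returns to an auditor)."""
    n = len(entries)
    if not 0 <= index < n:
        raise IndexError("leaf index outside the tree")
    if n == 1:
        return []
    k = split_point(n)
    if index < k:
        return inclusion_path(index, entries[:k]) + [merkle_root(entries[k:])]
    return inclusion_path(index - k, entries[k:]) + [merkle_root(entries[:k])]


def verify_inclusion(entry: bytes, index: int, tree_size: int,
                     path: List[bytes], root: bytes) -> bool:
    """Auditor side: recompute the root from the leaf and its path (RFC 6962-bis walk)."""
    if index >= tree_size:
        return False
    fn, sn = index, tree_size - 1
    r = hash_leaf(entry)
    for p in path:
        if sn == 0:
            return False            # path longer than the tree allows
        if fn & 1 or fn == sn:
            r = hash_node(p, r)     # we are a right child: sibling goes left
            if not fn & 1:          # fn == sn case: skip the levels we are alone on
                while fn & 1 == 0 and fn != 0:
                    fn >>= 1
                    sn >>= 1
        else:
            r = hash_node(r, p)     # we are a left child: sibling goes right
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root    # sn != 0 means the path was too short


def find_unexpected(entries: List[bytes], domain: str, trusted_issuers: Set[str]) -> List[bytes]:
    """Monitor side: certificates naming our domain from an issuer we never used."""
    hits = []
    for entry in entries:
        host, issuer, _serial = entry.decode().split("|")
        ours = host == domain or host.endswith("." + domain)
        if ours and issuer not in trusted_issuers:
            hits.append(entry)
    return hits


if __name__ == "__main__":
    root = merkle_root(LOG)
    for i, entry in enumerate(LOG):
        ok = verify_inclusion(entry, i, len(LOG), inclusion_path(i, LOG), root)
        print(i, entry.decode(), "included" if ok else "NOT included")
    print("unexpected:", find_unexpected(LOG, "example.test", {"CA-Alpha"}))
```

Inclusion proofs are what make a log's promise checkable: a certificate carrying a signed timestamp from the log must be provable against a published tree head, and a log that cannot produce the proof is caught by auditors. Monitoring is the domain owner's side of the same bargain; a certificate they did not request shows up in the log whether the issuing CA was careless or compromised.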
25. Health Check Your Webserver Security
• Key size: Use 2048-bit Private Keys
• Private key protection
• Ensure Sufficient Hostname Coverage
• Obtain Certificates from a Reliable CA
• Use Strong Certificate Signature Algorithms
• Configuration:
  • Deploy with Valid Certificate Chains
  • Use Secure Protocols
  • Control Cipher Suite Selection
• …… lots more. There’s an easy way
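The two configuration items on this slide that are purely a server-side setting, "Use Secure Protocols" and "Control Cipher Suite Selection", can be expressed and audited with Python's standard ssl module (OpenSSL underneath). The following is an added example, not code from the slides or from GlobalSign: a hardened server context beside an audit that flags a protocol floor below TLS 1.2, weak cipher families, and suites without forward secrecy. The weak configuration is a constructed fixture of what a poorly configured server might advertise, because a modern OpenSSL will not build such a context; the key and chain file names in the comment are hypothetical.

```python
"""Webserver TLS health check: a hardened server context beside an audit.

Added example, not from the slides. WEAK_SERVER is a constructed fixture
so the audit can be shown failing without a deliberately weak OpenSSL build.
"""
import ssl
from typing import Dict, List


def hardened_context() -> ssl.SSLContext:
    """Server context implementing 'Use Secure Protocols' and 'Control Cipher Suite Selection'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2       # no SSLv3 / TLS 1.0 / TLS 1.1
    # Forward-secret AEAD suites only; reject anonymous and MD5-based suites outright.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    # Server picks from its own preference order; disable TLS compression (CRIME).
    ctx.options |= ssl.OP_NO_COMPRESSION | ssl.OP_CIPHER_SERVER_PREFERENCE
    # In deployment (hypothetical file names): ctx.load_cert_chain("fullchain.pem", "privkey.pem"),
    # with the intermediate CA in fullchain.pem ("Deploy with Valid Certificate Chains").
    return ctx


# Constructed: what a neglected server might still advertise.
WEAK_SERVER = {
    "min_version": ssl.TLSVersion.TLSv1,
    "ciphers": [
        {"name": "RC4-SHA", "protocol": "TLSv1", "strength_bits": 128},
        {"name": "AES256-SHA", "protocol": "TLSv1", "strength_bits": 256},  # RSA key exchange
        {"name": "ECDHE-RSA-AES128-GCM-SHA256", "protocol": "TLSv1.2", "strength_bits": 128},
    ],
}

# Substrings that mark a cipher family as broken, export-grade or unauthenticated.
WEAK_NAME_MARKERS = ("RC4", "3DES", "DES-CBC", "NULL", "MD5", "EXP", "ADH", "AECDH")


def audit(min_version: ssl.TLSVersion, ciphers: List[Dict]) -> List[str]:
    """Findings for a protocol floor and a cipher list shaped like SSLContext.get_ciphers()."""
    findings = []
    if min_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum protocol {min_version.name} is below TLS 1.2")
    for c in ciphers:
        name = c["name"]
        if any(marker in name for marker in WEAK_NAME_MARKERS) or c["strength_bits"] < 128:
            findings.append(f"weak cipher {name}")
        elif not (name.startswith(("ECDHE-", "DHE-")) or c["protocol"] == "TLSv1.3"):
            findings.append(f"no forward secrecy: {name}")
    return findings


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Audit a live context using the cipher list OpenSSL actually enabled."""
    return audit(ctx.minimum_version, ctx.get_ciphers())


if __name__ == "__main__":
    print("weak server:", audit(WEAK_SERVER["min_version"], WEAK_SERVER["ciphers"]))
    print("hardened   :", audit_context(hardened_context()))  # []
```

The audit reads the cipher list OpenSSL actually enabled rather than the string that was requested, which is the check that matters: a cipher string that looks strict can still expand to suites you did not intend on a given OpenSSL build. Key size, signature algorithm and chain validity are properties of the certificate files, which this module does not parse; those still need an external scan.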
28. Conclusion
• Enhanced security doesn’t have to mean a decline in user experience
• Stay on top of browser changes
• Utilize bring-your-own-identity by leveraging 3rd-party identity providers
• Match the level of identity verification and authentication methods to the impact a breach of the data would have
• Remember that users are increasingly becoming more security savvy
• Only ask for what you need
• Solicit consent around data privacy (Federation, Cross-borders)
• Strong identity verification is a business enabler