24
The future of Authentication and Security
July 9, 2015
Kevin Dohrmann, CTO, Cosentry
Proprietary and Confidential


The Future of Authentication and Security


Omaha Success Story – Background

Company Background
• Founded and headquartered in Omaha; covers five Midwest markets
• Over 15 year heritage
• Center of Excellence in Managed IT Solutions: data center services, cloud, managed services, and help desk services

Financial Strength
• Double-digit top line/bottom line growth
• Continues to invest in core platforms, operations, and expansion markets
• Strong financial backing by TA Associates and GSO Partners (Blackstone)


Omaha Success Story – Heritage

Timeline, 2000–2015 (events in the order shown on the slide):

• Begins operations with Bellevue DC and 400 seat Work Group Recovery
• Adds Help Desk Services
• Adds 2 new markets – KC and Sioux Falls
• Becomes part of Inc. Magazine’s 5000 fastest growing companies
• TA Associates acquires Cosentry
• Adds 4th Market in St. Louis
• Establishes Credit Facility with GSO/Core
• Opens 2nd Omaha DC in Papillion
• Opens 2nd KC DC in Lenexa
• Opens 2nd Sioux Falls DC
• Adds 5th Market in Milwaukee

Ownership track:
• Initial ownership by founders, private investors and employees
• Ownership changes to McCarthy Capital and Mgmt


Data Center/Colo Definition

What is a Data Center?
• Purpose-built facility to house IT infrastructure that runs critical internal and external facing applications
• Delivers reliable power, environmentals, physical security and network connectivity
• Large capital investment, with costs varying based on scale and redundancies within the facility design

Delivery Models
• Build and Maintain Your Own
– Built to your specifications and meeting your unique security/compliance requirements
– Operations and maintenance are yours
– Large CAPEX expense; can you afford the redundancies needed?
• Utilize a Multi-Tenant Facility
– Built at a larger and more resilient scale
– Trained staff for DC operations/maintenance
– Use what you need, no stranded capacity; CAPEX vs. OPEX; usually a better TCO


Expansion Success

St. Louis: Acquired Xiolink January 2014
• Market leader in St. Louis
• Outstanding managed services capability
• Great culture and people
• Competitive landscape in St. Louis attractive

Milwaukee: Acquired Red Anvil in October 2014
• Market leader in Milwaukee
• Full service provider capability
• Solid customer base
• Milwaukee business demographics very strong
• Limited competition

How it used to be..

Sign-in Sheet

The most common tech support call: 1. "I forgot my password!"

20%-50% of Help Desk Calls According to the Gartner Group, between 20% to 50% of all help desk calls are for password resets. Forrester Research states that the average help desk labor cost for a single password reset is about $70.

Access

25 Most common passwords (the top 25, as extracted by antivirus solution provider ESET)

1. password
2. 123456
3. 12345678
4. 1234
5. qwerty
6. 12345
7. dragon
8. pussy
9. baseball
10. football
11. letmein
12. monkey
13. 696969
14. abc123
15. mustang
16. michael
17. shadow
18. master
19. jennifer
20. 111111
21. 2000
22. jordan
23. superman
24. harley
25. 1234567

Password Cracking for Sale/free

Number of Accounts

Credit-checking firm Experian found that for an average of 26 different online accounts, users had only five different passwords. 25-34-year-olds are the most prolific, with no fewer than 40 online accounts per person on average.

SpiderLabs “herder” cache

2 Million Stolen Passwords Recovered

Security researchers have recovered a hacker stash of approximately 2 million access credentials for multiple social media networks, webmail accounts, and other online services.

That disclosure came this week from Trustwave's SpiderLabs, which said it found the information after gaining access to the control panel of a single -- albeit rather large -- instance of a Pony botnet, built using version 1.9 of the botnet software. "With the source code of Pony leaked and in the wild, we continue to see new instances and forks of Pony 1.9," wrote SpiderLabs researchers Daniel Chechik and Anat (Fox) Davidi in a blog post.

After gaining access to the Pony botnet's control panel, the researchers found that the botnet's controller -- a.k.a. herder -- had amassed approximately 3,000 remote desktop access credentials, 320,000 email account access credentials, and 41,000 FTP account credentials. But the stolen credential mother lode was the botnet herder's collection of almost 1.6 million stolen website login credentials, which comprised 326,129 Facebook passwords (or 59% of all recovered stolen passwords), followed by 70,532 passwords for Google (13%), 59,549 for Yahoo (11%), 21,708 for Twitter (4%), and 8,490 for LinkedIn (2%).

Also on the list were two Russian-language social networking sites, 9,321 passwords for odnoklassniki.ru (2%) and 6,867 for vk.com (1%), which suggested that many infected PCs were used by Russian language speakers. The bot herder is likely also a Russian speaker, since the Pony control panel's language preference was set to Russian.

Neverquest Botnet DDoS Generator

Largest Data Breaches Ever

• Heartland Payment Systems, 2008-2009: 130 million records compromised
• Target Stores, 2013: 110 million records compromised
• Sony online entertainment services, 2011: 102 million records compromised
• National Archives and Records Administration, 2008: 76 million records compromised
• Anthem, 2015: 69 million to 80 million records compromised
• Epsilon, 2011: 60 million to 250 million records compromised
• Home Depot, 2014: 56 million payment cards compromised
• Evernote, 2013: more than 50 million records compromised
• LivingSocial, 2013: more than 50 million records compromised
• TJX Companies Inc., 2006-2007: at least 46 million records compromised

To Restate

• Login and password authentication stinks
– Hard to remember
– Easy to steal
– Easy to spoof
– Hard to support
– Old technology

The Problem: Higher and Higher Profile

Quoted from the KrebsOnSecurity blog, which first reported the Adobe breach: "In a breach first announced on this blog Oct. 3, 2013, Adobe said hackers had stolen nearly 3 million encrypted customer credit card records, as well as login data for an undetermined number of Adobe user accounts. Earlier this month, Adobe said it had actually notified more than 38 million users that their encrypted account data may have been compromised. But as first reported here on Oct. 29, the breach may have impacted closer to 150 million Adobe users."

One Solution: Aadhaar

Gartner IAM Summit (2014)

Gartner floated some interesting ideas and predictions on where the Identity and Access Management (IAM) market is heading during the 2014 IAM Summit keynote. Some may be a bit more futuristic than others, but their view is cause to take a step back from the daily grind and observe our industry from new perspectives. Below are the highlights and 2020 predictions:

1. Every user is a consumer, and the way we access systems is consumer-like, especially in the mobile era. Gartner predicts that by 2020, 80% of access will be shaped by non-PC architectures, up from 5% today. It’s time to move on and stop trying to make mobile devices look like corporate PCs.
2. The IAM space is becoming a competitive marketplace for identities. By 2020, 60% of digital identities interacting with the enterprise will come from external identity providers through a competitive marketplace, up from less than 10% today.
3. The death of “least privilege”. By 2020, over 80% of enterprises will allow unrestricted access to non-critical assets, up from 5% today, reducing IAM spend by 25%. To this end, organizations are better off focusing IAM spend on high-value data and applying baseline security to everything else.
4. Legacy pricing models will implode. By the end of 2020, overall IAM products and services pricing will drop by 40% relative to today in real terms. We’ll see new ways of addressing the same issue, with new competitive players, and a change in delivery models. Pricing will also move from user-based to transaction-based.
5. It’s not who you are, but what you do and how you do it. The multitude of devices, applications, and identities brings more attributes and multi-dimensional context to access control. By 2020, 70% of all businesses will use attribute-based access control (ABAC) as the dominant mechanism to protect critical assets, up from 5% today.
6. Identity intelligence finally gets a brain. By 2020, identity analytics and intelligence (IAI) tools will deliver direct business value in 60% of enterprises, up from less than 5% today. This will include logging and log management, behavioral attributes about who is accessing what, and “identity nodes” around users and administrators.
7. Managing identities will include the Internet of Things. By 2020, the Internet of Things will redefine the concept of “identity management” to include what people own, share, and use.

Multi-Factor Authentication