SE-4110, Securing Identities in the Cloud, by Martin Ahlers

DESCRIPTION

Presentation SE-4110 by Martin Ahlers at the AMD Developer Summit (APU13) November 11-13, 2013.

Text of SE-4110, Securing Identities in the Cloud, by Martin Ahlers

1. Top Things to Consider When Authenticating Web Applications
2013 - VASCO Data Security, November 2013

2. Increasing need to protect our online activities
End users:
  • Confidential data leakage
  • Cyber bullying
  • Gold farming
  • Identity theft
  • 2012: Hackers able to access users' personal data for use in phishing attacks
  • 2012: Hacker able to access billing information and other accounts
  • 2012: Exposed 6 million user account passwords
ASPs:
  • Lost revenues
  • Tarnished brand
  • Low data integrity
  • Subscriber churn
  • 2013: Hackers posted fake news about bombing of the White House, Dow Jones dropped 100 points
  • 2013: 10 million people watch Netflix without paying for it by sharing passwords
  • 2013: Hackers able to access customer names, credit/debit cards and expiration dates of 2.9 million customers, and up to 38 million IDs and passwords

3. Agenda
  • Applications and pain points
      • Cloud services
      • Subscription services
      • Gaming
  • Quick VASCO background
  • Combined AMD and VASCO solution
  • Sample business case
  • Sample competitive comparison

4. Cloud Security Concerns
  • Losing files
  • Files not stored securely
  • Loss of control
  • Embarrassing files made public
  • Computer viruses
Source: Halon 2013 Security Survey

5. Cloud Providers Are Expected to Lead on Security
"Within five years, cloud security will become one of the primary drivers for adopting cloud computing. The reason for a shift of security from obstacle to driver is that Cloud Service Providers (CSPs) are expected to invest far more in the development of their security infrastructure and expertise than any typical enterprise."
Ernst and Young: Cloud Computing Issues and Impacts, 2011

6. Subscription Sharing: New York Times Analysis
BuzzFeed: "It is representative of a rising generation of young people who 1) Like watching shows Online and 2) Cannot fathom paying for them"

7. Subscription Account Sharing Impacts
  • Eliminate revenue leakage from account sharing
      • Account sharing is perceived as a back-end security problem. But for companies that rely on online subscriptions as a primary revenue stream, account sharing can mean lost income
      • What we found was that about 33 percent of the accounts on the network were being shared
  • Secure personal information
  • Preserve data integrity for advertising/marketing
"If you're running The Wall Street Journal or World of Warcraft, and you've got multiple people sharing a single subscription, you're losing customers."
Source: AdmitOne

8. Tier 1 ASP Example
Company Profile:
  • One of the world's largest insight, information and consultancy networks. By connecting its specialist companies, the group aims to become the pre-eminent provider of compelling insights for the global business community.
Needs:
  • Protect online assets/revenues and control their IP
  • Auditable and traceable accounts for Risk and Compliance Dept.
  • No new overhead or code modification of existing web portals
  • OpEx based purchases to tie to subscription services and improve cash flow
  • Everything IT must move to the cloud
In need of a cloud based two-factor authentication platform

9. Creating Secure Communities Raises Revenues
  • University of Michigan studied a Tier 1 online retailer
  • Study found a 19% increase in revenue when customers were connected in an online community
"While the major share of firm and media attention has focused on third-party online social networks such as Facebook, many firms have made the choice to build their own such networks."
http://info.socious.com/bid/56237/How-Online-Customer-Communities-Can-Increase-Revenue-By-19-Research

10. Current state of Gaming
Online gaming industry growing significantly... however ARPU is steadily declining
[Chart: Online Gaming Market Share by Geography (USD $B), ROW and US, 2012 to 2015]
Publishers need assistance to stabilize ARPU by providing additional value to paying customers
Source: SuperData Research and Newzoo Games

11. US Gaming Demographics
117m Online Gamers in the US
Typical US Gamer:
  • Age 25-44
  • Income $35k-$75k
  • 60% male
  • 79% college degree
Affinity to online security:
  1. Above average income and education
  2. Tech savvy
  3. Understand the value of security
Sources: *Nielsen Entertainment's third annual Active Gamer Benchmark Study; **StatGrab; ***SuperData Research/Newzoo

12. Gaming companies must capitalize on hits
  • Example: Diablo 3
      • Fastest selling PC game to date
      • Broke Amazon record for most preorders
      • Sold 3.5m copies on the 1st day
      • Sold 6m copies in 1st week
      • Within 1 week, it became the most played game in Korea, 39% of Korean gamers logging in daily
Securing new game revenue is a natural fit

13. Gaming ASP Pain Points
  • Account sharing
      • Increase revenues and subscriptions with stronger authentication
      • New releases are very competitive, must capitalize on hits
  • Account bullying
      • Hackers stealing credentials to tamper with account holders
  • Gold farming
      • Dissatisfaction lowers switching costs and increases churn
      • Less of an issue with advent of free to play and ability to buy/sell with real dollars
  • User islands
      • Create communities of users to increase stickiness and monetize free to play
      • Cross sell gaming assets
      • One credential to access all game sites
"MMO players are very dedicated gamers. As the majority already plays games on other screens, it will be interesting to see if publishers succeed in extending and monetizing their MMO experience across all screens." Peter Warman, CEO of Newzoo

14. Agenda
  • Applications and pain points
      • Cloud services
      • Subscription services
      • Gaming
  • Quick VASCO background
  • Combined AMD and VASCO solution
  • Sample business case
  • Sample competitive comparison

15. Our Philosophy
Security, Ease, Cost: find the optimal balance for ASPs and consumers
Federal Reserve Briefing

16. VASCO Heritage in Banking Security

17. Agenda
  • Applications and pain points
      • Cloud services
      • Subscription services
      • Gaming
  • Quick VASCO background
  • Combined AMD and VASCO solution
  • Sample business case
  • Sample competitive comparison

18. Secure Portal to Web Apps
[Diagram: Cloud Subscribers reaching App1 through App6, either through numerous logins and passwords or through a QR code scan / OTP]
  • Numerous logins and passwords: complex for users, headache for IT helpdesk
  • QR code scan / OTP: simple for users, savings for IT helpdesk

19. Integration overview
[Diagram: AMD chipset]
  • Normal Section: App, App
  • Secure Section: Trusted App, Trusted App
  • Secure OS
  • TEE Client API
  • Platform/Rich OS (e.g. Windows, etc)
  • DIGIPASS (TEE)
  • Secure Monitor
  • Secure Boot
  • ARM Cortex A5 Processor with TrustZone Security Extensions

20. Highly secure yet familiar, simple user experience

21. Agenda
  • Applications and pain points
      • Cloud services
      • Subscription services
      • Gaming
  • Quick VASCO background
  • Combined AMD and VASCO solution
  • Sample business case
  • Sample competitive comparison

22. Cost Effective Cloud
  • Cost per user
  • Opex Model
  • Pay as you grow
  • Users or Authentications

23. MYDIGIPASS.COM Subscription Business Case
ASP with 1M users per month
Increased Subscription Assumptions:
  • Per a Tier 1 subscription account, 2FA will increase revenues by 10% in YR 1 increasing to 20% by YR 5
  • $100 annual subscription revenue
  • $10 per user 2FA cost
[Chart: Incremental revenues and incremental costs, YR 1 to YR 5]
MDP.com would return $17.5M net profit over 5 years.

24. Easily Deployed Two Factor Authentication

25. Agenda
  • Applications and pain points
      • Cloud services
      • Subscription services
      • Gaming
  • Quick VASCO background
  • Combined AMD and VASCO solution
  • Sample business case
  • Sample competitive comparison

26. Comparison vs. Home Grown SMS
Home Grown SMS ("Your unique code is w2z356"):
  • Does not operate on WiFi
  • Not delivered in poor coverage area
  • Not delivered when out of range
  • Not delivered under heavy traffic congestion
  • Over 5% of SMS deliveries fail*
  • Over 9% take over 5 minutes*
Compared solution:
  • Operates on 3G/4G, WiFi or LAN
* Per UCLA study "Analysis of the Reliability of a Nationwide Short Message Service"

27. Spying on SMS
Home Grown SMS ("Your unique code is w2z356"):
  • Unsecure text message can be intercepted using off the shelf software
Compared solution:
  • Secure out of band QR code transmission

28. Baseline Mobile App Security
Home Grown SMS ("Your unique code is w2z356"):
  • Federate Multiple Applications: NO
  • Incremental SMS Opex: YES
  • Authentication method: Standard OTP
  • Back-up methods: Written code
Compared solution:
  • Federate Multiple Applications: YES
  • Incremental SMS Opex: NO
  • Authentication method: Challenge/response - more secure
  • Back-up methods: Smartphone, Hardware token

29. Top Things to Remember for ASPs
  • Are you creating a secure cloud community?
      • Application
      • Delivery
  • Is account vulnerability limiting your revenue growth?
      • Losing potential customers
      • High cost of fixing account hacking events
      • Causing customer churn
  • Could strong two-factor authentication in the cloud meet your needs?
      • Speedy ROI
      • Easy to manage / Easy for users
      • More secure than SMS

30. For More Information
  • Contact us at
      • martin.ahlers@vasco.com
      • jonathan.abon@vasco.com
  • And go to our Application Service Provider site
      • http://mydigipass.vasco.com/