YOU ARE THE TARGET – BUT YOU DON’T HAVE TO BE WITH EFFECTIVE AUTHENTICATION
INTRODUCTION

Any size organization can be a target, generally because of weak authentication. Password-only protection is simply too risky. In addition, stolen passwords were responsible for major thefts of records from Best Buy and Twitter. With the adoption of cloud-based IT infrastructures, and the pervasive use of mobile devices and mobile applications, IT organizations are being asked to secure what they don’t own, manage or control. For more on how to reduce the risk and the consequences of weak authentication, read on.

This paper will show why any size organization can be a target, and how the legal and threat environment—combined with BYOD and cost factors—make multi-factor, risk-based authentication the logical approach to solving the problem. Case studies are used to illustrate. Robust, multi-factor authentication, which can increase the validation steps required if something seems out of the ordinary or if highly sensitive information is to be accessed, is a necessary and cost-effective way to reduce your vulnerability as a target. Relying on the leading vendor, RSA, is a proven strategy.

In gauging threats, intelligence professionals start with the nature of the threat. We start with the most likely threat. Generally, this has meant that the target has employed poor authentication products and practices. We then move on to asking: who are they? What motivates them? What kinds of resources do they have at their disposal? Today’s adversaries cover a wide range of possibilities. At the top of the list are nation-states interested in learning defense secrets and gathering valuable data and trade secrets that can give them an edge in the global economy. Next in threat capabilities would be multi-national, non-state actors—such as organized crime—who target electronically stored information (ESI) that can either be resold or monetized in other ways.
High on the list of their targets are databases of Personally Identifiable Information (PII), which would allow them or their customers to steal the identities of their victims; and then systematically loot their digital assets; establish false accounts to steal goods and services; while destroying the reputations and credit worthiness of their victims.
Today’s competitive world means that organizations are keeping tabs on their competition in legal and illegal ways. Using social media, such as Facebook and LinkedIn, to learn about a competitor’s employees and plans is emerging as a common means of competitive intelligence gathering and industrial espionage. The hijacking of Twitter handles and other such acts could have been prevented with robust authentication.

Other threats include individuals and groups who are moved to correct social conditions they perceive as wrong. Dubbed “hacktivists,” these people have attacked a variety of organizations. Many of these groups are loosely organized, with no formal leadership; e.g., “Anonymous.” These groups can be especially dangerous because their very nature changes day to day, and their lack of a formal organization makes it difficult to track down individuals. Lastly, the threat can be a single individual. Aggrieved former employees and contractors are often unhappy about the circumstances of the termination of the relationship with their former employer or client.

BAD THINGS HAPPEN TO GOOD PA$$WORDS—EVEN SECURE PASSWORDS AREN’T ENOUGH PROTECTION IN TODAY’S ENVIRONMENT

All too often, organizations of all sizes rely on passwords as the way to confirm the identity of individuals who wish to access their electronic assets, as well as to guard access to their information technology (IT) infrastructure. Yet passwords, even the most elaborate passwords, are not secure unless they are supplemented by other factors associated with the individual. This was not always the case. In the early days of computing, a user ID plus password was sufficient protection. This might have been fine when mainframes were the only IT resources, and were kept behind locked doors in special rooms.
However, as Intel CEO Paul Otellini noted in his keynote speech at the 2012 Consumer Electronics Show, “Today your smartphone has more computing than existed in all of NASA in 1969.” [1] This means that organizations need authentication security measures that provide appropriate security, can adapt to the dynamic threat environment, are easy for users to adopt, are scalable across various sizes of organizations, and can be easily integrated into complex and heterogeneous IT infrastructures.

SIZE DOESN’T MATTER—ANY ORGANIZATION CAN BE A TARGET

The adversary determines the target, and size does not matter; small organizations can be just as important to the attacker’s plans as large ones. The following examples illustrate this point.

[1] http://www.guardian.co.uk/technology/blog/2012/jan/11/ces-2012-intel-keynote-otellini
Small Company

Small companies face increased risks on a global scale. According to David Willetts, British Minister of State for Universities and Science, “Companies are more at risk than ever of having their cyber security compromised—in particular small businesses—and no sector is immune from attack . . . But there are simple steps that can be taken to prevent the majority of incidents.” [2] According to the 2013 Information Security Breaches Survey, released 23 April 2013, 87 percent of all small businesses in the United Kingdom experienced a breach in the last year. The survey indicated that breaches of small companies increased in the past year, and that the cost associated with these breaches could range up to 6 percent of company revenues. [3]

Small businesses can be targeted because they do business with larger businesses, such as defense contractors, major banks, etc. Their role as gateways for attackers has been shown in several major campaigns attributed to nation-states. Statistics for small businesses in the United States also show that they are major targets. According to Representative Chris Collins (R) of New York, himself a successful small business owner, “Although attacks on small businesses don’t make the headlines, a recent report shows nearly 20 percent of cyber-attacks are on small firms with less than 250 employees. Unlike a large company, small businesses may not be able to survive a cyber attack. Washington has begun to realize the importance and immediacy of this threat, but more must be done to help protect this vital segment of our economy from these increasingly complex attacks.” [4]

A typical small company situation could be a supplier to a large company. The large company is the real target, but it employs a layered security defense, including multi-factor authentication. The attacker has determined that the small company doesn’t employ any sort of security other than passwords. Through diligent research on LinkedIn, the attacker has come up with several names of employees of the small company. The attacker employs a password cracker that he downloaded for free from the Internet—one like Password Cracker 3.97, available from Tucows. [5] In short order, a suitable password is found. The attacker has gained access to the small company’s IT infrastructure, and is now free to rummage about to download data, to alter data, or even to destroy data essential to running the business. Essentially, small businesses are often targeted because they are perceived as gateways to larger businesses, in part because they have weaker authentication mechanisms.

[2] http://www.infosecurity-magazine.com/view/31999/infosecurity-europe-2013-technology-strategy-board-offers-money-tosmall-businesses/
[3] http://www.infosecurity-magazine.com/view/31999/infosecurity-europe-2013-technology-strategy-board-offers-money-tosmall-businesses/
[4] http://smallbusiness.house.gov/news/documentsingle.aspx?DocumentID=325034
[5] http://www.tucows.com/preview/520041
Midsize Business

A midsized company manufactures equipment used in the testing of radar systems to be installed on fighter jets. The company competes with much larger companies, and has had to become innovative by developing unique processes to design its test algorithms. Unfortunately, the company has not upgraded its security to multi-factor authentication. Adding to the company’s vulnerabilities is its headquarters location—near popular coffee shops and eateries that offer free Wi-Fi. While convenient for the company’s employees to access IT resources, public Wi-Fi hotspots are also subject to sniffing attacks, attacks that require little technical skill. For example, as explained in “How Logging On From Starbucks Can Compromise Your Corporate Security,” [6] packet sniffing can easily vacuum up sensitive data such as passwords. Once compromised, the passwords authorize access as if the attacker were a legitimate end user.

Enterprises

While enterprises with 1,000 or more employees have more resources than their smaller counterparts, it doesn’t necessarily follow that they are more secure. For instance, many large enterprises have grown by acquisitions; often, integrating the new company into the mainstream IT infrastructure of the acquiring company is not instantaneous. This contributes to uneven authentication approaches; e.g., strong (multi-factor) for some employees, but weak (e.g., password only) for others—yet both sets of employees can access similar sensitive resources.

THE CHANGING ENVIRONMENT

This section addresses four key areas that are impacting the operating environment: Legal, BYOD, Evolving Threats, and Cost Factors. One of the best ways that an organization can insulate itself, its people, and its assets in the face of these dynamic environmental factors is by employing robust authentication.

Legal & Regulatory

Data Privacy Laws

Currently, there are approximately 50 countries that have data privacy laws of various types. The European Union, for example, is in the process of dramatically revising the breach disclosure and other aspects of its data privacy regulations. [7] According to the Financial Times of London, EU-based firms could be fined up to 2 percent of a company’s global revenue for data breaches.

International law generally recognizes three main classes of personal data that require special attention because they are legally regulated or scrutinized by an industry authority. Personal Health Information (PHI) [8] is almost universally considered among the most sensitive types of data. This information concerns the health of specific individuals. Specific relevant US laws include the Health Information Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). Personally Identifiable Information (PII) is information that, if stolen, allows the thief to masquerade as the individual. PII is protected by a number of United States state and federal laws. Japan is also taking measures to strengthen data privacy for its citizens, such as by requiring strong authentication for online access. [9] A third class of protected data is information that is regulated by the Payment Card Industry (PCI). This data is defined in PCI Data Security Standard 2.0, [10] and covers the data used in digital payment and credit transactions.

Confirming the identity of authorized users must be a prerequisite to giving them access to the organization’s IT resources. In Singapore, the Monetary Authority of Singapore (MAS) requires financial institutions to implement IT controls to protect customer information from unauthorized access and disclosure. Moreover, with the growing use of mobile banking, the risk of unauthorized access and disclosure is growing. Multi-factor authentication is one of the important and proven security technologies that elevates the protection of sensitive data stored and used by financial institutions, and that also contributes to building trust among mobile banking users.

Breach Notification Laws

The EU is taking stronger action on data breaches, as noted above. Readers should be aware that, as of August 2012, 46 states and the District of Columbia have enacted laws requiring organizations to notify individuals if their PII has been breached, or if the data controller (holder of the data) suspects there has been a breach. [11] These notifications can be expensive, and they certainly raise questions of the organization’s trustworthiness in the minds of the customers, employees, patients, and others who may receive the notifications. Preventing such breaches can save organizations significant exposure. A basic step such as requiring multi-factor authentication is sensible to ensure that only properly authorized individuals are granted access.

Industry Specific Laws

A number of industries have specific laws that govern data security. The section on PHI, above, includes two laws in the healthcare industry. Other industries with their own regulations include, for example: the banking industry with its Gramm Leach Bliley Act and the Federal Financial Institutions Examination Council (FFIEC); the North American energy industry, which is regulated by the North American Electric Reliability Corporation (NERC); [12] and the United States energy industry, governed by the Federal Energy Regulatory Commission (FERC). [13] The point is simple: more regulations are likely to be enacted that will require enhanced information security measures.

[6] http://www.securityweek.com/how-logging-starbucks-can-compromise-your-corporate-security
[7] http://news.cnet.com/8301-1009_3-57573051-83/eu-feeling-pressure-to-tweak-data-privacy-legislation/#!
[8] http://www.hrsa.gov/healthit/toolbox/HealthITAdoptiontoolbox/PrivacyandSecurity/underhipaa.html
[9] http://www.infoworld.com/d/security-central/japan-tightens-personal-data-protection-356
[10] https://www.pcisecuritystandards.org/security_standards/documents.php?document=pci_dss_v2-0#pci_dss_v2-0
[11] http://www.ncsl.org/issues-research/telecom/security-breach-notification-laws.aspx
[12] http://www.nerc.com/Pages/default.aspx
[13] https://www.ferc.gov/

Bring Your Own Device (BYOD)

In order to attract a new and vibrant workforce, and as a means to enhance productivity, organizations are allowing their employees and contractors to access the IT infrastructure with their personal smartphones, tablets, and laptops. Multi-factor authentication is necessary to ensure that authorized end users can access their IT resources from any device, while protecting the integrity of the IT infrastructure. Security solutions addressing BYOD need to work seamlessly, as software is embedded with applications. Furthermore, the use of a Software Development Kit (SDK) to integrate with a variety of applications that are core to the business is critical. A rich ecosystem of partners, such as that offered by RSA, is a major strong point. Many organizations have not considered the security aspects of this move, and have not suitably protected access to their information resources with enhanced security measures such as multi-factor authentication. Security principles hold that information is to be protected according to its value, not its location. Consequently, organizations are well advised to implement robust authentication across all means of entry into their IT and network infrastructure.

Evolving Threats

While threats in the past were mostly static and slow to develop, today’s threat environment is dynamic and unpredictable. Vulnerabilities are known to exist in today’s complex software and Web applications. Attackers exploit known and unknown vulnerabilities in several ways. One instance of quickly evolving threats is Advanced Persistent Threats (APT). This type of attack is highly targeted, adaptable, and designed to clandestinely yield long-term results. Often these sophisticated threats include the use of social engineering to compromise passwords, to gain access to networks as entry points for more robust attacks. Another threat is to attack software vulnerabilities that even the product’s developers are unaware of. These attacks are called “Zero Day Attacks” because attackers exploit code vulnerabilities before the vulnerabilities are known. These are just a sampling of the dynamic and unpredictable nature of today’s threat environment. The Stuxnet attack on the Iranian nuclear program is cited as a good example of this type of attack, as were the cyber-attacks on the Saudi government in May 2013.

Organizations need to set policies based on risk, and implement those policies in a way that, when end-user activity seems out of the ordinary, users are challenged with additional identity confirmation requirements, such as answers to security questions. Self-learning risk engines are proving to be efficient at uncovering anomalous activity. The ability to employ device and behavior characteristics, as well as identity authentication factors, strengthens assurances that end users are who they say they are.

Cost Factors

Successful attacks can result in significant direct and indirect costs, including:
▪ Loss of Intellectual Property – Trends indicate that attacks are becoming more focused. Organizations are often targeted because they have unique advantages in trade secrets, patent development, or both. Attackers, ranging from competitors to nation-states, seek access to intellectual property (IP). This IP can give attackers economic or efficiency advantages, in addition to saving them significant research and development (R&D) time and expense.
▪ Reputational Costs – Many businesses are based on trust. Organizations that handle sensitive data, such as PHI, PII, and PCI, are in a critical position of responsibility to safeguard this information. Breaches and unauthorized access to this information can result in wide-ranging publicity that will negatively impact the public perception of the company. Lack of trust can lead not only to lost business, but to legal action.
▪ Legal Costs – Organizations entrusted with sensitive data have a legal duty to protect that data. Failure to adequately protect it can subject the company to lawsuits on a variety of grounds. These lawsuits can result in financial damages, including restitution and fines. Failure to exercise due care, and to adhere to the standard of care within the industry, such as multi-factor authentication, can strengthen plaintiffs’ claims.
▪ Lost Employee Productivity – Considerable time can be spent in remediating breaches and unauthorized access. This is employee time that would have been better spent on other aspects of the business. It is also fair to say that employees have a certain level of trust in their employers. Employers, after all, store quite a bit of PII about their employees (e.g., salary information and performance reviews). Yet the effort to recover from a breach of sensitive employee information can be just as taxing as a breach involving sensitive customer information.
SOLVING THE PROBLEM

Classically, organizations address security shortfalls with a combination of people, process, and technology. Multi-factor authentication fits snugly into this trifecta, and has proven to be a measure that can address a variety of security gaps across a wide range of organizations and industries.

Applicable to Different Size Organizations – Scale

A hallmark of leading-edge technology is that it can be applied across organizations of varying size. This is because the key is not so much the size of the organization, but the ability of end users to conduct their work and access the resources they need in a secure and efficient manner. Security processes that consume end-user time or that are inconvenient are often ignored by end users. Moreover, end users develop work-arounds that circumvent the very processes and technologies that are designed to improve security. In addition, the move to Web-based applications and cloud services means that organizations must adopt security measures that can be made operational as quickly as cloud services, and in a cost-effective manner. Scalability costs are also important considerations, and include startup costs and ongoing maintenance. Assessing both classes of costs is especially important to organizations that are growing by acquisition.

Risk-Based Authentication – Adapting the Protection to the Threat

Security principles dictate that security measures should be applied based on the value of the data to be protected and the likely risks. Risk-Based Authentication (RBA) is a logical and proven technique for matching the level of protection with the risk. Key to the success of a Risk-Based Authentication scheme is the ability to process information during the log-in process, and to evaluate the level of risk of the particular end user seeking to be granted access. Conventional Risk-Based Authentication involves several steps:
▪ Device Validation – Devices can be identified by secure first-party cookies and Flash Shared Objects (sometimes referred to as Flash cookies). When these two components are used in tandem, there is a double layer of validation. Alternatively, device characteristics can be analyzed to develop a unique ‘fingerprint’ to establish the device’s identity and that of its users.
▪ Behavior Profiling – In this phase, the context of the log-in is compared to known behavior and other factors, such as the sensitivity of the data. As the context risk and data sensitivity increase, the identity validation steps required of the end user to gain access are likewise increased.
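As an added illustration (not code from this paper and not RSA’s product logic), the following Python sketch carries the two steps above through one decision: device validation against the devices previously bound to the user, then behavior profiling of the log-in context against the user’s history and the sensitivity of the requested data, with the outcome escalating from plain allow to a step-up challenge to deny. The weights, thresholds, sensitivity tiers and sample profile are assumed values chosen for the example.

```python
"""Illustrative risk-based authentication engine: device validation,
behavior profiling and a step-up decision. Weights, thresholds and the
sample profile are assumed values for this example, not vendor settings."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Sensitivity tier of the requested resource; higher tiers add risk so that
# sensitive data demands a stronger assurance of identity (assumed tiers).
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Decision thresholds on the risk score (assumed for the example).
ALLOW_BELOW = 30     # low risk: the first factor alone is enough
STEP_UP_BELOW = 70   # medium risk: challenge with an additional factor
                     # at or above STEP_UP_BELOW: deny the attempt


@dataclass
class LoginContext:
    """What the server can observe about one log-in attempt."""
    user: str
    device_id: Optional[str]  # first-party cookie value or device fingerprint; None if absent
    country: str              # geolocated from the client address
    hour: int                 # local hour of day, 0-23
    resource: str             # key into SENSITIVITY


@dataclass
class UserProfile:
    """Historical pattern that the behavior-profiling step compares against."""
    known_devices: Set[str] = field(default_factory=set)
    usual_countries: Set[str] = field(default_factory=set)
    usual_hours: Tuple[int, int] = (8, 18)  # half-open working-hours window


def validate_device(ctx: LoginContext, profile: UserProfile) -> bool:
    """Device validation step: has this device been bound to the user before?"""
    return ctx.device_id is not None and ctx.device_id in profile.known_devices


def score_login(ctx: LoginContext, profile: UserProfile) -> Tuple[int, List[str]]:
    """Behavior profiling step: accumulate risk from context anomalies and
    from the sensitivity of the data being requested."""
    score = 0
    reasons: List[str] = []
    if not validate_device(ctx, profile):
        score += 40
        reasons.append("unrecognized device")
    if ctx.country not in profile.usual_countries:
        score += 30
        reasons.append("unusual country")
    start, end = profile.usual_hours
    if not (start <= ctx.hour < end):
        score += 10
        reasons.append("outside usual hours")
    score += 10 * SENSITIVITY[ctx.resource]
    return score, reasons


def decide(score: int) -> str:
    """Map the risk score to the policy outcome."""
    if score < ALLOW_BELOW:
        return "allow"
    if score < STEP_UP_BELOW:
        return "step_up"  # e.g. one-time token code or security question
    return "deny"


def evaluate(ctx: LoginContext, profile: UserProfile) -> Tuple[str, int, List[str]]:
    """Run both steps and return (decision, score, reasons) for audit logging."""
    score, reasons = score_login(ctx, profile)
    return decide(score), score, reasons


def record_step_up_success(ctx: LoginContext, profile: UserProfile) -> None:
    """Self-learning: once the user passes the step-up challenge, bind the
    device and location to the profile so the next log-in scores lower."""
    if ctx.device_id is not None:
        profile.known_devices.add(ctx.device_id)
    profile.usual_countries.add(ctx.country)


if __name__ == "__main__":
    # Constructed sample profile and log-in attempts (not real data).
    alice = UserProfile(known_devices={"cookie-7f3a"}, usual_countries={"US"})
    attempts = [
        LoginContext("alice", "cookie-7f3a", "US", 10, "internal"),
        LoginContext("alice", "cookie-9c21", "US", 10, "confidential"),
        LoginContext("alice", None, "ZZ", 3, "restricted"),
    ]
    for attempt in attempts:
        print(attempt.device_id, attempt.country, attempt.hour,
              attempt.resource, "->", evaluate(attempt, alice))
```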
Risk-Based Authentication can provide end users with some very solid benefits. RSA’s Risk-Based Authentication can lower the authentication cost per user by up to 40 percent, when compared to traditional hardware authenticators. RBA can also considerably speed up deployment time in large organizations, typically reducing implementation across enterprise organizations from weeks to days. [14] Risk-Based Authentication is particularly relevant in situations where the organization has privacy concerns, because this method of authentication is robust, yet does not infringe on end-user privacy. RSA, the dominant player in the market, employs Risk-Based Authentication which looks for anomalies based on historical patterns. Since it only tracks the authentication process, there are no privacy issues with this proven approach.

Platform Agnostic

Another key aspect of authentication technology today is that it must be platform agnostic, meaning that the same level of authentication, and essentially the same process of authentication, must be facilitated across the platforms favored by end users. Also, some end users may be most comfortable with software on their desktop or laptop computers. This is a staple of many organizations and many industries. However, as industries evolve, so do their computing platforms. The authentication technology must also be available, in a consistent form factor, to function on mobile phones and tablets, so as to facilitate remote access 24x7 by authorized end users. Interestingly enough, many end users still prefer the comfort of hardware tokens. In fact, many large banks brand RSA hardware tokens for their large portfolio customers, to control access to their accounts. RSA’s software tokens are used for a similar purpose, and add choice and flexibility in strong authentication. RSA’s ability to enhance security based on the cumulative learning of the sum of the authentication processes increases security—and is transparent to the user. The ubiquity of smartphones, reinforced by the growing popularity of BYOD, mandates that authentication via SMS is another platform that must be part of the offering. Considering the ever-present and on-person nature of smartphones, these devices, when used with SMS, become an effective something-you-have authentication factor.

Easy to Integrate Into Existing Operations

End users do not want to be interrupted in their work; consequently, authentication technology must be easily integrated into their routines. Ideally, this integration would be at the lowest possible level in the technology stack, with native support being ideal. Embedding the authentication is a proven way of enhancing security while facilitating operations. Many organizations are taking advantage of the SecurID platform version RSA® Authentication Manager 8.0. In particular, this release is optimized and certified as a VMware® Ready Virtual Appliance for use with popular VMware tools such as snapshots, VMotion and high availability. Now, with the release of RSA® Authentication Manager 8.1, those who wanted a hardware appliance have the option of either a virtual or a hardware appliance. Examples of embedded authentication include SanDisk’s integration of RSA authentication into its flash drives; Privaris’s implementation with its biometric devices; and Juniper Networks working with RSA to enable mobile security services that unite strong authentication with secure remote access, to extend the security model and streamline the mobile user experience when accessing both corporate and cloud-based resources. RSA continues to revolutionize its multi-factor authentication portfolio, both organically and through acquisitions—such as PassBan, a visionary leader in mobile and cloud-based multi-factor authentication. There are also over 400 partners that have established RSA interoperability with their products and services, including Check Point, Cisco, Citrix, and IBM. Collectively, these examples illustrate that an authentication technology must be embraced by a robust ecosystem of interoperable products in order to drive widespread adoption.

[14] RSA Analysis

HOW SUCCESSFUL COMPANIES ARE MEETING THE AUTHENTICATION CHALLENGE

This section provides highlights of how organizations of various sizes have solved their authentication challenges by employing RSA products.

Grupo Bancolombia
▪ The Business – One of the largest banks in Latin America, founded nearly 70 years ago—and the largest in Colombia—the bank provides banking services to approximately 60,000 organizations and over 1.5 million retail customers. One of the bank’s key initiatives was to leverage the competitive advantages of its online banking portal. The portal is used by approximately 90,000 people in the organizational sector, and about two-thirds of its retail customers. [15]
▪ The Security Challenge – A number of years ago, the bank noticed a significant increase in fraudulent access attempts to the online portal. According to Carlos Rodriques, Internet Manager of Bancolombia, “We knew we needed to respond quickly and effectively, both for the sake of our customers and to preserve the integrity of our offerings. Until that point, we had relied on applications we had developed in-house to prevent attacks. However, the severity of the fraud activity we were starting to see highlighted the need to strengthen our defenses with dedicated security solutions.”
▪ The Solution – The company wanted to be able to offer software-based authenticators to its retail customers, and hardware authenticators to its corporate clientele. The availability of both approaches was critical because retail customers want the convenience of not installing special software or having a hardware token, while corporate clients want the security, durability, reliability, and standardization that comes with hardware tokens.
▪ The Impact – Subsequent to installing the solution, the bank saw a marked decrease in fraudulent activity targeting its online platform. According to Rodriguez, “Fraud fell by around 90 percent after we added the technology, and has remained constant ever since.”

[15] http://www.grupobancolombia.com/webcorporativa/

Banco Popular De Puerto Rico
▪ The Business – This largest commercial bank in Puerto Rico has 174 branches, almost 600 ATMs, and more than 27,000 Point of Sale (POS) terminals. The bank also provides a variety of Internet banking services, including: Internet Banking, e-Commercial Statement, and WebCash Manager. [16]
▪ The Security Challenge – The bank had developed its own version of a three-step password process. Requirements of the Federal Financial Institutions Examination Council (FFIEC) mandated the use of multi-factor authentication as a prerequisite to enter online banking systems.
▪ The Solution – After performing a risk assessment, the bank decided that the combination of a Risk-Based Authentication system for its customers and a hardware-based authentication system for its internal network would be the optimal solution. RSA was chosen after a vendor qualification process. The bank felt that the powerful nature of the RSA Risk Engine—tracking over 100 fraud indicators—would be the most effective way to manage security at the individual log-in level, with minimal interruptions and inconvenience to customers. According to Miguel Mercado Torres, CISO and VP Operational Risk Management at the Bank, “We were keen to upgrade our solution, in light of the increase of cyber threats and cyber fraud activity. By adding an extra layer of security for access into the corporate Intranet, RSA SecurID authentication enables us to increase the number of people who are able to work from home, and also enables the sales team to complete more transactions while out in the field.”
▪ The Impact – The Bank has noticed a significant reduction in attacks on their customers’ accounts, and a corresponding increase in customer confidence and satisfaction with the bank.

[16] http://www.popular.com/en/business-online-services#GA=Online_Services__Business_Services__LP

Lazio Innovazione Technologica (LAit)

▪ The Business – LAit is the IT development arm charged with working with Regione Lazio [17] in Italy, to help the government in automating services and to stimulate adoption of digital services. These services include: healthcare, e-mail, and data transfers. One example was the Farmarecup project. This project provides consumers choice in pharmaceutical products from 170 pharmacies in Lazio, and provides patients online scheduling of medical appointments through a self-service, Web-based appointment system.
▪ The Security Challenge – LAit needed an authentication mechanism that would integrate with existing systems, improve security, be patient-friendly, and that would be cost effective.
▪ The Solution – The company opted for a two-factor authentication system from RSA, because of its ease of use and management capabilities. The Technical Director of LAit, Vittorio Gallinella, explained, “We evaluated the performance of the systems in real-life scenarios. This was necessary to verify the compatibility and integration with LAit’s systems, as well as ease of installation.”
▪ The Impact – According to Regino Brachetti, President of LAit S.P.A., “Secure remote access and collaboration has enabled us to accelerate the booking process for medical appointments and exams, providing more efficient public services to Regione Lazio’s citizens. What’s more, thanks to two-factor authentication, we have reduced management costs by 70 percent.”

The government found that the authentication system created the means to expand the range of services it offered. Separately, as noted by Mr. Gallinella, “We, above all, recognize the versatility of RSA SecurID—besides the simplicity of installation, management and use. Because of these characteristics, we have adopted this solution for other purposes too; in particular, providing remote access to a number of services for some Directorates and Departments, for system management and to give access to some resources. The solution enables us to unify password management and consolidate authentication management with a unique tool.”

[17] http://www.regione.lazio.it/rl_sanita/?vw=contenutidettaglio&id=43

NTT Com Asia
▪ The Company – NTT Com Asia Limited is a wholly owned subsidiary of NTT Communications, which is the international and long-distance arm of NTT (Nippon Telegraph and Telephone Company). NTT Com Asia serves as the regional headquarters for East Asia, covering Hong Kong, Macao, Taiwan, and Korea. The company provides multinational companies with end-to-end network and IT solutions, including cloud hosting, managed services, integrated solutions, IP connectivity, and data center support. The company also provides local connectivity and services for small and midsize businesses.[18]
▪ The Security Challenge – The company needed a strong authentication system to protect sensitive customer information, while ensuring compliance with local financial regulations. Due to its role as a communications provider, the company needed a security solution that would offer high availability and dependability on a 24x7 basis. According to Jonathan Wong of NTT Com Asia, “The goal of the project was to provide a system that enabled mobile workers at our customer sites to access sensitive information stored on their internal servers, from a remote location, whenever they needed it. The process had to be secure, but also needed to be simple enough to implement to a potential workforce of hundreds of thousands.”
[18] http://www.hk.ntt.com/en/index.html
▪ The Solution – NTT Com Asia selected the RSA SecurID solution to implement a two-step authentication process.
▪ The Impact – The company found that the implementation of the robust authentication system gave its customers a higher level of confidence and trust. Mr. Wong felt that the system was responsible for strengthening customer relationships. He noted, “Since we deployed RSA SecurID, the feedback has been very positive. The key theme coming through is reliability. Our customers trust the solution to deliver against their security requirements.”
Red Bull Racing
▪ The Company – The Red Bull Racing team, based in Milton Keynes in the United Kingdom, is a double Formula 1 World Champion.
▪ The Security Challenge – The Red Bull Racing team regularly competes in Grand Prix events all over the world, and many employees are often traveling. Individuals frequently need to access the Red Bull corporate network from challenging locations and under significant time pressure, particularly those based in the pit lane on race day. In a fiercely competitive field like F1 racing, however, providing employees with fast and reliable access to critical applications and e-mail is just half the story. At the same time, Red Bull must ensure that any unauthorized attempts to access its network are effectively prevented, to keep team secrets from being leaked.
▪ The Solution – Hardware tokens were issued to around 400 employees, who adopted the new technology enthusiastically, thanks to the user-friendly, easy-to-read design. In addition to the robust and reliable hardware element, Red Bull Racing was impressed by the fact that the RSA Authentication Manager integrated smoothly with its existing IT environment.
▪ The Impact – The new authentication system integrated well into the existing infrastructure. Neil Bailey, Red Bull Racing IT Infrastructure Manager, commented, “We were pleasantly surprised by how well the solution integrated with our Citrix Access Gateway VPN. It also works very well with our Cisco Secure Remote Access solution, enabling smooth delivery of applications. This effortless interoperability meant that migrating our user base to the RSA platform was quick and hassle-free.” Where new tokens need to be allocated, for example to new employees, the process is now much simpler and more efficient. Previously, a skilled security expert would need to spend about 30 minutes in the authentication management console setting up a new user and allocating them a token. Using the RSA Authentication Manager console, new users can now be set up in just a few minutes.
Frost & Sullivan
The Last Word
This paper has explained why any size organization can be a target for hackers and at risk of data breaches due to weak authentication. We have also shared how the legal and threat environment, combined with new operating necessities such as BYOD, make multi-factor, Risk-Based Authentication a logical approach to reducing these risks. We included five RSA customer case studies showing the various ways that organizations are meeting their security challenges with RSA’s SecurID authentication platform. RSA’s SecurID is the most widely deployed one-time password platform, with over 25,000 customers worldwide and 40+ million tokens actively in use. Currently, over 350 million online identities are protected with Risk-Based Authentication by RSA. Robust authentication that is intuitive for users and available across multiple platforms is critical to effective utilization of today’s networks. Characteristics such as adaptability across a range of organizations, with a common interface and an overarching management system, are vital to ensuring optimal security in today’s dynamic threat environment.
Silicon Valley: 331 E. Evelyn Ave., Suite 100, Mountain View, CA 94041. Tel 650.475.4500, Fax 650.475.1570
San Antonio: 7550 West Interstate 10, Suite 400, San Antonio, Texas 78229-5616. Tel 210.348.1000, Fax 210.348.1003
London: 4 Grosvenor Gardens, London SW1W 0DH, UK. Tel 44(0)20 7730 3438, Fax 44(0)20 7730 3343
877.GoFrost • myfrost@frost.com • http://www.frost.com
ABOUT FROST & SULLIVAN
Frost & Sullivan, the Growth Partnership Company, works in collaboration with clients to leverage visionary innovation that addresses the global challenges and related growth opportunities that will make or break today’s market participants. For more than 50 years, we have been developing growth strategies for the Global 1000, emerging businesses, the public sector and the investment community. Is your organization prepared for the next profound wave of industry convergence, disruptive technologies, increasing competitive intensity, Mega Trends, breakthrough best practices, changing customer dynamics and emerging economies?
For information regarding permission, write: Frost & Sullivan, 331 E. Evelyn Ave., Suite 100, Mountain View, CA 94041
Offices: Auckland, Bahrain, Bangkok, Beijing, Bengaluru, Bogotá, Buenos Aires, Cape Town, Chennai, Colombo, Delhi / NCR, Detroit, Dhaka, Dubai, Frankfurt, Hong Kong, Iskander Malaysia/Johor Bahru, Istanbul, Jakarta, Kolkata, Kuala Lumpur, London, Manhattan, Mexico City, Miami, Milan, Moscow, Mumbai, Oxford, Paris, Rockville Centre, San Antonio, São Paulo, Seoul, Shanghai, Shenzhen, Silicon Valley, Singapore, Sophia Antipolis, Sydney, Taipei, Tel Aviv, Tokyo, Toronto, Warsaw, Washington, DC