PORTAL PROTECTION. Raising security without raising disruptions

Transcription

1 PORTAL PROTECTION Raising security without raising disruptions

2 TABLE OF CONTENTS 2 Introduction 3 One Portal, Two Sides 4 Real Threats to Good Security 5 Simple Solutions for the Security Conscious User 6 The Cost of Compromise 7 SecureAuth Adaptive Access Management 8 Adaptive Authentication Identity-Proofing Context 11 Threat Snapshot 1

3 INTRODUCTION It's a dilemma that affects both the digital and physical environments in which we operate: security versus user experience. Bettering one has traditionally meant decreasing the quality of the other: hardening security adds to the burden on users because they must authenticate more often or supply additional factors. Other organizations prefer to err on the side of the user experience, especially when it comes to protecting portals. With 81% of reported breaches involving the use of stolen or weak credentials, user convenience may seem like a luxury companies simply can t afford. The good news is, choosing between disruption-less user experience and strong security is no longer necessary. Read on to understand how to address both security and user experience at the portal level in order to protect your business and its valuable assets Top Security Concerns Preventing the misuse of stolen credentials Providing the best possible user experience Centralization of access controls and policies Consolidating technology Meeting compliance mandates. 2

4 ONE PORTAL, TWO SIDES There are two sides to nearly every portal: security and sales/marketing. Greater security means greater peace of mind and a more positive user experience means positive word of mouth. Improved security makes two-factor authentication (2FA) a common go-to, but its disruptive nature is a major downside. Security 2FA offers security and compliance A security breach means potential job loss Breaches are a concern of the boardroom Sales/Marketing Brand is king Customer retention is paramount Positive user experience trumps all Two-factor authentication does not reconcile these sides. 2FA may not be enough to stop determined attackers. 2FA often causes poor user experience. 3

5 REAL THREATS TO "GOOD" PORTAL SECURITY Attacks have always been a risk, but in recent years, they have only grown more relentless. Here are just some of the many challenges facing organizations today when it comes to delivering good security. Breaches rose 44% in Top passwords are easily guessed 3 Breaches have been increasing over the past 3-5 years. Consumer portals are increasingly popular victims because of typically large user counts. Some of 2018 s top passwords were , qwerty, , and password, so it s no surprise that some attackers are just walking in the front door. 81% of breaches leveraged stolen and/or weak passwords 2 Attackers go undetected for 101 days 4 Breaches leveraging stolen passwords have also increased; the number was less than 50% three years ago. While this number has decreased from 229 days in 2013, 3+ months is still too long and is plenty of time for an attacker to get what they want before detection 81% of adults admit to using the same password for more than one account When one key opens multiple doors, a breach at any other large organization can make hundreds of thousands or millions of stolen credentials available on the dark web, indirectly affecting your security. Two-factor authentication is inadequate Two-factor authentication is much better than relying on passwords alone, however attackers can defeat some popular methods including phone-based authentications and knowledge-based questions. 4

6 SIMPLE SOLUTIONS FOR THE SECURITY CONSCIOUS USER While customers have become more accustomed to lengthy authentication processes, minimizing steps can be a relief and help keep more customers happier. Plot twist A recent survey conducted by SecureAuth revealed that as users become more security conscious, they may actually welcome added security, but this should be done in a manner that is complementary to existing systems. Not requiring users to endure lengthy enrollment processes by using social logins and allowing users to scan codes to enroll helps make access as self-serve as possible. Constantly requiring password changes and complicated strings of numbers, letters, symbols may make it harder for attackers to guess, but with millions of stolen credentials for sale, it may not matter. Moving between and among applications should not require unnecessary authentication disruptions; seamless transitions and movement among multiple applications should be a top priority. Sitting on the phone waiting for the help desk is frustrating. Instead, empowering users to help themselves expedites solutions to their problems and keeps help desk calls and costs to a minimum. 86% of surveyed adults said they would use two-factor authentication if provided. 5 5

7 THE COST OF COMPROMISE Cost of a Breach $7.9 million per US occurrence on average. With consumer portals typically having large user counts, costs could exceed what we ve seen at large breaches from recent years: Anthem Target Home Depot $115M 6 $300M 7 $180M 8 BRAND EROSION A breach can demonstrate how willing customers are to re-engage with your brand. In the days following the company's disclosure of its breach, Target's brand plunged by 35 points on the 100 point Brand Index scale. 9 HELP DESK COST The more users are engaged, the greater the number of potential help desk calls, be it for password resets, account unlocking, or enrollment -- significantly increasing operational costs. LOST REVENUE Lost revenue due to customers seeking alternatives is often hard to quantify and difficult to recover from. Engaged and happy customers, however, spend STOLEN RECORDS $80-$355 per record depending on industry and black-market demand. 11 between 20-40% more than others. 10 6

8 SECUREAUTH IDP ADAPTIVE ACCESS MANAGEMENT Greater security and smooth user experience can go hand in hand. SecureAuth IdP Adaptive Access Management is proof: Truly Secure 25+ different supported multi-factor authentication methods The most risk analysis of any authentication vendor 3,000x more secure than traditional 2FA Threat Detection High fidelity threat data Contextual data informs why authentication failed Focus on threats that matter by correlating with other security events, data, and alerts at the SIEM or Security Operations Center Ease of Use Strong authentication only when needed Single-sign on to easily traverse applications Self-service capabilities for fast remediation and lower operational cost 7

9 Adaptive Authentication: IDENTITYPROOFING SecureAuth IdP s multi-layered risk analysis also known as Adaptive Authentication improves security and user experience by examining risk to detecting anomalies and prompt for authentication only when necessary. Adaptive Authentication Uses Risk checks may be applied to one-time instances or to continuously occurring actions. NEW USER REGISTRATION Validate identities being on-boarded without relying on the helpdesk or third party for identity proofing. USER AUTHENTICATION Use always-on protection for ongoing logins against fraudulent identity. CONTINUAL IDENTITY VALIDATION Ensure only legitimate customers are performing password resets and profile updates. 8

10 Adaptive Authentication: CONTEXT These pre-authentication risk checks work behind the scenes to improve identity security without compromising user experience. DEVICE RECOGNITION SecureAuth looks at web browser configuration, language, installed fonts, browser plugins, device IP address, screen resolution, cookie settings, time zone, and more to create a unique device profile. THREAT SERVICE By comparing the IP address of authentication requests to known white and black lists and to live threat intelligence service feeds, SecureAuth identifies whether a request is coming from an anonymity network like Tor or been associated with nefarious activity in the past. GEO-LOCATION SecureAuth compares an identity s current geographic location against good and bad locations. For example, an organization may not have employees, partners, or customers in China, therefore no one from China will be given access. GEO-VELOCITY Improbable travel events such as a user logging in at 2PM in Los Angeles followed by a second login an hour later in New York do not meet authentication requirements. DIRECTORY LOOKUP Group membership and user attributes are checked against all required fields to find any abnormalities that may signal a false identity and trigger additional authentication. 9

11 Phone Number Fraud Prevention A phone number profiling service is used to identify the class of phone (e.g. mobile, landline, VoIP) and block certain classes of phone. Identify the carrier network and block if unfamiliar. Identify if number was recently ported and require additional authentication steps to verify the user. Identity Governance Provides a risk score based on entitlements; the more access a user has to sensitive resources, the higher the score. User & Entity Behavior Analytics SecureAuth uses that information in its overall adaptive risk scoring. 10

12 THREAT SNAPSHOT One of larger consumer portal customers did not believe many external threats were attempting access and allowed SecureAuth IdP to run three weeks of authentications through the SecureAuth Threat Service; the results speak for themselves. 7,130 suspicious logins prevented by OR 339 potential threats per day OR 14 attacks per hour SecureAuth in three weeks The Details 7,103 suspicious logins from an anonymous proxy 14 malicious logins associated with known cybercriminal activity 13 suspicious logins originating from transparent proxies 11

13 CONCLUSION Portal breaches are increasing and need more than "password" protection Interactions among portal and customer should not be difficult or burdensome Portal breaches can be very costly both in terms of actual costs and perception Portal protection doesn't need to be a compromise - you can have both strong security and disruption-less user experiences with adaptive authentication For more information on how SecureAuth IdP can protect your portal with minimal user disruptions, visit secureauth.com/portal-protection.

14 Sources Data Breach Year-End Review by the Identity Theft Resource Center Verizon Data Breach Investigations Report Most Popular Passwords M-Trends reports from FireEye Wakefield Research Survey: Majority of Americans Reuse Passwords and Millennials Are the Biggest Culprits Anthem Agrees to Settle 2015 Data Breach for $115 Million, Threatpost 7. Report: Cost of Target s Data Breach Nearing $300 Million Home Depot to Pay Banks $25 Million in Data Breach Settlement, Fortune 9. After security breach, Target's brand takes a hit Customer Experience Statistics Every Company Needs to Know About Ponemon Institute Cost of a Data Breach Study, IBM Copyright 2018 by SecureAuth All rights reserved. No part of this publication may be reproduced, distributed, or transmitted in any form or by any means, including photocopying, recording, or other electronic or mechanical methods, without the prior written permission of the publisher, except in the case of brief quotations embodied in critical reviews and certain other noncommercial uses permitted by copyright law.