Title Slide. Subtitle here

Transcription

1 Title Slide Subtitle here 1

2 Agenda Overview of today New gtlds driving Internet change Cyber security landscape.trust making the Internet a safer place Financials 2

3 Overview of today Two objectives Meet the Domain Services team The Internet is about to change forever We are making the Internet a safer place Strengthening brand assurance in the online world Providing peace of mind for customers to transact securely A way for organisations to show that they take security seriously Addresses real concerns of today 3

4 Internet history & development 4

5 A new TLD landscape 5

6 Types of new gtlds New domains will be categorised into: Physical locations Brands Segments.london,.berlin,.quebec 600+ applied.aaa,.accenture,.axa,.bloomingdales,.lancome,.microsoft,.vista,.volkswagen Most companies have applied mainly for defensive purposes.cards,.creditcard,.book,.poker,.restaurant 6

7 Activity so far New gtld registrations has broken the million mark Cost per annum to register all naming possibilities would be prohibitive To register 140 possible extensions for one bank would cost $52,000 just for one year.xyz most popular with 88,000 registrations & counting Registrar giving them away for free & automatically Number of strings registered by individuals with no apparent link to the company in question Some are registered by the brand owners Top Five World Trademark Review May 2014 Extension Number Percentage.xyz 88, %.club 67, %.guru 61, %.berlin 48, %.photography 37, % 7

8 Wild West reality ICANN technical body not regulators Unprecedented expected growth Domains are on a first come first served basis Inadequate brand protection no pre-validation of rights before registration The path to resolution is complex & costly 1,400 new ways to get cybersquatted? Brand dilution Confusion Fraud 8

9 9

10 Opportunity or threat? Cloud SaaS Cloud backups Social media BYOD Data sharing (dropbox et al) The loss of the network perimeter 10

11 Global cost of cybercrime Source: Cost of Cybercrime Report, Norton

12 Threat landscape/horizon Cyber extortion DDoS Encryption of customer data Malware (e.g. GoZeus, Cryptolocker) Cyber fraud VOIP toll fraud Phishing Vishing Fake customer invoices Hacking/hacktivism Web applications Cloud backups Social media accounts Waterholing Supply chain attacks Mobile malware 12

13 Ultimate brand destruction Target Security breaches have far reaching consequences impacting reputation, customer confidence, data protection & the future of the organisation The Target breach in November 2013 is having repercussions to this day December 2013 May

14 Opportunity knocks with new gtlds Only 38% think their data is secure (Deloitte Jan 13) 53% more likely to share personal info with a brand they trust (Deloitte Jan 13) 66% users will use companies that provide reassurance about data protection & security (Deloitte Jan 13) Only 9% are unconcerned about the safety of their personal information online (Deloitte Jan 13) 14

15 15

16 Making a change for the better More than a new domain.trust is about making the Internet a safer place for both businesses & consumers alike.trust gives a clear signal that a site is a safe place to do business & interact with.trust will protect an organisation s Brand Reputation Customer data.trust communicates an organisation s commitment to protecting its customers 16

17 The.trust gated community In order to ensure a safe gated community all.trust domains will: Be verified as recognised brands Operate on secure registrar & DNS infrastructure Commit & actively work to comply with a high-bar of security set within the.trust policies 17

18 How we build trust A.trust domain Secure registrar & domain name system (DNS) infrastructure The.trust technical policy A new high-bar of security Developed by a coalition of industry & NCC Group experts The Continual Trust Monitoring Service (CTMS) Continual compliance testing Manual verification Direct interaction with security analysts to understand/remediate issues 18

19 .trust Technical Policy 58 high-level compliance issues Over 200 specific technical guidelines Four categories Combination of negative & positive requirements Don t have these vulnerabilities Do implement this standard Comprehensive Specific Achievable Network Best Practices Web Application Malware 19

20 .trust Technical Policy Current Practices Best Practices Network Insecure exposure of critical internal services is forbidden Operating systems & services kept upto-date on patches All services must be exposed only over secure channels Web Must not have known critical web application vulnerabilities Implement cutting edge security standards that reduce risk None Publish security policy in DNS that eliminates the risk of spam from your domain must be communicated over a secure transport Malware No serving of or linking to malicious content Monitoring of domain & IP blacklists for your names and addresses 20

21 Continual Trust Monitoring Service Comprehensive, accurate, continual security testing Cloud-based security testing portal Continual monitoring of publicly accessible assets for exposure to: network threats web application threats threats malware threats Manual verification of every reported vulnerability Direct interaction with security analysts to understand & remediate detected issues 21

22 Comprehensive & safe testing Network Scanners Web App Scanners Malware Scanners Custom Tools Automatic Correlation Manual Result Verification Actionable Results Penetration Testing Testing is performed using a full suite of automated security & custom tools combined with penetration testing Network, web application, malware scanners are used to detect easily identifiable vulnerabilities Penetration testing & custom tools are used when automated tools are inaccurate, non-existent or could harm production systems 22

23 Customer portal Intuitive design displays your security posture at a glance 23

24 Customer portal Compliance view - results consolidated into compliance issues instead of 100+ page lists 24

25 Customer portal Detailed vulnerability descriptions Drill down to detailed information for all detected security issues 25

26 Real time security expert Remediation advice from security experts Security Operations Centre Manual verification Support Trusted security advisor 26

27 27

28 Most of the work is invisible 28

29 Timely, important & actionable 29

30 Under the hood 30

31 CTMS architecture 31

32 Securing sensitive information 32

33 Secure & scalable from the start Frontend Services Customer Portal Security Operations Centre Job Scheduler Assessment Coordinator Backend Services Scan Controller Correlation Engine Policy Management Authentication Service Results Databases Encryption Engine Notification Engine Scanner Farm Web Scanners Malware Scanners Network Scanners Custom Tools 33

34 34

35 Registrars current scenario Do not add much value Add to Cart mentality Focused on making money by selling names, no matter what s after the dot Not designed to protect brands or organisations Accept registrations requests from anyone Don t understand specificities of extensions as a service (as seen with.tel) Often confuse customers with too many options Even established players can be the weakest link (as seen with Facebook and NYTimes.com) 35

36 New York Times example 36

37 NCC Group Secure Registrar Committed to doing things differently creating our own Registrar Member of the ICANN community already, Registrar is the logical next step We will: help steer organisations through the new world provide bespoke registration advice in any relevant extension only process requests from an authorised representative always control the chain of command no resellers provide an end-to-end experience 37

38 Registering a.trust domain Only recognised brands are granted domains Human verification of all domain applicants Validate the organisation is the official brand owner Prevents typosquatting or misleading domain names No need to register 1000s of domains Validate all changes are made by an official representative of the organisation Prevents hijacking Every fully qualified domain name comes with an SSL/EV certificate automatically Best of breed DNS servers automatically assigned to.trust domain to prevent Denial of Service 38

39 39

40 Who is.trust for? Organisations Those interested in protecting brand, reputation & customer data Adds credibility & reassurance to all industries Adds differentiator when launching new initiatives Can be used for sensitive portion of web applications ecommerce Aids secure supply chain management Those that care about security & want to show it Consumers Those that are concerned about data privacy & security of their information Those that want reassurance when shopping & transacting online 40

41 .trust adoption 41

42 .trust implementation 42

43 .trust Domain Service pricing model Annual subscription for 100,000/$150,000 includes: One.trust domain & two sub-domains Additional 3-20 sub domains 30,000/$50,000 each Membership in a trusted community Remediation advice from security experts to ensure continual compliance Continual Trust Monitoring Service & portal Annual remote penetration test of.trust assets Implementation service 15,000/$25,000 (first year) includes: Two week consultative implementation plan by an engagement security engineer 43

44 44

45 Expected revenue drivers 2014/ / /17 No. of new customers Total no. of customers Total live sub-domains Renewal rate N/A 95% 95% First customer live in October 2014 pending ICANN progress Average customers moving two sub-domains onto.trust Carefully managed growth predicated on ensuring high quality transition onto new sub-domain 45

46 Illustrative financial model m 2014/ / /17 Net revenue Operating costs (5.3) (5.4) (6.6) Contribution (4.3) Margin ~ 3% 25% Capex (5.1) (1.6) (0.5) Revenue deferred over 12 month period with 95% expected to renew Base operating costs stable in the first two years, then step up with increasing scale of business Margin expected to be around ~ 25% Capex development reducing sharply after service goes live 46

47 Making a change for the better Key brand differentiator Bringing back consumer confidence Protecting customers as they interact & transact online The domain of choice in the new confusing landscape 47

48 North America Atlanta Austin Chicago Mountain View New York San Francisco Seattle Europe Manchester - Head Office Cheltenham Edinburgh Leatherhead London Milton Keynes Amsterdam Copenhagen Munich Zurich Australia Sydney 48