Trusted Identities. Foundational to Cloud Services LILA KEE CHIEF PRODUCT OFFICER GLOBALSIGN


WHAT YOU WILL LEARN TODAY
- Strong identity verification as a security measure and business enabler
- Authentication vs Authorization vs Access primer
- Types of user identities: known and unknown
- Assurance levels
- 3rd-party identity providers: MobileConnect
- Trends in web security
CloudExpo 2016

TRUST: It All Starts with Identity Verification
Identity is in everything. Everything needs a trusted and manageable identity.
Cloud-based service provider customers are looking to their providers to ensure the security of their identities, transactions and data. With the increased reliance on cloud-based services, service providers must build security and trust into their offerings, adding value to customers and improving the user experience. Making identity, security and privacy easy for customers provides a unique advantage over the competition.

Protecting User Identities is Essential
- Customer retention
- Brand protection
- Compliance: Know Your Customer
- Prevention of identity theft, fraud and money laundering

Identity Theft: The Good News - Awareness
19 people fall victim to identity theft every MINUTE (*Federal Trade Commission)

Security as a Business Advantage
- Differentiate from your competitor with a superior user experience
- Reduce order / sign-up abandonment
- Reduce customer churn with easy re-engagement
- Avoid costly fines and reputation loss by complying with privacy regulations

User Identities

What Do We Mean By Identity?
We all have identities. In the digital world our identities manifest themselves in the form of attributes: entries in a database. A unique attribute differentiates us from other online users. Such an attribute could be an email address, a phone number, or a social security number. We get attributes from our employers in the form of titles, the business unit we belong to, the roles we have in projects, or our place in the organization hierarchy. Attributes pertaining to our private and working lives are different, and they change over time as we change jobs, move, get married, etc.

Attribute = Authorization?
Some of the identity attributes that we have are powerful: they allow us to do things online. A role attribute that describes a position within a company, a purchase manager for example, can tell an online site what the person is allowed to do on that specific site. It is therefore crucial that attributes granting power to the user are carefully managed and maintained.

What Do We Mean By Access?
Access decisions are Yes/No decisions. When an access control is deployed, it is tasked with making the Yes/No decision whenever an online user tries to enter or use the resource. There can be, and usually are, multiple access control points within an online service. At the top level there's an access control point that determines whether the user is allowed to enter the site at all. At lower levels, access control points guard individual resources, down to the individual files located somewhere on disk.

What Do We Mean By Authentication?
Authentication is the process by which the identity of the user is established. There are many different ways to authenticate the user:
- User name and password
- PKI
- eID
- LEIs
- Email control
- Mobile Connect
- OTP
- Etc.
Authentication credentials are issued after identities are verified:
- Email control
- Active Directory / HR onboarding
- Assertion by IdP

GSMA MobileConnect
Mobile Network Operators (MNOs) have the opportunity to remove the biggest obstacle service providers face when onboarding customers. With millions of subscribers and potential Mobile Connect users, the MNO is well positioned to offer convenient user authentication to online services.

Assurance Level

One Size Does Not Fit All

Risk                    Low             Medium          High
Identity verification   Social          Email control   Face to Face
Authentication          User Name/PW    Contextual      2FA

Identity vs Access Management
- Identity Management is about managing the attributes related to the user
- Access Management is about evaluating the attributes based on policies and making Yes/No decisions
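The split the last three slides describe (identity management supplies attributes; access management evaluates them against policy at each control point and answers Yes/No; the strength of verification and authentication must match the risk of the resource) can be shown in a few lines. The following is an added example written for this page, not code from GlobalSign or the deck. The numeric ranks for the deck's verification and authentication methods, the subject names and the resource definitions are all constructed for illustration.

```python
"""Added example: attribute-based access decisions with an assurance check.

Identity management hands us a subject plus attributes and a record of how the
identity was proofed and authenticated. Access management evaluates those
attributes against a policy and returns a Yes/No at each control point.
"""
from dataclasses import dataclass, field

# Assurance rank of each method, following the deck's low/medium/high matrix.
# The numeric ranks are an assumption made for this example.
VERIFICATION_LEVEL = {"social": 1, "email": 2, "face_to_face": 3}
AUTHN_LEVEL = {"password": 1, "contextual": 2, "2fa": 3}
RISK_LEVEL = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Identity:
    """What identity management gives us: a subject and its attributes."""
    subject: str
    attributes: dict
    verification: str   # how the identity was proofed at onboarding
    authn_method: str   # how the current session was authenticated


@dataclass
class Resource:
    """A protected resource, its risk rating and the attributes policy requires."""
    name: str
    risk: str
    required_attributes: dict = field(default_factory=dict)


def assurance_ok(identity: Identity, resource: Resource) -> bool:
    """Control point 1: was the identity proofed and authenticated strongly
    enough for the risk of this resource? Unknown methods rank as 0 (deny)."""
    need = RISK_LEVEL[resource.risk]
    return (VERIFICATION_LEVEL.get(identity.verification, 0) >= need
            and AUTHN_LEVEL.get(identity.authn_method, 0) >= need)


def attributes_ok(identity: Identity, resource: Resource) -> bool:
    """Control point 2: does the identity carry every attribute the policy
    requires? A missing attribute is a No, never a default Yes."""
    return all(identity.attributes.get(key) == value
               for key, value in resource.required_attributes.items())


def decide(identity: Identity, resource: Resource) -> bool:
    """Access management: combine the control points into a single Yes/No."""
    return assurance_ok(identity, resource) and attributes_ok(identity, resource)


def demo() -> dict:
    """Constructed subjects and resources; returns the decision for each pair."""
    purchaser = Identity("alice@example.com",
                         {"role": "purchase_manager", "unit": "procurement"},
                         verification="face_to_face", authn_method="2fa")
    # Same person, same attributes, but this session only used a password.
    purchaser_weak_session = Identity("alice@example.com",
                                      {"role": "purchase_manager", "unit": "procurement"},
                                      verification="face_to_face", authn_method="password")
    visitor = Identity("bob@example.com", {"role": "viewer"},
                       verification="social", authn_method="password")
    catalogue = Resource("catalogue", "low")
    approve_po = Resource("approve_purchase_order", "high",
                          {"role": "purchase_manager"})
    return {
        "visitor_catalogue": decide(visitor, catalogue),              # True
        "visitor_approve": decide(visitor, approve_po),               # False: no role, low assurance
        "purchaser_approve": decide(purchaser, approve_po),           # True
        "purchaser_weak_approve": decide(purchaser_weak_session, approve_po),  # False: role alone is not enough
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'Yes' if allowed else 'No'}")
```

The fourth case is the point of the "Attribute = Authorization?" slide: the purchase-manager attribute grants power, but the policy still says No when the session's authentication does not reach the assurance the resource's risk demands.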

The New Age of Bring Your Own Identity
Building Online Privacy Confidence
Gartner recommends use of 3rd-party IDs

Don't Go it Alone - Use 3rd-Party Verified IDs
- Reduces verification costs by up to 30 times
- Look for IAM providers that offer a single integration to the relevant high-assurance IDs

Creating a Trusted eService Site: Trends in SSL

Building Online Privacy Confidence
SSL/TLS (HTTPS) delivers website and server identity authentication as well as encryption of data in transit. Protecting your eServices with SSL certificates provides customers and visitors assurance that their browsing session is safe, and that payment details and personal information are kept secure and encrypted. However, browsers and Certificate Authorities are making big changes to make browsing safer, and these changes may impact your eService.

Always on SSL

SSL Trends
With the rise of Web 2.0, users are communicating sensitive information well beyond credit card data. According to OTA, cybercriminals today are targeting consumers using an attack method called sidejacking that takes advantage of consumers visiting unencrypted HTTP web pages after they have logged into a site. The Online Trust Alliance (OTA) is calling on the security, business and interactive advertising communities to adopt Always On SSL (AOSSL), the approach of using SSL/TLS across your entire website to protect users with persistent security, from arrival to login to logout.

Google Always on SSL: Motivating Good Security
Marking HTTP as insecure: Google has done it, and others are likely to follow. Mozilla and Apple have both indicated that they want more web encryption. Even the US government has taken important steps in that direction, requiring all .gov websites to be HTTPS by default before the end of this year.
Google made website security a factor in keyword search ranking. While the ranking increase is starting out quite slight, Google hinted they will strengthen its impact over time, as their goal is to encourage stronger adoption of HTTPS technology across the board to keep everyone safe on the web.
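The sidejacking problem the OTA describes is concrete: a session cookie issued without the Secure attribute is sent in the clear the moment a logged-in user follows a link to an http:// page on the same site. Always On SSL closes that gap by redirecting every plain-HTTP request to HTTPS, pinning the browser to HTTPS with Strict-Transport-Security, and marking session cookies Secure (and HttpOnly). The audit below is an added example written for this page, not code from GlobalSign or the OTA; the three HTTP responses it inspects are constructed samples, and the one-year HSTS threshold is an assumption of the example.

```python
"""Added example: audit HTTP responses for Always On SSL hygiene.

Checks a captured response for (a) plain-HTTP requests being redirected to
HTTPS, (b) an HSTS header on HTTPS responses, and (c) cookies carrying the
Secure and HttpOnly attributes. Responses are constructed samples.
"""
from typing import List, Tuple

ONE_YEAR = 31_536_000  # seconds; a commonly recommended HSTS max-age (assumption)


def parse_response(raw: str) -> Tuple[int, List[Tuple[str, str]]]:
    """Split a raw HTTP response into (status code, [(header-name, value), ...]).
    Header names are lower-cased; repeated headers such as Set-Cookie are kept."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def hsts_max_age(value: str) -> int:
    """Extract max-age from a Strict-Transport-Security value; 0 if absent."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age" and val.strip().isdigit():
            return int(val)
    return 0


def audit(raw: str, over_https: bool) -> List[str]:
    """Return a list of findings; an empty list means the response passed."""
    status, headers = parse_response(raw)
    single = dict(headers)  # last value wins, fine for single-valued headers
    findings = []

    if not over_https:
        # Plain HTTP must only ever redirect to the HTTPS origin.
        location = single.get("location", "")
        if status not in (301, 302, 307, 308) or not location.lower().startswith("https://"):
            findings.append("plain-HTTP response served content instead of redirecting to HTTPS")
    else:
        hsts = single.get("strict-transport-security")
        if hsts is None:
            findings.append("missing Strict-Transport-Security header")
        elif hsts_max_age(hsts) < ONE_YEAR:
            findings.append("Strict-Transport-Security max-age shorter than one year")

    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in value.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {cookie_name} lacks the Secure attribute (sidejacking risk)")
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie_name} lacks the HttpOnly attribute")
    return findings


# Constructed sample responses (not captured from any real site).
WEAK_HTTP = ("HTTP/1.1 200 OK\r\n"
             "Content-Type: text/html\r\n"
             "Set-Cookie: SESSION=abc123; Path=/\r\n"
             "\r\n<html>account page over plain HTTP</html>")
GOOD_HTTP = ("HTTP/1.1 301 Moved Permanently\r\n"
             "Location: https://shop.example/\r\n"
             "\r\n")
GOOD_HTTPS = ("HTTP/1.1 200 OK\r\n"
              "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
              "Set-Cookie: SESSION=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
              "\r\n<html>account page over HTTPS</html>")

if __name__ == "__main__":
    for label, raw, https in (("weak http", WEAK_HTTP, False),
                              ("good http", GOOD_HTTP, False),
                              ("good https", GOOD_HTTPS, True)):
        print(label, audit(raw, https) or "OK")
```

Run against the weak sample the audit reports the missing redirect and both missing cookie attributes; the two hardened samples pass. In practice the same checks are run against live responses from each origin, once over http:// and once over https://.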

Certificate Transparency
Certificate Transparency makes it possible to detect SSL certificates that have been mistakenly issued by a certificate authority or maliciously acquired from an otherwise unimpeachable certificate authority. It also makes it possible to identify certificate authorities that have gone rogue and are maliciously issuing certificates.
Via:
- Certificate logs
- Monitors
- Audits
Benefits:
- Early detection of misissued certificates, malicious certificates, and rogue CAs
- Faster mitigation after suspect certificates or CAs are detected
- Better oversight of the entire TLS/SSL system
Google is currently the only browser vendor with a CT policy and the only one with an enforcement mechanism. When Chrome encounters an EV certificate which does not comply with the policy, the EV green bar treatment is removed. In order to be compliant, the EV certificate:

Server Security Configuration

Health Check Your Webserver Security
Key size
- Use 2048-bit private keys
- Protect the private key
Certificates
- Ensure sufficient hostname coverage
- Obtain certificates from a reliable CA
- Use strong certificate signature algorithms
Configuration
- Deploy with valid certificate chains
- Use secure protocols
- Control cipher suite selection
- Lots more. There's an easy way.

Installing an SSL Certificate Is Just the Beginning
https://globalsign.ssllabs.com/

Google DevTools

Conclusion
- Enhanced security doesn't have to mean a decline in user experience
- Stay on top of browser changes
- Utilize bring-your-own-identity by leveraging 3rd-party identity providers
- Match the level of identity verification and authentication methods to the impact a breach of the data would have
- Remember users are increasingly becoming more security savvy
- Only ask for what you need
- Solicit consent around data privacy (federation, cross-border transfers)
- Strong identity verification is a business enabler

Questions?
Lila.Kee@globalsign.com
twitter.com/globalsign