The Future of Authentication and Security Kevin Dohrmann CTO Cosentry MOVING FORWARD WITH CONFIDENCE

Post on 16-Dec-2015

The Future of Authentication and Security

Kevin Dohrmann, CTO

Cosentry

MOVING FORWARD WITH CONFIDENCE

Facts at a Glance

Company Background

• Headquarters in Omaha, NE
• 180 Employees Nationwide
• One of Inc. 5000 Fastest Growing Company 6 years running
• 5 years 20% growth Y/O/Y
• Center of Excellence in Compliance and Security
• 6 Data Centers across the Midwest

TA Investment

• Acquisition occurred in 2011
• Founded in 1969 and headquartered in Boston, MA
• $16 Billion raised since inception
• Primary focus on investments in the technology industry with majority, minority, and debt investments of up to $500M
• Enables Growth and Strategic Investment

Cosentry Solutions & Services

Facilities & Infrastructure

• Six Data Centers
• High Capacity Network (over 31+GBPS of Internet)
• Hardened Facilities
• 200,000 square feet
• High Available Production Environments
• Compliance
• Data Security
• Backup & Recovery Services
• Facilities Security - 24 Hour Electronic and Biometric access Control

System Support

• Monitoring
• Reporting
• Managed Services
• Systems Management
• Technical Helpdesk
• Project Management
• Vendor Management
• Service Level Agreement (SLA)
• Quarterly Client Reviews
• Capacity Planning

Architecture & Design

• Capacity on Demand
• Vblock Cloud Infrastructure
• Tiered Storage
• Backup Infrastructure
• Patch Management
• Load Balancing
• Regulatory Review & Design
• Network Analysis & Design
• System Performance & Tuning

• Highly Available Systems
• Hardened Data Centers
• Regulatory
• Security
• 24/7 Operations and Support
• Capacity On Demand
• Compliance

Cosentry’s Flexible Service Capabilities

• Managed Applications
• Business Continuity
• Web Hosting
• Content Management
• IaaS Enablement
• Compliant Data Centers

The password

1. I forgot my password!

20%-50% of Help Desk Calls

According to the Gartner Group, between 20% and 50% of all help desk calls are for password resets. Forrester Research states that the average help desk labor cost for a single password reset is about $70.

Credit-checking firm Experian found that for an average of 26 different online accounts, users had only five different passwords. 25-34-year-olds are the most prolific, with no fewer than 40 online accounts per person on average.

2 Million Stolen Passwords Recovered

The stash includes purloined Facebook, Google, Twitter, and Yahoo access credentials. ~ the stolen credential mother lode was the botnet herder's collection of almost 1.6 million stolen website login credentials, which comprised 326,129 Facebook passwords (or 59% of all recovered stolen passwords), followed by 70,532 passwords for Google (13%), 59,549 for Yahoo (11%), 21,708 for Twitter (4%), and 8,490 LinkedIn (2%).

25 Most common passwords

1. password
2. 123456
3. 12345678
4. 1234
5. qwerty
6. 12345
7. dragon
8. pussy
9. baseball
10. football
11. letmein
12. monkey
13. 696969
14. abc123
15. mustang
16. michael
17. shadow
18. master
19. jennifer
20. 111111
21. 2000
22. jordan
23. superman
24. harley
25. 1234567

Here are the top 25, as extracted by antivirus solution provider ESET.

Gartner floated some interesting ideas and predictions on where the Identity and Access Management (IAM) market is heading during Monday’s IAM Summit keynote. Some may be a bit more futuristic than others, but their view is cause to take a step back from the daily grind and observe our industry from new perspectives. Below are the highlights and 2020 predictions:

1. Every user is a consumer, and the way we access systems is consumer-like – especially in the mobile era. Gartner predicts that by 2020, 80% of access will be shaped by non-PC architectures – up from 5% today. It’s time to move on, and stop trying to make mobile devices look like corporate PCs.
2. The IAM space is becoming a competitive marketplace for identities. By 2020, 60% of digital identities interacting with the enterprise will come from external identity providers through a competitive marketplace – up from less than 10% today.
3. The death of the “least privileged”. By 2020, over 80% of enterprises will allow unrestricted access to non-critical assets, up from 5% today, reducing IAM spend by 25%. To this end, organizations are better off focusing IAM spend on high-value data, and applying baseline security to everything else. (Drop Box)
4. Legacy pricing models will implode: By end of 2020, overall IAM products and services pricing will drop by 40% relative to today in real terms. We’ll see new ways of addressing the same issue, with new competitive players. We’ll see a change in delivery models. Also, pricing will move from user-based to transaction-based.
5. It’s not who you are, but what you do and how you do it. A multitude of devices, applications, and identities bring more attributes and multi-dimensional context to access control. By 2020, 70% of all businesses will use attribute based access control (ABAC) as the dominant mechanism to protect critical assets, up from 5% today.
6. Identity intelligence finally gets a brain: By 2020, identity analytical and intelligence (IAI) tools will deliver direct business value in 60% of enterprises, up from less than 5% today. This will include logging and log management, behavioral attributes about who is accessing what and “identity nodes” around users and administrators.
7. Managing identities will include the internet of things. By 2020, the internet of things will redefine the concept of “identity management” to include what people own, share, and use.

20/20 Vision: Top Identity & Access Management Predictions from the Gartner IAM Summit

Andrew Young, November 20, 2013, 11:41 am EST

In a breach first announced on this blog Oct. 3, 2013, Adobe said hackers had stolen nearly 3 million encrypted customer credit card records, as well as login data for an undetermined number of Adobe user accounts. Earlier this month, Adobe said it had actually notified more than 38 million users that their encrypted account data may have been compromised. But as first reported here on Oct. 29, the breach may have impacted closer to 150 million Adobe users.

Adobe Breach

To Restate The Problem

• Login and password authentication stinks
– Hard to remember
– Easy to Steal
– Easy to Spoof
– Hard to support
– Old Technology

• Gets better with two factors (mobile or Token)

Technology Trends

According to Kevin

1. Bandwidth Prices have no bottom
2. Storage cost will continue to Drop
3. Processing power will increase and costs will drop
4. Mobile technology is ubiquitous
5. Big Data (Stupid Phrase) is just getting started
6. Video and photo is the new text

Technology Trends

Enabling

1. Impossible applications will be possible (God's Number, bio-informatics, Kinect)
2. Real time video and image analysis (Remote medicine, wearable computing, augmented Reality)
3. Context Sensitive Security
4. GPS aware security
5. Attribute Based Access Control
6. “Trust Everyone but brand your Cattle”

According to Kevin

Future of Identity and Authentication Management

1. “Welcome back to the Gap Mr. Yakimoto”. Mall Scene from Minority Report
2. Multifactor Biometrics (Iris, facial, fingerprint, DNA) (things we are)
3. Tokens and devices (things we have)
4. PINs, passwords and codes (things we know)
5. Context aware (Attribute Based Access Control) NIST 800-162 (October 2013) (things we are doing)
6. What to do about privacy?

Past - Future

Future of Identity and Authentication Management

Winners?

1. Characteristics of winners in the space
   1. Low Cost
   2. Secure implementation
   3. Universal adoption
   4. Hard to Hack or Crack
   5. Must be 2 or 3 factor
2. Trusted or required
3. Mobile devices are first to implement
   1. Apple 5s finger print reader
   2. Samsung Galaxy S4 facial recognition
4. Rings (NFC) no biometrics
5. NYMI (Heart beat)
6. Kinect Heart Beat

Problems

1. FIDO versus What? No Standards to begin with
2. Bad guys can buy technology also
3. Human beings are not that smart about stuff
4. What to do about privacy?
5. Can the law gather your DNA just in case you ever commit a crime?
6. Freedom from search without a probable cause

EFF (Worry Warts) Blogs about Mandatory National IDs and Biometric Databases

December 29, 2012 - 3:01pm | By Rebecca Bowe 2012 in Review: Biometric ID Systems Grew Internationally… And So Did Concerns About Privacy

October 15, 2012 - 8:56pm | By Katitza Rodriguez Highest Court in the European Union To Rule On Biometrics Privacy

September 27, 2012 - 3:45pm | By Rebecca Bowe India's Gargantuan Biometric Database Raises Big Questions

August 31, 2012 - 12:05pm | By EFF Intern Despite Privacy Concerns, Mexico Continues Scanning Youth Irises for ID Cards

Questions?

• “When you come to the Fork in the Road pick it up”, Yogi Berra.