Solution Brief
SECURING IDENTITIES IN CONSUMER PORTALS
[1] Arstechnica. http://arstechnica.com/security/2012/08/passwords-under-assault/. August 20, 2012.
[2] Balaouras, Stephanie. Understand the State of Identity and Access Management. Forrester Research, Inc. December 11, 2012.
[3] Cser, Andras; Maler, Eve. Inquiry Spotlight: Consumer-Facing Identity, Q4 2012 to Q1 2013. Forrester Research, Inc. March 22, 2013.
[4] Cybersource. 2012 Online Fraud Report.
THE CHALLENGE IN SECURING CONSUMER PORTALS TODAY
The Bilateral Pull between Security and User Experience
As the world becomes increasingly digital, it is no surprise that the use of web-based consumer portals is on the rise. From a business perspective, deploying web-based consumer portals enables significant benefits, and in many cases is a necessity to drive business. Parallel to the growth in consumer portals, however, is also the increased need to securely manage these portals and ensure consumer security.
Achieving the right balance of security without compromising user experience is a challenge for organizations deploying business-to-consumer (B2C) portals. Enterprises now need to approach security from multiple angles: they need to cater to an increasingly complex network of identities, including customers, members, patients, and partners, all on a myriad of mobile devices. Any security issue can significantly impact customer satisfaction and the brand reputation of a company.
On one end, organizations must provide a seamless end-user experience to drive repeat visits to their sites. End-users expect convenience, including transparent risk-based authentication and single sign-on, with minimal extra steps to achieve this security. A fragmented login experience discourages customers from returning to the site, which results in a loss of user registrations, revenue, and other business metrics. Additionally, end-users are growing increasingly aware of the high-profile breaches that occur daily, yet are unwilling to go through tedious authentication processes to secure their identities.
In step with consumer expectations, organizations must also guarantee security measures that mitigate potential fraud and fines related to privacy regulations. B2C deployments generally include high volumes of users and have higher stakes than internal deployments. Due to end-user behavior, B2C deployments are also higher risk, since consumers tend to reuse the same password on multiple sites. In fact, the average web user maintains 25 separate accounts but uses just 6.5 passwords to protect them [1]. Serving the needs of large volumes of consumers requires a different approach to security, including secure identity and access management, risk-based authentication, and session-based web intelligence.
The Increasingly Sophisticated Threat Environment
Hackers continue to proliferate and evolve, leveraging phishing, Man-in-the-Middle (MITM), Man-in-the-Browser (MITB), smash-and-grab server attacks, SQL injection, and other sophisticated tactics to gain unauthorized access to consumer portals across various industries. In addition to the risk of breach, consumers are now more concerned about how organizations store their information. According to a 2012 Forrester report, 44% of US adults in 2011 (a 6% increase from 2008) reported that they chose not to complete an online transaction with a company because of the company’s privacy policy [3]. With the risk of end-user fear freezing potential online business transactions, it is critical that organizations put the right security steps in place and instill confidence in their consumers.
The continued momentum behind e-commerce has placed stronger demands on online security. This use case is possibly the most demanding from a user-experience and security standpoint, due to the wide reach and high visibility of e-commerce applications. Merchants are continuously affected by the threat of e-commerce fraud as fraudsters and hackers grow more sophisticated. In 2012, according to Cybersource, US online merchants lost $3.4 billion to fraud [4]. Regulations that protect PCI data are also in place, and failing to follow them readily translates into fines.
The rate of adoption in consumer identity access management has grown over the past year.
In a Forrester survey regarding IAM adoption, 32% of respondents had either implemented or planned to implement consumer IAM in 2012, a 5% increase from 2011 [2].
[5] HIMSS Analytics. 2012 HIMSS Analytics Report: Security of Patient Data.
Using the healthcare industry as another example, patient and provider web portals have become more common in healthcare organizations. Patients, providers, and employees all need to access the information on these portals, which have also become an increasing target of scrutiny and risk. At the same time, regulations require protecting the privacy of patient information. In a 2012 survey of healthcare IT professionals, 27% of respondents indicated that their healthcare organization had suffered a security breach within the past 12 months, a 19% increase from 2010 [5].
Similarly, as more banks give their customers the option of online banking, identity security faces a significant threat. Financial institutions report an increasing rate of account takeover attempts each year, which clearly puts consumers at higher risk in their online banking transactions. A potential breach affects financial services organizations not only from a brand reputation perspective, but also financially, in remediating any consumer financial losses.
The harsh reality across all industries is that high-profile, sophisticated cyber attacks targeting identities are increasingly common. It is inevitable that hackers will continue to evolve and become even more sophisticated.
KEY REQUIREMENTS FOR SECURE ACCESS IN B2C PORTALS
Providing secure access balances ease-of-use, proper authorization of information access, strong authentication, and insight into online behavior. B2C portals require a seamless interaction between identity and data, based on attributes and the level of risk for each online session or transaction. The decisions for appropriate access need to be risk-based, and involve a level of risk intelligence, all without impeding the consumer experience.
At RSA, our approach to solving this problem is called Adaptive IAM. Adaptive IAM is a centralized security service that delivers risk-based authentication securely and cost-effectively, and offers granular authorization policy to control access, all based on a single source of identity truth.
Identity Confirmation & Assurance
Before any individual can be trusted with access, their identity must be verified. Criminals often seek to exploit weaknesses in identity proofing in order to gain unauthorized access to assets. Establishing high confidence in an identity is therefore an important first step before a relationship between an individual or organization and their online accounts is created. This assurance depends on determining that the entity is indeed who they claim to be.
Web Access Management
For organizations to provide secure access for high-volume and diverse users, it is critical to authorize users based on context and level of risk. They also need the ability to control user privileges based on definable attributes, business rules, and security policies. Access privileges combined with high-value user identities ensure that the right users can access the right applications at the right time.
To strengthen security across web access, the solution also needs to provide a broad range of authentication methods based on acceptable levels of risk for each web application or portal. Complementing a secure web access management solution with a wide range of authentication technologies ensures a seamless, transparent experience for users, together with strong security capabilities to control access to sensitive intellectual property. Web single sign-on across multiple applications also enhances the user experience, which makes repeat use of the portal more likely.
Managing Identity Information
Identity information is an increasingly valuable asset for organizations of all sizes, not only for B2C portal security, but also from a marketing and customer service perspective. With identity information, organizations can vastly improve the customer experience by personalizing it based on the user’s identity. Nurturing these relationships depends on understanding the user’s behavior, history, and preferences. The more an organization knows about its customers, the better it can serve them—and the more opportunities there are to convert this intelligence into business returns. This valuable connection between identities and backend processes is especially relevant for B2C portals. Targeted marketing, order entry, and fulfillment are all activities that are closely tied to identity and also happen to be service-related activities. Today’s businesses strive to be customer-focused rather than transaction-focused—and this requires seeing the whole picture of the customer and their entire relationship with the business.
However, today’s identity infrastructures are a fragmented collection of identity stores, making it very difficult to achieve the 360° view of customers needed for marketing and customer service. With critical identity information siloed in diverse data stores and applications, what you know about a user is scattered across disparate back-end sources, protocols, and identity representations—with no easy way to retrieve the information and put it all together. Even the basic task of authentication—identifying users across data silos to grant them access—has become a nearly insurmountable burden. Managing identities in this environment requires a solution that is flexible, scalable, and comprehensive.
Distinguishing Customers from Criminals
Authentication is one of the first lines of defense in a layered, risk-based security strategy. However, there are limitless potential threats that can be realized post-authentication as well. Once users have been authenticated and gain access to the portal, the information stored on that portal is even more vulnerable to account takeover. Account takeover attacks such as those launched via Man-in-the-Middle and Man-in-the-Browser techniques are increasingly sophisticated and difficult to detect, resulting in negative consequences ranging from fraudulent money movement to identity theft to the intentional and malicious destruction of data.
In order to protect customers from account takeover and other post-authentication attacks, today’s organizations must be able to distinguish the actions of legitimate users of their web site from criminal or disruptive users.
THE RSA SOLUTION
RSA provides a proven solution for secure B2C portals. The RSA solution delivers the most effective combination of risk-based user authentication methods, access management controls, identity aggregation and synchronization, web-session intelligence, and online behavioral analysis for post-authentication threats. Seen in isolation, these technologies are effective, but the sum of these solutions is larger than the individual parts. With RSA’s multi-pronged secure web access solution, risk-based assessments are used to protect access through the “front door” of web applications and also throughout the web session.
RSA’s Adaptive IAM approach provides a smart response to ever-changing risk profiles, and an increasing number of identities. RSA offers the appropriate mix of products, which can either be deployed individually or in combination as a complete Adaptive IAM solution including the following:
RSA® Access Manager secures access to web applications with transparent single sign-on (SSO) access based on coarse- to fine-grained access control policies. RSA Access Manager integrates with a broad range of authentication methods, or combinations of methods, based on your acceptable level of risk. These include Integrated Windows Authentication (IWA), X.509 certificates, RSA SecurID® two-factor authentication, and RSA Adaptive Authentication, which includes out-of-band phone, out-of-band email, and out-of-band SMS authentication among others. RSA Access Manager works seamlessly with RSA Adaptive Directory so that organizations have a logical view of all identities and attributes in one place, ensuring safer authorization of access to web applications.
RSA® Adaptive Authentication, with its advanced self-learning risk engine, calculates a risk score based on the user behavior profile, the device profile, and the eFraudNetwork match. This risk score is passed to a policy engine, and the user is either granted access, required to provide an alternate authentication credential, or denied access. RSA Adaptive Authentication is a proven solution protecting thousands of organizations and users worldwide today.
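The three-way decision described above (grant, step up to an alternate credential, or deny), shown as an added toy example in Python. This is not RSA's risk engine or its scoring: the signal weights, thresholds, profile fields and the fraud-intelligence IP list are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed stand-in for a shared fraud-intelligence feed: source IPs already seen in
# confirmed fraud elsewhere (the role the brief assigns to the "eFraudNetwork match").
FRAUD_NETWORK_IPS = {"198.51.100.7", "203.0.113.42"}
STEP_UP_THRESHOLD = 30   # scores in [30, 80) require an alternate credential
DENY_THRESHOLD = 80      # scores >= 80 are refused outright

@dataclass
class UserProfile:
    """Hypothetical per-user behaviour baseline learned from earlier logins."""
    usual_countries: set = field(default_factory=set)
    known_device_ids: set = field(default_factory=set)
    usual_hours: range = range(7, 23)   # local hours in which this user normally logs in

@dataclass
class LoginAttempt:
    country: str
    hour: int
    device_id: str
    fingerprint_changed: bool   # known device id, but browser/OS traits no longer match
    ip_address: str

def risk_score(profile: UserProfile, attempt: LoginAttempt) -> int:
    """Additive toy score in [0, 100]; the weights are constructed for illustration."""
    score = 0
    # Behaviour profile: is this when and where the user normally logs in?
    if attempt.country not in profile.usual_countries:
        score += 30
    if attempt.hour not in profile.usual_hours:
        score += 15
    # Device profile: unseen device, or a known device whose traits changed (possible hijack)
    if attempt.device_id not in profile.known_device_ids:
        score += 40
    elif attempt.fingerprint_changed:
        score += 20
    # Fraud-network match: the strongest single signal
    if attempt.ip_address in FRAUD_NETWORK_IPS:
        score += 60
    return min(score, 100)

def policy_decision(score: int) -> str:
    """Policy engine: ALLOW, STEP_UP (e.g. out-of-band SMS or phone), or DENY."""
    if score >= DENY_THRESHOLD:
        return "DENY"
    if score >= STEP_UP_THRESHOLD:
        return "STEP_UP"
    return "ALLOW"
```

The same score can be recomputed for each transaction within a session, not only at login, which is how post-authentication account takeover is caught.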
RSA® Adaptive Directory creates and secures a single, authoritative identity directory from disparate and distributed directory infrastructures for authentication, authorization and federation. Users who exist in more than one source, both on-premises and in cloud applications, now have a single profile of all attributes without duplication. This gives you one virtual view of all users and entitlements on top of your existing identity infrastructure.
RSA, the RSA logo, EMC², and EMC are registered trademarks or trademarks of EMC Corporation in the United States and other countries. All other trademarks used herein are the property of their respective owners. ©2013 EMC Corporation. All rights reserved. Published in the USA.
h11733 SB 0413
About RSA
RSA is the premier provider of security, risk and compliance solutions, helping the world’s leading organizations succeed by solving their most complex and sensitive security challenges. These challenges include managing organizational risk, safeguarding mobile access and collaboration, proving compliance, and securing virtual and cloud environments.
Combining business-critical controls in identity assurance, data loss prevention, encryption and tokenization, fraud protection and SIEM with industry-leading eGRC capabilities and consulting services, RSA brings trust and visibility to millions of user identities, the transactions that they perform and the data that is generated.
www.rsa.com
RSA® Identity Verification, from LexisNexis, is a strong consumer authentication service that validates user identities in real time, reducing the risk of identity impersonation. Using Dynamic Knowledge-Based Authentication, Identity Verification challenges users with a series of top-of-mind questions generated from billions of public and commercially available records. This capability can deliver a high-confidence confirmation of identity within seconds, even if no prior relationship has been established with the user.
RSA SecurID® is a market-leading two-factor authentication solution. It solves the “weak link” problem of poorly chosen user passwords by enforcing strong, multi-factor authentication. The RSA SecurID authentication mechanism consists of either a hardware or a software token that generates unique authentication codes at fixed time intervals using the token’s factory-encoded random key.
RSA® Authentication Manager 8.0 delivers the world-class strength of RSA SecurID authentication technology and now also offers a risk engine to meet the challenges and needs of today’s organizations. The RSA Authentication Manager virtual appliance provides the flexibility to support a wide range of authentication methods, an advanced risk engine, ease of manageability, and interoperability with industry-leading products and vendors.
RSA® Web Threat Detection enables organizations to differentiate between legitimate and disruptive use of a website through behavioral analysis. The solution captures and analyzes clickstream data to build behavioral profiles for both the user population and individual end users of a website. RSA Web Threat Detection provides complete visibility into online behavior before, during and after authentication, and detects anomalies, online security threats, fraud, insider threats, business logic attacks and other malicious activity.