No Littering, No Smoking, NO PASSWORDS

April 2017

Bob Kalka, VP IBM Security



The Transformation of Identity and Access Management

63% of organizations to replace an IAM technology within 2 years

#1 Reason: changing technology environment

94% of IAM budgets increasing or staying the same in 2017

*Gartner conference Dec 2016


Password Use is Dropping Rapidly

IBM AND BUSINESS PARTNER INTERNAL USE ONLY

55% drop in use of passwords and tokens by 2019

Drop in use due to introduction of recognition technologies

*Gartner Strategic planning assumption – Ant Allan (in medium-risk use cases)


Enterprises are trying to find the balance between two interests

Usability Expectations

• Lose customers due to inconvenience

• Employees want to get their job done

• Employee productivity: time consuming, easily forgotten

Demand for Increased Assurance

• Steal a password and you’re in

• Employees, often unwittingly, are key to many large data breaches

• A stolen consumer password turns your customer transaction into fraud

60% of known data breaches use weak or stolen passwords

Password: xgGL$#!jjhh(*%!aAbc


Why risk-based authentication?

No matter what level of security you require…

Security User Experience

…risk-based authentication is the most basic step towards increasing security without compromising user convenience.


Adapt and enforce access based on risk

• Time of day

• IP reputation

• User info

• Browser type

• Device type

RISK-ENGINE

APPROVE / CHALLENGE / DENY


Why Smartphone-based authentication?

Usability Security


Solution: Infuse multiple authentication types for stronger security

Capture

SOMETHING THAT YOU KNOW
- Usernames and passwords
- Knowledge questions

SOMETHING THAT YOU HAVE
- User presence
- One time passwords
- Time-based
- Email/SMS

SOMETHING THAT YOU ARE
- Biometrics

Move towards stronger, easier authentication

Risk-based access


The IBM approach

Devices / Smartphones + Risk-based access = Less intrusive, more affordable, strong authentication

IBM Verify


IBM Security Access Manager: IBM Verify! Mobile Authentication

Enroll / Touch (Fingerprint) / Confirm (Y/N) Login / Confirm (Y/N) Transaction / One Time Password / Face & Voice Recognition (future)**

• Multi-modal: different types supported for different scenarios

• Integrated: Easily integrate flexible, intelligent multi-factor authentication into applications

• IBM Verify mobile App: out of the box multi-factor authentication

• IBM Mobile Access SDK: MFA easily integrated into a custom mobile app

• Policy driven: Permit access when risk is low and demand authentication challenges when risk is high

• Extensible: Adopt a platform approach for evolving user expectations and authentication technologies

** Statement of direction: In a future release, IBM intends to add biometric authentication capability into the IBM Security Access Manager platform.


Demo


IBM Security Access Manager: risk-based access supports five main context domains for adaptive access control

• Identity: Groups, roles, credential attributes, organization

• Endpoints: There are various unique attributes (device fingerprint): screen depth/resolution, fonts, OS, browser, browser plug-in, device model & UUID

• Environment: Geographic location, network, local time, etc.

• Resource / Action: The application being requested and what is being done.

• Behavior: Analytics of user historical and current resource usage; user activity monitoring, specific business activity monitoring
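A minimal sketch of the risk engine from the "Adapt and enforce access based on risk" slide, scoring signals from the context domains listed above and mapping the score to APPROVE / CHALLENGE / DENY. This is an added example, not IBM Security Access Manager code or anything from the slides; every field name, weight, threshold and sample value is constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Decision(Enum):
    APPROVE = "approve"
    CHALLENGE = "challenge"        # step up, e.g. push confirmation or one-time password
    DENY = "deny"

@dataclass(frozen=True)
class AccessContext:               # one field group per context domain; names are hypothetical
    groups: frozenset              # Identity
    device_id: Optional[str]       # Endpoint: device fingerprint, None if not collected
    known_devices: frozenset       # Endpoint: fingerprints already seen for this user
    ip_reputation: Optional[int]   # Environment: 0 clean .. 100 known bad, None if lookup failed
    local_hour: int                # Environment: 0..23
    action: str                    # Resource / Action
    usual_hours: range             # Behavior: hours this user normally works

SENSITIVE_ACTIONS = {"wire_transfer", "change_mfa"}   # constructed
CHALLENGE_AT, DENY_AT = 30, 70                        # constructed thresholds

def risk_score(ctx: AccessContext) -> int:
    score = 0
    if "admin" in ctx.groups:
        score += 10                                   # privileged identity gets less slack
    if ctx.device_id is None or ctx.device_id not in ctx.known_devices:
        score += 30                                   # unknown or missing fingerprint
    # A failed reputation lookup is scored as risky, never as clean.
    score += 40 if ctx.ip_reputation is None else ctx.ip_reputation // 2
    if ctx.local_hour not in ctx.usual_hours:
        score += 15
    if ctx.action in SENSITIVE_ACTIONS:
        score += 20
    return score

def decide(ctx: AccessContext) -> Decision:
    if ctx.ip_reputation is not None and ctx.ip_reputation >= 90:
        return Decision.DENY                          # hard rule, not outweighed by good signals
    score = risk_score(ctx)
    if score >= DENY_AT:
        return Decision.DENY
    return Decision.CHALLENGE if score >= CHALLENGE_AT else Decision.APPROVE

# Constructed sample request: known laptop, clean IP, office hours, low-value action.
BASELINE = AccessContext(frozenset({"employee"}), "fp-laptop-01",
                         frozenset({"fp-laptop-01"}), 5, 10, "read_report", range(8, 18))
```

Scoring a missing signal as risky means an attacker who blocks fingerprint collection or the reputation lookup lands in CHALLENGE rather than APPROVE.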


THANK YOU

FOLLOW US ON:

ibm.com/security

securityintelligence.com

xforce.ibmcloud.com

@ibmsecurity

youtube/user/ibmsecuritysolutions

© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.