Top Things to Consider When Authenticating Web Applications November 2013

SE-4110, Securing Identities in the Cloud, by Martin Ahlers

Presentation SE-4110 by Martin Ahlers at the AMD Developer Summit (APU13) November 11-13, 2013.

Page 1: SE-4110, Securing Identities in the Cloud, by Martin Ahlers

© 2013 - VASCO Data Security

Top Things to Consider When Authenticating Web Applications

November 2013

Increasing need to protect our online activities

End users
•  Confidential data leakage
•  Cyber bullying
•  “Gold farming”
•  Identity theft

ASP’s
•  Lost revenues
•  Tarnished brand
•  Low data integrity
•  Subscriber churn

•  2012: Hacker able to access billing information and other accounts
•  2012: Exposed 6 million user account passwords
•  2013: Hackers posted fake news about bombing of the White House, Dow Jones dropped 100 points
•  2013: 10 million people watch Netflix without paying for it by sharing passwords
•  2012: Hackers able to access users’ personal data for use in phishing attacks
•  2013: Hackers able to access customer names, credit/debit cards and expiration dates of 2.9 million customers, and up to 38 million ID’s and passwords

Agenda

•  Applications and pain points
   •  Cloud services
   •  Subscription services
   •  Gaming
•  Quick VASCO background
•  Combined AMD and VASCO solution
•  Sample business case
•  Sample competitive comparison

Cloud Security Concerns

•  Losing files
•  Files not stored securely
•  Loss of control
•  Embarrassing files made public
•  Computer viruses

Source: Halon 2013 Security Survey

Cloud Providers Are Expected to Lead on Security

Within five years, cloud security will become one of the primary drivers for adopting cloud computing. The reason for a shift of security from obstacle to driver is that Cloud Service Providers (CSPs) are expected to invest far more in the development of their security infrastructure and expertise than any typical enterprise

Ernst and Young: Cloud Computing Issues and Impacts, 2011

Subscription Sharing: New York Times Analysis

BuzzFeed: It is representative of a rising generation of young people who 1) Like watching shows Online and 2) Cannot fathom paying for them

Subscription Account Sharing Impacts

•  Eliminate revenue leakage from account sharing
   •  Account sharing is perceived as a back-end security problem. But for companies that rely on online subscriptions as a primary revenue stream, account sharing can mean lost income
   •  What we found was that about 33 percent of the accounts on the network were being shared
•  Secure personal information
•  Preserve data integrity for advertising/marketing

"If you're running The Wall Street Journal or World of Warcraft, and you've got multiple people sharing a single subscription, you're losing customers."

Source: AdmitOne

Tier 1 ASP Example

In need of a cloud based two-factor authentication platform

Company Profile
•  One of the world's largest insight, information and consultancy networks. By connecting its specialist companies, the group aims to become the pre-eminent provider of compelling insights for the global business community.

Needs
•  Protect online assets/revenues and control their IP
•  Auditable and traceable accounts for Risk and Compliance Dept.
•  No new overhead or code modification of existing web portals
•  OpEx based purchases to tie to subscription services and improve cash flow
•  Everything IT must move to the cloud

Creating Secure Communities Raises Revenues

http://info.socious.com/bid/56237/How-Online-Customer-Communities-Can-Increase-Revenue-By-19-Research

•  University of Michigan studied a Tier 1 online retailer
•  Study found a 19% increase in revenue when customers were connected in an online community

“While the major share of firm and media attention has focused on third-party online social networks such as Facebook, many firms have made the choice to build their own such networks.”

Current state of Gaming

[Chart: Online Gaming Market Share by Geography (USD $B), 2012 to 2015; series: ROW, US]

Source: SuperData Research and Newzoo Games

Online gaming industry growing significantly... however ARPU is steadily declining

Publishers need assistance to stabilize ARPU by providing additional value to paying customers

US Gaming Demographics

117m Online Gamers in the US

Typical US Gamer
•  Age 25-44
•  Income $35k-$75k
•  60% male
•  79% college degree

1.  Above average income and education
2.  Tech savvy
3.  Understand the value of security

Affinity to online security

Sources: *Nielsen Entertainment's third annual Active Gamer Benchmark Study; ** StatGrab; ***SuperData Research/Newzoo

Gaming companies must capitalize on hits

•  Example: Diablo 3
   •  Fastest selling PC game to date
   •  Broke Amazon record for most pre-orders
   •  Sold 3.5m copies on the 1st day
   •  Sold 6m copies in 1st week
   •  Within 1 week, it became the most played game in Korea, 39% of Korean gamers logging in daily

Securing new game revenue is a natural fit

Gaming ASP Pain Points

•  Account sharing
   •  Increase revenues and subscriptions with stronger authentication
   •  New releases are very competitive, must capitalize on hits
•  Account bullying
   •  Hackers stealing credentials to tamper with account holders
•  Gold farming
   •  Dissatisfaction lowers switching costs and increases churn
   •  Less of an issue with advent of free to play and ability to buy/sell with real dollars
•  User islands
   •  Create communities of users to increase stickiness and monetize free to play
   •  Cross sell gaming assets
   •  One credential to access all game sites

“MMO players are very dedicated gamers. As the majority already plays games on other screens, it will be interesting to see if publishers succeed in extending and monetizing their MMO experience across all screens.”

Peter Warman, CEO of Newzoo

Our Philosophy

[Diagram labels: Security, Cost, Ease]

Find the optimal balance for ASPs and consumers

VASCO Heritage in Banking Security

Secure Portal to Web Apps

[Diagram: Cloud Subscribers; App1 to App6; Numerous Logins, Passwords]
Complex for users, headache for IT helpdesk

[Diagram: Cloud Subscribers; App1 to App6; QR code scan; OTP]
Simple for users, savings for IT helpdesk

Integration overview

[Architecture diagram labels]
•  App, App, App
•  TEE Client API
•  Trusted App
•  Trusted App DIGIPASS
•  Secure OS (TEE)
•  Secure Monitor, Secure Boot
•  ARM Cortex A5 Processor with Trustzone Security Extensions
•  Normal Section, Secure Section
•  AMD chipset
•  Platform/Rich OS (e.g. Windows, etc)

Highly secure yet familiar, simple user experience

Cost Effective Cloud

[Chart: Cost per user vs. Users or Authentications]

Opex Model
Pay as you grow

MYDIGIPASS.COM Subscription Business Case

ASP with 1M users per month

[Chart: Incremental revenues and Incremental costs, YR 1 to YR 5]

Increased Subscription Assumptions:

•  Per a Tier 1 subscription account, 2FA will increase revenues by 10% in YR 1 increasing to 20% by YR 5
•  $100 annual subscription revenue
•  $10 per user 2FA cost

MDP.com would return $17.5M net profit over 5 years.

Easily Deployed Two Factor Authentication

Comparison vs. Home Grown SMS

•  Operates on 3G/4G, WiFi or LAN

Home Grown SMS
•  Does not operate on WiFi
•  Not delivered in poor coverage area
•  Not delivered when out of range
•  Not delivered under heavy traffic congestion
•  Over 5% of SMS deliveries fail*
•  Over 9% take over 5 minutes*

[Image: SMS message reading "Your unique code is w2z356"]

* Per UCLA study Analysis of the Reliability of a Nationwide Short Message Service

Spying on SMS

Secure out of band QR code transmission

Home Grown SMS
Unsecure text message can be intercepted using off the shelf software

[Image: SMS message reading "Your unique code is w2z356", shown twice]

Baseline Mobile App Security

Home Grown SMS
•  Federate Multiple Applications: No
•  Incremental SMS Opex: YES
•  Authentication method: Standard OTP
•  Back-up methods: Written code

[Image: SMS message reading "Your unique code is w2z356"]

[Second column, unlabeled on the slide]
•  Federate Multiple Applications: YES
•  Incremental SMS Opex: NO
•  Authentication method: Challenge/response - more secure
•  Back-up methods: Smartphone, Hardware token

Top Things to Remember for ASP’s

•  Are you creating a secure cloud community?
   •  Application
   •  Delivery
•  Is account vulnerability limiting your revenue growth?
   •  Losing potential customers
   •  High cost of fixing account hacking events
   •  Causing customer churn
•  Could strong two-factor authentication in the cloud meet your needs?
   •  Speedy ROI
   •  Easy to manage / Easy for users
   •  More secure than SMS

For More Information

•  Contact us at
   •  [email protected]
   •  [email protected]
•  And go to our Application Service Provider site
   •  http://mydigipass.vasco.com/