Author: Kevin Moulton
Kevin Moulton has been in the security space for more than 25 years, and with Oracle for 7 years. He manages the East Enterprise Security Sales Consulting Team. He is also a Distinguished Toastmaster. Follow Kevin on Twitter at twitter.com/kevin_moulton, where he sometimes tweets about security, but might also tweet about running, beer, food, baseball, football, good books, or whatever else grabs his attention. Kevin will be a regular contributor to this blog so stay tuned for more posts from him.
It happened again! There I was, reading something interesting online, and realizing that a friend might find it interesting too. I clicked on the little email link, thinking that I could easily forward this to my friend, but no! Instead, a new screen popped up where I was asked to create an account. I was expected to create a User ID and password, not to mention providing some personally identifiable information, just for the privilege of helping that website spread their word.
Of course, I didn’t want to have to remember a new account and password, I didn’t want to provide the requisite information, and I didn’t want to waste my time. I gave up, closed the web page, and moved on to something else. I was left with a bad taste in my mouth, and my friend might never find her way to this interesting website. If you were this content provider, would this be the outcome you were looking for?
A few days later, I had a similar experience, but this one went a little differently. I was surfing the web, when I happened upon some little tchotchke that I just had to have. I added it to my cart. When I went to buy the item, I was again brought to a page to create an account. Groan!
But wait! On this page, I also had the option to sign in with my OpenID account, my Facebook account, my Yahoo account, or my Google Account. I have all of those! No new account to create, no new password to remember, and no personally identifiable information to be given to someone else (I’ve already given it all to those other guys, after all).
In this case, the vendor was easy to deal with, and I happily completed the transaction. That pleasant experience will bring me back again.
This is where security can grow your business. It’s a differentiator. You’ve got to have a presence on the web, and that presence has to take into account all the smart phones everyone’s carrying, and the tablets that took over Cyber Monday this year. If you are a company that a customer can deal with securely, and do so easily, then you are a company customers will come back to again and again.
I recently had a need to open a new bank account. Every bank has a web presence now, but they are certainly not all the same. I wanted one that I could deal with easily using my laptop, but I also wanted 2-factor authentication in case I had to log in from a shared machine, and I wanted an app for my iPad. I found a bank with all three, and that’s who I am doing business with.
Say, for example, that I’m in a regular Texas Hold-em game on Friday nights, so I move a couple of hundred bucks from checking to savings on Friday afternoons. I move a similar amount each week and I do it from the same machine. The bank trusts me, and they trust my machine. Most importantly, they trust my behavior. This is adaptive authentication. There should be no reason for my bank to make this transaction difficult for me.
Say that I log in from a Starbucks in Uzbekistan, and I transfer $2,500. What should my bank do now? Should they stop the transaction? Should they call my home number? (My former bank did exactly this once when I was taking money out of an ATM on a business trip, when I had provided my cell phone number as my primary contact. When I asked them why they called my home number rather than my cell, they told me that their “policy” is to call the home number. If I'm on the road, what exactly is the use of trying to reach me at home to verify my transaction?)
But, back to Uzbekistan…
Should my bank assume that I am happily at home in New Jersey, and someone is trying to hack into my account? Perhaps they think they are protecting me, but I wouldn’t be very happy if I happened to be traveling on business in Central Asia.
What if my bank were to automatically analyze my behavior and calculate a risk score? Clearly, this scenario would be outside of my typical behavior, so my risk score would necessitate something more than a simple login and password. Perhaps, in this case, a one-time password to my cell phone would prove that this is not just some hacker halfway around the world.
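The risk scoring and step-up decision described above, as an added Python example (not code from this post or from any Oracle product). The signals, weights, threshold, names and sample data are assumptions chosen to mirror the two scenarios in the post.

```python
from dataclasses import dataclass

# Illustrative assumption: a score at or above this requires a one-time password.
STEP_UP_AT = 40

@dataclass
class Profile:
    """What the bank has learned about the customer's normal behavior."""
    known_devices: set
    usual_countries: set
    typical_amounts: list   # recent transfer amounts, in dollars

@dataclass
class Attempt:
    device_id: str
    country: str
    amount: float

def risk_score(profile, attempt):
    """Add up a weight for each way the attempt departs from past behavior."""
    # With no history the baseline is 0, so any transfer counts as unusual.
    baseline = max(profile.typical_amounts, default=0)
    signals = [  # (fired?, assumed weight, reason)
        (attempt.device_id not in profile.known_devices, 30, "unrecognized device"),
        (attempt.country not in profile.usual_countries, 30, "unusual country"),
        (attempt.amount > 3 * baseline, 25, "amount far above usual"),
    ]
    hits = [(weight, reason) for fired, weight, reason in signals if fired]
    return sum(w for w, _ in hits), [r for _, r in hits]

def decide(profile, attempt):
    """Low risk goes straight through; higher risk gets a one-time password."""
    score, reasons = risk_score(profile, attempt)
    action = "step_up_otp" if score >= STEP_UP_AT else "allow"
    return action, score, reasons

# Constructed sample data modeled on the two scenarios in the post.
customer = Profile({"home-laptop"}, {"US"}, [200, 180, 220, 200])
friday_transfer = Attempt("home-laptop", "US", 200)
cafe_transfer = Attempt("shared-pc-7", "UZ", 2500)

if __name__ == "__main__":
    for attempt in (friday_transfer, cafe_transfer):
        print(attempt, "->", decide(customer, attempt))
```

The usual Friday transfer scores 0 and is allowed without friction, while the transfer from an unfamiliar machine abroad scores high enough to trigger the one-time password instead of an outright block.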
But, what if you're not a bank? Do you need this level of security? If you want to be a business that is easy to deal with while also protecting your customers, then of course you do.
You want your customers to trust you, but you also want them to enjoy doing business with you. Make it easy for them to do business with you, and they’ll come back, and perhaps even Tweet about it, or Like you, and then their friends
How can Oracle help?
the technology and expertise to help you to grow your business with security.
Adaptive Access Manager will help you to prevent fraud while making it easier for your customers to do business with you by providing the risk analysis I discussed above, step-up authentication, and much more.
Mobile and Social Access Service will help you to secure mobile access to applications by expanding on your existing back-end identity management infrastructure, and allowing your customers to transact business with you using the social media accounts they already know. You also have device fingerprinting and metrics to help you to grow your business securely.
Security is not just a cost anymore. It’s a way to set your business apart.
With Oracle’s help, you can be the business that everyone’s
Image courtesy of Flickr user shareski