ISS SA presents Entrust IdentityGuard

Posted on 13-May-2015


Organizations need to evolve beyond the basic username and password and secure online transactions with a range of strong authentication options.

Transcript of ISS SA presents Entrust IdentityGuard

© Copyright Entrust, Inc. 2010

What are the Challenges of Securing Identities online?


Entrust is a World Leader in Identity Management and Security Software

• Founded in 1994, publicly-listed in 1998 (NASDAQ: ENTU)

• Best-in-class technology, service and support – industry pioneer

• Over 2000 customers in 50 countries – global reach

• Geographic presence: U.S., Canada, UK, China, Germany, India and Japan

• 411 employees and 110+ patents

• 2008 Revenue: ~$100.0 million


Online Service Uptake Critical

[Chart: US Banking Delivery Transactions by Channel (2006-10p). Y-axis: Transactions (Billions), 0 to 80; years 2006 to 2010; series: Online, Call Center, Branch, ATM]

May 31, 2008


Online Service Uptake Critical

Cost per Transaction (US $)

May 31, 2008

[Chart: cost per transaction by channel (Branch Platform, Back Office, Call Center Agent, Branch Teller, ATM, IVR, PC Banking); the values shown range from $4.05 down to $0.20]


We Provide Identity-Based Security for:

• Consumers: online banking users, e-commerce site customers
• Citizens: travelers, and those accessing government services, in person or online
• Web Sites: web servers (external and internal), email servers and code being distributed online
• Enterprises: business and government employees, contractors, first responders, and devices


Consumer Authentication


Consumer Auth Problems

[Diagram: Man in the Middle Attacker, Man in the Browser, Malware]

• Ongoing attacks against FIs (financial institutions)
• Corporate accounts being targeted
• Malware growing fast, hard to detect with Anti-Virus
• End-users often resist strong auth

Source: Anti-Phishing Working Group, July/09


Consumer Authentication: Entrust Solution

Flexible range of authenticators

Across spectrum of security / usability

Zero-touch fraud detection to spot unusual activity and stop malware


Authenticators (in the order shown on the slide):

• Username & Password
• Mutual Authentication
• IP Geolocation
• Device Fingerprint
• Knowledge-Based Authentication
• Grid Card / eGrid
• One-Time Password Tokens
• Out of Band Auth via SMS or Email
• Digital Certificates
• Smart Cards

Enterprise Authentication


Enterprise Identities: Problems

Protect access to intellectual property and customer data

Work from anywhere

Stay out of employees’ way

Audit access to resources

Reduce transaction costs by moving online

[Chart: growth in # of IDs from 2000 to 2010 across Employees, Partners, Contractors, Other Businesses, Mobile Devices, and Other internal Servers & Devices]


Enterprise Identities: Entrust’s Solution

Broad range of authentication credentials

For users, servers, devices

Enables encryption and digital signature with strong identity


Web Site Authentication


Web site authentication: Problems

Phishing attacks and other fraud often involve counterfeit websites

Users cannot easily detect fake sites

Numerous servers for IT staff to keep track of, ensuring no certificate expiries

Expense of certs for numerous servers

[Diagram: Customers, Employees and Mobile Users; Web servers, Exchange, Applications]


Web site authentication: Entrust Solution

SSL certificates for web sites, MS Exchange, code signing, Adobe PDF

Stringent verification to prevent brand theft

Helps user verify they are at correct site

Enables browser to provide some automated protection

Powerful certificate management tools

[Diagram: Customers and Mobile Users; Entrust Verification]

Identity-Based Security: a Layered Approach

People, Servers, Devices, Applications

Credential issuance, audit, lifecycle management

Credential use, step-up, ongoing transaction analysis, and forensics


Entrust IdentityGuard

• Single open platform, centralized policy management
• User self administration
• Deploy based on Risk, Usability, Cost

Versatile Authentication Platform (authenticators shown around the platform):

• Username & Password
• Grid
• ScratchPad
• Digital Certificates
• OTP Tokens
• Smartcards & USB Tokens
• Mutual Auth
• IP-Geolocation
• Machine/Device Auth
• Mobile
• Knowledge-Based


IP Geolocation

• Authentication based on the user's physical location

• Register common access points & record logon profiles

• Leverage IP black/white lists & OFIN data


Machine Authentication

• Captures machine parameters

• No user interaction

• With or without cookies

Example captured parameters: IP: 216.191.253.108; Browser: IE 7.0; Screen Depth: 1024; …


Digital Certificates

• X.509 certificate support
• Existing certificates or leverage Entrust Managed Service Offering

• Standard SSL client or application signature-based authentication

• Stored in software, on smart cards, or USB tokens


Mobile Authentication & Transaction Notification

• Multiple Identities, one device
• Mix of Soft token only and Transaction Notification
• Independent activation and control
• Customizable branding per identity


IDG Mobile – Soft Token

• OATH compliant
• Time-based soft token
• 30 second time window
• Brandable interface


IDG Mobile - with Transaction Notification

OATH Time-based Soft Token

Transaction details confirmed out of band on mobile device

No data entry

OATH signature of transaction contents

User confirms transaction or acts on suspect details
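The OATH time-based soft token with a 30-second window (IDG Mobile slide) and the out-of-band transaction confirmation above, as an added example written for this page, not Entrust's code: HOTP/TOTP per RFC 4226 and RFC 6238 with a verifier that tolerates one step of clock drift, plus an illustrative transaction-bound code. The transaction-binding construction and the test-vector seed are assumptions, not Entrust's scheme.

```python
import hashlib
import hmac
import struct
import time

STEP = 30      # the 30-second time window named on the slide
DIGITS = 6

def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: 4 bytes at an offset taken from the last nibble."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """OATH HOTP: HMAC-SHA1 over the 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)

def totp(secret: bytes, at: float, step: int = STEP, digits: int = DIGITS) -> str:
    """OATH TOTP: the counter is the number of whole time steps elapsed."""
    return hotp(secret, int(at // step), digits)

def verify_totp(secret: bytes, code: str, at: float, step: int = STEP, skew: int = 1) -> bool:
    """Accept the current step and `skew` steps either side (clock drift).
    Constant-time compare so a wrong guess leaks nothing about the right code."""
    counter = int(at // step)
    return any(hmac.compare_digest(hotp(secret, c), code)
               for c in range(max(0, counter - skew), counter + skew + 1))

def transaction_code(secret: bytes, at: float, details: str, step: int = STEP) -> str:
    """Illustrative transaction signing (assumption, not Entrust's scheme): a hash
    of the transaction details is mixed into the HMAC input, so the code the user
    confirms is valid only for exactly these details in this time step."""
    msg = struct.pack(">Q", int(at // step)) + hashlib.sha256(details.encode()).digest()
    return _truncate(hmac.new(secret, msg, hashlib.sha1).digest(), DIGITS)

if __name__ == "__main__":
    seed = b"12345678901234567890"   # RFC 6238 test-vector seed, not a real key
    print(totp(seed, time.time()))
    print(transaction_code(seed, time.time(), "transfer 100.00 to account 1234"))
```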


Soft Token Mobile Authentication

• Single or multiple one-time passcodes to mobile device – SMS, email, voice

• Authenticate while out of cell range

• Out-of-band transaction detail confirmation and authentication OTP

• Automatic refresh of OTPs


Knowledge Authentication

• Configurable number of questions

• User defined or imported

• Define number of correct answers

• Randomly presented


Grid Authentication

• Each grid card unique
• Inexpensive to produce and deploy
• Innovative eGrid in graphic or PDF format
• Easy to use and support

[Diagram: grid card with row/column coordinates; labels "C 2 3" visible]
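The challenge-response behind a grid card, as an added example written for this page, not Entrust's code: a constructed card with lettered rows and numbered columns, a fresh challenge of distinct cells per login, a single-use check with a time limit, and a constant-time comparison of the response. Row labels, card size, three cells per challenge and the 120-second limit are assumptions.

```python
import hmac
import secrets
import string
import time

ROWS = "ABCDE"        # constructed card layout, not Entrust's
COLS = range(1, 6)

def make_grid_card():
    """Issue one unique card: every cell holds an independent random digit."""
    return {f"{r}{c}": secrets.choice(string.digits) for r in ROWS for c in COLS}

class GridAuthenticator:
    """Server side of a grid challenge-response login (illustrative)."""

    def __init__(self, grid, cells_per_challenge=3, ttl=120):
        self.grid = grid
        self.n = cells_per_challenge
        self.ttl = ttl
        self.pending = None   # (cells, issued_at): one live challenge at a time

    def challenge(self, now=None):
        """Fresh, non-repeating coordinates each time, so a captured response
        does not answer the next challenge."""
        cells = secrets.SystemRandom().sample(sorted(self.grid), self.n)
        self.pending = (cells, time.time() if now is None else now)
        return cells

    def verify(self, response, now=None):
        """Check the digits for the pending cells; the challenge is consumed
        whether or not the answer is right, and expires after ttl seconds."""
        if self.pending is None:
            return False
        cells, issued = self.pending
        self.pending = None
        now = time.time() if now is None else now
        if now - issued > self.ttl or len(response) != len(cells):
            return False
        expected = "".join(self.grid[c] for c in cells)
        return hmac.compare_digest(expected, "".join(response))

if __name__ == "__main__":
    card = make_grid_card()
    auth = GridAuthenticator(card)
    asked = auth.challenge()
    print("challenge:", asked, "->", auth.verify([card[c] for c in asked]))
```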


Mini Tokens

Mini OT
• Time-Synchronous
• OATH Compliant

Mini AT
• Time & Event-Synchronous

• Standards Based Algorithm


Pocket Tokens

• Time & Event-Synchronous

• Pin unlock, Response, Challenge + Response

• Standards Based Algorithm


DisplayCard Tokens

• Credit card format

• OATH based OTP generation

• Multi-functional card including optional on-board chip (PKI and/or EMV chip)


Mutual Authentication

• End user validation of site

• Personalized for user
• Increased user confidence

[Diagram: Serial Number Replay; Extended Validation Certificates; Image & Message Replay]


Policy & User Management

Web based Administration


Reporting

• Web based reporting
• User and authentication tracking and analysis


Integrating IdentityGuard

[Diagram: End User; Remote Access Applications; Microsoft Windows Servers; Web Authentication Applications; Enterprise Applications & Data; Repository]


2nd Factor Authentication

[Diagram: Initial Logon (User Name? Password?) to the Online Application, followed by a 2nd Factor Challenge from the Authentication Platform]


Application: Remote Access

[Diagram: End User; Remote Access Applications]

• Integrates with leading remote access solutions

• Leverages industry standards to streamline deployment

• Supports MS RAS, IP-SEC, & 802.1x clients


Application: Enterprise Desktops & Servers


• Integrated 2nd factor authentication

• Easy to use & deploy

• Leverages common security infrastructure

[Diagram: End User (any user, password plus grid response); Enterprise Servers; Microsoft Windows Desktops; Administrators]


Application: Extranet Access

[Diagram: End User; Web Authentication Applications]

• Range of authenticators

• Inexpensive to deploy

• Easy to use and support


Easily Extends across Enterprise Applications

• Extranet (incl. MS OWA & leading Web SSO vendors)
• Microsoft Windows Desktops
• Remote Access: Leading IP-SEC & SSL VPNs, RAS, 802.1x, Citrix


IdentityGuard 2nd Factor Protection

Remote Access

Enterprise Servers, Microsoft Desktops

Extranet Access


Integrated with Leading Technology Partners

Partner categories: Applications; Application / Infrastructure; Remote Access; Platform


SSL VPN: Juniper


Web Application Integration

[Diagram: Customer Environment; Existing Authentication/Sign-on Application; SSL; SOAP]

• WSDL Interface for J2EE & .NET applications
• Included Java bindings
• Included ISAPI filter for IIS/ISA


Microsoft Desktop & Server Integration

[Diagram: Existing Active Directory; Enterprise Applications & Network Resources]

• Small Client for Windows desktops (GINA Chain)

• Existing AD Deployment (single or multi-domain)

• Configurable support for MS RAS, IP-SEC, and 802.1x clients built-in


Remote Access Integration

[Diagram: Existing Remote Access Gateway (IP-SEC or SSL); RADIUS; Directory (username/password auth with Active Directory or LDAP)]

• IP-SEC or SSL Gateways
• Configuration-only integration!


Remote Access Authentication Flow

[Diagram: VPN Client or Web Browser; Remote Access Gateway; IdentityGuard server; Repository]

1. User enters authentication credentials
2. User credentials sent to IdentityGuard
3. User credentials validated against directory
4. IdentityGuard challenge requested & presented
5. IdentityGuard response sent to IG server
6. IdentityGuard server returns accept/reject to VPN Client
7. Success allows user entry


Repository Integration

• Leverages existing user entries

• Adds attributes to object classes for LDAP or an independent table for RDBMS

• Read and Write operations required for some authentication options

[Diagram: Directory or Database, accessed over JNDI and SSL]

Thank you!