ISS SA presents Entrust IdentityGuard

© Copyright Entrust, Inc. 2010

Description

Organizations need to evolve beyond the basic username and password and secure online transactions with a range of strong authentication options.

Transcript of ISS SA presents Entrust IdentityGuard

Page 1: ISS SA presents Entrust IdentityGuard

What are the Challenges of Securing Identities online?

Page 2: ISS SA presents Entrust IdentityGuard

Entrust is a World Leader in Identity Management and Security Software

• Founded in 1994, publicly-listed in 1998 (NASDAQ: ENTU)

• Best-in-class technology, service and support – industry pioneer

• Over 2000 customers in 50 countries – global reach

• Geographic presence: U.S., Canada, UK, China, Germany, India and Japan

• 411 employees and 110+ patents

• 2008 Revenue: ~$100.0 million

Page 3: ISS SA presents Entrust IdentityGuard

Online Service Uptake Critical

[Chart: US Banking Delivery Transactions by Channel (2006-10p). Vertical axis: Transactions (Billions). Horizontal axis: 2006 to 2010. Series: Online, Call Center, Branch, ATM. May 31, 2008]

Page 4: ISS SA presents Entrust IdentityGuard

Online Service Uptake Critical

Cost per Transaction (US $), May 31, 2008

• Branch Platform: $4.05

• Back Office: $3.35

• Call Center Agent: $2.30

• Branch Teller: $1.40

• ATM: $0.40

• IVR: $0.25

• PC Banking: $0.20

Page 5: ISS SA presents Entrust IdentityGuard

We Provide Identity-Based Security for:

• Consumers: Online banking users, e-commerce site customers

• Enterprises: Business and government employees, contractors, first responders, and devices

• Citizens: Travelers, and those accessing government services, in person or online

• Web Sites: Web servers (external and internal), email servers and code being distributed online

Page 6: ISS SA presents Entrust IdentityGuard

Consumer Authentication

Page 7: ISS SA presents Entrust IdentityGuard

Consumer Auth Problems

Man in the Middle Attacker

Man in the Browser

Malware

Ongoing attacks against FIs

Corporate accounts being targeted

Malware growing fast, hard to detect with Anti-Virus

End-users often resist strong auth

Source: Anti-Phishing Working Group, July/09

Page 8: ISS SA presents Entrust IdentityGuard

Consumer Authentication: Entrust Solution

Man in the Middle Attacker

Man in the Browser

Malware

Flexible range of authenticators

Across spectrum of security / usability

Zero-touch fraud detection to spot unusual activity and stop malware

• Username & Password

• Mutual Authentication

• IP Geolocation

• Device Fingerprint

• Knowledge-Based Authentication

• Grid Card / eGrid

• One-Time Password Tokens

• Out of Band Auth via SMS or Email

• Digital Certificates

• Smart Cards

Page 9: ISS SA presents Entrust IdentityGuard

Enterprise Authentication

Page 10: ISS SA presents Entrust IdentityGuard

Enterprise Identities: Problems

Protect access to intellectual property and customer data

Work from anywhere

Stay out of employees’ way

Audit access to resources

Reduce transaction costs by moving online

[Chart: # of IDs, 2000 to 2010. Labels: Employees, Partners, Contractors, Other Businesses, Mobile Devices, Other internal Servers & Devices]

Page 11: ISS SA presents Entrust IdentityGuard

Enterprise Identities: Entrust’s Solution

Broad range of authentication credentials

For users, servers, devices

Enables encryption and digital signature with strong identity

[Diagram labels: Employees, Partners, Contractors, Other Businesses, Mobile Devices, Other internal Servers & Devices]

Page 12: ISS SA presents Entrust IdentityGuard

Web Site Authentication

Page 13: ISS SA presents Entrust IdentityGuard

Web site authentication: Problems

Phishing attacks and other fraud often involve counterfeit websites

Users cannot easily detect fake sites

Numerous servers for IT staff to keep track of, ensuring no certificate expiries

Expense of certs for numerous servers

[Diagram labels: Customers, Employees; Mobile Users; Web servers, Exchange, Applications]

Page 14: ISS SA presents Entrust IdentityGuard

Web site authentication: Entrust Solution

SSL certificates for web sites, MS Exchange, code signing, Adobe PDF

Stringent verification to prevent brand theft

Helps user verify they are at correct site

Enables browser to provide some automated protection

Powerful certificate management tools

[Diagram labels: Customers; Mobile Users; Entrust Verification]

Page 15: ISS SA presents Entrust IdentityGuard

Page 16: ISS SA presents Entrust IdentityGuard

Identity-Based Security: a Layered Approach

People, Servers, Devices, Applications

Credential issuance, audit, lifecycle management

Credential use, step-up, ongoing transaction analysis, and forensics

Page 17: ISS SA presents Entrust IdentityGuard

Entrust IdentityGuard

• Single open platform, centralized policy management

• User self administration

• Deploy based on Risk, Usability, Cost

Versatile Authentication Platform

Username & Password

Grid

ScratchPad

Digital Certificates

OTP Tokens

Smartcards & USB Tokens

Mutual Auth

IP-Geolocation

Machine/Device Auth

Mobile

Knowledge-Based

Page 18: ISS SA presents Entrust IdentityGuard

IP Geolocation

• Authentication based on user's physical location

• Register common access points & record logon profiles

• Leverage IP black/white lists & OFIN data

Page 19: ISS SA presents Entrust IdentityGuard

Machine Authentication

• Captures machine parameters

• No user interaction

• With or without cookies

IP: 216.191.253.108

Browser: IE 7.0

Screen Depth: 1024….…

Page 20: ISS SA presents Entrust IdentityGuard

Digital Certificates

• X.509 certificate support

• Existing certificates or leverage Entrust Managed Service Offering

• Standard SSL client or application signature-based authentication

• Stored in software, on smart cards, or USB tokens

Page 21: ISS SA presents Entrust IdentityGuard

Mobile Authentication & Transaction Notification

Multiple Identities, one device

Mix of Soft token only and Transaction Notification

Independent activation and control

Customizable branding per identity

Page 22: ISS SA presents Entrust IdentityGuard

IDG Mobile – Soft Token

OATH compliant

Time-based soft token

30 second time window

Brandable interface

Page 23: ISS SA presents Entrust IdentityGuard

IDG Mobile - with Transaction Notification

OATH Time-based Soft Token

Transaction details confirmed out of band on mobile device

No data entry

OATH signature of transaction contents

User confirms transaction or acts on suspect details

Page 24: ISS SA presents Entrust IdentityGuard

Soft Token Mobile Authentication

• Single or multiple one-time passcodes to mobile device

– SMS, email, voice

• Authenticate while out of cell range

• Out-of-band transaction detail confirmation and authentication OTP

• Automatic refresh of OTPs

Page 25: ISS SA presents Entrust IdentityGuard

Knowledge Authentication

• Configurable number of questions

• User defined or imported

• Define number of correct answers

• Randomly presented

Page 26: ISS SA presents Entrust IdentityGuard

Grid Authentication

• Each grid card unique

• Inexpensive to produce and deploy

• Innovative eGrid in graphic or PDF format

• Easy to use and support

Page 27: ISS SA presents Entrust IdentityGuard

Mini Tokens

Mini OT

• Time-Synchronous

• OATH Compliant

Mini AT

• Time & Event-Synchronous

• Standards Based Algorithm

Page 28: ISS SA presents Entrust IdentityGuard

Pocket Tokens

• Time & Event-Synchronous

• PIN unlock, Response, Challenge + Response

• Standards Based Algorithm

Page 29: ISS SA presents Entrust IdentityGuard

DisplayCard Tokens

• Credit card format

• OATH based OTP generation

• Multi-functional card including optional on-board chip (PKI and/or EMV chip)

Page 30: ISS SA presents Entrust IdentityGuard

Mutual Authentication

• End user validation of site

• Personalized for user

• Increased user confidence

Serial Number Replay

Extended Validation Certificates

Image & Message Replay

Page 31: ISS SA presents Entrust IdentityGuard

Policy & User Management

Web based Administration

Page 32: ISS SA presents Entrust IdentityGuard

Reporting

• Web based reporting

• User and authentication tracking and analysis

Page 33: ISS SA presents Entrust IdentityGuard

Integrating IdentityGuard

Remote Access Applications

Microsoft Windows Servers

End User

Web Authentication Applications

Enterprise Applications & Data

Repository

Page 34: ISS SA presents Entrust IdentityGuard

2nd Factor Authentication

Authentication Platform

Online Application

Initial Logon

User Name? Password?

2nd Factor Challenge

Page 35: ISS SA presents Entrust IdentityGuard

Application: Remote Access

End User

Remote Access Applications

• Integrates with leading remote access solutions

• Leverages industry standards to streamline deployment

• Supports MS RAS, IP-SEC, & 802.1x clients

Page 36: ISS SA presents Entrust IdentityGuard

Application: Enterprise Desktops & Servers

End User

• Integrated 2nd factor authentication

• Easy to use & deploy

• Leverages common security infrastructure

Any user

Enterprise Servers

Microsoft Windows Desktops

Administrators

Page 37: ISS SA presents Entrust IdentityGuard

Application: Extranet Access

End User

Web Authentication Applications

• Range of authenticators

• Inexpensive to deploy

• Easy to use and support

Page 38: ISS SA presents Entrust IdentityGuard

Easily Extends across Enterprise Applications

• Extranet (incl. MS OWA & leading Web SSO vendors)

• Microsoft Windows Desktops

• Remote Access: Leading IP-SEC & SSL VPNs, RAS, 802.1x, Citrix

Any User

Page 39: ISS SA presents Entrust IdentityGuard

IdentityGuard 2nd Factor Protection

Remote Access

Enterprise Servers

Microsoft Desktops

Extranet Access

Page 40: ISS SA presents Entrust IdentityGuard

Integrating IdentityGuard

Remote Access Applications

Microsoft Windows Servers

End User

Web Authentication Applications

Enterprise Applications & Data

Repository

Page 41: ISS SA presents Entrust IdentityGuard

Integrated with Leading Technology Partners

Applications

Application / Infrastructure

Remote Access

Platform

Page 42: ISS SA presents Entrust IdentityGuard

SSL VPN: Juniper

Page 43: ISS SA presents Entrust IdentityGuard

Web Application Integration

Customer Environment

Existing Authentication/Sign-on Application

SSL

SOAP

• WSDL Interface for J2EE & .NET applications

• Included Java bindings

• Included ISAPI filter for IIS/ISA

Page 44: ISS SA presents Entrust IdentityGuard

Microsoft Desktop & Server Integration

Existing Active Directory

Enterprise Applications & Network Resources

• Small Client for Windows desktops (GINA Chain)

• Existing AD Deployment (single or multi-domain)

• Configurable support for MS RAS, IP-SEC, and 802.1x clients built-in

Page 45: ISS SA presents Entrust IdentityGuard

Remote Access Integration

Existing Remote Access Gateway (IP-SEC or SSL)

RADIUS

Directory UN/PW auth with Active Directory or LDAP

• IP-SEC or SSL Gateways

• Configuration-only integration!

Page 46: ISS SA presents Entrust IdentityGuard

Remote Access Authentication Flow

VPN Client or Web Browser

Remote Access Gateway

Repository

1. User enters authentication credentials

2. User credentials sent to IdentityGuard

3. User credentials validated against directory

4. IdentityGuard challenge requested & presented

5. IdentityGuard response sent to IG server

6. IdentityGuard server returns accept/reject to VPN Client

7. Success allows user entry

Page 47: ISS SA presents Entrust IdentityGuard

Repository Integration

• Leverages existing user entries

• Adds attributes to object classes for LDAP or independent table for RDBMS

• Read and Write operations required for some authentication options

Directory

Database

JNDI

SSL

Page 48: ISS SA presents Entrust IdentityGuard

Thank you!