Technology Audit: Entrust IdentityGuard v10.1


Entrust IdentityGuard (OI00070-106)

© Ovum (Published 02/2012) Page 1

This report is a licensed product and is not to be photocopied

TECHNOLOGY AUDIT

Entrust IdentityGuard Version 10.1

Entrust Inc

Reference Code: OI00070-106

Publication Date: February 2012

Author: Andy Kellett

SUMMARY

Catalyst

Entrust IdentityGuard is a function-rich, identity-based software authentication platform. It supports a broad range of secure authentication products. Its facilities cover the breadth of the authentication market, ranging from smartcards, mobile device usage, risk-based approaches, and one-time tokens, through to lighter controls that fit the needs of specific business activities. The tools, which can be software and hardware-based, include IP geo-location checks, out-of-band, certificate authentication, and e-grids.

Entrust recognizes that different organizations and users have different authentication requirements. Its products are designed to handle these variations and support the use of mixed authentication techniques across user groups. The new IdentityGuard release, version 10.1, focuses on extending the business use of mobile devices and the opportunity to combine logical (LACs) and physical (PACs) access controls using a single authentication approach.

Key findings

Entrust provides one of the broadest ranges of authentication tools available in the identity and access management (IAM) market.

Physical as well as logical access facilities are supported.

Mobile device authentication can be used to deal with the physical and logical access requirements of mobile workers, online clients, and everyday business users.


Mobile device authentication reduces the need for hardware-based tokens and adds extra resilience when tokens are lost or software alternatives are required.

OoB authentication, which confirms the legitimacy of transactions, is a valuable tool for detecting and preventing fraud.

Risk-based authentication links the required levels of authentication to individual activities.

Although PKI and certificate-based services are supported, a complete managed service option for IdentityGuard will not be available until later in 2012.

Ovum recommends

Threats to information systems continue to grow. At the same time, systems and networks become more open as businesses collaborate with external partners, provide access to users from a variety of locations, and make use of an increasing range of smart mobile devices to gain entry. All these issues highlight the importance of identity management and its core role to allow or block user access.

The key element that drives secure access to corporate systems is identity. Identity is the foundation of secure access, but to be effective its authentication approaches must fit the risk requirements of business systems.

Users require different levels of authentication. Many need read-only access to low-level business information, a few work with highly sensitive data, and most fall somewhere in between. Business organizations need identity-management facilities that are secure enough to support a range of users and flexible enough to deal with users as their access requirements evolve and change.

Value proposition

Entrust has built its reputation by providing an identity-based software security platform that offers a broad range of software and hardware authentication facilities including support for federated identities and self-service administration. Release 10.1 of IdentityGuard extends this approach by making it easier for employees to use their mobile devices as a core source of authentication and information access. The approach adds convenience because users can gain access to business systems using a device that they carry with them. It offers convergence and enterprise-grade credentials because mobile technology with its near-field communication (NFC) and Bluetooth technology can be used to combine PACs (physical access control) and LACs (logical access control) authentication using a single credential.


The target audience for Entrust is industry-wide, and because its authentication options range from very light to highly secure, there will be a range of identity-based facilities that meet the needs and budgets of most organizations.

The effective management of identity is one of the most important elements of an enterprise security strategy. However, the IAM sector has a reputation for delivering complex and expensive solutions. Enterprise-level take-up continues to be restricted because of these issues. Where IAM products are used, they are usually deployed to deal with a particular business risk or address a trading requirement such as providing secure online access for employees or customers.

The ways in which users now access corporate systems are changing. New mobile devices present both a security challenge relating to how access is controlled and an opportunity to replace expensive hardware-based tokens. For example, financial services organizations have deployed card readers for online customers to improve security when logging on and as a secondary method of confirming certain transactions. Today, different approaches using mobile devices, application-based software, and grid technology provide cost-effective alternatives.

It is advantageous to make better and more extensive use of constantly available devices such as mobile phones, tablets, and iPads. These devices are in everyday use and can be used to support the authentication and user access requirements of businesses and their users.


SOLUTION ANALYSIS

Functionality

The Entrust IdentityGuard platform was built with versatility in mind. At a very early stage Entrust recognized there would never be a one-size-fits-all approach to authentication. The company offers a very broad range of authenticators that cover high-end through to more basic requirements. Coverage includes a range of hardware and software-based one-time tokens and smartcards, risk-based authentication, IP geo-location, certificate-based authentication, use of grid cards and software grids, and user-response approaches.

Some older authentication methods are now beginning to look outdated. The use of mobile devices provides a software and application-based authentication alternative. The availability of mobile OoB transaction verification is a good way of defeating man-in-the-browser threats, because the transaction details are confirmed over a channel the compromised browser does not control, with available geo-location checks also adding an extra layer of protection.
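The mobile OoB transaction verification described above, as an added Python illustration that is not Entrust's code: the server pushes the transaction it actually received to the phone over a separate channel, the user approves only what they intended, and the approval is an HMAC bound to the transaction details and a fresh nonce so it cannot be replayed. The shared per-device key, the message format and the sample transactions are assumptions made for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed demo, not Entrust code: bank server and phone share a per-device
# key provisioned at enrolment (a hypothetical random 32-byte value here).

def confirmation_code(key, txn_id, payee, amount_cents, nonce):
    # Fixed field order/separator so both sides MAC the same bytes; binding the
    # nonce and details means an approval cannot be reused for another transfer.
    msg = f"{txn_id}|{payee}|{amount_cents}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class BankServer:
    def __init__(self, device_key):
        self.device_key = device_key
        self.pending = {}

    def receive_from_browser(self, payee, amount_cents):
        # Whatever arrives here may already have been rewritten by a
        # man-in-the-browser; the server pushes *this* copy to the phone.
        txn_id, nonce = secrets.token_hex(4), secrets.token_hex(16)
        self.pending[txn_id] = (payee, amount_cents, nonce)
        return {"txn_id": txn_id, "payee": payee,
                "amount_cents": amount_cents, "nonce": nonce}

    def verify(self, txn_id, code):
        if txn_id not in self.pending or code is None:
            return False
        payee, amount_cents, nonce = self.pending.pop(txn_id)
        expected = confirmation_code(self.device_key, txn_id, payee,
                                     amount_cents, nonce)
        return hmac.compare_digest(expected, code)

class MobileDevice:
    def __init__(self, device_key):
        self.device_key = device_key

    def approve(self, ch, intended_payee, intended_amount_cents):
        # The user reads payee and amount on the phone and approves only if
        # they match the transfer actually typed; otherwise the user declines.
        if (ch["payee"], ch["amount_cents"]) != (intended_payee, intended_amount_cents):
            return None
        return confirmation_code(self.device_key, ch["txn_id"], ch["payee"],
                                 ch["amount_cents"], ch["nonce"])

def run_scenarios():
    key = secrets.token_bytes(32)
    server, phone = BankServer(key), MobileDevice(key)
    # 1. Honest transfer: phone shows what the user typed, user approves.
    ch = server.receive_from_browser("ACME Ltd", 12000)
    honest = server.verify(ch["txn_id"], phone.approve(ch, "ACME Ltd", 12000))
    # 2. Malware rewrote the payee in the browser; the phone reveals it.
    ch = server.receive_from_browser("Mule Account", 12000)
    tampered = server.verify(ch["txn_id"], phone.approve(ch, "ACME Ltd", 12000))
    # 3. An earlier approval code replayed against a new transaction.
    first = server.receive_from_browser("ACME Ltd", 500)
    old_code = phone.approve(first, "ACME Ltd", 500)
    second = server.receive_from_browser("ACME Ltd", 500)
    replayed = server.verify(second["txn_id"], old_code)
    return honest, tampered, replayed
```

Only the honest scenario verifies; the tampered transfer is declined by the user on the phone and the replayed code fails because it was bound to a different transaction id and nonce.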

Most business and systems users either own or are provided with a company mobile device. Employees want to use the latest devices for personal use and to access business systems. Businesses benefit from the combined use of these devices if security concerns about device use and access control are dealt with.

Entrust IdentityGuard addresses mobile device issues by providing device-management and access-control facilities.

Figure 1: IdentityGuard - authentication platform (Source: Entrust)


IdentityGuard supports the use of smart mobile credentials for logical and physical access, including the use of near-field communication (NFC) and Bluetooth facilities.

Entrust uses NIST-approved personal identity verification (PIV) certificates to deal with mobile security and control issues.

IdentityGuard provides integration with leading MDM (mobile device management) vendors to support strong device identity (certificate-based device identity).

IdentityGuard provides support for digital signature and encryption/decryption facilities for secure email services. Certificate on-boarding for authentication and signing email, and S/MIME-based decryption facilities are available.

Strong certificate-based authentication is available for users accessing corporate networks using mobile devices.

Soft tokens are available in form factors that support the generation of one-time pass codes.

Software development kit (SDK) facilities that allow organizations to build Entrust mobile capabilities into their own mobile applications are also available.

To date few IAM vendors have successfully addressed the need for a common approach to physical and logical access. Smartcard technology allows the combined approach to become a practical reality. Entrust IdentityGuard allows organizations to integrate the two environments. It uses secure NFC technology as an alternative to older and less secure HID physical access cards and can leverage Bluetooth to act as a smartcard reader to provide logical access to computer devices. Improved return on investment (ROI), reduced running costs, and the provision of a single integrated approach and credential are the primary drivers.

Risk-based authentication allows different authenticators to be deployed to various user groups based on the amount of risk associated with each user, transaction, or particular area of the business. The usability element of the approach also allows more appropriate checks to be made if access requirements vary from the norm.

Entrust IdentityGuard Server is the main component of the IdentityGuard system (see Figure 1).

Entrust IdentityGuard uses a three-tier architecture. It is a J2EE-based solution, and the presentation layer and business logic layer can co-exist on a single hardware platform. In operational use IdentityGuard leverages an existing data repository, such as eDirectory, for data storage, and communicates with it using either Java Database Connectivity (JDBC) or Lightweight Directory Access Protocol (LDAP).

Entrust IdentityGuard Server includes the following core applications and interfaces:


Authentication and administration provides web services using the Java platform and C# application programming interfaces (APIs).

Administration interface, properties editor, and master user shell.

A sample web application that demonstrates service delivery capabilities.

The applications and interfaces are used to authenticate and manage users and their authentication data.

Figure 2: IdentityGuard - integration with an authentication application (Source: Entrust)

Go-to-market strategy

Entrust IdentityGuard provides an inclusive approach to working with the types and levels of authentication that clients choose to deploy. Its open API architecture supports a wide range of software and hardware tokens, and integration with leading MDM (mobile device management), IAM, and PKI (public key infrastructure) vendors, including Entrust PKI. This allows the solution to be used across a broad range of mature and emerging markets, and supports the ability to work with a wide range of digital certificates.

Traditionally the company has targeted the financial services and government sectors where it has achieved successful results. In addition, Entrust's position as a Certificate Authority (CA) allows it to support strong certificate-based authentication that is relevant to organizations of all sizes.

As a provider of mainstream authentication services, the vendors that Entrust regularly competes against include CA, Gemalto, HID, RSA, Symantec, and Vasco Data Security.


Entrust brings its IdentityGuard product to market using a mix of direct sales and distribution partners. Its extensive list of distribution partners includes Allstream, Fishnet, HP, IBM, MPA, NeoSecure, NeTrust, PTE, and SIA.

The company maintains technology-partner relationships with leading industry providers. These include formal relationships with vendors that have made their products "Entrust Ready" by including encryption and digital signature facilities. There are currently over 200 partners engaged in the Entrust partner program and 115 of their products have been awarded the "Entrust Ready" designation. Entrust works with a significant number of high-profile partners including Adobe, Cisco, IBM, Microsoft, Oracle, PeopleSoft, and SAP.

Typical project values for entry-level projects start at around $20,000 and the average is $60,000, with the largest projects exceeding $1m. There is typically an 80%-20% split between software licenses and services across all project sizes.

Entrust has an evolving roadmap strategy for IdentityGuard. The current focus is on developing new approaches to support mobile authentication. The next release (v10.1) will build additional smart credentialing and certificate enrollment facilities for mobile. These were first introduced in the current product release. It will also introduce a managed offering for IdentityGuard during the first half of next year.

Deployment

The time taken to implement a pilot IdentityGuard project is typically one to three days and involves one or two subject matter experts with server, network, and repository management and administration skills. For an average-sized implementation (30 user departments and above) the same skill sets apply, with the potential addition of user management (helpdesk) capabilities and an implementation timeframe of two to four days. At the enterprise level (500-user departments and above) the timeline is three to five days with the same skill requirements.

Entrust can supply a range of professional implementation support services. These include architecture, design and planning services, installation and deployment assistance, and endpoint integration and validation support. It extends to include customized application development and documentation services and support for customized training programs.

There are three levels of technical support: Silver, Gold, and Platinum.

Silver support provides coverage Monday to Friday, 8.00am to 8.00pm EST and 7.00am to 7.00pm Greenwich Mean Time (GMT), and has an annual charge of 18% of the contract price.

Gold support extends coverage to 24 hours a day Monday to Friday and has an annual charge of 20% of the contract price.


Platinum support provides 24-hours-a-day, 7-days-a-week coverage and has an annual charge of 22% of the contract price.

Entrust IdentityGuard is used by some of the world’s largest enterprise and government organizations. It has millions of product licenses deployed across hundreds of customers.

Customer deployment examples

Bank of New Zealand is one of New Zealand’s largest banks and has been operating since 1861. The bank selected Entrust IdentityGuard because of its ease of use, low cost overheads, and because its grid card systems could be locally branded to meet the bank’s requirements. The deployment allows the bank to offer strong authentication to all new consumer banking customers. During the first phase of the project, approximately 25,000 users were provided with grid cards within a two-week period. In less than nine months, the bank issued over 130,000 cards, which represented close to half of its online customers. In a follow-up phase to its campaign against online fraud, the bank implemented additional IdentityGuard authentication facilities, including device, knowledge-based, and mutual authentication.

Société Générale, a major European bank and financial services company, needed to address an increasingly pervasive range of online identity theft attacks that were hurting its high-end clients. The protection requirement was to provide clients with an extra level of confidence and safety during online transactions and enterprise communications. Entrust IdentityGuard was chosen to replace an existing token-based solution using its grid card approach. The initial deployment was for 1,500 IdentityGuard grid cards, with the future potential of extending the service to thousands of other Société Générale customers. The grid cards, which were reported as being both secure and easy to use, are used to authenticate access to the company's investment web portal.


DATA SHEET

Key facts about the solution

Table 1: Data sheet

Product name: Entrust IdentityGuard
Product classification: Identity and Access Management
Version number: 10.1
Release date: February 2012
Industries covered: Government, Aerospace, Defense, Energy, Financial, Manufacturing, Auto, Technology and Hi Tech
Geographies covered: Global
Relevant company sizes: Small, medium, and large companies
Platforms supported: Microsoft Windows, Linux, Solaris, AIX, HP/UX, z/OS, Mac OS, and others
Languages supported: English is the default language. Other languages, including French, can be supported as part of a professional services engagement.
Licensing options: Perpetual on a server basis
Deployment options: On premise
Route(s) to market: Direct sales and through channel partners, VARs, and SIs
URL: www.entrust.com
Company headquarters: One Lincoln Center, 5400 LBJ Freeway, Ste 1340, Dallas TX 75240, USA
European headquarters: Unit 4 Napier Court, First Floor, Napier Road, Reading, Berkshire RG1 8BW, UK
North America headquarters: As company headquarters
Asia-Pacific headquarters: Level 57, MLC Centre, 19 Martin Place, Sydney NSW 2000, Australia

Source: Entrust


APPENDIX

Further reading

2012 Trends to watch: security (OI00127-046)

SailPoint IdentityIQ (v5.5), Technology Audit

Swivel PINsafe (v3.8), Technology Audit

Methodology

Ovum Technology Audits are independent product reviews carried out using Ovum’s evaluation model for the relevant technology area, supported by conversations with vendors, users, and service providers of the solution concerned, and in-depth secondary research.

Author

Andrew Kellett, Senior Analyst, Infrastructure Solutions, Security

[email protected]

Ovum Consulting

We hope that this analysis will help you make informed and imaginative business decisions. If you have further requirements, Ovum’s consulting team may be able to help you. For more information about Ovum’s consulting capabilities, please contact us directly at [email protected].

Disclaimer

All Rights Reserved.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission of the publisher, Ovum (an Informa business).

The facts of this report are believed to be correct at the time of publication but cannot be guaranteed. Please note that the findings, conclusions, and recommendations that Ovum delivers will be based on information gathered in good faith from both primary and secondary sources, whose accuracy we are not always in a position to guarantee. As such Ovum can accept no liability whatever for actions taken based on any information that may subsequently prove to be incorrect.