ISS SA presents Entrust IdentityGuard

Organizations need to move beyond the basic username and password and secure online transactions with a range of strong authentication options.

Published in: Technology
  • BUILDS: It’s a layered approach to protection, because there is no silver bullet, no one technique that meets threats today or going forward. First, you use an authentication platform that lets you mix and match a wide range of authenticators, to meet the cost, usability and security demands. [click] then that platform manages the lifecycle of these credentials, issuing them to people and machines [click] and, as those credentials are used, the banks constantly monitor transaction activity and step-up authentication as required
  • Any standard x.509 certificate (Entrust, Microsoft, Verisign…)
  • Easy to use and support Standards-based (Radius, J2EE, Web Services) Integrated with leading applications & environments Full web management

    1. What are the Challenges of Securing Identities online?
    2. Entrust is a World Leader in Identity Management and Security Software
       • Founded in 1994, publicly listed in 1998 (NASDAQ: ENTU)
       • Best-in-class technology, service and support; industry pioneer
       • Over 2000 customers in 50 countries; global reach
       • Geographic presence: U.S., Canada, UK, China, Germany, India and Japan
       • 411 employees and 110+ patents
       • 2008 Revenue: ~$100.0 million
    3. Online Service Uptake Critical: US Banking Delivery Transactions by Channel (2006-10p) (chart, May 31, 2008)
    4. Online Service Uptake Critical: Cost per Transaction (US $) (chart, May 31, 2008)
    5. We Provide Identity-Based Security for:
       • Consumers: online banking users, e-commerce site customers
       • Citizens: travelers, and those accessing government services, in person or online
       • Web Sites: web servers (external and internal), email servers and code being distributed online
       • Enterprises: business and government employees, contractors, first responders, and devices
    6. Consumer Authentication
    7. Consumer Auth Problems
       • Ongoing attacks against FIs
       • Corporate accounts being targeted
       • Malware growing fast, hard to detect with anti-virus
       • End-users often resist strong auth
       • Diagram labels: Man in the Middle Attacker; Man in the Browser Malware
       • Source: Anti-Phishing Working Group, July/09
    8. Consumer Authentication: Entrust Solution
       • Flexible range of authenticators across the spectrum of security / usability
       • Zero-touch fraud detection to spot unusual activity and stop malware
       • Diagram labels: Man in the Middle Attacker; Man in the Browser Malware
       • Authenticators shown: Username & Password, Mutual Authentication, IP Geolocation, Device Fingerprint, Knowledge-Based Authentication, Grid Card / eGrid, One-Time Password Tokens, Out of Band Auth via SMS or Email, Digital Certificates, Smart Cards
    9. Enterprise Authentication
    10. Enterprise Identities: Problems
       • Protect access to intellectual property and customer data
       • Work from anywhere
       • Stay out of employees' way
       • Audit access to resources
       • Reduce transaction costs by moving online
       • Diagram: number of IDs growing from 2000 to 2010 across Employees, Partners, Contractors, Other Businesses, Mobile Devices, Other internal Servers & Devices
    11. Enterprise Identities: Entrust's Solution
       • Broad range of authentication credentials for users, servers, devices
       • Enables encryption and digital signature with strong identity
       • Diagram labels: Employees, Partners, Contractors, Other Businesses, Mobile Devices, Other internal Servers & Devices
    12. Web Site Authentication
    13. Web site authentication: Problems
       • Phishing attacks and other fraud often involve counterfeit websites
       • Users cannot easily detect fake sites
       • Numerous servers for IT staff to keep track of, ensuring no certificate expiries
       • Expense of certs for numerous servers
       • Diagram labels: Customers, Employees, Mobile Users; Web servers, Exchange, Applications
    14. Web site authentication: Entrust Solution
       • SSL certificates for web sites, MS Exchange, code signing, Adobe PDF
       • Stringent verification to prevent brand theft
       • Helps user verify they are at the correct site
       • Enables browser to provide some automated protection
       • Powerful certificate management tools
       • Diagram labels: Customers, Mobile Users, Entrust Verification
    15. (image only, no text)
    16. Identity-Based Security: a Layered Approach
       • People, Servers, Devices, Applications
       • Credential issuance, audit, lifecycle management
       • Credential use, step-up, ongoing transaction analysis, and forensics
    17. Entrust IdentityGuard
       • Single open platform, centralized policy management
       • User self administration
       • Deploy based on Risk, Usability, Cost
       • Versatile Authentication Platform authenticators: Username & Password, Grid, Scratch Pad, Digital Certificates, OTP Tokens, Smartcards & USB Tokens, Mutual Auth, IP-Geolocation, Machine/Device Auth, Mobile, Knowledge-Based
    18. IP Geolocation
       • Authentication based on the user's physical location
       • Register common access points & record logon profiles
       • Leverage IP black/white lists & OFIN data
    19. Machine Authentication
       • Captures machine parameters
       • No user interaction
       • With or without cookies
       • Example profile shown: IP: 216.191.253.108, Browser: IE 7.0, Screen Depth: 1024, …
    20. Digital Certificates
       • X.509 certificate support
       • Existing certificates or leverage Entrust Managed Service Offering
       • Standard SSL client or application signature-based authentication
       • Stored in software, on smart cards, or USB tokens
    21. Mobile Authentication & Transaction Notification
       • Multiple identities, one device
       • Mix of soft token only and transaction notification
       • Independent activation and control
       • Customizable branding per identity
    22. IDG Mobile – Soft Token
       • OATH compliant time-based soft token
       • 30 second time window
       • Brandable interface
    23. IDG Mobile – with Transaction Notification
       • OATH time-based soft token
       • Transaction details confirmed out of band on mobile device
       • No data entry
       • OATH signature of transaction contents
       • User confirms transaction or acts on suspect details
    24. Soft Token Mobile Authentication
       • Single or multiple one-time passcodes to mobile device (SMS, email, voice)
       • Authenticate while out of cell range
       • Out-of-band transaction detail confirmation and authentication OTP
       • Automatic refresh of OTPs
    25. Knowledge Authentication
       • Configurable number of questions
       • User defined or imported
       • Define number of correct answers
       • Randomly presented
    26. Grid Authentication
       • Each grid card unique
       • Inexpensive to produce and deploy
       • Innovative eGrid in graphic or PDF format
       • Easy to use and support
       • Figure labels: C 2 3
    27. Mini Tokens
       • Mini OT: time-synchronous, OATH compliant
       • Mini AT: time & event-synchronous, standards-based algorithm
    28. Pocket Tokens
       • Time & event-synchronous
       • PIN unlock, response, challenge + response
       • Standards-based algorithm
    29. DisplayCard Tokens
       • Credit card format
       • OATH based OTP generation
       • Multi-functional card including optional on-board chip (PKI and/or EMV chip)
    30. Mutual Authentication
       • End user validation of site
       • Personalized for user
       • Increased user confidence
       • Diagram labels: Serial Number Replay; Extended Validation Certificates; Image & Message Replay
    31. Policy & User Management: web based administration
    32. Reporting
       • Web based reporting
       • User and authentication tracking and analysis
    33. Integrating IdentityGuard (diagram: Remote Access Applications, Microsoft Windows Servers, End User, Web Authentication Applications, Enterprise Applications & Data Repository)
    34. 2nd Factor Authentication (diagram: Online Application, Authentication Platform; Initial Logon: User Name? Password?; 2nd Factor Challenge; 2nd Factor Authentication)
    35. Application: Remote Access (End User, Remote Access Applications)
       • Integrates with leading remote access solutions
       • Leverages industry standards to streamline deployment
       • Supports MS RAS, IP-SEC, & 802.1x clients
    36. Application: Enterprise Desktops & Servers (End User, Enterprise Servers, Microsoft Windows Desktops, Administrators)
       • Integrated 2nd factor authentication
       • Easy to use & deploy
       • Leverages common security infrastructure
       • Screenshot: Any user / **** / 1 6 3
    37. Application: Extranet Access (End User, Web Authentication Applications)
       • Range of authenticators
       • Inexpensive to deploy
       • Easy to use and support
    38. Easily Extends across Enterprise Applications
       • Extranet (incl. MS OWA & leading Web SSO vendors)
       • Microsoft Windows Desktops
       • Remote Access: Leading IP-SEC & SSL VPNs, RAS, 802.1x, Citrix
       • Screenshot: AnyUser / ******
    39. IdentityGuard 2nd Factor Protection (diagram: Remote Access, Enterprise Servers, Microsoft Desktops, Extranet Access)
    40. Integrating IdentityGuard (diagram: Remote Access Applications, Microsoft Windows Servers, End User, Web Authentication Applications, Enterprise Applications & Data Repository)
    41. Integrated with Leading Technology Partners (Applications, Application / Infrastructure, Remote Access Platform)
    42. SSL VPN: Juniper
    43. Web Application Integration
       • WSDL interface for J2EE & .NET applications
       • Included Java bindings
       • Included ISAPI filter for IIS/ISA
       • Diagram: Customer Environment; Existing Authentication/Sign-on Application; SSL SOAP
    44. Microsoft Desktop & Server Integration
       • Small client for Windows desktops (GINA chain)
       • Existing AD deployment (single or multi-domain)
       • Configurable support for MS RAS, IP-SEC, and 802.1x clients built-in
       • Diagram: Existing Active Directory; Enterprise Applications & Network Resources
    45. Remote Access Integration
       • IP-SEC or SSL gateways
       • Configuration-only integration!
       • Diagram: Existing Remote Access Gateway (IP-SEC or SSL); RADIUS; Directory; UN/PW auth with Active Directory or LDAP
    46. Remote Access Authentication Flow (VPN Client or Web Browser, Remote Access Gateway, Repository)
       1. User enters authentication credentials
       2. User credentials sent to IdentityGuard
       3. User credentials validated against directory
       4. IdentityGuard challenge requested & presented
       5. IdentityGuard response sent to IG server
       6. IdentityGuard server returns accept/reject to VPN client
       7. Success allows user entry
    47. Repository Integration
       • Leverages existing user entries
       • Adds attributes to object classes for LDAP or an independent table for RDBMS
       • Read and write operations required for some authentication options
       • Diagram: JNDI; SSL; Directory; Database
    48. Thank you!
