SmartCard Forum 2009 - OpenTrust SCM


Published in: Technology
  1. Integrated Lifecycle Management of Smart Cards, USB Tokens & User Credentials
  2. Badge & Credential Management Agenda
     • Introduction
       – IT Security: Too many challenges…
       – A strong need for “Trusted Identities”
       – “Trusted Users” Key Benefits
       – A strong need for Integrated Badge & Credential Management (CMS)
     • OpenTrust SCM Overview
       – OpenTrust SCM Key Benefits
       – A Simple and Full Featured Enterprise CMS
       – Making “Trusted Users” a reality
       – OpenTrust SCM Architecture and Ecosystem
       – Worldwide References & related business cases
     • Use Cases: eBanking, IAM Integration
     Confidential - OPENTRUST - Page 2
  3. IT Security: too many challenges…
     • How to allow IS access to roaming users, third parties and remote application services without compromising IT security?
     • How to secure access control to business applications, while authentication schemes rely (mostly) on shareable/spoofable logins and passwords?
     • How to (safely) provide enough IS flexibility to adapt to:
       ► Evolving business workflow requirements?
       ► Organization and regulations changes?
       ► Heterogeneous connection means and devices?
     • How to warrant Enterprise data privacy and integrity in order to protect mission critical assets, with respect to existing regulations (SOX, PCI, Bale II, SAFE, etc.)?
     • How to take advantage of electronic transactions to leverage business processes and to increase global productivity?
     • How to get better protected against internal threats & frauds?
     • etc…
  4. Electronic Trust… a global answer
     The widespread use of Digital Identities securely granted to any user and IS component establishes the basis of new and powerful security policy enforcement paradigms:
       ► “Trusted Networks” (IAN / IBNS)
       ► “Trusted Users”
       ► “Trusted Transactions”
     At OpenTrust, we believe that implementing a global Trust Infrastructure is the only foundation to address upcoming IT security challenges all in one, with respect to:
       - Security standards
       - Ease of use
       - Productivity requirements (TCO, ROI)
     (Diagram labels: Corporate User, Authorized Employee, External User, Customer, Certificate Provider (PKI), Archiving System, SSO, OTP Server, Portal, Business Application Server; access outcomes marked OK / KO.)
  5. Key benefits of “Trusted Users” (1/2)
     Prevent user security credentials disclosure using a single, safe and personal cryptographic support
       ► Enabling IS-wide “two factor” strong authentication, regardless of connection means and user types
       ► Confining multiple user “secrets” (OTP, SSO, key pairs…) in a single support that can be fully managed locally and remotely at any time
       ► Providing a suitable means of convergence for logical (certificate, key pairs…) and physical (contactless, biometrics…) access control credentials… one step toward unified Corporate Badging
     Allow a simple, cost effective and deep integration of asymmetric cryptography standards in the IT environment
       ► Already supported by most of the IT (infrastructure: routers, switches… & software components: web servers, email clients, SSO, Windows Logon…)
       ► Enabling easy user (or server) based data encryption and regulation compliant digital signature
  6. Key benefits of “Trusted Users” (2/2)
     Establish a user friendly “state of the art” security model
       ► No more passwords (goal: not even a few)
       ► Simple and secure handling of personal authentication means
       ► Enhanced user capabilities and asset protection (encryption, digital signature)
       ► Empowered user productivity (focus on core business rather than getting lost with multiple access control schemes)
     Provide secure and integrated credential lifecycle management to existing X.509 Certificate (PKI), SSO, OTP & IAM solutions
       ► Allowing them to rely on secure digital identities that can be trusted far beyond logins and passwords… and that belong to a global, consistent and business effective security policy
       ► Lowering TCO: multiple (i.e. per solution) credential management tasks are automated and handled from a focal point: the Card Management System (CMS)
  7. Requirements for an Enterprise CMS
     Widespread use of Digital Identities stored on personal cryptographic supports is a very attractive approach to user security. But it requires strong and complete management capabilities to become a reality across the Enterprise:
       • Multiple Supports: multi-vendor Smart Cards & Tokens (and related drivers, middlewares…)
       • Multiple Holders: Employees, Externals, Partners, Customers (B2B, B2C), etc…
       • Multiple Lifecycle Operations: Distribution & Enrolment, Revocation, Credential renewal, Badge recycling, Self care (unlocking, PIN change, replacement, etc.)
  8. OpenTrust SCM Key Benefits
     OpenTrust SCM is a comprehensive answer that provides enterprise-wide “Trusted Users” management capabilities, while remaining:
       ► Highly secure (communications, access control, operations, auditing…)
       ► Simple and user friendly (easy endorsement, enhanced productivity)
       ► Open to third party solutions (SSO, OTP, IAM…) through standard interfaces (Web Services, LDAP, PKCS#7...)
       ► Flexible and complete (multiple smart card & token support, many operator and user profiles, heterogeneous issuance and lifecycle operations…)
       ► Cost effective: providing an outstanding security level, while lowering user credential management costs (automation, centralization, homogeneity)
  9. OpenTrust SCM: a simple and full featured CMS
     • Modeling tools: datasources & profiles (users, cards, certificates…)
     • Integrated Enrolment & Issuance processes
       – “Self Enrolment” by the badge holder (end user)
       – Issuance through the “Badge Office”
       – Badge “Pre Personalization” process
     • Card & Token Lifecycle Management processes
       – Badge holder Self Care operations
       – Issuance of replacement/temporary badges
       – Badge loss/theft statement
       – Certificate renewal
       – Auto recovery of old encryption certificates
       – Replacement and renewal of cryptographic contents
       – Badge recycling
       – PIN Code change
       – Badge unlocking (on line, off line)
       – Card & Token remote unlocking
     • Common Platform Services
       – Logging, notification, publication, auditing…
       – Strong Authentication and Access Control
       – Dynamic application skinning and multi lingual support
       – Platform clustering and HA management
  10. Making “Trusted Users” a reality…
      (Diagram labels: Enterprise AD / LDAP User Directory; Hardware Security Module; PKI Server; Help Desk Operator; Security Officer; Auto Discovery of User’s Card Profile; Credential Generation; Existing IT Infrastructure; Requests (SOAP); OTP Server; SSO Server; User Authentication; Automated Card Initialization process; Card Holder (Employee, External, Partner, etc.); Empty Support → Enrolled Support.)
  11. OpenTrust SCM Architecture
      (Diagram labels: Third-party Applications, OpenTrust PKI and OpenTrust OTP, each connected over WS/SOAP to the OpenTrust SCM Server; the server hosts Smartcard & Credentials Lifecycle Management with an HSM and card profiles for Authentication, Signature and Encryption; Smartcard Initialization & Selfcare Operations; WS/SOAP to Third-party Applications (IAM).)
  12. A large and complete Ecosystem
      • PKI (Microsoft PKI)
      • HSM Vendors
      • Certificate Providers
      • SSO & IAM Providers
      • Card & Token Manufacturers
      • OTP Solutions (One Time Password)
  13. Smart Card & Credentials Management Worldwide References
      References named on the slide: SWISS, CARREFOUR, ALSTOM Transport, THALES, Office of the Minister, TOTAL, French Customs, DASSAULT Aviation, Ministry of Defense, MICHELIN, RENAULT-NISSAN, BNP PARIBAS.
      Recoverable project themes (the per-reference details are interleaved beyond reliable reconstruction in this extraction): OpenTrust PKI, SCM and OTP deployments; multiservice smart cards for both physical (HID, Mifare) and logical access control; strong authentication (WiFi, VPN, Windows); data encryption; qualified digital signature and proof management; secure document exchange; SSO integration (Evidian, PassLogix); IAM integration (Sun Microsystems, IBM TIM); Gemalto Cyberflex cards and USB security tokens; OpenTrust OTP; Xiring PIN entry readers; migration from a legacy Baltimore PKI; badge recycling. Figures quoted on the slide range from 20,000 to 150,000 enrolled users/badges, with deployments dated 2003, 2004 and 2007.
  14. “Self Enrolment” by the Badge Holder
      (Diagram labels: Enterprise AD/LDAP User Directory; Central Security Officer; Card Shipping Process; Server; steps a–d: Card Serial Numbers Registration, Registered User, Auth. Scheme, Auto Discovery of User’s Card Profile.)
  15. Badge Enrolment through the « Badge Office »
      (Diagram labels: Enterprise AD/LDAP User Directory; Enrolling User; Badge Office Operator; Server; « PIN Code »; Personal Q&A for Off Line Authentication; Formal Identification; User’s Card Profile; steps a–c ending with Enrolled User + « PIN »; Empty Support → Enrolled Support.)
  16. Badge “Pre Personalization” process: Recording, Shipping and Assignment
      (Diagram labels: Enterprise AD/LDAP User Directory; Central Security Officer; Server; Card Delivery Operator; Enrolling User; steps a–e: Card Serial Numbers (CSV file), Card Shipping Process, Card Activation Code & Instructions, Card Delivery.)
  17. “Pre Perso” Process Stage 2 – Final Badge Activation by the Holder
      (Diagram labels: Enterprise AD/LDAP User Directory; Enrolled User; Server; step a: « Activation Code »; step b: « PIN Code ».)
  18. “Pre Perso” Process Stage 1 – Badge recording & “face to face” Issuance
      (Diagram labels: Enterprise AD/LDAP User Directory; Badge Bureau; Enrolling User; Badge Operator; Server; steps a–c.)
  19. Use Case: “Trusted Users” in eBanking
      (Diagram labels: Security Officer; Token Serial Numbers Registration; Server; Token’s Activation Codes; Central Enrolment Production Environment; Token Shipping Process; Mailing Process; Secure Auth; B2C eBanking Secure Transactions Infrastructure; Customer with Personal Token and Activation Code.)
  20. Use Case: Tight Coupling with the IAM
      (Diagram labels: « User Properties & Identities »; PKI Server; Help Desk Operator; Enterprise Portal / IAM; Enterprise AD / LDAP User Directory; Secure Infrastructure Server; Card Holder (Employee, External, Partner, etc.); LDAP / SOAP; OTP Server; SSO Server; Security Credentials – Authentication: WIFI, VPN, SSO, Windows…; Encryption: Certificates & Private Keys; Digital Signature: Signing Certificates for Business Applications.)
  21. OpenTrust SCM Sample Card Profile
      (Diagram labels: Access Control; SSO App.; Workflows & Options; Card Profile; X.509 Certificate Profile; Security Profiles; Smart Cards (Gemalto, Oberthur, Aladdin); Operators.)
  22. OpenTrust Project Methodology
      • Project Launch
      • Solution’s Architecture & Parameters specification
      • Training & Skills Transfer
      • Qualification Server infrastructure Installation & Setup & Config.
      • Qualification Platform’s Configuration
      • Platform Acceptance Testing
      • Roll out & Operations Phase: Production Platform Setup & Config.
      • Formal Reception & Sign Off
      • Maintenance & support from OpenTrust
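The “Pre Perso” slides (16 and 17) and the eBanking use case (slide 19) all describe the same pattern: card or token serial numbers are recorded from a manufacturer file, a support is assigned to a holder, an activation code travels to the holder by a channel separate from the support itself, and the holder completes activation by presenting that code and choosing a PIN. The following is an added example, not OpenTrust code, of how a CMS server can enforce the security properties that pattern depends on: the activation code is stored only as a salted hash bound to the card serial and holder, it is single-use, it expires, and repeated wrong codes block the card so it has to go back through the badge office. All names (`PrePersoServer`, `CardRecord`, the CSV columns, the PIN policy) are assumptions made for this illustration.

```python
import csv, hashlib, hmac, io, secrets, string
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

CODE_ALPHABET = string.ascii_uppercase + string.digits  # typable from a paper letter
CODE_LEN = 10
MAX_ATTEMPTS = 3
PBKDF2_ITERATIONS = 50_000


@dataclass
class CardRecord:
    serial: str
    holder: Optional[str] = None
    salt: Optional[bytes] = None
    code_hash: Optional[bytes] = None  # only a salted hash of the activation code is stored
    expires: Optional[datetime] = None
    attempts: int = 0
    state: str = "recorded"  # recorded -> assigned -> activated, or blocked


def derive_code_hash(salt: bytes, serial: str, holder: str, code: str) -> bytes:
    # Serial and holder go into the salt, so a code only verifies for the card
    # and the person it was issued to.
    info = salt + f"{serial}|{holder}".encode()
    return hashlib.pbkdf2_hmac("sha256", code.encode(), info, PBKDF2_ITERATIONS)


def pin_policy_ok(pin: str) -> bool:
    # Constructed policy: 6 to 8 digits, no single repeated digit, no straight run.
    if not (6 <= len(pin) <= 8 and pin.isdigit()) or len(set(pin)) == 1:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(pin, pin[1:])}
    return steps not in ({1}, {-1})


class PrePersoServer:
    def __init__(self, clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self.cards: dict = {}
        self.clock = clock

    def record_serials(self, csv_text: str) -> int:
        """Step a: load card serial numbers from the manufacturer's CSV file."""
        count = 0
        for row in csv.DictReader(io.StringIO(csv_text)):
            serial = row["serial"].strip()
            if serial in self.cards:
                raise ValueError(f"duplicate serial {serial}")
            self.cards[serial] = CardRecord(serial=serial)
            count += 1
        return count

    def assign(self, serial: str, holder: str, validity_days: int = 30) -> str:
        """Step c: bind a recorded card to a holder and issue its activation code.
        The clear-text code is returned once, for the instructions that go to the
        holder separately from the card; the server keeps only its hash."""
        card = self.cards[serial]
        if card.state != "recorded":
            raise ValueError(f"card {serial} is {card.state}, not recorded")
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LEN))
        card.salt = secrets.token_bytes(16)
        card.code_hash = derive_code_hash(card.salt, serial, holder, code)
        card.holder, card.state = holder, "assigned"
        card.expires = self.clock() + timedelta(days=validity_days)
        return code

    def activate(self, serial: str, holder: str, code: str, new_pin: str) -> str:
        """Stage 2: the holder presents the activation code and chooses a PIN.
        Returns "activated" or the reason the request was refused."""
        card = self.cards.get(serial)
        if card is None or card.state != "assigned":
            return "not-assigned"
        if self.clock() > card.expires:
            card.state = "blocked"
            return "expired"
        if not pin_policy_ok(new_pin):
            return "weak-pin"  # checked before a code attempt is consumed
        card.attempts += 1
        presented = derive_code_hash(card.salt, serial, holder, code.strip().upper())
        if not hmac.compare_digest(presented, card.code_hash):
            if card.attempts >= MAX_ATTEMPTS:
                card.state = "blocked"  # holder must go back to the badge office
                return "blocked"
            return "bad-code"
        card.state, card.code_hash = "activated", None  # single use: nothing left to replay
        return "activated"


# Constructed sample of the manufacturer's shipping file (not real serials).
SAMPLE_CSV = "serial,batch\n9001000001,B17\n9001000002,B17\n9001000003,B17\n"


def run_demo() -> dict:
    """Walk three constructed cards through the flow and return each outcome."""
    now = [datetime(2009, 6, 1, tzinfo=timezone.utc)]  # settable clock for expiry
    srv = PrePersoServer(clock=lambda: now[0])
    out = {"recorded": srv.record_serials(SAMPLE_CSV)}
    code = srv.assign("9001000001", "alice")
    out["wrong_code"] = srv.activate("9001000001", "alice", "ZZZZZZZZZZ", "493817")
    out["weak_pin"] = srv.activate("9001000001", "alice", code, "123456")
    out["ok"] = srv.activate("9001000001", "alice", code, "493817")
    out["replay"] = srv.activate("9001000001", "alice", code, "493817")
    code2 = srv.assign("9001000002", "bob")
    out["other_holder"] = srv.activate("9001000002", "carol", code2, "493817")
    tries = [srv.activate("9001000002", "bob", "0000000000", "493817") for _ in range(2)]
    out["lockout"] = tries + [srv.cards["9001000002"].state]
    srv.assign("9001000003", "dave")
    now[0] += timedelta(days=31)
    out["expired"] = srv.activate("9001000003", "dave", "ignored", "493817")
    return out
```

Running `run_demo()` exercises the cases a badge office cares about: a wrong code is counted, a weak PIN is rejected without consuming an attempt, a consumed code cannot be replayed, a code issued to one holder does not work for another, three bad codes block the card, and an unused code lapses after its validity window. Binding the hash to serial and holder is what makes the mailed code useless if the letter and the card are intercepted separately and recombined with a different identity.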