TrustBuilder IBM TAMeb sales presentation v2.3

This presentation announces the IBM Web Access Management Co-Sell arrangement with SecurIT’s TrustBuilder product. TrustBuilder complements IBM’s Web Access Management offerings with User Authentication, Adaptive Access Control and Transaction Validation.

  • This presentation intends to highlight a unique combination in today’s web access management market: IBM Tivoli Access Manager for e-Business and SecurIT TrustBuilder.
  • However, the security world is changing rapidly and new requirements keep popping up. In this presentation we will show the added value SecurIT’s TrustBuilder platform provides to TAMeB and TFIM in the areas of Versatile Authentication and Transaction Signing and Validation.
  • For instance, the internet banking world is due to increase the protection of users’ assets and facilitate new business models, as illustrated by the new FFIEC guidance. Here is an excerpt of the FFIEC’s recommendations issued on June 28th, 2011: ‘… The Federal Financial Institutions Examination Council (FFIEC) issued today a supplement to the Authentication in an Internet Banking Environment guidance, issued in October 2005. The purpose of the supplement is to reinforce the risk-management framework described in the original guidance and update the FFIEC member agencies' supervisory expectations regarding customer authentication, layered security, and other controls in the increasingly hostile online environment. …’ The guidance clearly promotes a layered security approach, combining authentication, adaptive access control and transaction proofing mechanisms to accomplish this task.
  • Transaction Signing & Validation is a security measure organizations use to accomplish two objectives: ensure the critical data in a transaction cannot be altered by malicious invaders, either on the endpoint or in the network, and maintain an undisputable proof of the transaction contents and timing in a safe place. In business-critical applications it provides an additional security layer at the transaction level, in different applications like internet banking, intellectual property protection, submitting forms for subscribing to policies (for instance insurance policies), registration to events, or simply keeping an undeniable proof that a user was able to access or obtain particular privileged information at a specific point in time. This represents an architectural choice for a re-usable service, rather than implementing such functions within each application. In other words: a Service Oriented Architecture. Bundling this with authentication services makes sense because very often the same validation mechanisms will be applied for authentication and signing, but in a different way.
  • Let’s now have a look at some observed business needs for such a solution.
  • Large organizations will always have to deal with multiple authentication mechanisms. Organizations can now choose between many types of hardware or software tokens and one-time password generators. Certificates regain interest, especially when issued in a community environment by a Trusted Party. Governments issuing electronic identity cards with certificates are a good example. Plans are evolving to include biometrics as well, in line with increased usability and cost effectiveness. Some obvious reasons for the use of different methods have been illustrated in the previous slides. However, in practice we have seen even more reasons for this. One may desire to leverage existing investments in a system. Especially in merger situations we see the need to consolidate a central application or infrastructure without obliging the users to change their habits or enforcing costs for new methods. Another example is migration. Even if an organization decides to introduce another authentication method for a particular use case, this cannot happen overnight in most cases. So there will be a period where certain users accessing the same protected resource are still using the old means and some others the new system. This requires a workflow capability to handle this smoothly and under the user’s control. Where traditional credentials like username/password are still used, a layered security approach may be appropriate, characterized by the use of different controls in a transaction process so that a weakness in one control is generally compensated for by the strength of a different control. Examples are knowledge-based authentication, risk/fraud analysis systems or geolocation services, used to locate internet users trying to access a particular environment. A key requirement for the use of such complementary methods is the need to handle the authentication process in multiple steps, controlled by a workflow for maximum flexibility in order to evolve over time without affecting an organization’s applications and Access Infrastructure components.
  • Whereas Transaction Validation used to be included in some highly critical business applications by specialists only, it is now within reach for many applications. TrustBuilder’s model as a centralized service reduces the time and cost of adding such capability tremendously. Different transaction proofing mechanisms are now within reach and for each use case the critical data can easily be selected in order to ensure the integrity from the endpoint to the server and protect your intellectual property.
  • We discussed which business requirements need to be addressed, which leads to the question: how can these needs be addressed in an optimal way? At SecurIT we have done exactly that when designing TrustBuilder. We released the first incarnation of TrustBuilder already in 2005. Today, it is a proven technology, which is being used in very large customer projects and in very stringent environments. So by now it also is a robust platform, which is able to fulfill its tasks in the most demanding environments.
  • TAMeb is the market leading web access management and single sign-on solution. TrustBuilder extends TAMeb capabilities with additional authentication controls, introduces transaction layer protection and provides a workflow-based UI to define policies. In addition to its out-of-the-box support for many validation mechanisms, it adds adaptive, context-aware access control and a workflow-driven authorization policy definition. Its layered security approach includes protecting the integrity of the application transaction contents, while maintaining a non-repudiable proof of the transaction. TAMeb and TFIM combined with TrustBuilder provide the most comprehensive and flexible solution for Web Access Management in the industry today.
  • So how does this fit together? Well, let’s start with the basic functionality offered by Tivoli Access Manager to manage access to an organization’s IT resources. TAM is a web single-sign-on solution, granting users access to protected applications. It provides coarse-grained access control based on the user’s identity, which is verified through its authentication processes. Some of that functionality is offered out-of-the-box and interfaces are provided to complement this with external components whenever needed. TFIM hooks into such an interface to add support for federated identity management and cross-domain single-sign-on, for instance with Microsoft Windows workstations. Similarly, TrustBuilder can extend TAM’s reach by adding versatile authentication, as described in the beginning of this presentation, feeding context-based access control elements and facilitating transaction signing and validation. This latter feature can also be used by applications, whether or not combined with TAM’s access control capabilities. Finally, TrustBuilder can also cooperate with TFIM to add authentication capabilities to TFIM’s processes. Reality has proven time and again that no other vendor can offer such a rich set of functionality. That is a key element of the cooperation between IBM and SecurIT.
  • On this slide a graphical overview of the TrustBuilder Security Service platform is presented. Looking at the top of the graphic you’ll see the services offered in dark blue, today in the field of authentication and/or transaction validation. The product offers these services through a high-level interface to either an infrastructure component, like Tivoli Access Manager, or to traditional applications, for instance through a plain HTTP/HTML interface or via Web services in a Service Oriented Architecture. On the other side of the framework, a plug-in architecture (in green) allows inserting so-called Connectors. At present we have developed some 20 connectors to perform various functions in order to cover aspects around validation, either internally or interfacing with external validation services, capabilities to access information in almost any repository, or to extend the platform to include services offered by any external application to fulfill certain parts of the requirements. In between and at the heart of the system is the policy and workflow management component. This management component is able to handle a request in multiple steps and its workflow will determine how the request will be handled in a particular use case. Such a workflow can be context-dependent, so the outcome of a particular step in the workflow can influence the way the continuation of the workflow will be handled. And the transaction can be managed by a policy, to allow the organization to set the boundaries of acceptable security levels. With the latest release, a graphical user interface makes it even easier for customers to configure the system and change the behavior at any point in time.
  • TrustBuilder’s workflow manager is a key differentiator, allowing easy configuration of how the request will be handled in a particular use case. Via a drag-and-drop GUI, sophisticated workflows can be created, and existing ones changed, with minimal effort and error risk. The graphical representation also provides a quick and simple analysis of the most complex security models. In addition, an organization’s policy can be included by setting the boundaries of acceptable security levels.
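As an added illustration of the multi-step, context-dependent workflow that the platform and workflow-manager notes above describe, and of the migration and layered-security needs discussed earlier, here is a small Python workflow engine. It is example code written for this page, not TrustBuilder's own implementation or API: a policy sets the assurance level a resource requires, "connectors" verify each mechanism, and the next step is chosen from the request context and the outcome of the steps already passed. The assurance levels, routing rules, home country, user records and connector checks are all constructed for the example.

```python
import hmac
from dataclasses import dataclass, field

# Assumed assurance level of each mechanism (the policy's "boundaries of acceptable security levels")
LEVELS = {"password": 1, "knowledge": 2, "otp": 3, "certificate": 3}
# Assumed policy: minimum level a protected resource requires
POLICY = {"default": 1, "transfer": 3, "admin": 3}
HOME_COUNTRY = "BE"  # constructed: location outside it is treated as higher risk

# Constructed user registry; a real deployment would query LDAP/AD/RACF via a connector
USERS = {
    "alice": {"password": "pw-alice", "otp": "123456", "kba": "blue"},
    "bob": {"password": "pw-bob", "otp": "654321", "kba": "red", "certificate": "CN=bob"},
}


@dataclass
class Context:
    user: str
    community: str          # e.g. "retail", "wholesale", "internal"
    resource: str
    country: str            # e.g. from a geolocation service
    migrated_to_otp: bool = False   # migration flag: this user already moved off passwords


@dataclass
class Outcome:
    steps: list = field(default_factory=list)   # (mechanism, passed) in execution order
    level: int = 0
    decision: str = "pending"


def _match(expected, given):
    """Constant-time comparison of a presented credential against the stored value."""
    return given is not None and hmac.compare_digest(expected, given)


# Connectors: each takes the context and the submitted credentials and returns True on success
CONNECTORS = {
    "password": lambda ctx, cred: _match(USERS[ctx.user]["password"], cred.get("password")),
    "knowledge": lambda ctx, cred: _match(USERS[ctx.user]["kba"], cred.get("kba")),
    "otp": lambda ctx, cred: _match(USERS[ctx.user]["otp"], cred.get("otp")),
    "certificate": lambda ctx, cred: USERS[ctx.user].get("certificate") is not None
    and USERS[ctx.user]["certificate"] == cred.get("certificate"),
}


def choose_next(ctx, outcome, target):
    """Pick the next mechanism from the context and the steps already passed; None means stop."""
    if outcome.level >= target:
        return None
    done = {name for name, ok in outcome.steps if ok}
    if not done:
        # First factor: migrated users go straight to OTP, the others still use username/password
        return "otp" if ctx.migrated_to_otp else "password"
    # Layered step-up: a foreign location adds a knowledge check before the strong factor
    if ctx.country != HOME_COUNTRY and "knowledge" not in done:
        return "knowledge"
    if "otp" not in done and "certificate" not in done:
        # Internal users carry certificates; customers use an OTP device
        return "certificate" if ctx.community == "internal" else "otp"
    return None  # every available mechanism has been used


def run_workflow(ctx, credentials, policy=POLICY, connectors=CONNECTORS, max_steps=4):
    """Drive the workflow until the policy level is reached, a step fails, or no step is left."""
    target = policy.get(ctx.resource, policy["default"])
    outcome = Outcome()
    for _ in range(max_steps):
        step = choose_next(ctx, outcome, target)
        if step is None:
            break
        passed = connectors[step](ctx, credentials)
        outcome.steps.append((step, passed))
        if not passed:
            outcome.decision = "denied"
            return outcome
        outcome.level = max(outcome.level, LEVELS[step])
    outcome.decision = "granted" if outcome.level >= target else "denied"
    return outcome


if __name__ == "__main__":
    # Retail user at home, low-value resource: password alone satisfies the policy
    print(run_workflow(Context("alice", "retail", "balance", "BE"), {"password": "pw-alice"}))
    # Same user abroad, high-value resource: password, knowledge check, then OTP
    print(run_workflow(Context("alice", "retail", "transfer", "US"),
                       {"password": "pw-alice", "kba": "blue", "otp": "123456"}))
```

The routing lives in one function and the mechanisms behind a dictionary of connectors, which is the property the slides stress: a new mechanism or a changed policy level is a change to the workflow, not to the protected application.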
  • In addition, or in a second step, Transaction Validation services can be offered, which can easily be shared by multiple applications, allowing significant savings. This can even be done without changing a single byte in the application itself, a really unique feature in the industry. The combined solution is open to support different transaction proofing mechanisms, either based on one-time password technology from vendors like Vasco, RSA or Gemalto, or based on digital certificates, and compliant with the CAP/EMV standard from VISA-Mastercard in the financial industry.
  • A few more words on Transaction Validation, or signing as a service if you want. Transaction validation is usually handled in three phases: in the preparation phase we collect the sensitive data of the transaction and generate the challenge. The second phase is the signing of the transaction: presenting a signature form to the user, embedding the challenge that has to be signed and, if required, embedding the signing logic as well. Finally there is the transaction validation cycle: capturing the signature, validating the signature and storing the validation result.
  • Using TrustBuilder for Transaction Validation can occur in different ways. In this graph we show two distinct possibilities, but a combination of these scenarios is possible as well. In the first use case, the authentication services are provided to TAM, which takes care of SSO and access control to application resources. The transaction validation services are used by the application itself through a web service interface. The application maintains control of the user interaction at any point in time. We call this the application-aware approach, as it is actively involved in the process. Still, all functions related to transaction preparation, signing and validation are handled by TrustBuilder as a service to the application, considerably decreasing the complexity, development cost and time to market. The service is of course re-usable by other applications. The second case illustrates a so-called application-unaware approach. This intends to insert signing and validation of transactions without involvement of the application. The access policy in TAM can determine when a validation cycle needs to be invoked and forward the page with transaction data to TrustBuilder, which takes control over the user interaction to complete the preparation, signing and validation phases and informs TAM on completion, which subsequently releases the page to the application. This is a really unique feature allowing proofing capabilities to be added to almost any application, without changing a single byte in the application.
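To make the three phases concrete, here is an added Python example of preparation, signing and validation as a service that both the application-aware and the application-unaware scenarios above could call. It is written for this page; it is not SecurIT's code and does not reproduce TrustBuilder's interfaces. The signing device is modelled as an HMAC response to an 8-digit challenge, standing in for an OTP/CAP reader or certificate-based signer; the choice of critical fields, the 5-minute validity window, the device secret and the sample transaction are all assumptions.

```python
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass, field

CHALLENGE_TTL_SECONDS = 300  # assumed: a prepared transaction must be signed within 5 minutes


def canonical_data(transaction: dict, critical_fields: list) -> str:
    """Select the critical fields and serialise them deterministically (sorted keys, no spaces)."""
    selected = {k: transaction[k] for k in sorted(critical_fields)}
    return json.dumps(selected, sort_keys=True, separators=(",", ":"))


@dataclass
class PendingTransaction:
    txn_id: str
    user: str
    critical_fields: list
    canonical: str
    challenge: str
    created_at: float


@dataclass
class SigningService:
    device_keys: dict                                # user -> device secret registered out of band
    pending: dict = field(default_factory=dict)      # txn_id -> PendingTransaction
    vault: list = field(default_factory=list)        # stored validation results (the proof)

    # Phase 1: preparation
    def prepare(self, user, transaction, critical_fields, now=None):
        now = time.time() if now is None else now
        canonical = canonical_data(transaction, critical_fields)
        txn_id = secrets.token_hex(8)
        # The challenge binds the critical data to a fresh id and the preparation time;
        # it is reduced to 8 decimal digits so it could be typed into an unconnected reader.
        digest = hashlib.sha256(f"{txn_id}|{now:.0f}|{canonical}".encode()).digest()
        challenge = f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"
        self.pending[txn_id] = PendingTransaction(txn_id, user, list(critical_fields),
                                                  canonical, challenge, now)
        return txn_id, challenge

    # Phase 3: validation
    def validate(self, txn_id, submitted_transaction, signature, now=None):
        now = time.time() if now is None else now
        rec = self.pending.pop(txn_id, None)        # single use: a replayed id finds nothing
        if rec is None:
            return self._record(txn_id, "unknown_or_replayed", now)
        if now - rec.created_at > CHALLENGE_TTL_SECONDS:
            return self._record(txn_id, "expired", now)
        # Recompute the critical data from what actually arrived: any change since
        # preparation, on the endpoint or in the network, shows up here.
        if canonical_data(submitted_transaction, rec.critical_fields) != rec.canonical:
            return self._record(txn_id, "tampered", now)
        expected = device_sign(self.device_keys[rec.user], rec.challenge)
        if not hmac.compare_digest(expected, signature):
            return self._record(txn_id, "bad_signature", now)
        return self._record(txn_id, "valid", now, rec)

    def _record(self, txn_id, outcome, now, rec=None):
        """Store the validation result together with the signed data and the time."""
        self.vault.append({"txn_id": txn_id, "outcome": outcome, "validated_at": now,
                           "data": rec.canonical if rec else None})
        return outcome


# Phase 2: signing, performed on the user's device (assumed HMAC-based response to the challenge)
def device_sign(device_key: bytes, challenge: str) -> str:
    mac = hmac.new(device_key, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"  # 8-digit response code


def demo():
    """Constructed walk-through: a clean transfer, then one altered after the user signed it."""
    svc = SigningService(device_keys={"alice": b"constructed-device-secret"})
    txn = {"beneficiary": "BE68539007547034", "amount": "1500.00", "memo": "rent"}
    critical = ["beneficiary", "amount"]             # memo may change, these may not
    txn_id, challenge = svc.prepare("alice", txn, critical, now=1000.0)
    ok = svc.validate(txn_id, txn, device_sign(svc.device_keys["alice"], challenge), now=1010.0)
    txn_id2, challenge2 = svc.prepare("alice", txn, critical, now=2000.0)
    response2 = device_sign(svc.device_keys["alice"], challenge2)
    altered = dict(txn, amount="9500.00")             # amount changed in transit
    tampered = svc.validate(txn_id2, altered, response2, now=2005.0)
    return ok, tampered


if __name__ == "__main__":
    print(demo())
```

Because the challenge is derived from the selected fields and validation recomputes those fields from the data that actually arrives, the service detects alteration of critical data without the application having to know how signing works, which is what lets the same service sit behind a web service call or behind a TAM policy hook.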
  • Let’s now have a look at some real customer use cases, starting with versatile authentication. KBC Bank is headquartered in Belgium and active across Europe, with a market leading position in some eastern European countries. The main business driver for the bank was being able to support the most appropriate authentication mechanism for various user communities, whether from the retail banking sector, corporate banking, foreign agencies or internal users, ranging from simple username/password to one-time passwords and digital certificates. Note that internal users’ passwords are also validated by RACF on the IBM mainframe, an example of using another user registry to validate the authentication.
  • Eurocontrol is the European organization for the safety of air navigation. The TFIM-based portal in combination with TrustBuilder provides secure access to its applications and data for the partners, such as the airlines and air traffic control centers. Context-aware access control is offered to different user communities, each authenticated by distinct mechanisms. Tokens are shared with the VPN environment and sophisticated, policy-based handling of digital certificates allows for business-driven validation.
  • The combination of TAM and TrustBuilder allowed these customers to realize this with a minimum of development costs and without affecting the users’ habits. It also allowed them to select the best authentication method for a given use case, based on cost versus security and user friendliness, and to align their security infrastructure with changing government and industry regulations.
  • ING is a large banking and insurance group, active in the financial industry around the world. We’ll use the ING use case to illustrate how the combination of TFIM and TrustBuilder allowed the design of a security infrastructure that could serve the needs of its new banking concept. At the start, the main focus was on aligning with regulatory demands by changing its validation mechanisms, both for authentication and signing. The choice went to the combination of an unconnected card reader with the user’s bank card, in accordance with the CAP-EMV rules from VISA-Mastercard. The new platform will accommodate SSO for customers from both retail and wholesale segments. Moreover, crossing customer segments will be supported, allowing users to log in in various capacities, such as an internal user, retail customer or employee of a wholesale customer. In addition, new paradigms like federation to externally hosted applications and mobile banking need to be supported.
  • The resulting integrated architecture is depicted on this slide, supporting the vision to become a direct bank for all its financial services and providing universal access by employees. Crossing customer segments is fully supported, allowing e.g. a customer employee user to check on their private affairs or to consult the bank’s offer to the employer. This new infrastructure is realized by the combination of TAM, TFIM and TrustBuilder, the latter providing the security services for authentication and transaction signing and validation. Through its comprehensive workflow capabilities, TrustBuilder also provides the flexibility to easily accommodate the use cases above and integrate with the bank’s legacy user management platform.
  • To conclude this presentation, I would like to highlight some of the key features TrustBuilder is offering to its customers. As an Enterprise Security Services platform, it provides a very complete set of services for Authentication and Transaction Validation. In most cases, TrustBuilder can accommodate customer requirements out-of-the-box and offer the services to other security infrastructure components or to applications. Through its plug-in architecture and a comprehensive Connectors Library, it supports virtually any third-party validation mechanism and is able to integrate smoothly with back-end repositories. The solution provides the flexibility organizations need to address rapidly and constantly changing requirements with minimal impact. Ease of implementation, or of changing an existing environment, became even greater with the introduction of drag-and-drop configuration of the system. Last but not least, TrustBuilder has proven to be a robust and highly scalable platform, in use at large corporations and in stringent conditions for years. Clearly, TrustBuilder fulfills many of today’s and tomorrow’s needs and the combination with TAMeB and TFIM represents the most advanced solution for Web Access Management in today’s market place.
  • Well, this concludes the presentation on SecurIT TrustBuilder, showing how the product adds value to IBM’s solutions for Identity and Access Management, resulting in an unmatched offering to the market and client base. Please contact us via the coordinates on this slide if you have any questions or requests. Thank you very much for your interest.

Presentation Transcript

  • Presenter’s name
    Date
    IBM Tivoli Access Manager for e-Business and
    SecurIT TrustBuilder®
    A UNIQUE COMBINATION
  • Web Access Management
    2
    Products:
    Tivoli Federated Identity Manager (TFIM) and Tivoli Access Manager for ebusiness(TAMeb)
    IBM is a viable option in almost every WAM project, and continues to show customer growth, even though most other vendors' sales are flat or down.
    IBM TFIM combines the functionality of three products: a well-featured WAM product, a full-featured identity federation tool suitable for enterprise and service provider deployments, and a moderately well-featured Web services security tool.
  • TrustBuilder Value Proposition for TAMeb & TFIM
    Versatile Authentication
    Transaction Signing and Validation
    3
  • Why Versatile Authentication ?
    Static approaches to defining security controls are no longer adequate
    Security controls need to be flexible and meet the needs of the diverse set of user access requirements
    Ant Allen
    IAM Summit, London March 2009
    4
  • Improving Security Controls with TAMeb and TrustBuilder
    Security requirements continue to evolve and require more flexible dynamic approaches to protecting customer information and user access
    Deeper security controls are required to ensure information is protected and not tampered with
    Customers need to review their authentication strategies with an eye towards moving up to a true versatile authentication approach.
    The ultimate goal, KuppingerCole believes, is to be able to move back and forth between different authentication mechanisms freely and flexibly without the need to modify the applications themselves.
    Martin Kuppinger
    Introducing Versatile Authentication and Transaction Signing
    5
  • FFIEC Guidance: Authentication in an Internet Banking Environment
    The Federal Financial Institutions Examination Council, or FFIEC, is a formal interagency body of the United States government empowered to:
    prescribe uniform principles, standards, and report forms for the federal examination of financial institutions
    make recommendations to promote uniformity in the supervision of financial institutions.
    FFIEC guidance issued in 2005. New recommendations issued on June 28th, 2011.
    6
    New recommendation
    • Layered Security Programs
    • the use of different controls at different points in a transaction process
    • can substantially strengthen the overall security of Internet-based services
    • be effective in protecting sensitive customer information, preventing identity theft, and reducing account takeovers and the resulting financial losses.
  • What is Versatile Authentication ?
    [Slide figure: a login form with ID and password fields, next to a SecurID token displaying a one-time code]
    • Access policy depends on User/Group/Role
    • Information needs to be protected based on its value to the business
    • Access management must be flexible and modular
    • A layered security approach can provide the ability to support coarse- to fine-grained access controls
    The ability to dynamically set the authentication methods, based on workflow, can provide the flexibility to define the access management policy
    7
  • What is Transaction Signing and Validation?
    • Ensure the critical data in a transaction cannot be altered by malicious invaders, either on the endpoint or in the network
    • Maintain an undisputable proof of the Transaction Contents and Timing in a safe place
    APPLICATIONS
    Seal
    Sign
    Typical Use cases
    • Internet Banking
    • IP Protection
    • Subscription
    • Registration
    • Proof of Access
    Provides the ability to detect application data tampering and keep an undisputable proof
    User
    Vault
    8
  • Business needs
    TAMeB and SecurIT TrustBuilder®
    9
  • Observed TrustBuilder Business Needs
    Do you need to support other Authentication mechanisms than those provided by standard TAM?
    Do you need to migrate smoothly from username/password to strong Authentication?
    Is there a requirement to support multiple Authentication mechanisms simultaneously?
    Security Driven (authentication vs strong authentication)
    Business Driven (cost / user-friendliness / legacy / rules)
    Do you need to determine the authentication requirements based on variables, such as the type of User, the Protected Resource, the User’s location, context-based variables, etc.?
    10
    AUTHENTICATION
    • Username/Password: LDAP, AD, RACF, etc.
    • OTP: hardware, software, outbound / mobile
    • Digital Certificates: SSL, challenge/response
    • Biometrics
    • Etc.
  • Observed TrustBuilder Business Needs
    • Do you want to reduce the development time & costs of adding Transaction Validation services to applications?
    With TrustBuilder the transaction data integrity and non-repudiation services can be centralized in the security infrastructure instead of including them in every application.
    • Is there need to support different Transaction Proofing mechanisms?
    • Do you want to ensure transactions are not tampered with?
    • Do you want to protect your intellectual property?
    11
    TRANSACTION VALIDATION
  • VALUE PROPOSITION
    TAMeB and SecurIT TrustBuilder®
    12
  • TAMeb and TrustBuilder
    TrustBuilder
    • Context aware access control
    • Out of the box support for many validation mechanisms
    • Workflow driven authorization policy definition
    • Protecting the Integrity of the application transaction contents
    • Keep a non-repudiated proof of the transaction.
    Versatile Authentication
    Workflow / Extended Policy Controls
    Connectors for Validation
    Access / Authentication / Authorization
    Access Policy
    Logging
    TAMeb
    TrustBuilder extends TAMeb capabilities to extend authentication controls, introduces transaction layer protection, and provides a workflow based UI to define policies
    13
  • How it fits together
    Identity Federation
    Cross-domain SSO
    TFIM
    TAMeB
    Authentication
    Access Control
    Web SSO
    APPLICATIONS
    User
    Versatile Authentication
    Adaptive Access Control
    Transaction Validation
    TrustBuilder
    14
  • TrustBuilder Security Services Platform
    Plug-ins
    Available as WebSphere®Application and Software Appliance
    15
  • TrustBuilder Workflow Manager
    • This management component will determine how the request will be handled in a particular use case
    • Graphical User Interface for ease of use
    • Drag and drop configuration
    • Easily create new or edit existing workflows
    • Quick and simple analysis of a complex security model
    • The transaction can be managed by a policy.
    • set the boundaries of acceptable security levels and alike.
    16
  • Benefits for a TAMeB or TFIM customer
    • Save considerable Time and Money by extending TAMeB with other Authentication capabilities from # vendors. (Vasco, RSA, Gemalto, Kobil & all RADIUS)
    • Ability to dynamically update authentication mechanisms, without affecting TAMeB or Applications.
    • Simply accommodate # user communities with # authentication requirements and/or mechanisms.
    • Easily map authentication tokens to a known TAMeB ID (e.g. certificate).
    • Considerably reduce the workload on WebSEAL by offloading authentication to TrustBuilder Server.
    • Share TrustBuilder Server authentication services between TAMeB and other platforms (Network Access, Portals, Applications, etc.)
    Versatile Authentication
    17
  • Benefits for a TAMeB or TFIM customer
    Transaction Validation Services can be combined with Authentication Services on the same TrustBuilder system
    Minimal impact on existing and new applications, reducing development time
    Transaction Validation services can now easily be shared by multiple applications, allowing significant savings
    Open to support different Transaction Proofing mechanisms
    OTP (Gemalto, RSA, Vasco)
    X.509 Signatures
    Compliant with CAP/EMV (VISA/MC)
    Open to support new Transaction Types by generating a highly-configurable challenge over any transaction or data submitted to it
    Solution meets many industry standards and aids in compliance management.
    Transaction Validation
    18
  • Signing as a Service
    Transaction Preparation
    Collect sensitive information from Transactions
    Generate Challenge
    Transaction Signing
    Present Signature Form
    Embed Challenge
    Embed signing logic
    Transaction Validation
    Capture Signature
    Validate Signature
    Store validation result
    19
  • Transaction Validation Use Cases
    20
    Web Service provided to Applications
    APPS
    TAMeB
    SSO
    Authentication
    Signing & Validation
    TrustBuilder
    User
    User
    APPS
    TAMeB
    Service provided via TAM Authorization Policy
    SSO
    Authentication
    Signing & Validation
    TrustBuilder
    • Username/Password
    • validated against RACF
    • VASCO Digipass
    • OTP device
    • Unconnected Card Reader
    • X.509 Certificates
    • Certificate on USB dongle
    • Certificate on SmartCard
    Business Drivers:
    Using # authentication mechanisms for # user communities
    • Retail banking
    • Wholesale banking
    • Internal
    • Foreign Agencies
    USE CASE: Versatile AUTHENTICATION
    21
  • 22
    • Username/Password
    • validated through TAM API
    • RSA SecurID
    • Radius backend shared with VPN
    • including Token life cycle Mgmt
    • X.509 Certificates
    • Certificate to TAM ID mapping
    • Online and offline Revocation check
    European Organization for the Safety of Air Navigation
    SecurIT TrustBuilder
    USE CASE: Versatile AUTHENTICATION
  • Benefits for the Customers
    Simultaneous support for multiple Authentication methods to accommodate use cases
    More flexibility in the rapidly changing world of security.
    The environment can easily be extended with other Authentications methods.
    Less Development Costs
    Compliance with Government and Industry regulations.
    23
    • Align with regulatory demands
    • Migrate to CAP-EMV using a UCR (unconnected card reader)
    • Business requirements
    • SSO for customers within retail & wholesale segments
    • Support crossing of customer segments
    • Support external hosted applications
    • Support employees – branch of the future
    • Support newer paradigms: Federation, Mobile …
    • Buy versus Build, also for Security
    USE CASE: TRANSACTION SIGNING & VALIDATION
    24
  • Translated into reality …
    One integrated architecture
    Supporting the vision to become a ‘Direct’ bank
    Supporting ‘Universal’ access by employees
    The architecture supports cross-over behaviour
    The customer employee user wants to check on his/her private affairs
    The customer employee user is interested in seeing the offers of the bank his/her employer is using
    Combination of TAM/TFIM and TrustBuilder.
    TAM/TFIM
    • TrustBuilder
    • Extends the Authentication capabilities of TAM/TFIM
    • Acts as gateway to Authentication & Signing Services
    • Enables Flexibility in defining Security Workflows.
    TrustBuilder
    25
  • TrustBuilder: Key Features
    Enterprise Security Services platform
    Versatile Authentication
    Transaction Signing & Validation
    Out-of-the-Box solution
    Plug-in Architecture with comprehensive Connector Library
    Supports many Vendor/Validation mechanisms
    Integrates with many User & Data Repositories
    Guarantees Flexibility
    Easily adapt to changing requirements
    Supports migration needs
    Configurable Workflow to accommodate # Use Cases
    Ease of Implementation
    No development
    Choose, Pick or Change Connectors
    Drag-and-drop GUI Workflow set-up
    Field proven, robust and scalable Technology
    26
  • SecurIT
    info@securit.biz
    www.securit.biz
    QUESTIONS ?
    27