TrustBuilder IBM TAMeb sales presentation v2.3
This presentation announces the IBM Web Access Management Co-Sell arrangement with SecurIT’s TrustBuilder product. TrustBuilder complements IBM’s Web Access Management offerings with User Authentication, Adaptive Access Control and Transaction Validation.

Published in: Technology, Business

  • This presentation intends to highlight a unique combination in today’s web access management market: IBM Tivoli Access Manager for e-Business and SecurIT TrustBuilder.
  • However, the security world is changing rapidly and new requirements keep popping up. In this presentation we will show the added value SecurIT’s TrustBuilder platform provides to TAMeB and TFIM in the areas of Versatile Authentication and Transaction Signing and Validation.
  • For instance, the internet banking world is due to increase the protection of users’ assets and facilitate new business models, as illustrated by the new FFIEC guidance. Here is an excerpt of the new FFIEC recommendations issued on June 28th, 2011: ‘… The Federal Financial Institutions Examination Council (FFIEC) issued today a supplement to the Authentication in an Internet Banking Environment guidance, issued in October 2005. The purpose of the supplement is to reinforce the risk-management framework described in the original guidance and update the FFIEC member agencies' supervisory expectations regarding customer authentication, layered security, and other controls in the increasingly hostile online environment …’ The guidance clearly promotes a layered security approach, combining authentication, adaptive access control and transaction proofing mechanisms to accomplish this task.
  • Transaction Signing &amp; Validation is a security measure organizations use to accomplish two objectives: ensure the critical data in a transaction cannot be altered by malicious invaders, either on the endpoint or in the network, and maintain an undisputable proof of the transaction contents and timing in a safe place. In business-critical applications it provides an additional security layer at the transaction level, in different applications like internet banking, intellectual property protection, submitting forms for subscribing to policies (for instance insurance policies), registration to events, or simply keeping an undeniable proof that a user was able to access or obtain particular privileged information at a specific point in time. This represents an architectural choice for a re-usable service, rather than implementing such functions within each application; in other words, a Service Oriented Architecture. Bundling this with Authentication Services makes sense because very often the same validation mechanisms will be applied for authentication and signing, but in a different way.
  • Let’s now have a look at some observed business needs for such a solution.
  • Large organizations will always have to deal with multiple authentication mechanisms. Organizations can now choose between many types of hardware or software tokens and one-time password generators. Certificates regain interest, especially when issued in a community environment by a Trusted Party. Governments issuing electronic identity cards with certificates are a good example. Plans are evolving to include biometrics as well, in line with increased usability and cost effectiveness. Some obvious reasons for the use of different methods have been illustrated in the previous slides. However, in practice we have seen even more reasons for this. One may desire to leverage existing investments in a system. Especially in merger situations we see the need to consolidate a central application or infrastructure without obliging the users to change their habits or enforcing costs for new methods. Another example is migration. Even if an organization decides to introduce another authentication method for a particular use case, this cannot happen overnight in most cases. So there will be a period where certain users accessing the same protected resource are still using the old means and some others the new system. This requires a workflow capability to handle this smoothly and under the user’s control. Where traditional credentials like username/password are still used, a layered security approach may be appropriate, characterized by the use of different controls in a transaction process so that a weakness in one control is generally compensated for by the strength of a different control. Examples are knowledge-based authentication, risk/fraud analysis systems or GeoLocation services, used to locate internet users trying to access a particular environment. A key requirement for the use of such complementary methods is the need to handle the authentication process in multiple steps, controlled by a workflow for maximum flexibility in order to evolve over time without affecting an organization’s applications and Access Infrastructure components.
  • Whereas Transaction Validation used to be included in some highly critical business applications by specialists only, it is now within reach for many applications. TrustBuilder’s model as a centralized service reduces the time and cost of adding such capability tremendously. Different transaction proofing mechanisms are now within reach and for each use case the critical data can easily be selected in order to ensure the integrity from the endpoint to the server and protect your intellectual property.
  • We discussed what business requirements need to be addressed, which leads to the question: how can these needs be addressed in an optimal way? At SecurIT we have done exactly that when designing TrustBuilder. We released the first incarnation of TrustBuilder already in 2005. Today, it is a proven technology, which is being used in very large customer projects and in very stringent environments. So by now it also is a robust platform, which is able to fulfill its tasks in the most demanding environments.
  • TAMeb is the market leading web access management and single sign-on solution. TrustBuilder extends TAMeb’s authentication controls, introduces transaction layer protection and provides a workflow-based UI to define policies. In addition to its out-of-the-box support for many validation mechanisms, it adds adaptive, context-aware access control and a workflow-driven authorization policy definition. Its layered security approach includes protecting the integrity of the application transaction contents, while maintaining a non-repudiable proof of the transaction. TAMeb and TFIM combined with TrustBuilder provide the most comprehensive and flexible solution for Web Access Management in the industry today.
  • So how does this fit together? Well, let’s start with the basic functionality offered by Tivoli Access Manager to manage access to an organization’s IT resources. TAM is a web single-sign-on solution, granting users access to protected applications. It provides coarse-grained access control based on the user’s identity, which is verified through its authentication processes. Some of that functionality is offered out-of-the-box and interfaces are provided to complement this with external components whenever needed. TFIM hooks into such an interface to add support for federated identity management and cross-domain single-sign-on, for instance with Microsoft Windows workstations. Similarly, TrustBuilder can extend TAM’s reach by adding versatile authentication, as described in the beginning of this presentation, feeding context-based access control elements and facilitating transaction signing and validation. This latter feature can also be used by applications, whether or not combined with TAM’s access control capabilities. Finally, TrustBuilder can also cooperate with TFIM to add authentication capabilities to TFIM’s processes. Reality has proven time and again that no other vendor can offer such a rich set of functionality. That is a key element of the cooperation between IBM and SecurIT.
  • On this slide a graphical overview of the TrustBuilder Security Service platform is presented. Looking at the top of the graphic you’ll see the services offered in dark blue, today in the field of authentication and/or transaction validation. The product offers these services through a high-level interface to either an infrastructure component, like Tivoli Access Manager, or to traditional applications, for instance through a plain HTTP/HTML interface or via Web services in a Service Oriented Architecture. On the other side of the framework, a plug-in architecture (in green) allows inserting so-called Connectors. At present we have developed some 20 connectors to perform various functions in order to cover aspects around validation, either internally or interfacing with external validation services, capabilities to access information in almost any repository, or to extend the platform to include services offered by any external application to fulfill certain parts of the requirements. In between and at the heart of the system is the policy and workflow management component. This management component is able to handle a request in multiple steps and its workflow will determine how the request will be handled in a particular use case. Such a workflow can be context dependent, so the outcome of a particular step in the workflow can influence the way the continuation of the workflow will be handled. And the transaction can be managed by a policy, to allow the organization to set the boundaries of acceptable security levels. With the latest release, a graphical user interface makes it even much easier for customers to configure the system and change the behavior at any point in time.
  • TrustBuilder’s workflow manager is a key differentiator, allowing easy configuration of how the request will be handled in a particular use case. Via a drag-and-drop GUI sophisticated workflows can be created, as well as changing existing ones with minimal effort and error risk. The graphical representation also provides a quick and simple analysis of the most complex security models. In addition, an organization’s policy can be included by setting the boundaries of acceptable security levels.
  • In addition, or in a second step, Transaction Validation services can be offered, which can easily be shared by multiple applications, allowing significant savings. This can even be done without changing a single byte in the application itself, a really unique feature in the industry. The combined solution is open to support different transaction proofing mechanisms, either based on one-time password technology from vendors like Vasco, RSA or Gemalto, or based on digital certificates, and compliant with the CAP/EMV standard from VISA-Mastercard in the financial industry.
  • A few more words on Transaction Validation, or signing as a service if you want. Transaction validation is usually handled in three phases: in the preparation phase we collect the sensitive data of the transaction and generate the challenge. The second phase is the signing of the transaction: presenting a signature form to the user, embedding the challenge that has to be signed and potentially also embedding the signing logic, if that is required. Finally there is the transaction validation cycle: capturing the signature, validating the signature and storing the validation result.
  • Using TrustBuilder for Transaction Validation can occur in different ways. In this graph we show two distinct possibilities, but a combination of these scenarios is possible as well. In the first use case, the authentication services are provided to TAM, which takes care of SSO and access control to application resources. The transaction validation services are used by the application itself through a web service interface. The application maintains control of the user interaction at any point in time. We call this the application-aware approach, as the application is actively involved in the process. Still, all functions related to transaction preparation, signing and validation are handled by TrustBuilder as a service to the application, considerably decreasing the complexity, development cost and time to market. The service is of course re-usable by other applications. The second case illustrates a so-called application-unaware approach. This inserts signing and validation of transactions without involvement of the application. The access policy in TAM can determine when a validation cycle needs to be invoked and forward the page with transaction data to TrustBuilder, which takes control over the user interaction to complete the preparation, signing and validation phases and informs TAM on completion, which subsequently releases the page to the application. This is a really unique feature allowing proofing capabilities to be added to almost any application, without changing a single byte in the application.
  • Let’s now have a look at some real customer use cases, starting with versatile authentication. KBC Bank is headquartered in Belgium and active across Europe, with a market leading position in some eastern European countries. The main business driver for the bank was being able to support the most appropriate authentication mechanism for various user communities, whether from the retail banking sector, corporate banking, foreign agencies or internal users, ranging from simple username/password to one-time passwords and digital certificates. Remark that internal users’ passwords are also validated by RACF on the IBM mainframe, an example of using another user registry to validate the authentication.
  • Eurocontrol is the European organization for the safety of air navigation. The TFIM-based portal in combination with TrustBuilder provides secure access to its applications and data for the partners, such as the airlines and air traffic control centers. Context-aware access control is offered to different user communities, each authenticated by distinct mechanisms. Tokens are shared with the VPN environment and sophisticated, policy-based handling of digital certificates allows for business-driven validation.
  • The combination of TAM and TrustBuilder allowed these customers to realize this with a minimum of development costs and without affecting the users’ habits. It also allowed them to select the best authentication method for a given use case, based on cost versus security and user friendliness, and to align their security infrastructure with changing government and industry regulations.
  • ING is a large banking and insurance group, active in the financial industry around the world. We’ll use the ING use case to illustrate how the combination of TFIM and TrustBuilder allowed the design of a security infrastructure that could serve the needs of its new banking concept. At the start, the main focus was on aligning with regulatory demands by changing its validation mechanisms, both for authentication and signing. The choice went to the combination of an unconnected card reader with the user’s bank card, in accordance with the CAP-EMV rules from VISA Mastercard. The new platform will accommodate SSO for customers from both retail and wholesale segments. Moreover, crossing customer segments will be supported, allowing users to log in in various capacities, such as an internal user, retail customer or employee of a wholesale customer. In addition, new paradigms like federation to externally hosted applications and mobile banking need to be supported.
  • The resulting integrated architecture is depicted on this slide, supporting the vision to become a Direct bank for all its financial services and providing universal access by employees. Crossing customer segments is fully supported, allowing e.g. a customer employee user to check on their private affairs or consult a bank’s offer to the employer. This new infrastructure is realized by the combination of TAM, TFIM and TrustBuilder, the latter providing the security services for authentication and transaction signing and validation. Through its comprehensive workflow capabilities, TrustBuilder also provides the flexibility to easily accommodate the use cases above and integrate with the bank’s legacy user management platform.
  • To conclude this presentation, I would like to highlight some of the key features TrustBuilder offers to its customers. As an Enterprise Security Services platform, it provides a very complete set of services for Authentication and Transaction Validation. In most cases, TrustBuilder can accommodate customer requirements out-of-the-box and offer the services to other security infrastructure components or to applications. Through its plug-in architecture and a comprehensive Connectors Library, it supports virtually any third-party validation mechanism and is able to integrate smoothly with back-end repositories. The solution provides the flexibility organizations need to address rapidly and constantly changing requirements with minimal impact. Ease of implementation or changing an existing environment became even smoother with the introduction of drag-and-drop configuration of the system. Last but not least, TrustBuilder has proven to be a robust and highly scalable platform, in use at large corporations and in stringent conditions for years. Clearly, TrustBuilder fulfills many of today’s and tomorrow’s needs and the combination with TAMeB and TFIM represents the most advanced solution for Web Access Management in today’s marketplace.
  • Well, this concludes the presentation on SecurIT TrustBuilder, showing how the product adds value to IBM’s solutions for Identity and Access Management, resulting in an unmatched offering to the market and client base. Please contact us via the coordinates on this slide if you have any questions or requests. Thank you very much for your interest.
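The three-phase flow described in the notes above (preparation with a challenge derived from the critical data, signing on the user's device, validation with the result kept in a safe place) as an added Python example; this is not TrustBuilder's code. It assumes a hypothetical SigningService, an HMAC-based device_sign() standing in for an OTP token or unconnected card reader, and constructed sample transaction data; it shows why binding the challenge to the critical fields detects a beneficiary or amount changed after the user saw the signing form.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample policy: the fields an organization selects as the
# "critical data" of a payment transaction (the preparation phase).
CRITICAL_FIELDS = ("beneficiary_iban", "amount", "currency")


def canonicalize(tx, fields=CRITICAL_FIELDS):
    """Deterministic encoding of the critical fields only, so the challenge
    covers exactly what the user is asked to confirm and nothing else."""
    return json.dumps({k: str(tx.get(k, "")) for k in fields},
                      sort_keys=True, separators=(",", ":")).encode()


def _truncate(digest, ndigits=8):
    """Reduce a digest to a short numeric code that can be typed into an
    unconnected card reader or OTP device (CAP-style presentation)."""
    return f"{int.from_bytes(digest[:8], 'big') % 10**ndigits:0{ndigits}d}"


def device_sign(device_secret, challenge):
    """Stand-in for the user's token: HMAC over the challenge, truncated.
    A real OTP device or smart card performs this step on the endpoint."""
    mac = hmac.new(device_secret, challenge.encode(), hashlib.sha256).digest()
    return _truncate(mac)


class SigningService:
    """Hypothetical centralized preparation / signing / validation service,
    modelled on the three phases the presentation describes."""

    def __init__(self, challenge_ttl=300):
        self._devices = {}   # user -> secret provisioned to that user's device
        self._pending = {}   # challenge_id -> (user, nonce, challenge, expiry)
        self.vault = []      # the "safe place" holding every validation result
        self._ttl = challenge_ttl

    def enroll_device(self, user, device_secret):
        self._devices[user] = device_secret

    def _challenge(self, tx, nonce):
        # Bound to the critical data plus a fresh nonce, so the same
        # transaction never yields the same challenge twice.
        return _truncate(hashlib.sha256(nonce + canonicalize(tx)).digest())

    # Phase 1: transaction preparation
    def prepare(self, user, tx, now=None):
        now = time.time() if now is None else now
        nonce = secrets.token_bytes(16)
        challenge = self._challenge(tx, nonce)
        challenge_id = secrets.token_hex(8)
        self._pending[challenge_id] = (user, nonce, challenge, now + self._ttl)
        # Phase 2 (signing) starts here: the form shown to the user embeds
        # the challenge next to the critical data it was derived from.
        return {"challenge_id": challenge_id, "challenge": challenge,
                "display": {k: tx.get(k) for k in CRITICAL_FIELDS}}

    # Phase 3: transaction validation
    def validate(self, challenge_id, submitted_tx, signature, now=None):
        now = time.time() if now is None else now
        entry = self._pending.pop(challenge_id, None)   # one-shot: no replay
        if entry is None:
            return self._record(None, submitted_tx, "unknown_or_replayed")
        user, nonce, challenge, expiry = entry
        if now > expiry:
            return self._record(user, submitted_tx, "expired")
        # Recompute the challenge from the data that actually arrived. If a
        # man-in-the-browser altered beneficiary or amount after the user saw
        # the form, the recomputed value no longer matches the signed one.
        if not hmac.compare_digest(self._challenge(submitted_tx, nonce), challenge):
            return self._record(user, submitted_tx, "critical_data_altered")
        secret = self._devices.get(user)
        if secret is None:
            return self._record(user, submitted_tx, "no_device")
        if not hmac.compare_digest(device_sign(secret, challenge), signature):
            return self._record(user, submitted_tx, "bad_signature")
        return self._record(user, submitted_tx, "ok", signature)

    def _record(self, user, tx, result, signature=None):
        """Store contents, timing and outcome as the undisputable proof."""
        self.vault.append({"user": user, "critical_data": canonicalize(tx).decode(),
                           "signature": signature, "result": result,
                           "time": time.time()})
        return result == "ok"
```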
  • Transcript

    • 1. Presenter’s name
      Date
      IBM Tivoli Access Manager for e-Business and
      SecurIT TrustBuilder®
      A UNIQUE COMBINATION
    • 2. Web Access Management
      2
      Products:
      Tivoli Federated Identity Manager (TFIM) and Tivoli Access Manager for e-business (TAMeb)
      IBM is a viable option in almost every WAM project, and continues to show customer growth, even though most other vendors' sales are flat or down.
      IBM TFIM combines the functionality of three products: a well-featured WAM product, a full-featured identity federation tool suitable for enterprise and service provider deployments, and a moderately well-featured Web services security tool.
    • 3. TrustBuilder Value Proposition for TAMeb & TFIM
      Versatile Authentication
      Transaction Signing and Validation
      3
    • 4. Why Versatile Authentication ?
      Static approaches to defining security controls are no longer adequate
      Security controls need to be flexible and meet the needs of the diverse set of user access requirements
      Ant Allen
      IAM Summit, London March 2009
      4
    • 5. Improving Security Controls with TAMeb and TrustBuilder
      Security requirements continue to evolve and require more flexible dynamic approaches to protecting customer information and user access
      Deeper security controls are required to ensure information is protected and not tampered with
      Customers need to review their authentication strategies with an eye towards moving up to a true versatile authentication approach.
      The ultimate goal, KuppingerCole believes, is to be able to move back and forth between different authentication mechanisms freely and flexibly without the need to modify the applications themselves.
      Martin Kuppinger
      Introducing Versatile Authentication and Transaction Signing
      5
    • 6. FFIEC Guidance: Authentication in an Internet Banking Environment
      The Federal Financial Institutions Examination Council, or FFIEC, is a formal interagency body of the United States government empowered to:
      • prescribe uniform principles, standards, and report forms for the federal examination of financial institutions
      • make recommendations to promote uniformity in the supervision of financial institutions.
      FFIEC guidance issued in 2005. New recommendations issued on June 28th, 2011.
      6
      New recommendation: Layered Security Programs
      • the use of different controls at different points in a transaction process
      • can substantially strengthen the overall security of Internet-based services
      • be effective in protecting sensitive customer information, preventing identity theft, and reducing account takeovers and the resulting financial losses.
    • 7. What is Versatile Authentication ?
      [Figure: login screen with ID and password fields next to a SecurID token displaying 13289576]
      • Access policy depends on User/Group/Role
      • Information needs to be protected based on its value to the business
      • Access management must be flexible and modular
      • A layered security approach can provide the ability to support coarse to fine grained access controls
      The ability to dynamically set the authentication methods, based on workflow, can provide the flexibility to define the access management policy
      7
    • 8. What is Transaction Signing and Validation?
      • Ensure the critical data in a transaction cannot be altered by malicious invaders, either on the endpoint or in the network
      • Maintain an undisputable proof of the Transaction Contents and Timing in a safe place
      [Figure: User, APPLICATIONS, Seal, Sign, Vault]
      Typical Use cases
      Provides the ability to detect application data tampering and keep an undisputable proof
      8
    • 9. Business needs
      TAMeB and SecurIT TrustBuilder®
      9
    • 10. Observed TrustBuilder Business Needs
      Do you need to support other Authentication mechanisms than those provided by standard TAM?
      Do you need to migrate smoothly from username/password to strong Authentication?
      Is there a requirement to support multiple Authentication mechanisms simultaneously?
      Security Driven (authentication vs strong authentication)
      Business Driven (cost / user-friendliness / legacy / rules)
      Do you need to determine the authentication requirements based on variables, such as the type of User, the Protected Resource, the User’s location, context-based variables, etc.?
      10
      AUTHENTICATION
      • Username/Password: LDAP, AD, RACF, etc.
      • OTP: hardware, software, outbound / mobile
      • Digital Certificates: SSL, challenge/response
      • Biometrics
      • Etc.
    • 11. Observed TrustBuilder Business Needs
      • Do you want to reduce the development time &amp; costs of adding Transaction Validation services to applications?
      With TrustBuilder the transaction data integrity and non-repudiation services can be centralized in the security infrastructure instead of including them into every application.
      • Is there need to support different Transaction Proofing mechanisms?
      • Do you want to ensure transactions are not tampered with?
      • Do you want to protect your intellectual property?
      11
      TRANSACTION VALIDATION
    • 12. VALUE PROPOSITION
      TAMeB and SecurIT TrustBuilder®
      12
    • 13. TAMeb and TrustBuilder
      TrustBuilder
      • Context aware access control
      • Out of the box support for many validation mechanisms
      • Workflow driven authorization policy definition
      • Protecting the Integrity of the application transaction contents
      • Keep a non-repudiable proof of the transaction.
      [Figure: Versatile Authentication; Workflow / Extended Policy Controls; Connectors for Validation; Access / Authentication / Authorization; Access Policy; Logging; TAMeb]
      TrustBuilder extends TAMeb capabilities to extend authentication controls, introduces transaction layer protection, and provides a workflow based UI to define policies
      13
    • 14. How it fits together
      Identity Federation
      Cross-domain SSO
      TFIM
      TAMeB
      Authentication
      Access Control
      Web SSO
      APPLICATIONS
      User
      Versatile Authentication
      Adaptive Access Control
      Transaction Validation
      TrustBuilder
      14
    • 15. TrustBuilder Security Services Platform
      Plug-ins
      Available as WebSphere®Application and Software Appliance
      15
    • 16. TrustBuilder Workflow Manager
      • This management component will determine how the request will be handled in a particular use case
      • Graphical User Interface for ease of use
      • Drag and drop configuration
      • Easily create new or edit existing workflows
      • Quick and simple analysis of a complex security model
      • The transaction can be managed by a policy: set the boundaries of acceptable security levels and alike.
      16
    • 17. Benefits for a TAMeB or TFIM customer
      • Save considerable Time and Money by extending TAMeB with other Authentication capabilities from # vendors. (Vasco, RSA, Gemalto, Kobil &amp; all RADIUS)
      • Ability to dynamically update authentication mechanisms, without affecting TAMeB or Applications.
      • Simply accommodate # user communities with # authentication requirements and/or mechanisms.
      • Easily map authentication tokens to a known TAMeB ID (e.g. certificate).
      • Considerably reduce the workload on WebSEAL by offloading authentication to TrustBuilder Server.
      • Share TrustBuilder Server authentication services between TAMeB and other platforms (Network Access, Portals, Applications, etc.)
      Versatile Authentication
      17
    • 18. Benefits for a TAMeB or TFIM customer
      Transaction Validation Services can be combined with Authentication Services on the same TrustBuilder system
      Minimal impact on existing and new applications, reducing development time
      Transaction Validation services can now easily be shared by multiple applications, allowing significant savings
      Open to support different Transaction Proofing mechanisms
      OTP (Gemalto, RSA, Vasco)
      X.509 Signatures
      Compliant with CAP/EMV (VISA/MC)
      Open to support new Transaction Types by generating a highly-configurable challenge over any transaction or data submitted to it
      Solution meets many industry standards and aids in compliance management.
      Transaction Validation
      18
    • 19. Signing as a Service
      Transaction Preparation
      Collect sensitive information from Transactions
      Generate Challenge
      Transaction Signing
      Present Signature Form
      Embed Challenge
      Embed signing logic
      Transaction Validation
      Capture Signature
      Validate Signature
      Store validation result
      19
    • 20. Transaction Validation Use Cases
      20
      Web Service provided to Applications
      APPS
      TAMeB
      SSO
      Authentication
      Signing & Validation
      TrustBuilder
      User
      User
      APPS
      TAMeB
      Service provided via TAM Authorization Policy
      SSO
      Authentication
      Signing & Validation
      TrustBuilder
    • 21. USE CASE: Versatile AUTHENTICATION
      • Username/Password
        • validated against RACF
      • VASCO Digipass
        • OTP device
        • Unconnected Card Reader
      • X.509 Certificates
        • Certificate on USB dongle
        • Certificate on SmartCard
      Business Drivers:
      Using # authentication mechanisms for # user communities
      21
    • 22. USE CASE: Versatile AUTHENTICATION
      • Username/Password
        • validated through TAM API
      • RSA SecurID
        • Radius backend shared with VPN
        • including Token life cycle Mgmt
      • X.509 Certificates
        • Certificate to TAM ID mapping
        • Online and offline Revocation check
      European Organization for the Safety of Air Navigation
      SecurIT TrustBuilder
      22
    • 23. Benefits for the Customers
      Simultaneous support for multiple Authentication methods to accommodate use cases
      More flexibility in the rapidly changing world of security.
      The environment can easily be extended with other Authentications methods.
      Less Development Costs
      Compliance with Government and Industry regulations.
      23
    • 24. USE CASE: TRANSACTION SIGNING &amp; VALIDATION
      • Align with regulatory demands
        • Migrate to CAP-EMV using a UCR
      • Business requirements
        • SSO for customers within retail &amp; wholesale segments
        • Support crossing of customer segments
        • Support external hosted applications
        • Support employees – branch of the future
        • Support newer paradigms: Federation, Mobile …
      • Buy versus Build, also for Security
      24
    • 25. Translated into reality …
      One integrated architecture
      Supporting the vision to become a ‘Direct’ bank
      Supporting ‘Universal’ access by employees
      The architecture supports cross over behaviour
      The customer employee user wants to check on its private affairs
      The customer employee user is interested in seeing the offers of the bank her/his employer is using
      Combination of TAM/TFIM and TrustBuilder.
      TAM/TFIM
      TrustBuilder
      • Extends the Authentication capabilities of TAM/TFIM
      • Acts as gateway to Authentication &amp; Signing Services
      • Enables Flexibility in defining Security Workflows.
      25
    • 26. TrustBuilder: Key Features
      Enterprise Security Services platform
      Versatile Authentication
      Transaction Signing & Validation
      Out-of-the-Box solution
      Plug-in Architecture with comprehensive Connector Library
      Supports many Vendor/Validation mechanisms
      Integrates with many User & Data Repositories
      Guarantees Flexibility
      Easily adapt to changing requirements
      Supports migration needs
      Configurable Workflow to accommodate # Use Cases
      Ease of Implementation
      No development
      Choose, Pick or Change Connectors
      Drag-and-drop GUI Workflow set-up
      Field proven, robust and scalable Technology
      26
    • 27. SecurIT
      info@securit.biz
      www.securit.biz
      QUESTIONS ?
      27