Password Fatigation
Published in: Technology
  • The IT security problem of today: Password Fatigation
  • This is a classic login screen on your intranet, a way of getting access using a username and password.
  • Besides the intranet, your company also offers other internal applications that require an additional login.
  • Applications whose main purpose is to offer a service to a select user group, and which therefore store identities in the form of a username and password.
  • “Provider” is a generic way of referring to both IdPs (Identity Providers) and SPs (Service Providers). There are overlaps when it comes to defining Identity Providers vs. Service Providers. According to OASIS, the organization that created SAML, an Identity Provider is defined as “A kind of provider that creates, maintains, and manages identity information for principals and provides principal authentication to other service providers within a federation, such as with web browser profiles.” A Service Provider is “A role donned by a system entity where the system entity provides services to principals or other system entities”, and a Federation is “An association comprising any number of service providers and identity providers.”
  • In simple terms, and as they relate to identity management, an Identity Provider can be described as a Service Provider for storing identity profiles and offering incentives to other SPs with the aim of federating user identities. It should be noted, however, that Identity Providers can also provide services beyond those related to the storage of identity profiles. In this way the cost of identity management is reduced.
  • Single sign-on (SSO) is a property of access control of multiple related, but independent, software systems. With this property a user logs in once and gains access to all systems without being prompted to log in again at each of them. Conversely, single sign-off is the property whereby a single action of signing out terminates access to multiple software systems. As different applications and resources support different authentication mechanisms, single sign-on has to internally translate to and store different credentials compared to what is used for the initial authentication. Single sign-on requires that users literally sign in once to establish their credentials. Systems which require the user to log in multiple times to the same identity are inherently not single sign-on. For example, an environment where users are prompted to log in to their desktop, then log in to their email using the same credentials, is not single sign-on.
  • As single sign-on provides access to many resources once the user is initially authenticated (“keys to the castle”), it increases the negative impact in case the credentials are available to other persons and misused. Therefore, single sign-on requires an increased focus on the protection of the user credentials, and should ideally be combined with strong authentication methods like smart cards and one-time password tokens.
  • FIdM, or the “federation” of identity, describes the technologies, standards and use cases which serve to enable the portability of identity information across otherwise autonomous security domains. The ultimate goal of identity federation is to enable users of one domain to securely and seamlessly access data or systems of another domain, without the need for completely redundant user administration. Identity federation comes in many flavours, including “user-controlled” or “user-centric” scenarios, as well as enterprise-controlled or B2B scenarios.
  • Digital identity platforms allow users to log onto third-party websites, applications, mobile devices and gaming systems with their existing identity, i.e. they enable social login. Social login allows public access to your application without the need to manage those users’ identities yourself.
  • Hello everybody. Let’s give you some help to sell the IDENTIKEY Federation Server.
  • We will go through 3 case studies. First one: an existing customer who has a security concern. Second one: a new customer who has some issues with user management. And the last one: a customer who would like to decrease the helpdesk costs. Fasten your seatbelts, let’s start with the first case.
  • Let’s say hi to Catherine Falcke. She is the CEO of “Beyond the door”. This company sells and installs doors, garage doors, skylights, window security, … More than 100 employees are working for this company.
  • Good to know is that the company already uses the VASCO IDENTIKEY Authentication Server to protect the remote access for the sales people. Already a customer of VASCO? Yes. 3 years ago a VASCO reseller sold and installed an IDENTIKEY Authentication Server. Reason: protection of the remote access for the complete sales team (25 persons), and protection of the OWA for the complete sales team. Q: Which edition of IDENTIKEY Authentication Server did the reseller sell? IK Gold, for the web filters.
  • She remembers, from a previous contact, that it’s no problem to also protect all the web based applications with an OTP. So she set up a meeting with Brent Kehl from Easysis, her dedicated reseller.
  • Now we need to get more information from Mrs. Falcke. How many applications are you using? Who has access to these applications?
  • Well, we have in total 5 different web based applications: SharePoint, OWA, hardware inventory (Baramundi), Salesforce and Securex. The last 2 are cloud based solutions. I hope this is not a problem? All these applications are protected with static passwords. Who has access to these applications? Besides all the 25 sales people, also my complete administrative staff (40 persons) and some technical guys (15 persons). So, in total 80 employees have access to all the internal applications.
  • Brent listened very carefully, thought about it, and came up with a solution! Dear Mrs. Falcke, thanks to the fact that you are already working with a VASCO solution, it is actually simple. Let me explain how: we will upgrade the 25 user licenses of the sales people from a Gold to an Enterprise edition. You need to buy 55 extra user licenses, Enterprise Edition, and 55 DIGIPASS authenticators for the administrative staff and technical guys.
  • And how does this work in real life? Say hi to Sandra. Sandra is an administrative person. As from today, she has secured access to the web based applications, thanks to the IK Authentication Server. So each day she needs to log in on each site with an OTP. Not really convenient!? Can we offer an even more convenient solution?
  • We can do better than this. Just keep the next concerns in mind: each day Sandra, and the others, need to log in to different applications = annoying. Is she using the same username on each application? Are all the web based applications talking SOAP? Or SAML? OAuth, … More and more applications are cloud based, so there is a big chance that this company will work with extra applications in the future. An upgrade of user licenses can be hard to sell. And even then, you are not sure that it can work (SAML, OAuth, …).
  • So, let’s give them a solution: whereby we offer the end user SSO; whereby we offer security; which is future-ready: extra applications are no problem, and applications talking SAML, REST, OAuth or SOAP can be easily integrated; and which does not need an upgrade of existing licenses.
  • Well, we can offer a solution which takes care of all these topics: IDENTIKEY Authentication Server, in combination with IDENTIKEY Federation Server. And the good news is that they belong to the same family. OK, but how will it look?
  • So, thanks to the combination of IK Authentication Server and Federation Server, we offer the end user a secure and convenient solution.
  • So, the IDENTIKEY Authentication Server, in combination with the IDENTIKEY Federation Server, offers the customer a lot of advantages. For the end user: 1 login to access all the applications; login is secured by a One Time Password. For the company, and more specifically the IT people: 1 central point to manage all the users; no administration overload; easy management of licenses.
  • Brief recapitulation: Case 1: an existing IK Authentication customer. Request for securing web based applications. Solution: IK Authentication and Federation Server. Case 2: new customer. Web based applications, scared of hacking. Solution: IK Authentication and Federation Server. Case 3: new customer. Web based applications, likes to be a differentiator. Solution: IK Authentication, Federation Server and MYDIGIPASS.COM.
  • The company QuickMedia is situated in the marketing vertical. They offer their customers: social media marketing campaigns, SEO solutions (Search Engine Optimization), content marketing, help to convert website visits into customers, …
  • John is concerned about confidentiality. All the company applications are accessible via a username and password. So he is scared that someone could have access to the internal databases of the company (without him knowing it).
  • QuickMedia invited Alice Malley, a reseller of VASCO. John will explain that he would like to have a secure solution for his web based applications. Another concern he has is about the consultants. He is not always sure that, when they leave the company, the access on each website is blocked. @Peter Vervloedt: Gartner report regarding the time it takes before an ex-employee is bloc
  • Well, and again, we must ask these 2 questions: which applications would you like to protect? And how many persons are using these applications?
  • Well, we have in total 7 different web based applications running. The customer has in total 7 different applications running: 3 managed internally: SharePoint, WordPress (for blogs), SAP (management of data); 3 managed externally: Office 365, HRnetSource (online HR portal), EPAY (cloud based time tracking tool), Salesforce. 50 people are working in our company. 40 of them are on the payroll of QuickMedia, the other 10 are consultants.
  • Alice can offer John a great solution: IFS together with the IAS. Q&A: Which solution can we offer? And why? IAS in combination with IFS: secure (OTP) and simple user management (for blocking leaving people). What was the request again? Security and blocking consultants.
  • So, the IDENTIKEY Authentication Server, in combination with the IDENTIKEY Federation Server, offers the customer a lot of advantages. For the end user: login is secured by a One Time Password. For the company, and more specifically the IT people: 1 central point to manage all the users; no administration overload; easy blocking of consultants who are leaving the company.
  • Marc Celis is the IT manager of EduSocra. This company offers HR managers of several companies in France online tools to create, follow up, … training tracks for their employees. Good to know is that they are linked (financially) with the national government.
  • As an IT manager, Marc sees that 40% of the IT tickets are created because of password issues, since they changed the password policy (stronger). This also implies that the workload of the IT department increases. EduSocra even took the recruitment of 2 new IT administrators into consideration.
  • Can you give me more information about the applications and the people who are using these?
  • We have in total 7 different applications. All internally managed, except Google Apps. All the internal applications are “house made” and accessible by the B2B associates as well as the employees. In total 5120 persons are using the online applications. Of the 5120 people, 120 are employees of EduSocra.
  • Justin: As far as I can see, your company has set up a great solution for its employees and B2B associates. Nevertheless, are people having complaints about this way of working? Marc: We hear more and more people complaining about the login on each website. They very often forget their username or password. This increases the workload of the IT staff. And keep also in mind that people are very impatient these days. They like to have a solution asap.
  • Mr. Celis, we can offer you the IDENTIKEY Federation Server. With this solution you will create an SSO solution for your employees as well as for your B2B associates.
  • So, whether it’s one of your employees or a business associate, they need to fill in their username and password only once. It’s a very convenient solution. But sorry, this is also a very dangerous solution!
  • Well, this is a really great solution and very convenient for the end user and IT administrators. But there is a major security risk!! All the web based applications are accessible with a username and the same static password.
  • Get rid of these static passwords!! Combine the IDENTIKEY Federation Server together with the IDENTIKEY Authentication Server. Which IDENTIKEY Authentication Server? This is already possible with a Standard edition. That is tricky, though: no backup license!!
  • Marc Celis is convinced of the proposed solution. He has, however, some issues with the total cost of this solution. Paying for user licenses on the IFS for employees and B2B associates: no issue. This will decrease the helpdesk costs, so acceptable. Paying for security? Buying user licenses on IAS for employees: no issue. Own staff: extra cost is acceptable. For the 5000 B2B associates: too expensive. Are they still an associate after 1 year?
  • And the name of this solution? MYDIGIPASS.COM
  • And how would the solution look? So, the B2B associates will log in securely with a free DIGIPASS authenticator on the MDP platform. And MYDIGIPASS.COM can easily be linked to the IDENTIKEY Federation Server.
  • The IDENTIKEY Federation Server offers you a bunch of advantages: 1 login to all the applications; 1 central place to manage the users; 1 central point to manage leaving employees; SSO increases productivity.
  • Brief recapitulation: combining the IAS and IFS gives customers a solution for different issues: focus on security, focus on user management, or focus on helpdesk costs. Case 1: an existing IK Authentication customer. Request for securing web based applications. Solution: IK Authentication and Federation Server. Case 2: new customer. Web based applications, scared of hacking. Solution: IK Authentication and Federation Server. Case 3: new customer. Web based applications, likes to be a differentiator. Solution: IK Authentication, Federation Server and MYDIGIPASS.COM.
  • Password fatigation
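The notes above describe the federated flow of slide 11 (user asks the service, service sends the user to the identity provider, identity provider checks username and OTP, hands out a ticket, service accepts the ticket), the “keys to the castle” caveat on SSO, and the claim that one central point is where a leaving consultant is blocked. The following is an added example that models those points in Python; it is not code from the VASCO deck or from the IDENTIKEY products. It assumes HMAC-signed JSON tickets as a stand-in for SAML assertions, RFC 4226 HOTP as a stand-in for the DIGIPASS OTP, and constructed names (sandra, sharepoint, owa, salesforce) for the user and applications.

```python
# Added example (not VASCO code): toy federation modelled on slide 11 and the
# notes on SSO, ticket verification and central blocking of leavers.
import base64
import hashlib
import hmac
import json
import secrets
import struct
import time

# RFC 4226 Appendix D test secret, used here as a constructed sample.
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class IdentityProvider:
    """Stores the identities, checks the OTP and issues signed tickets."""

    def __init__(self, signing_key: bytes):
        self.key = signing_key
        self.users = {}     # username -> {"secret", "counter", "enabled"}
        self.sessions = {}  # session id -> username

    def enrol(self, user: str, secret: bytes) -> None:
        self.users[user] = {"secret": secret, "counter": 0, "enabled": True}

    def disable(self, user: str) -> None:
        """One change here blocks every federated application at once."""
        self.users[user]["enabled"] = False
        self.sessions = {s: u for s, u in self.sessions.items() if u != user}

    def login(self, user: str, otp: str):
        """Slide steps 3/4: username + OTP in, session id out (or None)."""
        rec = self.users.get(user)
        if rec is None or not rec["enabled"]:
            return None
        # Small look-ahead window; the counter only moves forward, so an OTP
        # that was already used (or captured) is not accepted a second time.
        for c in range(rec["counter"], rec["counter"] + 3):
            if hmac.compare_digest(hotp(rec["secret"], c), otp):
                rec["counter"] = c + 1
                sid = secrets.token_hex(16)
                self.sessions[sid] = user
                return sid
        return None

    def issue_ticket(self, sid: str, audience: str, ttl: int = 300, now=None):
        """Slide steps 5/6: short-lived, audience-bound, HMAC-signed ticket."""
        user = self.sessions.get(sid)
        if user is None or not self.users[user]["enabled"]:
            return None
        now = time.time() if now is None else now
        body = json.dumps({"sub": user, "aud": audience, "exp": now + ttl}).encode()
        sig = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        return base64.b64encode(body).decode() + "." + sig


class ServiceProvider:
    """Trusts the IdP key; never handles a password or OTP itself."""

    def __init__(self, name: str, idp_key: bytes):
        self.name = name
        self.idp_key = idp_key

    def access(self, ticket, now=None) -> bool:
        """Slide steps 7/8: check signature, audience and expiry before 'yes'."""
        try:
            b64, sig = ticket.split(".")
            body = base64.b64decode(b64)
        except Exception:
            return False
        expected = hmac.new(self.idp_key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return False
        claims = json.loads(body)
        now = time.time() if now is None else now
        return claims["aud"] == self.name and claims["exp"] > now


def demo() -> dict:
    """Sandra (slide 23) logs in once and reaches three applications."""
    key = b"constructed-idp-signing-key"
    idp = IdentityProvider(key)
    apps = {n: ServiceProvider(n, key) for n in ("sharepoint", "owa", "salesforce")}
    idp.enrol("sandra", RFC4226_SECRET)
    r = {}
    r["wrong_otp_rejected"] = idp.login("sandra", "000000") is None
    sid = idp.login("sandra", hotp(RFC4226_SECRET, 0))
    r["login_ok"] = sid is not None
    r["replay_rejected"] = idp.login("sandra", hotp(RFC4226_SECRET, 0)) is None
    # One OTP login, three applications: the SSO promise of the deck.
    r["sso"] = all(apps[n].access(idp.issue_ticket(sid, n)) for n in apps)
    r["wrong_audience_rejected"] = not apps["owa"].access(idp.issue_ticket(sid, "sharepoint"))
    r["expired_rejected"] = not apps["owa"].access(idp.issue_ticket(sid, "owa", 60, now=1000.0), now=2000.0)
    b64, sig = idp.issue_ticket(sid, "owa").split(".")
    forged = base64.b64encode(base64.b64decode(b64).replace(b"sandra", b"admin")).decode() + "." + sig
    r["tampered_rejected"] = not apps["owa"].access(forged)
    # Sandra leaves: disabling her at the IdP closes every application.
    idp.disable("sandra")
    r["leaver_blocked"] = idp.issue_ticket(sid, "owa") is None
    return r
```

Every value returned by demo() is True: the wrong or reused OTP is refused, one login serves all three applications, and a ticket for the wrong audience, an expired ticket or a tampered ticket is refused by the service. The last check is the user-management argument of cases 2 and 3: the service providers keep no account of their own, so disabling the user at the identity provider is the single action that blocks a leaver everywhere.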

    1. Password Fatigation
    2. http://your.intranet.com your. intranet.com john.doe@vasco.com Y ******** © 2013 - VASCO Data Security IDENTIKEY Federation Server Workshop
    3. http://your.intranet.com your domain your. intranet.com Y …
    4. your domain Identity Service
    5. your domain SAML Identity Service
    6. your domain Reduces Identity $ Management Costs
    7. your domain
    8. your domain
    9. your the domain cloud …
    10. your the domain cloud Authentication … Identity Service Users DIGIPASS
    11. Yes you can 8 Can I access? 1 Please Login @ … Jack 6 A Service Ticket ? 7 3 Authentication 2 OTP ? 4 Identity Identity 5 Authentication Service Jack
    12. User A Service 2 Ticket Identity Authentication Ticket ? 4 3 Please Login @ … Can I access? 1 B Jack Service Yes you can 5
    13. … Identity Identity Authentication
    14. Identity One Family Identity Authentication Identity Server Federation SAML
    15. IFS: The selling story Raf Van Ermengem Trainer
    16. Existing customer, New customer, New customer: Security, User Management, helpdesk costs, B2B associates
    17. Catherine Falcke, CEO
    18. Remote access OWA 25
    19. Protect all company applications with … Brent Kehl, Account Manager
    20. Which applications? How many users?
    21. 580 25 40 15 Sales Admin Technical
    22. I don’t talk RADIUS; 25 Sales, 40 Admin, 15 Technical; Upgrade license to Enterprise; Selling 55 user licenses Enterprise; Selling 55 DIGIPASS Authenticators
    23. Username & OTP, Check OTP, Sandra
    24. SAML? SOAP? OpenID? OAuth? Username C ? Username A Username C Sandra
    25. Single Sign On, Future-ready, No upgrade existing licenses, Secure
    26. Username OTP Sandra
    27. Easy management of licenses, Future ready, Secure, Easy user management, SSO 1 login, No administration overload, Convenient …
    28. New customer, Existing customer: User Management, Security
    29. John Forbes, Manager, Customer
    30. (no text on slide)
    31. Protection web applications; Consultants leaving company; Alice Malley, Account Manager
    32. Which applications? How many users?
    33. 770 40 30 Employee Consultant
    34. Username OTP Dennis
    35. 1 central point, Secure, Future proof, SSO …
    36. Existing customer, New customer, New customer: Security, User Management, helpdesk costs
    37. Marc Celis, IT Manager
    38. David Gomez, Account manager; Password issues, Helpdesk cost
    39. Which applications? How many users?
    40. 7 Soft skills, HR portal, My employees, Training, Training, Training Credits, Tracks, offer; 5120 120 5000 Employee Associates
    41. Complaints? Login = annoying; What’s my password? SSO = solution?
    42. (no text on slide)
    43. Soft skills, HR portal, Training Credits, Training Tracks, Training offer, My employees; Username Password Lisa
    44. 1 central point, Decrease TCO, Easy user management, 1 login, Convenient
    45. (no text on slide)
    46. Soft skills, HR portal, Training Credits, Training Tracks, Training offer, My employees; Username OTP Lisa
    47. 1 central point, Decrease TCO, Easy user management, 1 login, Convenient, Security
    48. 120 Employee, 5000 B2B associates; User license? Security
    49. Security ? 5000 B2B associates
    50. Soft skills, HR portal, Training Credits, Training Tracks, Training offer, My employees; 5000 B2B associates Username Password; 120 Employee Username OTP
    51. (no text on slide)
    52. Soft skills, HR portal, Training Credits, Training Tracks, Training offer, My employees; 5000 B2B associates Username Password OTP; 120 Employee Username OTP
    53. 1 central point, Future ready, Decrease TCO, Easy user management, SSO, Secure, Convenient, Cost effective
    54. Existing customer, New customer, New customer: Security, User Management, helpdesk costs, B2B associates
    55. Define Title in Insert Header/Footer Slide
