Cybercrime - How do we invest in IT relative to it?
One centralised multi-factor authentication solution for all
use cases - Advanced Authentication.
25.4.2017 Flexible and managed access
3. Trends and challenges
• Digitalisation
• Mobility
• Greater attention to information security
• Ransomware
• Openness and transparency of information
• Cloud services such as Office 365 and Salesforce
• National guidance:
  • Katakri
  • Vahti
  • Healthcare regulations
4. Trends and challenges
• Laws and regulations (incl. EU)
• Self-service and distributed administration
• Delivering IT as a service to the business
• Multiple service providers
• Collaboration groups
• Electronic services
• Internet of Things (IoT)
• "Identity of Everything"
[Figure: word cloud of identity-related terms around "Identities ?": Students, Identities, SaaS, Ransomware, Storage, Virtual, History, Network, Mobility, Location, Vendors, Laws, Operating System, Citizens, Collaboration, Clusters, Heritage, Organization, Social, ...]
10. Advanced Authentication
One centralised multi-factor authentication solution for all
use cases
Avoid running several different multi-factor authentication solutions in the
organisation. Deploy one centralised service that the different services
use and to which you can attach the different authentication methods. This reduces
maintenance work, eases use and lowers risk.
Key functionality
One authentication solution for all use
• Mobile, workstation, browser, cloud services
• Support for all authentication methods
• Centralised policy management
• Support for multiple sites
• Support for separate user organisations in one deployment
Micro Focus Advanced Authentication v5.5 (Multi Factor Authentication)
16. Authentication methods (login mock-ups)
• Time-based One-time Password (TOTP App): login name, password and a six-digit code from the app
• Out-of-Band Authentication (OOBA App): login name and password, then an Approve YES/NO prompt on the phone
• Hardware Tokens: login name, password and a code read from the token display
• FIDO U2F Key: login name and password, then "Insert Security Key"
• SMS One-time Password (OTP): login name, password and a code delivered via the telco's SMS service
• Card Authentication (Proximity / Smartcard): login name, password and "Tap card"
• Pin pad reader: login name, password and a code entered on the reader
• Fingerprint: login name, password and "Place Finger"
Which is the best authentication method?
20. Challenge
Service in use
• IT-infrastructure Access: user devices, network access, access to servers, building
• Enterprise Application Access: ERP, CRM, finance, remote, kiosks and workstations
• Cloud/Web access: on-prem web applications, SaaS applications, federated access (to or from)
• Other: execution of transactions, signing of transactions, business data (storage)
• more…
Authentication methods
• Smart Cards: contact and contactless cards, PKI cards
• Biometrics: fingerprint, iris, vein, voice
• Smartphone: One-Time-Password (OTP), Out-of-Band, LiveEnsure
• Radius: Cryptocard, Phonefactor, SMS-Passcode, etc.
• Knowledge based: secret (phrase) questions, passwords, PIN
• Tokens: software tokens, hardware tokens
• Other: social login, federated authentication, thumb drive, flash drive+PIN
21. Solution - Advanced Authentication Framework
Service in use (the same list as on slide 20)
• IT-infrastructure Access: user devices, network access, access to servers, building
• Enterprise Application Access: ERP, CRM, finance, remote, kiosks and workstations
• Cloud/Web access: on-prem web applications, SaaS applications, federated access (to or from)
• Other: execution of transactions, signing of transactions, business data (storage)
• more…
Authentication methods (the same list as on slide 20)
• Smart Cards: contact and contactless cards, PKI cards
• Biometrics: fingerprint, iris, vein, voice
• Smartphone: One-Time-Password (OTP), Out-of-Band, LiveEnsure
• Radius: Cryptocard, Phonefactor, SMS-Passcode, etc.
• Knowledge based: secret (phrase) questions, passwords, PIN
• Tokens: software tokens, hardware tokens
• Other: social login, federated authentication, thumb drive, flash drive+PIN
The Advanced Authentication Framework (AAF) sits between the services and the methods and provides authentication, management, delegation, an authentication cache, etc., backed by a directory.
22. Windows (architecture diagram)
[Diagram: the Advanced Authentication Framework exposes these integration points: Windows Credential Provider, OS X Authentication Plug-in, Linux Pluggable Authentication Module, RADIUS/HSM APIs, ADFS Plug-in, Mobile APIs/RADIUS, Web Services API. Connected systems: Security Access Management, Enterprise SSO, ADFS, Mobile Platforms, Browser, Password Reset, Terminal Emulator, Privileged User Management.]
23. Advanced Authentication server
Remote Access Edition Methods
• Smartphone: Out-Of-Band push to iOS, Android or Windows Phones
• Geo-Fencing: smartphone-based GPS location validation
• FIDO U2F: "Fast Identity Online" for Chrome / API application
• Soft Token: OATH-based TOTP / HOTP
• Google Auth: external Google Authenticator OTP
• Microsoft Live: external Microsoft Live OATH OTP
• RADIUS Client: interface with existing RADIUS solutions
• Hard Token: device, OATH-based TOTP / HOTP
• Voice OTP: voice-call delivered OTP
• SMS OTP: Short Message Service delivered OTP
• Email OTP: email delivered OTP
• Voice Call: voice call with prompt for user PIN validation
• Swisscom: external Swisscom SmartPhone PKI authentication
• Emergency PW: helpdesk-assisted password
• PIN Code: user-enrolled PIN code as a factor
• Challenge: user-enrolled challenge / response
Remote Access Edition Features
• ADFS: plug-in integration
• OAuth: Open Authorization token
• REST: lightweight programming interface
• RADIUS: internal RADIUS server
• FIPS 140-2: "FIPS Inside" via OpenSSL FIPS module
• Multi-Tenant: support for multiple divisions or clients
• Impersonation: linked account authenticator
• Caching: second factor skipping
• HTTP Proxy: secure AA behind network
• Kerberos: SSO with Kerberos ticket systems
Standards and Integrations: HSPD-12, PKCS11, OAuth2, RADIUS, Google Auth., PKCS7, Kerberos, Microsoft Live, OATH, NFC, ISO/IEC, Mac OS X
Enterprise Edition Features (additional)
• BYOD: non-domain workstation support
• Windows CP: Credential Provider for Win 7, 8 and 10
• AD Login Filter: MS Active Directory domain login filter
• Mac OS X: OS X authentication plug-in
• Off-Line: workstation login (Win, Mac, Linux)
• Linux PAM: RPM and DEB modules
Enterprise Edition Methods (additional)
• Bluetooth: device-in-range login and lock for Windows
• FIDO U2F: use "Fast Identity Online" for anything
• Smartcard: PKI / PKCS7 with certificate validation
• Fingerprint: Windows Biometric Framework
• Smartcard: PKI / PKCS11 with certificate validation
• Fingerprint: NEXT Biometrics direct API integration
• NFC: 13.56 MHz cards, tokens, fobs, smartphones, etc.
• Fingerprint: Lumidigm / HID direct API integration
• RFID: 125 kHz proximity cards, tokens, fobs, etc.
• Fingerprint: Digital Persona driver-based integration
25. Key functionality
• Multi-factor authentication
• 20+ authentication methods
• Different user stores
  • AD, ADLDS, eDir, LDAP
• Distributed environments
• Multi-organisation capability
• Different platforms
  • Windows, Linux and Mac OS
• RADIUS service
  • Both server and client
• ADFS 3, OAuth 2.0 and SAML 2.0
• Syslog support
• FIPS 140-2 compliant encryption
• Helpdesk support
• Reporting portal
• Delivered as a software appliance