This document outlines the layered security features provided by IDentiWall, an identity and access management solution. Key features include VPN access protection, web application security, user and device authentication with over 150 methods, transaction verification, breach notification, risk-based policies, digital forensic investigations, high availability, and a quick return on investment through an initial virtual appliance installation and configuration wizards. IDentiWall provides identity and access security across networks, applications and devices.
Welcome to the IDentiWall presentation. Through this presentation you will get familiar with the broad security functionality and the unique architecture of IDentiWall.
With this new release we have made a tremendous effort to reinvent cyber security in a way that suits modern ways of doing business. The unusually rich functionality list, shown here on the left, amounts to end-to-end cyber defense that tackles every issue that must be dealt with for such a defense to succeed.
The first area of protection is the VPNs. (enter) IDentiWall is a RADIUS server and as such can be set up to handle user authentication for the VPN. If your organization manages its users in an LDAP directory, behind a web service, or in an SQL database, IDentiWall receives the authentication request from the VPN over the RADIUS protocol, converts it to LDAP, SOAP or SQL respectively, and forwards it to the appropriate user repository. Once it gets back a positive authentication reply it executes the second authentication factor, and only after that succeeds does IDentiWall authorize the user's access through the VPN. (enter) Since IDentiWall is a RADIUS server, it can be used as an authentication service for any RADIUS-capable environment, such as Citrix or a Wi-Fi access point. (enter) Multiple end-point support is probably the best way to explain how IDentiWall goes the extra mile to give its users the best possible service. You have probably come across some of the thousands of vendors selling SMS-based authentication. Did any of them bother to explain the shortcomings of relying exclusively on that method? Let me explain this crucial issue. At some point some of your users will try to use the VPN from an area without cellular coverage, such as a basement. Some will, no doubt, try to log in while travelling abroad with a local replacement SIM card bought for cheaper calls. A simple SMS-based solution has no way at all to serve users who cannot receive the SMS that was sent to them. But that is only half of the story. A growing share of modern cyber attacks is based on the man-in-the-browser technique. They work through malware that the attacker managed to inject into the user's browsing device.
This malware records credentials and becomes self-sufficient, attacking on its own without the user's participation. That is why it is important to execute out-of-band second-factor authentication: an authentication that does not travel over the IP network of the session but uses another network, the cellular network for example. Now, what if your user connects from a cellular device, such as a smartphone or tablet? Is sending an SMS straight to the man-in-the-browser installed on that same device still out-of-band? Unfortunately, with over 99% of the vendors it is acceptable to ignore this gap, but with IDentiWall it is not. IDentiWall uses its Browsing Platform Sensitivity capability: whenever it senses that the user is browsing from a cellular device, it excludes SMS and resorts to one of the other secured authentication methods it is equipped with. This is exactly why customers prefer IDentiWall over other solutions: its meticulous professionalism and its coverage of all the angles. (enter) For complex organizations that deploy more than one VPN, IDentiWall also offers built-in support for multiple VPNs.
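The VPN flow just described, as an added example that is not IDentiWall's own code: a RADIUS server that checks the first factor against a user store, then asks for the second factor with Access-Challenge and the State attribute, and a NAS side that plays the two legs and verifies the Response Authenticator before trusting any reply. The in-memory directory, the fixed OTP and the shared secret are constructed stand-ins for the LDAP/SOAP/SQL repository and the out-of-band code delivery the presentation refers to; the packet framing and the User-Password hiding follow RFC 2865.

```python
"""Two-leg RADIUS exchange (RFC 2865 framing). Constructed example: the
directory and the OTP source are in-memory stand-ins, not product code."""
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: NUL-pad to a 16-byte multiple, then XOR each chunk with
    MD5(secret + previous ciphertext chunk); the first chunk is keyed by the
    Request Authenticator, so a replayed packet hides the password differently."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        chunk = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + chunk, chunk
    return out

def reveal_password(hidden, secret, authenticator):
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")   # trailing NULs are indistinguishable from padding

def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    return code, ident, pkt[4:20], decode_attrs(pkt[20:length])

def response_authenticator(code, ident, request_auth, attrs, secret):
    """MD5(Code+ID+Length+RequestAuth+Attributes+Secret) ties a reply to one
    request and to the shared secret; the NAS must check it before trusting Accept."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()

def build_response(code, ident, request_auth, attrs, secret):
    return build_packet(code, ident, response_authenticator(code, ident, request_auth, attrs, secret), attrs)

def verify_response(pkt, request_auth, secret):
    code, ident, auth, attrs = parse_packet(pkt)
    return hmac.compare_digest(auth, response_authenticator(code, ident, request_auth, attrs, secret))

class TwoFactorRadiusServer:
    """Server role: first factor against a directory (a dict here; LDAP, SOAP or
    SQL behind the product), then an OTP that reaches the user out of band."""
    def __init__(self, secret, directory, otp_for_user):
        self.secret, self.directory, self.otp_for_user = secret, directory, otp_for_user
        self.pending = {}   # State value -> user who passed the first factor
    def handle(self, pkt):
        code, ident, req_auth, attrs = parse_packet(pkt)
        a = dict(attrs)
        user = a.get(USER_NAME, b"")
        pwd = reveal_password(a.get(USER_PASSWORD, b""), self.secret, req_auth)
        if STATE in a:   # second leg: User-Password carries the OTP
            ok = self.pending.pop(a[STATE], None) == user and hmac.compare_digest(pwd, self.otp_for_user(user))
            return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, [], self.secret)
        if self.directory.get(user) != pwd:   # first factor failed: the OTP is never sent
            return build_response(ACCESS_REJECT, ident, req_auth, [], self.secret)
        state = os.urandom(16)
        self.pending[state] = user
        return build_response(ACCESS_CHALLENGE, ident, req_auth,
                              [(REPLY_MESSAGE, b"Enter the code sent to your phone"), (STATE, state)], self.secret)

def vpn_login(server, secret, user, password, otp):
    """NAS side: send Access-Request, answer the challenge; return the final code."""
    ra = os.urandom(16)
    attrs = [(USER_NAME, user), (USER_PASSWORD, hide_password(password, secret, ra))]
    resp = server.handle(build_packet(ACCESS_REQUEST, 1, ra, attrs))
    if not verify_response(resp, ra, secret):
        raise ValueError("Response Authenticator mismatch: spoofed reply or wrong secret")
    code, _, _, rattrs = parse_packet(resp)
    if code != ACCESS_CHALLENGE:
        return code
    ra = os.urandom(16)
    attrs = [(USER_NAME, user), (USER_PASSWORD, hide_password(otp, secret, ra)), (STATE, dict(rattrs)[STATE])]
    resp = server.handle(build_packet(ACCESS_REQUEST, 2, ra, attrs))
    if not verify_response(resp, ra, secret):
        raise ValueError("Response Authenticator mismatch")
    return parse_packet(resp)[0]
```

The order of checks is the security-relevant part: the OTP is only generated and the Access-Challenge only sent after the first factor succeeded, so an attacker who only knows a user name cannot trigger out-of-band messages, and a reply whose Response Authenticator does not verify is never acted on.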
IDentiWall protection for web applications is a layered security technology. (enter) In compliance with one of the most important security principles, IDentiWall can be implemented in a web-application-agnostic mode. By choosing the agnostic mode over the API-compilation mode you actually choose: to maintain the important security principle of segregation of duties between your application programmers and your security professionals, and to keep the ability to stop using IDentiWall at any time in the future without any consequences for your web application. By that option you also keep us alert and focused on our service. (enter) The real market divide is between the vendors who sell a "one size fits all" solution and the few who sell risk-based security. It is understandable that your users do not all represent the same online risk level; after all, a student account does not represent the same online risk as a corporate account. Moreover, when a corporate user logs in from their work computer, located at the work address, during working hours, the session represents a relatively low risk level. But what if the same user logs in to the same account from a different country, using a different computer: does that represent the same low risk level? Obviously not. This is why IDentiWall deploys risk-based security: precisely to avoid over-securing low-risk sessions while sessions that need a higher level of security are under-secured. The dynamic nature of IDentiWall's risk-based security fits the security measures to the specific situation. (enter) As a layered security technology, IDentiWall starts by protecting the web site from being cloned for phishing purposes, as well as protecting the user from being lured into entering their password on such rogue sites. (enter) The second layer is user authentication, meant to make sure we are in session with an authenticated user. IDentiWall offers a lot in this area and we will elaborate later. (enter) The third layer is device authentication. It is not enough to determine that we are in session with an authenticated user; we also need to know which device they are coming from. (enter) Since attacks such as man-in-the-browser kick in after the user has been authenticated successfully, there is a crucial need to verify the content of the user's transaction. IDentiWall is equipped with this security layer as well. (enter) Regulators such as the FFIEC require banks to run a Customer Security Awareness Program. As an all-in-one solution, IDentiWall offers this layer as well. (enter) It is a well-known fact that users tend to reuse the same password on more than one site.
This exposes both the user and the bank to an identity breach that may have started elsewhere, on a different site. IDentiWall notifies the user that their identity has been breached, which constitutes an extra layer of security. (enter) Compliance is a serious issue, and in IDentiWall it can be implemented with a mouse click. (enter) The transition from physical cheques, which the bank would honor only when they carried two signatures, to online transactions seems to have lost the dual-signature control. IDentiWall restores this layer of security for online transactions. (enter) A password policy is often a matter of compliance with security requirements. IDentiWall provides this compliance layer right out of the box.
IDentiWall can be configured in various ways. (enter) It can be downloaded and installed as a virtual appliance. (enter) Or it can be installed as a traditional installation, with a regular installation wizard. (enter) Whichever way you choose to install it, IDentiWall supports cloud architecture. It can be installed either on an external cloud or internally in your network. It can be used as Security-as-a-Service, and as such it supports both single-tenant and multi-tenant models. As a cloud-based technology, IDentiWall fully supports the realm concept: separate realms can be defined for separate organizations, web servers, or even for each separate web application. IDentiWall's cloud model also supports distributed administration, in which the cloud administrator deals with general cloud issues while the realm administrator deals with realm-specific issues.
IDentiWall does not support domain user authentication at the time this presentation was recorded. However, we do plan to support it in the future; if this functionality is something you need, please check with us on its current status. (enter) IDentiWall's Domain area covers the domain user authentication layer, and... (enter) the physical and IT security convergence layer, which will be explained later on.
The anti-phishing security layer consists of... (enter) detection and reporting of copied rogue instances of your web site... (enter) and login page personalization, to protect the user from entering their password anywhere other than the real site. In the login page image below, the user has already entered their user ID. Notice that the enclosed area to the right of the user ID field is empty. (enter) Moving focus out of the user ID field triggers submission of the user ID to the IDentiWall server. (enter) IDentiWall responds by sending the user's associated picture, which is placed next to the credentials area. The user is asked not to enter their password if the displayed picture is not their associated picture. Since the picture catalogue consists of a large number of pictures and the user has only one specific associated picture, this turns the login page into a personalized login page.
Elevating the user's security awareness helps in fighting cyber crime. (enter) The FFIEC and other regulatory bodies across the world require banks to run a Customer Security Awareness Program. (enter) With IDentiWall this requirement is implemented with personalized Customer Learning Curve management, which can spread the learning process over multiple exposures. For example: a method in which the user must find their associated picture in a 5x5 matrix of pictures, extract an embedded passcode from it and copy it into a data entry field is quite complicated. IDentiWall deals with this as follows. In the first 3 login page exposures it shows a message explaining that an associated-picture method will be introduced in the near future. In the following 5 or maybe 10 exposures it shows a single picture with an explanation of the passcode concept. During the next 5 exposures it adds the passcode to the picture and the customer is asked to copy it into the field. Thereafter, for the next few exposures, the customer gets a 1x5 row of pictures and is asked to identify their picture and extract the passcode from it. Finally, Learning Curve Management reaches its destination: the user gets the full 5x5 matrix. As security gets complicated, being able to manage each individual user's knowledge level becomes a handy tool. (enter) Based on IDentiWall's support for Policy Per Page, security awareness activities can be embedded into specific pages as well. For example, they can be embedded in the login process, or even in the help desk function, so that the user takes part in learning activities while waiting for the next available customer service representative.
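The picture lookup from the previous slide and the exposure-driven stages described here, as an added example that is not IDentiWall's own code. The picture catalogue, the server key, the exact exposure thresholds (3, 10, 5, 5 before the full matrix) and the 4-digit passcode format are assumptions. One check a practitioner would want is built in: the picture endpoint is unauthenticated and keyed only by user ID, so an unknown ID gets a stable HMAC-derived decoy instead of an error, which keeps the endpoint from doubling as an account enumeration oracle. The scheme still assumes the rogue site cannot relay the user ID to the real site in real time, so the detection of cloned sites remains necessary alongside it.

```python
"""Personalized login picture plus exposure-based learning curve. Constructed
example: catalogue, thresholds and decoy derivation are assumptions."""
import hmac
import secrets

CATALOGUE = [f"pic-{i:03d}" for i in range(200)]     # constructed picture ids
SERVER_KEY = b"constructed-server-key"
# (stage name, exposure count at which it starts); counts assumed from the narration
STAGES = [("announce", 0), ("single_picture", 3), ("single_with_code", 13),
          ("row_1x5", 18), ("matrix_5x5", 23)]
GRID_SIZE = {"single_with_code": 1, "row_1x5": 5, "matrix_5x5": 25}


def stage_for(exposures: int) -> str:
    name = STAGES[0][0]
    for stage, start in STAGES:
        if exposures >= start:
            name = stage
    return name


class PersonalizedLogin:
    def __init__(self, users):
        # users: {user_id: {"picture": catalogue id, "exposures": int}}
        self.users, self.expected = users, {}

    def picture_for(self, user_id: str) -> str:
        """Picture returned when focus leaves the user-id field. Unknown ids get
        a stable decoy derived from an HMAC, so the response does not reveal
        whether the account exists; rate-limit this endpoint as well."""
        if user_id in self.users:
            return self.users[user_id]["picture"]
        digest = hmac.new(SERVER_KEY, user_id.encode(), "sha256").digest()
        return CATALOGUE[int.from_bytes(digest[:4], "big") % len(CATALOGUE)]

    def challenge(self, user_id: str) -> dict:
        """What the page renders for this exposure. Remembers the passcode the
        user must copy from their own picture (None at the early stages)."""
        u = self.users[user_id]
        stage = stage_for(u["exposures"])
        u["exposures"] += 1
        if stage not in GRID_SIZE:
            self.expected[user_id] = None
            return {"stage": stage, "cells": [(u["picture"], None)]}
        decoys = [p for p in CATALOGUE if p != u["picture"]]
        pics = [u["picture"]] + [decoys.pop(secrets.randbelow(len(decoys)))
                                 for _ in range(GRID_SIZE[stage] - 1)]
        cells = [(p, f"{secrets.randbelow(10000):04d}") for p in pics]
        secrets.SystemRandom().shuffle(cells)   # CSPRNG shuffle: position of the real picture is random
        self.expected[user_id] = dict(cells)[u["picture"]]
        return {"stage": stage, "cells": cells}

    def verify(self, user_id: str, answer) -> bool:
        """One attempt per challenge: the expected code is consumed either way."""
        expected = self.expected.pop(user_id, None)
        if expected is None:
            return answer is None
        return hmac.compare_digest(expected.encode(), (answer or "").encode())
```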
User authentication is one of the areas that differentiate IDentiWall from the crowd of authentication vendors. (enter) A typical authentication solution is equipped with one or two authentication methods. Since one size does not fit all, we equipped IDentiWall with over 150 authentication methods covering the whole spectrum: knowledge, possession, biometrics, location, acquaintances and past activities the user has experienced. A good example of why one size does not fit all is the one-time password over SMS. No doubt you have come across many solutions like that. But how many of those vendors shared with you the inherent shortcomings of the method? How many of them refrain from sending an SMS to users who browse from a smartphone? After all, sending such a message straight into the hands of malware installed on that smartphone, such as a man-in-the-browser, defeats the purpose of an out-of-band factor. IDentiWall, through its Browsing Platform Sensitivity functionality, detects the browsing device type and, if it is cellular, falls back automatically to one of its alternative authentication methods, one that stays secure even when a cellular device runs the client browser. (enter) Solid password management is considered one of the pillars of a sound authentication policy, and IDentiWall is equipped to enforce such a policy. You can review the password management policy later through the video link on the last page of this presentation. (enter) Obviously, any hybrid policy-based authentication can be defined and executed by IDentiWall. Your users are not homogeneous, and their activities are not necessarily the same, so your chosen security solution should accommodate all this variety through simple click and run.
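The Browsing Platform Sensitivity rule from this slide and the VPN slides, as an added example that is not IDentiWall's own code: a second-factor selector that drops any method delivered to, or generated on, the same device class that runs the browser session, and skips methods known to be undeliverable (the no-coverage and foreign-SIM cases). The method names, their channel assignments and the preference order are assumptions, not the product's method catalogue. One caveat the code states: the User-Agent is attacker-controlled, so a "desktop" verdict should be corroborated by device fingerprinting rather than trusted on its own.

```python
"""Second-factor selection with browsing-platform sensitivity. Constructed
policy example; method names and channels are assumptions."""
import re

MOBILE_UA = re.compile(r"Android|iPhone|iPad|iPod|Windows Phone|\bMobile\b", re.I)

# method -> the device class that receives or produces the challenge (assumed)
METHOD_CHANNEL = {
    "sms_otp": "cellular",         # OTP delivered to the mobile handset
    "push_app": "cellular",        # approval prompt in an app on the handset
    "totp_app": "cellular",        # code generated by an app on the handset
    "hardware_token": "token",     # dedicated OTP device
    "voice_landline": "landline",  # call to a registered fixed line
}
PREFERENCE = ["sms_otp", "push_app", "totp_app", "hardware_token", "voice_landline"]


def browsing_platform(user_agent: str) -> str:
    """Heuristic only: the User-Agent is attacker-controlled, so pair this with
    device fingerprinting before trusting a 'desktop' answer."""
    return "cellular" if MOBILE_UA.search(user_agent) else "desktop"


def is_out_of_band(method: str, platform: str) -> bool:
    """Out of band means the challenge never touches the browsing device, so a
    man-in-the-browser on that device cannot read it."""
    return METHOD_CHANNEL[method] != platform


def select_second_factor(user_agent: str, enrolled, unreachable=frozenset()) -> list:
    """Ordered candidates: enrolled, out of band for this platform, and not
    known to be undeliverable (e.g. SMS with no coverage or a foreign SIM).
    An empty list means policy must step up to manual verification."""
    platform = browsing_platform(user_agent)
    return [m for m in PREFERENCE
            if m in enrolled and m not in unreachable and is_out_of_band(m, platform)]
```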
Authenticating the user is not enough; it is also important to authenticate the user's browsing device. IDentiWall is equipped with comprehensive device authentication functionality, with its... (enter) device fingerprinting management... (enter) device reputation management, meant to determine whether the device took part in previous fraud... (enter) and device geo-location management, which fills in the gaps in the big picture. Although it is sometimes unjustly underrated, we consider intimate knowledge of the device a fundamental layer of fortified cyber security.
Transaction verification has turned out to be the last frontier between the cyber criminal and the money. Often it is the last check before the costly theft. (enter) Transaction verification is recognized as effective against any kind of man-in-the-browser attack, provided it is executed professionally. (enter) As you have probably realized by now, IDentiWall supports multiple transaction verification methods that can be implemented according to organizational policy, providing the most comprehensive yet most flexible platform for such an implementation.
An added value of an IDentiWall implementation is its breach notification alerts. Imagine that while reviewing this presentation you get an SMS from your bank with the passcode you supposedly requested. Since it obviously was not you who requested that code, you know that your user ID and password have already been breached. You also know that your account is still protected, since the attacker did not get the one-time passcode. However, if you use the same password elsewhere, on other sites, you would be better off taking the time to change it everywhere. (enter) Notification messages can be sent through a variety of infrastructures... (enter) and the notification target can be just as diverse: the user themselves, the security team, any other targeted address, even a monitoring application. (enter) The fact that such a credential breach took place can trigger an out-of-schedule password change executed by the password management, special security awareness lessons, and any other breach policy the organization has implemented.
I assume we have already established the importance of dynamic risk-based policy; now is the time to understand what kinds of risk are taken into consideration. (enter) The first risk area IDentiWall considers is location-based risk. By converting addresses into geo-locations, IDentiWall is able to build the big picture. If the browsing device's IP address, converted to a geo-location, places the device in New York while the user's cellular phone, or the landline phone they just answered, is located in LA, that cross-location mismatch raises a red flag. And if the session as well as the user's phone are in NY but the user's credit or debit card withdrew money from an ATM in Amsterdam half an hour ago, that should again raise a red flag. (enter) Another type of risk is the content the user enters into HTML forms. Many banks establish thresholds for transactions they wish to check more thoroughly, or even to stop from being processed automatically. However, building the big picture across sessions, across forms and across target accounts can become quite tricky, and that is exactly where IDentiWall kicks in. (enter) Would it not be helpful to know whether the transaction was entered by the account owner or by an automated attack? IDentiWall follows patterns of behavior and singles out those of automated attacks... (enter) Not all risks can be detected within a specific online session.
Some risks are external to the current online session. One example of such an external risk is the Department of Homeland Security alert system; another might be a pre-announced attack by Anonymous. In such a case, all there is to do is change the external context in which IDentiWall runs, and it will automatically change its behavior to reflect the policies pre-implemented for the new context. Things that were allowed a minute ago may now be forbidden. The risk-based policy facility helps in determining the big picture as well as responding to its changing parameters.
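The risk signals of the last two slides (session versus phone location, the Amsterdam ATM case, form-content thresholds, an unknown device, and an external threat context), as an added example that is not IDentiWall's own scoring: a small rule engine that turns those signals into a score and maps the score to the control applied. The weights, the 100 km co-location radius, the 900 km/h travel limit and the amount threshold are assumed values to tune per organization; the coordinates in the test are constructed.

```python
"""Risk scoring over the signals the presentation lists. Constructed example
with assumed weights and thresholds."""
import math
from dataclasses import dataclass
from typing import Optional, Tuple

Geo = Tuple[float, float]   # (latitude, longitude) in degrees


def haversine_km(a: Geo, b: Geo) -> float:
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


@dataclass
class Session:
    user: str
    ip_geo: Geo            # IP geolocation of the browsing device
    ts: float              # epoch seconds
    device_known: bool     # device fingerprint previously seen for this user
    amount: float = 0.0    # value entered into the transaction form, if any


@dataclass
class Context:
    phone_geo: Optional[Geo] = None                      # cell phone, or the landline just answered
    last_card_event: Optional[Tuple[Geo, float]] = None  # (ATM/POS location, epoch seconds)
    external_threat: str = "normal"                      # "normal" | "elevated" | "severe"


POLICY = {  # assumed values
    "colocation_km": 100.0, "max_speed_kmh": 900.0, "amount_threshold": 5000.0,
    "weights": {"location_mismatch": 40, "impossible_travel": 50, "over_threshold": 20,
                "unknown_device": 15, "elevated": 20, "severe": 40},
}


def risk_score(s: Session, c: Context, policy=POLICY):
    """Returns (score, reasons); each reason names a rule that fired."""
    w, reasons = policy["weights"], []
    if c.phone_geo and haversine_km(s.ip_geo, c.phone_geo) > policy["colocation_km"]:
        reasons.append("location_mismatch")
    if c.last_card_event:
        card_geo, card_ts = c.last_card_event
        hours = max(abs(s.ts - card_ts) / 3600.0, 1e-6)
        if haversine_km(s.ip_geo, card_geo) / hours > policy["max_speed_kmh"]:
            reasons.append("impossible_travel")   # card and session too far apart for the elapsed time
    if s.amount > policy["amount_threshold"]:
        reasons.append("over_threshold")
    if not s.device_known:
        reasons.append("unknown_device")
    if c.external_threat in ("elevated", "severe"):
        reasons.append(c.external_threat)         # the external context changes the whole policy
    return sum(w[r] for r in reasons), reasons


def decide(score: int) -> str:
    """The dynamic part: the same session gets a different control as the score moves."""
    if score < 30:
        return "allow"
    if score < 60:
        return "step_up"          # require an out-of-band second factor
    return "hold_for_review"      # do not auto-process; verify the transaction out of band
```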
(enter) Dual signature on online transactions for the most valuable commercial customers is not merely nice to have; for those commercial accounts it is a must... (enter) Many regard this as better control over commercial transactions, and hence also better security for these accounts. (enter) However, for a transaction dual signature to work, a special integration effort is needed. Although this is not a huge effort, it cannot be implemented entirely through IDentiWall's agnostic mode; some integration must take place.
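Transaction verification against a man-in-the-browser, from the earlier slide, together with the dual signature described here, as an added example that is not IDentiWall's own code. The verification code is an HMAC over the transaction details and a per-transaction nonce, so it is valid for exactly the details shown in the out-of-band message; if malware rewrites the destination or amount after the user approved, the recomputed code no longer matches and the bank rejects the transfer. Dual signature is modelled as two distinct approvers, each with their own code. The derivation, the 6-digit format, the message wording and the account strings are assumptions.

```python
"""Content-bound transaction verification with optional dual signature.
Constructed example; derivation and message format are assumptions."""
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    destination: str
    amount: int        # whole units as an int: no float canonicalisation surprises
    currency: str

    def canonical(self) -> bytes:
        return f"{self.destination}|{self.amount}|{self.currency}".encode()


def verification_code(key: bytes, nonce: bytes, tx: Transaction, approver: str) -> str:
    """6-digit code valid only for these exact details, this nonce, this approver."""
    mac = hmac.new(key, nonce + b"|" + tx.canonical() + b"|" + approver.encode(), "sha256").digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


class TransactionVerifier:
    def __init__(self, key: bytes):
        self.key, self.pending = key, {}   # tx_id -> (nonce, required, approvals)

    def start(self, tx: Transaction, approvers, required: int = 1):
        """Register the transaction as received and produce one out-of-band
        message per approver. The message repeats the details so the approver
        can compare them with what they meant to send before typing the code."""
        tx_id, nonce = secrets.token_hex(8), secrets.token_bytes(16)
        self.pending[tx_id] = (nonce, required, set())
        msgs = {a: f"Pay {tx.amount} {tx.currency} to {tx.destination}? Code: "
                   f"{verification_code(self.key, nonce, tx, a)}" for a in approvers}
        return tx_id, msgs

    def confirm(self, tx_id: str, executing: Transaction, approver: str, code: str) -> str:
        """`executing` is what the back end is about to perform. A man-in-the-
        browser that altered it after the code was issued breaks the binding."""
        nonce, required, approvals = self.pending[tx_id]
        expected = verification_code(self.key, nonce, executing, approver)
        if not hmac.compare_digest(expected.encode(), code.encode()):
            del self.pending[tx_id]
            return "rejected"
        approvals.add(approver)   # the same approver signing twice still counts once
        if len(approvals) >= required:
            del self.pending[tx_id]
            return "executed"
        return "awaiting_signature"


def user_reads_message(message: str, intended: Transaction) -> str:
    """The human side of the check: return the code only if the details match
    the transfer the user actually meant to make, otherwise refuse (empty)."""
    prefix = f"Pay {intended.amount} {intended.currency} to {intended.destination}?"
    return message.rsplit("Code: ", 1)[1] if message.startswith(prefix) else ""
```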
Users do not access only from the internet. Some of them, such as employees, contractors and visitors, also access from within the company's campus. Statistics show that the majority of fraud is committed internally, by employees who use their peers' credentials. IDentiWall comes in handy in fighting this phenomenon by drying up the fountain of unused credentials. (enter) Through convergence of the two worlds, physical and logical IT security, and... (enter) through adding location-based... (enter) and time-based security,... (enter) IDentiWall is able to provide an effective defense against such inside jobs. (enter) You can now view the demos of IDentiWall's dynamic security, or access them later from the links listed on the last page of this presentation.
Security professionals often need to investigate complex events. (enter) IDentiWall's Forensic Based Investigation (FBI) is our solution for such digital investigations. (enter) The FBI is based on Semantic Web technology that stores knowledge in graph format... (enter) Another embedded technology is a built-in analytics inference engine that enables what-if analysis as well as many other analysis methods. (enter) The FBI can record the user's session in its entirety, HTML, voice, SMS and so on, and then play it back after synchronizing it along the timeline. (enter) The FBI can use digital data from multiple sources, such as external log files, but it comes out of the box with tightly coupled integration with all kinds of IDentiWall-related information. (enter) As before, you can now branch out to the FBI demo presentation, or review it later by clicking the appropriate link on the last slide of this presentation.
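The two operations this slide describes, merging records from several sources along one timeline and pivoting over a graph of linked entities, as an added example that is not IDentiWall's FBI code. The three log sources, their record layout and the user/device/IP linkage are constructed; a real investigation would attach many more node types (phone numbers, card events, session recordings) to the same graph.

```python
"""Timeline merge and link-graph pivot over constructed multi-source records."""
from collections import defaultdict, deque

# Constructed records from three sources: HTML session log, SMS gateway, voice server
HTML_LOG = [
    {"ts": 1700000010, "user": "alice", "device": "dev-A1", "ip": "203.0.113.7", "event": "login"},
    {"ts": 1700000090, "user": "alice", "device": "dev-A1", "ip": "203.0.113.7", "event": "transfer 9000"},
    {"ts": 1700000300, "user": "carol", "device": "dev-A1", "ip": "198.51.100.4", "event": "login"},
    {"ts": 1700000400, "user": "dave", "device": "dev-B7", "ip": "198.51.100.4", "event": "login"},
]
SMS_LOG = [{"ts": 1700000050, "user": "alice", "event": "otp sent"}]
VOICE_LOG = [{"ts": 1700000070, "user": "alice", "event": "callback answered"}]


def merged_timeline(*sources):
    """Synchronise records from several (name, rows) sources along one
    timeline, the order in which a session is played back."""
    records = [dict(r, source=name) for name, rows in sources for r in rows]
    return sorted(records, key=lambda r: (r["ts"], r["source"]))


def build_graph(records):
    """Undirected link graph user -- device -- ip. Typed node ids keep the
    namespaces apart (a user named like a device must not merge with it)."""
    g = defaultdict(set)

    def link(a, b):
        g[a].add(b)
        g[b].add(a)

    for r in records:
        if "device" in r:
            link(("user", r["user"]), ("device", r["device"]))
        if "device" in r and "ip" in r:
            link(("device", r["device"]), ("ip", r["ip"]))
    return g


def linked_users(g, start, max_hops=2):
    """Users reachable within max_hops of a flagged node: the 'what if this
    device turns out to be fraudulent' question asked of the stored graph."""
    seen, queue = {start: 0}, deque([start])
    while queue:
        n = queue.popleft()
        if seen[n] >= max_hops:
            continue
        for m in g[n]:
            if m not in seen:
                seen[m] = seen[n] + 1
                queue.append(m)
    return sorted(name for (kind, name), d in seen.items()
                  if kind == "user" and (kind, name) != start)
```

The hop limit matters in practice: one shared NAT address links unrelated customers, so widening the search by a hop trades precision for recall, and an investigator should see the path, not only the hit.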
A quick glance under IDentiWall's hood reveals that (enter) IDentiWall has a built-in RADIUS server and client with full AAA (authentication, authorization and accounting) capabilities. (enter) It also has a built-in LDAP server and client, as well as... (enter) an email server... (enter) a Voice over IP server, and... (enter) a fully equipped Face-2-Face server that facilitates high-definition peer-to-peer voice, chat and video conferencing. There is no need for pre-installed applications such as Skype; you click and talk directly from your browser to the browser of the party you wish to talk to. Because IDentiWall can be implemented in a mode that is agnostic to the existing web application, not a single line of the application's code needs to change; IDentiWall implements Face-2-Face externally to the application. You can also leverage IDentiWall's Policy Per Page functionality and implement Face-2-Face so that it connects the user with the appropriate CSR depending on the HTML form they clicked from. For example, if the user clicked the Face-2-Face icon from a mortgage form, it establishes a connection with one of the bank's mortgage experts, but if the user clicked from the strong authentication form, it connects to a security CSR, or perhaps to the user's account manager, who will have to authenticate the user manually before they are allowed to proceed with online banking. (enter) While the user is engaged in a video conversation, IDentiWall can take a voice and face sample and authenticate the user without interruption. (enter) There are many ways to use the IDentiWall Face-2-Face functionality: as a registration facility such as secured account opening, as a help desk layer, or even as a Branch-in-the-Browser infrastructure. It is all there, and only a few clicks away.
IDentiWall's Polite Implementation concept was invented when we got a worried phone call from the help desk manager of one of IDentiWall's customers, asking how many more attendants he would need to employ on go-live day. His argument was that when users face the new security measures, they are going to bombard the help desk with phone calls. (enter) Realizing that his concern was also our problem, we immediately developed the Deployment Pace Manager, which had a tremendous calming effect on him. In essence, it gives the implementer full control over the pace of the rollout. The implementer defines, for example, that IDentiWall will enroll only 100 new users per hour, a number the help desk can handle without special stress. All other users pass through IDentiWall uninterrupted, and IDentiWall will enroll them during one of their future logins. Obviously, it is up to the implementer to raise the pace after being assured that users do not call as much as anticipated, perhaps thanks to intelligent use of the User's Learning Curve Management facility. (enter) IDentiWall's Polite Implementation facility is equipped with an automated database administrator, so the Cassandra database that IDentiWall deploys remains a black box the customer does not need to maintain. (enter) IDentiWall is also equipped with the OmniChief watchdog technology, which monitors and controls the whole IDentiWall environment and, when it detects an operational problem, fixes it automatically. (enter) Learning Curve Management is another IDentiWall facility, designed to close the user's knowledge gaps where needed and where implemented. Security can be somewhat complex for the typical user, and since their cooperation is indispensable to the security process, their security awareness and knowledge need to be raised. That is exactly what Learning Curve Management is designed to do.
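The Deployment Pace Manager decision, as an added example that is not IDentiWall's own code: a rolling one-hour window caps how many first-time users are walked through the new measures, everyone else passes through untouched and is picked up on a later login, and the cap can be changed while running. The clock is injectable so the window can be tested without waiting; the per-hour figure and the three outcome labels are assumptions.

```python
"""Rolling-window enrollment pacing. Constructed example with an injectable clock."""
import time
from collections import deque


class DeploymentPaceManager:
    def __init__(self, per_hour: int, clock=time.time):
        self.per_hour, self.clock = per_hour, clock
        self.recent = deque()     # timestamps of enrollments in the last hour
        self.enrolled = set()     # users already walked through the new measures

    def set_pace(self, per_hour: int):
        """Raise or lower the cap once the real help desk load is known."""
        self.per_hour = per_hour

    def on_login(self, user: str) -> str:
        now = self.clock()
        while self.recent and now - self.recent[0] >= 3600:
            self.recent.popleft()             # slide the window
        if user in self.enrolled:
            return "enforce"                  # already enrolled: full security applies
        if len(self.recent) >= self.per_hour:
            return "pass_through"             # hourly quota used; enroll on a future login
        self.recent.append(now)
        self.enrolled.add(user)
        return "enroll"                       # walk this user through the new measures now
```

Note what "pass_through" means for security: during the rollout those users are authenticated by the old mechanism only, so the pace is a deliberate trade of coverage for help desk capacity and should be logged and raised as soon as the call volume allows.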
IDentiWall is architected as a high-availability technology, and as such it comprises... (enter) high-throughput capabilities... (enter) sophisticated workload balancing... (enter) and a foundation on the Cassandra NoSQL database, which is designed for high availability. (enter) With IDentiWall you do not have to concern yourself with issues such as hot data replication, since Cassandra handles that automatically. (enter) And again, IDentiWall's OmniChief watchdog technology is like having a system manager working for you 24x7. All these technologies contribute to the high availability and scalability of IDentiWall.
IDentiWall implementation projects can become quite comprehensive. Typically, once the organization realizes the potential embedded in this technology, it tends to use it as the prime solution for many of its security needs, taking advantage of IDentiWall's versatility and scalability. However, for customers who want a fast implementation, we equipped IDentiWall with the "First-day Return On Investment" technology. It takes the implementer by the hand and guides them through a best-practices implementation of IDentiWall in the main security areas, such as anti-phishing, user authentication, device authentication, password management, transaction verification, and others. First-day ROI uses IDentiWall's agnostic mode while teaching IDentiWall the specifics of your web application and your operational environment. The First-day ROI wizards provide a new implementation experience, one that flattens the required prior knowledge and delivers on the first-day commitment. (enter) For organizations willing to implement best practices first, First-day ROI holds huge promise. And if you think this is too good to be true, we offer the convenience of a Best Practices Implementation service through remote access, for just $999.
That concludes today's IDentiWall presentation. On this page you can find access to more resources, such as presentations and demos, that will help you deepen your understanding of the IDentiWall technology. IDentiWall can be licensed in various ways, ranging from traditional licensing to a pay-as-you-go option. We encourage you to talk to us about any technical or commercial issue; after all, we are here to accommodate your needs. (enter) Thank you, and we hope to see you protected soon by IDentiWall's amazing technology.