© 2004 Aladdin, July 20, 2004

IDENTITY MANAGEMENT
The Power of Digital Credentials

Daniel Pfeifle, Director of National Accounts, eToken
Office: 847.637.4003  Email: [email protected]
Aladdin Knowledge Systems
Educause PKI Summit, August 2004
Today's Discussion

1. Introduction – Who is Aladdin?
2. "Who" Tried To Access My Network?
3. Identity and Access Management (What Is It?)
4. The Power of Digital Credentials
5. The Pitfalls of Digital Credentials
6. The Pain Today
7. Aladdin Product Suite
8. Concept of Federated Identity
9. The Challenges of Federated Identities
10. Summary
The Aladdin Vision and Overview

Vision: We strive to be the leading provider of security solutions used by our customers to:
• protect digital assets
• enable secure business
• maximize the benefits from creating, selling, distributing and using digital content

Employees: 360 Worldwide
Segments: Software Security DRM, Enterprise Security
NASDAQ: ALDN (since 1993)
Founded: 1985
Sales: $54.7 Million (2003); $33.4 Million (H1/2004)
Aladdin Around the Globe

Customers in 100 countries
Nine global subsidiaries
Distributors in 50 countries on 5 continents

"Who" Tried to Access My Network?
We All Have a Bone In This Game?

Authentication: Parties can identify which Dog they're dealing with
Authorization: Dog gains permission to access toys that are rightfully theirs
Confidentiality: Information is accessible only to the intended dog
Data Integrity: Information in a transaction is unaltered
Proof of Source: A public/private key signature verifies the source of a document
Non-Repudiation: Both the Dog, and iPets, are verified with public/private key cryptography
Identity & Access Management: "What is it"?

3 Critical Elements of Identity & Access Management

• Authentication: The ability to validate or prove the identity of a user or transaction. Digital credentials take the form of passwords, digital certificates, smartcards, tokens, and biometrics (these provide the basis on which the user will be known in the world). The backbone of authentication is trust.
• Access Management: Who gets to access which company resources or complete/execute a transaction? Access/authorization can have many layers across an enterprise. Policy defines who gets to access "x" or execute "x" transaction.
• Administration: Identities and/or transactions must be administered (provisioned, revoked, audited) across the enterprise or platform.
The Power of Digital Credentials

• Provide the ability for people and organizations to interact/transact over the internet
• Offer the possibility of providing more secure platforms for transacting and authentication
• Legislation such as ESIGN (Electronic Signatures in Global & National Commerce Act) validated "digital signatures" as a legal form of transacting and authentication
• Flexibility in the type of form factor that can be used to "create" your digital credential:
  • Passwords
  • Digital certificates (PKI)
  • Smartcards (Traditional and USB)
  • OTP (One Time Password Fobs & Tokens)
  • Biometrics
The Pitfalls of Digital Credentials

• How do I know "who" is trying to access my network or transact with my platform?
• No standardization of "what" constitutes a digital signature
• Legacy application limitations
• End-user confusion
• Flexibility in the type of form factor that can be used as or to "create" your digital credential:
  • Passwords
  • Digital certificates (PKI)
  • Smartcards (Traditional and USB)
  • OTP (One Time Password Fobs & Tokens)
  • Biometrics
• Where is the first court case?
The Pain Today

• Web Based Passwords
• Application Based Passwords
• PKI
• X.509
• Biometrics
• OTP Tokens
• Soft Tokens

How Do I Manage Multiple Disparate Identities...
SSO - Single Sign On

[Slide diagram: SSO across disparate platforms. Logons shown: Network Logon; Secondary Logons (Citrix, Unix, Main Frame, Web); Any Logon (VPN, MF Logon, Laptop/PC Encryption); Secure eMail; Web. Supporting mechanisms: PKI & Certificate Authentication, Password Authentication, Key Generation, Authentication Credential Caching.]

The Goal: 'EASY STREET'

Authentication Solutions Must Be:
• Easy to Implement
• Easy for the End-User
• Easy to Manage
• Easy on the Budget
The Market Needs

Enhanced Security: Strong user authentication and information confidentiality are becoming a critical need for protecting organizational networks and digital information.
Improved password and identity management: Passwords are becoming an increasing security problem with high maintenance & support costs.
Mobility of keys, profiles and certificates: Enabling users to carry their authentication credentials with them for easy access and convenience.
(Source: IDC, June 2004)
eToken

• Convenient & cost-effective USB with smart card technology
• Enables two-factor user authentication
• Stores passwords, private keys and digital certificates
• Enables rapid rollout of Public Key Infrastructure (PKI)
• Integrates seamlessly with all major PKI and smart card standards

eToken R2
• 128 Bit DESX for strong encryption
• 8/16K-Byte of secured memory
• Key & certificate storage for PKI support
• Unique protected ID of 64 bits
• Compatible implementation with smart cards

eToken PRO
• True reader-less smart card
• Cryptography in hardware: RSA 1024, SHA-1 hashing algorithm
• RSA private keys never leave the token

eToken NG-OTP
• Industry first USB smart card token with One-Time Password (OTP) functionality
• Based on eToken PRO technology
• Stores OTP data securely within the smart card
• Integrated with VeriSign's Universal Strong Authentication (OATH)
• PKI compliant
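The slides say the NG-OTP stores its OTP data inside the smart card and follows OATH, but do not show what the OTP algorithm is or why keeping the seed and counter on the token matters. The following is an added example, not Aladdin's or VeriSign's code: it implements OATH HOTP (RFC 4226, HMAC-SHA-1 over an event counter), models the token and the verifier as two objects that never exchange the seed, and shows the server-side look-ahead window that resynchronises after a few unused button presses. The seed is the RFC 4226 reference vector, a constructed test value; the `Token` and `Verifier` classes and their window size are assumptions for illustration.

```python
"""OATH HOTP (RFC 4226) token/verifier model.

Added example; the seed below is the RFC 4226 test secret, not real
provisioning data. The Token and Verifier classes are illustrative.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA-1 over the 8-byte big-endian counter, then
    dynamic truncation of the MAC to a `digits`-digit decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Token:
    """Token side: seed and moving factor stay inside this object; the
    host only ever sees the generated code, never the seed."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._counter = 0

    def press(self) -> str:
        code = hotp(self._secret, self._counter)
        self._counter += 1                       # advance on every press
        return code


class Verifier:
    """Server side: holds the same seed plus the next expected counter.
    A code is accepted only if it matches one of the next `window`
    counter values (RFC 4226 section 7.2), after which the server moves
    past the accepted value, so a captured code cannot be replayed."""

    def __init__(self, secret: bytes, window: int = 5) -> None:
        self._secret = secret
        self._window = window
        self._counter = 0                        # next counter expected

    def verify(self, code: str) -> bool:
        for i in range(self._window):
            candidate = self._counter + i
            if hmac.compare_digest(hotp(self._secret, candidate), code):
                self._counter = candidate + 1    # resynchronise
                return True
        return False


def demo() -> dict:
    """Walk through accept, replay, resync-after-skipped-presses and a
    code outside the window; returns each outcome for inspection."""
    seed = b"12345678901234567890"               # RFC 4226 test secret
    token, server = Token(seed), Verifier(seed)

    first = token.press()                        # counter 0
    accepted = server.verify(first)              # True, server moves to 1
    replayed = server.verify(first)              # False: counter 0 is spent

    token.press()                                # counter 1, never submitted
    token.press()                                # counter 2, never submitted
    resynced = server.verify(token.press())      # counter 3, inside window

    out_of_window = server.verify(hotp(seed, 20))  # far ahead: rejected
    return {
        "first": first,
        "accepted": accepted,
        "replayed": replayed,
        "resynced": resynced,
        "out_of_window": out_of_window,
    }


if __name__ == "__main__":
    print(demo())
```

The security property the slide is gesturing at is in `Token`: an attacker who owns the host PC can read the codes the user types but cannot pull the seed out of the card to generate future ones. The `Verifier` window is a trade-off: too small and a user who presses the button idly locks themselves out, too large and an attacker with one stolen code has more counter values in which to spend it.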
How We Categorize eToken Enterprise Solutions

eToken For PKI Solutions
eToken For Network Logon
eToken Simple Sign On
eToken for WSO Solutions

eToken Architecture
[Slide diagram: eToken architecture; no text recoverable.]
eToken TMS

• Robust management system enabling deployment, provisioning and maintenance of security tokens, smartcards and ID badges
• Seamlessly folds the process into existing Microsoft Active Directory
• Supports a comprehensive range of security applications (e.g. Network Logon, VPN, Web Access, Secure eMail, Data Encryption and others)
Concept of Federated Identity?

• Disparate identity management systems have created platforms that are not natively interoperable; i.e. digital credentials are not uniformly accepted and hence are limited in their portability
• The concept of Federated Identity makes identity and access portable across autonomous domains by creating an accepted trust platform
• The goal is to provide an interoperability system analogous to a Driver's License: one state provides the credential, and it is trusted in all states under mutually agreed upon standards, technology, and legal acceptance
Business Drivers for Federated Identity?

• User Convenience: Elimination of multiple passwords via an SSO platform
• Risk Management: The ability to create trust across disparate organizations where user convenience is balanced with strong security
• Business Enablement: Enables business partners within the Federated Identity network to safely share sensitive information, collaborate and serve a larger customer population
• Cost Reduction: By utilizing a centralized infrastructure and accepted platforms, the cost of managing and supporting different technologies will be significantly reduced
Challenges of Federated Identity

• Liability Transfer: The identity provider, or authenticator, financially backs its identity assertions, effectively saying to a relying party, "I guarantee you this is Dan; if I'm wrong, I pay you." Agreement upon who accepts this liability and is liable to pay in cases of fraud may cause a breakdown of the system.
• What Security Gains Are Really Made? FI doesn't necessitate better encryption or authentication; in fact it still relies on a username/password platform. Have we done a good enough job protecting people's privacy with our current systems? It could be argued that by implementing SSO, once someone has my "password" they would gain access and could impersonate me to ALL trusted accounts.
• Subjective Partnerships: What if a customer does not want to use a vendor in the FI alliance? Do I as a customer want my data shared with other FI partners? What are the risks of targeted marketing (spam) and limiting the customer's choices in obtaining competitive pricing?
• Simplified Sign On: How does the consumer truly benefit if the "opt out" aspect is eliminated, e.g. Microsoft Passport?
Summary

• Digital Credentials are the prerequisite for access and identity management
• Digital Identities must be seamlessly and securely managed across applications
• Legal, social and regulatory trends have raised the bar for protecting critical infrastructure, networks and identities. Federated Identity is one aspect of a sophisticated challenge, but is it the solution for everyone?
• All authentication solutions must be judged for ease of implementation, manageability, cost and end-user convenience
Sample eToken Partners & Customers
[Slide of logos: Major Product Certifications, Customers, Partners; no further text recoverable.]