Assurity seminar 24 jan
Transcript of Assurity seminar 24 jan
Vulnerability of Smart Phones
Smartphones are a permanent point of access to the Internet (they are mostly on), and they can be compromised more easily than computers.
• Implied permission: this infection relies on the user's habit of installing software. Most trojans try to seduce the user into installing attractive applications (games, useful applications etc.) that actually contain malware.
• Common interaction: this infection is tied to a common behaviour, such as opening an MMS or email.
http://www.us-cert.gov/GFIRST/presentations/2012/mobile_exploit_intel_guido.pdf
Dangers of Relying Solely on User ID / Password for sensitive data
• Flexispy is a commercially available application for spying.
• The program sends all information received and sent by the smartphone to a Flexispy server. It was originally created to protect children and to spy on adulterous spouses.
Typical Mobile Malware Gameplan
http://www.us-cert.gov/GFIRST/presentations/2012/mobile_exploit_intel_guido.pdf
Get Malware installed by user
http://www.us-cert.gov/GFIRST/presentations/2012/mobile_exploit_intel_guido.pdf
What Hackers want to achieve
http://www.us-cert.gov/GFIRST/presentations/2012/mobile_exploit_intel_guido.pdf
Level of enforcement before allowing apps on the App Store / Google Play
Will a hacker be deterred by the need to provide IP/SMS or credit card details? Are corporate ID and personal ID (driver's licence) numbers good enough to ensure malware is not disguised as an app?
http://www.us-cert.gov/GFIRST/presentations/2012/mobile_exploit_intel_guido.pdf
Public Feedback on 2FA
National Authentication Framework
What is NAF
• A nationwide platform for the adoption of strong authentication
• For eServices that handle sensitive information and/or facilitate transactions
• Provides trusted and cost-effective authentication
Why
• Fulfils strong authentication requirements from regulators, banks and financial institutions, government & healthcare
The National 2FA system has been operational since December 2011.
Service Providers live on OneKey
• Stronger security is required to protect sensitive data
• This valuable repository of personal information includes income tax, CPF and HDB loan records
• Assurity, a subsidiary of IDA, is the sole bidder
• SingPass was set up in 2003 for every resident aged 15 and above; there are more than 2.8 million SingPass users today
OneKey Mission: Consumer Security & Convenience
OneKey can be used across multiple Service Providers: banks, government, online services, corporate VPN etc.
OneKey’s Value Proposition
• Stronger protection against online identity theft & fraud
• Convenience to end-users: a single authentication device across multiple online services (e.g. banking, trading, govt e-services, insurance, online commerce etc.)
• Giving consumers a choice to manage their own security policies
OneKey: A Convenient, Secure Authentication Mechanism
• Current Offerings
  – Assurity provides 2FA services via the OneKey Pad, a robust and integrated mechanism that is secure, convenient and cost-effective
  – OneKey Pad offers 3 options of 2FA: OTP, Challenge Response and Transaction Signing
  – OneKey SMS: OTP delivered via SMS for convenience to users
• Under Development
  – OneKey Card
  – OneKey Mobile
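The three 2FA modes named above differ in what the code is bound to. The following is an added illustration written for this transcript, not Assurity's or OneKey's implementation: a generic HMAC-based token (the OTP mode follows RFC 4226 HOTP; the challenge-response and transaction-signing message formats are assumed) showing why a plain OTP still verifies when the transaction it accompanies has been altered, while a transaction-signed code does not. The seed is a constructed demo value.

```python
import hmac
import hashlib
import struct

# Constructed demo seed (ASCII "12345678901234567890"); a real token's seed is
# provisioned per device and never leaves it.
SEED = bytes.fromhex("3132333435363738393031323334353637383930")
DIGITS = 6

def _truncate(mac: bytes) -> str:
    # Dynamic truncation as in RFC 4226, yielding a DIGITS-digit code.
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)

def hotp(seed: bytes, counter: int) -> str:
    # Mode 1, OTP: the code depends only on the shared seed and an event counter,
    # so it says nothing about which transaction it is being used for.
    return _truncate(hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest())

def challenge_response(seed: bytes, challenge: str) -> str:
    # Mode 2, challenge-response: the server picks a challenge the user keys into
    # the pad; the response is bound to that challenge (message format assumed).
    return _truncate(hmac.new(seed, b"CR|" + challenge.encode(), hashlib.sha1).digest())

def transaction_sign(seed: bytes, payee: str, amount_cents: int) -> str:
    # Mode 3, transaction signing: the code is computed over the transaction
    # details the user sees on the pad, so it only verifies for that payee/amount
    # (message format assumed).
    msg = f"TX|{payee}|{amount_cents}".encode()
    return _truncate(hmac.new(seed, msg, hashlib.sha1).digest())

def verify(expected: str, submitted: str) -> bool:
    # Constant-time comparison on the server side.
    return hmac.compare_digest(expected, submitted)

def demo_tampered_transfer() -> dict:
    # The user approves "ACC-111 / S$100.00" on the pad, but the request that
    # reaches the server claims S$1000.00 (constructed scenario).
    user_code_otp = hotp(SEED, 7)
    user_code_tx = transaction_sign(SEED, "ACC-111", 10000)
    return {
        "otp_accepts_tampered": verify(hotp(SEED, 7), user_code_otp),
        "txsign_accepts_tampered": verify(transaction_sign(SEED, "ACC-111", 100000), user_code_tx),
        "txsign_accepts_genuine": verify(transaction_sign(SEED, "ACC-111", 10000), user_code_tx),
    }
```

With the demo seed, hotp(SEED, 7) reproduces the RFC 4226 test vector 162583, which is a convenient self-check that the truncation is right.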
OneKey: A Reliable & Trusted Security Device
Your complete solution to compliance with MAS*** 2nd Factor Authentication requirements – Quick, Cost-Effective & Always Updated!
Compliances & Certifications*
• Certified to ISO/IEC 27001:2005
• Complied to MAS IBTRM V3 and 2012 Consultation Paper**
• Complied to Government IM8
• Complied to SS540
• Complied to TIA942
• Complied to FIPS
* Certifications are renewed and audited annually
** Fully redundant active-active tier 3 data centres
*** Assurity is the appointed NAF operator and works closely with MAS
Assurity’s Service Model
(Diagram labels: "Send OneKey to End User"; "Deliver SMS OTP to End User’s mobile device")
SP – Service Providers; OTP – One Time Password
Committed Service Level
Basic Service Offering
• 2FA using OneKey Pads
• 2nd factor credential registration, issuance and management
• Authentication Service: 99.99% service availability; 90% within 800ms, 100% within 2 seconds
• 24x7 technical support
Additional Service Offerings
• Dedicated technical support packages
• SMS OTP traffic charges
Service Levels
Item                                                   Service Level
Authentication service availability                    99.99% in a month
Authentication requests completed                      90% within 800 msec, 100% within 2 sec
Issuance of tokens and password mailers to end-user    Within 3 and 3+2 working days*
Severity 1, 2, 3 requests                              3 levels of service support: Basic, Gold, Platinum
Use Cases of OneKey
1. 2FA for online services
2. Incorporate OneKey 2FA into mobile apps so that consumers know that it is an authentic app
3. Corporate VPN 2FA to access corporate application
Assurity provides SPs with a test environment and specifications for connecting to OneKey.
Budget to leverage on OneKey
• Volume-based pricing
• Early-adoption special for SPs that sign up before Dec 2013
• Billed monthly based on prorated volume
• Fees waived for the first 2 years from system live-date (Dec 2011 – Dec 2013)
Volume per year up to 3M
6 cents per transaction
4.5 cents per transaction
Other Costs for Budgeting
• SP’s Setup
  – Application 2FA page (resources to develop, test)
  – Connections to Assurity (MPLS or IPSec VPN over Internet)
• SMS Traffic Cost for Authentications Using SMS OTP
  – Connection to SMS aggregator, SMS traffic cost
• Customer Support
  – SPs typically handle the 1st level of calls
  – Assurity provides training materials to help the SP helpdesk
  – Assurity will offer 24 x 7 customer support for 2FA calls that require escalation
• NAF Gateway from accredited partners
  – Easier implementation
  – Time to market
• Budget range from SGD 70K – 250K depending on the organisation’s requirements
Service Support Levels
Support Level   Severity   Initial Response*   Communication Frequency**   Resolution***
Basic           1          2 hours             Every 2 hours               8 hours
Basic           2          4 hours             Every business day          4 business days
Basic           3          8 hours             Every 2 business days       7 business days
Gold            1          30 minutes          Every 30 minutes            4 hours
Gold            2          1 hour              Every 2 hours               8 hours
Gold            3          4 hours             Every business day          4 business days
Platinum        1          15 minutes          Every 15 minutes            2 hours
Platinum        2          30 minutes          Every 1 hour                4 hours
Platinum        3          3 hours             Every business day          3 business days
* Initial Response: first update to the SP regarding the current status of the issue, measured from the time the incident is reported.
** Communication Frequency: frequency at which the support team updates the SP on the status of the issue.
*** Resolution: time allowed to resolve the issue.
NAF Technical Architecture
Fully redundant architecture: 2 data centres with
• Dual telecommunications providers and Internet service providers
• Dual power supply
• Synchronised data between both active sites
NAF Technical Architecture
• Fully redundant architecture (active-active)
• NAF systems facing the SPs are NOT exposed directly to the Internet: the NAF AO connects to SPs only via a private network
• NAF’s infrastructure service availability and uptime: ~99.999% availability and RTO = 0
THANK YOU
Jason Kong, Deputy Director Assurity Trusted Solutions, a wholly owned subsidiary of IDA [email protected] [email protected] Mobile: +65 9851 – 0020