Identity Assurance Trends and Solutions


Transcript of Identity Assurance Trends and Solutions

Page 1: Identity Assurance Trends and Solutions

Identity Assurance

Trends and Solutions

Vincenzo Vosa

Sales Manager Italy

[email protected]

+39 3288577930

Page 2: Identity Assurance Trends and Solutions

An ASSA ABLOY Group brand

PROPRIETARY INFORMATION. © 2014 HID Global Corporation/ASSA ABLOY AB. All rights reserved. Contents are confidential and proprietary and not intended for external distribution.

About HID Identity Assurance

Quick Facts

• Founded: June 1987
• Acquired: in December 2010 by HID Global
• Users: 28+ million credentials issued
• Customers: 3,000+
• Patents: 200+
• Employees: 204
• Sales Offices: 10+ countries

What we do

The HID Identity Assurance portfolio protects your organization with cost effective and risk appropriate security solutions that go beyond simple passwords

The industry’s broadest portfolio of user authentication and credential management solutions that provide:

• Multiple authentication methods managed through a single appliance.
• Comprehensive smart card solutions for network, application and physical access.
• Converged credential issuance for physical and logical access.

PROPRIETARY INFORMATION. © 2011 HID Global Corporation. All rights reserved.

Page 3: Identity Assurance Trends and Solutions


Government Enterprise Online Banking

Page 4: Identity Assurance Trends and Solutions


Identity Assurance is the Issuance, Management and Authentication of a User’s Credential

Credentials, Credential Management, Authentication

Smart Card, Mobile, Token

Applications, Buildings, PCs, Networks, Doors, Laptops, Cloud Apps, Mobile Devices, VPNs

Page 5: Identity Assurance Trends and Solutions


Trends

Page 6: Identity Assurance Trends and Solutions


Mobile

Page 7: Identity Assurance Trends and Solutions


Peripheral overload

Page 8: Identity Assurance Trends and Solutions


Cloud

Page 9: Identity Assurance Trends and Solutions


Physical & Logical Access Convergence

Page 10: Identity Assurance Trends and Solutions


Yesterday’s Separate Credentials

PACS Credentials

• Often based on weak or no cryptography (e.g. prox)
• Hardwired to PACS infrastructure
• Promised multi-application but have not delivered

IT Credentials

• Passwords or One Time Password tokens
• Incompatible with PACS infrastructure
• Managed by a different group with a different culture

3 drivers for change

Page 11: Identity Assurance Trends and Solutions


Drivers for change

1. Increased collaboration between Security and IT
2. IT needs new solutions
3. Availability of new technologies (in particular NFC)

Page 12: Identity Assurance Trends and Solutions


Collaboration within the Enterprise

• Breakdown of traditional stereotypes
• Role of the CSO
• PACS systems becoming more dependent on IT infrastructure - IP at the door, networked video, leveraging Active Directory, Mobile credentials

Page 13: Identity Assurance Trends and Solutions


Passwords are failing

• Breaking passwords is easy
• Almost every data breach involves a cracked password

Page 14: Identity Assurance Trends and Solutions


A better way?

Credentials are “Issued by the organization through a secure, controlled, audited process”

This does not come cheap.

Why do it twice?

Page 15: Identity Assurance Trends and Solutions


Drivers for change

1. Increased collaboration between Security and IT
2. IT needs new solutions
3. Availability of new technologies (in particular NFC)

Can we use same applications in mobile as on the card?

Can we use same applications on the card as in mobile?

NFC is contactless

Page 16: Identity Assurance Trends and Solutions


Security Tokens, Keys and access cards in your daily life

Converged onto a single multifunction smart card

Used to open different types of doors, Windows® and cloud applications


Converged Access

Page 17: Identity Assurance Trends and Solutions


One Credential: Photo ID & Physical Access

Employees accessing company buildings

Page 18: Identity Assurance Trends and Solutions


One Credential: Secure Logon

Employees logging on to Windows and/or applications

Page 19: Identity Assurance Trends and Solutions


One Credential: Remote Access (2fA)

Remote employees logging into VPN from home / hotel / airport etc.

Page 20: Identity Assurance Trends and Solutions


One Credential: Secure Signing and Printing

Employees signing an email or encrypting a document

Page 21: Identity Assurance Trends and Solutions


A new generation of Smart Employee IDs

Page 22: Identity Assurance Trends and Solutions


ActivID DisplayCard Delivers Value

Secure Access to Doors, Data and Cloud

Page 23: Identity Assurance Trends and Solutions


DisplayCard configurations

Page 24: Identity Assurance Trends and Solutions


Identity & IT Access

Authentication

Management

Security Clients

Integration

Physical Security

HID Value Proposition

Invest with Confidence

Page 25: Identity Assurance Trends and Solutions


Identity Assurance Solution Portfolio

• Credential Management: Enables customers to securely issue and manage digital credentials on the network, and securely update applications and credentials after issuance
• Security Clients: Enables employees to use credentials to log in, authenticate, or sign and encrypt data
• Strong Authentication: Enables enterprises, banks and governments to authenticate employees and customers seeking access to online resources
• Authentication Devices: Physical devices such as smart cards, USB sticks, tokens and mobile card readers that hold the credentials

Page 26: Identity Assurance Trends and Solutions


Credential Management

Enables customers to securely issue and manage digital credentials on the network, and securely update applications and credentials after issuance

ActivID Card Management System

Market

• National Government and large enterprises with 1,000 users to 1M users

Key Features

• Deployed with external CA, Database, HSM
• Support for US PIV & PIV-I cards
• Multiple card policies
• Heterogeneous ecosystems (IDMs, LDAPs, CAs, DBs, OSs, devices, HSMs, etc.)
• Highly customizable, 3rd parties can add new devices, credentials and application integrations

More effort required for deployments

ActivID CMS Appliance

Market

• Local government and small to medium enterprises with 50 users to 10,000 users

Key Features

• Embedded CA, Database and HSM
• Support for enterprise authentication certificates
• Limited number of card policies
• Vanilla deployment (Active Directory)
• Limited customization options available

Typical deployments completed in one week, with no to minimal Professional services required

Page 27: Identity Assurance Trends and Solutions

PROPRIETARY INFORMATION. © 2013 HID Global Corporation/ASSA ABLOY AB. All rights reserved. Contents are confidential and proprietary and not intended for external distribution.

ActivID CMS: Distributed Card Issuance over Unsecured Network

Diagram labels:

• Issuance Station
• Blank Card Protected with Manufacturer Keyset
• ActivID Card Management System
• ActivIdentity 4TRESS AAA Server
• LDAP, CA, HSM, database, IDM
• SSL v3
• ActivIdentity ActivClient
• Secure Channel
• Card Now Protected with Customer Keyset
• Customer Keyset Generated Using KMS
• Manufacturer Keyset Loading during Key Ceremony
• PIN applet, OTP applet, PKI applet, Generic Container applet (shown twice)

Page 28: Identity Assurance Trends and Solutions


Authentication

Enables customers to authenticate employees and customers seeking access to online resources and define access based on user classifications

ActivID Authentication Server

Market

• Commercial Banks with 10,000 to 10M users

Key Features

• Versatile authentication
• Multi channels
• Deployed with external DB & HSM (optional)
• Heterogeneous ecosystems
• Highly customizable with 3rd party integration of authentication methods and application

More effort required for deployments (PS?)

ActivID (Authentication) Appliance

Market

• Mid sized banks & enterprise with 200 to 1M users

Key Features

• Versatile authentication
• Multi channels & cloud service providers
• Option to embed the Database and HSM
• Standard deployment, with the option for customization

Typical deployments completed in one week (PS?)

ActivID AAA Server

Market

• Small to mid-sized enterprise with 25 to 75K users

Key Features

• Multiple device support for OTP tokens, smartcards, and mobile devices
• Remote network access
• Deployed with embedded database, but no HSM
• Standard deployment, with the option for customization

Typical deployments completed in one week

Page 29: Identity Assurance Trends and Solutions


Security Clients

Enables employees to use credentials to log in, authenticate, or sign and encrypt data

ActivClient

Market

• Government and large enterprise with 1000 to 2M users

Key Features

• Enables smartcards to be used for authentication, encryption and signing
• No customization required for simple and fast deployment

ActivIdentity Mini Driver

Market

• Enterprises with 500 to 20,000 users

Key Features

• Enables a smartcard to be used for authentication, encryption and signing
• No additional purchase/cost required

Page 30: Identity Assurance Trends and Solutions


Credentials

Tokens

Markets - Banks and Enterprises with a limited number of users

Key Features

• Authentication to remote networks and web portals
• Tokens can be carried on users’ keychain
• Users manually enter passwords
• No software requirements on end user machine
• Cost effective for a limited number of use cases

Cards

Markets - Government and Enterprises

Key Features

• Authentication to local / remote networks, web portals, documents, email signing / encryption, physical access and photo badge
• Cards can be carried in users’ wallet
• Connected device (reader required) eliminates rekeying
• Software dependencies on the end user machines

USB Keys

Markets - Banks and Enterprises

Key Features

• Authentication to local and remote networks, web portals, document and email signing / encryption
• Token can be carried on users’ keychain
• Connected device eliminates rekeying
• Software dependencies on end user machine

Mobile Devices

Markets - Banks and Enterprises

Key Features

• Authentication to remote networks and web portals
• Device is already being carried by user
• Connected to the network
• Rich user interface

Page 31: Identity Assurance Trends and Solutions


Employer to Employee

Page 32: Identity Assurance Trends and Solutions


E2E: 2fA Tokens

One Time Password

Page 33: Identity Assurance Trends and Solutions


E2E: Smart Card

Page 34: Identity Assurance Trends and Solutions


The Future – Just Tap-in

Page 35: Identity Assurance Trends and Solutions


Evolution of Online Security

Today’s Layered Attacks Necessitate Layered Security

• Layered Authentication
• Strong 2FA Authentication
• Simple Passwords
• Contextual Authentication
• Versatile Authentication

Driven by regulatory mandates/guidance

Page 36: Identity Assurance Trends and Solutions


Expanding layered authentication approach to online security

• Cyber attacks and internet crime are on the rise
• Multi-layered authentication can address the Service Providers’ Risk

• Authenticate device
• Authenticate channel
• Authenticate transaction
• Authenticate application
• Authenticate user

Authenticate from anywhere, anytime

Page 37: Identity Assurance Trends and Solutions


Multi-channel Versatile Authentication

ActivID Authentication Server

Security controls can be tailored to customer type and desired risk mitigation strategy

– Improved customer experience
– Reduced cost
– Better security
– Centralized auditing
– Flexibility for deployment of new services

Diagram labels: Call Centre, IVR, Internet, Mobile (repeated three times); Partners; External Customers; Internal Customers

Page 38: Identity Assurance Trends and Solutions


PROPRIETARY INFORMATION. © 2012 HID Global Corporation. All rights reserved.

ActivID Authentication Server

Key features

Authentication Services

• Session authentication
• Transaction authentication
• Threat Detection

Versatile platform

• Different population of users
• Authentication methods
• Usage scenarios
• Consistency across Service Channels
• Scalability
• Extensibility
• Multi-Tenancy

Centralization & Security

• Tamper evident audit
• Compliance
• Non-repudiation and integrity
• Marketing data

Page 39: Identity Assurance Trends and Solutions


All Scenarios Supported

• PCs / Laptops

• Smartphones, Tablets

• On-line Banking

• Mobile Banking

• Enterprise Application

• VPN, Thin Clients, Web Services

• Cloud Applications

ActivID Appliance

Secure Anytime, Any Place, Anywhere Access

Page 40: Identity Assurance Trends and Solutions


Plug-in

Plug-in

Broadest Authentication Methods

Page 41: Identity Assurance Trends and Solutions


ActivKey® SIM USB Token

ActivKey® Display USB Token

Smart DisplayCardToken

DisplayCard Token

Desktop OTP Token

Mini OTP Token

Pocket OTP Token

Keychain OTP Token

OTP Token

Crescendo Smart Card

Software Tokens

Authentication Devices Portfolio

Page 42: Identity Assurance Trends and Solutions
