SmartCard Forum 2010 - Enterprise authentication

Entrust IdentityGuard Versatile Authentication Platform for Enterprise Deployments Sam Linford Senior Technical Consultant [email protected]


Transcript of SmartCard Forum 2010 - Enterprise authentication

Page 1: SmartCard Forum 2010 - Enterprise authentication

Entrust IdentityGuard Versatile Authentication Platform for Enterprise Deployments

Sam Linford

Senior Technical Consultant

[email protected]

Page 2: SmartCard Forum 2010 - Enterprise authentication

© Copyright Entrust, Inc. 2009 2

Entrust is a World Leader in Identity Management and Security Software

• Best-in-class technology, service and support – industry pioneer

• Over 2000 customers in 50 countries – global reach

• Geographic presence: U.S., Canada, UK, China, Germany, India and Japan

• 411 employees and 110+ patents

• 2008 Revenue: ~$100.0 million

Page 4: SmartCard Forum 2010 - Enterprise authentication


The need for stronger enterprise authentication…

• Globalization and growing mobile workforce

• Unmanaged devices and locations

• De-perimeterization of networks

• Growing compliance regulations

[Diagram: enterprise resources (email, applications, files) accessed by mobile workers, mobile devices and partners]

Page 5: SmartCard Forum 2010 - Enterprise authentication


Factors to consider in deploying 2nd Factor

• Risk

– Sensitivity of resources

– Cost of breach

• Usability

– User expertise

– Solution flexibility

• Cost

– Initial cost

– Ongoing maintenance

– Future changes

Page 6: SmartCard Forum 2010 - Enterprise authentication


Entrust IdentityGuard

• Single open platform, centralized policy management

• User self administration

• Deploy based on Risk, Usability, Cost

[Diagram: Versatile Authentication Platform with authenticators: Username & Password, Grid, Scratch Pad, Digital Certificates, OTP Tokens, Smartcards & USB Tokens, Mutual Auth, IP-Geolocation, Machine/Device Auth, Mobile, Knowledge-Based]

Page 7: SmartCard Forum 2010 - Enterprise authentication


IP Geolocation

• Authentication based on the user's physical location

• Register common access points & record logon profiles

• Leverage IP black/white lists & OFIN data

Page 8: SmartCard Forum 2010 - Enterprise authentication


Machine Authentication

• Captures machine parameters

• No user interaction

• With or without cookies

Example captured parameters: IP: 216.191.253.108; Browser: IE 7.0; Screen Depth: 1024; …

Page 9: SmartCard Forum 2010 - Enterprise authentication


Digital Certificates

• X.509 certificate support

• Existing certificates, or leverage Entrust Managed Service Offering

• Standard SSL client or application-based signature-based authentication

• Stored in software, on smart cards, or USB tokens

Page 10: SmartCard Forum 2010 - Enterprise authentication


Mobile Authentication & Transaction Notification

• Multiple identities, one device

• Mix of soft token only and transaction notification

• Independent activation and control

• Customizable branding per identity

Page 11: SmartCard Forum 2010 - Enterprise authentication


IDG Mobile – Soft Token

• OATH compliant

• Time-based soft token

• 30 second time window

• Brandable interface

Page 12: SmartCard Forum 2010 - Enterprise authentication


IDG Mobile - with Transaction Notification

• OATH time-based soft token

• Transaction details confirmed out of band on mobile device

• No data entry

• OATH signature of transaction contents

• User confirms transaction or acts on suspect details
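An added example (not code from the deck or from Entrust) of the two mechanisms behind the soft token on Page 11 and the transaction notification on Page 12: an OATH time-based code with the 30-second window, a server-side check that tolerates clock skew, and a confirmation code that binds the transaction details. The 6-digit length, the demo secret (the RFC 6238 test key) and the simplified transaction construction are assumptions; Entrust's and OATH OCRA's exact formats are not reproduced.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # the 30-second time window of the OATH time-based soft token
DIGITS = 6         # assumption: 6-digit codes


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: 31-bit window chosen by the last nibble of the MAC."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)


def totp(key: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: the counter is the number of 30-second steps since the epoch."""
    return hotp(key, unix_time // STEP_SECONDS)


def verify_totp(key: bytes, code: str, unix_time: int, drift_steps: int = 1) -> bool:
    """Server-side check: accept the current step and +/- drift_steps of clock skew,
    comparing in constant time. A real server must also refuse a code it already
    accepted in the same step (replay); that bookkeeping is omitted here."""
    step = unix_time // STEP_SECONDS
    return any(hmac.compare_digest(hotp(key, step + d), code)
               for d in range(-drift_steps, drift_steps + 1))


def transaction_code(key: bytes, unix_time: int, details: str) -> str:
    """Confirmation code for out-of-band transaction notification. Assumption: a
    simplified construction, not Entrust's or the OATH OCRA format. The hash of the
    transaction details is mixed into the HMAC input, so a code confirmed for one
    transaction does not verify for a transaction whose details were altered."""
    details_hash = hashlib.sha256(details.encode("utf-8")).digest()
    msg = struct.pack(">Q", unix_time // STEP_SECONDS) + details_hash
    return _truncate(hmac.new(key, msg, hashlib.sha1).digest(), DIGITS)


# Constructed demo secret: the RFC 6238 SHA-1 test key, not a real deployment key.
DEMO_KEY = b"12345678901234567890"

if __name__ == "__main__":
    print(totp(DEMO_KEY, 59))  # 287082 (RFC 6238 test vector, 6 digits)
    print(transaction_code(DEMO_KEY, 59, "pay 100.00 EUR to account DEMO"))
```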

Page 13: SmartCard Forum 2010 - Enterprise authentication


Soft Token Mobile Authentication

• Single or multiple one-time passcodes to mobile device – SMS, email, voice

• Authenticate while out of cell range

• Out-of-band transaction detail confirmation and authentication OTP

• Automatic refresh of OTPs

Page 14: SmartCard Forum 2010 - Enterprise authentication


Knowledge Authentication

• Configurable number of questions

• User defined or imported

• Define number of correct answers

• Randomly presented

Page 15: SmartCard Forum 2010 - Enterprise authentication


Grid Authentication

• Each grid card unique

• Inexpensive to produce and deploy

• Innovative eGrid in graphic or PDF format

• Easy to use and support

[Image: sample grid card]
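An added example (not code from the deck or from Entrust) of the server side of grid authentication: issuing a unique card per user, challenging for a few cells, and checking the typed response. The card layout (10 lettered columns by 5 numbered rows), the cell alphabet and the three-cell challenge are assumptions, since the slide does not give them.

```python
import hmac
import secrets
import string

# Assumed card layout (the deck does not give one): 10 lettered columns x 5 numbered rows.
COLUMNS = "ABCDEFGHIJ"
ROWS = range(1, 6)
ALPHABET = string.digits + string.ascii_uppercase   # printable cell values
CHALLENGE_CELLS = 3                                  # assumption: cells per challenge


def make_grid() -> dict:
    """Issue one unique card: every cell drawn from a CSPRNG, keyed like 'C2'."""
    return {f"{col}{row}": secrets.choice(ALPHABET) for col in COLUMNS for row in ROWS}


def make_challenge(n: int = CHALLENGE_CELLS) -> list:
    """Choose n distinct random coordinates. A fresh challenge per logon means a
    response observed once reveals only those n cells, not the whole card."""
    cells = [f"{col}{row}" for col in COLUMNS for row in ROWS]
    chosen = []
    while len(chosen) < n:
        cell = secrets.choice(cells)
        if cell not in chosen:
            chosen.append(cell)
    return chosen


def expected_response(grid: dict, challenge: list) -> str:
    """The cell values, in challenge order, that the card holder should type."""
    return "".join(grid[cell] for cell in challenge)


def verify_response(grid: dict, challenge: list, response: str) -> bool:
    """Server side: normalise the user's input, then compare in constant time.
    Non-ASCII input is rejected up front because compare_digest only accepts ASCII str."""
    cleaned = response.strip().upper()
    if not cleaned.isascii():
        return False
    return hmac.compare_digest(expected_response(grid, challenge), cleaned)


if __name__ == "__main__":
    card = make_grid()            # stored server side per user; delivered as a card or eGrid
    challenge = make_challenge()
    print("Enter cells", challenge)
    typed = expected_response(card, challenge).lower()   # stands in for user input
    print("ok" if verify_response(card, challenge, typed) else "reject")
```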

Page 16: SmartCard Forum 2010 - Enterprise authentication


Mini Tokens

Mini OT

• Time-Synchronous

• OATH Compliant

Mini AT

• Time & Event-Synchronous

• Standards Based Algorithm

Page 17: SmartCard Forum 2010 - Enterprise authentication


Pocket Tokens

• Time & Event-Synchronous

• PIN unlock, Response, Challenge + Response

• Standards Based Algorithm

Page 18: SmartCard Forum 2010 - Enterprise authentication


DisplayCard Tokens

• Credit card format

• OATH based OTP generation

• Multi-functional card including optional on-board chip (PKI and/or EMV chip)

Page 19: SmartCard Forum 2010 - Enterprise authentication


Mutual Authentication

• End user validation of site

• Personalized for user

• Increased user confidence

[Diagram: Serial Number Replay, Extended Validation Certificates, Image & Message Replay]

Page 20: SmartCard Forum 2010 - Enterprise authentication


Application: Remote Access

[Diagram: end user → remote access applications]

• Integrates with leading remote access solutions

• Leverages industry standards to streamline deployment

• Supports MS RAS, IP-SEC, & 802.1x clients

Page 21: SmartCard Forum 2010 - Enterprise authentication


Application: Enterprise Desktops & Servers

• Integrated 2nd factor authentication

• Easy to use & deploy

• Leverages common security infrastructure

[Diagram: any user and administrators authenticating with password plus grid response to Microsoft Windows desktops and enterprise servers]

Page 22: SmartCard Forum 2010 - Enterprise authentication


Application: Extranet Access

[Diagram: end user → web authentication applications]

• Range of authenticators

• Inexpensive to deploy

• Easy to use and support

Page 23: SmartCard Forum 2010 - Enterprise authentication


Integrating IdentityGuard

[Diagram: end user → remote access applications, Microsoft Windows servers, web authentication applications, enterprise applications & data; IdentityGuard repository]

Page 24: SmartCard Forum 2010 - Enterprise authentication


Policy & User Management

• Web based administration

Page 25: SmartCard Forum 2010 - Enterprise authentication


Reporting

• Web based reporting

• User and authentication tracking and analysis

Page 26: SmartCard Forum 2010 - Enterprise authentication


Self-Service Server

• User self administration of Entrust IdentityGuard accounts

– User self-enrollment, assignment, activation, change and reset of authenticators

– Authentication credential or personal information modification

– Account status information

• Customizable web-based user interface

• Anytime, anywhere access

[Diagram: new and existing users → Self-Service Server]

Page 27: SmartCard Forum 2010 - Enterprise authentication


Self-Service Server

• Administrator control of options and permissions

• Web front end to existing IdentityGuard implementation

– No replication of data required

• Benefits

– Reduces help desk and administrator costs and effort

– Improves usability and acceptance by customers of strong authentication


Page 28: SmartCard Forum 2010 - Enterprise authentication


Self-Service Server

Manage authenticators and account information in a single, customizable interface.

Page 29: SmartCard Forum 2010 - Enterprise authentication


Self-Service Server

Facilitate entering or changing of specific required information for authentication…

Page 30: SmartCard Forum 2010 - Enterprise authentication


Self-Service Server

Send or save an electronic grid…

Page 31: SmartCard Forum 2010 - Enterprise authentication


Industry Recognition

Named Leader in “Excellence in Security Solution for Credit Unions”, Information Security Products Guide, June 2006

Gartner “Leader”, Gartner Magic Quadrant, Feb. 2009

“Industry Innovators 2007”, SC Magazine, December 2007

SC Magazine “Recommended” in Authentication Group Test, Feb. 2009

Page 32: SmartCard Forum 2010 - Enterprise authentication


Enterprise Authentication Success

And many more…

Page 33: SmartCard Forum 2010 - Enterprise authentication


Customer Deployment Scenarios

U.S. Treasury Department

Customer Challenge:

• Provide secure access for 530,000 plus employees and customers

• Strong 2nd factor security

• Easy to use with minimal training and maintenance

Solution:

• Leveraging grid authentication option

• Addressing issue of visually impaired with Braille grids

Page 34: SmartCard Forum 2010 - Enterprise authentication


Customer Deployment Scenarios

Xerox

Challenge:

• Provide secure remote access for 80,000 plus employees & third-party partners

Key Attributes

• Strong 2nd factor authentication for entire user population (vs. current subset)

• Replace current high priced tokens with usable, inexpensive alternative

• Alternative authentication choices

• Seamless integration with leading VPNs

Solution:

• Juniper SSL and IPSEC VPN solution

• 2nd Factor eGrid Authentication

‘Xerox was most pleased with the operational flexibility and ease of execution’

Page 35: SmartCard Forum 2010 - Enterprise authentication


Entrust IdentityGuard

• Single Open Platform

• Centralized Policy Management

• Deploy based on Risk, Usability, Cost

[Diagram: Versatile Authentication Platform with authenticators: Username & Password, Grid, Scratch Pad, Digital Certificates, OTP Tokens, Smartcards & USB Tokens, Mutual Auth, IP-Geolocation, Machine/Device Auth, Mobile, Out-of-Band, Knowledge-Based]

Page 36: SmartCard Forum 2010 - Enterprise authentication

Thank You