Corporate Information Security

User Identification & Logical Access Control

Upload: clarissa-spencer

Post on 30-Dec-2015


TRANSCRIPT

Page 1: Corporate Information Security

User Identification & Logical Access Control

Page 2: Logical Access Control – Heart of Security

Efficient Control Mechanisms
  User identification, authentication & authorization
  Centralized user rights management
  Logging & auditing

Page 3: Passwords: Security Bottlenecks

Most Likely Security Breaches
  Easy to guess passwords
  Same password for all applications
  Password sharing
  Not keeping passwords secret

Page 4: Security Stats

Half of help desk calls are password-related
  Source: Lenovo

$150 per user annually - operating expenses for managing user accounts
  Source: SC Magazine

$25-50 - average cost of processing a single help desk call
  Source: Compulenta

Page 5: Biometrics: Efficient & Reliable

Identification of a person, not of a password, token or card
Intuitive & easy to use technology
Non-repudiation of biometrically confirmed actions
Users do not have to know or remember passwords
No password sharing

Page 6: Integration

Diagram labels: Corporate Data, AD Integration, Shared Resources, Workstations, VPN, Physical Access, Applications, E-mail, T&A, Internet

Page 7: IDenium Purpose

Safeguard data against unauthorized access
Replace a vulnerable password system with biometric IDs

Page 8: IDenium Functions

User Access Control
  A fingerprint is a single key to network data, applications, e-mail & Internet
  Secure Standby & screensaver modes
  Support for Windows & Novell

Logging Access Events

Page 9: IDenium Functions

Centralized User Management
  One-time enrollment of users & credentials
  Domain controller interaction
  Network access from any network PC

Page 10: Architecture

Diagram labels:
  User Account of a Specific Application
  Novell User Account
  Windows User Account
  CITRIX User Account
  Workstations
  Windows Domain Controller
  Applications & Web-applications
  Workstations and/or Clients
  CITRIX Server
  Novell Server
  Identification of Windows Users
  User Identification in Applications
  Identification of CITRIX Users
  Identification of Novell Users

Page 11: IDenium for AD

Diagram components: Windows Domain Controller, Workstation, Identification Server, Microsoft Windows AD Database

Diagram legend:
  1 Digital Fingerprint Template
  2 Data Required for User Authentication
  3 Data Required for User Authentication
  4 Synchronization

Page 12: AD Integration

IDenium is fully integrated into Active Directory (AD):
  Centralized storage, protection & transfer of user ID data via AD tools
  Centralized user rights management
  BioLink tabs in ADUC

Figure: BioLink - Enroll Tab

Page 13: IDenium Components

Client SW
  IDenium Windows Logon
  Password Vault

Admin SW
  Admin Pack
  Synchronization Agent
  Password Changer

Page 14: IDenium Windows Logon

Verifying user identity when logging on to the OS or applications
User verification in other applications compliant with IDenium Windows Logon & Authenteon Server
Workstation unlocking by a fingerprint

Figure: Workstation Unlocking

Page 15: Password Vault

Replacing passwords with biometric IDs in applications & Internet
Script recording to replace a password
Several scripts for an application
Automated script execution upon successful fingerprint identification

Figure: List of Scripts

Page 16: Admin Tools

Admin Pack
  Centralized enrollment of users & fingerprint data
  Setting-up identification policies & other administrative tasks

Synchronization Agent
  Synchronization of AD catalogue data & biometric ID data stored on Authenteon

Page 17: Admin Tools

Password Changer
  Generation of random passwords
  Attaching new passwords to relevant user accounts & biometric IDs
  Admin-defined generation frequency
  No access to unauthorized users by stolen passwords

Page 18: IDs Enrollment

Figure: “Windows Security” window for users to enroll their fingerprint identifiers

Biometric IDs can be enrolled while adding a new user account in AD - when hiring a new employee, at the administrator’s workplace.

Biometric IDs can be enrolled by users themselves at their workplaces when deploying IDenium.

Page 19: Selection of Identification Policies

Figure: Selecting an Identification Policy

User identification only by fingerprints is recommended for most users

User identification by a fingerprint OR password is recommended for administrators and security staff

Two-factor identification by a fingerprint AND password is recommended for the most sensitive data

Page 20: Customization & Management Options

Figure: IDenium Settings window

Add users (or user accounts), edit properties & delete
Enable/disable ID data caching
Hide the actual fingerprint image while scanning
Generate random passwords for Windows user accounts

Page 21: Identification Servers

BioLink Authenteon
  Software-and-hardware server
  Hot swappable
  Unlimited number of users

BioLink Authenteon Software Appliance (ASA)
  Software server for MS Windows
  Number of users – up to 1 000
  Scalable

Page 22: Biometric Scanners

Scanning Method: Optical
Scanning Window Size: 25.5 x 18 mm
Scanning Speed: 15 fingerprints per second
Resolution: 508 dpi
False Acceptance Rate (FAR): 10^-9 (1 out of 1 000 000 000)
Interface: USB 2.0/1.1, Plug&Play, 2 m cable included

Page 23: Biometric Scanners

Compact & ergonomic
Cost-effective & durable
Quickly attached to a computer
Ready for operation upon installation of BioLink IDenium
Used to secure corporate networks & stand-alone PCs

Page 24: Biometric Scanners

BioLink U-Match 3.5 - USB Scanner for Office Use
  Dimensions (length x width x height): 45 x 63 x 26 mm
  Weight: 120 g

BioLink U-Match 5.0 - USB Scanner with a Card Reader
  Supported smart card standards: ISO 7816, EMV 2000
  Smart card power supply: 5 V, 3 V & 1.8 V
  Transmission speed: up to 119 Kbps
  Card type detection: automatic

Page 25: IDenium Benefits

Data security increase
Cost-effectiveness
Scalability
Fault-tolerance
Ease of use

Page 26: Data Security Increase

Reliable, accurate & quick user identification by distinct parameters
Eliminated threat of identification by lost/stolen identifiers
Multi-factor identification for sensitive data
Integration options for logical & physical access & T&A systems

Page 27: Cost-Effectiveness

Faster access to protected resources
Biometric IDs never fail
Reduced admin load
Decreased access infrastructure management expenses

Page 28: Scalability

Unlimited number of users
Server clusters & load balance options
Centralized installation & management
Seamless integration into legacy corporate systems

Page 29: Fault-Tolerance

Hot swappable biometric ID servers
Data replication options
Local cache options in case of failed LAN

Page 30: Ease of Use

One-time enrollment of users’ biometric data
Identification by any enrolled fingerprint
A fingerprint is a single key to resources & applications
User-friendliness

Page 31: Corporate Information Security

User Identification & Logical Access Control

www.bio-metrica.com

[email protected]

Thank You!