SafeNet Authentication Service for Your Business
Introducing Strong Authentication as-a-Service
Marko Bobinac, PreSales Engineer CEE, Russia & CIS
Agenda
SafeNet introduction
Introduction to Authentication as a Service
SafeNet Authentication Service
• Service architecture
• Key features
• Additional features
Summary and Benefits
Next steps
Introduction to SafeNet Authentication Service for Your Business
2012 Authentication News
• March 2012: SafeNet acquires Cryptocard
• January 2012: Gartner’s Magic Quadrant for User Authentication
(Figure: Gartner Magic Quadrant for User Authentication 2012)
Market Trends
“Gartner predicts that, by 2017, more than 50% of enterprises will choose cloud-based services as the delivery option for new or refreshed user authentication implementations, up from less than 10% today.”
Automation and ease of administration are the biggest desires for authentication
Source: Forrester, March 20, 2009, “Authentication-As-A-Service”
Figure 2: Cost of system administration is the greatest challenge enterprises face
“What challenges does your organization face with its current customer authentication process?”
• 48%: Cost of administering the authentication system
• 41%: Cost of deploying additional authentication factors
• 40%: Frequency of password resets, replacing OTP generators
Together with flexibility and further cost reduction
“Thinking about authentication-as-a-service, what are some of the benefits that you could foresee for your organization?”
• 51%: Improved technical flexibility
• 46%: Improved scalability
• 44%: Reduced cost for providing additional authentication factors
• 42%: Reduced costs of adding strong authentication to new Web-based services
© SafeNet Confidential and Proprietary
How 2FA works
(Diagram: access points such as web portals, online banking, domain logon, VDI, VPN and SSL VPN connect to SafeNet Authentication Service through RADIUS, SAML, the API or SafeNet agents.)
SafeNet Authentication Service
SafeNet Authentication Service delivers fully automated strong Authentication-as-a-Service from the cloud.
With no infrastructure required, SafeNet Authentication Service:
• Protects everything – SaaS, apps, networks
• Protects everyone – multiple token options: choose from a leading range of software, SMS, hardware and grid tokens
Benefit from simple service delivery and reduced overheads through:
• Automation of everything: provisioning, reporting, self-service
• Security policy engine and templates
• Total flexibility to customize everything: tokens, processes, policies
“as a Service” benefits
• A full virtual enterprise authentication server available from the cloud, ready to go in minutes and available 24*7
• A powerful management portal which allows you to automate “everything”
• Highly secure infrastructure and service delivery
• “Per user per year” OPEX pricing
Cost Reduction, Simplicity and Flexibility
It’s about Total Cost of OPERATION
Why is the SAS “Total Cost of Operation” lower?
• Simple all-inclusive pricing with no extra costs for agents or replica servers
• A huge range of non-expiring physical tokens and re-assignable software and SMS tokens reduces token costs
• Integration into existing user stores such as LDAP and automation of management tasks reduces management time by 90%
• User self-service removes the need for help desks to fix the most common user issues
Rule-driven management system
Core Components Overview
(Diagram: the Service Provider and its Subscriber Companies, each with Tokens & Users and User Authentication.)
Introduction - Protect Everything: Networks, Applications and Cloud Services
(Diagram: an Administrator manages Tokens & Users in the service. Corporate networks and private networks, each with their own LDAP / Active Directory, connect through Agents and RADIUS; cloud services and cloud applications such as online storage, application hosting and disaster recovery connect through SAML; the API is a further integration path.)
Introduction - Widest Choice of Tokens, including Tokenless & 3rd Party
Authenticators for every user type – and an increasing focus on commoditization
Authenticators that:
• Don’t expire
• Have seed keys that can be owned by the subscriber
• Can be easily re-assigned to new users
• Deploy easily, saving cost and time
• Can be included in the service charge
Token platforms shown: H/W, SMS, BlackBerry, iOS, Android, Microsoft, Java Multi Platform, USB, Grid, Microsoft, OSx
Introduction - Automate everywhere
SafeNet Authentication Service automates everything, reducing management time, the main cost of a strong authentication solution:
• User synchronisation
• Security policy application
• Token provisioning
• Self-enrollment
• SAML service registration
• Alerts
• Reporting
Introduction - Migrate Easily and Protect Current Investment in Tokens
Continue to use your existing tokens
• Protect your investment
• Eliminate user disruption
• Replace on expiry
Import existing tokens into SafeNet Authentication Service (uses your existing infrastructure to authenticate)
• Get a single view of all users and authentication activity
• Use the comprehensive reporting across all tokens
Automate the deployment of replacement tokens prior to expiry of your existing tokens
• Zero-effort and zero-touch migration of all users without administrator intervention
• Secure and easy self-enrolment
Introduction – Save Money and Resources
• Simple, low per-user per-year pricing model with no hidden or extra costs
• No infrastructure costs, no maintenance costs
• A huge range of non-expiring physical tokens and re-assignable software and SMS tokens reduces token costs substantially
• Reduces help desk load massively via self-healing tokens and user self-service
• Cut management time by 90% via integration with existing user directories and automation of all management and reporting tasks
Up and running in Minutes
Step 1: Select Service Provider
Step 2: Create Your Account
Step 3: Set up Administrator
Step 4: Configure Access Device(s)
Step 5: Link User Directory
Step 6: Provision Tokens
Step 7: Users self-enrol
(Diagram: Your Provider; Your Company with Administrator, Applications, Active Directory and Access Device; SafeNet Authentication Service with Tokens & Users. The numbers in the diagram mark the steps above.)
Architecture
(Diagram: SafeNet Authentication Service is hosted in an EMEA DataCenter and a North America DataCenter. Inside the service: a Virtual Server with User Repository and Token Repository, Management & Admin, Reports & Alerts, Self-Enrolment Portals, Security Policy Engines, Authentication, Provisioning, Reporting/Alerts, LDAP Synch, Migration Solutions, User Self-Service and Agents. Over the Internet the service receives RADIUS authentication requests from Agents and Access Devices, SAML authentication requests, user service requests, and user information from the subscriber’s User Repository via an LDAP Agent. SMS messages go via HTTP(S) to an SMS Service Provider (subscriber- or SP-selected) and email via SMTP. Parties shown: Service Provider, Subscriber, Administrator, Users, Tokens.)
Strong Authentication Made Easy
• Automation
• Reporting
• Security
• Customization and Branding
• Multiple Business Unit Entities, Groups & Containers
• Operator Role and Scope
• Corporate Integration APIs
Automation
SafeNet Authentication Service automates everything, reducing management time, the main cost of a strong authentication solution:
1. User Synchronisation
2. Security Policy Application
3. Token Provisioning
4. Self Enrolment
5. SAML Service Registration
6. Alerts
7. Reporting
1. User Synchronisation
User Directory Sources
Supporting any user store
• SQL, LDAP, AD, ODBC, Lotus, Novell, anything (via custom field mapping)
• Zero schema change
• Read only
• Non-intrusive
• Full customisation
• Multiple domains
• No hardware required
• Secure
• In addition, users can be bulk imported, e.g. via .csv files, and/or created locally
LDAP Changes
Automatic updates of LDAP changes
(Diagram: user changes on the Directory Server are picked up by the LDAP Agent and passed to SafeNet Authentication Service, where LDAP rules on users and groups drive self-enrollment and authentication for the access device or application.)
2. Security Policy Application
Token policies and your security
Ability to set token policies
• Pre-configured to best practice for optimal security
• Reconfigurable to match your policy
• Multiple options can be re-defined:
  • PIN length and complexity
  • OTP length and complexity
  • Try attempts
  • Forced PIN change
• Portal shows details of EVERY individual token
Initialisation of tokens
• Software/SMS tokens initialised at point of deployment
• Hardware tokens can also be initialised
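To make the policy items above concrete, here is an added Python illustration. It is not SafeNet code and does not describe how the service implements its policy engine; the `TokenPolicy` and `TokenState` classes, their field names, the "best practice" defaults and the demo data are all assumptions made for the example. It models PIN length and complexity, OTP length, try attempts with lockout, and forced PIN change, and generates the OTP itself with RFC 4226 HOTP from the RFC's published test secret.

```python
"""Added example: a toy token policy engine for PIN rules, OTP length,
try-attempt lockout and forced PIN change. Not SafeNet code; the
class and field names below are assumptions made for the illustration."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class TokenPolicy:
    """One policy template; the defaults stand in for a 'best practice' preset."""
    pin_min_length: int = 6
    pin_needs_letters_and_digits: bool = True
    otp_length: int = 6
    max_try_attempts: int = 3        # failed OTPs before the token locks
    pin_max_age_days: int = 90       # forced PIN change interval


BEST_PRACTICE = TokenPolicy()
# A subscriber "re-defines" options by deriving a new template from the preset.
RELAXED = TokenPolicy(pin_min_length=4, pin_needs_letters_and_digits=False,
                      max_try_attempts=5)


@dataclass
class TokenState:
    """Per-token counters the policy engine updates on every authentication."""
    pin_set_on: date
    failed_attempts: int = 0
    locked: bool = False


def pin_violations(policy: TokenPolicy, pin: str) -> list:
    """Return the policy rules a proposed PIN breaks (empty list = acceptable)."""
    problems = []
    if len(pin) < policy.pin_min_length:
        problems.append(f"PIN shorter than {policy.pin_min_length} characters")
    has_letter = any(c.isalpha() for c in pin)
    has_digit = any(c.isdigit() for c in pin)
    if policy.pin_needs_letters_and_digits and not (has_letter and has_digit):
        problems.append("PIN must contain both letters and digits")
    return problems


def hotp(secret: bytes, counter: int, digits: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def pin_change_required(policy: TokenPolicy, state: TokenState, today: date) -> bool:
    """Forced PIN change: true once the PIN is older than the policy allows."""
    return today - state.pin_set_on >= timedelta(days=policy.pin_max_age_days)


def verify_otp(policy: TokenPolicy, state: TokenState, presented: str,
               secret: bytes, counter: int) -> tuple:
    """Check one OTP against the policy; returns (accepted, reason) and
    updates the try counter and lock flag in `state`."""
    if state.locked:
        return False, "token locked"
    expected = hotp(secret, counter, policy.otp_length)
    # constant-time compare; a wrong-length OTP simply fails the comparison
    if hmac.compare_digest(presented.encode(), expected.encode()):
        state.failed_attempts = 0
        return True, "ok"
    state.failed_attempts += 1
    if state.failed_attempts >= policy.max_try_attempts:
        state.locked = True
        return False, "token locked after too many failed attempts"
    remaining = policy.max_try_attempts - state.failed_attempts
    return False, f"wrong OTP, {remaining} attempt(s) left"


def run_demo() -> dict:
    """Walk one token through the policy: bad PIN, lockout, success, PIN expiry.
    Constructed demo data: the RFC 4226 test secret and a token set up in 2012."""
    secret = b"12345678901234567890"
    token = TokenState(pin_set_on=date(2012, 1, 1))
    results = {"pin_problems": pin_violations(BEST_PRACTICE, "1234")}
    # three wrong OTPs lock the token under the best-practice preset
    results["attempts"] = [verify_otp(BEST_PRACTICE, token, "000000", secret, 0)
                           for _ in range(3)]
    results["locked"] = token.locked
    results["after_lock"] = verify_otp(BEST_PRACTICE, token, hotp(secret, 0, 6), secret, 0)
    fresh = TokenState(pin_set_on=date(2012, 1, 1))
    results["good_otp"] = verify_otp(BEST_PRACTICE, fresh, hotp(secret, 0, 6), secret, 0)
    results["pin_change_due"] = pin_change_required(BEST_PRACTICE, fresh, date(2012, 6, 1))
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The lockout counter lives with the token state rather than the session, so a locked token stays locked until an operator or the self-service portal resets it, which is the behaviour an "attempts" policy is meant to give.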
3. Token Provisioning
Provisioning rules
Rules engines for auto-provisioning & authorization
• Powerful and flexible auto-provisioning
• Token allocation, suspension and de-allocation and more
• Auto-registration for SAML services
Central administration of rules that are automatically applied to users based on their group membership
• All token management can be done via group membership in LDAP
• Changes in LDAP initiate the provisioning process without any admin intervention
Access/authorization is controlled by the real-time application of another rules engine; authentication is allowed or denied based on criteria such as
• Access point
• LDAP attributes (group membership or time of day)
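As an added example (not SafeNet code, and not the service's actual rule syntax), the following Python models the two rules engines described above: a provisioning engine that turns LDAP group membership into allocate / reactivate / suspend / revoke actions, and a real-time authorization engine keyed on access point, group membership and time of day. The record shapes, rule fields, the sample directory and the token store are constructed for the illustration.

```python
"""Added example: group-membership driven provisioning and a real-time
authorization rules engine. Not SafeNet code; rule names, record shapes
and the sample directory below are assumptions for the illustration."""
from dataclasses import dataclass
from datetime import time


@dataclass(frozen=True)
class User:
    uid: str
    groups: frozenset          # group names synchronised from LDAP


@dataclass(frozen=True)
class ProvisioningRule:
    group: str                 # LDAP group that triggers the rule
    token_type: str            # token to allocate to members
    on_leave: str              # "suspend" or "revoke" when membership ends


@dataclass(frozen=True)
class AccessRule:
    access_point: str          # e.g. a RADIUS client or SAML service
    required_group: str        # LDAP group that may authenticate here
    hours: tuple               # (start, end) time-of-day window, inclusive


def plan_provisioning(users, tokens, rules):
    """Compare directory membership with the token estate and return the
    actions an administrator would otherwise perform by hand.
    `tokens` maps uid -> (token_type, state) for users who hold a token."""
    actions = []
    for user in sorted(users, key=lambda u: u.uid):
        wanted = next((r for r in rules if r.group in user.groups), None)
        held = tokens.get(user.uid)
        if wanted and held is None:
            actions.append(("allocate", user.uid, wanted.token_type))
        elif wanted and held[1] == "suspended":
            actions.append(("reactivate", user.uid, held[0]))
        elif not wanted and held and held[1] == "active":
            # user left every provisioning group: apply that rule's exit action
            rule = next((r for r in rules if r.token_type == held[0]), None)
            actions.append((rule.on_leave if rule else "revoke", user.uid, held[0]))
    return actions


def authorize(user, access_point, now, rules):
    """Real-time decision for one authentication attempt; deny by default."""
    matching = [r for r in rules if r.access_point == access_point]
    if not matching:
        return False, "no rule for access point"
    for rule in matching:
        if rule.required_group not in user.groups:
            continue
        start, end = rule.hours
        if start <= now <= end:
            return True, f"allowed by group {rule.required_group}"
        return False, "outside permitted hours"
    return False, "not a member of a permitted group"


# Constructed sample data standing in for an LDAP sync and the token store.
USERS = [
    User("alice", frozenset({"VPN-Users", "Staff"})),   # joined VPN-Users, no token yet
    User("bob", frozenset({"Staff"})),                  # removed from VPN-Users
    User("carol", frozenset({"VPN-Users"})),            # re-added, token suspended
]
TOKENS = {"bob": ("software", "active"), "carol": ("software", "suspended")}
PROVISIONING_RULES = [ProvisioningRule("VPN-Users", "software", "suspend")]
ACCESS_RULES = [AccessRule("ssl-vpn", "VPN-Users", (time(7, 0), time(19, 0)))]


def decide(uid, access_point, hour, minute):
    """Convenience wrapper over the sample data: authorize `uid` at hh:mm."""
    user = next(u for u in USERS if u.uid == uid)
    return authorize(user, access_point, time(hour, minute), ACCESS_RULES)


if __name__ == "__main__":
    for action in plan_provisioning(USERS, TOKENS, PROVISIONING_RULES):
        print(action)
    print(decide("alice", "ssl-vpn", 10, 30))
    print(decide("alice", "ssl-vpn", 23, 0))
    print(decide("bob", "ssl-vpn", 10, 30))
```

Running the plan after every directory sync is what turns a group change in LDAP into a token action with no operator involvement; keeping the authorization engine separate means a user can hold a valid token and still be refused at a given access point or outside the permitted window.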
Provisioning rules (screenshot)
4. Self enrolment
Simple enrollment process
Automated self-enrolment for all tokens
• Customisable messages
• Fully automated with auto-provisioning
• Alerts highlight incomplete enrolments
Optional enrollment workflows
(Diagram: standard self-enrollment, or self-enrollment that requires OOB during enrollment; optional Approval Level 1 and Approval Level 2, then Issuing Authority and Shipping Authority, with status updates on the request.)
5. Alerts
Pro-active management
Pro-active alerts
• System, deployment and user events
• Capacity or SMS credits are running low
• Users who have not enrolled
• Provisioning
• Internal or external delivery
• SMS or email based
6. Reporting
Reports delivered to you
Reports can be scheduled
• Time-of-day / day-of-week
• Cyclic repeat for regular reports
Email-based delivery or via portal access
• Email to both internal or external recipients
Fully automated delivery
• Output in HTML, CSV, tab, XML
• Delivery via FTP, SFTP, SCP
Comprehensive possibilities
Over 35 administration reports, including
• Inventory management
• Progress reports
• Estate management
• User management
Reports are grouped for instant access
• Security policy
• Compliance
• Billing
• Inventory
An additional reporting suite is available for managing multiple domain-based networks
Complete flexibility
Extensive customization options
• Time/date-based parameters
• Specific user/token selection
• Include/exclude fields
• Export capability
All authentication and operator activities are captured
Logs can be viewed internally or exported
Security - Control and peace of mind
• Unique policy engine allows centralized control of security posture
• Latest encryption algorithms used to generate passcodes, to encrypt user data and to protect all communication between different components
• Operational role segregation and delegated management
• Highly secure infrastructure housed in tier-4 data centres with appropriate certification such as ISO 27001 and PCI
Multiple Business Unit entities, Groups & Containers
Support multiple business units
(Diagram: Main Company with units USA (R&D, Operations, Sales), EMEA (R&D, Sales, Administration) and APAC (R&D, Operations).)
Multiple Business Unit entities, Groups & Containers
Support multiple business units
Gain power and flexibility to support
• Delegated administration and localization within business units or departments
• Local and centralized user directories
• Local and central authentication points: VPNs, applications and network devices
• Organizations lower in the hierarchy can inherit policies and settings
• Avoid multiple instances of authentication servers
Multiple Business Unit entities, Groups & Containers
Groups and containers
Groups of users allow actions or policy application to be applied to multiple users
• Pre-auth based on security groups
• Auto-provision / revoke based on security groups
• Internal and/or AD/LDAP groups
• RADIUS attributes either by user or group
Containers allow groups of people to see and manage users and tokens, enabling devolved management and separation of administrator functions
• Independent containers hold objects (users, tokens or both)
• Objects exist in only one container
• Segregated management (containers: administrators)
Your Administration Portal
For multi-domain management:
• Dashboard: service status
• On-boarding: “Business” functions for all subscribers
• Virtual Servers: “Operation” functions for all subscribers
• Administration: role, scope, billing & reporting
For local management:
• Virtual Server management for Service Provider and Subscriber
• Token / user management, provisioning
• ACLs, RADIUS attributes
• Local roles/scope
• Reporting
• Policies
• Branding
• Delegation of management
(Screenshot shows the EMEA and APAC virtual servers.)
Operator Role and Scope
A role decides what an operator can do: hide, show, enable or disable tabs, modules and actions to form a role.
The scope decides “who you can do it to”: use organizations and containers to control the scope.
User Self-Service Portal
Fully customisable throughout – images, text, options
Provide alternative log-in methods for “lost” tokens
• Email password, SMS password, use Q&A
Integrate into workflows
• Self-registration
• Management sign-off
• Wrap into logistics services
Customization and Branding
Customize Everything
• User experiences
  • User messages such as enrolment and token-related (SMS or software) alerts etc.
  • Log-on experience
  • Self-service experience
• Administrator experience
  • Language
  • Alert messages
  • Branding
• Infrastructure
  • SMS gateways
  • Modems
• Reporting
• Security
  • Policy engine
  • OTP policy
• Administrator and operator role management
Customization and Branding
Brand Everything
• Branding of Portal
• Branding of Self-Service Portal
• Token branding options
• Customisation of SMS messages and emails
  • Default messages
  • SP text within message
  • Customer text within message
  • Customise deployment message
• Dedicated URLs
  • Portal
  • Self Enrollment
  • Self Service
• Branding of documentation
Migrating to your new service
(Diagram, BEFORE: an RSA Agent (or any 3rd-party agent) authenticates against RSA Authentication Manager with RADIUS (or any 3rd-party authentication server). Migration: add Authentication Manager as an Auth Node in SAS and add SAS as a RADIUS client, so that SAS agents, RADIUS and SAML access points are served and any token type can continue to be used.)
Corporate Integration APIs and Web Services
Authentication and management APIs availability
• Made available as WSDLs, so any programming language capable of consuming WSDLs can call the APIs
Authentication API allows custom authentication
• From an application or network device that does not support, or does not want to use, industry standards such as RADIUS and SAML
Management API supports user and token management without use of the standard web UI
• Extensive functionality available
• Highly secure
Invoke any or all of the UI functionality from external applications
Additional value – documentation
Documentation and agents
Microsoft integrations
Microsoft integrations – sample
(Diagram components: Office 365, AD, user synchronization, ADFS, ADFS proxy, SAS Cloud Agent, SAS OTP cloud server.)
1st and 2nd line troubleshooting guides
Summary
Summary – Key Features and Benefits
• Widest choice of tokens, including tokenless & 3rd party, e.g. RSA
• Protect everything: networks, applications and cloud services
• Drastically reduce management time, by up to 90%, through automation and user self-service
• Save money and resources
• Migrate easily from your existing solution whilst protecting your current investment in tokens
• Rules and policy engines that automate everything
• Scheduled, automated, fully customizable reporting
• Customize everything, brand everything
• Use multiple business units, groups and containers to find the perfect mix of central management and devolved administration
• Increase security – from token options to granular operator roles
Summary
Authentication must-haves
• Choose any token
• Protect everything, now and in the future
• Automate everything
• Migrate easily, with zero impact on your end users
Save time, money and the environment by going SaaS
• Ditch unnecessary local servers and take advantage of our world-class SaaS infrastructure and SLA
• No ongoing hassle and costs for infrastructure
• Save money with simple per-user per-annum pricing
Thank You