smartcard forum 2010 - enterprise authentication
Entrust IdentityGuard: Versatile Authentication Platform for Enterprise Deployments
Sam Linford
Senior Technical Consultant
© Copyright Entrust, Inc. 2009 2
Entrust is a World Leader in Identity Management and Security Software
• Best-in-class technology, service and support – industry pioneer
• Over 2000 customers in 50 countries – global reach
• Geographic presence: U.S., Canada, UK, China, Germany, India and Japan
• 411 employees and 110+ patents
• 2008 Revenue: ~$100.0 million
Securing Digital Identities and Information…
[Figure: Fraud Detection & Risk-Based Authentication Platform; Public Key Platform; Slovenia ePassport]
The need for stronger enterprise authentication…
• Globalization and growing mobile workforce
• Unmanaged devices and locations
• De-perimeterization of networks
• Growing compliance regulations
[Figure: Enterprise (Applications, Files) accessed by Mobile Workers, Mobile Devices and Partners]
Factors to consider in deploying 2nd Factor
• Risk
– Sensitivity of resources
– Cost of breach
• Usability
– User expertise
– Solution flexibility
• Cost
– Initial cost
– Ongoing maintenance
– Future changes
Entrust IdentityGuard
• Single open platform, centralized policy management
• User self administration
• Deploy based on Risk, Usability, Cost
[Figure: Versatile Authentication Platform supporting Username & Password, Grid, Scratch Pad, Digital Certificates, OTP Tokens, Smartcards & USB Tokens, Mutual Auth, IP-Geolocation, Machine/Device Auth, Mobile, and Knowledge-Based authenticators]
IP Geolocation
• Authentication based on the user's physical location
• Register common access points & record logon profiles
• Leverage IP black/white lists & OFIN data
Machine Authentication
• Captures machine parameters
• No user interaction
• With or without cookies
[Figure: sample captured parameters (IP: 216.191.253.108, Browser: IE 7.0, Screen Depth: 1024, …)]
Digital Certificates
• X.509 certificate support
• Existing certificates or leverage Entrust Managed Service Offering
• Standard SSL client or application-based signature-based authentication
• Stored in software, on smart cards, or USB tokens
Mobile Authentication & Transaction Notification
• Multiple Identities, one device
• Mix of Soft token only and Transaction Notification
• Independent activation and control
• Customizable branding per identity
IDG Mobile – Soft Token
• OATH compliant
• Time-based soft token
• 30 second time window
• Brandable interface
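As an added illustration (not Entrust's code) of what an OATH-compliant, time-based soft token with a 30 second window computes and how a server should check it: RFC 6238 TOTP over HMAC-SHA1, with a one-step clock-drift allowance and a last-accepted-counter check against replay. The secret is the RFC 4226/6238 test-vector seed, assumed here so the output can be compared with the published vectors.

```python
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890"); assumed
# here only so the values match the published test vectors.
RFC_SECRET = b"12345678901234567890"
STEP_SECONDS = 30  # the 30 second time window the slide describes


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 one-time code for a counter value (RFC 4226 dynamic truncation)."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """Time-based code: the HOTP counter is the number of 30 second steps since the epoch."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, submitted, unix_time, last_counter=-1,
                step=STEP_SECONDS, skew=1, digits=6):
    """Server-side check. Accepts the current step plus `skew` steps either side
    to tolerate clock drift, refuses any counter at or below `last_counter` so an
    intercepted code cannot be replayed, and compares in constant time.
    Returns the accepted counter (store it as the new last_counter) or None."""
    counter = int(unix_time) // step
    for delta in range(-skew, skew + 1):
        candidate = counter + delta
        if candidate <= last_counter:
            continue  # already used, or older than the last accepted code
        if hmac.compare_digest(hotp(secret, candidate, digits), str(submitted)):
            return candidate
    return None


if __name__ == "__main__":
    now = time.time()
    code = totp(RFC_SECRET, now)
    print("current code:", code)
    print("accepted counter:", verify_totp(RFC_SECRET, code, now))
```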
IDG Mobile - with Transaction Notification
• OATH Time-based Soft Token
• Transaction details confirmed out of band on mobile device
• No data entry
• OATH signature of transaction contents
• User confirms transaction or acts on suspect details
Soft Token Mobile Authentication
• Single or multiple one-time passcodes to mobile device – SMS, email, voice
• Authenticate while out of cell range
• Out-of-band transaction detail confirmation and authentication OTP
• Automatic refresh of OTPs
Knowledge Authentication
• Configurable number of questions
• User defined or imported
• Define number of correct answers
• Randomly presented
Grid Authentication
• Each grid card unique
• Inexpensive to produce and deploy
• Innovative eGrid in graphic or PDF format
• Easy to use and support
[Figure: grid card with a challenge of cell coordinates]
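The challenge/response behind a grid card, as an added example (not Entrust's product code): the card is assumed to be a 5 x 5 layout with rows A-E and columns 1-5, derived from a per-user seed with HMAC-SHA256 (a design choice assumed here, so only the seed is stored); the server challenges three random cells, consumes the challenge on first use and compares the answer in constant time.

```python
import hashlib
import hmac
import secrets

ROWS = "ABCDE"        # assumed 5 x 5 layout; the real card size is not on the slide
COLS = range(1, 6)
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # no 0/O or 1/I look-alikes


def derive_grid(user_seed: bytes) -> dict:
    """Expand a per-user secret seed into a unique card: cell name -> character.
    Only the seed is stored server-side; the card is recomputed on demand."""
    grid = {}
    for row in ROWS:
        for col in COLS:
            cell = f"{row}{col}"
            digest = hmac.new(user_seed, cell.encode(), hashlib.sha256).digest()
            grid[cell] = ALPHABET[digest[0] % len(ALPHABET)]
    return grid


def issue_challenge(outstanding: set, cells_per_challenge: int = 3) -> tuple:
    """Pick distinct cells with a CSPRNG and record the challenge as outstanding."""
    cells = [f"{r}{c}" for r in ROWS for c in COLS]
    challenge = tuple(secrets.SystemRandom().sample(cells, cells_per_challenge))
    outstanding.add(challenge)
    return challenge


def verify_grid(user_seed: bytes, challenge: tuple, response: str, outstanding: set) -> bool:
    """Check the user's answer. The challenge is consumed on the first attempt,
    whatever the outcome, so a captured answer cannot be replayed and a guess
    cannot be retried against the same cells; the comparison is constant-time."""
    if challenge not in outstanding:
        return False
    outstanding.discard(challenge)
    grid = derive_grid(user_seed)
    expected = "".join(grid[cell] for cell in challenge)
    return hmac.compare_digest(expected.encode(), response.strip().upper().encode())


if __name__ == "__main__":
    seed = b"constructed-user-seed"  # constructed sample; a real seed comes from a CSPRNG
    card = derive_grid(seed)
    pending = set()
    chal = issue_challenge(pending)
    answer = "".join(card[c] for c in chal)
    print("challenge", chal, "->", verify_grid(seed, chal, answer, pending))
```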
Mini Tokens
Mini OT
• Time-Synchronous
• OATH Compliant
Mini AT
• Time & Event-Synchronous
• Standards Based Algorithm
Pocket Tokens
• Time & Event-Synchronous
• PIN unlock, Response, Challenge + Response
• Standards Based Algorithm
DisplayCard Tokens
• Credit card format
• OATH based OTP generation
• Multi-functional card including optional on-board chip (PKI and/or EMV chip)
Mutual Authentication
• End user validation of site
• Personalized for user
• Increased user confidence
[Figure: mutual authentication methods: Serial Number Replay; Extended Validation Certificates; Image & Message Replay]
Application: Remote Access
[Figure: End User connecting to Remote Access Applications]
• Integrates with leading remote access solutions
• Leverages industry standards to streamline deployment
• Supports MS RAS, IPsec, & 802.1x clients
Application: Enterprise Desktops & Servers
[Figure: End User (any user or administrator) authenticating to Microsoft Windows Desktops and Enterprise Servers]
• Integrated 2nd factor authentication
• Easy to use & deploy
• Leverages common security infrastructure
Application: Extranet Access
[Figure: End User connecting to Web Authentication Applications]
• Range of authenticators
• Inexpensive to deploy
• Easy to use and support
Integrating IdentityGuard
[Figure: IdentityGuard integration points serving the End User: Remote Access Applications, Microsoft Windows Servers, Web Authentication Applications, Enterprise Applications & Data, and the user Repository]
Policy & User Management
• Web based Administration
Reporting
• Web based reporting
• User and authentication tracking and analysis
Self-Service Server
• User self administration of Entrust IdentityGuard accounts
– User self-enrollment, assignment, activation, change and reset of authenticators
– Authentication credential or personal information modification
– Account status information
• Customizable web-based user interface
• Anytime, anywhere access
[Figure: new and existing users accessing the Self Service Server]
Self-Service Server
• Administrator control of options and permissions
• Web front end to existing IdentityGuard implementation
– No replication of data required
• Benefits
– Reduces help desk and administrator costs and effort
– Improves usability and acceptance by customers of strong authentication
[Figure: new and existing users accessing the Self Service Server]
Self-Service Server
Manage authenticators and account information in a single, customizable interface.
Self-Service Server
Facilitate entering or changing of specific required information for authentication…
Self-Service Server
Send or save an electronic grid…
Industry Recognition
Named Leader in “Excellence in Security Solution for Credit Unions”, Information Security Products Guide, June 2006
Gartner “Leader”, Gartner Magic Quadrant, Feb. 2009
“Industry Innovators 2007”, SC Magazine, December 2007
SC Magazine “Recommended” in Authentication Group Test, Feb. 2009
Enterprise Authentication Success
And many more……
Customer Deployment Scenarios
U.S. Treasury Department
Customer Challenge:
• Provide secure access for 530,000 plus employees and customers
• Strong 2nd factor security
• Easy to use with minimal training and maintenance
Solution:
• Leveraging grid authentication option
• Addressing issue of visually impaired with Braille grids
Customer Deployment Scenarios
Xerox
Challenge:
• Provide secure remote access for 80,000 plus employees & third-party partners
Key Attributes
• Strong 2nd factor authentication for entire user population (vs. current subset)
• Replace current high priced tokens with usable, inexpensive alternative
• Alternative authentication choices
• Seamless integration with leading VPNs
Solution:
• Juniper SSL and IPSEC VPN solution
• 2nd Factor eGrid Authentication
‘Xerox was most pleased with the operational flexibility and ease of execution’
Entrust IdentityGuard
• Single Open Platform
• Centralized Policy Management
• Deploy based on Risk, Usability, Cost
[Figure: Versatile Authentication Platform supporting Username & Password, Grid, Scratch Pad, Digital Certificates, OTP Tokens, Smartcards & USB Tokens, Mutual Auth, IP-Geolocation, Machine/Device Auth, Mobile, Out-of-Band, and Knowledge-Based authenticators]
Thank You