Authentication As A Service
Why will new cloud-based authentication solutions be adopted by about 50% of companies by 2017?
Jason Hart CISSP CISM, VP Cloud Solutions
Today's World (diagram): users and their workspaces (remote users, internal people, 3rd-party access, branch offices, PDA users) reaching cloud applications and SaaS apps.
Virtual World – With Virtual Back Doors
• Welcome to the future
• Cloud computing
• Virtual environments
• With virtual security holes
• During the past 15 years we have learnt nothing
We have forgotten:
• Confidentiality
• Integrity
• Availability
• Accountability
• Auditability
Have we not learnt a thing?
Welcome to the 3rd Age of Hacking
• 1st Age: Servers
  – FTP, Telnet, Mail, Web
  – These were the things that consumed bytes from a bad guy
  – The hack left a footprint
• 2nd Age: Browsers
  – JavaScript, ActiveX, Java, image formats, DOMs
  – These are the things that are getting locked down, slowly and incompletely
• 3rd Age: Mobile devices, the simplest target and getting easier
  – Targeting a mobile device to obtain someone's password is the skeleton key to their life and your business
  – Totally invisible, no trace
Password Attack
Welcome to the Future of Hacking
• Attack channels: web, mail, open services
• Targeted attacks against users, the business and/or premium resources
• A password attack is totally invisible to you
• Mobile devices are becoming an easy target for advanced persistent threats (APT)
Quoted from Verizon’s annual Data Breach report:
“…So, it really comes as no surprise that authentication based attacks (guessing, cracking, or reusing valid credentials) factored into about four of every five breaches involving hacking in our 2012 dataset. …”
“... 66% of the breaches in our 2013 report took months or even years to discover (62% months, 4% years).”
Protect Everything with SAS (architecture diagram): tokens and users authenticate through the SafeNet Authentication Service (SAS) to online storage, application hosting, private cloud services, public cloud applications and collaboration tools via SAML, and to private networks and corporate networks via RADIUS, agents and the API; the administrator manages SAS, and each corporate network's LDAP / Active Directory feeds it.
SafeNet Authentication:
• Provides the ability to rapidly scale and deploy authentication
• Simple, easy and low-cost, driving strong authentication into all markets
• The most powerful enterprise authentication server in the market
• Offers a multi-tenant, multi-tier authentication platform that allows an almost infinite number of “virtual” authentication servers for your business
More than Authentication
• Automate service delivery - features include a policy engine that can automatically provision, suspend or revoke tokens based on changes in the user repository
• Scheduled automated usage, audit and billing reports
• Branding - you can brand everything: self-service, enrolment and messaging services
• Token selection - the widest range of authentication token options
More than Authentication (continued)
• Security - customers can define their own security controls and policies
• Multi tenant - the only true multi-tier platform in the world
• Multi tier - manage centrally or fully devolve all administration
• Service alerts - full automation of user and administrator alerts
• API - detailed API sets for authentication and administration
• Open platform - every enterprise is different; full customisation to meet your needs
• Multi-tenant architecture
  – Scales to thousands of business units
  – Unlimited numbers of users per business unit
• Manage multiple business units from one centralised interface
  – Unlimited numbers
  – Supports multiple domains
• Secure
  – Only view one level down
  – Isolation and access control
• Delegated management for lower tiers
  – Deliver enhanced service wrappers
  – Great for multi-region networks
• Inherit capabilities to lower levels
  – SMS / SMTP gateways
  – Branding
Multi-Tenant Multi-Tier – Overview (diagram): an Enterprise Subscriber acting as a Virtual Service Provider delegates administration to Regions 1, 2 and 3, with Subscriber A, Subscriber B and a Managed Subscriber below it.
• Multi-tenant architecture
  – Unlimited domains
  – Non-directory stores
  – Localisation
• Automation
  – User fulfilment: provisioning, enrolment etc.
  – User self-healing
  – Reports
• Secure
  – The ability to manage clients if rights are granted by the client
• Branding and region
  – Adding of custom SMS gateways
  – Everything can be fully branded
• Features
  – Meets all market requirements
Multi-Tenant Multi-Tier (diagram): Your Enterprise at the top tier, with Divisions 1 to 4, a Regional Office, HR and the Helpdesk as delegated lower tiers.
Flexibility and Customisation
• Language - by region or Admin
• Alert messages – including language
• SMS Gateways - by region
• Branding - Even by region or business unit
• OTP policy - Even by region or user base
• User experiences
• Role Management
• Reporting
• Pretty much everything
• Even the service you would like to offer
Example Flexibility
SAS offers full automation, including:
• Token provisioning
• Security rules definition engine
  – Once created, rules are applied automatically
• Alerts
• SAML service registration
• Self enrolment
• Self service
• Reporting
Automation flow (diagram): LDAP changes -> auto-update SAS -> auto-provision user -> self-enrollment -> reporting and alerts.
User Directory Sources
SafeNet supports any user store via a sync agent:
• SQL, LDAP, AD, ODBC, Lotus, Novell, anything (via custom field mapping)
• No schema change
• Non-intrusive / read only
• Multiple domains
• No hardware required
• Encrypted transmission of data
Users can also be bulk imported via .csv files and / or created locally.
(Diagram: the sync agent runs inside the corporate network against the LDAP / Active Directory / user source.)
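The policy engine promised under “More than Authentication” (provision, suspend or revoke tokens on changes in the user repository) and the read-only sync agent described above, as an added example that is not SafeNet's code: one sync pass over a snapshot of directory records drives a small rule engine that provisions, suspends, reactivates or revokes tokens. The directory snapshots, group names, rule order and token types are constructed for illustration; a real agent would read the records from LDAP/AD over an encrypted connection and would only ever read.

```python
"""Added example (not SafeNet's code): a read-only directory sync pass
feeding a token-provisioning policy engine.  The directory snapshots and
the rule set below are constructed for illustration."""
from dataclasses import dataclass, field

# Constructed snapshots of what a read-only sync agent could return from
# LDAP / AD.  Only the attributes the rules need are copied, so the source
# directory schema is never touched.
SNAPSHOT_DAY1 = [
    {"uid": "bill",  "enabled": True,  "groups": ["vpn-users", "finance"]},
    {"uid": "alice", "enabled": True,  "groups": ["vpn-users"]},
    {"uid": "carol", "enabled": False, "groups": ["vpn-users"]},
]
# Day 2: carol has been enabled, bill disabled, alice deleted outright.
SNAPSHOT_DAY2 = [
    {"uid": "bill",  "enabled": False, "groups": ["vpn-users", "finance"]},
    {"uid": "carol", "enabled": True,  "groups": ["vpn-users"]},
]

# Rules are evaluated in order; the first group match decides the token type.
RULES = [
    {"group": "finance",   "token_type": "hardware"},
    {"group": "vpn-users", "token_type": "sms"},
]

@dataclass
class Token:
    user: str
    token_type: str
    state: str = "active"          # active | suspended | revoked

@dataclass
class TokenStore:
    tokens: dict = field(default_factory=dict)   # uid -> Token
    known_users: set = field(default_factory=set)

def sync_pass(store: TokenStore, snapshot: list, rules: list) -> list:
    """Apply one directory snapshot to the token store.

    Returns the actions taken as tuples, in the order they were applied.
    Disabled users keep their token but it is suspended; users that have
    disappeared from the directory have their token revoked; a user who
    re-appears after revocation gets a fresh token (the old seed is gone).
    """
    actions = []
    seen = set()
    for rec in snapshot:
        uid = rec["uid"]
        seen.add(uid)
        store.known_users.add(uid)
        tok = store.tokens.get(uid)
        rule = next((r for r in rules if r["group"] in rec["groups"]), None)
        if not rec["enabled"] or rule is None:
            # disabled, or no longer in any group that earns a token
            if tok is not None and tok.state == "active":
                tok.state = "suspended"
                actions.append(("suspend", uid))
            continue
        if tok is None or tok.state == "revoked":
            store.tokens[uid] = Token(uid, rule["token_type"])
            actions.append(("provision", uid, rule["token_type"]))
        elif tok.state == "suspended":
            tok.state = "active"
            actions.append(("reactivate", uid))
    # Anyone we knew about who is no longer in the directory loses the token.
    for uid in sorted(store.known_users - seen):
        tok = store.tokens.get(uid)
        if tok is not None and tok.state != "revoked":
            tok.state = "revoked"
            actions.append(("revoke", uid))
        store.known_users.discard(uid)
    return actions

def run_demo() -> tuple:
    """Run both constructed snapshots through a fresh store."""
    store = TokenStore()
    day1 = sync_pass(store, SNAPSHOT_DAY1, RULES)
    day2 = sync_pass(store, SNAPSHOT_DAY2, RULES)
    return day1, day2, store

if __name__ == "__main__":
    d1, d2, _ = run_demo()
    print(d1)   # [('provision', 'bill', 'hardware'), ('provision', 'alice', 'sms')]
    print(d2)   # [('suspend', 'bill'), ('provision', 'carol', 'sms'), ('revoke', 'alice')]
```

The rule order matters: Bill is in both groups and gets the hardware token because the finance rule is listed first. Deleting a user revokes rather than deletes the token record, so the audit trail (and the fact that the old seed must not be reused) survives the user's disappearance.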
Widest Choice of Tokens
• Authenticators for every user type, and an increasing focus on commoditisation
Authenticators that:
• Don’t expire
• Have seed keys that can be owned by the subscriber
• Can be easily re-assigned to new users
• Are easy to deploy, saving cost and time
• Can be included in the service charge
Multi-platform: hardware, SMS, BlackBerry, iOS, Android, Microsoft, Java, USB, Grid, OS X.
Token Choice
Choose the right token type for each user:
• Phone based
• Software
• Multiple hard tokens
• ‘Tokenless’, either SMS or grid based
Our authenticators:
• Don’t expire
• Can be included in the service charge
• Seed keys can be generated by the customer
• Can be re-assigned to new users
• Self-enrollment options reduce administration
• OTP and PIN complexity defined by the customer
This provides the lowest overall total cost of ownership. Supporting 3rd-party tokens enables an orderly and cost-effective migration.
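What “OTP and PIN complexity defined by the customer” and a customer-generated seed key come down to on the server, as an added example that is not SafeNet's code: RFC 4226 HOTP generation, plus the verification an event-based token needs in practice, a PIN check in front of the OTP, a look-ahead window so a token whose counter has drifted (button pressed without logging in) still resynchronises, a counter advance so a used code can never be replayed, and a failure counter that locks the token. The seed (the RFC 4226 test vector key), the 4-digit PIN policy, the salt and the window size are illustrative choices.

```python
"""Added example (not SafeNet's code): RFC 4226 HOTP with server-side
PIN check, look-ahead resynchronisation, replay protection and lockout.
Seed, PIN policy and window size are illustrative."""
import hashlib
import hmac
import struct
from dataclasses import dataclass

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) from RFC 4226: HMAC-SHA1, dynamic truncation, mod 10^digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def pin_hash(pin: str, salt: bytes) -> bytes:
    # The server keeps only a salted, stretched hash of the PIN.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

@dataclass
class TokenRecord:
    seed: bytes          # in SAS the seed record would sit under HSM protection
    counter: int         # next counter value the server expects
    pin_salt: bytes
    pin_digest: bytes
    digits: int = 6
    failures: int = 0

    @classmethod
    def enrol(cls, seed: bytes, pin: str, salt: bytes = b"constructed-salt") -> "TokenRecord":
        return cls(seed, 0, salt, pin_hash(pin, salt))

PIN_LENGTH = 4   # illustrative customer policy: 4-digit PIN typed before the OTP

def verify(token: TokenRecord, submitted: str, window: int = 10, max_failures: int = 5) -> bool:
    """Check a PIN+OTP string against the token; True only on a fresh, valid code."""
    if token.failures >= max_failures:
        return False                          # locked; needs an administrator reset
    if len(submitted) != PIN_LENGTH + token.digits or not submitted.isdigit():
        token.failures += 1
        return False
    pin, otp = submitted[:PIN_LENGTH], submitted[PIN_LENGTH:]
    pin_ok = hmac.compare_digest(pin_hash(pin, token.pin_salt), token.pin_digest)
    # Always walk the whole window, so a bad PIN and a bad OTP cost the same time.
    hits = [i for i in range(window)
            if hmac.compare_digest(hotp(token.seed, token.counter + i, token.digits), otp)]
    if not pin_ok or not hits:
        token.failures += 1
        return False
    token.counter += hits[0] + 1              # step past the used code: no replay
    token.failures = 0
    return True

if __name__ == "__main__":
    tok = TokenRecord.enrol(b"12345678901234567890", "1234")   # RFC 4226 test key
    print(verify(tok, "1234" + hotp(tok.seed, 0)), tok.counter)   # True 1
    print(verify(tok, "1234" + hotp(tok.seed, 0)), tok.counter)   # False 1 (replay)
```

Codes behind the server counter are rejected even though they are “valid” HOTP outputs; that is the property a migration from a legacy token server must preserve, otherwise a code captured in transit can be replayed against the new service.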
Self Service
• Customizable
  – Icons
  – Colors
  – Services
  – Multi-language
• Request token
  – Approve, issue, ship workflow
• Self-service API (WSDL)
  – Build into existing portals
User “Aliases”
• A user has multiple “IDs”
  – 1 UserID + up to 2 “Aliases”
  – All can use the same token(s)
  – Allows for different privileges with only 1 token
(Diagram: one token used under three IDs, Bill, SysAdmin and Billy, across standard user applications, router and server management, finance servers and enterprise resources.)
Security
• Hardware HSM support
  – All token seed records encrypted and protected by the HSM
  – All encryption/decryption executed internally by the HSM
  – Data-center-to-data-center failover
SAML Single Sign-on
• Single sign-on
  – Authentication at one allowed SAML site gives access to all allowed sites
  – Log off at one allowed site and you are logged off at all allowed sites
(Diagram: UserID “Bill” logs in with an OTP as the password, and SAS issues SAML assertions naming the user as bill@gmail.com, blaham@cryptocard.com or bill depending on the site.)
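The alias and single sign-on slides together, as an added example that is not SafeNet's code: the IdP issues a SAML 2.0 assertion after the OTP check, choosing as NameID whichever of the user's IDs the requesting site registered for (the diagram's bill@gmail.com, blaham@cryptocard.com and bill); the service provider side shows the checks a relying party must make before trusting it (issuer, audience, validity window, assertion ID replay); and a session table supports logging the user off everywhere at once. The entity IDs, the alias table and the user record are constructed. XML Signature handling is deliberately out of scope here: a real SP verifies the signature (and the InResponseTo binding) before any of the checks shown.

```python
"""Added example (not SafeNet's code): SAML 2.0 assertion issue with
per-site NameID selection, SP-side validation, and single logout.
Entity IDs, users and aliases are constructed; XML Signature is not modelled."""
import datetime as dt
import uuid
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
IDP_ENTITY_ID = "https://sas.example.net/idp"            # assumed issuer entityID
DEMO_NOW = dt.datetime(2013, 6, 1, 12, 0, 0)             # fixed clock for the demo
DEMO_LATER = DEMO_NOW + dt.timedelta(seconds=600)        # past the 300 s lifetime

# Constructed: one user with a UserID and two aliases ("1 UserID + up to 2 aliases").
USERS = {"bill": {"uid": "bill", "email": "bill@gmail.com", "corp": "blaham@cryptocard.com"}}
# Constructed: each registered SP states which of the user's IDs it receives as NameID.
SERVICE_PROVIDERS = {
    "https://mail.example.com/sp": "email",
    "https://crm.example.com/sp":  "corp",
    "https://wiki.example.com/sp": "uid",
}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

def issue_assertion(uid: str, sp: str, now: dt.datetime, ttl: int = 300) -> bytes:
    """IdP side; called only after the user's OTP has been verified."""
    if sp not in SERVICE_PROVIDERS:
        raise ValueError("unregistered service provider")
    ET.register_namespace("saml", SAML)
    a = ET.Element(f"{{{SAML}}}Assertion", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": now.strftime(TIME_FMT)})
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = IDP_ENTITY_ID
    subj = ET.SubElement(a, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID").text = USERS[uid][SERVICE_PROVIDERS[sp]]
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions", {
        "NotBefore": now.strftime(TIME_FMT),
        "NotOnOrAfter": (now + dt.timedelta(seconds=ttl)).strftime(TIME_FMT)})
    ET.SubElement(ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction"),
                  f"{{{SAML}}}Audience").text = sp
    ET.SubElement(a, f"{{{SAML}}}AuthnStatement", {"AuthnInstant": now.strftime(TIME_FMT)})
    return ET.tostring(a)

def validate_assertion(xml: bytes, my_entity_id: str, now: dt.datetime, seen_ids: set) -> str:
    """SP side.  Returns the NameID or raises ValueError.  Signature verification
    (not modelled here) must happen before these checks."""
    a = ET.fromstring(xml)
    ns = {"saml": SAML}
    if a.findtext("saml:Issuer", namespaces=ns) != IDP_ENTITY_ID:
        raise ValueError("unexpected issuer")
    audience = a.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=ns)
    if audience != my_entity_id:
        raise ValueError("assertion was issued for another site")
    cond = a.find("saml:Conditions", ns)
    not_before = dt.datetime.strptime(cond.get("NotBefore"), TIME_FMT)
    not_on_or_after = dt.datetime.strptime(cond.get("NotOnOrAfter"), TIME_FMT)
    if not (not_before <= now < not_on_or_after):
        raise ValueError("assertion outside its validity window")
    if a.get("ID") in seen_ids:
        raise ValueError("assertion replayed")
    seen_ids.add(a.get("ID"))
    return a.findtext("saml:Subject/saml:NameID", namespaces=ns)

class SsoSessions:
    """IdP-side record of which sites a user has been signed in to."""
    def __init__(self):
        self._sites = {}                             # uid -> set of SP entity IDs
    def sign_in(self, uid: str, sp: str, now: dt.datetime) -> bytes:
        self._sites.setdefault(uid, set()).add(sp)
        return issue_assertion(uid, sp, now)
    def active_sites(self, uid: str) -> set:
        return set(self._sites.get(uid, ()))
    def logout(self, uid: str) -> set:
        """Logoff at one site logs off everywhere: returns the SPs to notify."""
        return self._sites.pop(uid, set())

def demo(now: dt.datetime = DEMO_NOW) -> dict:
    """Bill signs in to all three sites, each validates its assertion, then he logs out."""
    sessions, seen = SsoSessions(), set()
    names = {sp: validate_assertion(sessions.sign_in("bill", sp, now), sp, now, seen)
             for sp in SERVICE_PROVIDERS}
    active = sessions.active_sites("bill")
    notified = sessions.logout("bill")
    return {"names": names, "active": active, "notified": notified,
            "after": sessions.active_sites("bill")}

if __name__ == "__main__":
    print(demo()["names"])
```

The audience check is the one that makes the aliases safe: an assertion minted for the mail site names bill@gmail.com and is rejected by the CRM site, so a low-privilege identity cannot be presented to a high-privilege resource even though the same token authenticated both.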
SafeNet Authentication Architecture (diagram): the SafeNet Authentication Service runs across two data centers with failover. Inputs: administrators, users and tokens over the Internet; user self-service requests; LDAP synch and migration agents reading the user repository; RADIUS and SAML authentication requests from agents on access devices and from an existing RADIUS server. Components: user repository, token repository, virtual server management and admin, security policy engines, self-enrolment portals, migration solutions, provisioning, reports and alerts. Outputs: SMS messages via an SMS gateway over HTTP(S) (subscriber- or SP-selected) and email via SMTP.
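The RADIUS authentication request in the architecture above (from an agent, an access device or an existing RADIUS server) carries the PIN+OTP inside a User-Password attribute. As an added example that is not SafeNet's code, this builds that Access-Request and answers it the way an authentication service must: RFC 2865 User-Password hiding and its reversal, the RFC 2869 Message-Authenticator over the request, and the Response Authenticator that lets the client check the Access-Accept came from the server holding the shared secret. The shared secret, identifier, authenticator and credentials are constructed; the OTP check itself is stubbed by a callback.

```python
"""Added example (not SafeNet's code): RFC 2865/2869 RADIUS Access-Request
and response handling for a PIN+OTP.  Shared secret, identifier and
authenticator values are constructed; the OTP check is a callback."""
import hashlib
import hmac
import os
import struct
from typing import Callable, Dict, List, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, MESSAGE_AUTHENTICATOR = 1, 2, 80

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block), starting from the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out

def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(t: int, value: bytes) -> bytes:
    return struct.pack("BB", t, len(value) + 2) + value

def parse_attrs(data: bytes) -> List[Tuple[int, int, bytes]]:
    """Return (type, offset of value within data, value) for each attribute."""
    out, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        out.append((t, i + 2, data[i + 2:i + length]))
        i += length
    return out

def build_access_request(secret: bytes, ident: int, authenticator: bytes,
                         username: bytes, password: bytes) -> bytes:
    attrs = attr(USER_NAME, username)
    attrs += attr(USER_PASSWORD, hide_password(secret, authenticator, password))
    attrs += attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)      # zeroed while computing the HMAC
    header = struct.pack(">BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac

def check_message_authenticator(secret: bytes, packet: bytes) -> bool:
    for t, off, value in parse_attrs(packet[20:]):
        if t == MESSAGE_AUTHENTICATOR:
            start = 20 + off
            zeroed = packet[:start] + b"\x00" * 16 + packet[start + 16:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
    return False          # an OTP service should insist on the attribute being present

def build_response(secret: bytes, code: int, request: bytes, attrs: bytes = b"") -> bytes:
    ident, request_auth = request[1], request[4:20]
    head = struct.pack(">BBH", code, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs

def check_response(secret: bytes, request_auth: bytes, response: bytes) -> bool:
    head, got, attrs = response[:4], response[4:20], response[20:]
    want = hashlib.md5(head + request_auth + attrs + secret).digest()
    return hmac.compare_digest(got, want)

def server_handle(secret: bytes, packet: bytes,
                  verify_otp: Callable[[bytes, bytes], bool]) -> bytes:
    """Authentication-service side: check the request, recover the PIN+OTP,
    answer Access-Accept or Access-Reject."""
    if packet[0] != ACCESS_REQUEST or not check_message_authenticator(secret, packet):
        return build_response(secret, ACCESS_REJECT, packet)
    fields: Dict[int, bytes] = {t: v for t, _, v in parse_attrs(packet[20:])}
    password = reveal_password(secret, packet[4:20], fields.get(USER_PASSWORD, b""))
    ok = verify_otp(fields.get(USER_NAME, b""), password)
    return build_response(secret, ACCESS_ACCEPT if ok else ACCESS_REJECT, packet)

if __name__ == "__main__":
    secret, req_auth = b"constructed-shared-secret", os.urandom(16)
    req = build_access_request(secret, 7, req_auth, b"bill", b"1234755224")
    resp = server_handle(secret, req, lambda u, p: u == b"bill" and p == b"1234755224")
    print("accept" if resp[0] == ACCESS_ACCEPT else "reject", check_response(secret, req_auth, resp))
```

Two caveats worth keeping in mind when the OTP leaves the corporate network for a hosted service: User-Password hiding is MD5-based obfuscation keyed on the shared secret, not encryption, so the RADIUS leg should run inside a VPN, IPsec or RadSec tunnel; and a client that skips the Response Authenticator check will accept a forged Access-Accept from anyone who can answer on the wire.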
Global Trends
“as-a-Service” is accepted by customers
Source: The 451 Group Cloud Computing Market Monitor, August 2012
Authentication-as-a-Service is HOT!
$13bn by 2015, with 47% in North America
SAS is absolutely the hottest product!
“Gartner predicts that, by 2017, more than 50% of enterprises will choose cloud-based services as the delivery option for new or refreshed user authentication implementations, up from less than 10% today.”
Source: Gartner MQ for User Authentication, 2012
Facing challenges you can’t address?
(Diagram: SaaS applications, VPNs, web-based portals, virtual environments.)
• More users to protect: employees, partners, contractors
• More data and applications to protect
• More end points being used
3] CHOICE: only one token choice per user, and can’t use existing authentication tokens during the migration
Pricing!
• It’s all about total cost of operation, including internal costs
• Simple per-user-per-year model, MP tokens included, no extras
• Opex or capex models
• Automate everything: massively reduces administration costs
Recommended