Cognizance Identity and Access Management
Identity Management ● Authentication ● Authorization ● Administration
The next generation security solution
www.cognizancesecurity.com
2003 RSA Security Conference
Identity Management Objectives
The problem:
• Multiple accounts per employee
• Growing number of applications and platforms
• Access from employees, business partners, customers & suppliers
• Open enterprise cannot rely on the disappearing physical perimeter for security
(Diagram: resources such as Network, SAP, Citrix, VPN, Web and more, accessed by Finance, Marketing, Sales, Service, B2B Partners, Customers and Employees)
• 60% of fraud is internal
• Increase in portal failures
• Control over email groups
• Failing policies & procedures
• Increase access flexibility and security without budget increase
Cognizance Solution
The solution:
• Consolidated security framework: users, policy & applications
• Consistent user identity combines multiple user accounts
• Strong authentication and role based access control
The right information, to the right people, any application, any time, anywhere.
Role/Resource matrix over the roles Sales, Logistics, Guest and HR; each X marks a role that may use the resource:
Logon: X X X
Print: X X X
DB Access: X
CRM: X
Web: X X
Intranet App: X X X
Payroll: X
Education: X X
• Delegated administration and user self-service (administration models: Centralized, Delegated, Self Management, User Self-Registration)
• Built-in identity applications and services: Network logon, VPN and Remote Access, Single Sign-On, PKI support, Web Access
Cognizance Identity & Access Management: architecture overview
User Identity: user profile, network accounts, application list, encryption keys, shared tokens, certificates, virtual tokens, multiple roles, SSO XML scripts, application data
Authentication methods: password, certificates, smart cards, biometrics, USB tokens, virtual tokens, other/custom
Authorization policy elements: authentication method, time, date range, group/unit membership, IP address range, ports and protocols, business rule based, custom
Administration: user administration, profile maintenance, user registration, group operations, credential store, multi-directory support
Applications & Services: Logon (MS & Novell), Web Access, Self Service, Single Sign-On, VPN/Remote Access, Citrix Metaframe, PKI Client
Core services: Authentication, Authorization, Identity Management
The Market
Analyst firm IDC expects this market to grow from $2.6 billion in 2002 to nearly $6 billion by 2006
Based on a Gartner survey of 30 senior security executives in large companies, many organizations already have internal secure identity management initiatives underway:
• 80% of Financial Services
• 70% of Retail
• 70% of High Tech
What the analysts are saying…
“The typical enterprise must manage increasingly virtual relationships with employees, contractors, customers, partners, suppliers, and a variety of other network constituents. The old way of thinking about corporate boundaries and network security—the firewall as an impenetrable perimeter—no longer applies.
Suddenly, the ability to manage identity has a direct impact on your company’s brand and its ability to adapt to new business models. Do it well and your company can make money in new ways. Do it poorly and your company will be damaged severely.”
Jamie Lewis, CEO and Research Chair, Burton Group
Cognizance Administration Center
• Manages users, user profiles, policies and applications from a single administration tool
• Manages all aspects of user identities across multiple directories
• Provides a consistent view of the enterprise security model
• Supports delegated administration
• Web enabled
• Includes a complete smart card management system
• Allows centralized SSO application registration
Cognizance Multifactor Authentication
• Provides the following authentication methods out-of-the-box: password, single-use password, smart card and USB token, virtual token (encrypted container holding the user identity), digital certificates, biometrics
• Supports any arbitrary combination of the above authentication methods
• Allows the use of multiple alternative authentication methods per user
• Supports an interface for plug-in authentication methods
Cognizance Role-Based Authorization
• Dynamic and static policy elements: authentication method, time, date, IP address and protocols
• Automatic policy generation based on business rules
• User sets allow combining users from different groups and directories
Role Based Authorization and Access Control (RBAC)
• Maps complex policies and business rules to multiple roles
• Simplifies policy management
• Reduces the number of policy relationships
• Simplifies application management
• Provides both application-to-role and role-to-application views of the enterprise access control
Cognizance Role-Based Authorization
Role of a Sales Person:
• ADS biometric logon
• SSO biometric access
• CRM biometric access
• Web – anonymous
• Email – ADS authentication
• Citrix published applications – biometric access
• VPN access – password
Role of a Finance Person:
• ADS biometric logon
• SSO biometric access
• CRM biometric access
• Web – anonymous
• Email – ADS authentication
• HR – biometric with revalidation
• SAP – biometric authentication
Application access policy (Application / Roles / Access):
Active Directory / Sales, Financing / Allow
Single Password (Win32, Web) / Sales, Financing / Allow
CRM / Sales, Financing / Allow
Web access / Everyone / Allow
Email / Sales ADS, Financing ADS / Allow
Citrix published applications / Sales / Allow
VPN access / Sales / Allow
SAP / Financing / Allow
All Services & Applications / Everyone / Deny
Role derivation policy (Authentication / User Set / Schedule / Location / Role):
Biometric / Sales / Worktime only / Internal network / Sales
Biometric / Financing / Worktime only / Internal network / Financing
ADS Auth / Sales / Worktime only / Internal network / Sales ADS
ADS Auth / Financing / Worktime only / Internal network / Financing ADS
Any method / All Users / Anytime / Anywhere / Auth Users
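The two policy tables above, worked through in Python as an added example (not Cognizance code): the role derivation table turns a request context (authentication method, user set, schedule, location) into roles, the application table maps roles to Allow decisions, and the final Deny row covers everything not explicitly allowed. The 09:00-18:00 reading of "Worktime only", the reading of "Everyone" as the Auth Users role, and the sample contexts are assumptions.

```python
"""Evaluate the two policy tables on slide 15: authentication context -> roles,
then roles -> applications, with the final row denying anything not allowed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Context:
    groups: frozenset   # user sets / directory groups the user belongs to
    auth_method: str    # "biometric", "ads", "password", ...
    hour: int           # local hour of the request, 0-23
    location: str       # "internal" or "external"
# (auth method, user set, schedule, location, role); None means any/all.
ROLE_RULES = [
    ("biometric", "Sales",     "worktime", "internal", "Sales"),
    ("biometric", "Financing", "worktime", "internal", "Financing"),
    ("ads",       "Sales",     "worktime", "internal", "Sales ADS"),
    ("ads",       "Financing", "worktime", "internal", "Financing ADS"),
    (None,        None,        "anytime",  "anywhere", "Auth Users"),
]

# Application -> roles allowed. "Everyone" on the slide is read as any
# authenticated user, i.e. the Auth Users role (an assumption).
APP_ACCESS = {
    "Active Directory": {"Sales", "Financing"},
    "CRM": {"Sales", "Financing"},
    "Web access": {"Auth Users"},
    "Email": {"Sales ADS", "Financing ADS"},
    "Citrix published applications": {"Sales"},
    "VPN access": {"Sales"},
    "SAP": {"Financing"},
}
def schedule_matches(schedule, hour):
    # "Worktime only" is undefined on the slide; 09:00-18:00 is assumed.
    return schedule == "anytime" or 9 <= hour < 18

def roles_for(ctx):
    """Collect every role whose rule matches the request context."""
    roles = set()
    for method, user_set, schedule, location, role in ROLE_RULES:
        if method not in (None, ctx.auth_method):
            continue
        if user_set is not None and user_set not in ctx.groups:
            continue
        if schedule_matches(schedule, ctx.hour) and location in ("anywhere", ctx.location):
            roles.add(role)
    return roles

def decide(ctx, app):
    """Allow only if a derived role is listed for the app; otherwise deny."""
    return bool(roles_for(ctx) & APP_ACCESS.get(app, set()))
```

Note that the same user gets a weaker role set when the context changes: a Sales user authenticating by password from outside after hours falls through to Auth Users only and loses CRM access, which is the "flexible security targets specific danger areas" behaviour the deck describes later.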
Cognizance Built-In Applications
• Logon for Microsoft Windows, NDS and Citrix
• VPN and Remote Access client for CheckPoint and Microsoft
• Enterprise Single Sign-On (SSO): MS Windows, Web- or host-based applications; centralized, administrator-initiated and user-based SSO model; built-in XML scripts for popular applications; powerful language for new application registration
• PKI client with support for CAPI and PKCS#11: supports smart cards and virtual tokens; certificate issuance; automatic delivery of the certificates
• Self-service administration tool: maintains user profiles, manages SSO applications, registers credentials
• New user sign up: allows policy driven new user self-registration
Cognizance User Self-Services
• Single user self-service tool allows: centrally controlled profile maintenance by the user; registering new SSO applications; enrolling/changing user credentials; registering new network/VPN accounts; issuing and installing new certificates; storing/loading the identity to a smart card, USB or virtual token
• Launch Panel: instant access to all authorized applications
• New user sign up: policy driven registration sequence, including profile creation and credential enrollment
Benefit Analysis
Productivity increase – Administrator
• Single administration tool increases administrator efficiency
• Role-based access control simplifies policy and application management
• Automatic policy generation reduces administrator workload
• Unified user identity model reduces the number of duplicate accounts
• Single deployment installs multiple integrated applications, including network logon, SSO, VPN, user self-service and PKI client
• Easy and flexible smart card/virtual token deployment
• Simplified PKI deployment and use via user self-services
• User self-service tool reduces administrative workload
• Built-in enterprise SSO eliminates multiple password requirements
• Use of smart cards or biometrics can reduce the need for passwords
Benefit Analysis – Continued
Productivity increase – User
• Single, easy to learn self-service user interface
• Launch panel provides immediate access to authorized applications
• User can add new SSO applications, eliminating the need for passwords
• Biometrics or smart card can reduce the need for passwords
• Automated sign up: fast productivity for new employees
• Disconnected user identity with virtual tokens
• Easy PKI deployment
Benefit Analysis – Continued
Security benefits
• Centralization of the information security
• Consistent security policy throughout the enterprise
• Flexible security targets specific danger areas, such as external access or after hours, without complicating regular user access
• Strong multifactor user authentication
• Easy deployment of smart card/virtual token combination
Benefit Analysis – Continued
Architecture benefits
• Framework approach: expandable architecture via Cognizance SDK
• Add custom data sources, authentication methods, policies, and applications
• High performance authorization architecture does not require a fast connection between the Cognizance server and authorized applications
• Special case: user identity on a smart card does not require a connection to the Cognizance server
• Large enterprise scalability with a standard load balancer and multiple installations of the Cognizance server
• Can be used as part of managed services to provide security services to multiple enterprises