
Authentication and Authorisation
Baltimore Technologies (UK) Ltd

Charles Pierson, Director of Government Business

Introducing Baltimore

E-security products, solutions and professional services
25 years security industry experience
UK company of c. 350 staff
Established blue-chip customer base
– Government
– Financial Institutions
Worldwide reach – Europe, Asia Pacific, US
Leading influencer of security standards

Baltimore Products and Services

PKI Digital Certificate Management System – UniCERT
Access Control solutions – XML and LDAP based authorisation product – SelectAccess
Integrated security solutions – Trusted Business Suite
Developer toolkits for easy PKI enabling of applications
Professional Services and consultancy on all aspects of e-security design and implementation
KeySteps PKI Structured Methodology
Global 24*7*365 Support

The Emerging Connected Digital World

New challenges in securing on-line transactions…

Multi-channel, web-enabled applications & communications

Increasing mobility of people, devices and applications

Web Services connecting users to application services

Federated Identity Management

Security Challenges

Establishing identity – Authentication
Providing access to entitled resources – Authorization
Conducting e-business with integrity – Digital Signatures

Security Management Challenges

Provisioning Identity and Entitlements
Managing Identity and Entitlements
Enforcing Identity and Entitlements

Authentication, Authorisation, Digital Signature Technology

Identity Proved
Authorization Granted
Transaction Signed

Any Device, any Platform, any Network

Core Products

SelectAccess - Authorisation Management System

Provision, manage and enforce entitlements
Easy to use management features, unique GUI
Web-based single sign on for intranets, extranets and portals
Role-based access control with delegated administration
Performance-based scalability, architected for the Internet and web services

UniCERT - Digital Certificate Management

Provision and manage digital certificates
Enable digital signatures and strong authentication
Protect the privacy and integrity of data
Carrier-grade performance, scalability and flexibility

STRONG & CONSISTENT POLICY MANAGEMENT

Authentication and Digital Signing

Digital Certificates

A Digital Certificate provides proof of identity
– A Certificate Authority is the trusted third party that certifies the authenticity of users
– It does this by creating a digital certificate which binds the user’s identity to their public key
– User is required to present the certificate to prove identity (authentication)
– Proof of identity can then be used to determine access rights (authorisation)

A Certificate is the equivalent of a Digital Passport

Digital Certificates v PINs / Passwords

There are many ways to provide security… Digital Certificates are the only way to provide persistent trust

Password Systems
– Well established methodology
– Easy to “crack” or too difficult to remember
– Do not provide full strength authentication

Digital Certificates
– A tamper-proof ID
– Provides highly secure and robust authentication
– Often deployed with two-factor authentication tokens
– Reusable across multiple applications / SSO
– Necessary for ‘trusted’ transactions

Digital Signatures

The sender’s credentials are used to create a digital signature which can be attached to a transaction, message or document and used to authenticate the sender as well as proving the integrity of the received data

Digital signatures enable
– Authentication: an entity is as claimed
– Data integrity: data has not been changed
– Non-repudiation: the signing party (or parties) cannot deny involvement in the transaction at a later date
– Authorisation: entitlement to access a resource (using signed policies & signed authentication data)
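The certificate and signature flow described in the two slides above (a Certificate Authority binding an identity to a public key, then a signed transaction that authenticates the sender and proves the data was not changed), as an added Go example that is not part of the original deck and is not Baltimore's UniCERT code. The Issue, Sign and Verify functions, the CA and user names and the transaction text are all constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Issue generates a key pair for name and returns an X.509 certificate binding that
// identity to the new public key: a self-signed root when ca is nil (the trusted third
// party), otherwise signed by the CA's key. Constructed for this example, not UniCERT.
func Issue(name string, ca *x509.Certificate, caKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature, // a user key signs transactions only
	}
	if ca == nil { // root: it is its own parent and signs itself
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
		ca, caKey = tmpl, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}
// Sign attaches the holder's signature to a transaction, message or document.
func Sign(priv ed25519.PrivateKey, tx []byte) []byte { return ed25519.Sign(priv, tx) }
// Verify authenticates the signer via the trusted root, then checks sig over tx (integrity).
func Verify(root, cert *x509.Certificate, tx, sig []byte) (string, bool) {
	if cert.CheckSignatureFrom(root) != nil {
		return "", false // not certified by our trusted third party
	}
	if pub, ok := cert.PublicKey.(ed25519.PublicKey); !ok || !ed25519.Verify(pub, tx, sig) {
		return "", false // forged signature, or data altered after signing
	}
	return cert.Subject.CommonName, true
}
```

A receiver that only trusts its own root rejects both an altered transaction and a certificate issued by some other CA, which is the "persistent trust" the deck contrasts with passwords.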

Digital Signatures in Business

Digital Signatures help resolve
– Lack of trust
– Manipulation of data
– Repudiation of a transaction
– Fraud
– Legal standing on electronic transaction
– Chain of ownership and change management
– Lack of an on-line trusted approval mechanism

Authorisation

The Need for Authorisation

Enterprises face increased demand to make resources (data, applications, web sites) available to both internal and external users

Different users need to have access to different information and applications

Business managers determine user privileges and which data and applications users are entitled to
– Payables clerk doesn’t get rights to generate invoices
– Marketing can’t change salary information – only HR

Privileges enforced by users signing on to access resources
Access controlled at the application level – on a server by server, application by application basis

Whose problem is it?

End Users
– Multiple logons and lost passwords
– Lost productivity & frustrated users

Business Manager
– Reliance on IT to add/change user rights
– Time consuming & error prone

IT Help Desk Manager
– 40%-60% of calls password related

IT Administrator
– Increasing users and resources to secure
– No economies of scale & a growing backlog of requests

IT Security Manager
– Leaves gaps in security
– Servers and application control lists out of sync
– Lags between business requests and changes

How SelectAccess Solves the Problems

End users – SSO eliminates multiple IDs and passwords to web based info and transactions

Business Manager – Reduces reliance on IT to manage user profiles and access

IT Help Desk Manager – Significantly reduces calls related to lost passwords and resets

IT Administrator – Provides a unified centralized means to maintain privilege rights across servers and applications, with delegation for economies of scale

IT Security Manager – Provides real time security, uniformly updates servers and applications; allows businesses to make real time changes

SelectAccess Architecture Summary

Components shown in the architecture diagram:
Validator
SAML Server
Secure Audit Server
Enforcer Plug-In
Admin Server
Directory Server
Web Server / Portal
Java App Server / Application

Trusted Business Suite – Integrated Security Solutions

Baltimore’s Solutions Strategy

Create solutions
– That offer “out-of-the-box” functionality
– Packaged and priced to meet clear departmental business needs
– Based on UniCERT and SelectAccess functionality
– Fully tested, KeySteps Blueprinted and globally supported
– Designed to offer a highly functional & responsive but invisible PKI

Baltimore Solutions

A suite of high trust business applications, designed to remove the complexity and cost of public key infrastructure

Built upon core authentication and authorisation technology, the solution modules work out of the box to deliver immediate business benefit.

Two Solution Suites:
– Trusted Business Suite
– Trusted Portal Suite

Trusted Business Suite

A comprehensive suite of high-trust solutions that:
– Meet business security needs without the cost of implementing large & complex security infrastructures
– Tightly integrated with business applications
– Open new markets for Baltimore’s products and technology

A Solution Suite comprising 3 application areas:
– Trusted Workplace
– Trusted Networks
– Trusted Messaging

Trusted Business Suite (architecture diagram)

Baltimore Applied Solutions Engine – User Provisioning & Certificate Server
Trusted Network – Trusted VPN, Trusted Web (SSL Class III)
Trusted Messaging – Trusted E-Mail, Trusted Web-Mail
Trusted Workplace – Trusted Documents, Trusted Forms, Trusted Collaboration
Trusted Portal Suite – Trusted Oracle Portal, Trusted Web Authorisation
Users connected over WEB, VLAN and WLAN – Remote / Mobile Users, Customers, Suppliers, Partners, Internal Users
Functions shown – 1) User Authentication, 2) Non-repudiation, 3) User Security Management

Business Solution Architecture Key Differentiators

All Baltimore Solution Modules have been designed to feature:
– The use of existing or bulk loaded user data – to simplify user registration
– Simple installation for both an administrator and end users
– An automated process to invite authorised users to enrol – for each solution
– A registration page to guide users through enrolment: the managed download of any client side code; on-line key generation and certificate request processing
– A single management interface for managing users & solutions: to set and manage all solution policy controls, with controlled delegation; to manage users, their registration data, groups, roles and digital credentials
– Multiple solution credentials within a single credential store: enterprise SSO, third party SSO with strong authentication & authorisation; a choice of smartcard, token, soft-token or roaming & mobile/wireless
– Ease of solution expansion, ease of adding new solution modules
– A minimum requirement for security management overheads

Smart Cards

The move towards “user-centric” computing and the expectations of “anytime / anywhere” access means portability of security credentials is a growing demand

Smart cards are a good fit, being:
– Secure environments for credential storage (cryptographic keys and digital certificates)
– Familiar formats
– Able to carry additional information (photo / logo)

Baltimore has undertaken interoperability testing with many major smart card vendors

EU Smart Card Initiatives

Austria – Citizen Card with certificates, c. 2003
Belgium – National Electronic ID Card, c. 2003
Finland – National Electronic ID Card, rolling out
France – Multi application card being studied
Germany – Multifunction card being studied
Ireland – Pilots planned in 2003 for public service cards
Italy – National EID card and Regional projects underway
Netherlands – Plans for National Electronic ID card with certificates
Norway – Planning stages
Spain – Government internal use for civil servants, National ID card planned
Sweden – Multipurpose ID card with credentials, operational

Italian National ID Card System

Challenge to leverage the National Identity Card to access Web-based ‘e-government’ services

System based on standard issuance of national ID cards
– new cards also have certificates
– workflow exactly the same as before – municipality to police authorities to Ministry of the Interior
– card printed with photograph and issued to citizen at the municipal office

UniCERT enables flexible architecture and registration processes, all in full compliance with EU and Italian digital signature legislation
– Architecture involves 3 subordinate CAs to national root CA – 2 for citizens, 1 for local operators
– 100,000 certificates issued to date

Partners include Getronics, Bull and Siemens

Regione Lombardia

Regional Government of Lombardia, Italy – 9 million citizens in the region
Using UniCERT to strengthen the authentication, integrity, confidentiality and non-repudiation of e-healthcare services
Issuing a health card with digital certificate to all citizens, used to securely access public healthcare services; system based around smartcards
– 300,000 issued so far
– focus on citizens and local Government staff
Partnered with Ericsson, Elsag and Context System

Summary

Baltimore Technologies provides solutions to enable e-business to be conducted in a secure, trusted manner

The solutions are built around Authentication, Authorisation and Digital Signing

Smart cards are a natural part of the solution to provide secure and portable credential stores to support authentication and digital signing

Many EU Governments are planning roll-outs of smart cards at national or regional levels