SafeNet Authentication Service (SAS)

Description: SAS presentation, Rob Buddingh'


SafeNet Authentication Service: Introducing Authentication “as-a-Service”

Rob Buddingh’

IP4SURE

© SafeNet Confidential and Proprietary 2

General

Working with web applications

Company/organisation perspective
With web applications we can let users do more themselves: employees, but also customers and suppliers. This saves costs, opens new markets and improves efficiency.

Security perspective
Web applications can each be secured well on their own. However, because users accumulate ever more logins, overall security declines: people reuse the same password or start writing passwords down in a diary.

User perspective
I am confronted with more and more web applications. On the one hand this is convenient because I can get at them anytime and anywhere, but it also means a growing number of passwords that I have to maintain.


Situation - Need

• Bring Your Own Device (BYOD)
• Working independently of time and place
• Flexibility
• Paying for output?
• Being a “good” employer


Situation - Need

• Security
  – If logging in once, or if the data is critical, allow access only with extra security
  – Pro-active monitoring of what happens
• Company/organisation
  – Eliminate separate logins for existing and new web applications
  – Short implementation times at acceptable cost
• End user
  – Preferably log in once (Single Sign-On)
  – Situation-independent: place, time, computing device

Are you really who you say you are?

Passwords are weak and insecure

Passwords and policy

Users and passwords

Solution

User: multi-factor login

Work with the web applications without having to use an extra password.

I have my own extra-secured token that gives me access to my web applications. Several token types are available; I chose the one that suits me best.

My token works on all my devices, and on every device I have access to the same web applications.

The computing devices I use

Web applications, non-web applications, networks


Which token suits my users?

• Hardware?
• “Tokenless”?
• “Apps” on a smartphone?
• SMS authentication?
• Or a combination?

User Directory Sources


BlackShield Cloud supports any user store

Simple Agent installed on any server
• No hardware required
• SQL, LDAP, AD, ODBC, Lotus, Novell
• Others via custom field mapping
• Secured using SSL links
• Read only / non-intrusive
• Multiple domains
• Full customisation
• Zero schema change

In addition, users can be bulk imported via .csv files created locally.

Diagram: LDAP Integration; the LDAP / Active Directory / User Source sits inside the Corporate Network.

Introduction: Protect Everything: Networks, Applications and Cloud Services


Diagram labels: Online Storage, Application Hosting, Private Cloud Services, Public Cloud Applications and Collaboration Tools (connected via SAML); Administrator (Tokens & Users); Corporate Network with LDAP / Active Directory and Private Networks (connected via Agent, RADIUS and API).

Introduction: Widest Choice of Tokens, including Tokenless & 3rd Party Authenticators for every user type – and an increasing focus on commoditisation

Authenticators that:
• Don’t expire
• Have seed keys that can be owned by the subscriber
• Can be easily re-assigned to new users
• Deploy easily, saving cost and time
• Can be included in the service charge

Multi-platform: H/W, SMS, BlackBerry, iOS, Android, Microsoft, Java, USB, Grid, Microsoft, OS X

Token policies and security

Ability to set token policies
• Pre-configured to best practice for optimal security
• Reconfigurable to match each customer’s policy
• Multiple options can be re-defined
  – PIN length and complexity
  – OTP length and complexity
  – Try attempts
  – Forced PIN change
• Portal shows details of EVERY individual token

Initialisation of tokens
• Software/SMS tokens initialised at point of deployment
• Hardware tokens can also be initialised

Security Policy Application
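The token policy options listed above (PIN length, OTP length, try attempts, forced PIN change) as a verifier would enforce them, written here as an added illustration in Python around RFC 4226 HOTP; it is not SafeNet's code, and the policy defaults, the `Token`/`TokenPolicy` names and the counter look-ahead window are assumptions.

```python
import hashlib, hmac, struct
from dataclasses import dataclass

@dataclass
class TokenPolicy:
    # Portal-configurable options named on the slide; the defaults are assumed
    pin_min_len: int = 4
    otp_digits: int = 6
    max_attempts: int = 3         # "try attempts" before the token locks
    force_pin_change: bool = True

@dataclass
class Token:
    seed: bytes                   # seed key, owned by the subscriber
    pin: str
    counter: int = 0              # event-based (HOTP) moving factor
    failures: int = 0
    locked: bool = False
    pin_change_due: bool = True   # set when the token is initialised

def hotp(seed: bytes, counter: int, digits: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def set_pin(token: Token, policy: TokenPolicy, new_pin: str) -> bool:
    # PIN length/complexity policy (numeric PIN assumed); clears the forced-change flag
    if len(new_pin) < policy.pin_min_len or not new_pin.isdigit():
        return False
    token.pin, token.pin_change_due = new_pin, False
    return True

def verify(token: Token, policy: TokenPolicy, pin: str, otp: str, window: int = 5) -> str:
    # Returns 'ok', 'pin_change_required', 'denied' or 'locked'
    if token.locked:
        return "locked"
    pin_good = hmac.compare_digest(pin.encode(), token.pin.encode())
    # Accept one of the next `window` counters so unused button presses do not desync the token
    match = next((c for c in range(token.counter, token.counter + window)
                  if hmac.compare_digest(hotp(token.seed, c, policy.otp_digits), otp)), None)
    if not pin_good or match is None:
        token.failures += 1
        if token.failures >= policy.max_attempts:
            token.locked = True
            return "locked"
        return "denied"
    token.counter, token.failures = match + 1, 0     # an accepted OTP can never be replayed
    if policy.force_pin_change and token.pin_change_due:
        return "pin_change_required"
    return "ok"
```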

Introduction: Automate everywhere

SafeNet Authentication Service automates everything, reducing management time, the main cost of a strong authentication solution


• User Synchronisation
• Security Policy Application
• Token Provisioning
• Self Enrolment
• SAML Service Registration
• Alerts
• Reporting

LDAP Changes

Automatic updates of LDAP changes


Diagram (User Synchronisation) labels: Users, User Changes, Directory Server, LDAP Agent, Groups, Access Device or Application, Policies & Rules, Self Enrollment, Authentication.

Multi-tier, Multi-tenant
• Support multiple companies, divisions, business units, LDAPs etc. on a single platform.
• Each appears as a distinct BlackShield server.

Service Provider

Multiple Business Unit entities, Groups & Containers


Main Company
• USA: R&D, Operations, Sales
• EMEA: R&D, Sales, Administration
• APAC: R&D, Operations

Gain power and flexibility to support
• Delegated administration and localization within business units or departments
• Local and centralized user directories
• Local and central authentication points: VPNs, applications and network devices
• Organizations lower in the hierarchy can inherit policies and settings
• Avoid multiple instances of authentication servers

Multi-tier / Multi-tenant management: Administration Portal, delegated management

Defining the management structure: Roles & Scope

A role decides “what an operator can do”

Hide, show, enable or disable tabs, modules and actions to form a role

The scope decides “who you can do it for”

Use organisations and containers to control the scope

Roles are defined per Organisation

Customization


Customize Everything
• User experiences
  – User messages such as enrolment, token related (SMS or software) alerts etc.
  – Log-on experience
  – Self service experience
• Administrator experience
  – Language
  – Alert messages
• Branding
• Infrastructure
  – SMS Gateways
  – Modems
• Reporting
• Security
  – Policy engine
  – OTP policy
• Administrator and operator Role Management

Branding


Brand Everything
• Branding of Portal
• Branding of Self-Service Portal
• Token branding options
• Customisation of SMS messages and emails
  – Default messages
  – SP text within message
  – Customer text within message
  – Customise deployment message
• Dedicated URLs
  – Portal
  – Self Enrollment
  – Self Service
• Branding of documentation

Customization and Branding

Reporting

Major additions to reporting
• Security Policy (11)
• Compliance (13)
• Billing (2)
• Inventory (9)

Fully automated delivery
• Output in html, csv, tab, xml
• Delivery via FTP, SFTP, SCP
• Restrict access by role

Simplify SAML registration

Users can automatically be added to multiple groups. Sign in to one service and during your session you are automatically signed in to all your services; sign out to leave all services.

SAML Service Registration

Diagram: the user logs in with UserID “Bill” and an OTP as the password; a SAML assertion is then issued for each registered service, each carrying that service’s identity for the user: bill@gmail.com, blaham@cryptocard.com, bill.
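The single-session behaviour described above (one OTP login, a separate assertion per registered service, sign-out ending all of them) as a small model in Python; this is an added illustration, not SafeNet's code, and the service names, the `IdentityProvider` class, the assertion fields and the session lifetime are assumptions, with the NameIDs taken from the slide.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed registrations: each service knows the same user by a different
# NameID, as in the slide (Bill -> bill@gmail.com, blaham@cryptocard.com, bill).
SERVICE_NAMEIDS = {
    "Bill": {"mail": "bill@gmail.com", "cryptocard": "blaham@cryptocard.com", "intranet": "bill"},
}

@dataclass
class IdpSession:
    user: str
    expires: float

class IdentityProvider:
    """Model of the identity-provider side: one session, one assertion per service."""
    def __init__(self, issuer: str, session_ttl: float = 8 * 3600):
        self.issuer, self.ttl = issuer, session_ttl
        self.sessions: Dict[str, IdpSession] = {}    # SessionIndex -> session

    def login(self, user: str, otp_verified: bool, now: float) -> Optional[str]:
        # A session exists only after the OTP check has passed
        if not otp_verified or user not in SERVICE_NAMEIDS:
            return None
        index = secrets.token_hex(16)
        self.sessions[index] = IdpSession(user, now + self.ttl)
        return index

    def assertion(self, index: str, service: str, now: float) -> Optional[dict]:
        # Any registered service can be entered during the session without a new login
        session = self.sessions.get(index)
        if session is None or now >= session.expires:
            return None
        name_id = SERVICE_NAMEIDS[session.user].get(service)
        if name_id is None:                 # user was never registered with this service
            return None
        return {"Issuer": self.issuer, "Audience": service, "NameID": name_id,
                "SessionIndex": index, "NotOnOrAfter": now + 300}

    def logout(self, index: str) -> bool:
        # Single logout: dropping the session ends access to every service at once
        return self.sessions.pop(index, None) is not None
```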

Migrating to your new service


Diagram: BEFORE, a RADIUS access device or RSA Agent (any 3rd-party agent) authenticates via RADIUS against RSA Authentication Manager with RADIUS (any 3rd-party authentication server). AFTER, the access device reaches SAS through SAS agents, RADIUS or SAML and can use any token type. Migration steps shown: “Add Auth. Manager as an Auth Node” and “Add SAS as a RADIUS Client”.

References

©CRYPTOCARD 2011 12

User Self-Service Portal


• Request a new, replacement or temporary token
• Create workflows for approving requests
• Allow users to customise their portal
• Provide language variants to match user needs
• Users can resolve common problems

Rolling out an iPhone token (MP)

• Select target
• Step 2: confirm email address for OTA; this email can be from any address and can be fully customised
• Download and install the app
• Click the link (from step 2) to load the seed file (key)
• User sets a PIN (optional)
• Secure login

Recommended