Title: Secure Identity Management
2 Secure Identity Management
Solving the Password Problem
John Stewart, Kate Holden
3 Introduction to Signify
- John Stewart, CEO with 16 years Internet expertise
  - 1987: founded Unipalm/Pipex, the pioneers of the European Internet
  - 1992: founded ElectricMail, the UK's first Internet Security Integrator
- Experienced senior management team
  - Dave Abraham, CTO, 9 years creating Internet e-business systems
  - Paul Beesley, Sales Mgr, 11 years at Unipalm, Pipex, UUNet, Shopcreator
  - Richard Broad, non-exec VP Finance, FD of Kewill Systems plc
  - Steve Mann, non-exec VP Sales, ex board director Microsoft UK
- Signify established in Jan 2000
  - Deeply involved in ASP and Internet Data Centre revolutions
  - 100% focussed on Secure Identity Management
  - The Internet Authentication Service
4 The three Essentials for the e-Business Economy
- Security
  - Control who has access to sensitive resources
  - Manage your business risk
- Accountability
  - Hold people responsible for their on-line transactions
  - Non-repudiation
- Auditability
  - Prove your business history to your shareholders and auditors, the taxman and the courts
5 The five elements of e-Security
A comprehensive security strategy must encompass all five disciplines. If the identification process is flawed, the rest of the security infrastructure is worthless.
Diagram: The e-Security Puzzle (label recovered from the slide: Firewalls)
Signify is 100% focussed on Secure Identity Management
6 Whatever kind of project - assured identity is essential
Diagram: project types listed on the slide: Doc mgmt, Online banking, Apps, Web portal, Thin client, Web e-mail, Broker Extranet, VPN, Security, Firewall, MSP, Audit, RAS, Network mgmt, W2K rollout, Wireless LAN, Network, Single sign-on, Data Centre Hosting
7 Every user holds a key to your e-Security
- If your firewalls and VPNs create the walls and doors of your virtual office,
- your users' digital identities are the keys to your front door.
It only takes one user to be careless with their key . . . and you don't know who is going to walk in.
8 The e-Business Economy is being built upon a vulnerable and insecure foundation:
The Password
9 Passwords are a nightmare
- A hassle for users
  - with multiple passwords, always changing
- A headache for management
  - can never know if passwords have been stolen . . . until it's too late
  - Identity Theft is the fastest growing on-line crime (CSI/FBI 2001)
  - 65% of all helpdesk calls are password problems (Gartner, Sept 2000)
- A dream for the hacker
  - he knows he can break in
  - by shoulder surfing, social engineering, simple guesswork or by snooping, sniffing, hacking, cracking
10 People just don't care about their passwords
- Computer Weekly, April 12th 2002
- Interviewers at Victoria station asked 150 commuters about their office password . . .
- "Only one-third of those questioned refused to reveal passwords, and 64% had already told colleagues.
- 'I am the boss and everyone knows my password,' one company director told the interviewers . . .
- . . . to the dismay of his IT director, who said, 'I never divulge my password. It would give admin rights to the whole system.'"
11 The Top 10 Security Vulnerabilities
- Latest report from the leading security advisory orgs - SANS Institute, CERT and FBI
- Last updated Oct 10th 2001
Poor password practices move up the chart from 8th place to 2nd.
Find out more at www.sans.org/top20.htm
12 And the nice people at L0pht have made it dead easy to crack your company's passwords . . .
"No kidding, this is one bad tool. We ran L0phtCrack against a base of 5,000 users and it cracked passwords that had previously been uncrackable."
Major V. Glenn Schoonover, Chief, Network Security, Pentagon IT Services
13 Can your passwords take the heat?
- L0phtCrack was used to audit a large hi-tech company.
- The company operated a rigorous password policy
  - longer than 8 characters, with upper case, numeric & symbols
- L0phtCrack cracked 90% of the passwords in 48 hours
  - Running on a basic Pentium II laptop,
  - 18% of the passwords were cracked in under 10 minutes.
- The Administrator & most Domain Admin passwords were cracked
And once they are into your system as Admin, they can play God with your business.
14 L0phtCrack in action
L0phtCrack will find your most complex admin passwords within 48 hours or so
15 Passwords fail e-Business on all counts
- Security
  - Passwords can be easily stolen by hackers or competitors
  - Identity Theft is the fastest growing on-line crime
- Accountability
  - Passwords are not strong enough to legally tie a person to their on-line activities
- Auditability
  - Without individual accountability, the entire audit trail is worthless
Passwords only deliver Weak Authentication
16 What is Strong Authentication?
- The rigorous proof of your digital identity
- Must present two different factors or credentials
  - something you have
    - a token, smartcard or other unique physical device
  - plus
  - something you know
    - secret PIN number
- We use 2-factor strong authentication every day
  - Home security: key & alarm PIN
  - Bank ATM: cashcard & PIN
17 The Authentication Space
Diagram: applications plotted against the axes Security, Convenience/Utility and Cost, with a two factor authentication region marked
- Mission critical systems
  - Military grade access controls
- Commercial grade apps
  - Sensitive corporate systems
  - Remote staff access
  - Dealer extranets
  - High value transactions
  - Electronic contracts
- Basic authentication
  - consumer/e-shopping
  - low grade corporate info
- Anonymous Apps
  - Public services
  - Bulletin boards
Each application requires a different trade-off of cost vs. security vs. convenience
18 RSA SecurID is the market leader
- 9 year proven track record
- Over 11 million users worldwide
- 85% of Fortune 100 companies
- Growing at 1M users per quarter
- Simple, portable and ideal for securing e-business
- Delivered on various devices: keyfob, m-phone and PDAs
- but
  - Complex to implement and manage in-house
  - significant technical skills required
  - must develop logistics, support & management processes
19 The SecurID from Signify service in action
Diagram: The Signify Authentication Network, reached over the Internet; the passcode is made up of Secret PIN + Token code
1) User needs secure access to company e-mail
2) Gives Signify one-time passcode
3) Passcode sent to Signify service over encrypted link
4) Signify verifies user's passcode and responds
5) User's session accepted and logged
6) Manage user privileges and get 24 x 7 help at IMC
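The passcode exchange in steps 2 to 5, as an added example that is not part of the original deck and is not Signify's or RSA's software: the user combines a secret PIN (something you know) with a time-based token code (something you have), and the service checks both factors, tolerates one step of clock drift, refuses a code that has already been used, and records every decision. The token code is an HMAC-based construction assumed here for illustration; RSA SecurID's real algorithm is proprietary and is not reproduced. Seeds, PINs, user names, the 60-second step and the salt derivation are constructed values.

```python
"""Illustrative two-factor passcode verification (slide 19 flow).

Added example; not Signify's or RSA's code. The token code is an
HMAC-based time-windowed code assumed for illustration only.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

CODE_DIGITS = 6
STEP_SECONDS = 60   # assumption: the token shows a new code every minute


def token_code(seed: bytes, now: int) -> str:
    """Something-you-have factor: code derived from the device seed and the time step."""
    counter = now // STEP_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


@dataclass
class UserRecord:
    seed: bytes                 # shared with the token at fulfilment time
    pin_hash: bytes             # something-you-know factor, stored hashed
    salt: bytes
    used_steps: set = field(default_factory=set)   # replay protection


class AuthenticationService:
    """Server side of steps 3-5: verify PIN + token code, respond, log."""

    def __init__(self, drift_steps: int = 1) -> None:
        self.users: dict[str, UserRecord] = {}
        self.audit_log: list[str] = []
        self.drift_steps = drift_steps

    def enrol(self, user: str, seed: bytes, pin: str) -> None:
        # constructed salt for a reproducible demo; use os.urandom(16) in practice
        salt = hashlib.sha256(user.encode()).digest()[:16]
        self.users[user] = UserRecord(seed, self._hash_pin(pin, salt), salt)

    @staticmethod
    def _hash_pin(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def verify(self, user: str, passcode: str, now: int) -> bool:
        """Return True only when both factors check out and the code is fresh."""
        rec = self.users.get(user)
        if rec is None:
            self.audit_log.append(f"{now} {user} DENY unknown-user")
            return False
        pin, code = passcode[:-CODE_DIGITS], passcode[-CODE_DIGITS:]
        if not hmac.compare_digest(self._hash_pin(pin, rec.salt), rec.pin_hash):
            self.audit_log.append(f"{now} {user} DENY bad-pin")
            return False
        # accept the code for adjacent time steps to tolerate clock drift
        for step in range(-self.drift_steps, self.drift_steps + 1):
            candidate_time = now + step * STEP_SECONDS
            if hmac.compare_digest(code, token_code(rec.seed, candidate_time)):
                counter = candidate_time // STEP_SECONDS
                if counter in rec.used_steps:
                    self.audit_log.append(f"{now} {user} DENY replayed-code")
                    return False
                rec.used_steps.add(counter)
                self.audit_log.append(f"{now} {user} ACCEPT")
                return True
        self.audit_log.append(f"{now} {user} DENY bad-tokencode")
        return False


if __name__ == "__main__":
    svc = AuthenticationService()
    svc.enrol("alice", b"constructed-seed", "1234")       # constructed enrolment
    now = 1_000_000
    passcode = "1234" + token_code(b"constructed-seed", now)
    print(svc.verify("alice", passcode, now), svc.verify("alice", passcode, now + 5))
    print("\n".join(svc.audit_log))
```

Every outcome, including refusals, lands in the audit log, which is what gives the "accepted and logged" step its accountability value; the replay check is what stops a passcode that was observed in transit from being presented a second time within the drift window.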
20 Secure Identity Management
Isn't just about technology . . . it's a management process
21 Secure Identity Management
Diagram: Secure Identity Management combining strong authentication technology, management policy & processes, and user logistics & support
22 How does Signify deliver Secure Identity Management?
- As a managed on-line .NET service
  - integrated into your on-line apps & security systems
  - offering a range of authentication technologies
  - with secure management processes and procedures built-in
- Signify handles the technical & logistics burden
  - and delivers a service that is
    - easier for your end users to understand and use,
    - less demanding on your technical team,
    - more resilient, secure, accountable and auditable,
    - more flexible, scalable and future-proof,
    - costs less and can be deployed quicker
  - than any in-house authentication system
23 Signify One-time Passcode Solutions
- SMS Mobile Passcode
  - Extranets for
    - Partners & brokers
    - On-line quotes & orders
    - Clients
    - Subscription services
    - Virtual deal rooms
  - On-line banking
  - Web portals & ASPs
  - On-line collaboration, applications, etc
- SecurID
  - VPN & Remote Access
    - Secure access via all Firewall, VPN & RAS systems
  - Web-enabled applications
    - Web e-mail & all web apps
  - Thin Client Computing
    - Citrix & Windows Terminal Server
  - Remote Control & Management
    - PC Anywhere
    - NT/Unix systems login
Secure anywhere access from any Internet device
24 Signify SmartID solutions
PKI Smartcards & USB Smartkeys
- Signify Digital Signatures
  - Secure signing of
    - e-mail
    - e-documents & contracts
  - Ties your identity to data
  - Verifies authorship & accuracy of signed document
- Signify Smart Login
  - Secure, one-step PKI login to
    - Windows 2000 networks
    - VPNs (eg Checkpoint NG)
    - Any web application
  - Can be combined with PhotoID & building access (smartcard only)
Signify SmartID suits Intranet and multi-function applications
25 Signify Service Coverage
Diagram: Signify services plotted against the axes Security, Convenience/Utility and Cost, with a two factor authentication region marked
- Signify SmartID: PKI Smartcards or Smartkeys for secure authentication & digital signatures
- SecurID from Signify: Strong authentication for regular secure access
- Signify Password Control: brings rigorous Identity Management to standard password authentication
- Signify SMS Passcodes: One-time passcode to mobile phone for securing occasional access
26 Strong Authentication - find the solution to your application
Table of solutions (the solution name for each row was not recovered from the slide; each row pairs characteristics with the applications it suits):
- Use any PC, anywhere; robust; easy to use. Suits: remote access to RAS, VPN, Web portal or extranet
- No new device needed; needs reliable SMS; low cost. Suits: occasional remote access to Web portal, extranet or e-commerce site
- Slick network sign-on/off; digital signing of docs; need control of user PC. Suits: corporate SSO projects; VPN or web remote access; secure e-mail, e-contracts; Intranets not extranets
- Easy to clone - insecure; tied to single PC. Suits: low value e-shopping
- Always with you; variable cost/reliability; privacy & liberty issues. Suits: desktop sign-on; ultra high security needing 3 factor authentication
27 Integrated Identity Management
Identity management involves people all across the enterprise:
- HR: Personnel data & privileges
- Logistics: Shipping & token replacement
- Users
- Systems
- IT: Tech systems mgmt
- Helpdesk: End user support & training
- Finance: Billing, cost centre accounting
- Security & Risk Mgmt: Auditing, activity monitoring, threat assessment
28 In House System
Diagram: HR, Systems, Logistics, Users, IT, Helpdesk, Finance, Security & Risk Mgmt
An in-house ACE Server focuses all the work on the IT team
29 Signify Secure Identity Management
Diagram: HR, Systems, Logistics, Users, IMC, IT, Helpdesk, Finance, Security & Risk Mgmt
- Administrators in each department can manage their part of the service
- Users self-manage their personal data at the IMC
Signify Identity Management Centre lets you distribute the routine work and responsibility to users and their departments
30 Signify serves all your users
Diagram: HR, Systems, Logistics, Users, IMC, IT, Helpdesk, Finance, Security & Risk Mgmt
- IMC Fulfillment manages token delivery to end users
- IMC Helpdesk handles end user support
- Signify Training trains and supports your Administrators
31 IMC creates an identity management framework
- Defined policy & procedures
  - security officer defines organisation's security policy
  - appoints administrators to perform specific roles
- User set up, fulfillment & registration
  - accountable work flow manages the deployment processes
  - users register and manage their own personal details at the IMC
- Lifetime 24x7 hotline support
  - web-based helpdesk resolves end users' support problems
  - Reporting lost tokens, forgotten PINs, emergency access etc
- Every action on the IMC
  - is strongly authenticated, encrypted and audited
  - full user and administrator accountability
32 Key benefits of the Signify Service
- Simple per user service fee
  - lower TCO
- End user logistics managed
- Security policy defined by SO
- Web self-help
  - 24 x 7 support for users & admins
- Resilient & secure
  - service contract defines SLAs
- Not just SecurID
  - migration to future devices
- Low cost of entry
  - start small & grow as you need
- Fast deployment
  - operational within days
  - professional packaging & docs
- Zero technical overhead
  - no tech expert required
- Clear admin roles
  - easy to delegate and train
  - defined per organisation
Signify runs the infrastructure so you can concentrate on your core business
33 Reference clients
- 60 clients including
  - FTSE International
  - Amalgamated Metals Corp
  - Minster Trust
  - Eurotunnel
  - Kier Construction
  - Eversheds (Law)
  - Pannell Kerr Forster (Accountants)
  - Carlisle Group (Recruitment)
  - Theofinance (Financial service provider)
  - ITNET (Outsourcing partner)
  - Hertfordshire Careers Service
Our 100% service renewal record shows positive client satisfaction
34 Signify provides an integrated framework for Secure Identity Management
An end-to-end set of processes that are secure, efficient, accountable and auditable
35 Signify Service Matrix
36 SecurID from Signify - Service Options
37 What about the multi-token problem?
- If every company & service provider implements strong authentication themselves . . .
- Users will end up with a different token, smart card or other device for each service
Unacceptable
38 Secure sign-on for the entire Internet
The Signify Authentication Network
One Personal Token, One Secret PIN: Signify provides consistent, secure access to any on-line service
39 The Signify Authentication Service delivers Single, Secure Sign-on for the Internet
40 Secure Identity Management is simply
- the control and management of the entire life cycle of your users' digital identities
  - from sign-up, to daily use, to final revocation
- essential to establish an end-to-end process that is secure, efficient, accountable and auditable
41 Changes in the Marketplace
- New work patterns & corporate structures
  - Fewer large stable corporates, more small dynamic firms
- Companies outsourcing responsibility for management
  - IT, HR, Call Centre and Logistics operations
  - System owner must have power to control the operators
- People work for multiple organisations
  - Consultants, contractors, outsourcers
  - Have varying privileges on each employer's system
- Identities must be managed across organisational boundaries
  - Need complete separation of powers
  - User will need to own their digital identity, not their employer
42 The elements of an Authentication system
Diagram: Users, Authentication Nodes, Logistics & Support, Administrators, Technical, Authentication Servers
Traditionally all elements have been part of one organisation
43 The barriers between organisations are fading
Diagram: Outsourced HR, Client users, Managed Service Provider
How to co-ordinate access rights, logistics and support to all users and administrators?
44 Signify co-ordinates identity management between organisations
Diagram: Client Orgn, Outsourced HR, Managed Service Provider, Consultant
Allowing single secure sign-on across Internet services, with full accountability
45 Defined roles and responsibilities
- Role based administration
  - Allocate specific responsibilities to appropriate people
- Security Officer
  - defines security profile for the organisation
  - appoints & sets the authority levels for all administrators
- HR Administrators
  - orders Signify service for new end users
  - cancels end user privileges on authnodes
- Technical Administrators
  - manages operation and support of authnode devices
- Billing Administrators
  - manages invoices and payment issues
- One person can take on multiple roles and several people may be appointed to each role
46 New token fulfillment
Diagram: End User, Internet, Customer, and the Signify website
1) HR Administrator authenticates at Signify's website
2) Requests tokens to be sent to end users
3) Fulfillment Administrator dispatches token pack to user
4) Users automatically sent Welcome E-mail
5) User connects to Signify website to register and set PIN
6) Signify activates token & user ready to start working securely
7) User can access Signify's 24 x 7 web callcentre for help & support
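The fulfillment steps above, together with the role-based administration of slide 45 and the scoping rule that administrators only see users within their own organisation, as an added example that is not part of the deck and is not the IMC's own code: a small workflow engine that refuses a step unless the caller holds the right role and belongs to the same organisation as the user, refuses a step taken out of order (a PIN cannot be set before the token pack has been dispatched), and records every action and every refusal. Roles, states, organisation names, user names and the PIN rule are constructed for the illustration.

```python
"""Token fulfilment workflow with role-based administration (slides 45, 46, 49).

Added example, not Signify's IMC code. Roles, states, organisations,
users and the PIN rule are constructed for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum, auto


class Role(Enum):
    SECURITY_OFFICER = auto()
    HR_ADMIN = auto()
    FULFILLMENT_ADMIN = auto()
    END_USER = auto()


class TokenState(Enum):
    ORDERED = auto()      # step 2: HR administrator requests a token
    DISPATCHED = auto()   # step 3: fulfillment administrator sends the pack
    REGISTERED = auto()   # step 5: user registers and sets PIN
    ACTIVE = auto()       # step 6: service activates the token
    REVOKED = auto()      # HR administrator cancels the user's privileges


@dataclass
class Principal:
    name: str
    org: str
    roles: set = field(default_factory=set)


@dataclass
class TokenOrder:
    user: str
    state: TokenState = TokenState.ORDERED


class IdentityManagementCentre:
    def __init__(self) -> None:
        self.principals: dict[str, Principal] = {}
        self.orders: dict[str, TokenOrder] = {}
        self.audit: list[str] = []   # every action and every refusal is recorded

    def appoint(self, officer: str, admin: str, role: Role) -> None:
        """Only the security officer appoints administrators (slide 45)."""
        self._require(officer, Role.SECURITY_OFFICER)
        self._same_org(officer, admin).roles.add(role)
        self.audit.append(f"{officer} appointed {admin} as {role.name}")

    def order_token(self, hr_admin: str, user: str) -> TokenOrder:
        self._require(hr_admin, Role.HR_ADMIN)
        self._same_org(hr_admin, user)
        self.orders[user] = TokenOrder(user)
        self.audit.append(f"{hr_admin} ordered token for {user}")
        return self.orders[user]

    def dispatch_token(self, fulfillment_admin: str, user: str) -> TokenOrder:
        self._require(fulfillment_admin, Role.FULFILLMENT_ADMIN)
        self._same_org(fulfillment_admin, user)
        order = self._transition(user, TokenState.ORDERED, TokenState.DISPATCHED)
        self.audit.append(f"{fulfillment_admin} dispatched token pack to {user}")
        return order

    def register(self, user: str, pin: str) -> TokenOrder:
        """The user acts on their own record; the pack must have arrived first."""
        self._require(user, Role.END_USER)
        if len(pin) < 4 or not pin.isdigit():
            raise ValueError("PIN must be at least 4 digits")   # constructed rule
        order = self._transition(user, TokenState.DISPATCHED, TokenState.REGISTERED)
        self.audit.append(f"{user} registered and set PIN")
        return order

    def activate(self, user: str) -> TokenOrder:
        order = self._transition(user, TokenState.REGISTERED, TokenState.ACTIVE)
        self.audit.append(f"service activated token for {user}")
        return order

    def cancel(self, hr_admin: str, user: str) -> TokenOrder:
        self._require(hr_admin, Role.HR_ADMIN)
        self._same_org(hr_admin, user)
        self.orders[user].state = TokenState.REVOKED
        self.audit.append(f"{hr_admin} cancelled privileges of {user}")
        return self.orders[user]

    def _require(self, who: str, role: Role) -> None:
        if role not in self.principals[who].roles:
            self.audit.append(f"DENY {who} lacks role {role.name}")
            raise PermissionError(f"{who} lacks role {role.name}")

    def _same_org(self, admin: str, user: str) -> Principal:
        """Administrators only see users within their own organisation (slide 49)."""
        a, u = self.principals[admin], self.principals[user]
        if a.org != u.org:
            self.audit.append(f"DENY {admin} outside scope of {user}")
            raise PermissionError(f"{admin} may not manage {user} outside {a.org}")
        return u

    def _transition(self, user: str, expected: TokenState, new: TokenState) -> TokenOrder:
        order = self.orders[user]
        if order.state is not expected:
            raise RuntimeError(f"{user}: token is {order.state.name}, not {expected.name}")
        order.state = new
        return order


def build_demo() -> IdentityManagementCentre:
    """Constructed organisation: officer, two staff to appoint, one user, and an outsider."""
    imc = IdentityManagementCentre()
    for name, org, roles in [("so", "acme", {Role.SECURITY_OFFICER}), ("hr", "acme", set()),
                             ("ful", "acme", set()), ("alice", "acme", {Role.END_USER}),
                             ("mallory", "other", {Role.HR_ADMIN})]:
        imc.principals[name] = Principal(name, org, roles)
    imc.appoint("so", "hr", Role.HR_ADMIN)
    imc.appoint("so", "ful", Role.FULFILLMENT_ADMIN)
    return imc
```

Separation of duties falls out of the role checks (the person who orders a token is not the one who ships it), and the organisation check is what lets several customers share one infrastructure without one customer's administrator touching another's users.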
47 Signify Service Architecture
Signify's Modular and Extensible Authentication Infrastructure
48 Key issues with Identity Management
- Security
  - balance strength of authentication with sensitivity of information
- Accountability & auditability
  - you need to hold people accountable for their on-line actions
  - and an audit trail back to whoever authorised the user's access
- Manageability and support
  - reduce load on technical helpdesk and
  - allow non technical administrators to manage day to day issues
- Logistics
  - delivering devices, PINs and passwords verifiably to users
- User Satisfaction
  - happy users make for a secure system
49 Signify addresses the key Identity Management issues
- Security
  - Choice of authentication techniques
    - tokens, smartcards/keys, SMS phone or passwords
    - give each user the appropriate level of security clearance
  - Security profile and procedures enforced by IMC
    - Lost tokens & PINs, emergency access mode, notaries etc
    - Processes and procedures defined per organisation
  - Administrators only see users' information within their scope
- Accountability & auditability
  - Users given responsibility for keeping their credentials private
  - All admin operations on IMC create an audit trail
  - Logs give independent record of access to authnodes
50 Signify addresses the key Identity Management issues
- Manageability
  - IMC models complex relationships between users & orgs
    - manage multiple organisations on single infrastructure
    - maintains information required for lifetime support of user
  - Role based administration
    - devolve HR, billing, tech & logistics tasks to appropriate person
  - Every task driven through My Signify page
    - Easy allocation & revocation of devices, access rights etc
    - Simple to migrate users
51 Signify addresses the key Identity Management issues
- Logistics
  - Fulfilment module
    - manages delivery of devices, PINs & passwords verifiably to users
    - multiple pools of tokens for local fulfilment/replacement
    - easy selection of delivery medium: post, courier, by hand etc
- User support & satisfaction
  - End users self-help themselves at web helpdesk
  - Automated help scripts for support desk operators
    - step non-expert helpdesk operator through problem to resolution
  - Quality packaging, documentation and support
    - all elements can be co-branded
  - Happy users make for a secure system
52 A modular architecture for SIM
53 Signify Identity Management Centre
The IMC is the core of the Signify service
- Resilient, web-driven database engine
  - Managing complex relationships between all elements of Signify service
- Self-service information management
  - Users manage their personal data
  - Administrators manage their organisation's data
- IMC interfaces to a range of back-end authn servers
  - Allowing Signify to deliver a choice of authn services to user base
  - Automatically maintains and updates back-end servers
- Generates usage data for billing and customer services
54 IMC
Manages complex relationships between
- Users and their personal details
  - Postal addresses
  - E-mail addresses
  - Phone numbers
  - Secret questions and answers
- Users and their Signify devices
  - Keyfob, PDA, mobile phone, smartcard
  - Lifetime of device
- Users and their organisations
  - Users' login id on each customer system
- Signify, customer & partner orgns
  - Organisations' contact details
  - Relationships between partners & customers
  - Discounts & commissions earned by partner
- Customers & their authnodes
  - User login ids on each authnode
- Users & administrators
  - Access rights on each authnode
  - Special administrator privileges
- Activity logs
  - Of each user
  - On each authnode
- Generates billing information
58 A security system is only ever as strong as its weakest link
And that normally means its people!
59 Signify's unique added value
- IMC provides easy but secure management
  - Web based for user self-help and administrator management
  - Helpdesk scripts automated for your call centre
- End-to-end secure processes
  - Security officer sets organisation's security profile
  - User fulfillment, replacement all integrated and accountable
  - Emergency access can be offered securely
- Not just SecurID
  - Secure e-signatures with SmartID and SMS OTP
- Single sign-on to any Internet service
  - ID not restricted to any specific network or application
- Simple to buy and quick to deploy
  - Straightforward service contract
60 The Signify Partnership Scheme
61 Types of Signify Partners
- Service Provider Partners
  - MSPs, ISPs & ASPs,
  - hosting centres,
  - b2b exchanges
  - Deliver solution as an ongoing service to client
- Integration Partners
  - systems integrators,
  - web designers,
  - e-business consultants
  - Build solution then hand over to client to run
62 The Benefits to Signify's Integration Partners
- Offer your client a fully managed alternative
  - minimising the technical skills they need in-house
  - low risk, zero-hassle choice for client
- Affordable and immediate
  - even for small numbers of users
  - deliver enhanced security within days not months
- Easy to integrate Signify security into your solution
  - at network, web or application layer
  - offer a choice of authentication devices and technologies
  - you don't have to be authentication experts
- Generate healthy margin with minimal hassle
63 The Benefits for Service Provider Partners
- Turn the SIM headache into a business opportunity
  - Offer a premium secure version of your service
  - Gives tangible security and confidence to end user
  - Let your salespeople lead on security, not be on the defensive
  - IMC, tokens, packaging & docs can all be co-branded
- Delegate tasks & responsibility back to your clients
  - Let them manage their user base, and be accountable for it
  - Lower your business risks and administrative overheads
- Turn an in-house overhead into a profit centre
  - Eliminate major cost overheads and risk
  - Aggregate all your users to achieve high volume discounts
64 Signify's Commitment to our Partners
- We will help you sell security to more of your clients
- We only do identification & authentication
  - No managed firewalls, VPNs or any application services
  - So we won't encroach into your core business
- We solve just one part of the puzzle
  - You deliver the complete solution to your clients
  - We will always defer to our channel partner
We help you make money by solving the password problem for your clients
65 Any questions?
www.signify.net
john.stewart_at_signify.net, 01223 472572