Safenet Authentication Service, SAS

SAS presentation, Rob Buddingh'

Page 1: Safenet Authentication Service, SAS

SafeNet Authentication Service Introducing Authentication “as-a-Service”

Rob Buddingh’

IP4SURE

Page 2: Safenet Authentication Service, SAS

© SafeNet Confidential and Proprietary 2

General

Working with web applications

Business/organisation perspective

With web applications we can let users do more for themselves: employees, but also customers and suppliers. This saves costs, opens new markets and improves efficiency.

Security perspective

Web applications can each be secured well individually. However, because the user gets more and more logins, overall security decreases: people choose the same password or write passwords down in their diary.

User perspective

I am confronted with more and more web applications. On the one hand this is convenient because I can get to them anytime and anywhere, but it also means a growing number of passwords that I have to maintain.

Page 3: Safenet Authentication Service, SAS

Situation - Need

Bring Your Own Device (BYOD)

Working independent of time / place

Flexibility

Accountability based on output?

Being a “good” employer

Page 4: Safenet Authentication Service, SAS

Situation - Need

• Security
– If logging in once, or if data is critical, then allow only with extra security
– Proactive monitoring of what is happening

• Business / organisation
– Eliminate separate log-ons for existing and new web applications
– Short implementation times at acceptable cost

• End user
– Preferably log in once (Single Sign On)
– Situation-independent: place, time, computer device

Page 5: Safenet Authentication Service, SAS

Are you really who you say you are?

Page 6: Safenet Authentication Service, SAS

Are you really who you say you are?

Page 7: Safenet Authentication Service, SAS

Passwords are weak and insecure

Page 8: Safenet Authentication Service, SAS

Passwords and policy

Page 9: Safenet Authentication Service, SAS

Passwords and policy

Page 10: Safenet Authentication Service, SAS

Users and passwords

Page 11: Safenet Authentication Service, SAS

Users and passwords

Page 12: Safenet Authentication Service, SAS

Solution

User

Multi-factor login

Work with the web applications without having to use an extra password

I have my own extra-secured token that gives me access to my web applications. Several tokens are possible; I have chosen the one that suits me best.

My token works on all devices and I have access to the same web applications on all devices

Computer devices that I use

Web and non-web applications, networks

Page 13: Safenet Authentication Service, SAS

Which token suits my users?

Hardware?

“Tokenless”?

“Apps” on a smartphone?

SMS authentication?

Or a combination?

Page 14: Safenet Authentication Service, SAS
Page 15: Safenet Authentication Service, SAS
Page 16: Safenet Authentication Service, SAS

User Directory Sources

BlackShield Cloud supports any user store

Simple Agent installed on any server
• No hardware required

SQL, LDAP, AD, ODBC, Lotus, Novell
• Others via custom field mapping

• Secured using SSL links
• Read only / non-intrusive
• Multiple domains
• Full customisation
• Zero schema change

In addition, users can be:
• bulk imported via .csv files
• created locally

[Diagram: LDAP integration, with users, corporate networks and LDAP / Active Directory / user sources]

Page 17: Safenet Authentication Service, SAS

Introduction: Protect Everything: Networks, Applications and Cloud Services

[Diagram labels: Online Storage; Application Hosting; SAML; Tokens & Users; Administrator; Agent; RADIUS; API; Private Networks; Corporate Network; LDAP / Active Directory; Private Cloud Services; Public Cloud Applications; Collaboration Tools]

Page 18: Safenet Authentication Service, SAS

Introduction: Widest Choice of Tokens, including Tokenless & 3rd Party Authenticators for every user type – and an increasing focus on commoditisation

Authenticators that:
• Don’t expire
• Seed keys can be owned by the subscriber
• Can be easily re-assigned to new users
• Easy deployment saves cost and time
• A token can be included in the service charge

[Token platforms shown: H/W, SMS, BlackBerry, iOS, Android, Microsoft, Java, Multi Platform, USB, Grid, Microsoft, OSx]

Page 19: Safenet Authentication Service, SAS

Token policies and security

Ability to set token policies
• Pre-configured to best practice for optimal security
• Reconfigurable to match each customer’s policy
• Multiple options can be re-defined
– PIN length and complexity
– OTP length and complexity
– Try attempts
– Forced PIN change
• Portal shows details of EVERY individual token

Initialisation of tokens
• Software/SMS tokens initialised at point of deployment
• Hardware tokens can also be initialised

Security Policy Application

Page 20: Safenet Authentication Service, SAS

Introduction: Automate everywhere

SafeNet Authentication Service automates everything, reducing management time, the main cost of a strong authentication solution

User Synchronisation

Security Policy Application

Token Provisioning

Self Enrolment

SAML Service Registration

Alerts

Reporting

Page 21: Safenet Authentication Service, SAS

LDAP Changes

Automatic updates of LDAP changes

User Synchronisation

[Diagram labels: Users; User Changes; Directory Server; LDAP Agent; Groups; Access Device or Application; Policies & Rules; Self Enrollment; Authentication]

Page 22: Safenet Authentication Service, SAS

Multi-tier, Multi-tenant
• Support multiple companies, divisions, business units, LDAPs etc. on a single platform.
• Each appears as a distinct BlackShield server.

Service Provider

Page 23: Safenet Authentication Service, SAS

Multiple Business Unit entities, Groups & Containers

Main Company
• USA: R&D, Operations, Sales
• EMEA: R&D, Sales, Administration
• APAC: R&D, Operations

Gain power and flexibility to support
• Delegated administration and localization within business units or departments
• Local and centralized user directories
• Local and central authentication points: VPNs, applications and network devices
• Organizations lower in the hierarchy can inherit policies and settings
• Avoid multiple instances of authentication servers

Page 24: Safenet Authentication Service, SAS

Multi-tier / Multi-tenant management Administration Portal

Delegated management

Page 25: Safenet Authentication Service, SAS

Defining the management structure Roles & Scope

A role decides “what an operator can do”

Hide, show, enable or disable tabs, modules and actions to form a role

The scope decides “who you can do it for”

Use organisations and containers to control the scope

Roles are defined per Organisation

Page 26: Safenet Authentication Service, SAS

Customization

Customize Everything
• User experiences
– User messages such as enrolment, token related (SMS or software) alerts etc
– Log-on experience
– Self service experience
• Administrator experience
– Language
– Alert messages
• Branding
• Infrastructure
– SMS Gateways
– Modems
• Reporting
• Security
– Policy engine
– OTP policy
• Administrator and operator Role Management

Page 27: Safenet Authentication Service, SAS

Branding

Brand Everything
• Branding of Portal
• Branding of Self-Service Portal
• Token branding options
• Customisation of SMS messages and emails
– Default messages
– SP text within message
– Customer text within message
– Customise deployment message
• Dedicated URLs
– Portal
– Self Enrollment
– Self Service
• Branding of documentation

Page 28: Safenet Authentication Service, SAS

D Customization and Branding

Page 29: Safenet Authentication Service, SAS

Reporting

Major additions to reporting
• Security Policy (11)
• Compliance (13)
• Billing (2)
• Inventory (9)

Fully automated delivery
• Output in html, csv, tab, xml
• Delivery via FTP, SFTP, SCP
• Restrict access by role

Page 30: Safenet Authentication Service, SAS

Simplify SAML registration

• Users can automatically be added to multiple groups
• Sign-in to one service and during your session you are automatically signed in to all your services
• Sign-out to leave all services

SAML Service Registration

UserID: Bill

Password: “OTP”

SAML [email protected]

SAML [email protected]

SAML Assertion bill

Page 31: Safenet Authentication Service, SAS

Migrating to your new service

SAS-Agents

RADIUS

SAML

RADIUS Access device or RSA Agent (any 3rd party agent)

RSA Authentication Manager w/RADIUS

(any 3rd party auth. Server)

RADIUS

Add Auth. Manager as an Auth Node

Add SAS as a RADIUS Client

BEFORE

Use any token type

AFTER

Page 32: Safenet Authentication Service, SAS

References

©CRYPTOCARD 2011 12

Page 33: Safenet Authentication Service, SAS
Page 34: Safenet Authentication Service, SAS

User Self-Service Portal

Request a new, replacement or temporary token

Create workflows for approving requests

Allow users to customise their portal

Provide language variants to match user needs

Users can resolve common problems

Page 35: Safenet Authentication Service, SAS

Rolling out an iPhone token (MP)

Page 36: Safenet Authentication Service, SAS

This email can be from any address and can be fully customised

Page 37: Safenet Authentication Service, SAS

Select target

Page 38: Safenet Authentication Service, SAS

Step 2 Confirm email address for OTA

Page 39: Safenet Authentication Service, SAS
Page 40: Safenet Authentication Service, SAS

Download and install App

Page 41: Safenet Authentication Service, SAS
Page 42: Safenet Authentication Service, SAS

Click link (step 2) to load seed file (key)

Page 43: Safenet Authentication Service, SAS

User sets PIN (optional)

Page 44: Safenet Authentication Service, SAS

Secure login

Page 45: Safenet Authentication Service, SAS