
  • Authentication As A Service

    Why will new cloud-based authentication solutions be adopted by about 50% of companies by 2017?

    Jason Hart, CISSP, CISM, VP Cloud Solutions

  • What a great world

  • Today's World

    Users and their workspaces: remote users, internal people, 3rd party access, branch offices, PDA users

    Cloud applications and SaaS apps

  • Virtual World With Virtual Back Doors

    Welcome to the Future

    Cloud Computing

    Virtual Environment

    With Virtual Security holes

    During the past 15 years we have learnt nothing

  • We have forgotten

    Confidentiality

    Integrity

    Availability

    Accountability

    Auditability

    We have not learnt a thing?

  • Welcome to the 3rd Age of Hacking

    1st Age: Servers: FTP, Telnet, Mail, Web.

    These were the things that consumed bytes from a bad guy

    The hack left a footprint

    2nd Age: Browsers: JavaScript, ActiveX, Java, image formats, DOMs

    These are the things that are getting locked down, slowly and incompletely

    3rd Age: Mobile devices: the simplest, and getting easier. Targeting a mobile device to obtain someone's password is the skeleton key to their life and your business

    Totally invisible, no trace

  • Password Attack

    Welcome to the Future of Hacking

    Attack channels: web, mail, open services

    Targeted attacks against users, business and/or premium resources

    Password attack is totally invisible to you

    Mobile devices are becoming an easy target for advanced persistent threats (APT)

  • During the Past 7 Days


  • Quoted from the report:

    "...So, it really comes as no surprise that authentication based attacks (guessing, cracking, or reusing valid credentials) factored into about four of every five breaches involving hacking in our 2012 dataset."

    "... 66% of the breaches in our 2013 report took months or even years to discover (62% months, 4% years)."

    Source: Verizon's annual Data Breach report

  • Protect Everything with SAS

    Diagram: SAS at the centre, reached through Tokens & Users, an Administrator, an Agent, RADIUS, API and SAML, protecting Online Storage, Application Hosting, Private Networks, Corporate Networks (each with its LDAP / Active Directory), Private Cloud Services, Public Cloud Applications and Collaboration Tools.

  • SafeNet Authentication:

    Provides the ability to rapidly scale and deploy authentication

    Simple, easy and low-cost, driving strong authentication into all markets

    The most powerful enterprise authentication server in the market

    Offers a multi-tenant, multi-tier authentication platform that allows an almost infinite number of virtual authentication servers for your business

  • More than Authentication

    Automate Service Delivery - features include a policy engine that can automatically provision, suspend or revoke tokens based on changes in the user repository

    Scheduled Automated Usage - Audit and Billing Reports

    Branding - You can brand everything - Self-service, enrolment and messaging services.

    Token Selection - The widest range of authentication token options

  • More than Authentication

    Security - Customers can define their own security controls and policies

    Multi Tenant - The only true Multi Tier platform in the world

    Multi Tier - manage centrally or fully devolve all administration

    Service Alerts - Full Automation of user and administrator alerts

    API - Detailed API sets for authentication and administration

    Open platform - Every enterprise is different; full customisation to meet your needs

  • Multi-tenant architecture

    Scales to thousands of business units; unlimited numbers of users per business unit

    Manage multiple business units from one centralised interface; supports multiple domains

    Secure: only view one level down; isolation & access control

    Delegated management for lower tiers; deliver enhanced service wrappers; great for multi-region networks

    Inherit capabilities to lower level: SMS / SMTP gateways, branding

    Multi-Tenant Multi-Tier Overview diagram: a Virtual Service Provider serving Subscriber A, Subscriber B, a Managed Subscriber and an Enterprise Subscriber (itself a Virtual Service Provider) that delegates to Region 1, Region 2 and Region 3.

  • Multi-tenant architecture

    Unlimited Domains; None Directory stores

    Localisation

    Automation: user fulfilment, provisioning, enrolment etc.

    User self healing

    Reports

    Secure: the ability to manage clients if rights are granted by the client

    Branding and region: adding of custom SMS gateways; everything can be fully branded

    Features: meets all markets' requirements

    Multi-Tenant Multi-Tier diagram: Your Enterprise with Division 1, Division 2, Division 3, Division 4, a Regional Office, Helpdesk and HR.

  • Flexibility and Customisation

    Language - by region or Admin

    Alert messages including language

    SMS Gateways - by region

    Branding - Even by region or business unit

    OTP policy - Even by region or user base

    User experiences

    Role Management

    Reporting

    Pretty much everything

    Even the service you would like to offer

  • Example Flexibility

    SAS offers full automation, including:

    Token provisioning

    Security rules definition engine: once created, rules are applied automatically

    Alerts

    SAML service registration

    Self enrolment

    Self service

    Reporting

    Diagram of the automation cycle: LDAP changes → auto update in SAS → auto-provision user → self-enrollment → reporting and alerts.

  • LDAP / Active Directory / User Source

    SafeNet supports any user store via a sync agent

    SQL, LDAP, AD, ODBC, Lotus, Novell, anything (via custom field mapping)

    No schema change

    Non intrusive / read only

    Multiple domains

    No hardware required

    Encrypted transmission of data

    Users can also be bulk imported via .csv files and / or created locally

    Diagram: User Directory Sources, each an LDAP / Active Directory / User Source on its own Corporate Network.

  • Unified Authentication Platform

    Diagram; surviving label: Custom

  • Widest Choice of Tokens

    Authenticators for every user type and an increasing focus on commoditisation

    Authenticators that:

    Don't expire

    Seed keys can be owned by the subscriber

    Can be easily re-assigned to new users

    Easy deployment saves cost and time

    A token can be included in the service charge

    Multi platform: H/W, SMS, BlackBerry, iOS, Android, Microsoft, Java, USB, Grid, Microsoft, OS X

  • Token Choice

    Choose the right token type for each user:

    Phone based

    Software

    Multiple hard tokens

    Tokenless, either SMS or Grid based

    Our Authenticators:

    Don't expire

    Can be included in the service charge

    Seed keys can be generated by the customer

    Can be re-assigned to new users

    Self enrollment options reduce administration

    OTP & PIN complexity defined by the customer

    Provides the lowest overall total cost of ownership

    Supporting 3rd party tokens enables an orderly and cost effective migration

  • Customizable

    Icons

    Colors

    Services

    Multi-language

    Request Token

    Approve, Issue, Ship workflow

    Self-service API (WSDL)

    Build into existing portals

    Self Service

  • User Aliases

    User has multiple IDs: 1 UserID + up to 2 aliases

    All can use the same token(s)

    Allows for different privileges with only 1 token

    Diagram labels: Standard User Applications, Router & Server Management, Finance Servers, Enterprise Resources; UserIDs Bill, SysAdmin and Billy.
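How one token can serve several aliases while each alias keeps its own privileges, as an added example that is not SafeNet's code: HOTP verification per RFC 4226 followed by an alias lookup. The seed, counter values and the alias-to-privilege table are constructed sample data, not taken from the deck.

```python
# Added example, not SafeNet's code: a user's aliases share one OTP token
# but each alias carries its own privilege set. The seed, counters and the
# alias-to-privilege table below are constructed sample data.
import hashlib
import hmac
import struct

# Constructed: one token seed per user; all of that user's IDs share it.
TOKEN_SEEDS = {"bill": b"constructed-seed-for-bill"}

# Constructed: alias -> (owning user, privileges granted when that alias is used).
ALIASES = {
    "Bill": ("bill", {"standard-user-apps"}),
    "SysAdmin": ("bill", {"router-mgmt", "server-mgmt"}),
    "Billy": ("bill", {"finance-servers", "enterprise-resources"}),
}


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def authenticate(user_id: str, otp: str, counter: int, window: int = 3):
    """Resolve the alias to its owning user, verify the OTP against that
    user's single token (allowing a small look-ahead window), and return the
    privileges of the alias that was used, or None if verification fails."""
    entry = ALIASES.get(user_id)
    if entry is None:
        return None
    owner, privileges = entry
    seed = TOKEN_SEEDS[owner]
    for c in range(counter, counter + window):
        if hmac.compare_digest(hotp(seed, c), otp):
            # A real server would now store c + 1 as the next expected counter
            # so the same OTP cannot be replayed under another alias.
            return frozenset(privileges)
    return None


if __name__ == "__main__":
    code = hotp(TOKEN_SEEDS["bill"], 5)  # what Bill's token would display
    for alias in ("Bill", "SysAdmin", "Billy", "Nobody"):
        print(alias, "->", authenticate(alias, code, 5))
```

The same six-digit code is accepted for Bill, SysAdmin and Billy, yet each login returns only that alias's privileges; an unknown ID or a code outside the counter window is rejected.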

  • Security

    Hardware HSM support

    All token seed records encrypted and protected by HSM

    All encryption/decryption executed internally by HSM

    Data center to data center failover

  • SAML Single Sign-on

    Authentication at one allowed SAML site gives access to all allowed sites

    Logoff at one allowed site, logged off at all allowed sites

    Diagram: the user (UserID: Bill, Password: OTP) authenticates once; SAML assertions carrying the user's identity ([email protected], bill) are presented to each allowed site.

  • SafeNet Authentication Architecture

    Diagram labels: SafeNet Authentication Service Data Center, Data Center, Administrator, Users, Tokens, Internet, SMS Gateway, Email via SMTP, SMS via HTTP(S) (Subscriber or SP selected), SMS message, Group, Subscriber, User Self-Service, LDAP Synch, Migration Solutions, Authent