Posted 03-May-2018
Authentication As A Service
Why will new cloud-based authentication solutions be adopted by about 50% of companies by 2017?
Jason Hart, CISSP, CISM, VP Cloud Solutions
What a great world
Remote users, internal people, 3rd party access, branch offices, PDA users
Users and their workspaces
Today's World
Cloud Applications / SaaS Apps
Virtual World With Virtual Back Doors
Welcome to the Future
Cloud Computing
Virtual Environment
With Virtual Security holes
During the past 15 years we have learnt nothing
We have forgotten
Confidentiality
Integrity
Availability
Accountability
Auditability
Have we not learnt a thing?
Welcome to the 3rd Age of Hacking
1st Age: Servers
FTP, Telnet, Mail, Web.
These were the things that consumed bytes from a bad guy.
The hack left a footprint.
2nd Age: Browsers: Javascript, ActiveX, Java, Image Formats, DOMs
These are the things that are getting locked down
Slowly
Incompletely
3rd Age: Mobile devices: the simplest target, and getting easier. Targeting a mobile device to obtain someone's password gives the skeleton key to their life and to your business.
Totally invisible, no trace.
Password Attack
Welcome to the Future of Hacking
Attack channels: web, mail, open services
Targeted attacks against users, business and/or premium resources
Password attack is totally invisible to you
Mobile devices are becoming an easy target for
Advanced persistent threats (APT)
During the Past 7 Days
Quoted from the report:
"... So, it really comes as no surprise that authentication based attacks (guessing, cracking, or reusing valid credentials) factored into about four of every five breaches involving hacking in our 2012 dataset."
"... 66% of the breaches in our 2013 report took months or even years to discover (62% months, 4% years)."
Verizon's annual Data Breach
Protect Everything with SAS
[Diagram: the SafeNet Authentication Service (administrator, tokens & users) reached through SAML, RADIUS, an agent and an API; it protects online storage, application hosting, private networks, corporate networks (LDAP / Active Directory), private cloud services, public cloud applications and collaboration tools.]
SafeNet Authentication:
Provides the ability to rapidly scale and deploy authentication
Simple, easy and low-cost, driving strong authentication into all markets
The most powerful enterprise authentication server in the market
Offers a multi-tenant, multi-tier authentication platform that allows an almost infinite number of virtual authentication servers for your business
More than Authentication
Automate Service Delivery - features include a policy engine that can automatically provision, suspend or revoke tokens based on changes in the user repository
Scheduled Automated Usage - Audit and Billing Reports
Branding - You can brand everything - Self-service, enrolment and messaging services.
Token Selection - The widest range of authentication token options
More than Authentication (continued)
Security - Customers can define their own security controls and policies
Multi Tenant - The only true Multi Tier platform in the world
Multi Tier - manage centrally or fully devolve all administration
Service Alerts - Full Automation of user and administrator alerts
API - Detailed API sets for authentication and administration
Open platform - Every enterprise is different; full customisation to meet your needs
Multi-tenant architecture - Scales to thousands of business units; unlimited numbers of users per business unit; manage multiple business units from one centralised interface; supports multiple domains
Secure - Only view one level down; isolation and access control
Delegated management for lower tiers - Deliver enhanced service wrappers; great for multi-region networks; lower levels inherit capabilities (SMS / SMTP gateways, branding)
Multi-Tenant Multi-Tier Overview
[Diagram: a Virtual Service Provider above Subscriber A, Subscriber B, a Managed Subscriber and an Enterprise Subscriber (itself a Virtual Service Provider) with delegated administration for Region 1, Region 2 and Region 3.]
Multi-tenant architecture - Unlimited domains; directory stores or none; localisation
Automation - User fulfilment (provisioning, enrolment etc.); user self-healing; reports
Secure - The ability to manage clients if rights are granted by the client
Branding and region - Adding of custom SMS gateways; everything can be fully branded
Features - Meets all market requirements
[Diagram: Your Enterprise as a multi-tenant, multi-tier deployment covering Division 1 to Division 4, a Regional Office, Helpdesk and HR.]
Flexibility and Customisation
Language - by region or Admin
Alert messages including language
SMS Gateways - by region
Branding - Even by region or business unit
OTP policy - Even by region or user base
User experiences
Role Management
Reporting
Pretty much everything
Even the service you would like to offer
Example Flexibility
SAS offers full automation, including:
Token provisioning
Security rules definition engine - once created, rules are applied automatically
Alerts
SAML service registration
Self enrolment
Self service
Reporting
[Diagram: LDAP changes -> auto update in SAS -> auto-provision user -> self-enrollment -> reporting and alerts, fed from the LDAP / Active Directory / user source on the corporate network.]
SafeNet supports any user store via a sync agent
SQL, LDAP, AD, ODBC, Lotus, Novell, anything (via custom field mapping)
No schema change
Non-intrusive / read-only
Multiple domains
No hardware required
Encrypted transmission of data
Users can also be bulk imported via .csv files and / or created locally
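The automation loop on the earlier slide (a change in the user store leads to an auto update, then tokens are provisioned, suspended or revoked) and the read-only, field-mapped sync agent described here can be shown together. The following Python is an added example written for this page, not SafeNet's agent or policy engine: the field maps, group names, token types and directory records are constructed, and the agent only reads records, never writing back to the user store.

```python
"""Added example: a read-only directory sync agent whose snapshot diff drives a
token-provisioning policy engine. Illustrative code for this page, not SafeNet's
agent; field maps, group names, token types and records are constructed."""
from dataclasses import dataclass

# Custom field mapping: canonical attribute -> attribute name in each user store.
# Two constructed sources: an LDAP/AD-style one and a SQL-style one.
FIELD_MAPS = {
    "ldap": {"user_id": "sAMAccountName", "email": "mail",
             "groups": "memberOf", "enabled": "enabled"},
    "sql": {"user_id": "username", "email": "email_addr",
            "groups": "roles", "enabled": "is_active"},
}

# Policy rules (constructed): the first matching group decides the token type.
TOKEN_POLICY = [("cn=admins,ou=groups", "hardware"),
                ("cn=staff,ou=groups", "mobile_otp")]


@dataclass(frozen=True)
class User:
    user_id: str
    email: str
    groups: frozenset
    enabled: bool


def normalise(source, record):
    """Map one raw record into the canonical User without touching the store."""
    m = FIELD_MAPS[source]
    return User(user_id=record[m["user_id"]].lower(),
                email=record[m["email"]],
                groups=frozenset(record.get(m["groups"], ())),
                enabled=bool(record[m["enabled"]]))


def snapshot(sources):
    """Read-only snapshot {user_id: User} across several (source, records) pairs."""
    users = {}
    for source, records in sources:
        for record in records:
            user = normalise(source, record)
            users[user.user_id] = user
    return users


def token_type_for(user):
    if user is None or not user.enabled:
        return None
    for group, token_type in TOKEN_POLICY:
        if group in user.groups:
            return token_type
    return None


def plan_actions(previous, current):
    """Diff two snapshots and return (action, user_id, token_type) tuples."""
    actions = []
    for uid in sorted(set(previous) | set(current)):
        old, new = previous.get(uid), current.get(uid)
        had, wanted = token_type_for(old), token_type_for(new)
        if had is None and wanted is not None:
            actions.append(("provision", uid, wanted))
        elif had is not None and wanted is None:
            # A disabled account keeps its token but cannot use it; a deleted
            # or de-entitled account loses it.
            verb = "suspend" if new is not None and not new.enabled else "revoke"
            actions.append((verb, uid, had))
        elif had is not None and wanted is not None and had != wanted:
            actions.append(("reprovision", uid, wanted))
    return actions


# Constructed directory contents before and after a change in the user store.
LDAP_BEFORE = [
    {"sAMAccountName": "alice", "mail": "alice@example.test",
     "memberOf": ["cn=staff,ou=groups"], "enabled": True},
    {"sAMAccountName": "bob", "mail": "bob@example.test",
     "memberOf": ["cn=admins,ou=groups"], "enabled": True},
    {"sAMAccountName": "carol", "mail": "carol@example.test",
     "memberOf": ["cn=staff,ou=groups"], "enabled": True},
    {"sAMAccountName": "dave", "mail": "dave@example.test",
     "memberOf": [], "enabled": True},
]
LDAP_AFTER = [
    {"sAMAccountName": "alice", "mail": "alice@example.test",
     "memberOf": ["cn=admins,ou=groups"], "enabled": True},   # promoted
    {"sAMAccountName": "bob", "mail": "bob@example.test",
     "memberOf": ["cn=admins,ou=groups"], "enabled": False},  # disabled
    # carol has been deleted from the directory
    {"sAMAccountName": "dave", "mail": "dave@example.test",
     "memberOf": ["cn=staff,ou=groups"], "enabled": True},    # newly entitled
]
SQL_AFTER = [  # a second user store, mapped through its own field names
    {"username": "Erin", "email_addr": "erin@example.test",
     "roles": ["cn=staff,ou=groups"], "is_active": 1},
]


def demo():
    before = snapshot([("ldap", LDAP_BEFORE)])
    after = snapshot([("ldap", LDAP_AFTER), ("sql", SQL_AFTER)])
    return plan_actions(before, after)


if __name__ == "__main__":
    for action in demo():
        print(*action)
```

Running it prints one action per changed user: alice is re-provisioned with a hardware token after joining the admins group, bob's token is suspended because his account was disabled, carol's token is revoked because she left the directory, and dave and erin receive mobile OTP tokens. Because the agent works from read-only snapshots, it never needs schema changes or write access to the user store, which is the property the slide stresses.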
User Directory Sources
Unified Authentication Platform
Widest Choice of Tokens
Authenticators for every user type and an increasing focus on commoditisation
Authenticators that:
Don't expire
Seed keys can be owned by the subscriber
Can be easily re-assigned to new users
Easy deployment saves cost and time
A token can be included in the service charge
Multi Platform: H/W, SMS, BlackBerry, iOS, Android, Microsoft, Java, USB, Grid, OS X, Custom
Token Choice
Choose the right token type for each user:
Phone based
Software
Multiple hard tokens
Tokenless, either SMS or Grid based
Our Authenticators:
Don't expire
Can be included in the service charge
Seed keys can be generated by the customer
Can be re-assigned to new users
Self-enrollment options reduce administration
OTP & PIN complexity defined by the customer
Provides the lowest overall total cost of ownership
Supporting 3rd party tokens enables an orderly and cost-effective migration
Self Service
Customizable: icons, colors, services, multi-language
Request Token: approve, issue, ship workflow
Self-service API (WSDL): build into existing portals
User Aliases
User has multiple IDs: 1 UserID + up to 2 aliases
All can use the same token(s)
Allows for different privileges with only 1 token
[Diagram: UserID Bill reaches standard user applications, UserID SysAdmin reaches router & server management, and UserID Billy reaches finance servers, all within the enterprise resources, using one token.]
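The PIN + OTP passcode from the token slide and the alias model on this slide (one token, several IDs, each with its own privileges) fit in one worked example. The Python below is added for this page and is not SafeNet's implementation: OTP generation follows RFC 4226 (HOTP) using the RFC's published test seed, while the PIN, alias table, privilege sets and login sequence are constructed.

```python
"""Added example: a PIN-plus-OTP token shared by a user ID and its aliases, with
privileges decided by the alias used. Illustrative code for this page, not
SafeNet's implementation: OTP generation follows RFC 4226 (HOTP) with the RFC's
published test seed; the PIN, alias table and privilege map are constructed."""
import hashlib
import hmac
import struct

OTP_DIGITS = 6


def hotp(seed, counter, digits=OTP_DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Token:
    """Server-side record of one event-based OTP token plus its PIN."""

    def __init__(self, seed, pin, look_ahead=5):
        self.seed = seed
        self.pin = pin
        self.look_ahead = look_ahead   # resync window for skipped button presses
        self.counter = 0               # next counter value the server will accept

    def verify(self, passcode):
        """Accept PIN + OTP once: the counter only moves forward, so a captured
        passcode cannot be replayed, and values outside the window fail."""
        if not (passcode.isascii() and passcode.isdigit()):
            return False
        if len(passcode) != len(self.pin) + OTP_DIGITS:
            return False
        pin, otp = passcode[:len(self.pin)], passcode[len(self.pin):]
        if not hmac.compare_digest(pin, self.pin):
            return False
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.seed, c), otp):
                self.counter = c + 1
                return True
        return False


def new_directory():
    """Constructed sample: 'bill' owns one token; 'sysadmin' and 'billy' are his
    aliases (1 UserID + up to 2 aliases), each with its own privilege set."""
    return {
        "tokens": {"bill": Token(b"12345678901234567890", pin="1234")},
        "aliases": {"bill": "bill", "sysadmin": "bill", "billy": "bill"},
        "privileges": {"bill": {"standard_apps"},
                       "sysadmin": {"router_mgmt", "server_mgmt"},
                       "billy": {"finance_servers"}},
    }


def authenticate(directory, login_id, passcode):
    """Verify the passcode against the token of whoever owns login_id and return
    the privileges of that alias, or None on failure."""
    alias = login_id.lower()
    owner = directory["aliases"].get(alias)
    token = directory["tokens"].get(owner) if owner else None
    if token is None or not token.verify(passcode):
        return None
    return frozenset(directory["privileges"][alias])


def walkthrough():
    """Constructed login sequence: alias privileges, replay and resync behaviour."""
    d = new_directory()
    seed = b"12345678901234567890"
    return [
        authenticate(d, "SysAdmin", "1234" + hotp(seed, 0)),  # fresh OTP, admin alias
        authenticate(d, "bill", "1234" + hotp(seed, 0)),      # same OTP again: replay
        authenticate(d, "Billy", "1234" + hotp(seed, 2)),     # one press skipped: resync
        authenticate(d, "bill", "1234" + hotp(seed, 1)),      # behind the counter
        authenticate(d, "bill", "0000" + hotp(seed, 3)),      # wrong PIN
        authenticate(d, "mallory", "1234" + hotp(seed, 3)),   # unknown ID
        authenticate(d, "bill", "1234" + hotp(seed, 3)),      # primary ID
    ]


if __name__ == "__main__":
    for result in walkthrough():
        print(sorted(result) if result else None)
```

The point to notice is that the token record, and therefore the counter, is shared: an OTP spent under the SysAdmin alias cannot be re-used under Bill, and a login as Billy only ever yields the finance privileges, so one physical token gives three separately authorised identities without three seeds to protect.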
Security
Hardware HSM support
All token seed records encrypted and protected by HSM
All encryption/decryption executed internally by HSM
Data center to data center failover
SAML Single Sign-on
Authentication at one allowed SAML site gives access to all allowed sites
Logoff at one allowed site logs off at all allowed sites
[Diagram: user Bill signs in with UserID Bill and his OTP as the password; SafeNet issues a SAML assertion to each allowed site.]
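The two properties on this slide, sign on once for every allowed site and log off everywhere from any one site, rest on checks the consuming site must perform on each assertion. The Python below is an added example for this page, not SafeNet's SAML implementation; as a simplification it carries assertions as JSON dicts authenticated with an HMAC over their canonical form instead of XML-DSig, and the shared key, entity IDs and user are constructed.

```python
"""Added example: SAML-style single sign-on and single logout between an identity
provider (IdP) and several service providers (SPs). Illustrative code for this
page, not SafeNet's SAML implementation. Simplification: assertions are JSON
dicts authenticated with an HMAC over their canonical form instead of XML-DSig;
the key, entity IDs and user are constructed."""
import hashlib
import hmac
import json
import secrets


def sign(key, assertion):
    canonical = json.dumps(assertion, sort_keys=True).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


class ServiceProvider:
    def __init__(self, entity_id, idp_key):
        self.entity_id, self.idp_key = entity_id, idp_key
        self.seen_ids = set()   # consumed assertion IDs (replay guard)
        self.sessions = {}      # local session -> {"user", "session_index"}

    def consume(self, signed, now):
        """Validate an assertion and open a local session, else return None."""
        a = signed["assertion"]
        if not hmac.compare_digest(sign(self.idp_key, a), signed["signature"]):
            return None                      # forged or tampered
        if a["audience"] != self.entity_id:
            return None                      # issued for another site
        if not a["issue_instant"] <= now < a["not_on_or_after"]:
            return None                      # outside the validity window
        if a["id"] in self.seen_ids:
            return None                      # replayed
        self.seen_ids.add(a["id"])
        local = secrets.token_hex(8)
        self.sessions[local] = {"user": a["subject"], "session_index": a["session_index"]}
        return local

    def end_sessions(self, session_index):
        """Single logout: drop every local session tied to the IdP session."""
        for k in [k for k, v in self.sessions.items() if v["session_index"] == session_index]:
            del self.sessions[k]


class IdentityProvider:
    def __init__(self, key, sps):
        self.key = key
        self.sps = {sp.entity_id: sp for sp in sps}   # the allowed SAML sites
        self.sessions = {}                             # session_index -> {"user", "sps"}

    def login(self, user_id):
        """Called once the user has passed UserID + OTP authentication."""
        session_index = secrets.token_hex(8)
        self.sessions[session_index] = {"user": user_id, "sps": set()}
        return session_index

    def issue_assertion(self, session_index, sp_entity_id, now, ttl=300):
        session = self.sessions.get(session_index)
        if session is None or sp_entity_id not in self.sps:
            return None
        assertion = {"id": "_" + secrets.token_hex(8), "subject": session["user"],
                     "audience": sp_entity_id, "issue_instant": now,
                     "not_on_or_after": now + ttl, "session_index": session_index}
        session["sps"].add(sp_entity_id)
        return {"assertion": assertion, "signature": sign(self.key, assertion)}

    def logout(self, session_index):
        """Logoff at one site: every SP holding this session ends it too."""
        session = self.sessions.pop(session_index, None)
        if session is None:
            return []
        for sp_id in session["sps"]:
            self.sps[sp_id].end_sessions(session_index)
        return sorted(session["sps"])


def scenario():
    """Bill signs on once, reaches two sites, bad assertions are rejected, and one
    logout ends both sessions. Returns the observations as a dict."""
    key = b"constructed-demo-key"
    mail = ServiceProvider("https://mail.example.test", key)
    crm = ServiceProvider("https://crm.example.test", key)
    idp = IdentityProvider(key, [mail, crm])
    now = 1_700_000_000
    idx = idp.login("bill")
    a_mail = idp.issue_assertion(idx, mail.entity_id, now)
    a_crm = idp.issue_assertion(idx, crm.entity_id, now + 10)
    s_mail, s_crm = mail.consume(a_mail, now + 1), crm.consume(a_crm, now + 11)
    tampered = {"assertion": dict(a_crm["assertion"], subject="mallory"),
                "signature": a_crm["signature"]}
    stale = idp.issue_assertion(idx, mail.entity_id, now)
    return {
        "mail_login": s_mail is not None,
        "crm_login": s_crm is not None,
        "replay_rejected": mail.consume(a_mail, now + 2) is None,
        "wrong_audience_rejected": crm.consume(a_mail, now + 2) is None,
        "tamper_rejected": crm.consume(tampered, now + 12) is None,
        "expired_rejected": mail.consume(stale, now + 400) is None,
        "unknown_sp_refused": idp.issue_assertion(idx, "https://rogue.example.test", now) is None,
        "logged_out_at": idp.logout(idx),
        "mail_still_in": s_mail in mail.sessions,
        "crm_still_in": s_crm in crm.sessions,
    }


if __name__ == "__main__":
    for name, value in scenario().items():
        print(name, value)
```

The IdP remembers which sites each session reached, which is what makes "logoff at one, logged off at all" possible; the SP side shows the four checks (signature, audience, validity window, one-time use) without which an assertion captured for one site could be replayed or presented to another.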
SafeNet Authentication Architecture
[Diagram: the SafeNet Authentication Service runs across two data centers; administrators, users and tokens reach it over the Internet; SMS messages go out via HTTP(S) through an SMS gateway (subscriber or SP selected) and email via SMTP; groups, subscribers, user self-service, LDAP sync and migration solutions attach to the service.]
Authent