Axiom protect-2.0-with-one identity

MOLLA Technologies presents

Next Generation Security

Axiom Protect

1 Molla Technologies (www.mollatech.com)

1 What is the Need?

What is the need to have a dedicated future ready iden5ty protec5on pla8orm


Need of Identity Protection And Signing

E-Banking M-Banking Branch / ATM

Banking

Need Branch Internet (PC) Mobile

Execute Transac5on Yes Yes Yes

Authen5ca5on Physical Presence Login Creden@als/Strong Authen@ca@on (what you know? And what you have? )

Accessibility Physical Secure HTTP Secure WAP / HTTP Or Added Authen@ca@on

Transac5on Integrity (+Non Repudia5on) Physical Signature

Strong Authoriza@on/ Digital Signature (What you have? And What you are? )

Points to note from Regulator’s side

Source: hLp://www.mas.gov.sg/resource/legisla@on_guidelines/risk_mgt/IBTRMV3.pdf

Appendix A

2 AXIOM Protect Pla8orm

Where does AXIOM Protect Pla8orm play a role for us?


One Stop Protection Platform brings

Address P.A.I.N (Privacy, Authen@ca@on, Integrity and Non repudia@on)

On Premise OR Cloud Based Consolidated Iden@ty Management Enforces Strong Protec@on Simplifies User Experience Reduces Cost and Effort Gives Best of Security


Mul@ Factor Mul@ Layered

End To End

Challenge Response

Time Stamp Device Profiling

One Time Passwords

Geo Fencing Digital Cer@ficate

(PKI)

E-‐PIN Password

Biometric (coming soon)

Axiom Protect 2.0 Security Stack (Beyond HSM)

Risk Analy5cs

Online Retail Banking

Online SME Banking

Online Corporate Banking

Corporate User

Online Trading

Retail User SME User Traders Phone Banking User

Scalable (Multiple Apps: Users: Tokens) Axiom Protect 2.0 Appliance

Mobile Banking

Mobile Token, SMS Token, Mini Token

Mobile / Web / PC Token

USB Token And CR token

Hardware Tokens Mobile Token Web Token & mini Token

Retail User

Online Retail Banking

Online SME Banking

Online Corporate Banking

SME User Corporate User

Online Trading

Traders Mobile Banking User

Consolidation with Choice (single identity)

Mobile Banking

Single Iden@ty And Single Token for mul@ple services

Axiom Protect 2.0 Pladorm

AXIOM Protect 2.0 Dashboard

Channel-‐User Management

Token-‐Cer@ficate Management

Helpdesk

User – Operator Audit Trails

Operator Management

System, User, ROI Reports


3 One size does not fit all

Any form of hardware, soQware, clientless form of authen5ca5on along with PKI / Cer5ficate Support


13

Consolidated Login User Experience [Single Identity]!

ACS/Card Access

Single User Iden5ty across all applica5ons

Online Banking CRM Interface

…..

Note: Single Iden@ty Management allows you to map mul@ple aLributes from different system into single iden@ty. You can administer password management along with user creden@als details.

14

2FA Login User Experience [Authentication]!

Login With Username And Password OTP generated through registered Token AQer OTP Verifica5on, access is allowed

User can use ac5ve OTP Token(s)

15

Transaction User Experience [Authorization]

A New Transac5on is created (D-‐A-‐S) Transac5on is signed using Signature OTP AQer SOTP Verifica5on, TX is commi[ed

Transac5on Signing OTP Tokens

16

PKI Signing User Experience [Non Repudiation]

A New Transac5on is created (D-‐A-‐S) Transac5on Signed using Cer5ficate AQer Signature Verifica5on, TX is commi[ed

Transac5on Signing using Cer5ficate Based Tokens

3 Closer Look at Tokens And

Security Layers

AXIOM Protect Pla8orm offers wide variety of tokens. Lets have a look at them.


Molla Technologies (www.mollatech.com) 18

One-‐Iden@ty Mul@ple Sources to one iden@ty. User, Password and ALributes Management. Synchronize with Ac@ve Directory/LDAP/DB Integra@ons with SAML (ADFS2.0) Web Service integra@on with other sources. Exposes Web Service APIs for integra@on. Single place to De-‐provisioning And Change. Ideal for mul@ple systems consolida@on.


OTP Token OATH Time or Event compliant Supports iOS, Android, Java & BB Offline or Online Ac@va@on Device Bound Token PIN Protected Access Self Destroy on 5 aLempts SDK for Mobile Banking Ideal for Login Does not protect from MITM


SOTP Token OATH OCRA Time or Event compliant Supports Visual or QR Input Op@ons Single Or Mul@ple Data Signing Self Destroy on 5 aLempts SDK for Mobile Banking Integra@on Ideal for Transac@on Authoriza@on


Hardware OTP BaLery Life 4 years with 35,000 otps Tamper proof casing Provides OATH compliant tokens Support 3rd Party Tokens RSA Compliant Cer@ficates (for pki) Prefect Secondary Token


Clientless OTP OATH Time and OCRA based Out of Band Authen@ca@on IVR, USSD, SMS and Email Dual Channel PIN Delivery Extendable to Push No@fica@on Prefect Secondary Token


Somware OTP OATH Time and OCRA based Web OTP thru’ JS + Encrypted Cookies Windows and Mac Client Device Bound & PIN Protected Prefect Secondary Token Popular in enterprises

End To End Encryption

E2E Encryp@on

Must Have Security Entropy driven Session keys Works for S2S, S2M, S2W Protect Sensi@ve Data RSA-‐1024 Keys, AES, SHA256 SDK Available Ideal for Branches, Agents, Merchants


Portable Reader for Mobile and PC

mReader EMV Cer@fied Hardware Supports iOS, Android, Windows & MAC Plain and PIN Protected Supports MyKad Comes with Point of Sale(Web & Mobile) SDK Available for integra@on Ideal for User Acquisi@on, Agent Banking and Mobile Merchants


Mutual Authentication (needed protection beyond 2FA)

Mutual Auth

Protects from MITM, BITM No Somware to install Uses Image, AJAX and JS Not Visual Image Flow Works for Web & Mobile SDK Available Ideal for Internet Banking


Digital Certificate based Signing on Mobile App

PKI Token RSA 1024 / 2048 bit key pair Supports Visual or QR Input Op@ons Single Or Mul@ple Data Signing Extendable to Malaysian CAs SDK for Internet and Mobile Banking Ideal for High Value Transac@ons


Available as SDK for Mobile Banking Or Standalone App


iOS, Android and Windows Mobile Apps

Device Tracking and Hardware Profile

Geo loca@on Fencing

Signature OTP for Online Banking

Time Stamp with Mutual Authen@ca@on

Push No@fica@on Alerts

Cer@ficate based Signatures

29

Profiling and Policy Enforcement

!

!

System policies based rules combined with user profile and archived historical data analysis.

30

Historical Data Analytics

!

31

Secure 2FA Remote Access

Secure 2FA Server,

Workstation Access

Secure 2FA Database & Web Access

Internal Systems that demand 2FA

5 Typical Usage

Where does AXIOM Protect Pla8orm play a role for us?


One Identity based login and password reset

Internet

Applica@on AXIOM Protect 1 User logs into the applica@on with single

iden@ty creden@als like Card number, Ibuserid, mobile number etc.

2 Radius, SAML ADFS 2.0 Or Web Service API call for verifica@on

Bank’s Infrastructure

3Check if the user is valid and allow login

Internet

SMS Gateway

Mobile Operator(s)

CSends password to the user’s number

D User gets new password via SMS (or email or mobile push)

A User requests for password reset or change password by passing

B Checks the details and then issues the new password via SMS/email

operator

user

Transaction Protection using SMS Signature One Time Password

Internet

Internet Banking

AXIOM Protect 1 User makes transac@on by providing

Payee, Amount, Saving Account (=Data).

2 Calls SendSOTP() for this user and data .


3Generates @me Signature OTP for data

Internet

SMS Gateway

Mobile Operator(s)

4Sends Signature OTP to the user’s number

5 User gets Data Summary and Signature OTP delivered on the phone

6 User views data summary and inputs Signature OTP.

7 Calls VerifySignatureOTP() with data and user’s OTP 8 Verifies

Signature One Time Password

Transaction Protection using Mobile Signature One Time Password

Internet

Internet Banking

AXIOM Protect 1 User makes transac@on by providing

Payee, Amount, Saving Account (=Data).


2User keys in data and generate Signature OTP.

4 Calls VerifySignatureOTP() with data and user’s OTP

5 Verifies Signature One Time Password

3 User reads and enters Signature OTP from mobile.

Login Protection using Hardware One Time Password Token

Internet

Internet Banking

AXIOM Protect


1 User users hardware token to generates OTP

2 User provides OTP for 2FA login.

3 IB calls VerifyOTP() for 2FA login.

4 Verifies One Time Password

6 Axiom Protect for PRASAC

Lets go through the workflow for PRASAC Needed Workflow and Systems interac5ons


38

Token Assignment and Activation

Online Portal

Automated Efficient Way However Integra@on Needed is maximum

Through ATM

Another Automated Efficient Way With larger Reach

Over the Counter

Least Integra@on with face to face Human Involvement.

Through Phone Call

Least Integra@on with least human Involvement.

1. User Account Creation

Card Management System

AXIOM Protect

AAuthorized Operator will come connect to CMS and pull the file (text/xml).

1Periodically CMS dumps the flat file/xml having all new/exis@ng user with their email id and phone number.

2

Axiom picks up the file from SFTP directory securely with configured seung in axiom.

Secure FTP Server

B Operator uploads same file with userid, emailid and phoneno.

Op@on 2. A and B are operator manual steps for user account crea@on.

Op@on 1. Automated flow where Secure FTP is shared file media for CMS to push files and Axiom to pull files.

operator

1. Consolidating Identities as one

Card Management System

AXIOM Protect

AAuthorized Operator will come connect to CMS and pull the file (text/xml).

1Periodically CMS dumps the flat file/xml having all new/exis@ng user with their email id and phone number.

2

Axiom picks up the file from SFTP directory securely with configured seung in axiom.

Secure FTP Server

B Operator uploads same file with userid, emailid and phoneno.

Op@on 2. A and B are operator manual steps for user account crea@on.

Op@on 1. Automated flow where Secure FTP is shared file media for CMS to push files and Axiom to pull files.

operator

2. User Token Assignment – Hardware, Mobile and SMS/Email

AXIOM Protect

12

User fills the form for internet and mobile banking with op@ng for hardware, somware

(mobile), SMS / Email Clientless token.

User

Branch Staff

1.  If hardware token, Branch staff will pick up a new hardware token and assign in Axiom.

2.  If mobile token, staff will assign mobile token in axiom and share user with axiom issued ac@va@on code.

3.  If SMS OR Email, staff assigns same to user in axiom.

3

1.  Hardware Token: User is given hardware token. 2.  Mobile Token: user downloads the mobile

Security token app and entered ac@va@on code.

3. Multi Channel Protection (web, and mobile both)

Switch

AXIOM Protect

1

User uses the hardware / mobile token / SMS/email token in IB or MB or any other channel.

SMS/IVR/Email Gateway

MB

IB

Internet

Internet

2Switch gets the request for front facing applica@ons.

3Calls VerifyCreden@al() to handle all the tokens including SMS,Email, Mobile, Hardware token for the users.

a

Internet Banking

Mobile Banking

Note: Mobile token can be used for both internet and mobile banking as it is separate mobile security token.

Sending SMS/Email out to user’s device

4. Free Notification (no more SMS $$$)

Switch AXIOM Protect

2

Calls SendMessage() API for sending Alerts/No@fica@on/Sensi@ve Data

Internet

Push no@fica@on Gateway

*Secure Encrypted Data inside Push no@fica@on message.

3 User gets the no@fica@on anywhere any@me in the world for free of cost. More importantly it is secured for this user to deliver sensi@ve data also.

1 Marke@ng Alerts/Promo@on can be send by branch staff

Integration through Web Services

Integra@on Secure Web Services (WS) User, Token, Keys WS Authen@ca@on WS Digital Signing WS E2E Encryp@on WS Token Provisioning WS Integrate with Dashboard


Stress Test Performance

60tps@Peak On 1U Server, Qual Core, 64bit Linux, 4 GB RAM, Oracle MySQL Enterprise DB

140tps@Peak On 1U Server, 8 Core CPU, 64bit Linux, 16 GB RAM, Oracle MySQL Enterprise DB


For More Details: Visit us at www.mollatech.com Contact us at [email protected]

Thank you


Axiom protect-2.0-with-one identity

Technology

Transcript of Axiom protect-2.0-with-one identity