Axiom Protect 2.0 with One Identity
Uploaded by vikram-sareen. Category: Technology.
Transcript of Axiom Protect 2.0 with One Identity
MOLLA Technologies presents
Next Generation Security
Axiom Protect
1 Molla Technologies (www.mollatech.com)
1 What is the Need?
What is the need for a dedicated, future-ready identity protection platform?
Need for Identity Protection and Signing
Banking: E-Banking, M-Banking, Branch / ATM

Need | Branch | Internet (PC) | Mobile
Execute Transaction | Yes | Yes | Yes
Authentication | Physical Presence | Login Credentials / Strong Authentication (what you know? and what you have?)
Accessibility | Physical | Secure HTTP | Secure WAP / HTTP or Added Authentication
Transaction Integrity (+ Non-Repudiation) | Physical Signature | Strong Authorization / Digital Signature (what you have? and what you are?)
Points to note from the Regulator’s side
Source: http://www.mas.gov.sg/resource/legislation_guidelines/risk_mgt/IBTRMV3.pdf
2 AXIOM Protect Platform
Where does the AXIOM Protect Platform play a role for us?
One Stop Protection Platform brings:
Addresses P.A.I.N. (Privacy, Authentication, Integrity and Non-repudiation)
On Premise or Cloud Based
Consolidated Identity Management
Enforces Strong Protection
Simplifies User Experience
Reduces Cost and Effort
Gives Best of Security
Axiom Protect 2.0 Security Stack (Beyond HSM)
Multi Factor, Multi Layered
End To End
Challenge Response
Time Stamp
Device Profiling
One Time Passwords
Geo Fencing
Digital Certificate (PKI)
E-PIN
Password
Biometric (coming soon)
Risk Analytics
Axiom Protect 2.0 Appliance: Scalable (Multiple Apps : Users : Tokens)
Applications: Online Retail Banking, Online SME Banking, Online Corporate Banking, Online Trading, Mobile Banking
Users: Retail User, SME User, Corporate User, Traders, Phone Banking User
Tokens: Mobile Token, SMS Token, Mini Token; Mobile / Web / PC Token; USB Token and CR Token; Hardware Tokens, Mobile Token, Web Token & Mini Token

Consolidation with Choice (single identity)
Applications: Online Retail Banking, Online SME Banking, Online Corporate Banking, Online Trading, Mobile Banking
Users: Retail User, SME User, Corporate User, Traders, Mobile Banking User
Single Identity and Single Token for multiple services
Axiom Protect 2.0 Platform
AXIOM Protect 2.0 Dashboard
Channel-User Management
Token-Certificate Management
Helpdesk
User – Operator Audit Trails
Operator Management
System, User, ROI Reports
3 One size does not fit all
Any form of hardware, software or clientless authentication, along with PKI / Certificate support.
Consolidated Login User Experience [Single Identity]
Single User Identity across all applications: ACS/Card Access, Online Banking, CRM Interface, …
Note: Single Identity Management allows you to map multiple attributes from different systems into a single identity. You can administer password management along with user credential details.
2FA Login User Experience [Authentication]
1. Login with Username and Password
2. OTP generated through registered Token
3. After OTP Verification, access is allowed
User can use active OTP Token(s)
Transaction User Experience [Authorization]
1. A New Transaction is created (D-A-S)
2. Transaction is signed using Signature OTP
3. After SOTP Verification, TX is committed
Transaction Signing OTP Tokens
PKI Signing User Experience [Non Repudiation]
1. A New Transaction is created (D-A-S)
2. Transaction is signed using Certificate
3. After Signature Verification, TX is committed
Transaction Signing using Certificate Based Tokens
3 Closer Look at Tokens and Security Layers
The AXIOM Protect Platform offers a wide variety of tokens. Let’s have a look at them.
One-Identity
Multiple Sources to one Identity
User, Password and Attributes Management
Synchronize with Active Directory / LDAP / DB
Integrations with SAML (ADFS 2.0)
Web Service integration with other sources
Exposes Web Service APIs for integration
Single place for De-provisioning and Change
Ideal for multiple systems consolidation
OTP Token
OATH Time or Event compliant
Supports iOS, Android, Java & BB
Offline or Online Activation
Device Bound Token
PIN Protected Access
Self Destroy on 5 attempts
SDK for Mobile Banking
Ideal for Login
Does not protect from MITM
SOTP Token
OATH OCRA Time or Event compliant
Supports Visual or QR Input Options
Single or Multiple Data Signing
Self Destroy on 5 attempts
SDK for Mobile Banking Integration
Ideal for Transaction Authorization
Hardware OTP
Battery Life 4 years with 35,000 OTPs
Tamper proof casing
Provides OATH compliant tokens
Supports 3rd Party Tokens
RSA Compliant Certificates (for PKI)
Perfect Secondary Token
Clientless OTP
OATH Time and OCRA based
Out of Band Authentication
IVR, USSD, SMS and Email
Dual Channel PIN Delivery
Extendable to Push Notification
Perfect Secondary Token
Software OTP
OATH Time and OCRA based
Web OTP through JS + Encrypted Cookies
Windows and Mac Client
Device Bound & PIN Protected
Perfect Secondary Token
Popular in enterprises
End To End Encryption
E2E Encryption
Must Have Security
Entropy driven Session Keys
Works for S2S, S2M, S2W
Protects Sensitive Data
RSA-1024 Keys, AES, SHA256
SDK Available
Ideal for Branches, Agents, Merchants
Portable Reader for Mobile and PC
mReader
EMV Certified Hardware
Supports iOS, Android, Windows & Mac
Plain and PIN Protected
Supports MyKad
Comes with Point of Sale (Web & Mobile)
SDK Available for integration
Ideal for User Acquisition, Agent Banking and Mobile Merchants
Mutual Authentication (needed protection beyond 2FA)
Mutual Auth
Protects from MITM, BITM
No Software to install
Uses Image, AJAX and JS
Not Visual Image Flow
Works for Web & Mobile
SDK Available
Ideal for Internet Banking
Digital Certificate based Signing on Mobile App
PKI Token
RSA 1024 / 2048 bit key pair
Supports Visual or QR Input Options
Single or Multiple Data Signing
Extendable to Malaysian CAs
SDK for Internet and Mobile Banking
Ideal for High Value Transactions
Available as SDK for Mobile Banking or Standalone App
iOS, Android and Windows Mobile Apps
Device Tracking and Hardware Profile
Geo location Fencing
Signature OTP for Online Banking
Time Stamp with Mutual Authentication
Push Notification Alerts
Certificate based Signatures
Profiling and Policy Enforcement
System policy based rules combined with user profile and archived historical data analysis.
Internal Systems that demand 2FA
Secure 2FA Remote Access
Secure 2FA Server and Workstation Access
Secure 2FA Database & Web Access
5 Typical Usage
Where does the AXIOM Protect Platform play a role for us?
One Identity based login and password reset
Components: Application, AXIOM Protect (Bank’s Infrastructure), SMS Gateway, Mobile Operator(s), operator, user
Login:
1. User logs into the application with single identity credentials like card number, IB user ID, mobile number etc.
2. RADIUS, SAML (ADFS 2.0) or Web Service API call for verification.
3. Check if the user is valid and allow login.
Password reset:
A. User requests a password reset or change of password by passing
B. Operator checks the details and then issues the new password via SMS/email.
C. Sends the password to the user’s number.
D. User gets the new password via SMS (or email or mobile push).
Transaction Protection using SMS Signature One Time Password
Components: Internet Banking, AXIOM Protect (Bank’s Infrastructure), SMS Gateway, Mobile Operator(s)
1. User makes a transaction by providing Payee, Amount, Saving Account (= Data).
2. Calls SendSOTP() for this user and data.
3. Generates a time-based Signature OTP for the data.
4. Sends the Signature OTP to the user’s number.
5. User gets the Data Summary and Signature OTP delivered on the phone.
6. User views the data summary and inputs the Signature OTP.
7. Calls VerifySignatureOTP() with the data and the user’s OTP.
8. Verifies the Signature One Time Password.
Transaction Protection using Mobile Signature One Time Password
Components: Internet Banking, AXIOM Protect (Bank’s Infrastructure)
1. User makes a transaction by providing Payee, Amount, Saving Account (= Data).
2. User keys in the data and generates the Signature OTP.
3. User reads and enters the Signature OTP from the mobile.
4. Calls VerifySignatureOTP() with the data and the user’s OTP.
5. Verifies the Signature One Time Password.
Login Protection using Hardware One Time Password Token
Components: Internet Banking (IB), AXIOM Protect (Bank’s Infrastructure)
1. User uses the hardware token to generate an OTP.
2. User provides the OTP for 2FA login.
3. IB calls VerifyOTP() for 2FA login.
4. Verifies the One Time Password.
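The three flows above (SMS Signature OTP, mobile Signature OTP and the plain hardware login OTP) as a worked example added here; it is not Molla’s SendSOTP()/VerifySignatureOTP()/VerifyOTP() code but an OCRA-style construction in which HMAC-SHA256 covers the time step plus the canonical transaction data, so a payee changed in transit fails verification while a plain login OTP cannot detect the change. The 60-second step, 8 digits, field order and seed are assumptions.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Assumed parameters (not from the slides): 60 s time step, 8 digits, demo seed.
TIME_STEP = 60
DIGITS = 8
SEED = b"constructed-demo-seed-not-a-real-token-secret"

def _truncate(mac: bytes) -> str:
    """Dynamic truncation (RFC 4226 section 5.3), widened to DIGITS digits."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

def canonical(data: dict) -> bytes:
    """Fixed field order so the token and the server hash identical bytes."""
    return "|".join(str(data[k]) for k in ("payee", "amount", "account")).encode()

def generate_otp(seed: bytes, now: int, data: Optional[dict] = None) -> str:
    """OCRA-style OTP: HMAC-SHA256 over (time step || canonical data). With
    data=None it degrades to a plain time-based login OTP (hardware token slide)."""
    msg = struct.pack(">Q", now // TIME_STEP) + (canonical(data) if data else b"")
    return _truncate(hmac.new(seed, msg, hashlib.sha256).digest())

def verify_otp(seed: bytes, otp: str, now: int, data: Optional[dict] = None,
               window: int = 1) -> bool:
    """Server side: recompute over the server's own copy of the data, accept
    +-window time steps of drift, compare in constant time."""
    return any(hmac.compare_digest(generate_otp(seed, now + s * TIME_STEP, data), otp)
               for s in range(-window, window + 1))

def demo() -> dict:
    """Constructed transaction; a man-in-the-middle rewrites the payee in transit."""
    now = 1_700_000_000
    data = {"payee": "ACME Ltd", "amount": "150.00", "account": "001-2345"}
    tampered = dict(data, payee="Mallory")
    sotp = generate_otp(SEED, now, data)  # what the SMS / mobile token shows the user
    lotp = generate_otp(SEED, now)        # what a plain login token would show
    return {
        "genuine_ok": verify_otp(SEED, sotp, now, data),
        "tampered_rejected": not verify_otp(SEED, sotp, now, tampered),
        # A login OTP binds no data, so it is equally valid for the tampered transaction.
        "login_otp_blind": verify_otp(SEED, lotp, now),
    }
```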
6 Axiom Protect for PRASAC
Let’s go through the workflow for PRASAC.
Needed Workflow and Systems Interactions
Token Assignment and Activation
Online Portal: Automated, efficient way; however, the integration needed is maximum.
Through ATM: Another automated, efficient way, with larger reach.
Over the Counter: Least integration, with face-to-face human involvement.
Through Phone Call: Least integration with least human involvement.
1. User Account Creation (Consolidating Identities as one)
Components: Card Management System (CMS), Secure FTP Server, AXIOM Protect, operator
Option 1. Automated flow, where Secure FTP is the shared file medium for CMS to push files and Axiom to pull them.
1. Periodically, CMS dumps a flat file / XML having all new and existing users with their email ID and phone number.
2. Axiom picks up the file from the SFTP directory securely, with the configured setting in Axiom.
Option 2. A and B are operator manual steps for user account creation.
A. Authorized operator connects to CMS and pulls the file (text/xml).
B. Operator uploads the same file with user ID, email ID and phone number.
2. User Token Assignment – Hardware, Mobile and SMS/Email
Parties: User, Branch Staff, AXIOM Protect
1. User fills in the form for internet and mobile banking, opting for a hardware, software (mobile), or SMS / Email clientless token.
2. Branch staff:
   1. If hardware token, branch staff will pick up a new hardware token and assign it in Axiom.
   2. If mobile token, staff will assign a mobile token in Axiom and share the Axiom-issued activation code with the user.
   3. If SMS or Email, staff assigns the same to the user in Axiom.
3. Activation:
   1. Hardware Token: user is given the hardware token.
   2. Mobile Token: user downloads the mobile security token app and enters the activation code.
3. Multi Channel Protection (web and mobile both)
Components: Switch, AXIOM Protect, SMS/IVR/Email Gateway, Internet Banking (IB), Mobile Banking (MB)
1. User uses the hardware / mobile token / SMS/email token in IB or MB or any other channel.
2. Switch gets the request from the front-facing applications.
3. Calls VerifyCredential() to handle all the tokens, including SMS, Email, Mobile and Hardware tokens, for the users.
a. Sending SMS/Email out to the user’s device.
Note: The mobile token can be used for both internet and mobile banking, as it is a separate mobile security token.
4. Free Notification (no more SMS $$$)
Components: Switch, AXIOM Protect, Push notification Gateway
1. Marketing Alerts / Promotions can be sent by branch staff.
2. Calls SendMessage() API for sending Alerts / Notifications / Sensitive Data.
3. User gets the notification anywhere, anytime in the world, free of cost. More importantly, it is secured for this user, so sensitive data can be delivered as well.
* Secure encrypted data inside the push notification message.
Integration through Web Services
Integration
Secure Web Services (WS)
User, Token, Keys WS
Authentication WS
Digital Signing WS
E2E Encryption WS
Token Provisioning WS
Integrate with Dashboard
Stress Test Performance
60 tps at peak on a 1U server: Quad Core, 64-bit Linux, 4 GB RAM, Oracle MySQL Enterprise DB
140 tps at peak on a 1U server: 8 Core CPU, 64-bit Linux, 16 GB RAM, Oracle MySQL Enterprise DB
For More Details: Visit us at www.mollatech.com or contact us at [email protected]
Thank you