SERVICE DESCRIPTION Web Authentication

Transcription

1 SERVICE DESCRIPTION Web Authentication Date: Document: Service : Web Authentication

2 TABLE OF CONTENTS Page 1 INTRODUCTION 3 2 SERVICE DESCRIPTION Basic service Options Captive Portal Federation Single Sign-On Strong Authentication Test Instance SMS Flat 11 3 ADDITIONAL DOCUMENTS 12 4 DISCLAIMER 12 Copyright United Security Providers AG page 2/12

3 1 INTRODUCTION This document describes the Web Authentication managed service with all the options available from USP. This document. together with the agreed Service Level Agreement, constitutes the binding basis for the provision of the managed service. Field of application The Web Authentication service offers flexible technologies and concepts for the authentication of users. The service allows complete single sign-on solutions for different applications, taking account of the need for transaction protection and a seamless integration into your IAM processes. The Web Authentication service offers your users a uniform interface for all web applications. Centralized holding of user data makes the work of your IT department easier, saving valuable time and resources. Should the data structure change, the modifications need only be made at one place for all your applications. This considerably reduces the risk of errors and, in addition, changes can be implemented much more quickly. Copyright United Security Providers AG page 3/12

4 2 SERVICE DESCRIPTION 2.1 Basic service USP's Web Authentication service offers a uniform and easy-to-use interface the authentication of your users. Name of service Service abbreviation Web Authentication MSS-WA Service version 2.0 Status Operating hours Operational OH1: Monday Friday, 08:00 18:00 CET OH2: Monday Saturday, 07:00 21:00 CET OH3: Monday Sunday, 0:00 23:59 CET Availability guarantee ACA: Best effort ACB: 99.5% availability during operating hours ACC: 99.7% availability during operating hours ACD: 99.9% availability during operating hours The service is assessed on the basis of the number of concurrent users. The Web Authentication service provides a standardized interface between upstream services, such as the Web Application Firewall service, and the user database. The service consolidates different authentication systems and makes these further services available in a single interface. Modern applications, particularly web-based applications, take their user data from a wide range of sources. Different interfaces lead to very high degrees of complexity in all applications. Thanks to the Web Authentication service, all your web applications access user data on a common interface. If changes are made to the data structure, only the Web Authentication service has to implement these changes. Development costs are saved while the risk is minimized because your applications do not have to be modified. Compliance with the SLA parameters is measured against the availability of the service infrastructure. The following service-specific values are collated in the monthly reports: - infrastructure workload - number of valid/invalid logins - number of sessions The following measuring points are some of those watched to monitor the service: - CPU / RAM / HDD workload Copyright United Security Providers AG page 4/12

5 - listener processes - connection to the backend - accessibility An availability guarantee in excess of "best effort", requires redundant design of the service infrastructure. Copyright United Security Providers AG page 5/12

6 2.2 Options Captive Portal A self-registration portal is provided for your guest users. Name of the service option Abbreviation Captive Portal MSS-WA The service option is measured on the basis of the size of the basic service. This option makes a Captive Portal available to your guest users for self registration. When a user connects to the network, the request is first redirected to a web portal in which he must enter his user information including his mobile number. The correctness of his input is verified by means of a SMS challenge code. Once he passes the verification, the guest can use the network resources. Where users are offered a public WLAN, the provider must make identification of the users possible according to the provisions of the Swiss Federal law on Surveillance of Post and Telecommunications Traffic (BÜPF). The identification required is made possible by this options, so that you can meet your legal obligations in this regard in full. Your guests are registered automatically without further intervention by your staff. This means that you can even make access to network resources, for example Internet access, available to a large number of users without further effort. Compliance with the SLA is determined using the KPIs for the basic service. The number of users is added to the reported data. User activity information is provided following a corresponding request to the USP Security Operations Center. Accessibility of the web interface is checked. The Captive Portal must ether provide the network addresses to users itself, or forward these to the guests. Costs generated by sending text messages are not included in the monthly costs of the service. Copyright United Security Providers AG page 6/12

7 2.2.2 Federation This option provides support for SAML. Name of the service option Abbreviation Federation MSS-WA-FED The service option is measured on the basis of the size of the basic service. Modern IT environments are increasingly active across businesses. The Federation option makes the relevant user data available across companies for authorisation so that customers, partners and also staff can use their own, existing identities. Federation offers full SAML (Security Assertion Markup Language) support, both as an Identity Provider and as a Service Provider. This option gives you a user-friendly capability of mapping trustworthy and cross-company IT environments. You can, for example, give your staff access to Office 365 or to applications hosted by partners, without additional user accounts having to be created and administered. In Federation, you have control over what information is forwarded to service providers. You gain considerably in security as the user data stays where it belongs. Compliance with the SLA is determined using the KPIs for the basic service. This option is not listed separately in the reports. This option is not monitored separately. The conditions of use for the basic service apply. Copyright United Security Providers AG page 7/12

8 2.2.3 Single Sign-On Users access various different applications but need only log in once to do this. Name of the service option Abbreviation Single Sign-On MSS-WA-SSO The service option is measured on the basis of the size of the basic service. Different web applications have different authentication methods and the user needs to enter different user data. With the Single Sign-On option, the login process is standardized for all applications: the users enter their user name and the associated password (and, if need be, a further factor, see section 2.2.4) to start. The Single Sign-On option forwards this information to the applications so that the users are automatically logged in to them. Where users have to remember a number of passwords they tend to use simple passwords, or even to write the passwords down. With the Single Sign-On option your users need learn only one password. In this way, you achieve greater user-friendliness which is reflected in your users' satisfaction and in greater security, as the simplest passwords and writing down of passwords are avoided. The service option is measured on the basis of the size of the basic service. This option is not listed separately in the reports. This option is not monitored separately. The conditions of use for the basic service apply. Copyright United Security Providers AG page 8/12

9 2.2.4 Strong Authentication A second factor is introduced alongside a password for user authentication. Name of the service option Abbreviation Strong Authentication MSS-WA-SA The service option is measured on the basis of the size of the basic service. This option introduces a second factor for user authentication. In addition to entering the password (something that he knows), the user has to enter a second attribute (something that he has or is) to confirm his identity. Various different adapters for linking different attributes are available for this. For example, interfaces are offered to SuisseID, to Mobile ID, to a variety of hard tokens, to text messaging and much more. Introducing a second factor for the authentication of your users considerably enhances your security. A potential attacker does not need to know just his victim's user name and password, but also has to possess a further factor, or purport to be something. Compliance with the SLA is determined using the KPIs for the basic service. This option is not generally listed separately in the reports. Individual factors can be listed separately if required, the status of certificates or the number of text messages sent, for example. This option is not generally monitored separately. Individual factors can, however, require special measuring points; the availability of the text messaging gateway is checked, for instance. Any costs for the two-factor authentication infrastructure are not included in the monthly service fees and must be covered separately by the customer. The customer is responsible for the rollout of infrastructure components for two-factor authentication, for example hard tokens or certificates. Copyright United Security Providers AG page 9/12

10 2.2.5 Test Instance Operation of an additional instance which is not used in production. Name of the service option Abbreviation Non-Prod Licence MSS-WA-TEST The service option is assessed on the basis of the number of instances. This option operates another instance of the Web Authentication infrastructure. The additional instance is not used operationally and can thus be used as a test or development environment for example. The additional instance will be equipped with the same options as the operational instances. Changes can be tested before implementation in an environment similar to the production environment by the use of a non-operational instance. The risk of an error in a subsequent live implementation of amendments on the production environment is considerably reduced by the option of first testing modifications on a non-operational environment. Test instances are operated on a best-effort level during office hours, whatever the SLA for the basic service. This option has no particular KPIs. No reports are prepared for test instances. The availability of the instance will be monitored. MSS-WA-TEST is not offered until at least two operational instances have been procured. Copyright United Security Providers AG page 10/12

11 2.2.6 SMS Flat The SMS messages required for the SMS token are made available through this option. Name of the service option Abbreviation SMS Flat MSS-WA-SMS The service option is included on the basis of the number SMS messages included. The following numbers are possible: SMS SMS SMS SMS A predefined number of SMS messages is procured in advance through this option. The procurement of the SMS messages is not restricted in time. This option makes the costs for sending the SMS messages required easy to calculate. This option has no influence on the compliance with the SLA. The number of text messages sent are reported in monthly reporting. No additional measuring points are introduced for this option. No additional conditions of use. Copyright United Security Providers AG page 11/12

12 3 ADDITIONAL DOCUMENTS The present document describes the functional scope of USP's Web Authentication service. General information on the Service Level Agreement and on operation may be found in the additional documents. Service management and SL catalogue Services catalogue Price list This document contains all the information relating to the Service Level Agreement parameters. It defines the support processes and collaboration obligations, for instance, along with operating hours and availability guarantees. The services catalogue defines the operation tasks and the standard changes. The document also describes the processes by which the corresponding changes can be triggered in a qualified fashion. The prices of all services and options are laid down in the price list. 4 DISCLAIMER This document is the intellectual property of USP AG and may not be copied, reproduced, handed on or used for execution without its permission. Unauthorized use is punishable in accordance with section 23 in conjunction with section 5 of the Swiss Federal Act against Unfair Competition. This work is protected under copyright. The rights consequently justified, particularly of translation, reproduction, the use of illustrations, distribution by photomechanical or other means and storage in data processing systems, even in extract, remain reserved. The functions, data and illustrations described in this documentation are applicable with the reservation that amendment is possible at any time. They are provided for better understanding of the material, without claiming completeness and correctness in detail. The programs described in this document are only provided on the basis of a valid licence agreement with USP AG and can only be used in compliance with the conditions laid down in the licence agreement. USP's General Terms and Conditions shall apply unless higher-ranking provisions apply. Copyright United Security Providers AG. All rights reserved. Copyright United Security Providers AG page 12/12