ENTERPRISE SECURE IDENTITY IN THE CLOUD WITH SINGLE SIGN-ON AND STRONG AUTHENTICATION

Transcription

1 ENTERPRISE SECURE IDENTITY IN THE CLOUD WITH SINGLE SIGN-ON AND STRONG AUTHENTICATION Giuseppe Paternò, Director of MAKING THE CLOUD A SAFER SPACE

2 ABOUT ME IT Architect and Security Expert with 20+ years background in Open Source and Cloud (OpenStack, OpenNebula,...). Former Network and Security architect for Canonical, RedHat, Wind/Infostrada, Sun Microsystems and IBM and Visiting Researcher at the University of Dublin Trinity College. Past projects: standard for J2ME Over-The-Air (OTA) provisioning along with Vodafone, the study of architecture and standards for the delivery of MHP applications for the digital terrestrial television (DTT) on behalf of DTT Lab (Telecom Italia/LA7) and implementation of HLR for Vodafone landline services. Lot of writings, mainly on computer security. CTO and Director of GARL, a multinational company based in Switzerland and UK, owner of SecurePass and SecureAudit.

3 IT security products and virtualization services focused on identity protection on the Cloud. Born from Symantec, conducting pentest and vulnerability assessment on their behalf in EMEA Extensive OpenSource experience and large-scale Open Source projects such OpenStack, OpenNebula,... Most of the customers in finance and telco operators MAKING THE CLOUD A SAFER SPACE HQ based in Switzerland (Lugano and Zurich) and office in London. User privacy is protected by strict Swiss privacy regulations, no UE or US exceptions allowed.

4 THE CLOUD IN THE ENTERPRISE It s easy to span new instances (often) it takes less time than internal IT to have a virtual machine Great for prototyping and then they bring it into production Might have discounts from HW/SW vendor (especially HP Cloud, Azure,...) Some applications are outsourced (eg: SalesForce,...) Small software suppliers prefer to sell software-as-a-service

5 WHAT HAPPENS IN REALITY Applications and instances are out of control Not always possible to enforce IT security policies Each application have its own username/ password Prone to identity frauds and bruteforce attacks Can t have a central point of control

6 62% Increase breaches in 2013 (1) TOO MANY THREATS 2,5 billion exposed records as results of a data breach in the past 5 years (5) 1 in 5 organizations have experienced an APT attack (4) 3 Trillion$ total global impact of cybercrime (3) 8 months Is the average time an advanced threat goes unnoticed on victim s network (2) 1,3,5: Increased cyber security can save global economy trillions, McKinsey/World Economic Forum, January : M-Trends 2013: attack the security gap, Mandiant, March : ISACA s 2014 APT study, ISACA, April Source: ISACA Cyber Security Nexus

7 THE CLOUD CONTROL Cloud Orchestrator 2FA/SSO Hosted Apps

8 SECUREPASS FEATURES 3-in-1 identity management for maximum security in cloud and internet services: One Time Password Identity Management Single Sign-On Strong authentication: no more passwords to remember but one time password generated by a token. Identity management: manage users and group lifecycles from a control panel Single Sign-On: SecurePass recognize users for every application or network integrated

9 CENTRAL IDENTITY MANAGEMENT SERVICE FOR ALL DISTRIBUTED APPLICATIONS AND FIREWALLS OTP is built-in and mandatory, the way around of standard services - OTP generated on mobile and hardware tokens - Ensure the protection against brute force password attacks Works out of the box with all VPN/SSL VPN software Works with Web applications with little or no effort Works with corporate SaaS applications like SalesForce and Google Apps Works with virtualization software such as Citrix XenApp, VMWare Horizon/vCloud & more...

10 SECUREPASS IS OPEN Open protocols: RADIUS, LDAP, CAS and SAML Seamless integration: works out of the box with more than 98% of the software Clients and APIs available on GitHub Python, Java, PHP, C# NSS Plugin for Linux Apache Plugin Plugin for popular CMS Wordpress, Joomla & Drupal

11 GARL WORKS UPSTREAM TO ENSURE MAXIMUM Modules are now upstream in the main Linux distributions: - Debian Jessie - Ubuntu Vivid Vervet - Builds tested & available for Fedora and RHEL/CentOS - In talk with SuSE COMPATIBILITY Python modules available in the Python Installer (PIP)

12 WHY SECUREPASS IS SECURE 3 high-secure high-speed datacenters with business continuity in different networks. High-encryption and best practices as deployed in standard military environments. Core keys in a secret location, former Swiss military premise, resistant up to 10 megatons nuclear attack. Only few people has keys to access the data in the production environments and their identities is secret also to any member of GARL staff, including the board itself. Processes to revoke the above keys if one of the administrator is leaving the company or under any personal threat. Emergency procedures and legal coverage against attack targeted to GARL. PCI-DSS and ISO 17799/27001 compliant. SecurePass do not deal with your data In no case we will be handling your application data and we won t be even able to understand what kind of application or device is behind the login process. All GARL services are covered with an insurance policy with a premier Swiss-based multinational that will be able to refund up to CHF per incident. With special agreements, GARL is able to cover up to 5 Million CHF per incident (ask for update).

13 CASE STUDY WITH ING DIRECT RSA VS. SECUREPASS 100 Financial advisors access to European leasing system % difference Replacement of RSA 2 factor solution, more than 70% of savings 0 TIME COST MTN IBM labs created plugin for IBM Websphere portal RSA SecurePass

14 GARL IS NOT ONLY SECUREPASS Password manager for teams with delegation Strong authentication and identity management for cloud and internet services BANK OF PASSWORDS Secure storage for backup to comply to industry s regulations Secure Data VULNERABILITY ASSESSMENT Network security assessment up to 8 public IP Secure data collection app to your centralized server Build a virtualization service on standard hardware without licence Tailored security audit for web app, network, VPN and devices

15 CUSTOMERS PARTNERS

16 Q&A