Secure Access Control for Mobile, Cloud, and Web Apps

Transcription

1

2 Secure Access Control for Mobile, Cloud, and Web Apps SecureAuth IdP is a revolutionary platform that provides flexible and secure access control through strong authentication, single sign-on, and user management in a single solution. Not only does it mitigate external attacks, it also offers flexible options for enterprises to create an improved experience for all end-users. Accept Identity verification is simple and effective with IdP. It can accept any ID, including all industry-standard, social identity providers, and in-house solutions. Once an identity is submitted to IdP, the system maps it to on-premises directories to extract the necessary information for authentication. Authenticate Our patented and versatile 2-Factor Authentication meets regulations for all industries and protects corporate data from external attacks. Risk analysis is also included in IdP, which increases your security posture with automated detection and challenge of questionable users. Assert Once authenticated, a security identity token for web, cloud, and mobile resources is asserted without any additional coding. Users can access virtually any present and future application securely from any device with a single set of credentials. Accept Authorize Analyze Authenticate Assert Mobile SAML/OpenID/WS-* Business Execution Software Oracle CRM Web Token X.509 Certificate Microsoft ASP.NET IDENTITY TYPE IdP can consume any enterprise ID and translate it into artifacts specific to any application. This allows users to employ only one set of credentials for all resources. User Login (Browser) SecureAuth Web SSO Token Third-party Web Token SAML / OpenID WS-Fed / Trust IWA (Kerberos) X.509 Certificate CAC / PIV Basic Auth Enterprises are not required to alter their pre-existing infrastructure because IdP can extract information required for authentication. This eliminates the need to duplicate or migrate the data stores already residing securely in your network. AD v3 LDAP MS-SQL MySQL DIRECTORY ODBC REST APIs Web Service ANALYSIS IdP includes risk analysis in its workflow to immediately respond to flagged users and events. It analyzes user login behavior for anomalies and challenges their identity if any are found. Device Type IP Address Location Domain Geo-velocity Browser Fingerprint Login History TOR / Robot Detection AUTHENTICATION PROTOCOL IdP offers over 20 different authentication methods, which are configured by you and enforced by us. X.509 SMS OTP Telephony OTP OTP Yubikey (USB) CAC / PIV Static PIN Help Desk Kerberos (IWA) Password NFC Mobile OATH Token PUSH And more In addition to post-authentication SSO, IdP enables logging and auditing of all actions from users, applications, and devices. Admins can record all events that transpire and use the data for compliance reporting. Text Syslog SQL AUDIT The SecureAuth IdP Appliance Integrates easily with existing systems Comes with: Hardened OS Embedded Web Server Data Store Connectors Pre-built Web Pages Packaged Encrypted Modules Web Service Client Connectors Physical appliance available as either standard or advanced model Virtual appliance available for the following platforms: VMWare Citrix Tel: ASSERT YOUR IDENTITY

3 2-Factor Authentication Secure and Flexible Authentication Solution IdP 2-Factor Authentication deploys quickly and integrates into current infrastructures, utilizing data from established directories. IdP pulls the necessary information from the enterprise data store that corresponds to the user s profile to validate the identity without storing or moving profile information to the cloud. Please choose the delivery method for your registration code. Voice SMS Customizable Authentication Enterprises are given full control of their security configurations. They can designate access to individual users, groups, devices, or applications; and can choose from over 20 different authentication mechanisms, including SMS, Telephony, and OTPs, Device Fingerprinting, and PUSH Notifications. Admins can also design authentication workflows that evaluate various risk factors (contextual authentication). By simply modifying the parameters using the SecureAuth GUI console, an administrator can customize the access control workflow for the various corporate resources, whether cloud, mobile, web, or network-based. Flexible Workflow Integration Multi-factor Authentication 20+ Forms of Authentication Mobile or Desktop (BYOD) Cloud, Mobile, Web, Network No Coding Required GUI Drop-downs No APIs Authentication Mechanisms OTP: One-time Password A one-time password delivered via Short Message Service, Telephonically, or to the phone number or address recorded in the user s profile. Static PIN A personal, unchanging PIN code. Yubikey (USB) A USB key that plugs into a user s device and transmits a one-time passcode to the device. Password A user s known password. KBA/KBQ: Knowledge-based Authentication Knowledge-based answers/questions that are stored in the user s profile. Kerberos (IWA) A desktop SSO system that uses Microsoft s Active Directory. X.509 Certificate An X.509 certificate that is placed in a device s builtin OS certificate store (native) or in a browser s Java certificate store (Java). Help Desk A one-time password delivered by the help desk after verifying the user s identity. PUSH Notification A one-time password delivered to a user s preregistered mobile device (smartphone, tablet). Flexible Configuration Options ID + PW ID + 2FA + PW ID + 2FA + 3FA + PW ID + Device ID + Device + PW ID Token (SAML, OpenID) ID Token + 2FA ID Token + 2FA + PW Flexible Persistency: Device Fingerprinting A patent-pending process in which IdP pulls unique characteristics from a device and then maps that identifying value to the user s profile. This enables frictionless subsequent authentications for mobile or desktop users. Social ID A form of user authentication that uses data from social identity providers, such as Facebook, LinkedIn, Twitter, and Google. Federated ID A token that is issued in a trusted language (SAML, WS-Fed, OAuth) that validates the user s identity without transferring password information. NFC Object Any object that utilizes Near Field Communication for information regarding the object s identity, like cards or tags. Smart Card Cards such as CAC/PIV Cards, NFC Proximity Cards, NFC MiFare Cards, Entrust IdentityGuard Gridcards, and HID Cards. OATH Token A time-based one-time OATH password generated on a user s mobile device, browser interface, desktop, or from a third-party provider. Can be hardware- or software-based. Symantec VIP Symantec s cloud-based VIP service used for authentication into a SecureAuth-protected resource. Device Fingerprinting Desktop/Mobile Mobile/Desktop X.509 Certs Java Certificates 2FA based on Data Stores AD, v3, LDAPs, SQL ODBC, REST APIs, Web Services Risk-based Authentication for Internal/External Desktop/Mobile Group, Country IP Address User Self-services 2-Factor Enrollment Password Reset

4 Analysis Complete Access Control Solution Automated Responses IP Reputation To enhance the security of access control, SecureAuth has included risk analysis feature into its latest release. IdP s analysis includes four factors that work together to mitigate attacks and to automate an organization s desired response. IP Address IP Reputation Group Membership Geo-location / Geo-velocity Each of the four analysis elements can be enabled and configured independently along with their responses. The automated responses to an analysis failure include URL redirection, 2-Factor Authentication, or hard stop. SecureAuth s risk analysis data and responses are all logged for reports and audits alongside other authentication events to continually maintain security and to mitigate potential attacks. RECOGNIZED LOCATION UNRECOGNIZED LOCATION Utilizing a real time threat intelligence service, the user s IP Address is examined and a risk score is returned based on various criteria. Administrators can set risk thresholds, which determine what the acceptable risk should be for that particular application. The options are low, medium, high, and extreme. USER S DESKTOP USER S LAPTOP UNKNOWN DEVICE Please choose the delivery method for your registration code. IP Address The first level of analysis concerns the IP Address. This immediately determines whether the user is working from a recognized IP address and whether they are currently in the network or accessing the resources externally. Group Membership The step following IP Reputation (right, above) in the analysis works with the user s existing group membership information. Here, administrators can allow or deny access to an application based on the group list provided. Geo-location / Geo-velocity Using the IP Address to calculate the user s current coordinates, IdP can compare the current log-in attempt s time and location with the previous attempt. Based on the acceptable velocity that the administrator defines, users that normally log in from California can be prevented access from Russia one hour later. Voice SMS SecureAuth Analysis Included in IdP IP Address, Group Membership, Geo-location / Geo-velocity Integrate with Third-party Sources IP Reputation Automatic Responses 2-Factor Authentication URL Redirection Hard Stop Configurable By each Feature For each Realm / Workflow Over 40 Different Items Included in Analysis CnC, Bot, Spam, SpywareCnC DDoSTarget, Brute_Force IPCheck, Compromised Mobile_Spyware_CnC, others

5 Single Sign-on IdP for Access to All Resources IdP provides revolutionary Single Sign-on (SSO) capabilities without thick clients or third-party tools to enterprise cloud, web, network, and even native mobile applications. IdP combines strong authentication and SSO in a single solution, ensuring secure access control no matter the target and subsequent resources. Having one login for all applications is not only user-friendly, but it also simplifies and secures the application deployment lifecycle, therefore reducing maintenance costs. Full and Secure Identity Assertion No matter where corporate resources lie (cloud, mobile, web, or network), IdP can assert authenticated identities to them without requiring additional logins. IdP includes a Security Token Service (STS), which consumes the ID and transforms it into an appropriate artifact in which to communicate with applications (e.g. SAML, OpenID, WS-Fed, OAuth, etc.), and works as a turnkey to continually generate the appropriate token for all applications. Uniquely, IdP enables SSO to native mobile applications, using the same ios, Android, or Windows apps that users already know and understand. Instant and Simple Integration IdP easily integrates with existing infrastructures, including user data stores. The information from the stores is used to authenticate the user, and then that authenticated ID is asserted to the target application(s). IdP creates an SSO token to the relying party; and can then authorize SSO into additional apps. IdP SSO can be enabled for any corporate app, whether it is in your network or on external devices. SSO from IdP to: Cloud Applications Mobile Applications Web Applications Network Resources No Coding Required: No APIs, No Agents ID Assertion via SAML, OpenID, WS-Trust, etc. No Thick Clients Required Generates SSO Token: Security Token Services (STS) GUI Selected SSO Enabled by: Individual User, Group Application, Device App-to-App SSO: Web App -- Cloud App Cloud App -- Mobile App Mobile App -- Mobile App Integration with Popular SaaS Apps: Salesforce Google Apps WebEx SuccessFactors Workday, and more Web Apps:.NET J2EE SharePoint WebSphere, and more Mobile Apps: ios, Android Windows, Blackberry One Password; Any App The list of application protocols with which we operate is massive. Through IdP, your business can continue to work with your existing applications and ensure integrations of future additions.

6 for Mobile The Ideal Mobile Solution IdP for Mobile enables 2-Factor Authentication through a variety of mechanisms and single sign-on to web, cloud, and native mobile applications without requiring any hardware or thick clients. With IdP, employees, partners, contractors, and customers can securely access corporate applications from their personal devices without relinquishing control or the convenience of mobility. SecureAuth solves the dilemma of native application and mobile device integration by deploying into existing infrastructures, making this solution is ideal for enterprises that deploy mobile applications to large populations of users, such as banking portals. SecureAuth is checking your browser for a user credential. Restart Login Device Fingerprinting IdP Device Fingerprinting allows users to securely work on anything by utilizing the uniqueness of each device as a fingerprint. It is 100% browser-based and works with the device that the user already owns, but enables enterprise control over the user s access. Device Fingerprinting not only pulls device information, it also tags each device with a unique identifier. These two mechanisms are then combined to ensure that the device is registered to a specific enterprise user. For subsequent authentications, IdP scans the device and if recognized, Device Fingerprinting is utilized as the second factor. Risk-based Authentication for Mobile Users IdP 2-Factor Authentication is flexible and secure, but it can also be stepped up for remote access or for unrecognized devices. Mobile users will experience the same look and feel as those on desktops, but organizations can also implement 2-, 3-, or even 4-Factor Authentication to ensure protection outside of the secured network. IdP for Mobile can be deployed on any ios, Android, Windows, or Blackberry device. Users can employ their personal devices and because of IdP s user self-service, they can enroll their own device, provision their own account for 2-Factor Authentication, and even revoke access from a device if lost or stolen. This is a public computer This is a private computer User ID: Registration Code: C Please choose the delivery method for your registration code. Voice SMS PUSH Please enter the password associated with your User ID. User ID: Password: Single Sign-on to Native Mobile Apps Through IdP s Mobile Applications Management, SSO to native mobile apps is achieved without any rooting or MDM required. By simply incorporating the IdP code into an application, organizations can enable strong authentication and SSO to and between mobile apps without burdening the user experience. Not only can users achieve transparent SSO between mobile applications, but IdP also enables SSO to web and cloud applications from mobile devices. The same security is extended to all resources with IdP SSO and end-users will appreciate the convenient workflow. Enterprise-grade Security and SSO to Mobile Apps ios, Android Windows, Blackberry Smartphones, Tablets 2FA and SSO based on: AD, v3 LDAPs, SQL, ODBC, REST APIs SSO to Native Mobile Apps No Rooting or MDM for Devices Full Enterprise Integration: Multi-Factor Authentication Single Sign-on Federation to SaaS Apps Device Fingerprinting Device Fingerprinting authentication for all enterprise deployments Supports all desktop and mobile devices Deployed without any thick client or download Ideal for B2C and BYOD environments Integrates with Existing Infrastructure Active Directory, LDAP, SQL Fully Integrated Authentication System 2-Factor User Registration Configurable Device Duration 1-Touch Device-based Revocation Integration to All Platforms

7 Identity Management Services Identity and Access Management Made Simple IdP enables full enterprise control of identities and access, which ensures security and lowers administration costs. Enterprises can configure their own authentication and SSO workflow based on users, groups, devices, or applications. Also within the Identity Management suite, admins can utilize numerous tools, including: Help Desk User Management Create User Audit Reporting of Authentication Events Meets Stringent Compliance Regulations X.509 Services 2-Factor Authentication Provisioning Native Certificate Revocation (1-Touch Revocation) Portal Page Mobile App Store Offered in both IdP s on-premises and cloud services are X.509 services, including: User Certificate Provisioning Device Certificate Provisioning User Certificate Validation User Certificate Revocation IdP has a powerful IdP-to-cloud ecosystem that allows an enterprise to create an X.509 certificate based on enterprise IDs and then have a user conduct a self-registration involving integrated SecureAuth 2-Factor Authentication.* Not only can an admin create certificates without knowledge of PKI, but they can also revoke certificates from the native directory without the use of archaic CRLs and OCSPs. Successful Authentications Failed Authentications /10/14 01/09/14 01/08/14 01/07/14 01/06/14 01/05/14 01/04/14 01/03/14 01/02/14 0 Phone SMS Successful Authentications (per hour) Hours Logging and Auditing IdP provides appropriate event reporting that deploys easily into the existing infrastructure. IdP meets the most stringent compliance regulations for various industries: Retail Financial / Banking Law Enforcement IdP s multi-factor authentication, secure federation, and logging and reporting capabilities are suitable for all compliance standards, including: PCI DSS NCUA FFIEC Healthcare Government CJIS / GFIPM HIPAA / HITECH IdP enables organizations to log, audit, and report all authentication events, from identity acceptance to identity assertion. SecureAuth supports PKCS #12, PFX, SCEP inbound, SCEP outbound, WSE3, BKS, DER, and CAC/PIV PKI standards; and the X.509 certificates can be used for: Validation to Web, Cloud, Mobile, and Network Resources VPN/WiFi Authentication X.509 Services For Both On-premises and Cloud Services Certificate Provisioning, Validation, and Revocation No CAs, CRLs, or OCSPs Required Easy-to-use GUI Admin Console No Coding, Third-party Tools, or Specialized Training Required. Logging and Auditing Meets Compliance Regulations PCI DSS, FFIEC, NCUA CJIS / GFIPM, HIPAA/HITECH, etc. Syslog, Text, SIEM, SQL Log of All Authentication Events 1-Touch Revocation of Certificates, Access, and Device Registration *U.S. Patents 8,301,877; 8,468,340; 8,613,067; and other approved patents. App Authentication MDM Registration Data Encryption Mobile App Store Easy Access to Corporate Apps ios and Android Devices Control Visibility and Download Access by User / Group Easy to Add and Manage Applications Personalized Interface with Company Logos and Preferred Designs Mobile App Store The IdP Mobile App store can be deployed on ios and Android devices to provide easy downloads of necessary corporate applications. Admins can control security and access to applications within the store by making them only visible and downloadable to specific users or groups. Mobile App Store Corporate App Corporate App Corporate App

8 User Self-service Lower Costs and Help Desk Calls IdP provides user self-service that removes timeconsuming procedures from admins responsibility and enables more self-control over user profiles. To reduce costs and unburden help desks, IdP enables user: 2-Factor Enrollment and Provisioning Profile Maintenance Self or Device Revocation Password Reset Easy Password Reset Traditionally, when users passwords have been forgotten or compromised, corporate time and money has been wasted to reset them. With IdP, not only can users self-enroll for 2-Factor Authentication, but they can also reset their own passwords at any time. The process to reset passwords is very simple: Self-service Console From the IdP portal or the enterprise portal, users select Reset Password IdP prompts the user for his/her username The self-service console is easy to use and accessible only after successful 2-Factor Authentication to ensure security. Users can enroll themselves into 2-Factor Authentication based on the existing profile information and the mechanisms chosen by the organization. Enterprises dictate which authentication mechanisms can be employed, and users then set up and maintain their profiles. Users can also update their profiles with current phone numbers, addresses, static PINs, and knowledge-based questions and answers; and can keep track of their registered devices and instantly revoke them in the event of compromise. A 2-Factor Authentication mechanism is then chosen by the user Any of the 20+ Authentication Mechanisms can be utilized for this process Once authenticated, the user can create a new password Many solutions enable password reset with question and answers only, but this can be problematic and insecure. By leveraging our flexible 2-Factor engine, users can employ stronger methods of authentication to ensure password security.

9 What s New ACCEPT AUTHORIZE ANALYZE AUTHENTICATE ASSERT - Resource Types AirWatch AWS Concur Juniper Office 365 Salesforce Workday SharePoint Dropbox ASSERT Google Apps IdP Configurator The visual IdP Configurator makes configuring each workflow as easy as the workflows themselves are for endusers The IdP Configurator guides administrators through application configuration, using the 5 A s of SecureAuth s funnel: Accept, Authorize, Analyze, Authenticate, and Assert. By using simple drag-and-drop movements alongside preassembled templates to design each realm, configuring IdP has never been easier (or more attractive). Transformation Engine IdP now includes dynamic post-authentication attribute transformation to map manipulated data to resources. With this feature, information that is missing from the data store or that require calculations for specific applications can be added to a user s post-authentication token for appropriate assertion, resulting in a delivery of a single token to the consuming application. This reduces the amount of information stored in directories and management of user profiles. Account Provisioning and Synchronization This is a time-based provisioning mechanism that synchronizes user identities from the local databases to external repositories, like Google Apps, Workday, and Salesforce. Administrators can create or update a user in the local directory and have that information provision an associated identity to the cloud repository. Most importantly, when administrators delete users from the local directory, the usernames will automatically be removed from the other resources, thereby immediately disabling all access. 2-Factor Login for Windows OAuth 2.0 and OpenID Connect SecureAuth has built into IdP full support for OAuth 2.0 with OpenID Connect, enabling IdP to be an OpenID Connect Provider and an OAuth 2.0 Authorization Server. The combined support of OAuth 2.0 and OpenID Connect creates a more trusted relationship between IdP and relying parties with JSON Web Tokens ( JWTs ), while utilizing the flexibility of the protocol framework. IdP acts as the Authorization Server in the relationship, authorizing, authenticating, and then generating trusted access tokens for the purpose of accessing secured resources, such as APIs. Both two-legged and three-legged OAuth flows are supported, as well as the four authorization grant types: authorization code, implicit grant, resource owner password credentials, and client credentials. Username Password OTP Log on to: SecureAuth For Windows Vista, Windows 7, Windows 8, Windows 2008, and Windows 2012 operating systems, users can employ 2-Factor Authentication for initial login as well as to unlock the system. Using SecureAuth s mobile and desktop, and third-party OATH tokens, users can secure their devices via low-friction authentication. IdP via OAuth 2.0 with OpenID Connect enables organizations to assert identities securely to OAuth 2.0 and OpenID Connect native and mobile applications in the same trusted manner as with SAML or WS-Federation.

10 SecureAuth Corporation About SecureAuth SecureAuth is a technology leader, providing 2-Factor Access Control for hundreds of customers and more than 10 million users worldwide. SecureAuth s Identity Provider (IdP), winner of numerous awards and named Network World s best authentication product, uniquely delivers multi-factor authentication and single signon together in a powerful solution for mobile, cloud, web, and network resources without the requirements of supplementary components or add-ons. SecureAuth delivers on the vision of Security as a Productivity Enabler in every deployment by providing a streamlined workflow of secure access to corporate data from any device. The company has consolidated all key components: engineering, product management, support, sales, and executive in its Irvine, California headquarters, resulting in numerous patents, major customer wins, and the highest ranking customer service, acknowledged by both Forrester and Gartner. For the latest insights read the SecureAuth Blog, on Twitter, or visit Visionary Vendor 2013 Magic Quadrant for User Authentication Positive Rating 2013 WAM Marketscope Analysts and the Media Agree SecureAuth has been honored with numerous awards, U.S. patents, and recognition from major analyst groups, including Gartner and Forrester. #1 in Customer Satisfaction Fastest Growing Company 2012 SecureAuth IdP - Best Mobile Identity, Safeguard & Security Product SecureAuth Top 100 Info Security Products Guide Winner Best Authentication Solution Best Single Sign-on Solution 2012 Winner for Favorite New Product - Security Solution SecureAuth: One of Fifteen Solutions to Watch SecureAuth IdP Awarded 5 Stars from SC Magazine 2013 & 2014 Over 10 million users assert their identity on cloud, mobile and web with SecureAuth IdP SecureAuth IdP wins test of 8 software-based authentication systems

11