Single Sign-on and Biometrics

Transcription

1 F. Wildbergh Single Sign-on and Biometrics Introducing into the organization

2 Introduction Frédéric Wildbergh Responsible (amongst other) for Business Continuity Management of the ING Financial Markets and Support departments in Amsterdam BCM is part of Business Quality & Control With ING since 1990 Experience in various areas of Operations and IT in Netherlands, Europe and Latin- America ING is one of the world's largest financial services companies, offering banking, insurance and asset management in over 50 countries

3 Setting Dealingroom environment - Critical environment for any financial institution - High volume transactions ( ) - Time critical - Many different products: FX/MM, Bonds, Derivatives, Equities, etc. - Many different customers: Banks, Corporates, Internal With an IT infrastructure supporting - Many different systems & applications > Including Legacy applications Tight control requirements Security increasingly became a problem - Users have to manage too many passwords

4 Problem - Manage application access Post-it s & manual password resets Easy passwords Password policy is not always sustainable in legacy applications Systeem ID Wachtwoord Pinnacle JansenJ geheim01 02 UrsuMayor JanJ Geheim01% 02% Acropolis JanJansen Geheim123 Security organization needed to support time critical activities Difficult to obtain consolidated overview of all applications in use per staff?

5 Solutions Continue as is: Continuing with non-compliant application access is not allowed Adapt all legacy applications: Is not realistic (feasibility, timelines & development budget may be an issue) Access management We chose a Single Sign-on solution with biometric authentication - The idea of having a User-ID and a secret password is to prove a certain individual at the computer is indeed the intended authorized person to access a system - But what better proof than using unique characteristics of this person (a fingerprint)? - The benefits are obvious (easy, support, overview) - CA etrust SSO combined with BioKey allows to access applications by a fingertip s touch

6 Business needs are addressed SSO increases IT security around a concentration of high-risk applications Addresses irritations from password policy & working comfort to front office users Gives a relatively fast & cheap way of ensuring the (legacy) applications meet password requirements Solve audit findings and SOx deficiencies Increase efficiency through automated application logon using fingerprint readers Increase efficiency through automated password resets As passwords are managed by SSO, passwords can t be forgotten It decreases the need of Security Operations staff (cost savings through less maintenance of passwords) Improved Operational Risk score because of increased control and solving audit findings Not realizing SSO would mean that identified risks need other mitigating controls (particularly investments in application development)

7 Implementation aspects Enrollment SSO is high risk application too Change management Readers in other offices (Needed? No!) Event logging & monitoring Business Continuity / Disaster Recovery Convince business owners - Need for SSO - Cost - Concerns about availability locally (and worldwide) - Concerns about application functionality - Technology - Privacy

8 Functionality best of both methods User action User action biometrics 1 Manual logon Application in SSO still allows the use of normal credentials Applications not in SSO require normal credentials CA etrust SSO User action User action Script Script Script Script Manual UID & password Manual UID & password Application Application Application Application Application Access via SSO, passwords unknown to users Access via SSO, or direct with from locations without SSO Direct access, passwords managed by users

9 Architecture - failsafe SSO + fingerprint becomes the master key to end-user s applications - Failsafe solution therefore required Dealingroom Server (prod) Synchr. Server (fail-over) Disaster Recovery dealingroom Network Synchr. Server (Disaster Recovery) Any location compatible to dealingroom

10 Questions