Leveraging Authentication

Size: px

Start display at page:

Download "Leveraging Authentication"

Marvin Copeland
8 years ago
Views:

1 Leveraging Authentication Annual Workshop on Intelligence and National Security Cyber Security: Vulnerabilities at Home and Abroad October 28, 2009 Securing the Supply Chain Dennis McCallam Principal Architect, Security NGIS Technical Fellow Northrop Grumman

2 The authentication value proposition We must look for consistency. Where there is want of it we must suspect deception. Authentication Consistency All facets of the data seem to match (Joe is on vacation, not in the plant, not on the interior network, on the portal) Authentication Inconsistency Something is out of line (Joe is on vacation, not in the plant, on the interior network, not on the portal)

3 Variety in Authentication Token 13 th Century Today Name William Wmcleve2 Location William of York Hard (Provisioned) Possession Medallion, sword, crest Soft Possession Password Password Appearance Hair/eye/height Facial scan Knowledge Secret Secret Provisioned laptop, key fob, BlackBerry Biometric Scar Retina, fingerprint Certification (3 rd party verification) Letter from king, with seal Medium assurance soft PKI certificate 3

4 Authentication Single factors Method/Artifact Self-registered User ID/Shared Password/User Id Biometric: no control on biometric initialization. IP Address Private Password associated with User ID Biometric: Trusted initialization local verification Site Key Biometric: Trusted initialization + central verification Trusted Medium assurance SW/ x.509 certificate One-time Password, Soft token RSA Hard token/pin Medium Assurance HW/x.509 Assurance Little or no trust Little or no trust Little or no trust Low Trust Low Trust Low Trust Medium Trust Medium Trust Medium Trust Strong Trust Strong Trust

5 Aggregation Results Strength and Resilience Aggregated Authentication Artifacts (examples) Active Directory Id and Password (AD/PW) Site key + AD/PW Enterprise medium assurance certificate + AD/PW (RSA) One Time Password + AD/PW Medium assurance certificate + pin +AD/PW Trusted medium assurance certificate + verified biometric + AD/PW Properly provisioned laptop + fingerprint + physical access

6 Provisioning: an Authentication Artifact Requires a vetted and certified trusted provisioning process User is vetted Provided with laptop serial #aa-tt, that is fingerprint enabled Certified/trusted examiner loads laptop TPM with user s fingerprint and locks it in User plugs into internal corporate network, swipes finger, is authentication no need for user id/password Why does this work? User was properly vetted by organization Laptop was specifically assigned to user Laptop only accessible by user and selected admins Fingerprint properly loaded and vetted serves as combination user id/password but is stronger Laptop is something you have and was specifically assigned to you (so it is something you have and to some degree something you know and are) Fingerprint is something you are

7 Government-industry partnership focused on mitigating risks related to compliance, complexity, cost and IT that are inherent in large-scale, collaborative programs that span national jurisdictions. To do international business, companies must balance the need to protect intellectual property (IP) while demonstrating willingness and ability to meet contractual requirements from government customers for auditable, identity-based, secure flows of information. Common Framework for Federated Collaboration Identity Management & Assurance: Data Protection: Facilitate Secure Collaboration:

8 Leveraging the A&D Supply chain Leverages business processes for the A&D Industry Reduced Supplier on boarding/network costs (benefit to both A&D and Supply Base) Accelerated time to value for supply chain management technology initiatives Enhanced Security through strong authentication Authenticated Assurance through access management TSCP TSCP A&D A&D Companies Companies discussing discussing Cost sharing for a supplier credential using TSCP specifications e.g. ECA s & Keyfobs Cost sharing for a supplier credential using TSCP specifications e.g. ECA s & Keyfobs

9 Thank you and any Questions?

Two-Factor Authentication over Mobile: Simplifying Security and Authentication

SAP Thought Leadership Paper SAP Mobile Services Two-Factor Authentication over Mobile: Simplifying Security and Authentication Controlling Fraud and Validating End Users Easily and Cost-Effectively Table