Usher: a comprehensive enterprise security guide


TABLE OF CONTENTS

Introduction
  Logical access controls
  Physical access controls
  Identity authentication solutions
Chapter 1: Components of an enterprise security deployment with Usher
  Mobile credentials (Usher Security)
  Usher badge
  Time-limited Usher codes
  Validation panels
  Digital keys for physical access
  Sight code panel (only available in SDK)
Chapter 2: Badge security and configuration
  256-bit AES encryption of user attributes
  Integration with Touch ID
  Offline capabilities
  Add a badge from deep link in email
  Badge information
  Upload profile image
  Remove a badge locally
  Badge recovery
  Image caching
  Encrypted access tokens for authentication
  Offline Usher code generation
  Encrypted X.509 PKI certificates
  Out-of-band identity transmission
  Encrypted channel for data transmission
Chapter 3: Network management
  Network creation
  User management
  Usher agent for Active Directory
  Network administrators
  Badge management and design
Chapter 4: Authentication and access
  Logical access and methods
  Physical access and methods
  Behavioral-based conditions/fencing
  Extension to Apple Watch
Chapter 5: Workforce productivity with Usher Professional
  Discovery views
  User profiles
  Search capabilities and saved groups
Chapter 6: Intelligence and reporting with Usher Analytics
  Interface
  Transaction logs
  Pre-built dashboards
Chapter 7: Usher server
  Server architecture
  Server components
  Common library and tools
  Server deployment
  Deployment architectures
  Secure Cloud
  Certifications and controls
  FIDO certification
  Systems
  Current server environment (multi-tenant)
  Operations
  Technology
  Monitoring
  Maintenance
  Security operations
  Vulnerability management
  Event logging and auditing
Chapter 8: Custom implementation (SDKs)
  Mobile SDK workflows
  Usher as a mobile app authentication mechanism
  Usher as an enterprise SSO provider
  Usher as a step-up authorization provider
  Usher as a peer-to-peer authentication provider
  Mobile SDK
  Server-side SDK
  Platform RESTful API
  Physical Access Control System API
Chapter 9: Deployment scenarios
  Higher education
  Federal government
  International airport
  Financial services
Chapter 10: System requirements
  Up-to-date documentation links
  Recommended production configuration
  Development and pilot configuration
  Usher Professional and Usher Analytics
  Usher physical gateways
  Usher evaluation edition license keys

Introduction

The threat of industrial espionage today is all too real; it seems that every day another company's confidential information is hacked, and the cost of these security breaches is escalating at an alarming rate. According to a study conducted by the Ponemon Institute, the average cost of an information security breach to a U.S. company is $3.5 million; this figure doesn't even include the mega-corporations who were most recently the victim of an attack. What the Ponemon figure also doesn't represent is the post-attack cost to a company's reputation. We all know public trust is a key requirement for revenue and business continuity. Reputation can be a company's biggest value driver, or its worst enemy. For one highly visible retailer, the latter came true in This name-brand retailer estimated that in Q2 2014, the costs associated with their security breach exceeded $148 million. Forrester Research Analyst John Kindervag suggests that over time, those costs could eclipse $1 billion. The moral of the story: your information is too valuable to be protected by traditional and outdated security measures.

As a result of these trends, businesses of all types are making 2015 the year of information security, or InfoSec. MicroStrategy has identified three crucial types of investments in the field of identity and access management (IAM) and advanced authentication (AA) and built all three of them into a single security offering, Usher. This Usher product guide addresses industry issues as well as capabilities, security details, and use cases.

Investment 1: Logical access controls

Logical access controls ensure only appropriately credentialed employees have access to your workstations, applications, and information networks. Unfortunately, at many companies, employees across the organization have unhindered access, typically resolved by controlling access via passwords. Here's an alarming statistic: 76% of all cybersecurity breaches are caused by weak or compromised passwords. Equally striking, it costs your firm anywhere from $51 to $147 every time someone needs a password reset. This cost is driven by the number of calls your help desk fields exclusively for password resets (Fact: 30% of all help desk calls are a result of forgotten passwords). Standard logical access controls like passwords are surprisingly expensive to your firm even without a breach. By relying on passwords, your organization is leaving itself vulnerable to even greater costs, as passwords are easily hacked by internal and external threats alike.

It is critically important for your organization to secure its sensitive information using effective logical access controls. Essentially any access control utility that relies on simple data entry (including passwords, PINs, and knowledge-based questions) is not enough. Security measures like these cannot account for the person inputting the data. Much like physical security platforms, logical access platforms must leverage the person's true, non-replicable identity.

Investment 2: Physical access controls

Most companies utilize various forms of physical locks and keys for access control; these solutions have obvious weaknesses. These weaknesses do not, however, stem from the solutions themselves. Rather, they are the result of the user. Studies have shown that the top threat to an organization's data is its own employees. In fact, it has been reported that 69% of serious organizational data leaks are caused by employee activities, both malicious and non-malicious in nature.
With activities of malicious intent, these leaks are often a result of employees physically accessing server rooms and devices that contain sensitive information. In these situations, physical access controls are either abused or, even worse, non-existent. usher.com 6

The most infamous information security hack of 2014 is a poignant example of failed physical access controls. According to the hacker group responsible, they were able to obtain their victim's private information by leveraging employees on the inside with physical access to the target network. If this is true, it implies employees physically injected a virus into the network that enabled the hackers to access their victim's data remotely. Additionally, if the hacker group did in fact leverage employees, then it will be very difficult for the victim to recover fully. As CSO Online points out, physical security related breaches are hard to contain and recover from because evidence can be tampered with or simply removed.

What makes this story even more worrisome is that the employees were said to have similar interests to the hacker group. No organization wants to believe their employees are capable of being adversarial. However, it is nearly impossible for an organization to prevent the possibility of a bad egg; there's always the risk of a disloyal or embittered employee attempting an information security breach. When this happens, it is critically important that your company has suitable physical access controls to prevent a breach.

So what can your organization do to prevent a physical security-related attack? Most importantly, consider how your employees currently access your physical computer network environment. Is it with the turn of a key? Is it an electronic key fob? Is there an actual guard standing at the door? All of these methods lend themselves to human error. Physical keys or key fobs can be lost or stolen. A guard can mistakenly grant access to an unauthorized person. Every organization needs a physical access control solution that authenticates individuals based not only on something they have (such as a key, key fob, or physical badge), but also on something they know (like passcodes and PINs), and something they are (biometrics). From the user's standpoint, the access tool needs to be difficult to lose, steal, and replace.

Investment 3: Identity authentication solutions

As greater emphasis is placed on improving physical and logical access controls, it becomes increasingly important to manage these controls centrally. Information security is simply too important to be directed by individual departments. Distributed ownership leads to unclear accountability, making it difficult to identify security vulnerabilities and breaches without a single unified platform. This trend toward centralized administration is called converged access management (CAM). CAM is the ideal that every organization must strive to achieve. However, CAM is all but impossible to achieve when employees are forced to use different forms of identification for different types of authentication purposes. If employees use a physical badge to gain physical access and a password to gain logical access, it is highly likely that separate administrators manage each type of access. Organizations in this position sacrifice both efficiency and security.

To guarantee the best protection, organizations must adopt a single, comprehensive identity authentication solution. For employees, this means a single authentication tool that is simple to use. For administrators, this means an authentication platform that is difficult to defeat and doesn't require a specialized skillset to manage. And crucially, the identity authentication solution must provide comprehensive threat monitoring and analysis.

Chapter 1: Components of an enterprise security deployment with Usher

Mobile credentials (Usher Security)

Mobile security badges allow enterprises to replace outdated methods of authentication such as passwords, ID cards, keys, and security tokens, with a mobile app. Mobile security badges are a more secure solution because they offer multi-factor authentication, dynamically changing codes, encryption, telemetry, geo-fence controls, time-fence controls, and biometrics, all running on a single instance on mobile devices.

[Figure: Employee Badge screen. Swipe up for additional profile information; swipe left and right for additional badges. Tabs: Badge, Keys, QR Code Reader, Settings.]

Usher badge

The badge is the center of the Usher user experience. Badges are uniquely branded for a given enterprise and present publicly viewable information like name, title, and a photo. Users can have multiple badges in the same app, and simply swipe left or right to switch between them. Locally on the mobile phone, the Usher badge stores nothing more than basic user information (such as name, title, and photo), an access token that authenticates the user, and an X.509 PKI certificate that identifies the smartphone to the server as an Usher-enabled device.

Usher badge data:
User attributes: Only a simple, descriptive part of the identity is stored on the phone
Picture: A photo of the user for visual identification
X.509 PKI certificate: An X.509 PKI certificate ensures that only Usher identities are authenticated
Access token: An access token for authentication of the user

The Usher mobile app stores data on the smartphone in an encrypted format.

Time-limited Usher codes

Usher acts as an extension of a user's identity and communicates that identity to a wide range of devices and systems within the enterprise, including watches, phones, tablets, computers, systems, and doorways. It does so using three different methods:
1. Usher codes: human-readable time codes of 4 to 8 digits that expire every 60 seconds or other configurable time period.
2. QR codes: machine-readable, dynamic QR codes for scanning that expire every 60 seconds.
3. Bluetooth signals: Bluetooth low energy (BLE) signals that can transmit and detect Usher users in close proximity using very low power consumption.

Prior to Usher, personal identity validation was limited to two imperfect systems:
1. The low-cost, low-security system that uses laminated pictures on official looking cards, which are easily forged, stolen, or counterfeited.
2. The high-cost, higher-security solution that provides electronic validation using dedicated biometric readers or smartcards with card readers or sensors.

With Usher, users enter time-limited Usher codes into their Usher badge's user validation panel to verify the identity of other users. After the pre-set time period expires, each code is refreshed and replaced with a newly generated code. The previous code is rendered invalid and can no longer be used. All Usher codes are linked to a specific device, enabling the server to precisely identify the device being used. This architectural design ensures that the security risk associated with stolen Usher codes is minimal, preventing replay attacks. Given the time sensitivity, these codes are designed to withstand brute force attacks with the server throttling guessing attempts. In short, the attacker only has the time period for which the Usher code is valid to try each and every combination, making it highly improbable for the in-use Usher code to be guessed.

[Figure: timeline showing a new Usher code generated, and the old Usher code expired, at each interval.] One-time, time-limited Usher codes act as short-lived, temporary identifiers of the client.

Validation panel

The QR validation panel, which is the third tab in the bottom navigation pane in the Usher Security app, is a built-in QR code scanner. This panel lets users capture Usher QR codes, allowing them to open entryways, unlock workstations, log in to applications, and authorize transactions (an SDK-only functionality). For low-light situations, there is a built-in flashlight button at the top-left corner.

[Figure: Validation panel ("Scan QR code for access") and Badge Information view with the User Validation section: "You can validate users by their Usher Code or by scanning their QR code."]

The User Validation panel (accessed by tapping on a badge to bring up the Badge Information view, and then selecting "User Validation") empowers users to verify the identities of other Usher users, both remotely and in-person.

When remote, any Usher user can ask another Usher user via phone or chat for their 4- or 8-digit Usher code, then type it into the User Validation panel and press Enter. When in-person, navigate to the QR code tab and scan the other user's personal QR code from their badge information view. Either workflow should return the same result. You can then tap on the envelope in the top-right-hand corner to conveniently add the validated user to your phone's contact list.

Digital keys for physical access

Plastic ID cards used for physical access are easily lost, stolen, or counterfeited, problems that can go days without being discovered. Additionally, physical ID cards grant entry based on possession, without regard to the cardholder's identity. By interoperating with the world's most prevalent physical access systems (Lenel, Honeywell, Paxton, Datawatch, S2 Security), physical entry points can be controlled by Usher using encrypted digital keys attached to a mobile device. Users can rely on the smartphone or Apple Watch to securely access virtually every entryway with digital keys that can be remotely distributed and revoked in an instant.

[Figure: Keys panel with Favorite and All tabs, listing keys for garage, elevator, lane and lab entry points.]

Sight code panel (only available in SDK)

Sight codes are animated, time-limited fractal images that are impossible to counterfeit and provide instant visual indication that people are members of the same Usher network. They are revealed by swiping left on an Usher badge, and are perfect for quick visual identification of a group of people (e.g. employee identification in an emergency response situation, quick identification of event attendees). This has applications for any physical space that hosts multiple events concurrently: badges for attendees of each event will display different sight codes.

Chapter 2: Badge security and configuration

256-bit AES encryption of user attributes

Only basic identity information, such as a user's name, title, company, and photo, is stored locally on the client. All user attributes are encrypted with 256-bit AES encryption and stored in the phone's encrypted storage area, ensuring that the user's data cannot be compromised.

[Figure: 256-bit AES encryption.] Basic user information is stored in an encrypted format on the smartphone.

Integration with Touch ID

Mobile hardware and software are becoming sophisticated enough so that everyone with a smartphone can have a powerful, state-of-the-art biometric reader in their pockets. This added layer of security comes at no added cost to the enterprise, as no investment in additional biometric verification hardware is needed.

With Touch ID, the device operating system (OS) determines the procedure for capturing a fingerprint in order to perform feature extraction and verification. A dialog that requests the user to present their fingerprint is displayed. This dialog disappears upon successful acquisition of the fingerprint image by the device, followed by a successful verification. The same dialog is displayed if the verification is unsuccessful for up to three consecutive tries. The fingerprint feature extraction is controlled and performed by the mobile OS; applications such as Usher have no access to the extraction process or to the template. Usher does not have fingerprint feature extraction explicitly in its workflow; instead, the presence of user enrollment is checked and verification functionality is disabled if the user has not enrolled their fingerprint.

Offline capabilities

Usher offers several options for situations where network connectivity is not available.
1. Physical access: you can have a Bluetooth reader at the door, which is connected to the network (hard-wired or Wi-Fi), and a disconnected Usher mobile client can unlock the door.
2. Logical access: a disconnected Usher mobile client can unlock a Mac workstation with Bluetooth.
3. Peer-to-peer validation: works when the validated user is offline, but the validator must be online.

Add a badge from deep link in email

If a user has just installed the Usher app and has not yet added a badge, there will be a welcome screen displayed to remind this user to check his email and see if there's an invitation to add a badge.

After the administrator creates an Usher network and invites the corresponding users, the end user being invited (or the administrator user himself) will receive an email. If the user opens the mail on her phone and clicks the activation link in the mail, the badge will be automatically added in the Usher Security app (the mobile client).

If the Usher mobile client is not detected on the phone, the activation link will redirect the user to the Usher Security app page on Apple Store or Google Play store to allow the end user to download and install it. After that, the user can click the activation link in the email. The badge the end user has been invited to add will be loaded automatically in the Usher Security app and displayed to the end user. If this badge has already been added in the Usher Security app in the past, a message saying "%Badge Name% badge has already been added previously" will be displayed.

Badge information

A badge information section is located in the settings of the Usher Security app. All badges added in the Usher Security app will be listed in this section. Clicking a badge listed here will display all information related to it, which includes:
1. Organization
2. Badge
3. Issue date
4. Email
5. Time-limited Usher code (also found on the main view of the badge)
6. Time-limited QR code (scannable for the purposes of verifying the legitimacy of this badge)

[Figure: Badge Information view showing Organization, Badge, Issue Date, email address, and the User Validation section with Usher Code and QR Code tabs.]

Upload profile image

If the administrator does not add an image for a user in his profile when they create a badge using Network Manager, no image will be shown in the user's badge. This user may be able to upload or change her picture from the badge by tapping on the image placeholder in the badge information view to activate the camera and photo library. Any new image captured or selected will be synced and stored on the server along with the user's other information.

Remove a badge locally

When in the Badge Information view (accessed by tapping on any badge), scrolling down reveals a button that allows a user to remove the badge from the app altogether. A pop-up dialog will prompt the user to confirm the badge deletion. If this badge is the only badge in the Usher Security app, deleting it will redirect the user to the welcome screen. To remove multiple badges at once, navigate to the settings tab at the bottom of the app, and then select Manage Badges.

[Figure: Badge Information view with the Remove Badge button, and the Settings screen listing Server, Your Badges (Badge Recovery, App Passcode, Touch ID Passcode, Manage Badges) and Contact Us (Send Feedback, Report a Problem).]

Badge recovery

Badge recovery allows users to recover badges for the Usher Security app through the settings screen of the application when at least one badge has been added. Otherwise, users will need to enter an email address on the application landing page at first launch. The user will receive an email with a deep link to restore all of the badges associated with his or her email address.

Image caching

In order to improve performance and reduce time/network traffic cost for users when switching between badges or validating other users in Usher, Usher offers an image cache policy. Each time a user validates another user's badge in the validation panel or refreshes all his badges in the Usher Security app, the client will check the image cache for each of these badges.
1. If there is no image being cached, the client will fetch the image from server and cache it.
2. If there is an image being cached, the client will compare the timestamp of this badge image with the server to see if it is the latest one.
3. If the image being cached is not the latest one, the client will fetch the latest image from the server and update it.
4. If the image being cached is the latest one, the client will display the cached image.

Encrypted access tokens for authentication

Usher employs access tokens instead of usernames and passwords, eliminating the need to send user credentials over Wi-Fi, 3G or 4G networks for user authentication. This ensures that credentials cannot be intercepted or phished during data transmission. Access tokens are stored in an encrypted format on the smartphone and are only valid for a specific, but configurable, time period. Upon expiry, Usher users must re-authenticate themselves to Usher and obtain a new token.

[Figure: 256-bit AES encryption.]

Offline Usher code generation

All Usher codes used for identification can be generated on the client, including the QR code and the numeric Usher code. For numeric Usher code generation, the Usher server sends an initial key to the Usher-enabled device, which stores this key on the phone in an encrypted format. The Usher-enabled device then uses this key to generate time-limited numeric codes locally on the smartphone. The Usher architecture is designed such that the initial key remains valid only for a specific, configurable time period. Before expiry, the Usher server issues a new key to the device for generating a new set of codes. The time-limited codes, which expire after a pre-set time limit, not only are designed to withstand brute force attacks but also make it highly improbable for the code to be guessed. In addition, the Usher server will throttle any attempts to guess Usher codes, thereby preventing a brute force attack.

[Figure: badge showing a QR code and a numeric Usher code.]
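The properties claimed under "Time-limited Usher codes" and "Offline Usher code generation" (a device-held key, a code per time window, expiry, single use, throttled guessing) can be seen together in the following added example, which is not Usher's code. The guide does not name the derivation algorithm, so RFC 6238 (TOTP) is used as a stand-in; the `CodeVerifier` class, the five-failure limit and the assumption that the server is told which device to check are all hypothetical.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # guide: codes expire every 60 seconds (configurable)
DIGITS = 8          # guide: codes are 4 to 8 digits
MAX_FAILURES = 5    # assumption: failed guesses tolerated per device per window


def time_code(key, now, digits=DIGITS, step=STEP_SECONDS):
    """RFC 6238 (TOTP, HMAC-SHA1) code for the time window containing `now`.

    Stand-in algorithm: the guide does not say how Usher derives its codes.
    """
    counter = int(now // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def guess_probability(digits, attempts):
    """Chance that `attempts` distinct guesses hit the one valid code in a window."""
    return min(1.0, attempts / 10 ** digits)


class CodeVerifier:
    """Hypothetical server-side check: device-bound key, throttling, single use."""

    def __init__(self):
        self.keys = {}       # device_id -> key the server issued to that device
        self.accepted = {}   # device_id -> last window in which a code was accepted
        self.failures = {}   # (device_id, window) -> failed guesses so far

    def enroll(self, device_id, key):
        self.keys[device_id] = key

    def verify(self, device_id, code, now):
        key = self.keys.get(device_id)
        if key is None:
            return "unknown-device"
        window = int(now // STEP_SECONDS)
        slot = (device_id, window)
        if self.failures.get(slot, 0) >= MAX_FAILURES:
            return "throttled"                    # locked out until the window rolls over
        expected = time_code(key, now)
        if not hmac.compare_digest(expected.encode(), str(code).encode()):
            self.failures[slot] = self.failures.get(slot, 0) + 1
            return "rejected"                     # wrong or expired code
        if self.accepted.get(device_id) == window:
            return "replayed"                     # right code, but already used once
        self.accepted[device_id] = window
        return "accepted"


def demo():
    """Run the four cases against a constructed key and return the outcomes."""
    key = b"constructed-sample-key-0001"          # constructed sample, not a real key
    server = CodeVerifier()
    server.enroll("phone-1", key)
    t0 = 1_700_000_040.0                          # exact start of a 60-second window
    code = time_code(key, t0)
    outcomes = [
        server.verify("phone-1", code, t0 + 10),  # first use inside the window
        server.verify("phone-1", code, t0 + 20),  # same code presented again
        server.verify("phone-1", code, t0 + 60),  # same code after the window ended
    ]
    later = t0 + 120
    good = time_code(key, later)
    wrong = str((int(good) + 1) % 10 ** DIGITS).zfill(DIGITS)
    for _ in range(MAX_FAILURES):                 # guessing burns the failure budget
        server.verify("phone-1", wrong, later)
    outcomes.append(server.verify("phone-1", good, later + 1))
    return outcomes


if __name__ == "__main__":
    print(demo())
    print("4-digit code, 5 guesses per window:", guess_probability(4, MAX_FAILURES))
    print("8-digit code, 5 guesses per window:", guess_probability(8, MAX_FAILURES))
```

With throttling in place, the per-window guessing odds depend on the attempt limit and the code length rather than on how fast requests can be sent, which is why the shorter 4-digit setting leans far more heavily on the throttle than the 8-digit one.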

Encrypted X.509 PKI certificates

Usher uses X.509 PKI client certificates to help secure communications between the Usher mobile app and the Usher server. The Usher server issues a unique X.509 PKI certificate to each Usher-enabled device when the Usher mobile app is launched for the first time on that device. This certificate is generated to the X.509 PKI standard, and, upon issue, is stored in the mobile phone's encrypted storage area. A mobile phone identifies itself as an Usher-enabled device to the Usher server by including its unique X.509 PKI certificate in every data transmission. This in turn prevents rogue devices from impersonating an Usher device and establishing fraudulent communication with the Usher server to steal identity information.

[Figure: 256-bit AES encryption.]

Out-of-band identity transmission

All identity information is transmitted out-of-band from the Usher server to the Usher mobile app. This ensures that no two Usher clients directly share identity data and that the Usher server always validates the identity independently. This includes identity validation through QR and numeric Usher codes. This approach also ensures that malicious apps can never steal identity data from the smartphone client. Additionally, since a malicious app cannot present a valid Usher-issued X.509 PKI certificate, the Usher server will immediately reject any communication attempts from it, ensuring that identities always remain secure.

[Figure: out-of-band identity transmission between an Usher mobile client, another Usher mobile client and the Usher server. Labels: generate time-limited personal code (Usher code or QR code); offer personal code; submit personal code; receive identity information.]

Encrypted channel for data transmission

The Usher server and the underlying identity management solutions use the TLS protocol with 256-bit AES cipher to send identity verification requests and verified identities to one another. These requests include the access token for user authentication, the X.509 PKI certificate to identify the device, and an Usher code; and the transmission is always encrypted. The Usher server matches the client's X.509 PKI certificate with a copy maintained in the Usher server database and, upon positive identification, sends the verified identity back to the client. This process ensures that only known Usher-enabled devices can send identity requests to Usher and receive identity information from it. Additionally, all identity requests are processed exclusively through the Usher server, which, in turn, accesses identity information through Usher connectors.

Certificate pinning: To ensure that the client is talking only to known servers, all trusted servers' certificates are pinned in the application to prevent a man-in-the-middle attack that may use fraudulent certificates or malicious proxy servers. The usage of certificate pinning also prevents cyber thieves from deploying a fraudulent server to masquerade as an Usher server.

[Figure: certificate issuance, 256-bit AES]
1. At initial launch, the client sends a Certificate Signing Request (client public key; CSR information signed with the client private key).
2. The server generates a certificate and maintains an encrypted copy (Usher server, certificate database).
3. The Usher client receives the certificate.
4. The Usher client encrypts the certificate on the client side.
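The certificate pinning check described above, as an added example that is not Usher's code: the client keeps normal TLS chain and hostname validation and additionally refuses any server whose certificate is not in a pinned set shipped with the app. Pinning whole-certificate SHA-256 fingerprints, carrying a second pin for rotation, and the names `is_pinned` and `connect_pinned` are assumptions, since the guide does not say what exactly is pinned.

```python
import hashlib
import hmac
import socket
import ssl


class PinMismatch(Exception):
    """The server passed normal TLS validation but is not a pinned server."""


def fingerprint(der_cert):
    """SHA-256 fingerprint (lowercase hex) of a DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def is_pinned(der_cert, pins):
    """True if the certificate's fingerprint equals one of the pinned values.

    Every pin is compared, in constant time, so the check does not reveal
    which pin matched or how early a mismatch was found.
    """
    presented = fingerprint(der_cert)
    matched = False
    for pin in pins:
        matched |= hmac.compare_digest(presented, pin.strip().lower())
    return matched


def connect_pinned(host, port, pins, timeout=5.0):
    """Open a TLS connection and keep it only if the leaf certificate is pinned.

    Pinning is applied on top of, not instead of, the default validation:
    create_default_context() still verifies the chain and the hostname.
    """
    context = ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = context.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    if not is_pinned(tls.getpeercert(binary_form=True), pins):
        tls.close()
        raise PinMismatch("certificate for %s is not in the pinned set" % host)
    return tls


# Constructed stand-ins for DER certificates, so the check can be exercised offline.
CURRENT_CERT = b"constructed stand-in: current server certificate"
NEXT_CERT = b"constructed stand-in: certificate staged for rotation"
PROXY_CERT = b"constructed stand-in: certificate presented by an intercepting proxy"

# The app ships with the current pin and the next one, so the server certificate
# can be rotated without locking out clients that have not updated yet.
PINNED = {fingerprint(CURRENT_CERT), fingerprint(NEXT_CERT)}


def check_samples():
    """Return the pin decision for each constructed certificate."""
    return {
        "current": is_pinned(CURRENT_CERT, PINNED),
        "next": is_pinned(NEXT_CERT, PINNED),
        "proxy": is_pinned(PROXY_CERT, PINNED),
    }


if __name__ == "__main__":
    print(check_samples())
```

A certificate issued to an intercepting proxy by a CA the device trusts would pass the default validation and still fail `is_pinned`, which is the case the guide's pinning paragraph is concerned with.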

Chapter 3: Network management

Security and IT personnel today are required to handle all information security-related issues, including replacing ID badges, resetting passwords, and managing databases with employee and customer information. The ideal security solution includes a management tool that allows IT personnel to manage all aspects of security systems including deploying mobile security badges, monitoring logical and physical access, and understanding all enterprise workforce activity.

Network creation

An Usher network is the group of users in your organization who can use the Usher app on their smartphone to validate their identity, log into applications, gain access to secure physical resources, and so on. Network creation is the process of developing and naming a specific Usher network, and is accessed at the Network Manager web portal. For both Secure Cloud and on-premise deployments, Network Manager will reside at a URL unique to that specific implementation, which you can get from your Usher account team.

Network Manager is the web interface to the Usher Server that allows Usher networks to be created and managed. The Network Manager is a PHP application that runs under Apache. Through it, Usher administrators can create an Usher network, configure gateways (to web applications, physical access systems and workstations), and then distribute or revoke access to gateways among their users, quickly and simply.

Upon visiting the Network Manager site, administrators set up a network by following these steps:
1. Enter badge name
2. Enter network name
3. Edit badge design
4. Create an administrator account by submitting name, title, and photo (optional)
5. Enter valid email address: Usher sends an email message with instructions to install the Usher client and acquire the badge
6. Log into Network Manager with the newly acquired Usher badge (by scanning the QR code on the screen)

User management

User management allows administrators to set up a user population for their Usher network. Administrators do so using one of the following methods:
- Manual user entry
- User import from supported applications
- User import from CSV file
- Identity Management (IDM) system synchronization
  - Active Directory
  - OpenLDAP

Please note that a combination of manual entry and IDM synchronization is not supported at this point in time.

Usher agent for Active Directory

Many organizations use Active Directory as a central repository for user management. With the Usher agent, an administrator can now synchronize their Usher user base with Active Directory in a matter of minutes. All of this is done through a lightweight agent running as a service on a Windows machine. It connects to Active Directory and synchronizes the user groups, or the organizational units one wishes to incorporate into their Usher deployment.

In this deployment scenario, the Usher Active Directory agent is installed on customer premises. The Usher agent connects to the customer's Active Directory via LDAPS. Communication between the Usher security server and the Usher agent is secured with TLS. The two-way communication channel is used for authentication purposes, as well as to update settings (e.g. import more user groups or synchronize more LDAP fields). The one-way communication channel is dedicated to sending updates from Active Directory to the Usher network to keep user information up to date (every 20 seconds).

This architecture can be deployed over a proxy or a firewall and, as the communication is outbound, it doesn't require any change in firewall settings. The AD credentials are encrypted on the Usher agent, and the decryption key is stored on the Usher server.

The tool is entirely self-service, and has the benefit of letting changes performed on your user information in Active Directory be reflected in the Usher user base in seconds; one can even synchronize users' pictures between Active Directory and Usher. Disabled users in Active Directory will be removed from the Usher user base in seconds as well.

Network administrators

Network Manager allows administrators to:

- Add, delete, and manage other Usher network users and administrators
- View the status of other administrators (active or inactive)

Badge management and design

Badge management includes various functions to change badge functionality.

Design allows an administrator to modify badges:

- Color (gradient option available)
- Patterns: choose from eight provided background patterns
- Background image: upload PNG or JPG files
- Icon: upload PNG or JPG files

Properties allows an administrator to:

- Edit badge name
- Enable Usher code broadcasting to access high-security door readers
- Toggle location tracking on or off
- Set location or time-based restrictions for badge usage

Chapter 4: Authentication and access control options

Today's methods of authentication and access are both wide-ranging and outdated because enterprises continue to rely on twentieth-century thinking to secure a digital world. The solution needed today includes authentication and access methods that replace the outdated methods (passwords, badges, ID cards, keys, security tokens), and can connect to all enterprise assets, including applications, domains, data and processes, with physical systems: watches, phones, tablets, computers, doors, facilities, vehicles, safes, and gates.

Access to these resources and spaces may be granted using one of several methods and customization options with the Usher Security app. These fall under the categories of logical access, physical access, and behavioral-based conditions.

Logical access and methods

Web applications refer to resources that users access through a browser (web browser or mobile browser). These can be cloud applications or enterprise-grade, internally hosted applications. While Usher can be configured to provide authentication into any SAML 2.0-enabled web application or any VPN solution that supports FreeRadius, the Usher gateway configuration interface provides customized templates for several high-profile, prolific applications. These include, but are not limited to:

- Amazon AWS
- Salesforce.com
- MicroStrategy Web
- Google Apps
- Github
- Rally
- Wordpress
- Dropbox
- Zendesk
- Flowdock
- Box
- Asana
- New Relic
- Active Directory Federation Services
- Slack
- Join.me
- Yammer
- GoToMeeting
- RemedyForce
- Cisco VPN
- Juniper VPN
- Citrix VPN

Usher's VPN functionality is implemented as a module that sits on a RADIUS server, one of the most popular VPN servers in the market. As a result, Usher's VPN solution is designed to work with vendors that support the RADIUS protocol, like Cisco, Juniper, Citrix, and F5. In this way, Usher adds an additional layer of security for remote system access that is convenient to the end user.

Method 1: QR code scan

When accessing a shared logical resource, such as an open workstation, the resource's front-end Usher user interface is assigned a time-limited QR code by the Usher server. A user then scans the QR code from the validation panel of her Usher client, telling the Usher server who she is, as well as the gateway identifier associated with the QR code. The Usher server confirms the validity of the user and then passes the corresponding parameters to the web application using the SAML protocol in order to request access to the resource on behalf of the user.

Method 2: pairing (push notifications)

When performing a QR code scan on any SAML-enabled web application, the user can request that the system remember the specific user on this particular machine. This is known as pairing the client to the gateway. The Usher server will remember the user's device token the next time the user goes to access the resource. The site will display a button to log in with Usher. Clicking on the button will trigger the Usher server to send a push notification to that user's Usher client. The user can simply confirm the notification to log in.

This feature works on Apple Watches with the Usher WatchKit app on them, as well as Android Watches, for which there is no native Usher application currently in production. As long as the phone is locked and configured to send its push notifications to an Apple/Android watch that is paired with it, the user will receive a push notification on his watch that allows one-tap access to a paired, logical resource gated by Usher.

Method 3: mobile single sign-on (app switching)

The Usher Security application supports mobile SSO workflows, which let users log into third-party mobile applications running on the same device. Third-party mobile apps may implement the Mobile SDK to call the Usher Security app with a request to verify the user's identity and obtain an access token. The communication between the Usher Security app and third-party apps is achieved via deep-linking between the applications.

Method 4: one-time-passwords (Usher codes)

On the main screen of each badge, the small white bar under the time-limited Usher code will degrade over time to let a user know that it is about to expire. Aside from entering the time-limited Usher codes into their client to validate the identities of other users, a user can use her Usher code to log into organizational VPNs in much the same way as one-time-passwords generated by security tokens do. Usher's VPN authentication inherits all security settings you set for your network, allowing you to customize the security based on your needs.

Physical access and methods

For physical access, Usher has Usher Physical Access (PACS) Web Services (specialized for specific Physical Access systems such as Honeywell EBI, Lenel OnGuard, and Tyco C-Cure) that broker calls between the Usher Server and the Physical Access System's API layer. Some web services run on Windows Server under IIS (Lenel, Honeywell), while others run under Tomcat containers (S2). A Standard PACS Adapter also exists which allows system integrators to write their own Web Services for PACS systems that are not supported by Usher out of the box.

Method 1: Digital keys

The key panel lets users tap on a key to unlock doors, elevators, and gateways. Virtually any entryway that is controlled by a PACS can be unlocked using Usher keys. Usher offers a list of all entryways a person has authorization to unlock and lets him organize his favorite keys on the key ring panel. The favorites key ring is also accessible in the Usher app on the Apple Watch.

By default, the key panel shows your favorite keys. Tap on the All button at the top-right of the screen to bring up all the keys you have access to, organized by badge. Here, you can then add and remove your favorite keys.

These keys can be accessed by providing up to three factors of authentication: having your phone with you, knowing your phone's passcode, and presenting your fingerprint (with iOS Touch ID). Most importantly, administrators can monitor and record who accesses each entry point at any given time, providing unparalleled insight into potential threats.

Method 2: QR scans

Another way to unlock doors is by simply scanning the Usher QR code affixed to a door. An organization can place an Usher QR code at each entryway. A user then scans the Usher stamp with his validation panel, and Usher communicates with the PACS to unlock the door to which the Usher stamp is affixed. With the key panel and QR scans, Usher bypasses legacy door readers and communicates directly with the PACS, so enterprises can use Usher without purchasing new door reader hardware.

Method 3: Bluetooth readers

For hands-free door entry, Usher uses Bluetooth to automatically unlock the door without the user needing to remove the smartphone from a pocket or purse. Using the same information advertised for peer-to-peer user discovery, a door reader can obtain the badge ID via Bluetooth and then make a request to the PACS, which unlocks the door if the user is both within a customizable physical range and is authorized to enter. With Bluetooth low energy (BLE), Usher minimizes battery consumption, as the user does not need to have the Usher Security app running in the foreground. Whether access was granted or denied is displayed on the door reader.

Method 4: iBeacons

Another method of context-based physical access is the Usher Nearby widget in the Today view of the iPhone's drop-down notification center, which is accessible from the lock screen. iBeacons, which are relatively inexpensive, are deployed to powered sources near physical entryways, and set to constantly broadcast their presence via Bluetooth. When an Usher user is within range of the iBeacon and opens her Usher Nearby widget, the client on the phone receives the number the iBeacon is transmitting. It then maps the iBeacon to its associated key, and calls the Usher server for access to this resource. In this way, just one button in the widget can take on the identity of the key for any specific door the user is standing next to.

This feature is also integrated with the glance of the Usher app for the Apple Watch. When a user swipes up from the bottom of their Apple Watch, the glance searches for iBeacons associated with physical entries nearby and displays them to the user for access.

Furthermore, iBeacons and Usher can be configured to automatically unlock doors when a user reaches a certain distance from the door. This delivers maximum convenience, as a user can leave their phone in-pocket.

Method 5: NFC chips

Near Field Communication (NFC) chips are similar to Bluetooth chips and allow the sharing of small payloads of data. Most Android devices have NFC chips located somewhere on the device. When Usher-configured NFC chips are deployed throughout an enterprise environment, Android device end-users can take advantage of NFC for convenience. Users simply need to place the spot of their device where the NFC chip is located against the shown sticker located near the door. The location of the NFC chip is different depending on the Android device. The Usher client does not have to be open, but must be running in the background of your device. For the majority of devices, the NFC chip is located near the camera, but some trial and error may be needed for your particular device.

Behavioral-based conditions/fencing

Network administrators can set restrictions for how Usher badges are used, based on time and geolocation for better control and security over network resources. In other words, any resource (logical or physical) can be gated so that access is only possible during certain hours or in certain geographic locations.

Additionally, administrators can set up Usher to require fingerprint verification every time a person uses it, or before accessing specific resources. This is significantly more convenient than typing in a password, and prevents unauthorized use of the Usher badge by providing an additional authentication factor for highly secure situations. Since only certain types of smartphones contain fingerprint readers, a passcode alternative is available for devices lacking this feature.

Extension to Apple Watch

Usher for Apple Watch turns Apple's most personal device into the key that unlocks the enterprise, both logically and physically. It's a new take on enterprise security that combines the powerful security capabilities required by modern organizations with the simplicity of a consumer WatchKit app. The iPhone and Apple Watch work in concert and are contextually aware of the systems, hardware, and entryways that users approach. Users receive push notifications on their Apple Watch, prompting them to unlock their workstation, log into a system, or open a doorway, and they can do so with a tap or gesture.

In addition, the WatchKit app boasts a digital keychain which synchronizes with the digital keychain in the Usher app on its owner's smartphone that is paired with it. A user can also use Apple Watch Force Touch to switch between badges and access the dynamic 4-digit Usher codes associated with various badges for multi-factor authentication (e.g., into a VPN) or identity verification. The glance feature of the WatchKit app mirrors the Usher Nearby widget on the phone; it searches for the nearest iBeacon and lets an authorized user unlock any door they are standing in front of.

Chapter 5: Workforce productivity with Usher Professional

With Usher Professional, a mobile application available on both smartphone and tablet, managers gain access to personalized and localized intelligence about resource utilization, transaction authorization, and all other activity being performed by their subordinates in the enterprise context. It is especially applicable to teams where employees are in the field.

Discovery views

There are three discovery views for Usher Professional: grid, list, and map view. By tapping on each individual team member, a manager can contact a team member directly or be kept informed of their recent enterprise access activity with usage data collected from their Usher Security application.

User profile

Tapping on a user brings up their user profile. The first tab of the user profile shows trend lines for their usage of both physical gateways and logical resources. The second tab is a bar graph of the locations the user performed Usher actions from, as well as how many actions were performed at each location. The third tab maps out the locations the resources were accessed from. Tapping on each location provides a scrollable log of actions taken at the location.

From within the Usher Professional interface, a manager can directly initiate an email to a subordinate if the manager notices unusual items or patterns in the access history. For added insight, Usher Professional can integrate individual access data with other types of individual data (e.g., HR information) that is stored in analytics projects, such as those created in MicroStrategy Analytics.

Search capabilities and saved groups

In Usher Professional, a manager can filter, search, and create groups. Usher Professional can be calibrated to display users in the immediate vicinity, users within 300 feet, users within five miles, or all users in your badge network. A manager can save a group discovered by using any of these filter options, and check up on members of that particular group later. For example, a manager may wish to bookmark anyone who attended a particular planning meeting.

To help with sorting through every user in a particular network, a manager can search based on name or title keyword, and save groups based on this. An example would be everyone who has "associate" in his or her title. Groups that are saved from the search functionality can be edited to clean out irrelevant search results (e.g., if the previous "associate" search was intended to find junior-level employees, but also included a couple of associate vice presidents in the results).

Usher Professional can be customized with more detailed user profiles for searches. The flexibility to add fields such as skills or certifications enables managers to more efficiently utilize the human capital theoretically at their disposal.

Additionally, a manager can create and save a group of employees based on geo-location in the map view by creating a circle of a certain radius from a point or by using a freeform selection tool. After creating and saving a group, a manager can also send communications to the entire group as they would to an individual.

Chapter 6: Intelligence and reporting with Usher Analytics

Built on the industry-leading MicroStrategy Analytics Platform, Usher Analytics captures, analyzes, and displays visualizations of all Usher activity, providing both global visibility of users and an audit trail for governance, risk management, and cyber security oversight. It also provides proactive alerts when abnormal activity is detected or when thresholds are exceeded, and delivers a full spectrum of analytic capabilities, from simple time analysis to sophisticated correlations and data mining.

Whenever an action is taken on an Usher Security client, the action is passed to the Usher server log and then to Usher Analytics, where it is stored in a MySQL database. If the Usher server is installed on-premise, a customer has flexibility in storing these action logs in a variety of ways.

Usher Analytics provides complete visibility of all identity actions across a network in near real time, enabling state-of-the-art risk management, cyber security, and auditability to provide actionable insights at all times. Examples include immediate detection of abnormal activities and irregular patterns (such as after-hours access), outlier behavior, or users who seem to be in two places at once.

As an offering, Usher Analytics comes out-of-the-box with a set of pre-built MicroStrategy Analytics schema and objects, such as reports, dashboards, metrics, and filters. However, organizations also have the flexibility to upload their own data to the project for additional analysis.

The current Usher Analytics solution, hosted in our cloud environment, utilizes the latest innovations in in-memory architecture to enable world-leading data warehousing options for massive datasets shown against traditional online analytical processing (OLAP) services.
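The two checks named in this chapter, after-hours access and a user who seems to be in two places at once, can be sketched over an exported action log as follows. This is an added example, not code from Usher or from this guide; the record fields, the sample rows, the business-hours window and the speed threshold are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class AccessEvent:
    """One row of a hypothetical action log (field names are assumptions)."""
    user: str
    ts: datetime      # assumed: every timestamp is in the same time zone
    lat: float
    lon: float
    resource: str


# Constructed sample rows for illustration, not real Usher log output.
SAMPLE_EVENTS = [
    AccessEvent("alice", datetime(2015, 6, 1, 9, 0), 38.918, -77.231, "HQ lobby door"),
    AccessEvent("alice", datetime(2015, 6, 1, 9, 40), 51.507, -0.128, "VPN login"),
    AccessEvent("bob", datetime(2015, 6, 1, 2, 15), 38.918, -77.231, "Server room door"),
    AccessEvent("bob", datetime(2015, 6, 1, 10, 0), 38.918, -77.231, "Salesforce login"),
    AccessEvent("carol", datetime(2015, 6, 1, 9, 0), 38.918, -77.231, "HQ lobby door"),
    AccessEvent("carol", datetime(2015, 6, 1, 15, 0), 40.713, -74.006, "NY office door"),
]


def distance_km(a, b):
    """Great-circle (haversine) distance between two events, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def after_hours(events, opens=time(7, 0), closes=time(19, 0)):
    """Return the events that fall outside the [opens, closes) window."""
    return [e for e in events if not (opens <= e.ts.time() < closes)]


def impossible_travel(events, max_kmh=900.0, min_km=50.0):
    """Flag consecutive events of one user that imply an implausible speed.

    min_km suppresses noise from GPS jitter and neighbouring buildings;
    max_kmh is roughly airliner cruising speed. Both are tunable assumptions.
    Returns tuples of (user, earlier resource, later resource, distance in km).
    """
    findings = []
    last_seen = {}
    for cur in sorted(events, key=lambda e: e.ts):
        prev = last_seen.get(cur.user)
        if prev is not None:
            km = distance_km(prev, cur)
            hours = (cur.ts - prev.ts).total_seconds() / 3600.0
            # Simultaneous events far apart are flagged without dividing by zero.
            if km >= min_km and (hours == 0 or km / hours > max_kmh):
                findings.append((cur.user, prev.resource, cur.resource, round(km)))
        last_seen[cur.user] = cur
    return findings


if __name__ == "__main__":
    for e in after_hours(SAMPLE_EVENTS):
        print("after-hours:", e.user, e.ts.isoformat(), e.resource)
    for user, first, second, km in impossible_travel(SAMPLE_EVENTS):
        print(f"impossible travel: {user}: {first} -> {second} ({km} km)")
```

In a multi-site deployment the after-hours window would need to be evaluated in each site's local time, which this sketch leaves out.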


Enterprise Mobility Management Migration Migrating from Legacy EMM to an epo Managed EMM Environment. Paul Luetje Enterprise Solutions Architect Enterprise Mobility Management Migration Migrating from Legacy EMM to an epo Managed EMM Environment Paul Luetje Enterprise Solutions Architect Table of Contents Welcome... 3 Purpose of this document...

More information

SharePlus Enterprise: Security White Paper

SharePlus Enterprise: Security White Paper INFRAGISTICS, INC. SharePlus Enterprise: Security White Paper Security Overview Anand Raja, Gustavo Degeronimi 6/29/2012 SharePlus ensures Enterprise data security by implementing and interoperating with

More information

Google Identity Services for work

Google Identity Services for work INTRODUCING Google Identity Services for work One account. All of Google Enter your email Next Online safety made easy We all care about keeping our data safe and private. Google Identity brings a new

More information

Quick Start Guide. Version R9. English

Quick Start Guide. Version R9. English Mobile Device Management Quick Start Guide Version R9 English February 25, 2015 Agreement The purchase and use of all Software and Services is subject to the Agreement as defined in Kaseya s Click-Accept

More information

Two-Factor Authentication over Mobile: Simplifying Security and Authentication

Two-Factor Authentication over Mobile: Simplifying Security and Authentication SAP Thought Leadership Paper SAP Mobile Services Two-Factor Authentication over Mobile: Simplifying Security and Authentication Controlling Fraud and Validating End Users Easily and Cost-Effectively Table

More information

Administrator's Guide

Administrator's Guide Administrator's Guide Copyright SecureAnywhere Mobile Protection Administrator's Guide November, 2012 2012 Webroot Software, Inc. All rights reserved. Webroot is a registered trademark and SecureAnywhere

More information

BlackBerry Enterprise Server for Microsoft Exchange Version: 5.0 Service Pack: 2. Feature and Technical Overview

BlackBerry Enterprise Server for Microsoft Exchange Version: 5.0 Service Pack: 2. Feature and Technical Overview BlackBerry Enterprise Server for Microsoft Exchange Version: 5.0 Service Pack: 2 Feature and Technical Overview Published: 2010-06-16 SWDT305802-1108946-0615123042-001 Contents 1 Overview: BlackBerry Enterprise

More information

1. What are the System Requirements for using the MaaS360 for Exchange ActiveSync solution?

1. What are the System Requirements for using the MaaS360 for Exchange ActiveSync solution? MaaS360 FAQs This guide is meant to help answer some of the initial frequently asked questions businesses ask as they try to figure out the who, what, when, why and how of managing their smartphone devices,

More information

Comodo Mobile Security for Android Software Version 2.5

Comodo Mobile Security for Android Software Version 2.5 Comodo Mobile Security for Android Software Version 2.5 User Guide Guide Version 2.5.111014 Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013 Table of Contents 1.Introduction to Comodo Mobile

More information

Mobile Device Management Version 8. Last updated: 17-10-14

Mobile Device Management Version 8. Last updated: 17-10-14 Mobile Device Management Version 8 Last updated: 17-10-14 Copyright 2013, 2X Ltd. http://www.2x.com E mail: info@2x.com Information in this document is subject to change without notice. Companies names

More information

Multi Factor Authentication API

Multi Factor Authentication API GEORGIA INSTITUTE OF TECHNOLOGY Multi Factor Authentication API Yusuf Nadir Saghar Amay Singhal CONTENTS Abstract... 3 Motivation... 3 Overall Design:... 4 MFA Architecture... 5 Authentication Workflow...

More information

Internet threats: steps to security for your small business

Internet threats: steps to security for your small business Internet threats: 7 steps to security for your small business Proactive solutions for small businesses A restaurant offers free WiFi to its patrons. The controller of an accounting firm receives a confidential

More information

Using the Jive for ios App

Using the Jive for ios App Using the Jive for ios App TOC 2 Contents App Overview...3 System Requirements... 4 Release Notes...5 Which Version Am I Using?... 6 Connecting to Your Community... 11 Getting Started...12 Using Your Inbox...13

More information

Last modified: November 22, 2013 This manual was updated for the TeamDrive Android client version 3.0.216

Last modified: November 22, 2013 This manual was updated for the TeamDrive Android client version 3.0.216 Last modified: November 22, 2013 This manual was updated for the TeamDrive Android client version 3.0.216 2013 TeamDrive Systems GmbH Page 1 Table of Contents 1 Starting TeamDrive for Android for the First

More information

Mac OS X User Manual Version 2.0

Mac OS X User Manual Version 2.0 Mac OS X User Manual Version 2.0 Welcome to ncrypted Cloud! ncrypted Cloud is a Privacy, Security, and Collaboration application that uses Industry Standard Encryption Technology (AES-256 bit encryption)

More information

10 Quick Tips to Mobile Security

10 Quick Tips to Mobile Security 10 Quick Tips to Mobile Security 10 Quick Tips to Mobile Security contents 03 Introduction 05 Mobile Threats and Consequences 06 Important Mobile Statistics 07 Top 10 Mobile Safety Tips 19 Resources 22

More information

Kaspersky Security for Mobile Administrator's Guide

Kaspersky Security for Mobile Administrator's Guide Kaspersky Security for Mobile Administrator's Guide APPLICATION VERSION: 10.0 SERVICE PACK 1 Dear User, Thank you for choosing our product. We hope that you will find this documentation useful and that

More information

Security Overview Enterprise-Class Secure Mobile File Sharing

Security Overview Enterprise-Class Secure Mobile File Sharing Security Overview Enterprise-Class Secure Mobile File Sharing Accellion, Inc. 1 Overview 3 End to End Security 4 File Sharing Security Features 5 Storage 7 Encryption 8 Audit Trail 9 Accellion Public Cloud

More information

Vodafone Secure Device Manager Administration User Guide

Vodafone Secure Device Manager Administration User Guide Vodafone Secure Device Manager Administration User Guide Vodafone New Zealand Limited. Correct as of September 2014. Do business better Contents Introduction 3 Help 4 How to find help in the Vodafone Secure

More information

Guide for Setting Up Your Multi-Factor Authentication Account and Using Multi-Factor Authentication. Mobile App Activation

Guide for Setting Up Your Multi-Factor Authentication Account and Using Multi-Factor Authentication. Mobile App Activation Guide for Setting Up Your Multi-Factor Authentication Account and Using Multi-Factor Authentication Mobile App Activation Before you can activate the mobile app you must download it. You can have up to

More information

Transporter from Connected Data Date: February 2015 Author: Kerry Dolan, Lab Analyst and Vinny Choinski, Sr. Lab Analyst

Transporter from Connected Data Date: February 2015 Author: Kerry Dolan, Lab Analyst and Vinny Choinski, Sr. Lab Analyst ESG Lab Test Drive Transporter from Connected Data Date: February 2015 Author: Kerry Dolan, Lab Analyst and Vinny Choinski, Sr. Lab Analyst Abstract: This report documents the results of an ESG Lab Test

More information

Egnyte App for Android Quick Start Guide

Egnyte App for Android Quick Start Guide Egnyte App for Android Quick Start Guide Introduction Welcome to the Quick Start Guide for the Egnyte App for Android. This guide will explain how to: Access files. Download content for offline access.

More information

AVG Business SSO Partner Getting Started Guide

AVG Business SSO Partner Getting Started Guide AVG Business SSO Partner Getting Started Guide Table of Contents Overview... 2 Getting Started... 3 Web and OS requirements... 3 Supported web and device browsers... 3 Initial Login... 4 Navigation in

More information

Flexible Identity Federation

Flexible Identity Federation Flexible Identity Federation Quick start guide version 1.0.1 Publication history Date Description Revision 2015.09.23 initial release 1.0.0 2015.12.11 minor updates 1.0.1 Copyright Orange Business Services

More information

An Overview of Samsung KNOX Active Directory and Group Policy Features

An Overview of Samsung KNOX Active Directory and Group Policy Features C E N T R I F Y W H I T E P A P E R. N O V E M B E R 2013 An Overview of Samsung KNOX Active Directory and Group Policy Features Abstract Samsung KNOX is a set of business-focused enhancements to the Android

More information

Mobile Device Management Solution Hexnode MDM

Mobile Device Management Solution Hexnode MDM Mobile Device Management Solution Hexnode MDM Frequently Asked Questions www.hexnode.com Frequently Asked Questions How is Hexnode MDM license calculated?...4 Which ports do I need to open for Hexnode

More information

Big Data Driven Security for BYOD. Photo by Marc_Smith - Creative Commons Attribution License http://www.flickr.com/photos/49503165485@n01

Big Data Driven Security for BYOD. Photo by Marc_Smith - Creative Commons Attribution License http://www.flickr.com/photos/49503165485@n01 Big Data Driven Security for BYOD Photo by Marc_Smith - Creative Commons Attribution License http://www.flickr.com/photos/49503165485@n01 Created with Haiku Deck TABLE OF CONTENTS Securing Data in Motion

More information

APPENDIX B1 - FUNCTIONALITY AND INTEGRATION REQUIREMENTS RESPONSE FORM FOR A COUNTY HOSTED SOLUTION

APPENDIX B1 - FUNCTIONALITY AND INTEGRATION REQUIREMENTS RESPONSE FORM FOR A COUNTY HOSTED SOLUTION APPENDIX B1 - FUNCTIONALITY AND INTEGRATION REQUIREMENTS RESPONSE FORM FOR A COUNTY HOSTED SOLUTION Response Code: Offeror should place the appropriate letter designation in the Availability column according

More information

Systems Manager Cloud Based Mobile Device Management

Systems Manager Cloud Based Mobile Device Management Datasheet Systems Manager Systems Manager Cloud Based Mobile Device Management Overview Meraki Systems Manager provides cloud-based over-the-air centralized management, diagnostics, and monitoring of the

More information

IBM Security Access Manager for Enterprise Single Sign-On Version 8.2.1. User Guide IBM SC23-9950-05

IBM Security Access Manager for Enterprise Single Sign-On Version 8.2.1. User Guide IBM SC23-9950-05 IBM Security Access Manager for Enterprise Single Sign-On Version 8.2.1 User Guide IBM SC23-9950-05 IBM Security Access Manager for Enterprise Single Sign-On Version 8.2.1 User Guide IBM SC23-9950-05

More information

Sophos Mobile Control User guide for Apple ios. Product version: 4

Sophos Mobile Control User guide for Apple ios. Product version: 4 Sophos Mobile Control User guide for Apple ios Product version: 4 Document date: May 2014 Contents 1 About Sophos Mobile Control...3 2 About this guide...4 3 Login to the Self Service Portal...5 4 Set

More information

White paper December 2008. IBM Tivoli Access Manager for Enterprise Single Sign-On: An overview

White paper December 2008. IBM Tivoli Access Manager for Enterprise Single Sign-On: An overview White paper December 2008 IBM Tivoli Access Manager for Enterprise Single Sign-On: An overview Page 2 Contents 2 Executive summary 2 The enterprise access challenge 3 Seamless access to applications 4

More information

AVG Business SSO Connecting to Active Directory

AVG Business SSO Connecting to Active Directory AVG Business SSO Connecting to Active Directory Contents AVG Business SSO Connecting to Active Directory... 1 Selecting an identity repository and using Active Directory... 3 Installing Business SSO cloud

More information

Securely Yours LLC IT Hot Topics. Sajay Rai, CPA, CISSP, CISM sajayrai@securelyyoursllc.com

Securely Yours LLC IT Hot Topics. Sajay Rai, CPA, CISSP, CISM sajayrai@securelyyoursllc.com Securely Yours LLC IT Hot Topics Sajay Rai, CPA, CISSP, CISM sajayrai@securelyyoursllc.com Contents Background Top Security Topics What auditors must know? What auditors must do? Next Steps [Image Info]

More information

CounterACT Plugin Configuration Guide for ForeScout Mobile Integration Module MaaS360 Version 1.0.1. ForeScout Mobile

CounterACT Plugin Configuration Guide for ForeScout Mobile Integration Module MaaS360 Version 1.0.1. ForeScout Mobile CounterACT Plugin Configuration Guide for ForeScout Mobile Integration Module Version 1.0.1 ForeScout Mobile Table of Contents About the Integration... 3 ForeScout MDM... 3 Additional Documentation...

More information

Getting Started with the iscan Online Data Breach Risk Intelligence Platform

Getting Started with the iscan Online Data Breach Risk Intelligence Platform Getting Started with the iscan Online Data Breach Risk Intelligence Platform 2 Table of Contents Overview... 3 Data Breach Risk Intelligence... 3 Data Breach Prevention Lifecycle Defined... 3 Choosing

More information

Table of Contents. Oxygen Web Client... 34 Uploading my files... 34 Versioning my files... 34 Deleting my files... 36

Table of Contents. Oxygen Web Client... 34 Uploading my files... 34 Versioning my files... 34 Deleting my files... 36 Oxygen User Guide Table of Contents What is Oxygen Cloud?... 3 Getting Started with Oxygen!... 4 Registering... 4 Access My Files from Any Device... 6 What is an Oxygen Space?... 7 Types of Spaces... 8

More information

Deltek Touch Time & Expense for GovCon. User Guide for Triumph

Deltek Touch Time & Expense for GovCon. User Guide for Triumph Deltek Touch Time & Expense for GovCon User Guide for Triumph November 25, 2014 While Deltek has attempted to verify that the information in this document is accurate and complete, some typographical or

More information

Protecting Criminal Justice Information: Achieving CJIS Compliance on Mobile Devices

Protecting Criminal Justice Information: Achieving CJIS Compliance on Mobile Devices Protecting Criminal Justice Information: Achieving CJIS Compliance on Mobile Devices Protecting Criminal Justice Information: Achieving CJIS Compliance on Mobile Devices It s common today for law enforcement

More information

Getting Started Guide: Getting the most out of your Windows Intune cloud

Getting Started Guide: Getting the most out of your Windows Intune cloud Getting Started Guide: Getting the most out of your Windows Intune cloud service Contents Overview... 3 Which Configuration is Right for You?... 3 To Sign up or Sign in?... 4 Getting Started with the Windows

More information

Mobile App User's Guide

Mobile App User's Guide Mobile App User's Guide Copyright Statement Copyright Acronis International GmbH, 2002-2012. All rights reserved. "Acronis", "Acronis Compute with Confidence", "Acronis Recovery Manager", "Acronis Secure

More information

Quick Start and Trial Guide (Mail) Version 3 For ios Devices

Quick Start and Trial Guide (Mail) Version 3 For ios Devices Quick Start and Trial Guide (Mail) Version 3 For ios Devices Information in this document is subject to change without notice. Complying with all applicable copyright laws is the responsibility of the

More information

Securing Corporate Email on Personal Mobile Devices

Securing Corporate Email on Personal Mobile Devices Securing Corporate Email on Personal Mobile Devices Table of Contents The Impact of Personal Mobile Devices on Corporate Security... 3 Introducing LetMobile Secure Mobile Email... 3 Solution Architecture...

More information

Feature List for Kaspersky Security for Mobile

Feature List for Kaspersky Security for Mobile Feature List for Kaspersky Security for Mobile Contents Overview... 2 Simplified Centralized Deployment... 2 Mobile Anti-Malware... 3 Anti-Theft / Content Security... Error! Bookmark not defined. Compliance

More information

Oracle Eloqua HIPAA Advanced Data Security Add-on Cloud Service

Oracle Eloqua HIPAA Advanced Data Security Add-on Cloud Service http://docs.oracle.com Oracle Eloqua HIPAA Advanced Data Security Add-on Cloud Service Configuration Guide 2015 Oracle Corporation. All rights reserved 05/11/2015 Contents 1 HIPAA 3 1.0.1 What is HIPAA?

More information

Beyond passwords: Protect the mobile enterprise with smarter security solutions

Beyond passwords: Protect the mobile enterprise with smarter security solutions IBM Software Thought Leadership White Paper September 2013 Beyond passwords: Protect the mobile enterprise with smarter security solutions Prevent fraud and improve the user experience with an adaptive

More information

Managing Existing Mobile Apps

Managing Existing Mobile Apps Adobe Summit 2016 Lab 324: Managing Existing Mobile Apps Adobe Experience Manager Mobile 1 Table of Contents INTRODUCTION 4 GOAL 4 OBJECTIVES 4 MODULE 1 AEM INTRODUCTION 5 LESSON 1 - AEM BASICS 5 OVERVIEW

More information

COMMUNITAKE TECHNOLOGIES MOBILE DEVICE MANAGEMENT FROM BELL USER GUIDE

COMMUNITAKE TECHNOLOGIES MOBILE DEVICE MANAGEMENT FROM BELL USER GUIDE COMMUNITAKE TECHNOLOGIES MOBILE DEVICE MANAGEMENT FROM BELL USER GUIDE Mobile Device Management, User Guide Copyright 2013, CommuniTake Technologies Ltd., Yokneam, Israel. All rights reserved. For a hard-copy

More information

GROUPTALK FOR ANDROID VERSION 3.0.0. for Android

GROUPTALK FOR ANDROID VERSION 3.0.0. for Android for Android Requirements Android version 2.3 or later. Wi-Fi or mobile data connection of at least 20kbit/s network bandwidth. Optional: Bluetooth audio requires Android version 4.0.3 or later. Optional:

More information

A Nemaris Company. Formal Privacy & Security Assessment For Surgimap version 2.2.6 and higher

A Nemaris Company. Formal Privacy & Security Assessment For Surgimap version 2.2.6 and higher A Nemaris Company Formal Privacy & Security Assessment For Surgimap version 2.2.6 and higher 306 East 15 th Street Suite 1R, New York, New York 10003 Application Name Surgimap Vendor Nemaris Inc. Version

More information

AT&T Toggle. 4/23/2014 Page i

AT&T Toggle. 4/23/2014 Page i Page i Go Ahead Bring Your Own Device to Work... 1 Requirements... 1 1: AT&T Toggle Overview... 1 Personal Icon... 2 ToggleHub... 2 AT&T Toggle Browser... 2 Downloads... 2 Data Usage App... 3 Media...

More information

Secure File Sync & Share with Acronis Access Advanced Date: July 2015 Author: Kerry Dolan, Lab Analyst

Secure File Sync & Share with Acronis Access Advanced Date: July 2015 Author: Kerry Dolan, Lab Analyst ESG Lab Spotlight Secure File Sync & Share with Acronis Access Advanced Date: July 2015 Author: Kerry Dolan, Lab Analyst Abstract: This ESG Lab Spotlight provides a high level look at the Acronis Access

More information

A brief on Two-Factor Authentication

A brief on Two-Factor Authentication Application Note A brief on Two-Factor Authentication Summary This document provides a technology brief on two-factor authentication and how it is used on Netgear SSL312, VPN Firewall, and other UTM products.

More information

WatchDox Administrator's Guide. Application Version 3.7.5

WatchDox Administrator's Guide. Application Version 3.7.5 Application Version 3.7.5 Confidentiality This document contains confidential material that is proprietary WatchDox. The information and ideas herein may not be disclosed to any unauthorized individuals

More information

Architecture and Data Flow Overview. BlackBerry Enterprise Service 10 721-08877-123 Version: 10.2. Quick Reference

Architecture and Data Flow Overview. BlackBerry Enterprise Service 10 721-08877-123 Version: 10.2. Quick Reference Architecture and Data Flow Overview BlackBerry Enterprise Service 10 721-08877-123 Version: Quick Reference Published: 2013-11-28 SWD-20131128130321045 Contents Key components of BlackBerry Enterprise

More information