Mobility, Security and Trusted Identities: It's Right In The Palm of Your Hands
Ian Wills, Country Manager, Entrust Datacard
WHO IS ENTRUST DATACARD?
Entrust Datacard Corporation. All rights reserved.
CREDENTIAL USE IN MULTIPLE APPLICATIONS & DEVICES
MOST SECURITY BREACHES ARE ATTACKS ON IDENTITY
(diagram: identity at the centre, surrounded by attack examples: session riding, key logging, password)
QUESTION: What device type do you feel is most secure for online banking?
- PC
- Mac
- iPad/iPhone
- Android tablet/phone
ARE MOBILE DEVICES SECURE?
Device & location attributes
- Mobile devices have powerful features built in that organizations can leverage: secure elements, TEE, biometrics, application sandbox, crypto
- Users want to carry them: always in hand, always connected, convenient, support work / personal balance
- Use continues to grow exponentially
- Out-of-band channel
- Computing power makes them multi-purpose: multipurpose identity capability
TECHNOLOGY THAT CAN FACILITATE E-GOVERNMENT
- Strongly identify the user
- Provide secure access to information
- Authenticate transactions
ISSUE STRONG MULTI-PURPOSE CREDENTIALS
User considerations
- Type of user
- What domain do they work in
- What are they using it for
Administrator considerations
- How easily does it integrate into existing systems
- How easy is it to use
- Can it meet short- and long-term objectives
QUESTION: What second-factor user authentication solution do you have in place?
- Hardware token
- Soft token
- SMS one-time password
- None/Other
MANY WAYS TO LEVERAGE ONE DEVICE
- Device certificates
- Toolkits for mobile apps
- SMS one-time password
- eGrid
- Soft token
- Out-of-band transaction verification
- Virtual smart credential
Mobile devices can easily be provisioned with additional or temporary authenticators.
VPN AUTHENTICATION
(diagram of the flow between laptop, VPN device and mobile)
1. Laptop connects to the VPN device
2. VPN device sends a notification to the mobile; the user confirms the transaction (fingerprint can replace the PIN)
3. Mobile transaction approval completes the login
DEMO: EMPLOYEE VPN ACCESS
DEMO: WEB AUTHENTICATION, NO PASSWORD
PHYSICAL / LOGICAL CONSOLIDATION
(diagram: one credential used for logical access via SAML and for physical access)
- Single credential, single admin interface: smart card, USB, mobile smart credential
- Benefits:
  - Better usability
  - Simplified on-boarding and off-boarding process, including credential issuance
  - Easy migration
  - Support for new and legacy physical access systems
  - Higher security
SECURITY OF A HARDWARE TOKEN WITH THE CONVENIENCE OF MOBILE
(diagram: ARM mobile microprocessor with TrustZone. Normal World: mobile OS and mobile application. Secure World: Trusted Execution Environment running the TrustZone OS and holding the digital identity. The application passes an authorized request into the Secure World and receives a proof of possession back; authentication can optionally validate the device fingerprint.)
- Digital ID cannot be stolen or misused by an exploit in the mobile OS
- Approve any transaction, originated anywhere, securely
SECURE BROWSING AND EMAIL
- Secure browser application to protect confidential information
- Strong certificate-based authentication of the user via a mobile smart credential
- Leverages client-authenticated SSL supported by web servers and access managers
- Secure, encrypted email client
- Digital signing with mobile smart credential certificates
DEMO: AUTHENTICATION, WEB SINGLE SIGN-ON
1. Start mobile browser
2. Access corporate intranet
3. Outside firewall, without VPN
4. Mobile application verifies the enterprise server is authentic
5. Enterprise server authenticates the mobile user
6. PIN allows the virtual smart card to authenticate
7. Encrypted transfer of intellectual property
DEMO: ENCRYPTED EMAIL, BROWSER LOGIN TO WEB RESOURCE
- Receive encrypted email on mobile
- Decrypt after PIN entry
- Link in email takes us to the corporate intranet portal with no VPN
- Will report if the intranet is not trusted
- Enter PIN to authenticate to the Web SSO portal
November 13, 2015
MOBILE AS THE ENTERPRISE DESKTOP
(diagram: on the mobile, a virtual smart card backs the browser, email, Web SSO, forms, VPN, encryption, transaction signing, physical access and logical access; on the enterprise side, cloud services, web, email, SAML IdP, Exchange Server and virtual desktops)
- Cryptographic functions available to mobile apps
- Access the same systems as a Windows desktop
- Mobile behaves like a smart card to Windows and physical access
OUT-OF-BAND TRANSACTION VERIFICATION
Transaction verification / approval, login, contract signing
- Out-of-band confirmation and signing of a transaction
- Simplified process for the user
- Protects against man-in-the-middle and man-in-the-browser attacks
DIGITALLY SIGN ON-LINE TRANSACTIONS
Digital signatures and transaction verification for non-repudiation of on-line transactions
- Employees: warrants, lab results, inspection reports
- Citizens: applications, healthcare submissions, bill payments
DEMO: APPROVE PAYMENT
1. Transfer money
2. Notification on mobile device at top of mobile screen
3. Click on notification
4. OPTIONAL: authenticate with fingerprint or PIN
5. Transaction notification reviewed in the mobile banking/payment application
6. User approves or rejects
DEMO: APPROVE PAYMENT WITH NO DATA CONNECTION
Fallback to QR code if the mobile data network is not available
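Added example, not Entrust's code: a minimal out-of-band transaction verification exchange of the kind the last three slides describe, with the server side, the mobile side, and the QR-code short-code fallback for a device without a data connection. Function names and the HMAC-based proof of possession are assumptions; a real deployment would sign with a key held in the device's secure element.

```python
import base64
import hashlib
import hmac
import json

# Constructed per-device secret, provisioned to the app at enrollment. Assumption:
# a real deployment keeps an asymmetric key in the TEE / secure element and
# returns a signature; HMAC-SHA256 stands in for that here.
DEVICE_KEY = bytes.fromhex("8f3a" * 16)

def canonical(obj: dict) -> bytes:
    """Deterministic encoding so server and device MAC exactly the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def issue_challenge(txn_as_received: dict, nonce: str) -> dict:
    """Server side: bind the transaction it actually received to a fresh nonce,
    so whatever a browser-side attacker changed is what the mobile will show."""
    return {"nonce": nonce, "txn": txn_as_received}

def qr_payload(challenge: dict) -> str:
    """Offline fallback: the same challenge, encoded for display as a QR code."""
    return base64.urlsafe_b64encode(canonical(challenge)).decode()

def mac_for(challenge: dict, key: bytes) -> str:
    """Proof of possession over nonce + canonical transaction (replay-resistant)."""
    msg = challenge["nonce"].encode() + b"|" + canonical(challenge["txn"])
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def device_approve(challenge: dict, user_intended: dict, key: bytes):
    """Mobile side: show the server's view of the transaction and produce a
    proof only if the user confirms it matches what they meant to send."""
    if challenge["txn"] != user_intended:  # altered details -> user rejects
        return None
    return mac_for(challenge, key)

def short_code(mac_hex: str) -> str:
    """Offline fallback: six digits derived from the MAC, typed back by the user."""
    return f"{int(mac_hex[:8], 16) % 1_000_000:06d}"

def verify(challenge: dict, proof, key: bytes, offline: bool = False) -> bool:
    """Server side: recompute over the challenge it issued and compare in
    constant time; on the QR path compare the derived short code instead."""
    if proof is None:
        return False
    expected = mac_for(challenge, key)
    if offline:
        return hmac.compare_digest(short_code(expected), proof)
    return hmac.compare_digest(expected, proof)
```

The user compares the displayed details with what they intended, so a man-in-the-browser that rewrites the payee or amount is caught before any proof is produced, and the nonce stops an old proof from being replayed.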
MOBILE PRESENTS AN OPPORTUNITY
Mobile provides a next-generation solution for trusted identities:
- Secure
- Convenient, easy to use, easy to provision
- Multi-purpose
Mobile offers an opportunity to blend user experience and security like never before:
- Lower costs of authentication and of business processes
- Strengthened security for logical & physical access, cloud and mobility
QUESTIONS
Ian Wills, Regional Sales Manager, Entrust Datacard
Ian.wills@entrust.com
@iancwills