Adoption of PKI. Where are we, where should we be, what s holding us back, and where do we want to go?



Similar documents
Arkansas Department of Information Systems Arkansas Department of Finance and Administration

Oracle Security. Joyce Peng Senior Product Manager, Life Sciences Oracle Corporation

White Paper. The risks of authenticating with digital certificates exposed

Entrust Secure Web Portal Solution. Livio Merlo Security Consultant September 25th, 2003

2003, Rainbow Technologies, Inc.

A brief on Two-Factor Authentication

MAESON MAHERRY. 3 Factor Authentication and what it means to business. Date: 21/10/2013

Strong Authentication. Securing Identities and Enabling Business

Multi-Factor Authentication Protecting Applications and Critical Data against Unauthorized Access

Protecting Networks and Data with Public Key Infrastructure (PKI)

National Information Management Conference and Exposition Thursday, April 23, 2009

Ubiquity of Security Compliance and Content Management

Meeting the FDA s Requirements for Electronic Records and Electronic Signatures (21 CFR Part 11)

Dissecting Electronic Signatures for the Life Sciences

Entrust Managed Services PKI. Getting an end-user Entrust certificate using Entrust Authority Administration Services. Document issue: 2.

Securing Corporate Data and Making Life Easier for the IT Admin Benefits of Pre Boot Network Authentication Technology

Schlumberger PKI /Corporate Badge Deployment. Neville Pattinson Director of Business Development & Technology IT & Public Sector

Solutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance

White Paper. From Policy to Practice: A Practical Guide to Implementing HIPAA Security Safeguards

Entrust Managed Services PKI. Getting started with digital certificates and Entrust Managed Services PKI. Document issue: 1.0

Cyber-Ark Software and the PCI Data Security Standard

Unique Challenges in Architecting a Healthcare PKI that Spans Public and Private Sectors

Using Entrust certificates with VPN

CoSign for 21CFR Part 11 Compliance

Oracle WebCenter Content

User Authentication for Software-as-a-Service (SaaS) Applications White Paper

Managed Portable Security Devices

Strong Authentication for Secure VPN Access

Sophistication of attacks will keep improving, especially APT and zero-day exploits

Authentication Solutions. Versatile And Innovative Authentication Solutions To Secure And Enable Your Business

SSL VPN vs. IPSec VPN

State of Arkansas Policy Statement on the Use of Electronic Signatures by State Agencies June 2008

ELECTRONIC SIGNATURES AND ELECTRONICALLY SIGNED RECORDS

Management Update: The Outlook for the PKI Market

Tools to Aid in 21 CFR Part 11 Compliance with EZChrom Elite Chromatography Data System. White Paper. By Frank Tontala

Network Security Protocols

The Four "A's" of Information Security

MOBILE GAMING SYSTEM POLICIES

Best Practices in Identity and Access Management (I&AM) for Regulatory Compliance. RSA Security and Accenture February 26, :00 AM

CHOOSING THE RIGHT PORTABLE SECURITY DEVICE. A guideline to help your organization chose the Best Secure USB device

CHIS, Inc. Privacy General Guidelines

Internet File Management & HIPAA A Practical Approach towards Responding to the Privacy Regulation of the Act

Ensuring the security of your mobile business intelligence

Authentication Levels. White Paper April 23, 2014

PROTECT YOUR WORLD. Identity Management Solutions and Services

Part III-a. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai Siemens AG 2001, ICN M NT

Chapter 12. Security Policy Life Cycle. Network Security 8/19/2010. Network Security

Best Practices for Securing Your Enterprise:

Lesson Plans Microsoft s Managing and Maintaining a Microsoft Windows Server 2003 Environment

Thai Digital ID Co.,Ltd.

WHITE PAPER Usher Mobile Identity Platform

Pilot WEDI Review

TNHFMA 2011 Fall Institute October 12, 2011 TAKING OUR CUSTOMERS BUSINESS FORWARD. The Cost of Payment Card Data Theft and Your Business

Security (II) ISO : Security Architecture of OSI Reference Model. Outline. Course Outline: Fundamental Topics. EE5723/EE4723 Spring 2012

ADDING STRONGER AUTHENTICATION for VPN Access Control

Security Controls What Works. Southside Virginia Community College: Security Awareness

White Paper Preventing Man in the Middle Phishing Attacks with Multi-Factor Authentication

Security Considerations for DirectAccess Deployments. Whitepaper

Whitepaper MODERN THREATS DRIVE DEMAND FOR NEW GENERATION TWO-FACTOR AUTHENTICATION

Implementing and Administering Security in a Microsoft Windows Server 2003 Network

Replacing Sneaker Net with the Internet. DREXEL UNIVERSITY ischool INFO614 DISTRIBUTED COMPUTING & NETWORKING FINAL PROJECT

An Introduction to Entrust PKI. Last updated: September 14, 2004

VPN Solutions FAQ North America International Germany Benelux France Spain Israel Asia Pacific Japan

Security Services and Solutions. Full security, from planning through implementation to operation.

Authentication Solutions VERSATILE AND INNOVATIVE AUTHENTICATION SOLUTIONS TO SECURE AND ENABLE YOUR BUSINESS

HIPAA Security Checklist for Healthcare Providers - Self-Evaluation Checklist

French Justice Portal. Authentication methods and technologies. Page n 1

The Costs of Managed PKI:

Strong Authentication: Enabling Efficiency and Maximizing Security in Your Microsoft Environment

Security + Certification (ITSY 1076) Syllabus

Agilent MicroLab Software with Spectroscopy Configuration Manager and Spectroscopy Database Administrator (SCM/SDA)

Two-Factor Authentication

VeriSign PKI Client Government Edition v 1.5. VeriSign PKI Client Government. VeriSign PKI Client VeriSign, Inc. Government.

Contents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008

The Information Security Problem

Introducing etoken. What is etoken?

IBM Maximo technology for business and IT agility

Integration Guide. SafeNet Authentication Client. Using SAC CBA for Check Point Security Gateway

Securing access to Citrix applications using Citrix Secure Gateway and SafeWord. PremierAccess. App Note. December 2001

Ensuring the security of your mobile business intelligence

How to use the Alertsec Service to Achieve HIPAA Compliance for Your Organization

Preemptive security solutions for healthcare

Department of Supply & Services (CIMS) RSA Web Express User Guide v1.2

Modern Multi-factor and Remote Access Technologies

Strong Authentication for Healthcare

Support for the HIPAA Security Rule

Token Security or Just Token Security? A Vanson Bourne report for Entrust

Written Information Security Plan (WISP) for. HR Knowledge, Inc. This document has been approved for general distribution.

Global Headquarters: 5 Speen Street Framingham, MA USA P F

Preparing for the HIPAA Security Rule

Briefly describe the #1 problem you have encountered with implementing Multi-Factor Authentication.

Oracle Identity Management Concepts and Architecture. An Oracle White Paper December 2003

how can I provide strong authentication for VPN access in a user convenient and cost effective manner?

Department of Defense INSTRUCTION. SUBJECT: Public Key Infrastructure (PKI) and Public Key (PK) Enabling

Achieving PCI-Compliance through Cyberoam

Presentation of the ICCS Platform for the international communication of civil-status data by electronic means

Security Requirements for Wireless Networking

Cisco Which VPN Solution is Right for You?

PRIME IDENTITY MANAGEMENT CORE

State of Arizona Policy Authority Office of the Secretary of State

Transcription:

Adoption of PKI Where are we, where should we be, what s holding us back, and where do we want to go? And: what about authentication vs. authorization? Rich Guida

What are the framing issues? What applications need authentication, e-e signatures, or confidentiality? What determines the degree of need? What is the nature of the population of users an application services? What is the span of control of the PKI intended to service that application? Do you justify a PKI based on Return on Investment or something else? Does the PKI handle user authorization or just authentication?

Where are we? PKI is being broadly used for SSL server-side side authentication Whether it provides all of the security one might like or not PKI is seeing growing acceptance within enterprises as a tool for user authentication, e-signatures, e and confidentiality Many examples, government and private sector PKI is starting to be used between enterprises and in IPSEC But PKI is NOT being used globally by consumers With some notable exceptions (e.g., ScotiaBank) And PKI is also not being used broadly for user authorization Attribute certificates still a work in progress

Where should we be? Using PKI broadly for authentication, and ultimately authorization Integrating PKI into the network and enterprise directory services, so it can benefit from them Providing a common look and feel at the application layer for certificate use Making the use of certificates seamless and reasonably invisible to the average user

What s really holding us back? Lack of applications that use certificates The race to be second Lack of common semantics (e.g., in certificate policies) Organizational politics (e.g., Intra-organizational and inter-organizational parochialism, NIH syndrome, namespace control, lawyers) Dealing with legacy application entanglements Lack of an ability to show ROI (a chimera) And least of all the technology

Where do we want to go? Depends a lot on your perspective Some want to see identity Some want to see identity-based PKI burgeon for intra-enterprise use first, then inter-enterprise enterprise Others want to see identity-based PKI burgeon for dealing with consumers or the public Others would like PKI to focus on authorization rather than authentication Still others think we should use some other technology entirely But what? Passwords? Biometrics? Each has its own set of problems

Authentication vs. Authorization If an application needs to do one, it probably also needs to do the other Or needs to trust another application (or the network operating system) which has done the other Can do both simultaneously, or separately Should I separate variables before solving this PDE? (Normally yes, especially if the PDE is Navier-Stokes!)

Why do Separately? Intuitively consistent with processes we are all familiar with Required by some (perhaps most) regulations (e.g., FDA 21 CFR Part 11, e-records, e and e-e signatures) Allows PKI to do one while some other process does the other (thus, supports legacy applications that use ACLs) Sometimes identity is important separate from authorization (or identity is sufficient by itself such as patient access to his/her records under HIPAA)

Examples Passport To get one, have to prove who you are (don t even have to indicate why ) but if you want to use it, may need a visa (authorization to visit foreign country) Driver s license To get one, had to prove who you are, not just that you can drive e a car, and license provides evidence of identity as well as authorization to do something drive a vehicle Getting a credit card To get the card, had to provide evidence of who you are and ability ity to pay your debts (former needed to establish latter) Arguably you should be asked to provide stronger evidence than credit card companies require (to combat identity theft) Using a credit card Some merchants accept card alone for purchase (so it is like an authorization token), but increasingly you have to produce separate ate identity ID because of problem with fraudulent purchases

Example: Johnson & Johnson PKI Directory-centric centric Enterprise directory serves as authoritative source Certificate contents come solely from directory Two identity certificates (signature, encryption), plus role/group certificates Hardware token preference (USB ikey2032) but also support software tokens In first phase of deployment (about 500 certificates issued), testing underway Second phase (full production) later this year Goal is certs for almost all J&J employees plus, where necessary, customers and business partners Expect total number ultimately to be >>100,000 Willing to accept non J&J certs through cross-certification certification or trust list model

J&J PKI Key Uses Remote authentication with hardware token only (VPN using Nortel Contivity client) Authentication to enterprise software (e.g., SAP, Siebel, Oracle) Digital signatures to comply with FDA 21 CFR Part 11 (authorization established separately) Encryption to comply with Healthcare Insurance Portability and Accountability Act Secure (signed/encrypted) e-mail e for clinical trials, financial data, mergers/acquisitions, law department activities Automated Lab Instrumentation Management Systems (signatures and encryption)

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information