Authentication As A Service
Why will new cloud-based authentication solutions be adopted by about 50% of companies by 2017?
Jason Hart, CISSP, CISM, VP Cloud Solutions
What a great world
Today's World
- Internal people
- Branch Offices
- PDA Users
- Remote Users
- 3rd Party Access
- Users and their workspaces
- SaaS Apps
- Cloud Applications
Welcome to the Future: Cloud Computing
- Virtual World with Virtual Back Doors
- Virtual Environment with Virtual Security Holes
- During the past 15 years we have learnt nothing
We have forgotten:
- Confidentiality
- Integrity
- Availability
- Accountability
- Auditability
Have we not learnt a thing?
Welcome to the 3rd Age of Hacking
- 1st Age: Servers. FTP, Telnet, Mail, Web. These were the things that consumed bytes from a bad guy. The hack left a footprint.
- 2nd Age: Browsers. JavaScript, ActiveX, Java, image formats, DOMs. These are the things that are getting locked down, slowly and incompletely.
- 3rd Age: Mobile devices. The simplest, and getting easier. Targeting the mobile device to obtain someone's password is the skeleton key to their life and your business. Totally invisible, no trace.
Password Attack: Welcome to the Future of Hacking
- Attack channels: web, mail, open services
- Targeted attacks against users, business and/or premium resources
- A password attack is totally invisible to you
- Mobile devices are becoming an easy target for advanced persistent threats (APT)
During the Past 7 Days
Verizon's annual Data Breach report
Quoted from the report: "...so, it really comes as no surprise that authentication based attacks (guessing, cracking, or reusing valid credentials) factored into about four of every five breaches involving hacking in our 2012 dataset..."
"66% of the breaches in our 2013 report took months or even years to discover (62% months, 4% years)."
Protect Everything with SAS
Diagram labels: Tokens & Users; Public Cloud Applications; Private Networks; Corporate Network; API; LDAP / Active Directory; SAML; RADIUS; Agent; Private Cloud Services; Application Hosting; Online Storage; Collaboration Tools; Administrator
SafeNet Authentication:
- Provides the ability to rapidly scale and deploy authentication
- Simple, easy and low-cost, driving strong authentication into all markets
- The most powerful enterprise authentication server in the market
- Offers a multi-tenant, multi-tier authentication platform that allows an almost infinite number of virtual authentication servers for your business
More than Authentication
- Automate Service Delivery: features include a policy engine that can automatically provision, suspend or revoke tokens based on changes in the user repository
- Scheduled Automated Usage: audit and billing reports
- Branding: you can brand everything, including self-service, enrolment and messaging services
- Token Selection: the widest range of authentication token options
More than Authentication
- Security: customers can define their own security controls and policies
- Multi Tenant: the only true multi-tier platform in the world
- Multi Tier: manage centrally or fully devolve all administration
- Service Alerts: full automation of user and administrator alerts
- API: detailed API sets for authentication and administration
- Open platform: every enterprise is different, so full customisation to meet your needs
Multi-Tenant Multi-Tier Overview
Multi-tenant architecture:
- Scales to thousands of business units
- Unlimited numbers of users per business unit
- Manage multiple business units from one centralised interface
- Supports multiple domains
Secure:
- Only view one level down
- Isolation & access control
- Delegated management for lower tiers
Deliver enhanced service wrappers:
- Great for multi-region networks
- Inherit capabilities to lower level: SMS / SMTP gateways, branding
Diagram labels: Delegated Managed Subscriber; Subscriber A; Virtual Service Provider; Subscriber B; Enterprise Subscriber (Virtual Service Provider); Region 1; Region 2; Region 3
Multi-Tenant Multi-Tier
Multi-tenant architecture:
- Unlimited domains
- Directory stores: none required
- Localisation
- Automation: user fulfilment (provisioning, enrolment etc), user self healing, reports
- Secure: the ability to manage clients if rights are granted by the client
- Branding and region: adding of custom SMS gateways; everything can be fully branded
- Features: meets all market requirements
Diagram labels: Your Enterprise; Division 1; Division 2; Division 3; Division 4; Regional Office; Helpdesk; HR
Flexibility and Customisation
- Language: by region or admin
- Alert messages, including language
- SMS Gateways: by region
- Branding: even by region or business unit
- OTP policy: even by region or user base
- User experiences
- Role Management
- Reporting
- Pretty much everything, even the service you would like to offer
Example Flexibility
SAS offers full automation, including:
- Token provisioning
- Security rules definition engine: once created, rules are applied automatically
- Alerts
- SAML service registration
- Self enrolment
- Self service
- Reporting
Diagram labels: Auto Update; SAS; Auto-Provision User; Reporting and Alerts; Self-Enrollment; LDAP Changes
User Directory Sources
SafeNet supports any user store via a sync agent:
- SQL, LDAP, AD, ODBC, Lotus, Novell, anything (via custom field mapping)
- No schema change
- Non intrusive / read only
- Multiple domains
- No hardware required
- Encrypted transmission of data
Users can also be bulk imported via .csv files and / or created locally
Diagram labels: Corporate Network; LDAP / Active Directory / User Source
Unified Authentication Platform
Diagram label: Custom
Widest Choice of Tokens
Authenticators for every user type and an increasing focus on commoditisation
Multi Platform: H/W, BlackBerry, iOS, OS X, Android, Microsoft, SMS, Java, USB, Grid
Authenticators that:
- Don't expire
- Seed keys can be owned by the subscriber
- Can be easily re-assigned to new users
- Easy deployment saves cost and time
- A token can be included in the service charge
Token Choice
Choose the right token type for each user:
- Phone based
- Software
- Multiple hard tokens
- Tokenless: either SMS or Grid based
Our Authenticators:
- Don't expire
- Can be included in the service charge
- Seed keys can be generated by the customer
- Can be re-assigned to new users
- Self enrollment options reduce administration
- OTP & PIN complexity defined by the customer
- Provides the lowest overall total cost of ownership
- Supporting 3rd party tokens enables an orderly and cost effective migration
Self Service
- Customizable: icons, colors, services
- Multi-language
- Request Token: approve, issue, ship workflow
- Self-service API (WSDL): build into existing portals
User Aliases
- User has multiple IDs: 1 UserID + up to 2 Aliases
- All can use the same token(s)
- Allows for different privileges with only 1 token
Diagram labels: UserID: Bill; UserID: SysAdmin; UserID: Billy; Standard User Applications; Finance Servers; Enterprise Resources; Router & Server Management
Security
- Hardware HSM support
- All token seed records encrypted and protected by HSM
- All encryption/decryption executed internally by HSM
- Data center to data center failover
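The token slide (OTP & PIN complexity, customer-generated seed keys, re-assignable tokens) and the security slide (seeds never leave the HSM) describe one verification flow. The following is an added example, not SafeNet's or SAS's code, showing that flow in working Python. It assumes the event-based HOTP algorithm of RFC 4226 as the token algorithm (the deck does not name one), a hypothetical SeedVault class standing in for the HSM boundary, the RFC 4226 test seed as a constructed token seed, and a constructed user "bill" with PIN "1234". The verifier rejects replays by remembering the last accepted counter per token and accepts a bounded look-ahead window so a token that was pressed without logging in still works.

```python
"""Constructed example: PIN + event-based OTP verification with seeds kept behind a vault."""
import hashlib
import hmac
import os
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class SeedVault:
    """Hypothetical stand-in for the HSM on the slide: seeds never leave this object,
    callers can only ask it to compute an OTP for a token id. A real HSM would hold the
    seed encrypted under its own key and run the HMAC internally."""

    def __init__(self) -> None:
        self._seeds: dict[str, bytes] = {}

    def enrol(self, token_id: str, seed: bytes) -> None:
        self._seeds[token_id] = seed

    def compute(self, token_id: str, counter: int) -> str:
        return hotp(self._seeds[token_id], counter)


class OtpVerifier:
    """Checks PIN+OTP passcodes, tracks the last accepted counter per token to reject
    replays, and allows a look-ahead window for tokens that have drifted ahead."""

    def __init__(self, vault: SeedVault, window: int = 10) -> None:
        self.vault = vault
        self.window = window
        self.last_counter: dict[str, int] = {}                  # token_id -> last accepted counter
        self.pin_records: dict[str, tuple[bytes, bytes]] = {}   # user -> (salt, PIN hash)
        self.token_of: dict[str, str] = {}                      # user -> token_id (re-assignable)

    @staticmethod
    def _hash_pin(pin: str, salt: bytes) -> bytes:
        # PINs are stored salted and stretched, never in clear
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def register(self, user: str, token_id: str, pin: str) -> None:
        salt = os.urandom(16)
        self.pin_records[user] = (salt, self._hash_pin(pin, salt))
        self.token_of[user] = token_id
        self.last_counter.setdefault(token_id, -1)

    def verify(self, user: str, passcode: str, pin_len: int = 4, otp_len: int = 6) -> bool:
        if user not in self.pin_records or len(passcode) != pin_len + otp_len:
            return False
        salt, stored = self.pin_records[user]
        pin_ok = hmac.compare_digest(self._hash_pin(passcode[:pin_len], salt), stored)
        otp = passcode[pin_len:]
        token_id = self.token_of[user]
        start = self.last_counter[token_id] + 1          # counters at or below the last one are burnt
        for counter in range(start, start + self.window):
            if hmac.compare_digest(self.vault.compute(token_id, counter), otp) and pin_ok:
                self.last_counter[token_id] = counter     # consumes this and every earlier counter
                return True
        return False


def demo() -> list[bool]:
    """Constructed walk-through; returns the outcome of each attempt in order."""
    vault = SeedVault()
    vault.enrol("tok-1", b"12345678901234567890")   # RFC 4226 test seed, constructed for the demo
    verifier = OtpVerifier(vault)
    verifier.register("bill", "tok-1", "1234")
    return [
        verifier.verify("bill", "1234755224"),  # counter 0: accepted
        verifier.verify("bill", "1234755224"),  # same passcode again: replay, rejected
        verifier.verify("bill", "1234969429"),  # counter 3, inside the look-ahead window: accepted
        verifier.verify("bill", "1234287082"),  # counter 1, already consumed by the jump to 3: rejected
        verifier.verify("bill", "9999338314"),  # counter 4 with the wrong PIN: rejected, counter not burnt
    ]


if __name__ == "__main__":
    print(demo())
```

The split between SeedVault and OtpVerifier is the point of the security slide: the verifier holds policy (PIN length, window, replay state) but never sees a seed, so a compromise of the verifier host yields counters and PIN hashes, not the material needed to mint OTPs. Re-assigning a token to a new user is a change to token_of only; the seed stays where it is.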
SAML Single Sign-On
- Authentication at one allowed SAML site gives access to all allowed sites
- Logoff at one allowed site, logged off at all allowed sites
Diagram labels: UserID: Bill; Password: OTP; SAML Assertion bill@gmail.com; SAML Assertion blaham@cryptocard.com; SAML Assertion bill
SafeNet Authentication Architecture
Diagram labels: SafeNet Authentication Service; SafeNet Authentication DataCenter; DataCenter; SMS via HTTP(S); User Repository; Portals; Group; Subscriber; Agents; LDAP Synch; Token Repository; Engines; Security Policy; Authentication; Email via SMTP; Internet; SMS Gateway (Subscriber or SP selected); User Self-Service; Migration; Provisioning; Self-Enrolment; Solutions; Reporting/Alerts; SMS message; Virtual Server Management & Admin; Reports & Alerts; User service requests; User information; Migrations; Agent; SAML; Radius Authentication; Authentication Request; Administrator; Tokens; Users; Existing RADIUS Server; Access Devices
Global Trends: as-a-service is accepted by customers
Authentication-as-a-Service is HOT!
"Gartner predicts that, by 2017, more than 50% of enterprises will choose cloud-based services as the delivery option for new or refreshed user authentication implementations, up from less than 10% today." (Gartner MQ for User Authentication, 2012)
$13bn by 2015, with 47% in North America (Source: The 451 Group Cloud Computing Market Monitor, August 2012)
SAS is absolutely the hottest product!
Leaders in the Market
Gartner ranks SafeNet at the top of the Leader's Quadrant
Facing challenges you can't address?
- SaaS applications
- VPNs
- More users to protect: employees, partners, contractors
- More data and applications to protect
- Virtual Environments
- Web-based portals
- More end points being used
1] CONTROL: It is complex to set up, and hard to implement
The real world
2] AUTOMATION: Difficult and time-consuming to re-provision existing users, and enrol new users
3] CHOICE: Only one token choice per user, and can't use existing authentication tokens during the migration
4] TCO: Hidden service & maintenance costs and high upfront infrastructure costs
TCO
Pricing! It's all about total cost of operation
- Includes internal costs
- Simple per user per year model, MP tokens included, no extras
- Opex or Capex models
- Automate everything: massively reduces administration costs
Summary
- Fully Automated
- Authenticate Your Way
- Migrate Easily
- Protect Everything & Everyone
- Lower TCO