Software Token Security & Provisioning: Innovation Galore!

Kenn Min Chong, Principal Product Manager SecurID, RSA
Emily Ryan, Security Solution Architect, Intel
Michael Lyman, Product Marketing Manager, Intel
Overview
- Software Tokens: Recap
- Where Could We Go Next? iOS/Android
- Where Could We Go Next? Windows
- Protecting RSA SecurID Software Tokens with Intel 5th Generation vPro Systems
Software Tokens: 2015 Recap
AM 8.1 SP1 Self Service Console: QR Code Provisioning
- QR Code Provisioning of Software Tokens will reduce provisioning time and costs by 80%
- Increase user self-service
- Eliminate help desk calls
- Streamline the provisioning process with fewer, intuitive steps
- QR codes are becoming more accepted by end users
- Software tokens are QR Code Ready (iOS and Android)
Software Tokens: 2015 Recap
Windows Desktop Token: RSA + Intel
- Available on all Intel 5th generation vPro Systems (PCs/tablets)
- Encryption and signing of the token record using an Intel hardware based Platform binding key
- Plug-in (Intel IPT based Token Provider) fully built and supported by Intel
- Available for download today at Intel with whitepaper and guides (https://downloadcenter.intel.com/download/24788)
Where Could We Go Next? iOS/Android: Fingerprint
2 Concepts
- PIN Convenience: Fingerprint to submit stored PIN
- App Security: Fingerprint to launch app

Proposed Approaches:
  SW Token Type | Biometric Approach | Benefits
  PINPad        | PIN Convenience    | Convenience
  Fob Style     | App Security       | Extra Factor
  PINLess       | App Security       | Extra Factor
Where Could We Go Next? iOS/Android: Enterprise Mobility Management (EMM) Integration
Example vendors: AirWatch, MobileIron, Good, etc.
Proposal:
- Push data from EMM server to managed RSA Software Token app
  - App configuration (Mask PIN, enable/disable TouchID)
  - Provisioning Token Record (no emails, no QR Code; behind-the-scenes provisioning)
- Pull data from managed RSA Software Token app to EMM server
  - Binding ID (auto user provisioning by EMM server at the RSA Authentication Manager server)
Question: Are you willing to get an EMM solution to get these features?
Protecting RSA SecurID Soft Tokens with Intel 5th Generation vPro Systems
Business Megatrend: Security
- >500M units of active business clients are vulnerable to the same attack
- Ground 0 for many recent breaches is a compromised login credential
How Big is the Emerging Attack Surface?

An Average Day In An Average Enterprise (1)
- Every 1 min a host accesses a malicious website
- Every 3 mins a bot is communicating with its command and control center
- Every 9 mins a High Risk application is being used
- Every 10 mins a known malware is being downloaded
- Every 27 mins an unknown malware is being downloaded
- Every 49 mins sensitive data is sent outside the organization
- Every 24 h a given host is infected with a bot

[Chart: Forecast: Global Internet Device Installed Base (2), "The Internet of Everything"; number of devices in use globally (in billions), 2009 through 2018E, broken down by PCs, Smartphones, Tablets, Internet of Things, Connected TVs, Wearables and Connected Cars]

(1) Source: Check Point Security Report 2014
(2) Source: BI Intelligence Investments 2014
The Four Pillars of Intel's Security Focus
- Protect: Identity. Protect user & device identities
- Protect: Data Protection. Protect data at rest and in transit
- Detect: Anti-Malware. Detect malware based on signature & behavior
- Correct: Resiliency. Correct security weaknesses & breaches
Intel platforms ship with Security built-in!
Note: Not all features available across all products
Where is Intel Security Engine?

[Block diagram: Intel 5th Gen CPU connected over x4 DMI to the PCH (Skylake PCH), labelled "Superior I/O and Great Flexibility": 8 USB3 (4 muxed), 12 USB2, 4 SATA Gen3, 16 PCI-E lanes (8 ports: 2x4, 4x1), GbE PHY, SMBus/SMLink, 2 I2C, 2 SPI, 3 UART, SDIO/WLAN, TPM 2.0 on SPI, EC/SIO on FWH/SPI/eSPI, HD Audio codec and Intel Audio DSP on I2S, and SPI flash holding the BIOS, AMT code and GbE firmware]

Software and workloads used in performance tests may have been optimized for performance only on Intel microprocessors. Performance tests, such as SYSmark and MobileMark, are measured using specific computer systems, components, software, operations and functions. Any change to any of those factors may cause the results to vary. You should consult other information and performance tests to assist you in fully evaluating your contemplated purchases, including the performance of that product when combined with other products. For more information go to http://www.intel.com/benchmark
Intel Confidential. *Other names and brands may be claimed as the property of others.
Identity and Access Management (IAM): Securing the Front Door, a Key Challenge
Many authentication factors exist, including Passwords, Tokens and Key Infrastructure, but there is no unifying framework to simplify implementation, management and enforcement.
Known challenges with current authentication methods:
- Passwords: complex for users and IT = vulnerable
- Tokens and Smart Cards: costly to maintain
- Software-based Keys: at greater risk
- User Presence and context: location confirmation is difficult
Many weaknesses in traditional security make it difficult and expensive to optimize identity and access management.
What is Multi-Factor Authentication?
Industry is adopting an experience-based approach to verifying identity (biometrics, MFA) using a combination of two (e.g. fingerprint and device) or more factors.
NOTE: A single factor (password, PIN, etc.) is not deemed secure; presence detection is a new requirement.

  Level        | Factors                                        | Count
  Single       | Knowledge (Username + Password)                | One Factor
  Two Factor   | Knowledge + Possession or Inherence            | 2 Factors
  Multi-Factor | Knowledge + Possession and Inherence           | 2+ Factors

Multi-factor authentication increases your security posture, but traditionally has been at the cost of user experience.
Intel Identity Protection Technology with Multi-Factor Authentication (Intel IPT with MFA)
For Corporate and Managed Small Businesses
1. Hardened with Intel's Security Technologies rooted in firmware and hardware
2. Supports a variety of hardened authentication factors: PIN, Proximity, Biometrics, Location
3. Designed as a horizontal capability and available to ISVs & OEMs
4. Easily integrates with existing corporate infrastructure: Devices (OS, Domain Login), Network (VPN), Apps & Websites (Single Sign-on & more)
5. Provides hardened MFA policy management using your choice of console (e.g. McAfee ePO, Microsoft* SCCM)

[Diagram: Business Users authenticate themselves simply and securely through Intel IPT w/ MFA to securely log in anywhere; the IT Admin manages the company's authentication policy securely and reliably]
Market Leading Identity Provider RSA Now Integrated with 5th Generation Intel vPro Platforms
- RSA SecurID Software Token is protected in hardware by the Intel Identity Protection Technology (IPT) based Token Provider supported by 5th Generation Intel vPro Platforms
- SecurID seed record is protected and signed by an encryption key that is stored on the Intel chipset
- Provides a hardened solution against removing the SecurID seed record (with malware) and running it on a different machine
- Offers hardware-level token security with the convenience of a software token
- Easy to install: driver install package, then the same process as provisioning a SecurID software token
Set up of RSA SecurID Software Token on 5th Generation Intel vPro
1. Install Intel Token Provider.dll, Intel CSP and Intel ME Driver
2. Install RSA SecurID Software Token v. 5.0 or later
3. RSA SecurID server provisions the SecurID Software Token Seed to hard disk
4. Import the Token Seed by selecting Import Token from the pull-down and choosing Intel Token Provider from the list of Storage Devices in which to store the Token Seed

[Diagram: on Windows OS, RSA SecurID Software Token v. 5.0 -> Intel IPT Based Token Provider.dll -> Intel Crypto Service Provider -> Intel MEI Driver; on the Intel Chipset/Intel SE, the Intel SE Dynamic Application Loader runs the Intel IPT PKI Applet; the RSA SecurID Server provisions the seed]
Protecting RSA SecurID Software Client with Intel IPT Token Provider
1. Intel CSP generates a public/private key pair in the ME
2. RSA SecurID Software Token seed is encrypted with the public key and signed by the private key
3. The signed and encrypted RSA Software Token (seed) is stored in Persistent Storage in the Intel IPT Based Token Provider

[Diagram: on Windows OS, RSA SecurID Software Token -> Intel IPT Based Token Provider.dll -> Intel Crypto Service Provider -> Intel MEI Driver; on the Intel Chipset/Intel SE, the Intel SE Dynamic Application Loader runs the Intel IPT PKI Applet]
Using RSA SecurID Software Client with Intel IPT Token Provider
1. The SecurID Software Token receives a Get OTP request and passes the request to the Intel IPT Based Token Provider
2. The private key stored in the ME is used to decrypt the SecurID Software token seed and verify its signature
3. The SecurID Software token generates the OTP
4. The seed record is re-encrypted and stored again in the Intel IPT Based Token Provider

[Diagram: on Windows OS, RSA SecurID Software Token -> Intel IPT Based Token Provider.dll -> Intel Crypto Service Provider -> Intel MEI Driver; on the Intel Chipset/Intel SE, the Intel SE Dynamic Application Loader runs the Intel IPT PKI Applet]

RSA SecurID Software Token Seed Record Cannot be Removed by Malware and Run on Another PC
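The protect and use flows on the two slides above (key pair created inside the ME, seed encrypted and signed, stored, then decrypted, verified, used for an OTP and re-sealed) can be modelled end to end. The following is an added example written for this page, not RSA's or Intel's code: the Management Engine, the IPT PKI applet and the Token Provider DLL are replaced by a PlatformEngine object whose master key never leaves it, the RSA encrypt-and-sign step is replaced by a constructed HMAC-based stream cipher plus HMAC tag, and the SecurID OTP algorithm (not described on the page) is replaced by an RFC 4226 style HMAC truncation. The seed bytes and engine keys are constructed sample values.

```python
"""Model of binding a software-token seed to a platform-resident key.

Added illustration, not RSA's or Intel's implementation. A PlatformEngine
stands in for the Intel ME + IPT PKI applet: it holds a master key that is
never exported, seals the seed (encrypt + authenticate) and only unseals
blobs that were sealed under its own key. A blob copied to another machine
(another PlatformEngine) fails verification, which is the property the
slides describe. Cipher and OTP algorithm are stand-ins, see lead-in.
"""
import hashlib
import hmac
import os
import struct
import time

NONCE_LEN = 16
TAG_LEN = 32


class PlatformEngine:
    """Simulated hardware key store: one per machine, key created at first use."""

    def __init__(self, master=None):
        # In the real product this key pair lives inside the ME; here it is a
        # random 32-byte master from which separate enc and mac keys are derived.
        self._master = master if master is not None else os.urandom(32)
        self._enc_key = hmac.new(self._master, b"enc", hashlib.sha256).digest()
        self._mac_key = hmac.new(self._master, b"mac", hashlib.sha256).digest()

    def _keystream(self, nonce, length):
        # Constructed stream cipher: HMAC-SHA256 in counter mode.
        out = b""
        counter = 0
        while len(out) < length:
            block = hmac.new(self._enc_key, nonce + struct.pack(">I", counter),
                             hashlib.sha256).digest()
            out += block
            counter += 1
        return out[:length]

    def seal(self, seed):
        """Encrypt the seed and bind it to this engine: nonce || ciphertext || tag."""
        nonce = os.urandom(NONCE_LEN)
        ct = bytes(a ^ b for a, b in zip(seed, self._keystream(nonce, len(seed))))
        tag = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def unseal(self, blob):
        """Verify the tag first, then decrypt. Rejects blobs sealed by another engine."""
        if len(blob) < NONCE_LEN + TAG_LEN:
            raise ValueError("seed record too short")
        nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
        expected = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("seed record is not bound to this platform")
        return bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct))))


def hotp_style_code(seed, counter, digits=6):
    """RFC 4226 dynamic truncation; stand-in for the proprietary SecurID algorithm."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def provision(engine, seed):
    """Slide 'Protecting ...': seal the freshly imported seed into the provider's storage."""
    return engine.seal(seed)


def get_otp(engine, blob, now=None):
    """Slide 'Using ...': unseal, compute the OTP for the current 60 s window, re-seal.

    Returns (otp, new_blob); the caller replaces its stored blob with new_blob,
    mirroring step 4 (seed re-encrypted and stored again).
    """
    seed = engine.unseal(blob)
    window = int((time.time() if now is None else now) // 60)
    otp = hotp_style_code(seed, window)
    return otp, engine.seal(seed)


if __name__ == "__main__":
    machine_a = PlatformEngine(b"A" * 32)   # constructed key for machine A
    machine_b = PlatformEngine(b"B" * 32)   # constructed key for machine B
    sample_seed = bytes(range(16))          # constructed 128-bit seed
    stored = provision(machine_a, sample_seed)
    otp, stored = get_otp(machine_a, stored)
    print("OTP on machine A:", otp)
    try:
        get_otp(machine_b, stored)          # blob copied to another PC
    except ValueError as exc:
        print("machine B:", exc)
```

The model shows only what the slides claim: a copied seed record is useless off the platform that sealed it, because unsealing is tied to a key that never leaves that platform. It does not model the case the slides do not cover, software on the same machine calling the provider; that is why the OTP path is the only way out of the engine and why the caller never sees the raw seed outside get_otp.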
Demo
Notices & Disclaimers
Intel technologies' features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No computer system can be absolutely secure. Check with your system manufacturer or retailer or learn more at intel.com.
All information provided here is subject to change without notice. Contact your Intel representative to obtain the latest Intel product specifications and roadmaps.
Copyright 2015, Intel Corporation. All rights reserved. Intel and the Intel logo are trademarks of Intel Corporation in the U.S. and/or other countries. *Other names and brands may be claimed as the property of others.