Enhancing IBM SAM E-SSO's Strong Authentication capabilities with smart phones, smart cards and other tokens

Sven Gossel, IBM Security Talk, May 24th, 2012
Desktop and application virtualization are creating new challenges for the enterprise

- Security: virtual desktops and applications accessed ubiquitously are protected by weak, shared passwords
- Compliance: do you know which nurse accessed which critical patient records from her virtual desktop?
- Costs: help-desk calls due to forgotten passwords can be expensive
- Productivity: desktop and application lockouts and slow access to applications hamper productivity

2011 IBM Corporation
IBM Security Access Manager for Enterprise Single Sign-On is the most effective way to address those challenges!

- Strengthen security: strong passwords, strong authentication
- Demonstrate compliance: fine-grained audit logs, session management
- Reduce costs: fewer helpdesk calls (save up to $25 per call!)
- Increase productivity: no account lockouts, fast access to information
IBM Security Access Manager for Enterprise Single Sign-On (ISAM E-SSO) v8.2 Solution Overview

- Single sign-on
- Supports strong authentication
- Kiosk sharing
- Password self service
- Web-based administration
- Browser-based remote access
- User access tracking & audit
- No change to the infrastructure

ISAM E-SSO enables visibility into user activity, control over access to business assets, and automation of the sign-on process in order to drive value for our clients.
Latest IBM Security Access Manager for Enterprise Single Sign-On: Desktop Single Sign-On, Strong Authentication and fine-grained user activity audit logs

Simplify password management and strengthen end user security.

Business challenge: reduce help desk costs, improve productivity and strengthen security on traditional, virtual and shared desktop environments.

Key solution highlights:

- Virtual Appliance for faster time to value: easier deployment and management leading to lower TCO
- Security for your virtualized desktops and applications:
  - Virtual Desktop Infrastructure: secure your VMware View cloud and virtual desktops and track fine-grained user activity inside them
  - Application Virtualization: secure access to your virtualized Microsoft App-V or Citrix XenApp applications
- Wider platform support: support for Windows 7 64-bit platform and applications, Windows 2008, Internet Explorer 8 & 9
- Enhanced Strong Authentication support: hybrid RFID smart card, support for national IDs

IBM's Security Access Manager for Enterprise Single Sign-On helped achieve a ROI of 244% over 3 years with a payback period of 11 months (large UK financial services company).
Charismathics Milestones

- 2005: Re-inventing PKI middleware
- 2007: Re-inventing Trusted Platforms
- 2010: Re-inventing smart cards
The world's only cross-platform authentication

Get the most sophisticated identity client ever:

- For any size of organization, even for a single user
- Millions of users around the globe
- Agnostic on software, hardware and platforms
- Fully interoperable with all major Certificate and TMS products, including IBM Security Access Manager for Enterprise Single Sign-On and Lotus Notes

Re-invent access control by using smart phones:

- Use your smart phone instead of expensive and unhandy hardware
- Support applications on computers and mobile phones
- Migrate in steps from domain passwords towards full PKI security
- Achieve a higher security level with less effort and money
- Increase usability and transparency for both admins and users

Upgrade both convenience and security:

- Migrate domain passwords towards 2-factor authentication
- Re-use your RFID cards, introducing PKI on your computers
- Introduce the least costly PKI scheme ever
- Merge parallel infrastructures to streamline processes
- Unplug your accessories and clean up the office
Business advantages for the customer

The most of hardware:

- Make use of smart phones and other tokens for ISAM ESSO
- Upgrade existing installations without changing the hardware
- Use RFID cards for certificate-based access control
- Make use of SIM cards for your access control
- Make use of Trusted Platform Modules

The most of software:

- Increase your security level within ISAM ESSO installations
- Make the best use of the customer's software
- Be independent when choosing additional software
- Be independent of hardware lifecycles
- Make hardware vendors compete against each other

Simplify your infrastructure:

- Increase the effectiveness of existing schemes
- Upgrade the usability for admins and users
- Reduce investments in devices and accessories
- Free your support staff of routine work and save money
- Eliminate hardware logistics from your PKI equation
Typical use cases for ISAM ESSO and Charismathics products with high customer value

PKI-based Windows logon schemes within banks, insurances and private enterprises:

- Connect PKI tokens to ISAM ESSO and Windows logon
- Fully interoperable with smart phones, also using passwords
- Compatible with all major Full Disk Encryption products

Hands-free SSO operation in hospitals:

- Use Bluetooth features to keep operations hands-free
- Reach security compliance using different user accounts
- Upgrade from passwords to certificates on-the-fly

Make use of national eID cards for SSO implementations:

- One-stop shop rather than multiple vendor relations
- Smooth migration paths between different card solutions

Other: company mergers and product migration projects:

- Enabling trusted-platform-based PKI logon
- Re-use non-PKI RFID cards for SSO implementations
- Improving customer set-ups for token supplier independence
Turn your smart phone into a smart card (Product: ienigma)

- Scalable from single users up to a full enterprise solution
- No need to deploy a smart card and smart card reader
- Certificate-based authentication with your smart phone
- 100% seamless integration into PKI schemes
- Windows Mobile, iOS, Android, RIM via Bluetooth or WiFi
- Also supports domain passwords
- Supports all standard applications on both computer and smart phone using standard PKI interfaces
- High convenience through proximity-based Bluetooth features
- Allows a simple 4-eyes principle and automatic logon/logoff*)
- Fully supports ISAM ESSO in password and PKI mode
- Significant price benefit with the same security
- Secure PIN entry by concept, no premium charge
- Supports multiple token form factors including NFC and secure SD

*) ienigma 2.0 and higher
ienigma logon with ISAM ESSO (sequence; PKI mode and password mode side by side)

1. Phone: start the ienigma app.
2. Computer: CTRL+ALT+DEL (user interaction*).
3. Phone (ienigma): enter user PIN.
4. Phone (ienigma, via SSL channel through Bluetooth):
   - PKI mode: transfer digital signature to the ISAM ESSO CP
   - Password mode: transfer stored password to the CP
5. Computer: account logon (both modes).
6. ienigma CP via OS logon:
   - PKI mode: transfer to the ISAM ESSO access agent
   - Password mode: transfer password to the ISAM ESSO access agent
7. Computer (ISAM ESSO access agent): ISAM ESSO access agent logon.
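The two logon paths above, PKI mode (PIN unlocks a key that stays on the phone, only a signature crosses the Bluetooth channel to the credential provider) and password mode (the stored domain password is released to the CP), as an added illustrative model. This is not ienigma's or CSSI's code: the challenge-response shape, Ed25519 as the certificate key algorithm, the PIN check and the type names are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

// PhoneToken models the ienigma app's role on the phone (assumed design, not the product's code).
type PhoneToken struct {
	pinHash  [32]byte           // sha256 of the enrolled user PIN, entered on the phone
	priv     ed25519.PrivateKey // key behind the user's certificate; never leaves the phone
	storedPW string             // domain password kept for password mode
}
// unlock checks the PIN in constant time; a wrong PIN releases nothing in either mode.
func (t *PhoneToken) unlock(pin string) bool {
	h := sha256.Sum256([]byte(pin))
	return subtle.ConstantTimeCompare(h[:], t.pinHash[:]) == 1
}
// SignChallenge is PKI mode: only a signature over the CP's challenge crosses the Bluetooth channel.
func (t *PhoneToken) SignChallenge(pin string, challenge []byte) ([]byte, error) {
	if !t.unlock(pin) {
		return nil, errors.New("wrong PIN")
	}
	return ed25519.Sign(t.priv, challenge), nil
}
// ReleasePassword is password mode: the stored domain password is handed to the CP for OS logon.
func (t *PhoneToken) ReleasePassword(pin string) (string, error) {
	if !t.unlock(pin) {
		return "", errors.New("wrong PIN")
	}
	return t.storedPW, nil
}

// CredentialProvider models the ienigma CP on the computer: enrolled public keys per account.
type CredentialProvider struct{ Enrolled map[string]ed25519.PublicKey }
// NewChallenge issues a random nonce so a captured signature cannot be replayed later.
func (cp *CredentialProvider) NewChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c) // crypto/rand does not fail on supported platforms
	return c
}
// VerifyLogon accepts the account only if its enrolled key signed this exact challenge.
func (cp *CredentialProvider) VerifyLogon(account string, challenge, sig []byte) bool {
	pub, ok := cp.Enrolled[account]
	return ok && ed25519.Verify(pub, challenge, sig)
}
```

The CP's fresh challenge is what keeps a Bluetooth capture of one logon from being replayed; in password mode no such protection exists, which is why the slide deck treats it as a migration step towards PKI mode.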
CSSI: Charismathics Smart Security Interface (Product: CSSI)

- Comprehensive and independent client solution for smart card tokens
- Also supports soft tokens and standard RFID cards
- Proprietary devices: Privaris, Goldkey, MXI, Zvetco, WIBU
- Compliant with MS FIM, Intercede, VPS, Novell, ISAM ESSO and others

Application interface: PKCS#11 for all platforms, CSP, Minidriver, TSS, Pre-boot, TokenD. Applets, profiles, tools and utilities to initialize, manage and debug middleware, smart card services and hardware.

Hardware support:

- Smart card platforms including Gemalto (incl. MultOS), G&D, Oberthur, Sagem, Siemens, KEBT, ActivIdentity, AET, G&D, HID, Nexus, Cryptovision
- Supported eID card schemes: IAS ECC, CNS, FineID, PIV, RIC, SSID, INSS, KISA, eID Portugal, Spain, etc.
- TPM: Broadcom, Intel, Infineon, ST, Atmel, Nuvoton
ienigma architectural set-up with ISAM ESSO (layered diagram)

Applications (smart phone and PC): Adobe Acrobat, Cisco VPN, Checkpoint VPN, MS applications (Windows Network Provider, MS Office, RDP, others), Firefox, others

Crypto APIs on the smart phone: smart phone OS CAPI, ienigma CAPI on smart phone, ienigma PKCS#11 on smart phone

Crypto APIs on the PC: MS CAPI, CSSI CSP PC client, CSSI PKCS#11 PC client, ienigma CP, CSSI framework API

Transport and token layer: ienigma Bluetooth API, ienigma CCID driver, CCID simulator, phone token; PC-side tokens: smart card, USB key, flash drive
CSSI Roadmap 2012
ienigma Roadmap 2012
Video: ienigma applied to ISAM ESSO

Use case of ienigma for Windows and ISAM ESSO logon: 1-user scenario, 2-user scenario (http://www.charismathics.com/memberships/ibm-partnerworld/)
Red Book with IBM: Configuring Strong Authentication with IBM Security Access Manager for Enterprise Single Sign-On

IBM Security Access Manager for Enterprise Single Sign-On automates sign-on and access to enterprise applications, eliminating the need to remember and manage user names and passwords. The Red Paper shows additional technologies and specific examples based on charismathics CSSI to increase the security access level with the use of smart cards. Download here: http://www.redbooks.ibm.com/redpapers/pdfs/redp4808.pdf
charismathics listings on IBM directories

IBM Global Solution Directory:
- charismathics Smart Security Interface
- charismathics plug'n'crypt USB token
- charismathics smart security card

IBM Integrated Service Management Library:
- charismathics Smart Security Interface
- charismathics plug'n'crypt USB token
Contact charismathics: charismathics.team, youtube.com/charismathics, twitter.com/charismathics, charismathics.com/facebook, charismathics.com/linkedin, charismathics.com/googleplus, flickr.com/charismathics