Building a Fully Trusted Authentication Environment IBM-SafeNet Joint Solutions Strong Authentication for ISAM-Protected Resources An Introduction to IBM-SafeNet’s Joint Solutions 2014 Hi, Today we’ll review IBM and SafeNet’s joint solutions for providing strong authentication to online resources protected by IBM’s Secure Access Manager for Web.
Who we Are Trusted to protect the world’s most sensitive data We control access to the most sensitive corporate information– more than 35 million identities protected via tokens, smartcards, and mobile devices managed on-premise and in the cloud. We protect the most money that moves–over 80% of the world’s intra-bank fund transfers and nearly $1 trillion per day. We monetize the most high-value software–more than 100 million license keys protect and manage on-premise, embedded, and cloud applications globally. We are the de facto root of trust–deploying more than 86,000 key managers and protecting up to 750,000,000 encryption keys. FOUNDED 1983 Baltimore, MD OWNERSHIP Private REVENUE ~330m GLOBAL FOOTPRINT +25,000 Customers in 100 countries EMPLOYEES +1,400 In 25 countries ACCREDITED Products certified to the highest security standard
Gartner Magic Quadrant for User Authentication 2013 The most highly ranked vendor Considered the most visionary Cited for the best execution Recognized as having: Very sound market understanding Very strong product strategy Innovation
Today’s Enterprise Challenges Web Mobile / PC Network IT SECURITY BOUNDARIES CHANGING PASSWORDS EASILY COMPROMISED IBM has recently partnered with SafeNet for the purpose of extending strong, two factor authentication to web resources protected by ISAM, or IBM Secure Access Manager for Web. Before we delve into how the solution works, let’s take a look at the challenge the joint solution aims to solve. Threats [] Traditional enterprise IT security boundaries are disappearing due to tablets, smartphones, a growing number of critical web-based applications, and increased workforce mobility. [] And while an increasing amount of sensitive information is being moved outside the on-premises firewall, usernames and passwords still serve as the main authentication method to sensitive resources, such as email, VPNs, CRMs and ERPs. This means that an organization’s most important resources—its network, its data and its applications--are being accessed using one-factor authentication solutions which we all know are easily compromised by phishing attacks, keyloggers, and password-hacking techniques. [] On top of that, organizations are increasingly required to comply with regulations as well as conduct security audits. This challenges organizations to balance regulatory requirements with considerations such as usability and increased overhead. So how can you safeguard access to sensitive applications and resources, without relying on username/password combinations? ---------- IGNORE from this point on: This means that in order to access the corporate network, an office, CRM or ERP application, the user will also be required to enter a one-time password. Leading identity and access management solutions address security concerns for the traditional enterprise perimeter, which is limited to a Windows-based network, enterprise applications such as Microsoft Office and Oracle iprocurement, and may include internally-hosted ERP or CRM applications. As a result of these emerging challenges, enterprises are starting to ask themselves how they can strengthen security to their online resources, without creating So how can enterprises provide their employees, contractors, partners with access to critical web and network resources, without depending on weak username/password credentials, and w Sensitive information, is whether it’s financial, personal, or operational, now resides outside. And despite an information being Usernames and passwords, once adequate to defend sensitive information inside the perimeter, often prove to be the weakest link in the security chain, as they can easily be compromised by phishing, leaked databases, or hacking. As online corporate resources increase, however, organizations become more vulnerable because passwords serve as the main gating factor in granting access, and more and more passwords are required for average users to do their jobs. COMPLIANCE WITH REGULATIONS REQUIRED POLICIES
The Solution: Comprehensive IAM Solution + Strong, Two-Factor Authentication The answer is that you can safeguard these critical resources by adding strong, two-factor authentication to your access control procedures. This in turn gives you a higher level of assurance that the person attempting to access the protected resource is in fact who they claim to be. SafeNet and IBM have joined hands to offer you a seamlessly integrated solution to resources protected by IBM Secure Access Manager for Web/Mobile, or ISAM for Web/Mobile. In ISAM for Web/Mobile’s case, strong authentication can protect any web-based resource hosted within the enterprise network, such as an ERP application, IT administration applications, intranets and wikis, partner portals, and development platforms, among others. Strong, two factor authentication can be based on two technologies –the first being PKI certificate-based (or CBA) authentication, which is based on public key infrastructure, and the second being one-time-passwords (or OTPs).
IBM and SafeNet’s Joint Solution Combines two best-in-class products: IBM Security Access Manager (ISAM for Web/Mobile) SafeNet Authentication Solutions Streamlines and hardens access to resources by providing: Identity and Access Management (ISAM for Web/Mobile) Web SSO (ISAM for Web/Mobile) Strong multi-factor authentication (SafeNet Authentication) Offers added layer of protection via: One-time passwords (OTPs) Certificate-based authentication (CBA) Is certified by IBM as Ready for IBM Security Intelligence Let’s take a closer look at the joint solution. The joint solution -- Combines two best-in-class products: IBM Security Access Manager (ISAM for Web/Mobile) SafeNet Authentication Solutions Streamlines and hardens access to resources by providing: Identity and Access Management (ISAM for Web/Mobile) Web SSO (ISAM for Web/Mobile) Strong multi-factor authentication (SafeNet Authentication) Offers added layer of protection via: One-time passwords (OTPs) Certificate-based authentication (CBA) Now let’s take a look at how each of these technologies is used with ISAM for Web/Mobile.
ISAM for Web/Mobile with SafeNet Authentication In an authentication scenario that leverages one-time-passwords, the user would go to the resource’s login page or click a login button, and then be prompted to enter their LDAP (or regular network) credentials, as well as their 2nd factor credentials – in this case, a one-time-password. ISAM would verify the LDAP credentials against the LDAP server, and then redirect the user’s OTP to SafeNet Authentication Service (or SAS) for verification. In this scenario, SAS would serve as the OTP-authentication platform, verifying the user’s OTP, and returning an ‘accept’ or ‘reject’ response to ISAM. Since ISAM functions as a reverse proxy, the user does not directly access the resource, but rather the resource is provided to the user through ISAM.
ISAM for Web/Mobile with SafeNet Certificate-based Solutions In an authentication scenario that leverages certificate-based authentication, the user would log on to the network as usual, and when accessing a protected enterprise resource, such as an ERP application, Office application, or intranet, ISAM would intercept their access attempt and prompt them for their x.509 certificate credentials. The user would then enter their USB token and type their PIN, thereby authenticating to ISAM and gaining access to the protected resource. Acting as a reverse proxy, ISAM would then provide the resource to the user on behalf of the protected server.
Key Benefits of IBM and SafeNet’s Joint Solution Enables secure access to corporate resources Identity and access control policies centrally managed from ISAM Limits the number of passwords vulnerable to compromise Restricts user access to the corporate resources necessary to a job function Provides organizational efficiencies IBM/SafeNet solution reduces the total cost of ownership for an organization’s identity management and user authentication scheme Deploys without changing existing architecture Supports a wide range of authentication methods Supports existing investment in authentication solutions and incremental migration OTP authentication provided by SafeNet Authentication Service–a 100% cloud-based service that does not require additional hardware or infrastructure Certificate-based authentication–performed locally on user’s system, eliminating need for architectural changes Mobile Access – Supports strong authentication to web-based applications Supports numerous use cases, for example, requiring strong authentication for privileged users, such as IT admins, mandating strong authentication for remote access (VPNs) or remote workforce (contractors and partners, etc.) Key Benefits of IBM and SafeNet’s Joint Solution Enables secure access to corporate resources Identity and access control policies centrally managed from ISAM Limits the number of passwords vulnerable to compromise [for example, instead of 1000 users’ passwords being vulnerable to a phishing or hacking incident, the number can be reduced to 500, if only 500 users are required to use strong authentication in addition to their standard passwords.] Restricts user access to the corporate resources necessary to a job function Provides organizational efficiencies IBM/SafeNet solution reduces the total cost of ownership for an organization’s identity management and user authentication scheme Deploys without changing existing architecture Supports a wide range of authentication methods Supports existing investment in authentication solutions and incremental migration OTP authentication provided by SafeNet Authentication Service–a 100% cloud-based service that does not require additional hardware or infrastructure Certificate-based authentication–performed locally on user’s system, eliminating need for architectural changes Mobile Access – Supports strong authentication to web-based applications Supports numerous use cases, for example, requiring strong authentication for privileged users, such as IT admins, mandating strong authentication for remote access (VPNs) or remote workforce (contractors and partners, etc.)
Why SafeNet? Next Generation Authentication from the Leading Authentication Vendor Frictionless Authentication Choice of delivery platforms Automated administration, user & token management Broadest range of authentication methods Broad use case support Security and Trust Use of industry standards Hardware-based root of trust Control over authentication data Certified products Transparency and Visibility Extensive reporting and auditing
Thank You Questions? Thank You 11