ActivIdentity “D2D Security”
Emma Cabban – Channel Manager Northern Europe
Fredrik Pahlsson – Security Consultant EMEA

Agenda
• ActivIdentity – Who are we
• The Real World – Advanced Persistent Threat
• Introducing CMS Appliance
• Omnikey Readers

ActivIdentity Quick Facts
Mission: Provide strong authentication and credential management to confidently establish a person’s identity when interacting digitally.
Vision: To make every digital interaction trustworthy.
Founded: June 1987
Employees: 237
Revenue: $57.7 million (FY10)
Patents: 200+
Customers: 2,500+

And now part of the Assa Abloy Group…
• Assa Abloy, global leader in door opening systems, was created in 1994 from the merger between Assa (Swedish company, separated from Securitas AB) and Abloy Oy (Finnish company), followed by a series of acquisitions in the United States, Australia, Great Britain, the Netherlands, France, Norway, Sweden and Spain.
• Today, Assa Abloy comprises 150 brands, such as Fichet, Vachette, Mul-T-Lock and Yale for locks.
• HID Global is an ASSA ABLOY Group brand
• Assa Abloy Group has some 30,000 employees in over 40 countries in 5 Divisions
• HID Global (including ActivIdentity): 2,400 employees
• In 2010 HID Global finalized the acquisition of ActivIdentity: http://www.actividentity.com/company/acquisitionnews

Introducing ActivIdentity – December 2010
“ActivIdentity will become the centre of gravity for Digital Identity Assurance within HID” – Tony Ball, HID Senior VP Identity and Access Management
Employees: 220
Revenue: $60 million
Patents: 200+
Customers: 2,500+

Advanced Persistent Threat
• New types of attacks aimed at social networking, Web 2.0 and mobile apps
• Legacy authentication systems becoming ineffective
• Defending the perimeter no longer protects corporate data and networks

Summary
• Today strong authentication is mainly deployed to secure the perimeter of an enterprise
• But mobile computing, sophisticated malware and the popularity of social networks are making it increasingly difficult to keep the perimeter secure
• Once inside the perimeter, the only thing that stands between an attacker and the data he is trying to steal is a static password
• Securing cloud applications is as important as securing internal systems
• Enterprises need to look beyond just One Time Password tokens
• ActivIdentity has solutions

The history of enterprise security
(diagram: the Perimeter around Desktops, File Servers, Cloud based applications, Email, Database Servers, Remote Access, Web Servers, Email Servers, Web 2.0)

Securing the perimeter is … ?
A. No longer worth the effort
B. Still important, but not enough
C. The kind of thing that people talk about at conferences, which sort of makes sense at the time but is pretty irrelevant once you’ve gone back to doing a real day’s work

Real World: RSA Breach – Feb 2011
http://blogs.rsa.com/rivner/anatomy-of-an-attack/
• The first thing is to seek publicly available information about specific employees – social media sites are always a favorite.
• The two emails were sent to two small groups of employees; the email subject line read “2011 Recruitment Plan.” The spreadsheet contained a zero-day exploit that installs a backdoor through an Adobe Flash vulnerability.
• The next step is to install some sort of a remote administration tool that allows the attacker to control the machine. In our case the weapon of choice was a Poison Ivy variant. Now the attacker starts digital shoulder surfing.
• The next phase is moving laterally inside the network. The initial entry points are not strategic enough for the attackers; they need users with more access, more admin rights to relevant services and servers, etc.
• The attacker first harvested access credentials from the compromised users (user, domain admin, and service accounts). They performed privilege escalation on non-administrative users in the targeted systems, and then moved on to gain access to key high value targets, which included process experts and IT and non-IT specific server administrators.

Perimeter Security – still important but not enough
“the point about APTs being, first and foremost, a new attack doctrine built to circumvent the existing perimeter and endpoint defenses.” – Uri Rivner, RSA Security, Anatomy of an attack, 1st April 2011

Compromise spreads due to weak authentication
(diagram: Desktops, File Servers, Cloud based applications, Email, Database Servers, VPN Access, Web Servers, Email Servers, Web browsing)
Once inside the perimeter:
“We were able to access the AD server and extract the server’s SAM file. We then successfully cracked all of the passwords in that file. We found that the same credentials were used across multiple systems. As such, we were not only able to access desktops and servers, but also able to access Cisco devices, etc.” – NetraGuard, Hacking your bank
“The next phase is moving laterally inside the network. The initial entry points are not strategic enough for the attackers; they need users with more access, more admin rights to relevant services and servers, etc.” – RSA Breach

Information is stolen from the enterprise
(diagram: Desktops, File Servers, Cloud based applications, Email, Database Servers, VPN Access, Web Servers, Email Servers, Web browsing; outbound: email addresses / key data / corporate IP)

(diagram: a ship’s hull with compartments labelled Advanced persistent threat, Insecure perimeter, Poison Ivy, VNC, cracking tool, malware, “What am I going to wear”, Personal mobile phones, Weak passwords)
Securing individual compartments helps limit the impact of hull breaches

We can help
Implementing strong authentication across the enterprise ensures:
– Malware on infected machines can’t capture passwords to gain access to critical servers (“We found that the same credentials were used across multiple systems”)
– There’s no password file to steal (“We were able to access the AD server and extract the server’s SAM file.”)

How can we help…
Fredrik Pahlsson – Technical Consultant EMEA

Introducing the ActivID CMS Appliance
Confidential © 2009 ActivIdentity

Proposed Solution – Door to Desktop
• Replace passwords with smart cards or secure USB tokens:
– Proven: supported since Windows 2000 and millions of users today!
– Better for users, fewer credentials to remember
– Familiar ATM-like user experience plus government-grade security
– Enables more secure and simpler authentication to applications supporting PKI
• Enables Door to Desktop with a multi-function smart card
• Use an appliance to get benefits quickly and easily
– 30 minute installation
– Manage the life cycle of authentication devices
– Self service for end-users

CMS Appliance Solution Consists Of…
• ActivIdentity ActivID CMS Appliance
– ActivIdentity ActivID CMS-Lite software
– Embedded Certification Authority
– Embedded HSM (RealSec)
– Embedded database
• ActivIdentity ActivID ActivClient
• Smart Card or ActivKey SIM secure USB token
• ActivIdentity SecureLogin SSO (optional)

ActivIdentity ActivID CMS Usability
• Easy for end users
– ATM-like PIN usage well understood
– Faster, simpler than handling multiple credentials and password rules
– Web-based self service for quick resets
• More efficient for IT Help Desk
– Enhanced productivity with a single platform to issue and manage devices and credentials
– Fewer calls because of self-service resets
• Easier for IT Admins
– Appliance pre-configuration of database, HSM, CA & profiles
– Streamlines & automates much of credential management
– Proven technology used to issue millions of highly secure credentials

ActivIdentity ActivID CMS Appliance & Physical access card
• Crescendo C800: One card for PACS & IT Systems
– Smart card chip for IT access
– Contactless antenna for physical access
– iCLASS, MIFARE Classic, MIFARE DESFire (all with optional Prox 2nd antenna)
– One credential to carry means more convenience for end-users and fewer cards forgotten at home

CMS Appliance Unique Selling Points
• Issue & Manage Smart Cards with certificates
• PIV-C Support
• 30-minute install
• Pre-configured HSM, database, PKI CA
• Works out of the box with Win7 & Mac OS
• Simple bundle with award winning middleware

OMNIKEY Reader Portfolio
• Desktop Reader: 3-Series, 5-Series
• Mobile Reader: 4-Series, 6-Series
• Embedded Reader: Chipsets, Reader boards

Desktop Readers – Contact
3121 USB
Primary Markets: • Corporate ID • Government • Service related (Banking, Insurance, etc.) • Public Service • Industry with IT workplace
User Benefits: • GSA approved • Standing base variants
7121 Biometrics
Primary Markets: • Public Safety & Administration/Government (e.g. Police, Border control) • Loyalty & Payment • High security companies
User Benefits: • Two-factor authentication
3021 USB
Primary Markets: • Public Service • Insurance • Loyalty
User Benefits: • Small form factor • Platform interoperability • PC and Laptop logon • GSA Approved
3821 USB Pinpad
Primary Markets: • Commercial and Public • Transactions/service • Contractual/Legal • eBusiness • eGovernment
User Benefits: • Enables use of digital signatures • Limits transactional risks & PIN theft

Desktop Readers – Contactless
5321 USB
Primary Markets: • Service related (Banking, Insurance, etc.) • Commercial • Government
User Benefits: • Heterogeneous environments • Convergence of Contact and Contactless technology
5321 CLi USB
Primary Markets: • Physical and Logical Access Convergence • Health Care
User Benefits: • Plug & Play HID iCLASS reader
5325 CL USB Prox and 5325 USB Prox
Primary Markets: • Physical and Logical Access Convergence • Health Care
User Benefits: • Plug & Play HID Prox reader • Enables converged access solutions in Prox environments

Desktop Readers: 5321 CR
Summary: • New design line • Water- and dust-proof • iCLASS & 13.56 MHz cards
Features & functions: • USB 2.0 support • Stylish design • Broad contactless support for 13.56 MHz cards incl. iCLASS and MIFARE DESFire • TAA compliant • No edges and grooves for easy cleaning • IP67 protection class
Customer benefits: • Mitigation of germs • Easy to clean and disinfect • Withstands rough environments • Suitable for representative areas • Easy administration due to OMNIKEY driver platform

Mobile Readers
6121 USB
Primary Markets: • Service related (Banking, Insurance, etc.) • Sales organizations • Government
User Benefits: • SIM-sized SCR for ultra-mobile PKI applications
6321 USB
Primary Markets: • Service related (Banking, Insurance, etc.) • Sales organizations • Physical and Logical Access Convergence
User Benefits: • Easy to install • Contact & Contactless Interface
4040 PCMCIA and 4321 ExpressCard
Primary Markets: • Corporate ID • Mobile Service Industry (Banking, Insurance, etc.) • Sales organizations • Government
User Benefits: • Enables convenient contact authentication for mobile users • Platform interoperability

Mobile Readers: 6221 MicroSD
Summary: Versatile mobile dongle-sized SIM-sized contact reader & MicroSD in a single device
Features & functions: • Compound device (internal USB hub) • Key ring • Hot-plug • Driver available • Easy administration due to OMNIKEY driver platform
Customer benefits: • Convenient form factor for mobile users • Allows combination of strong authentication and portable encryption in a single device • Allows standards-based access to cards for software programmers

Thank you
Confidential © 2011 ActivIdentity