IBM Presentation Template Full Version

Internet and Web Applications

7 Aug 2012

© 2011 IBM Corporation & SecurIT

IBM Tivoli Access Manager for e-Business and SecurIT TrustBuilder®

A UNIQUE COMBINATION

Web Access Management

Products: Tivoli Federated Identity Manager (TFIM) and Tivoli Access Manager for e-business (TAMeb)

- IBM is a viable option in almost every WAM project, and continues to show customer growth, even though most other vendors' sales are flat or down.

- IBM TFIM combines the functionality of three products: a well-featured WAM product, a full-featured identity federation tool suitable for enterprise and service provider deployments, and a moderately well-featured Web services security tool.

TrustBuilder Value Proposition for TAMeb & TFIM

- Versatile Authentication
- Transaction Signing and Validation

Why Versatile Authentication?

"Static approaches to defining security controls are no longer adequate. Security controls need to be flexible and meet the needs of the diverse set of user access requirements."

Ant Allen, IAM Summit, London, March 2009

Improving Security Controls with TAMeb and TrustBuilder

- Security requirements continue to evolve and require more flexible, dynamic approaches to protecting customer information and user access.
- Deeper security controls are required to ensure information is protected and not tampered with.

Introducing Versatile Authentication and Transaction Signing

"Customers need to review their authentication strategies with an eye towards moving up to a true versatile authentication approach. The ultimate goal, KuppingerCole believes, is to be able to move back and forth between different authentication mechanisms freely and flexibly without the need to modify the applications themselves."

Martin Kuppinger

FFIEC Guidance: Authentication in an Internet Banking Environment

The Federal Financial Institutions Examination Council, or FFIEC, is a formal interagency body of the United States government empowered to:

- prescribe uniform principles, standards, and report forms for the federal examination of financial institutions
- make recommendations to promote uniformity in the supervision of financial institutions.

FFIEC guidance issued in 2005. New recommendations issued on June 28th, 2011.

New recommendation: Layered Security Programs

- the use of different controls at different points in a transaction process
- can substantially strengthen the overall security of Internet-based services
- can be effective in protecting sensitive customer information, preventing identity theft, and reducing account takeovers and the resulting financial losses.

What is Versatile Authentication?

- Access policy depends on User/Group/Role
- Information needs to be protected based on its value to the business
- Access management must be flexible and modular
- A layered security approach can provide the ability to support coarse to fine-grained access controls

[Figure: a login form prompting "Please enter your ID and password", next to a SecurID hardware token displaying a one-time code]

The ability to dynamically set the authentication methods, based on workflow, can provide the flexibility to define the access management policy.

What is Transaction Signing and Validation?

- Ensure the critical data in a transaction cannot be altered by malicious invaders, either on the endpoint or in the network
- Maintain an indisputable proof of the transaction contents and timing in a safe place

[Figure: User -> Sign -> Seal -> Vault, placed in front of the applications]

Provides the ability to detect application data tampering and keep an indisputable proof.

Typical use cases:

- Internet Banking
- IP Protection
- Subscription
- Registration
- Proof of Access

BUSINESS NEEDS

TAMeB and SecurIT TrustBuilder®

Observed TrustBuilder Business Needs: Authentication

- Do you need to support other authentication mechanisms than those provided by standard TAM?
- Do you need to migrate smoothly from username/password to strong authentication?
- Is there a requirement to support multiple authentication mechanisms simultaneously?
  - Security driven (authentication vs strong authentication)
  - Business driven (cost / user-friendliness / legacy / rules)
- Do you need to determine the authentication requirements based on variables, such as the type of user, the protected resource, the user's location, context-based variables, etc.?

Authentication mechanisms:

- Username/Password: LDAP, AD, RACF, etc.
- OTP: hardware, software, outbound / mobile
- Digital Certificates: SSL, challenge/response
- Biometrics
- Etc.
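The deck describes selecting authentication requirements from context variables (user community, protected resource, location) through a workflow, with a step-up when the session has not yet satisfied them. The following is an added illustration, not TrustBuilder's own code or policy format: the rules, communities, resource paths and mechanism names are constructed for the example, using the mechanisms the deck lists (password, OTP device, X.509 certificate).

```python
from dataclasses import dataclass, field
from typing import Callable, Set, Tuple

# Mechanism names mirror the deck's examples: password (validated against
# RACF/LDAP), an OTP device such as a Digipass, and an X.509 certificate.
PASSWORD, OTP, X509 = "password", "otp", "x509"

@dataclass
class Request:
    community: str                     # e.g. "retail", "wholesale", "internal"
    resource: str                      # protected resource path
    location: str                      # context variable: "intranet" or "internet"
    satisfied: Set[str] = field(default_factory=set)  # mechanisms already done

@dataclass
class Rule:
    name: str
    match: Callable[[Request], bool]   # predicate over the request context
    require: Set[str]                  # mechanisms this rule demands

# Constructed policy (hypothetical): ordered rules, first match wins. A request
# no rule covers is denied rather than silently allowed with a weak mechanism.
POLICY = [
    Rule("internal-from-internet",
         lambda r: r.community == "internal" and r.location == "internet",
         {PASSWORD, X509}),
    Rule("internal-on-intranet",
         lambda r: r.community == "internal", {PASSWORD}),
    Rule("customer-transactions",
         lambda r: r.community in ("retail", "wholesale")
         and r.resource.startswith("/banking/transfer"), {PASSWORD, OTP}),
    Rule("customer-readonly",
         lambda r: r.community in ("retail", "wholesale"), {PASSWORD}),
]

def decide(req: Request, policy=POLICY) -> Tuple[str, Set[str]]:
    """Workflow decision: ("allow", set()) when the session already meets the
    matched rule, ("step-up", missing) when more mechanisms must be completed
    first, ("deny", set()) when no rule covers the request."""
    for rule in policy:
        if rule.match(req):
            missing = rule.require - req.satisfied
            return ("allow", set()) if not missing else ("step-up", missing)
    return ("deny", set())
```

Because the decision is taken from the request context rather than inside the application, a mechanism can be added or swapped by editing the rule list only, which is the point the deck makes about leaving applications untouched.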

Observed TrustBuilder Business Needs: Transaction Validation

- Do you want to reduce the development time & costs of adding Transaction Validation services to applications?
  - With TrustBuilder the transaction data integrity and non-repudiation services can be centralized in the security infrastructure instead of including them in every application.
- Is there a need to support different Transaction Proofing mechanisms?
- Do you want to ensure transactions are not tampered with?
- Do you want to protect your intellectual property?

VALUE PROPOSITION

TAMeB and SecurIT TrustBuilder®

TAMeb and TrustBuilder

- Context aware access control
- Out of the box support for many validation mechanisms
- Workflow driven authorization policy definition
- Protecting the integrity of the application transaction contents
- Keep a non-repudiated proof of the transaction.

[Figure: TAMeb provides Access, Authentication, Authorization, Access Policy and Logging; TrustBuilder adds Versatile Authentication Workflow, Extended Policy Controls and Connectors for Validation]

TrustBuilder extends TAMeb with additional authentication controls, introduces transaction layer protection, and provides a workflow-based UI to define policies.

How it fits together

[Figure: between the user and the applications, the combined stack provides Authentication, Access Control, Web SSO, Identity Federation, Cross-domain SSO, Versatile Authentication, Adaptive Access Control and Transaction Validation]

TrustBuilder Security Services Platform

Available as WebSphere® Application and Software Appliance

Plug-ins

TrustBuilder Workflow Manager

- This management component determines how the request will be handled in a particular use case
- Graphical User Interface for ease of use
- Drag and drop configuration
- Easily create new or edit existing workflows
- Quick and simple analysis of a complex security model
- The transaction can be managed by a policy, which sets the boundaries of acceptable security levels and the like.

Benefits for a TAMeB or TFIM customer: Versatile Authentication

- Save considerable time and money by extending TAMeB with other authentication capabilities from multiple vendors (Vasco, RSA, Gemalto, Kobil & all RADIUS).
- Ability to dynamically update authentication mechanisms, without affecting TAMeB or applications.
- Simply accommodate multiple user communities with different authentication requirements and/or mechanisms.
- Easily map authentication tokens to a known TAMeB ID (e.g. certificate).
- Considerably reduce the workload on WebSEAL by offloading authentication to TrustBuilder Server.
- Share TrustBuilder Server authentication services between TAMeB and other platforms (Network Access, Portals, Applications, etc.)

Benefits for a TAMeB or TFIM customer: Transaction Validation

- Transaction Validation Services can be combined with Authentication Services on the same TrustBuilder system
- Minimal impact on existing and new applications, reducing development time
- Transaction Validation services can now easily be shared by multiple applications, allowing significant savings
- Open to support different Transaction Proofing mechanisms
  - OTP (Gemalto, RSA, Vasco)
  - X.509 Signatures
  - Compliant with CAP/EMV (VISA/MC)
- Open to support new transaction types by generating a highly-configurable challenge over any transaction or data submitted to it
- Solution meets many industry standards and aids in compliance management.

Signing as a Service

1. Transaction Preparation
   - Collect sensitive information from transactions
   - Generate challenge

2. Transaction Signing
   - Present signature form
   - Embed challenge
   - Embed signing logic

3. Transaction Validation
   - Capture signature
   - Validate signature
   - Store validation result
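The three steps above (prepare a challenge over the sensitive fields, have the user sign it, validate and store the result) carried through end to end as an added example; this is not TrustBuilder's code. An HMAC keyed with a per-user device secret stands in for the token-specific response (OTP device, unconnected card reader, X.509 signature) that the deck lists; the transaction, field list, nonce and key are constructed for the example.

```python
import hashlib
import hmac
import json
import time

# Constructed demo key for alice's signing device (hypothetical). In the deck's
# deployments the response would come from an OTP token, a card reader or a
# certificate rather than from a shared secret held by the server.
DEVICE_KEYS = {"alice": b"demo-device-secret-alice"}

# Step 1: only the fields whose alteration would change the meaning of the
# transaction go into the challenge; a "memo" field, for instance, does not.
SENSITIVE_FIELDS = ("beneficiary", "amount", "currency")

def canonical(tx: dict, nonce: str) -> str:
    """Deterministic encoding of the sensitive fields plus a per-transaction
    nonce, so the same transaction always yields the same challenge and a
    captured signature cannot be replayed for a later transaction."""
    payload = {k: tx[k] for k in SENSITIVE_FIELDS}
    payload["nonce"] = nonce
    return json.dumps(payload, sort_keys=True, separators=(",", ":"))

def prepare(tx: dict, nonce: str) -> str:
    """Step 1: derive the short challenge that the signature form shows to the
    user (what you see is what you sign)."""
    return hashlib.sha256(canonical(tx, nonce).encode()).hexdigest()[:16]

def sign(user: str, challenge: str) -> str:
    """Step 2: the user's device signs the challenge."""
    return hmac.new(DEVICE_KEYS[user], challenge.encode(), "sha256").hexdigest()

def validate(user: str, tx: dict, nonce: str, signature: str, vault: list) -> bool:
    """Step 3: recompute the challenge from the transaction as the server
    received it, compare in constant time, and seal the outcome together with
    the signed contents and a timestamp in the vault as the proof."""
    challenge = prepare(tx, nonce)
    ok = hmac.compare_digest(sign(user, challenge), signature)
    vault.append({"user": user, "contents": canonical(tx, nonce),
                  "challenge": challenge, "signature": signature,
                  "valid": ok, "time": time.time()})
    return ok
```

A tampered amount or beneficiary changes the recomputed challenge and fails validation, while the vault keeps both the accepted and the rejected attempts with their timing.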

Transaction Validation Use Cases

[Figure: two deployment patterns. In both, the user signs on once (SSO) to TAMeB, and TrustBuilder provides Authentication and Signing & Validation to the applications. In the first, the signing and validation service is a Web Service provided directly to applications; in the second, the service is provided via a TAM Authorization Policy.]

USE CASE: Versatile Authentication

Business drivers: using multiple authentication mechanisms for different user communities

- Retail banking
- Wholesale banking
- Internal
- Foreign agencies

Authentication mechanisms:

- Username/Password
  - validated against RACF
- VASCO Digipass
  - OTP device
  - Unconnected Card Reader
- X.509 Certificates
  - Certificate on USB dongle
  - Certificate on SmartCard

USE CASE: Versatile Authentication

European Organization for the Safety of Air Navigation

- Username/Password
  - validated through TAM API
- RSA SecurID
  - RADIUS backend shared with VPN
  - including token life cycle management
- X.509 Certificates
  - Certificate to TAM ID mapping
  - Online and offline revocation check

Benefits for the Customers

- Simultaneous support for multiple authentication methods to accommodate use cases
- More flexibility in the rapidly changing world of security.
- The environment can easily be extended with other authentication methods.
- Lower development costs
- Compliance with government and industry regulations.

USE CASE: Transaction Signing & Validation

- Align with regulatory demands
- Migrate to CAP-EMV using a UCR (Unconnected Card Reader)

Business requirements:

- SSO for customers within retail & wholesale segments
- Support crossing of customer segments
- Support external hosted applications
- Support employees
  - branch of the future
- Support newer paradigms: Federation, Mobile …
- Buy versus Build, also for Security

Translated into reality …

- One integrated architecture
- Supporting the vision to become a 'Direct' bank
- Supporting 'Universal' access by employees
- The architecture supports cross-over behaviour
  - The customer employee user wants to check on his/her private affairs
  - The customer employee user is interested in seeing the offers of the bank his/her employer is using
- Combination of TAM/TFIM and TrustBuilder.

[Figure: a Security Proxy (TAM/TFIM) in front of the External Hosted Service, the Home Bank and the Back-End, with TrustBuilder providing the Authentication, Signature and New Token services]

TrustBuilder:

- Extends the authentication capabilities of TAM/TFIM
- Acts as gateway to Authentication & Signing Services
- Enables flexibility in defining security workflows.

TrustBuilder: Key Features

- Enterprise Security Services platform
  - Versatile Authentication
  - Transaction Signing & Validation
- Out-of-the-Box solution
  - Plug-in architecture with comprehensive connector library
  - Supports many vendor/validation mechanisms
  - Integrates with many user & data repositories
- Guarantees flexibility
  - Easily adapt to changing requirements
  - Supports migration needs
  - Configurable workflow to accommodate multiple use cases
- Ease of implementation
  - No development
  - Choose, pick or change connectors
  - Drag-and-drop GUI workflow set-up
- Field proven, robust and scalable technology

SecurIT

info@securit.biz

www.securit.biz