Product offering, positioning & roadmap


Jan 31, 2013 (3 years and 10 months ago)


ES Product Management | W. Kalny | 2006-11-28

VACMAN Middleware 3.0

Product Presentation


Enterprise Security Division

VACMAN Middleware 3.0


What is it? - Product Positioning


Strong Authentication Solution


Based on One-Time-Password technology


Huge variety of supported tokens


„Out-of-the-Box“ product


Suitable for all sizes of companies



VACMAN Middleware 3.0 Functionality


2 Major Functional Areas



Supported Authentication Environments


Administration


Supported Authentication Environments


Deployment Scenarios


RADIUS environments


WEB server environments


RADIUS and WEB server environments


RADIUS environment, stand-alone scenario


Supported Authentication Environments

RADIUS environment, with RADIUS Server as primary authentication instance


Supported Authentication Environments

RADIUS environment, with RADIUS Server as secondary authentication instance, with User ID and OTP only


Supported Authentication Environments

RADIUS environment, with RADIUS Server as secondary authentication instance, with User ID, password and OTP


Supported Authentication Environments

VM in a Web environment, with User ID and OTP


Supported Authentication Environments

VM in a Web environment, with User ID, password, and OTP


Supported Authentication Environments

VM in a Web environment, with RADIUS Server as secondary authentication instance, with User ID, password, and OTP

[Diagram labels: RADIUS Server; Authentication Request, User ID and password; Accept / Reject and RADIUS attributes]


VACMAN Middleware Data Model


The following record types are provided by VM:



DIGIPASS Record


DIGIPASS User Account Record


Component Record


Policy Record


Back-End Server Record


Domain Record


Organizational Unit Record


VACMAN Middleware Data Model


DIGIPASS Record


Exists for each DIGIPASS in use and contains:

DIGIPASS serial number and model

Names and parameters of applications in DIGIPASS


Status of various options (e.g. lock, etc.)


VACMAN Middleware Data Model


DIGIPASS User Account Record


Exists for each DIGIPASS user and contains:

Authentication Settings

DIGIPASS assignment

Using Active Directory:

DIGIPASS User Account Record is attached to the AD user account as an auxiliary class.

DIGIPASS User Account Record is not required for administration (AD account is used)

Using ODBC Database:

DIGIPASS User Account Record is stored in a standard database table

Administrative privileges are assigned to the User Account, so the record is necessary


VACMAN Middleware Data Model


Component Record



Created to represent:


Authentication servers


Authentication Client Components (RADIUS Clients, IIS Modules)

Administration Client Components (when required)

Main purposes for Component Records:

For authentication clients: to indicate that authentication requests from that client may be processed, and to specify an authentication policy

For RADIUS clients: to hold the shared secret

To hold the license key for authentication servers and IIS Modules


VACMAN Middleware Data Model


Policy Record


Contains settings that affect the user authentication process, e.g.:

Whether Windows or RADIUS authentication should be used

Whether various automatic management features should be used


The DIGIPASS application types required


Backup Virtual DIGIPASS settings


VACMAN Middleware Data Model


Back-End Server Record

Required when a RADIUS server is used by VM for authentication.

Possible to create more than one back-end server for fail-over purposes

Possible to allocate different back-end RADIUS servers for different user domains


VACMAN Middleware Data Model


Domain Record


Active Directory Environment:


Each DIGIPASS and DIGIPASS User must belong to one of the pre-existing AD domains

User-ID must be unique within a domain

DIGIPASS Configuration Domain is required for installation purposes

ODBC or Embedded Database Environments:

Domains are included to:

Mirror the AD domain structure

Provide ability to limit administrative activities (delegated administration)

Allocate unassigned DIGIPASS records to different domains

Master Domain required for default DIGIPASS assignment and administrative purposes


VACMAN Middleware Data Model


Organizational Unit Record

Active Directory Environment:

DIGIPASS User Accounts and DIGIPASS records are stored in organizational units or the user container

Special container, called DIGIPASS pool, created during installation for unassigned DIGIPASSes

Administration duties to be assigned to administrators per organizational unit

ODBC or Embedded Database Environments:

Domains are included to:

Mirror the AD domain structure

Provide ability to limit administrative activities (delegated administration)

Allocate unassigned DIGIPASS records to different organizational units



The Authentication Process


Policy Based Authentication



For every authentication request, a Policy is identified that controls the process and defines the authentication features to be used.

The Policy to be used is based on client component and organizational unit

All policy settings now in one location (Policy Record)

Additional flexibility through:

Windows Group Check can be used for RADIUS

For RADIUS Authentication, the RADIUS server or Windows can be checked only for certain events (not for every login)

A RADIUS server can be used for IIS Modules

For IIS Modules, Windows or the RADIUS server can be checked for every login.

Policies may be set in hierarchies, including inheriting attributes from one level to the other.


DIGIPASS Assignment


A whole DIGIPASS is assigned to a user (not just one application)

User can use all applications in DIGIPASS

More than one DIGIPASS can be assigned to a user

User may be assigned a hardware DIGIPASS and a software DIGIPASS for different situations

User accounts can share the same DIGIPASS

Achieved by linking the two DIGIPASS User Account Records

User Account Locking instead of DIGIPASS application locking

Grace period feature applied to each DIGIPASS (instead of to the User Account)

Settings for Backup Virtual DIGIPASS now located in DIGIPASS Record (instead of DIGIPASS User Account Record)


Extensive Authentication Settings


User Identification by User ID and Domain


Windows Name Resolution


Simple Name Resolution


Separate Domain Login field


Default Domain Setting in Policy


User ID Conventions


Up to 255 characters (all characters allowed) for User ID and passwords (only 128 UTF-8 supported by RADIUS protocol)


Unicode support



Extensive Authentication Settings


More Features


Forwarding of authentication requests from 3rd RADIUS Server


Supports more than one RADIUS authentication port


Default RADIUS ports are now 1812/1813


Support for event based Digipass (using OATH)


Self-Assignment process

„2-Step“-Login for Primary Virtual Digipass and Challenge/Response authentication requests

Login Failure Reasons are displayed in form-based IIS Modules

Customizable Realm Name for the Login prompt in basic authentication IIS Module



Active Directory Integration


Storage of Digipass and User Data in Active Directory


User account settings for VM stored as extension to normal AD user account (using Auxiliary Class)

Digipass data stored with User accounts wherever they are located

Digipass is moved to its user's organizational unit during assignment procedure

Location of unassigned Digipass is kept flexible

Administration Directly with Active Directory

Connectivity to Middleware server not required for administration


Admin privileges not controlled by Middleware Server


Middleware user account not required to perform administration


Active Directory Integration


Delegated Administration


Granular privileges available, set up in Active Directory

Property Sets defined for common groupings of attributes

Active Directory „Delegation of Control“-Wizard shows option for full Digipass administration

Administration Interface

Full property sheet used for Digipass records

Extensive bulk administration operations (like Reset Application, Reset PIN, Force PIN Change)

Administration MMC Interface used for configuration records

Connection Handling

Connections to Active Directory are closed periodically, and a check is made whether another Domain Controller should be used instead.


LDAP requests show excellent performance


Extensive ODBC Database Support


New embedded Database: PostgreSQL 8.1


Improved Support for Other ODBC Databases


Microsoft SQL Server 2000 and 2005


Oracle 10g


IBM DB2 8.2


Sybase Adaptive Server Anywhere 9.0


Domains and Organizational Units


Where VM user accounts are based on WIN user accounts, Domains can be used to match WIN domains

Domains and Organizational Units allow allocation of Digipass to quotas or geographical reality

Domains and Organizational Units support delegated administration

Service Providers can use Domains and Organizational Units to represent their customers


Extensive ODBC Database Support


Administration Controls


Improved implementation to support larger scale and service provider environments

Administrative privileges at individual operations level such as View Digipass, Reset Digipass Application, Update Policy

Administrative access to data controlled at the Domain and Organizational Units level

Administrative programs restricted to defined locations

Maximum number of concurrent administrative sessions

Policy for authentication of administrative logons available

New Replication Mechanism

High reliability through maintaining a queue of changes to transmit to disk

Monitoring of replication process with detailed audit messages and monitoring of connection status and queue size



Audit System


Multiple Audit Methods available and configurable


Text File Output


Event Log Output


ODBC Database Output


Live Connection to Audit Viewer


Ability to Analyze / Report on Audit Data


Extensive message documentation


Extensive search and filter functionality


Audit Viewer


Messages from different sources


Flexible filtering


Multiple Document Interface for report comparison


Messages to be viewed in different time zones


TCL Command Line Administration


Designed for scripted administration


Implemented as an extension to the TCL scripting language


Complex Bulk Administration Tasks


Reporting of data in a data store



Secure Licensing Model


License Key to be loaded into the Data Store


Number of users controlled through DPX files


VASCO Licensing Web Site will only permit license keys for the correct number of Middleware Servers


License Key to be obtained for each IIS module


Main Administration MMC Interface provides ability to request and load licenses at any time


Pricing Structure


4 Elements for a complete offer:


Token prices (one time fee)


Software licenses for usage unlimited in time (one time fee)

Maintenance (annual fees) includes support during business hours, software updates and bug fixes, and annual user data license fees (these were included in token prices in the past)


Any services (one time fee)


VS 6.x, VM 2.x to VM 3.0 upgrades available


For customers with existing maintenance agreement:


70% discount


For customers without existing maintenance agreement:


35% discount



Migration Procedure


Existing 2.3 customer sends PO to VASCO


Customer receives invoice with respective discount (70% discount with Maintenance, 35% without)

Customer receives software with new serial number

Customer installs software and gets activation request code

Customer activates software at licensing web page using serial number and activation request code and receives the encrypted licensing key

Customer copies licensing key into DAT directory of VM installation


Available Documents

Collateral | Where

Marketing Collateral
Product Announcement | Intranet, Apollo Server
Customer/Sales Presentation (VC 3.0) | Intranet, Apollo Server
Data Sheet (VM 3.0) | Intranet, Apollo Server
FAQ (VM 3.0) | Intranet, Apollo Server

Product Documentation
VM Product Guide | Intranet, Apollo Server
VM 2.3 to 3.0 Upgrade Guide | Intranet, Apollo Server
VM 3.0 Release Notes | Intranet, Apollo Server

Technical Collateral
VM Getting Started | Intranet, Apollo Server
VM Installation Guide | Intranet, Apollo Server
VM Administration Reference | Intranet, Apollo Server
VM Audit Console Guide | Intranet, Apollo Server
VM Active Directory Guide | Intranet, Apollo Server
VM Virtual Digipass Guide | Intranet, Apollo Server
VM User Self Management Web Site Guide | Intranet, Apollo Server
VM RADIUS Client Simulator Users Guide | Intranet, Apollo Server


Competition

Company | Product Name | Vasco Competitive advantages

Company: RSA Security (EMC affiliate)
Product Name: RSA Authentication Manager, SecurID®
Vasco Competitive advantages:
Added value for Radius Server vendors/partners
Price in line with the needs because of the modular structure
Easy Install - 30 minutes
Easy Configuration - Templates
Full Digipass Range supported without the need of additional software
Virtual DIGIPASS support
Flexible Backup OTP delivery methods with Virtual Digipass
Large user/token automated deployment capabilities
Extensive Interoperability Functionalities with third party 2FA vendors
Clientless, Extensive Interoperability with third party products
High Quality migration methods to other Vasco products
Advanced access control
Migration path from RSA to Vasco through proxy functionality

Company: ActivIdentity
Product Name: ActivIdentity AAA Server, 4TRESS Authentication Server
Vasco Competitive advantages:
Extensive IIS enabled application support (OWA, Citrix, web portals, ...)
Virtual DIGIPASS support
Modular server offering
Simple deployment procedure

Company: Aladdin
Product Name: No comparable server available

Company: Xiring
Product Name: No comparable server available




Thank you


Any Questions?



wkalny@vasco.com