Advanced Authentication for everyone - Frank Schmaering, PreSales Consultant - G+H Systems
Authentication = proof of the identity of a user logging on to some network (Source: Wiktionary.org). It is the foundation of every legitimate digital transaction!
Do you think this is an old list? Source: http://www.computerworld.com/article/3024404/security/worst-most-common-passwords-for-the-last-5-years.html
The 25 Worst Passwords of 2017: 1 - 123456, 2 - password, 3 - 12345678, 4 - qwerty, 5 - 12345, 6 - 123456789, 7 - letmein, 8 - 1234567, 9 - football, 10 - iloveyou, 11 - admin, 12 - welcome, 13 - monkey, 14 - login, 15 - abc123, 16 - starwars, 17 - 123123, 18 - dragon, 19 - passw0rd, 20 - master, 21 - hello, 22 - freedom, 23 - whatever, 24 - qazwsx, 25 - trustno1. Source: https://www.entrepreneur.com/article/306499
General challenges and main compliance requirements. #1 Compliance: NIST, GDPR, PSD2, MaRisk, KRITIS, PCI DSS, audits (e.g. Volkswagen). #2 Security: hacks (pass-the-hash, man-in-the-middle, ransomware etc.), insider abuse etc. #3 Digitalization: innovation, user experience, process optimization.
Inhibitors: The Global WEF Risks Landscape 2018. Notes & Conclusion: Survey respondents were asked to assess the likelihood of each individual global risk on a scale of 1 to 5 (1: very unlikely to happen, 5: very likely to occur). They also assessed the impact of each global risk on a scale of 1 to 5 (1: minimal impact, 5: catastrophic impact). Read more about the methodology. Source: http://reports.weforum.org/global-risks-2018/global-risks-landscape-2018/#landscape. The Report concludes by assessing the risks associated with how technology is reshaping physical infrastructure: greater interdependence among different infrastructure networks is increasing the scope for systemic failures – whether from cyberattacks, software glitches, natural disasters or other causes – to cascade across networks and affect society in unanticipated ways.
World Economic Forum 2018: Top 5 Global Risks
Willing To Reveal Passwords For Chocolate ▪ 1,208 participants ▪ 43.5% willing to provide their password if chocolate was offered before the ask ▪ 29.8% willing to provide their password if chocolate was given after the ask
What is the daily routine of a user today? Usage: several devices | services | apps | self-services
2FA possibilities
Where 2FA is possible… Source: https://twofactorauth.org/#
Would it also be good for the enterprise? THE PRODUCT!
What possibilities do we have? Two-factor authentication = Something you know (Password, PIN, Passphrase) + either Something you are (Fingerprint, Face, Iris, Voice) or Something you have (Token, Smartcard, RFID Card, Telephone)
What possibilities do we have? Multifactor authentication = Something you know (Password, PIN, Passphrase) + Something you are (Fingerprint, Face, Iris, Voice) + Something you have (Token, Smartcard, RFID Card, Telephone)
Authenticators Password Pin Passphrase many more …
Authenticators (something you have): OTP (OATH), FIDO U2F, Smartphone, GPS position, RFID / NFC, Smartcard, SMS OTP, many more …
Authenticators Fingerprint Face Iris Voice many more …
Fingerprint and vein scanners, many more …
Advanced Authentication (AAF) architecture overview (diagram; labels recovered from the slide):
▪ Enterprise IT environment: AAF server, RADIUS, CRL (PKI), directory, 802.1x devices
▪ Protected resources: business applications, functions, transactions and data; generic applications, databases, servers, operating systems; web business applications
▪ Access paths: enterprise single sign-on (eSSO), web single sign-on (wSSO), VPN, remote access over the Internet
▪ User devices: desktops/laptops (Windows x86/x64, Citrix, RDP, VDI); mobile devices, tablets, smartphones; thin/zero clients (Linux)
▪ Directories: AD/ADLDS, eDirectory, Linux
Capabilities (diagram; labels recovered from the slide):
▪ Platforms: Linux (Pluggable Auth Module), Windows (Credential Provider), Mac OS X (Authentication Plug-in)
▪ Security products: NAM (SSO / Federation / Web), NSL (Enterprise SSO), Cloud Access (SaaS Federation, SMB focus)
▪ Interfaces: RADIUS/HSM, APIs, ADFS Plug-in, Mobile APIs / RADIUS, Web Service APIs, RADIUS API
▪ Also: Mobile Platforms, Password Reset, Microsoft AD, Applications, Browser, DRA, PAM
Advanced Authentication 6.0 Methods (Remote Access Edition and Enterprise Edition key features; feature matrix recovered from the slide):
▪ Smartphone: out-of-band push to iOS, Android or Windows Phones
▪ Geo-Fencing: smartphone-based GPS location validation
▪ FIDO U2F: "Fast Identity Online" for Chrome / API
▪ Bluetooth: device-in-range login and lock for Windows (Win)
▪ Windows Hello: support for Windows 10 Windows Hello methods (Win)
▪ Multi-Tenant: support for multiple divisions or clients, tenant dashboard
▪ AWS / Azure: public cloud deployment options
▪ ADFS: ADFS plug-in integration (ASML)
▪ Windows CP: credential provider for Windows 7, 8 and 10 (Win)
▪ Citrix: Windows Citrix redirection support (Win)
▪ Devices
▪ Out-of-Band: out-of-band OTP
▪ Google Auth: external Google Authenticator OATH OTP
▪ Microsoft Live: external Microsoft Live OTP
▪ Voice OTP: voice-call delivered OTP
▪ SMS OTP: Short Message Service delivered OTP
▪ SAML: connect applications via SAML2
▪ RADIUS: internal RADIUS server and RADIUS client
▪ REST: lightweight programming interface
▪ Mac OS X: OS X authentication plug-in
▪ Citrix SSO Agent: facilitate user authentication to Citrix app/session
▪ Face: face biometrics on Windows 8/10
▪ Soft Token: application OATH-based TOTP / HOTP
▪ Hard Token: device OATH-based TOTP / HOTP
▪ PKI – PKCS7: smartcard (or other) with certificate validation (Win, Lin, Mac)
▪ PKI – PKCS11: smartcard (or other) with certificate validation (Win, Lin, Mac)
▪ OAuth2: connect applications via Open Authorization token / OpenID
▪ FIPS 140-2: "FIPS Inside" via OpenSSL FIPS module
▪ Caching: second-factor skipping for an admin-specified window of time
▪ Linux PAM: RPM and DEB modules
▪ Card Tool: identify found cards with a tap
▪ NFC: 13.56 MHz cards, tokens, etc. (Win, Lin, Mac)
▪ RFID: 125 kHz proximity cards, tokens, etc. (Win, Lin, Mac)
▪ Emergency PW: helpdesk-assisted password
▪ Email OTP: email-delivered OTP
▪ Swisscom: external Swisscom smartphone PKI authentication
▪ Impersonation: linked account authenticator
▪ HTTP Proxy: secure AA behind a network with proxy
▪ Dashboard: customizable administration console
▪ RDP/Term Svcs: card and PKI redirection
▪ Off-Line: workstation login (Win, Mac, Linux)
▪ RADIUS Client: interface with existing RADIUS solutions
▪ Voice Call: voice call with prompt for user PIN validation as a factor
▪ Challenge: user-enrolled challenge / response
▪ PIN Code: user-enrolled PIN code (PKI), with PIN caching
▪ BankID: Swedish BankID support
▪ Incorporate: mobile SDK to integrate with any app
▪ App Policy: mobile app policy enforcement
▪ Localization: user-facing interface strings all localized
▪ Tap-N-Go: Windows login / logout with card tap
▪ BYOD: non-domain workstation support
▪ Fingerprint: Windows Biometric Framework; support for MS Modern Keyboard with API biometrics; Lumidigm / HID direct integration; Digital Persona driver-based integration; NEXT Biometrics direct API integration
▪ Kerberos: SSO with Kerberos ticket systems
▪ ReCaptcha: force Google ReCaptcha for web-based events
▪ Token: standalone token administration consoles
▪ NIST: use NIST Biometric Image Software
▪ SAML: SAML federated validation
▪ OAuth2: OpenID Connect validation
▪ TouchID: Mac OSX TouchID fingerprint
▪ AAaaS: MFA available as-a-service
▪ ConnectWise: partner dashboard integration for RMM-to-MSPs
▪ Migration: export / import configuration
Standards and Integrations: Microsoft, RADIUS, Biometric Image Software, PKCS 7 / 11, FIPS Inside, NFC, ISO/IEC, HSPD-12, OAuth2, Kerberos, Mac OS X, Google Auth, Live, OATH, Windows Hello
Use Cases
Daily Business Requirements… I’m a Security Officer handling sensitive data, and I also have access to critical security dashboards and systems. Therefore my digital identity needs to be secured. SEC Frank, Privileged User
Demo: What you will see (SEC Frank) ▪ Frank's Windows logon screen ▪ Frank's desktop with his mobile ▪ A credential provider with flexible authentication chain options: ▪ PIN + Smartphone (the new standard)
Demo: 2FA Desktop Login
Daily Business Requirements… I’m an external contractor helping out the business in different projects. In case of urgency, and to save time and costs, it is efficient to work from home, and I need access to critical security dashboards and systems. SEC Frank, Privileged User
Demo: What you will see (SEC Frank) ▪ Frank's logon screen on his portable corporate device ▪ Frank's laptop with a YubiKey attached ▪ A credential provider with flexible authentication chain options: ▪ PIN + U2F (the new standard) ▪ U2F + TOTP ▪ U2F + SMS ▪ Password + U2F
Demo: 2FA Desktop Login
Daily Business Requirements… I’m an external contractor helping out the business in different projects. In case of urgency, and to save time and costs, it is efficient to access information from everywhere. SEC Frank, Privileged User
Demo: What you will see (SEC Frank) ▪ A PC in an Internet café, or my personal device at home ▪ Frank's smartphone ▪ Access to my company's CRM system using a restricted authentication chain option: ▪ Password + Smartphone push notification (new standard for SaaS applications while on the road)
Daily Business Requirements… I’m an external contractor helping out the business in different projects. In case of urgency, and to save time and costs, it is efficient to access my home drive from everywhere, and to share information with my colleagues and externals like Kevin! SEC Frank, Privileged User
Demo: What you will see (SEC Frank) ▪ A PC in an Internet café, or my personal device at home ▪ Frank's smartphone ▪ Access to my company's File, Sync and Share solution using a restricted authentication chain option: ▪ Password + Smartphone push notification (new standard for SaaS applications while on the road)
Daily Business Requirements… I’m an external contractor helping out the business in different projects. In case of urgency, and to save time and costs, it is efficient to access my e-mails from everywhere. SEC Frank, Privileged User
Demo: What you will see (SEC Frank) ▪ A PC in an Internet café, or my personal device at home ▪ Frank's smartphone ▪ Access to my Office 365 hosted mail using flexible authentication chain options: ▪ Password for ADFS login ▪ Hardware token ▪ PIN + SMS (the new standard) ▪ Soft token
Daily Business Requirements… I’m an external contractor, a colleague of Frank, helping out the business in different projects. In case of urgency, and to save time and costs, it is efficient to work from home, but I need VPN access. Kevin just approved VPN access and I can enroll. SEC Mike, Privileged User
Demo: Enrollment and 2FA VPN Access
Daily Business Requirements… I’m an external contractor helping out the business in different projects. In case of urgency, and to save time and costs, it is efficient to manage SQL databases remotely. SEC Frank, Privileged User
Demo: What you will see (SEC Frank) ▪ A corporate device ▪ Frank's smartphone ▪ Access to manage SQL databases, secured by NetIQ SecureLogin entering username and password, using a static authentication chain option: ▪ Password + Smartphone push notification (new standard for SSMS SQL management and applications secured by NetIQ SecureLogin)
Be smart & relax #MFAnow
Demo
Deployment options
Deployment options: Advanced Authentication production and DR sites (diagram; labels recovered from the slide):
▪ Each site sits behind a load balancer. The AMProxy, RestProxy, ADLogin and VPN services can be served by specific web servers as per the diagram; AMProxy is serviced by WS1 and WS2. If more resources are required, additional web servers (WS) can be added.
▪ Web servers (WS1 to WS8) support 100 authentications per second (APS) per server; if more is required, additional WS servers can be added to cater for the load.
▪ The Global Master (GM) together with the database servers (DB) support 0 - 3000 authentications per second per server; if more is required, additional Database Master servers can be added to cater for the load. Site 1 runs AA Database Server 1 and AA Database Server 2.
▪ The DR site is a replica of Site 1 and provides disaster recovery functionality if and when required; the Global Master replicates fully to the DR Database Master. LDAP sources are attached at both sites.
Thank You.