Fundamentals of SafeNet Identity and Access Management

Manav Khanna – Product Manager

Holger Schulze – Director Product Marketing

Post on 03-Feb-2022

Why Smart Tokens?

Better Regulatory Compliance
• Certified and standards compliant solutions - HSPD 12, HIPAA, SOX

Mitigation of Security Risks
• Tamper-resistant storage for protecting private keys and other forms of personal information
• SafeNet has a strong security pedigree (FIPS, NSAs)
• Enable portability of credentials and other private information between computers at work, at home, or on the road

Integrated Physical and Logical Security
• Windows Desktop logon and door entrance (HID)

Employee accountability
• Non-repudiation

Increased Productivity
• Information is more accessible through easy and fast authentication
• ID mobility
• Insignificant Administrative Overheads
• Enforcement of password policies

Market Trends for Smart Tokens

“The market for identity and access management (IAM) products will grow to almost $5 billion by 2011” - IDC

Rapid growth in the USB token market is projected (55% CAGR)

IDC projects the USB token market to grow from US$ 38M in 2004 to US$ 206M in 2009

Growth of the smart card “logical access control” market will be driven by USB tokens [Frost and Sullivan]

Smart card market size (physical and logical) growth from $62.4 million (2003) to $86.9 million (2008)

Growth in smart card enabled applications is a contributing factor in this growth. (Microsoft, UNIX/Linux, business applications)

At 10 million USD, SafeNet’s market share is 5%

There is potential!

PKI Certificates

User Name & Passwords

Biometric Credentials

Barcode & Magnetic Swipe encoding*

Access Controls*

Photo ID*

* Photo ID, Access Control, Bar Code/Magnetic Swipe are applicable to smart cards only

Applications of Smart Tokens

PKI Authentication

Non-PKI User Name / Password Authentication

System Authentication
• Windows
• Terminal Servers
• Citrix
• Remote Desktop

Application Authentication
• Outlook
• VPNs
• Entrust
• Netscape

Two-factor Authentication

SafeNet Protects Access to Data

Business Need: Implement access controls for compliance with mandates
SafeNet Solution: Comply w/ Legislation – Proven compliance w/ mandates requiring secure access

Business Need: Protect access to sensitive data & applications
SafeNet Solution: Protect Data at Risk – Most advanced two-factor authentication, storage of digital credentials

Business Need: Minimize cost of providing identity and access management
SafeNet Solution: Reduce Operational Cost – Lowest operational cost through single management platform and easy to integrate SDK

SafeNet smart tokens provide the most advanced authentication technology for securing access and protecting digital identities.

SafeNet’s Token Product Offerings

Hardware: SC 400, iKey 4000 | SC 330, iKey 2032 | iKey 1000

Software: BSec PK for Mac v1.0; BSec PK 7.0.x | BSec PK for Mac v1.0; BSec PK 7.0.x | iKey SDK v4.x

Operating System: Mac OS X 10.4.6 – 10.5.1; Win 2K, 2K3, XP, Vista | Mac OS X 10.4.6 – 10.5.1; Win 2K, 2K3, XP, Vista | Win 2K, 2K3, XP, Vista

SafeNet iKey Authentication Tokens

iKey 4000

The most advanced authentication token

• On-board cryptographic key generation, verification and signing

• 64 kB EPROM for secure storage of keys, passwords, certificates, applications and data

• FIPS 140-2 Level 3 (in process). Smart Card chip is CC EAL5+.

• Complete crypto support incl. RSA/DSA, AES, Diffie-Hellman, SHA-1

• Supports all common APIs and OS

• Optional biometric support

MyID

Best-in-class Identity Management Platform

• Enables quick and efficient lifecycle management of users, identity devices and credentials

• Reduces cost of token administration

• Pre-integrated with most identity systems for fast deployment

• Easy to use with intuitive, web-based user interface

• Provides complete audit trail for proof of compliance

iKey 2032

The easiest to use authentication token

• On-board cryptographic key generation, verification and signing

• 32 kB EPROM for secure storage of keys, passwords, certificates, applications and data

• FIPS 140-1 Level 2. Smart Card chip CC EAL3.

• Supports crypto algorithms incl. RSA, DES/3DES, SHA-1

• Supports all common APIs and OS

iKey 1000

The most cost-effective USB token

• Cryptographic key generation, verification and signing in software

• 8 kB EPROM for secure storage of keys, passwords, certificates, applications and data

• Supports common crypto algorithms

• MD5 and RNG in hardware

• Supports all common APIs and OS

SafeNet iKey 4000

Ease of Deployment

Designed for easy deployment in network and application authentication, email encryption, digital signatures and many other PKI-enabled applications from vendors such as Microsoft, Entrust, CA, VeriSign and more.

Crypto APIs: PKCS #11, Microsoft CAPI, Microsoft and Apple PC/SC

Best-in-class identity management platform (BSec) for quick, efficient, and effortless lifecycle management of authentication devices

Operating systems: Microsoft Windows 2000, 2003, XP, Vista, and Apple MacOS 10.4.6 – 10.5.0

Security

On-board key generation and crypto processing ensures that crypto keys remain secure in hardware at all times

64 kB EPROM ensures secure storage of keys, passwords, certificates, applications and other data

Algorithms supported: RSA 1024-2048, Diffie-Hellman, 3DES, AES128-256, SHA-1

Certifications: FIPS 140-2 Level 3 (in process); smart card chip is CC EAL 5+

Tamper proof casing

The most advanced authentication token, pre-integrated with the leading PKI infrastructures.

SafeNet iKey 2032

Ease of Deployment

Designed for easy deployment in network and application authentication, email encryption, digital signatures and many other PKI-enabled applications from vendors such as Microsoft, Entrust, IdenTrust, Computer Associates, VeriSign and more.

Crypto APIs: PKCS #11, Microsoft CAPI, Microsoft and Apple PC/SC

Best-in-class identity management platform (BSec) for quick, efficient, and effortless lifecycle management of authentication devices

Operating systems: Microsoft Windows 2000, 2003, XP, Vista, and Apple MacOS 10.4.6 – 10.5.0

Security

On-board key generation and crypto processing ensures that crypto keys remain secure in hardware at all times

32 kB EPROM ensures secure storage of keys, passwords, certificates, applications and other data

Algorithms supported: RSA 1024-2048, Diffie-Hellman, DES, 3DES, SHA-1

Certifications: FIPS 140-1 Level 2; smart card chip is CC EAL3

Tamper proof casing

The easiest to use authentication token, pre-integrated with the leading PKI infrastructures.

SafeNet iKey 1000

Ease of Deployment

Designed for cost effective deployment in network and application authentication, email encryption, digital signatures and many other PKI-enabled applications from vendors such as Microsoft, Entrust, Computer Associates, VeriSign and more.

Robust iKey1000 Software Development Kit (SDK) for integration with client-server and browser-enabled applications

Crypto APIs: PKCS #11, Microsoft CAPI

Microsoft and Apple PC/SC compliant

Operating systems: Microsoft Windows 2000, 2003, XP, Vista, and Apple MacOS 10.4.6 – 10.5.2

Security

Cryptographic key generation, verification and signing in software

MD5 Hashing and Random Number Generation (in hardware)

8 kB EPROM ensures secure storage of keys, passwords, certificates, applications and other data

Algorithms: RSA 1024, DSA, DES and 3DES (in software)

Tamper proof casing

The most cost effective authentication token, pre-integrated with the leading PKI infrastructures.

MyID Management Platform

Ease of Use

Single self-service interface for all device and credential lifecycle activities

Workflow-driven, step-by-step walkthroughs

Security & Auditing

Secure logon to MyID using two factor authentication

Signed operations

Complete audit trail and reporting

Flexibility

Multiple technologies and systems supported out of the box

Configurable business processes, roles, and policies

Toolkit and well documented APIs for easy integration

Best-in-class identity management platform for quick and efficient lifecycle management of users, identity devices and credentials.

SafeNet Smartcards

Smart Card 400

The most secure smart card

• On-board cryptographic key generation, verification and signing

• Biometric capabilities available

• 64 kB EPROM for secure storage of keys, passwords, certificates, applications and data

• FIPS 140-2 Level 2, FIPS 201 (in process); smart card chip is CC EAL 5+

• Complete crypto support incl. RSA/DSA, AES, 3DES, Diffie-Hellman, SHA-1

• Supports all common APIs and OS

Smart Card 330

The high performance smart card

• On-board cryptographic key generation, verification and signing

• 32 kB EPROM for secure storage of keys, passwords, certificates, applications and data

• FIPS 140-2 Level 2

• Supports crypto algorithms incl. RSA, DES/3DES, SHA-1

• Supports all common APIs and OS

Smart Card 330M

The three-factor authentication card

• Cryptographic key generation, verification and signing in software

• Biometric capabilities available

• 32 kB EPROM for secure storage of keys, passwords, certificates, applications and data

• Supports common crypto algorithms

• Supports all common APIs and OS

MyID

Best-in-class Identity Management Platform

• Enables quick and efficient lifecycle management of users, identity devices and credentials

• Reduces cost of token administration

• Pre-integrated with most identity systems for fast deployment

• Easy to use with intuitive, web-based user interface

• Provides complete audit trail for proof of compliance

SafeNet Smart Card 400

Ease of Deployment

Designed for easy deployment in network and application authentication, email encryption, digital signatures and many other PKI-enabled applications from vendors such as Microsoft, Entrust, CA, VeriSign and more.

Crypto APIs: PKCS #11, Microsoft CAPI, Microsoft and Apple PC/SC

Best-in-class identity management platform for quick, efficient, and effortless lifecycle management of authentication devices

Operating systems: Microsoft Windows 2000, 2003, XP, Vista, and Apple MacOS 10.4.6 – 10.5.1

Security

On-board key generation and crypto processing ensures that crypto keys remain secure in hardware at all times

Optional biometric support

64 kB EPROM ensures secure storage of keys, passwords, certificates, applications and other data

RSA 1024-2048, Diffie-Hellman, 3DES, AES128-256, SHA-1

Certifications: FIPS 140-2 Level 2, FIPS 201 (in process); smart card chip is CC EAL 5+

The most advanced authentication token, pre-integrated with the leading PKI infrastructures.

SafeNet Borderless Security Middleware

Flexibility & Ease of Use

Easy token personalization by users

Comprehensive “C” API SDK supporting PKCS#11 and MS CAPI interfaces

Supports signing PDF and Word documents

Supports Email signing and encryption (Microsoft Office Outlook and Outlook Express).

Supports Entrust and Identrust certificates for signing and encryption

Operating Systems: Microsoft Windows 2000, 2003, XP, Vista

Ease of Configuration & Deployment

Centralized configuration

Easy mass deployment via Microsoft Group Policy Object (GPO) or Microsoft Systems Management Server (SMS)

Security

Secure storage of PKI-based digital credentials on tokens (Public and Private keys, Digital certificates)

Secure storage of Non-PKI-based logon credentials on the tokens (User names and passwords)

Middleware enables rapid and custom integration of two-factor authentication into IT systems and applications.

Going to Market

Ideal Customer Profiles

1,000+ users

Has regulatory compliance pressures (Sarb-Ox, HIPAA, HSPD #12)

Company has high value assets (customer data, financial assets, intellectual property)

Company wants strong, or “stronger” authentication

Authentication needs are both inside and outside the traditional network

Salespeople

Remote employees

Business partners

Want to integrate employee badge with IT access badge

Integration with SafeNet Products

• Database & Application Encryption
• Disk & File Encryption
• High-Speed Network Encryption
• Hardware Security Modules
• 3rd Party PKI and Application Authentication

Why we win

Out-of-the-box solutions

Broad interoperability
• Standards-based
• Platform Compliance – Windows, MAC OS, Linux
• Entrust PKI + Tokens, Identrust ready
• Citrix + Tokens

Security certifications
• FIPS

Solution oriented, sell the company
• Customers buying tokens also buy HSM, CMS, DARP
• Token products are believed to be great door openers

ABOVE ALL - COMMITTED TEAMWORK!

IAM Roadmap

Tokens Product Roadmap 2008

Q1 Q2 Q3 Q4

HW

Low Cost iKey 2032

SW

BSec 7.1
- Microsoft Minidriver Implementation for 330/2032
- Enhance (a) Identrust Readiness (b) Entrust Readiness

iKey 1000 SDK
Driver/Client Installation Improvements

BSec 7.1.x
- Microsoft Minidriver Implementation for 400/4000
- Enhance (a) Entrust Readiness

iKey 1000 SDK
Consolidate Windows 32/64 bit driver installers

BSec 7.1.y
- Localization Programs (French, Spanish)

- Driverless iKeys*
- PKI PIV Interoperability*
- New “first mover” Innovation*

* subject to convincing business drivers

BSec for Linux (RHEL 2.6 and 2.4)

IAM Solutions

Case Studies

CASE STUDY - 1

OEM Market

• The Problem

Laptop Vendor to deliver laptops to customer that were to be shared by customer’s contractors working on the field. Laptops were highly prone to identity and data theft.

• The Solution

iKey1000

Driver/Application built with iKey1000 SDK for Authentication/Unlocking for notebook BIOS lock

Developed by Notebook Vendor

• The Result

Achieved Cost Effective Secure Identities for shared notebooks

Rendered Sleep-well factor to the Customer

Higher Accountability to Contractors

CASE STUDY 2007

SALES SUCCESS

Vendor: Panasonic

Vendor’s Customer: Meiji Yasuda Life Insurance, Japan

Revenue: $600,000

Product: iKey 1000 and SDK

A Replicable Business Model by supporting OEM to leverage its customer base and verticals

CASE STUDY – 2

OEM Market

CASE STUDY 2007

SALES SUCCESS

Customer: EPSON, Japan

Revenue: $100,000 per quarter

Product: iKey 1000 and SDK

Solution: Securing Shared Printing Operations

A Replicable Business Model by supporting OEM to leverage its customer base and verticals

Authentication

CASE STUDY

Banking and Financial Services Market

• The Problem

Non Compliance with mandatory government regulation of two-factor PKI authentication for high worth electronic transactions by banking and securities consumers

Overcome usability and cost issues with currently existing OTP infrastructure

• The Solution

iKey 2032, BSec middleware integrated with Bank’s online electronic transaction management software

• The Result

Increased (and more secure) internet transactions

Cost reduction over existing authentication structure

Improved user experience

Compliance with qualified certificates

Legislative Requirements Compliance

CASE STUDY - 2007

SALES SUCCESS

Customer: NH Bank, Korea

Revenue: USD 400,000 (2007/Phase 1)

Product: iKey 2032 and BSec middleware

Business Potential
– 200,000 keys in 3 years
– Replicable Business: Other banks to follow suit
– SafeNet’s iKey among the 2 products certified by local authority

Enterprise Market

• The Problem

Different Employee IDs for facilities and IS

Issues with traditional password based authentication of customers to enterprise online services

Lack of centralized management of devices and identities

No tracking of ID device issuance, post issuance management and incident logging

• The Solution

SafeNet’s iKeys/smart-cards, BSec middleware

Intercede’s MyID

• The Result

Increased security and usability through access id consolidation

Increased and more secure internet transactions

Improved and Easy Lifecycle Manageability

Improved Legislative Requirements Compliance

Enterprise Sales – Solution Benefits

SafeNet’s iKeys/smart-cards, middleware

Employees can not only obtain physical access to facilities and log in to their computers and network with tokens, but also:
• Store and manage their credentials
• Encrypt files, documents, and emails
• Digitally sign documents

Intercede’s MyID

Administrators can:
• Securely conduct lifecycle management of users, ID devices and credentials through registration, issuance and post issuance management
• Securely audit and report operations on a centralized web based application

An end-to-end enterprise solution for PKI authentication tokens, lifecycle management of IDs and credentials, and centralized auditing and reporting

Q & A

Thank You

Backup slides

iKey 2032/4000 vs. Aladdin eToken Pro

Model: eToken Pro | iKey 4000 | iKey 2032

Manufacturer: Aladdin | SafeNet | SafeNet

Website: www.aladdin.com | www.safenet-inc.com | www.safenet-inc.com

Operating Systems: Windows 98/98SE, ME, 2000, XP | Windows 2000, 2003 and XP | Windows 95, 98, NT, 2000, XP and 2003

API & Standard Support: PKCS11 v2.01, CAPI, Siemens/Infineon APDU commands, PC/SC, X509 v3 certificate storage, SSL v3, IPSec/IKE | PKCS #11 v2.01, Microsoft CryptoAPI (CAPI) 2.0, Microsoft PC/SC, PC/SC, X.509 v3 certificate storage, SSL v3, IPSec/IKE | PKCS #11 v2.01, Microsoft CryptoAPI (CAPI) 2.0, Microsoft PC/SC, PC/SC, X.509 v3 certificate storage, SSL v3, IPSec/IKE

Models by memory size: 32K, 64K | 64K | 32K

On board Crypto: RSA 1024-bit/2048-bit, DES/3DES, SHA1 (only with 64K) | RSA 1024-2048-bit, DSA 1024, 3DES, AES 128, 192, 256, Diffie-Hellman Key exchange, SHA1 | RSA 1024-2048-bit, DES/3DES, SHA1

Smartcard chip security: ITSEC LE4 (Infineon & Siemens); FIPS 140-1 Level 2&3 (32K model) | FIPS 140-2 Level 3 (in progress), Design to CC EAL4+ (process starting soon) | FIPS 140-1 Level 2

ISO support: ISO 7816-1 to 4 specifications | Support for ISO 7816 & 14443 specifications

Pricing: 32Kb=$59.88 US / 64Kb=$76.80 US | $38-57.50 | $35-50

Comments/Notes: Integrated w/ ProtectDrive, SSO and CMS

Compliance Needs for Stronger IAM

Americas
• FIPS
• FFIEC
• Homeland Security Presidential Directive (HSPD 12)
• Personal Information Protection and Electronic Documents Act (PIPEDA)
• Information Security Breach Notification Act

European Union
• European Privacy Directive
• Basel II

Industry-specific regulations
• HIPAA (Healthcare)
• Gramm-Leach-Bliley Act (GLBA; Financial)
• PCI (Financial)

Corporate governance
• Sarbanes-Oxley (Corporations listed on U.S. exchanges)