Fundamentals of SafeNet Identity and Access Management
Manav Khanna – Product Manager
Holger Schulze – Director Product Marketing
Why Smart Tokens?
Better Regulatory Compliance
• Certified and standards compliant solutions - HSPD 12, HIPAA, SOX
Mitigation of Security Risks
• Tamper-resistant storage for protecting private keys and other forms of personal information
• SafeNet has a strong security pedigree (FIPS, NSAs)
• Enable portability of credentials and other private information between computers at work, at home, or on the road
Integrated Physical and Logical Security
• Windows Desktop logon and door entrance (HID)
Employee accountability
• Non-repudiation
Increased Productivity
• Information is more accessible through easy and fast authentication
• ID mobility
• Insignificant Administrative Overheads
• Enforcement of password policies
Market Trends for Smart Tokens
“The market for identity and access management (IAM) products will grow to almost $5 billion by 2011” - IDC
Rapid growth in the USB token market is projected (55% CAGR)
IDC projects the USB token market to grow from US$ 38M in 2004 to US$ 206M in 2009
Growth of the smart card “logical access control” market will be driven by USB tokens [Frost and Sullivan]
Smart card market size (physical and logical) growth from $62.4 million (2003) to $86.9 million (2008)
Growth in smart card enabled applications is a contributing factor in this growth. (Microsoft, UNIX/Linux, business applications)
At 10 million USD, SafeNet’s market share is 5%
There is potential!
PKI Certificates
User Name & Passwords
Biometric Credentials
Barcode & Magnetic Swipe encoding*
Access Controls*
Photo ID*
* Photo ID, Access Control, Bar Code/Magnetic Swipe are applicable to smart cards only
Applications of Smart Tokens
PKI Authentication
Non-PKI User Name / Password Authentication
System Authentication: Windows, Terminal Servers, Citrix, Remote Desktop
System Authentication: Windows, Terminal Servers, Citrix, Remote Desktop
Application Authentication: Outlook, VPNs, Entrust, Netscape
Two-factor Authentication
SafeNet Protects Access to Data
Business Need: Implement access controls for compliance with mandates
SafeNet Solution: Comply w/ Legislation – Proven compliance w/ mandates requiring secure access
Business Need: Protect access to sensitive data & applications
SafeNet Solution: Protect Data at Risk – Most advanced two-factor authentication, storage of digital credentials
Business Need: Minimize cost of providing identity and access management
SafeNet Solution: Reduce Operational Cost – Lowest operational cost through single management platform and easy to integrate SDK
SafeNet smart tokens provide the most advanced authentication technology for securing access and protecting digital identities.
SafeNet’s Token Product Offerings
Hardware: SC 400, iKey 4000
• Operating System: Mac OS X 10.4.6 – 10.5.1; Win 2K, 2K3, XP, Vista
• Software: BSec PK for Mac v1.0; BSec PK 7.0.x
Hardware: SC 330, iKey 2032
• Operating System: Mac OS X 10.4.6 – 10.5.1; Win 2K, 2K3, XP, Vista
• Software: BSec PK for Mac v1.0; BSec PK 7.0.x
Hardware: iKey 1000
• Operating System: Win 2K, 2K3, XP, Vista
• Software: iKey SDK v4.x
SafeNet iKey Authentication Tokens
iKey 4000
The most advanced authentication token
• On-board cryptographic key generation, verification and signing
• 64 kB EPROM for secure storage of keys, passwords, certificates, applications and data
• FIPS 140-2 Level 3 (in process). Smart Card chip is CC EAL5+.
• Complete crypto support incl. RSA/DSA, AES, Diffie-Hellman, SHA-1
• Supports all common APIs and OS
• Optional biometric support
MyID
Best-in-class Identity Management Platform
• Enables quick and efficient lifecycle management of users, identity devices and credentials
• Reduces cost of token administration
• Pre-integrated with most identity systems for fast deployment
• Easy to use with intuitive, web-based user interface
• Provides complete audit trail for proof of compliance
iKey 2032
The easiest to use authentication token
• On-board cryptographic key generation, verification and signing
• 32 kB EPROM for secure storage of keys, passwords, certificates, applications and data
• FIPS 140-1 Level 2. Smart Card chip CC EAL3.
• Supports crypto algorithms incl. RSA, DES/3DES, SHA-1
• Supports all common APIs and OS
iKey 1000
The most cost-effective USB token
• Cryptographic key generation, verification and signing in software
• 8 kB EPROM for secure storage of keys, passwords, certificates, applications and data
• Supports common crypto algorithms
• MD5 and RNG in hardware
• Supports all common APIs and OS
SafeNet iKey 4000
The most advanced authentication token, pre-integrated with the leading PKI infrastructures.
Ease of Deployment
• Designed for easy deployment in network and application authentication, email encryption, digital signatures and many other PKI-enabled applications from vendors such as Microsoft, Entrust, CA, VeriSign and more.
• Crypto APIs: PKCS #11, Microsoft CAPI, Microsoft and Apple PC/SC
• Best-in-class identity management platform (BSec) for quick, efficient, and effortless lifecycle management of authentication devices
• Operating systems: Microsoft Windows 2000, 2003, XP, Vista, and Apple MacOS 10.4.6 – 10.5.0
Security
• On-board key generation and crypto processing ensures that crypto keys remain secure in hardware at all times
• 64 kB EPROM ensures secure storage of keys, passwords, certificates, applications and other data
• Algorithms supported: RSA 1024-2048, Diffie-Hellman, 3DES, AES128-256, SHA-1
• Certifications: FIPS 140-2 Level 3 (in process); smart card chip is CC EAL 5+
• Tamper proof casing
SafeNet iKey 2032
The easiest to use authentication token, pre-integrated with the leading PKI infrastructures.
Ease of Deployment
• Designed for easy deployment in network and application authentication, email encryption, digital signatures and many other PKI-enabled applications from vendors such as Microsoft, Entrust, IdenTrust, Computer Associates, VeriSign and more.
• Crypto APIs: PKCS #11, Microsoft CAPI, Microsoft and Apple PC/SC
• Best-in-class identity management platform (BSec) for quick, efficient, and effortless lifecycle management of authentication devices
• Operating systems: Microsoft Windows 2000, 2003, XP, Vista, and Apple MacOS 10.4.6 – 10.5.0
Security
• On-board key generation and crypto processing ensures that crypto keys remain secure in hardware at all times
• 32 kB EPROM ensures secure storage of keys, passwords, certificates, applications and other data
• Algorithms supported: RSA 1024-2048, Diffie-Hellman, DES, 3DES, SHA-1
• Certifications: FIPS 140-1 Level 2; smart card chip is CC EAL3
• Tamper proof casing
SafeNet iKey 1000
The most cost effective authentication token, pre-integrated with the leading PKI infrastructures.
Ease of Deployment
• Designed for cost effective deployment in network and application authentication, email encryption, digital signatures and many other PKI-enabled applications from vendors such as Microsoft, Entrust, Computer Associates, VeriSign and more.
• Robust iKey1000 Software Development Kit (SDK) for integration with client-server and browser-enabled applications
• Crypto APIs: PKCS #11, Microsoft CAPI
• Microsoft and Apple PC/SC compliant
• Operating systems: Microsoft Windows 2000, 2003, XP, Vista, and Apple MacOS 10.4.6 – 10.5.2
Security
• Cryptographic key generation, verification and signing in software
• MD5 Hashing and Random Number Generation (in hardware)
• 8 kB EPROM ensures secure storage of keys, passwords, certificates, applications and other data
• Algorithms: RSA 1024, DSA, DES and 3DES (in software)
• Tamper proof casing
MyID Management Platform
Best-in-class identity management platform for quick and efficient lifecycle management of users, identity devices and credentials.
Ease of Use
• Single self-service interface for all device and credential lifecycle activities
• Workflow-driven, step-by-step walkthroughs
Security & Auditing
• Secure logon to MyID using two factor authentication
• Signed operations
• Complete audit trail and reporting
Flexibility
• Multiple technologies and systems supported out of the box
• Configurable business processes, roles, and policies
• Toolkit and well documented APIs for easy integration
SafeNet Smartcards
Smart Card 400
The most secure smart card
• On-board cryptographic key generation, verification and signing
• Biometric capabilities available
• 64 kB EPROM for secure storage of keys, passwords, certificates, applications and data
• FIPS 140-2 Level 2, FIPS 201 (in process); smart card chip is CC EAL 5+
• Complete crypto support incl. RSA/DSA, AES, 3DES, Diffie-Hellman, SHA-1
• Supports all common APIs and OS
Smart Card 330
The high performance smart card
• On-board cryptographic key generation, verification and signing
• 32 kB EPROM for secure storage of keys, passwords, certificates, applications and data
• FIPS 140-2 Level 2
• Supports crypto algorithms incl. RSA, DES/3DES, SHA-1
• Supports all common APIs and OS
Smart Card 330M
The three-factor authentication card
• Cryptographic key generation, verification and signing in software
• Biometric capabilities available
• 32 kB EPROM for secure storage of keys, passwords, certificates, applications and data
• Supports common crypto algorithms
• Supports all common APIs and OS
MyID
Best-in-class Identity Management Platform
• Enables quick and efficient lifecycle management of users, identity devices and credentials
• Reduces cost of token administration
• Pre-integrated with most identity systems for fast deployment
• Easy to use with intuitive, web-based user interface
• Provides complete audit trail for proof of compliance
SafeNet Smart Card 400
The most advanced authentication token, pre-integrated with the leading PKI infrastructures.
Ease of Deployment
• Designed for easy deployment in network and application authentication, email encryption, digital signatures and many other PKI-enabled applications from vendors such as Microsoft, Entrust, CA, VeriSign and more.
• Crypto APIs: PKCS #11, Microsoft CAPI, Microsoft and Apple PC/SC
• Best-in-class identity management platform for quick, efficient, and effortless lifecycle management of authentication devices
• Operating systems: Microsoft Windows 2000, 2003, XP, Vista, and Apple MacOS 10.4.6 – 10.5.1
Security
• On-board key generation and crypto processing ensures that crypto keys remain secure in hardware at all times
• Optional biometric support
• 64 kB EPROM ensures secure storage of keys, passwords, certificates, applications and other data
• RSA 1024-2048, Diffie-Hellman, 3DES, AES128-256, SHA-1
• Certifications: FIPS 140-2 Level 2, FIPS 201 (in process); smart card chip is CC EAL 5+
SafeNet Borderless Security Middleware
Middleware enables rapid and custom integration of two-factor authentication into IT systems and applications.
Flexibility & Ease of Use
• Easy token personalization by users
• Comprehensive “C” API SDK supporting PKCS#11 and MS CAPI interfaces
• Supports signing PDF and Word documents
• Supports Email signing and encryption (Microsoft Office Outlook and Outlook Express).
• Supports Entrust and Identrust certificates for signing and encryption
• Operating Systems: Microsoft Windows 2000, 2003, XP, Vista
Ease of Configuration & Deployment
• Centralized configuration
• Easy mass deployment via Microsoft Group Policy Object (GPO) or Microsoft Systems Management Server (SMS)
Security
• Secure storage of PKI-based digital credentials on tokens (Public and Private keys, Digital certificates)
• Secure storage of Non-PKI-based logon credentials on the tokens (User names and passwords)
Ideal Customer Profiles
1,000+ users
Has regulatory compliance pressures (Sarb-Ox, HIPAA, HSPD #12)
Company has high value assets (customer data, financial assets, intellectual property)
Company wants strong, or “stronger” authentication
Authentication needs are both inside and outside the traditional network
Salespeople
Remote employees
Business partners
Want to integrate employee badge with IT access badge
Integration with SafeNet Products
• Database & Application Encryption
• Disk & File Encryption
• High-Speed Network Encryption
• Hardware Security Modules
• 3rd Party PKI and Application Authentication
Why we win
Out-of-the-box solutions
Broad interoperability
• Standards-based
• Platform Compliance – Windows, MAC OS, Linux
• Entrust PKI + Tokens, Identrust ready
• Citrix + Tokens
Security certifications
• FIPS
Solution oriented, sell the company
• Customers buying tokens also buy HSM, CMS, DARP
• Token products are believed to be great door openers
ABOVE ALL - COMMITTED TEAMWORK!
Tokens Product Roadmap 2008
Q1 Q2 Q3 Q4
HW
Low Cost iKey 2032
SW
BSec 7.1
- Microsoft Minidriver Implementation for 330/2032
- Enhance (a) Identrust Readiness (b) Entrust Readiness
iKey 1000 SDK
- Driver/Client Installation Improvements
BSec 7.1.x
- Microsoft Minidriver Implementation for 400/4000
- Enhance (a) Entrust Readiness
iKey 1000 SDK
- Consolidate Windows 32/64 bit driver installers
BSec 7.1.y
- Localization Programs (French, Spanish)
- Driverless iKeys*
- PKI PIV Interoperability*
- New “first mover” Innovation*
* subject to convincing business drivers
BSec for Linux (RHEL 2.6 and 2.4)
CASE STUDY - 1
OEM Market
• The Problem
Laptop Vendor to deliver laptops to customer that were to be shared by customer’s contractors working on the field. Laptops were highly prone to identity and data theft.
• The Solution
iKey1000
Driver/Application built with iKey1000 SDK for Authentication/Unlocking for notebook BIOS lock
Developed by Notebook Vendor
• The Result
Achieved Cost Effective Secure Identities for shared notebooks
Rendered Sleep-well factor to the Customer
Higher Accountability to Contractors
CASE STUDY 2007
SALES SUCCESS
Vendor: Panasonic
Vendor’s Customer: Meiji Yasuda Life Insurance, Japan
Revenue: $600,000
Product: iKey 1000 and SDK
A Replicable Business Model by supporting OEM to leverage its customer base and verticals
CASE STUDY – 2
OEM Market
CASE STUDY 2007
SALES SUCCESS
Customer: EPSON, Japan
Revenue: $100,000 per quarter
Product: iKey 1000 and SDK
Solution: Securing Shared Printing Operations
A Replicable Business Model by supporting OEM to leverage its customer base and verticals
Authentication
CASE STUDY
Banking and Financial Services Market
• The Problem
Non Compliance with mandatory government regulation of two-factor PKI authentication for high worth electronic transactions by banking and securities consumers
Overcome usability and cost issues with currently existing OTP infrastructure
• The Solution
iKey 2032, BSec middleware integrated with Bank’s online electronic transaction management software
• The Result
Increased (and more secure) internet transactions
Cost reduction over existing authentication structure
Improved user experience
Compliance with qualified certificates
Legislative Requirements Compliance
CASE STUDY - 2007
SALES SUCCESS
Customer: NH Bank, Korea
Revenue: USD 400,000 (2007/Phase 1)
Product: iKey 2032 and BSec middleware
Business Potential
– 200,000 keys in 3 years
– Replicable Business: Other banks to follow suit
– SafeNet’s iKey among the 2 products certified by local authority
Enterprise Market
• The Problem
Different Employee IDs for facilities and IS
Issues with traditional password based authentication of customers to enterprise online services
Lack of centralized management of devices and identities
No tracking of ID device issuance, post issuance management and incident logging
• The Solution
SafeNet’s iKeys/smart-cards, BSec middleware
Intercede’s MyID
• The Result
Increased security and usability through access id consolidation
Increased and more secure internet transactions
Improved and Easy Lifecycle Manageability
Improved Legislative Requirements Compliance
Enterprise Sales – Solution Benefits
SafeNet’s iKeys/smart-cards, middleware
Employees can not only obtain physical access to facilities and log in to their computers and network with tokens, but also:
• Store and manage their credentials
• Encrypt files, documents, and emails
• Digitally sign documents
Intercede’s MyID
Administrators can:
Securely conduct lifecycle management of users, ID devices and credentials through registration, issuance and post issuance management
Securely audit and report operations on a centralized web based application
An end-to-end enterprise solution for PKI authentication tokens, lifecycle management of IDs and credentials, and centralized auditing and reporting
iKey 2032/4000 vs. Aladdin eToken Pro
Manufacturer
• iKey 2032: SafeNet
• iKey 4000: SafeNet
• eToken Pro: Aladdin
Website
• iKey 2032: www.safenet-inc.com
• iKey 4000: www.safenet-inc.com
• eToken Pro: www.aladdin.com
Operating Systems
• iKey 2032: Windows 95, 98, NT, 2000, XP and 2003
• iKey 4000: Windows 2000, 2003 and XP
• eToken Pro: Windows 98/98SE, ME, 2000, XP
API & Standard Support
• iKey 2032: PKCS #11 v2.01, Microsoft CryptoAPI (CAPI) 2.0, Microsoft PC/SC, PC/SC, X.509 v3 certificate storage, SSL v3, IPSec/IKE
• iKey 4000: PKCS #11 v2.01, Microsoft CryptoAPI (CAPI) 2.0, Microsoft PC/SC, PC/SC, X.509 v3 certificate storage, SSL v3, IPSec/IKE
• eToken Pro: PKCS11 v2.01, CAPI, Siemens/Infineon APDU commands, PC/SC, X509 v3 certificate storage, SSL v3, IPSec/IKE
Models by memory size
• iKey 2032: 32K
• iKey 4000: 64K
• eToken Pro: 32K, 64K
On board Crypto
• iKey 2032: RSA 1024-2048-bit, DES/3DES, SHA1
• iKey 4000: RSA 1024-2048-bit, DSA 1024, 3DES, AES 128, 192, 256, Diffie-Hellman Key exchange, SHA1
• eToken Pro: RSA 1024-bit/2048-bit, DES/3DES, SHA1 (only with 64K)
Smartcard chip security
• iKey 2032: FIPS 140-1 Level 2
• iKey 4000: FIPS 140-2 Level 3 (in progress), Design to CC EAL4+ (process starting soon)
• eToken Pro: ITSEC LE4 (Infineon & Siemens); FIPS 140-1 Level 2&3 (32K model)
ISO support
• ISO 7816-1 to 4 specifications
• Support for ISO 7816 & 14443 specifications
Pricing
• iKey 2032: $35-50
• iKey 4000: $38-57.50
• eToken Pro: 32Kb=$59.88 US / 64Kb=$76.80 US
Comments/Notes
• Integrated w/ ProtectDrive, SSO and CMS
Compliance Needs for Stronger IAM
Americas
• FIPS
• FFIEC
• Homeland Security Presidential Directive (HSPD 12)
• Personal Information Protection and Electronic Documents Act (PIPEDA)
• Information Security Breach Notification Act
European Union
• European Privacy Directive
• Basel II
Industry-specific regulations
• HIPAA (Healthcare)
• Gramm-Leach-Bliley Act (GLBA; Financial)
• PCI (Financial)
Corporate governance
• Sarbanes-Oxley (Corporations listed on U.S. exchanges)