2. Badge & Credential Management
Agenda
• Introduction
– IT Security: Too many challenges…
– A strong need for “Trusted Identities”
– “Trusted Users” Key Benefits
– A strong need for Integrated Badge & Credential Management (CMS)
• OpenTrust SCM Overview
– OpenTrust SCM Key Benefits
– A Simple and Full Featured Enterprise CMS
– Making “Trusted Users” a reality
– OpenTrust SCM Architecture and Ecosystem
– Worldwide References & related business cases
• Use Cases: eBanking, IAM Integration
Confidential - OPENTRUST - Page 2
3. IT Security: too many challenges …
How to allow IS access to roaming users, third parties and remote
application services without compromising IT security ?
How to secure access control to business applications, while
authentication schemes rely (mostly) on shareable/spoofable logins
and passwords ?
How to (safely) provide enough IS flexibility to adapt to :
► Evolving business workflow requirements ?
► Organization and regulations changes ?
► Heterogeneous connection means and devices ?
How to warrant Enterprise data privacy and integrity in order to protect
mission critical assets, with respect to existing regulations (SOX, PCI,
Bale II, SAFE, etc.) ?
How to take advantage of electronic transactions to leverage business
processes and to increase global productivity ?
How to get better protected against internal threats & frauds ?
etc…
4. Electronic Trust… a global answer
The widespread use of Digital Identities securely granted to any user
and IS component establishes the basis of new and powerful security
policy enforcement paradigms :
► “Trusted Networks”
► “Trusted Users”
► “Trusted Transactions”
At OpenTrust, we believe that implementing a global Trust Infrastructure
is the only foundation to address upcoming IT security challenges all in
one, with respect to :
- Security standards
- Ease of use
- Productivity requirements (TCO, ROI)
[Diagram: Trust Infrastructure overview. Corporate User, Authorized
Employee, External User and Customer reach the Business Application
Server, Portal, SSO and OTP Server through IAN / IBNS, backed by a
Certificate Provider (PKI) and an Archiving System; access decisions are
shown as OK / KO.]
5. Key benefits of “Trusted Users” (1/2)
Prevent user security credentials disclosure using a single,
safe and personal cryptographic support
► Enabling IS-wide “two factor” strong authentication, regardless of
connection means and user types
► Confining multiple user “secrets” (OTP, SSO, Key pairs…) in a single
support that can be fully managed locally and remotely at any time
► Providing a suitable means of convergence for logical (certificate, key
pairs…) and physical (contactless, biometrics…) access control
credentials… one step toward unified Corporate Badging
Allow a simple, cost effective and deep integration
of asymmetric cryptography standards in the IT environment
► Already supported by most of the IT (infrastructure: routers, switches…
& software components: web servers, email clients, SSO, Windows
Logon…)
► Enabling easy user (or server) based data encryption and regulation
compliant digital signature
6. Key benefits of “Trusted Users” (2/2)
Establish a user friendly “state of the art” security model
► No more passwords (goal : not even a few)
► Simple and secure handling of personal authentication means
► Enhanced user capabilities and asset protection (encryption, digital
signature)
► Empowered user productivity (focus on core business rather than
getting lost with multiple access control schemes)
Provide secure and integrated credential lifecycle management
to existing X.509 Certificate (PKI), SSO, OTP & IAM solutions
► Allowing them to rely on secure digital identities that can be trusted
far beyond logins and passwords… and that belong to a global,
consistent and business effective security policy
► Lowering TCO : multiple (i.e. per solution) credential management
tasks are automated and handled from a focal point :
the Card Management System (CMS)
7. Requirements for an Enterprise CMS
Widespread use of Digital Identities stored on personal cryptographic
supports is a very attractive approach to user security.
But it requires strong and complete management capabilities to become
a reality across the Enterprise :
Multiple Lifecycle Operations
– Distribution & Enrollment
– Revocation
– Credential renewal
– Badge recycling
– Self care (unlocking, PIN change, replacement, etc.)
Multiple Supports
– Multi vendors Smart Cards & Tokens (and related drivers, middlewares…)
Multiple Holders
– Employees, Externals, Partners, Customers (B2B, B2C), etc…
8. OpenTrust SCM Key Benefits
OpenTrust SCM is a comprehensive answer that provides enterprise
wide “Trusted Users” management capabilities, while remaining :
► Highly secure (communications,
access control, operations, auditing…)
► Simple and user friendly (easy endorsement,
enhanced productivity)
► Open to third party solutions (SSO, OTP, IAM…)
through standard interfaces (Web Services,
LDAP, PKCS#7...)
► Flexible and complete (multiple smart card & token support,
many operator and user profiles, heterogeneous
issuance and lifecycle operations…)
► Cost effective: providing an outstanding security level,
while lowering user credential management costs
(automation, centralization, homogeneity)
9. OpenTrust SCM a simple
and full featured CMS
• Modeling tools: datasources & profiles (users,
cards, certificates…)
• Integrated Enrolment & Issuance processes
– “Self Enrolment” by the badge holder (end user)
– Issuance through the “Badge Office”
– Badge “Pre Personalization” process
• Card & Token Lifecycle Management processes
– Issuance of replacement/temporary badges
– Badge loss/theft statement
– Replacement and renewal of cryptographic contents
– Badge recycling
– Card & Token remote unlocking
• Badge holder Self Care operations
– Certificate renewal
– Auto recovery of old encryption certificates
– PIN Code change
– Badge unlocking (on line, off line)
• Common Platform Services
– Logging, notification, publication, auditing…
– Strong Authentication and Access Control
– Dynamic application skinning and
multi lingual support
– Platform clustering and HA management
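The lifecycle operations listed on slides 7 and 9 (enrolment, loss/theft statement, renewal, unlocking, recycling) are easiest to reason about as a state machine in which the CMS refuses any operation that is not allowed in the card's current state or for the actor requesting it. The following model is an added illustration, not OpenTrust SCM code: the states, the transition table, the role names and the side effects are assumptions chosen to mirror the slides, and the serial numbers and certificate names are constructed sample values.

```python
"""Card & token lifecycle model for an enterprise CMS.

Added illustration, not OpenTrust SCM code: the states, the transition table
and the role rules are assumptions chosen to mirror the lifecycle operations
listed on the slides (enrolment, loss/theft statement, renewal, unlocking,
recycling).
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple


class CardState(Enum):
    EMPTY = "empty"                  # blank support from the manufacturer
    PRE_PERSONALIZED = "pre_perso"   # serial recorded, not yet bound to a holder
    ENROLLED = "enrolled"            # holder bound, credentials loaded, in use
    LOCKED = "locked"                # PIN retry counter exhausted
    REVOKED = "revoked"              # loss/theft stated, certificates revoked
    RECYCLED = "recycled"            # contents wiped, ready for reissue


# Allowed (current state, operation) -> next state; anything else is refused.
TRANSITIONS = {
    (CardState.EMPTY, "pre_personalize"): CardState.PRE_PERSONALIZED,
    (CardState.PRE_PERSONALIZED, "enroll"): CardState.ENROLLED,
    (CardState.EMPTY, "enroll"): CardState.ENROLLED,      # face-to-face issuance
    (CardState.RECYCLED, "enroll"): CardState.ENROLLED,   # reissue of a recycled badge
    (CardState.ENROLLED, "renew"): CardState.ENROLLED,    # certificate renewal
    (CardState.ENROLLED, "lock"): CardState.LOCKED,
    (CardState.LOCKED, "unlock"): CardState.ENROLLED,     # help desk or self care
    (CardState.ENROLLED, "revoke"): CardState.REVOKED,    # loss/theft statement
    (CardState.LOCKED, "revoke"): CardState.REVOKED,
    (CardState.REVOKED, "recycle"): CardState.RECYCLED,   # wipe before reuse
}

# Operations a badge holder may run on their own card; all others need an operator.
SELF_CARE_OPS = {"unlock", "renew"}
OPERATOR_ROLES = {"security_officer", "badge_office", "help_desk"}


class LifecycleError(Exception):
    """Raised when an operation is not allowed in this state or by this actor."""


@dataclass
class Card:
    serial: str
    state: CardState = CardState.EMPTY
    holder: Optional[str] = None
    certificates: List[str] = field(default_factory=list)
    audit: List[Tuple[str, str, str, str]] = field(default_factory=list)


def apply(card: Card, op: str, actor: str, role: str,
          holder: Optional[str] = None, cert: Optional[str] = None) -> Card:
    """Apply one lifecycle operation: check the transition table and the actor's
    authorization, perform the side effects, then record an audit entry."""
    nxt = TRANSITIONS.get((card.state, op))
    if nxt is None:
        raise LifecycleError(f"{op!r} not allowed in state {card.state.value!r}")
    if role == "holder":
        if op not in SELF_CARE_OPS or actor != card.holder:
            raise LifecycleError(f"holder {actor!r} may not {op} card {card.serial}")
    elif role not in OPERATOR_ROLES:
        raise LifecycleError(f"unknown role {role!r}")

    if op == "enroll":
        card.holder = holder
        card.certificates = [cert] if cert else []
    elif op == "renew" and cert:
        card.certificates.append(cert)
    elif op == "revoke":
        # A real CMS pushes the revocation to the PKI; here we only mark the certs.
        card.certificates = [f"REVOKED:{c}" for c in card.certificates]
    elif op == "recycle":
        card.holder, card.certificates = None, []   # wipe before reissue

    card.state = nxt
    card.audit.append((op, actor, role, nxt.value))
    return card


def lost_badge_scenario() -> Card:
    """Pre-personalize, enroll, lock/unlock, then handle a lost badge."""
    c = Card("SN-0001")   # constructed sample serial
    apply(c, "pre_personalize", "officer1", "security_officer")
    apply(c, "enroll", "desk1", "badge_office", holder="u123", cert="auth-cert-1")
    apply(c, "lock", "helpdesk1", "help_desk")   # PIN retry counter exhausted
    apply(c, "unlock", "u123", "holder")         # self care by the holder
    try:
        apply(c, "recycle", "desk1", "badge_office")   # refused: not revoked yet
    except LifecycleError:
        pass
    apply(c, "revoke", "officer1", "security_officer")
    apply(c, "recycle", "desk1", "badge_office")
    return c


if __name__ == "__main__":
    for entry in lost_badge_scenario().audit:
        print(entry)
```

The point of the table is that the refused path (recycling a badge that was never revoked) never reaches the card: the CMS forces the loss/theft statement and the certificate revocation before the support is wiped and reissued, and every accepted operation leaves an audit entry naming the actor and role.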
10. Making “Trusted Users” a reality…
[Diagram: the OpenTrust SCM Server sits between the operators (Help Desk
Operator, Security Officer) and the existing IT infrastructure: Enterprise
AD / LDAP User Directory, Hardware Security Module, PKI Server, OTP Server
and SSO Server. The Card Holder (Employee, External, Partner, etc.)
authenticates; the server performs Auto Discovery of the User's Card
Profile through Profile Requests (SOAP), generates the credentials and runs
the Automated Card Initialization process, turning an Empty Support into an
Enrolled Support.]
12. A large and complete Ecosystem
[Ecosystem diagram; partner categories:]
• PKI (including Microsoft PKI)
• HSM Vendors
• Certificate Providers
• SSO & IAM Providers
• Card & Token Manufacturers
• OTP (One Time Password) Solutions
13. Smart Card & Credentials Management
Worldwide References
Customers : SWISS, CARREFOUR, ALSTOM Transport, THALES, TOTAL, French
Custom Office, Minister of Defense, DASSAULT Aviation, MICHELIN,
RENAULT-NISSAN, BNP PARIBAS
[The per-reference project descriptions are garbled in the extraction;
the recoverable elements are:]
• Projects : OpenTrust PKI, SCM and OTP deployments; Corporate Badging and
multiservice smart card projects combining physical (Mifare, HID) and
logical access control; migration from a Baltimore PKI and from legacy
cards; worldwide and dealer network deployments, with user populations
ranging from 20.000 to 150.000 badge or token holders, some in production
since 2003 / 2004
• Integrations : Gemalto Cyberflex cards, USB security tokens, Xiring PIN
Entry readers, SSO from Evidian and PassLogix, IAM from Sun Microsystems
and IBM (“TIM”), Windows logon
• Usages : strong authentication (WIFI, VPN, Windows, SSO), physical &
logical access control, data encryption, digital signature, secure
document exchange and proof management
14. “Self Enrolment” by the Badge Holder
[Diagram: Self Enrolment flow between the Security Officer, the Central
Server, the Enterprise AD/LDAP User Directory, the Card Shipping Process
and the Registered User. Steps as labelled: (a) Card Serial Numbers
Registration by the Security Officer; (b) card shipping to the Registered
User; (c) user authentication (Auth. Scheme); (d) Auto Discovery of the
User's Card Profile from the directory.]
15. Badge Enrollment through
the « Badge Office »
[Diagram: the Enrolling User meets the Badge Office Operator, who works
with the Server and the Enterprise AD/LDAP User Directory. Steps as
labelled: (a) formal off line identification of the user; (b) retrieval of
the User's Card Profile; (c) Personal Q&A for authentication and « PIN
Code » delivery. Result: Enrolled User + « PIN », Empty Support turned
into Enrolled Support.]
16. Badge “Pre Personalization” process
Recording, Shipping and Assignment
[Diagram: the Security Officer records the Card Serial Numbers (CSV file)
on the Central Server, which is linked to the Enterprise AD/LDAP User
Directory. Steps as labelled: (a) serial numbers recording; (b) Card
Shipping Process; (c) Card Activation Code & Instructions; (d), (e) Card
Delivery by the operator to the Enrolling User.]
17. “Pre Perso” Process
Stage 2 – Final Badge Activation by the Holder
[Diagram: the Enrolled User presents the « Activation Code » to the Server
(a), followed by the « PIN Code » step (b); the Server is linked to the
Enterprise AD/LDAP User Directory.]
18. “Pre Perso” Process
Stage 1 – Badge recording & “face to face” Issuance
[Diagram: at the Badge Bureau, the Enrolling User is received by the Badge
Operator, who works with the Server and the Enterprise AD/LDAP User
Directory; the flow has three steps labelled (a), (b) and (c).]
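The "Pre Perso" process on slides 16 to 18 separates two things: the card itself, shipped and delivered by an operator, and the activation code that the holder presents later to finish the enrolment and choose a PIN. The server-side handling of that code is what decides whether the scheme holds up: it should be stored only as a salted hash, compared in constant time, accepted once, and blocked after a few wrong guesses. The following is an added illustration of such a two-stage server, not OpenTrust SCM code: the code alphabet and length, the attempt limit, the PIN policy and the serial numbers are all assumptions or constructed values.

```python
"""Two-stage badge pre-personalization: an activation code is issued when the
card is recorded, then verified when the holder activates the badge and
chooses a PIN.

Added illustration, not OpenTrust SCM code. The code alphabet, code length,
attempt limit and PIN policy are assumptions; the OpenTrust flow may differ.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict

CODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"   # no 0/O or 1/I ambiguity
CODE_LENGTH = 10                                    # assumption
MAX_ATTEMPTS = 3                                    # assumption


def _digest(code: str, salt: bytes) -> bytes:
    """Salted slow hash: a leaked server database must not reveal the codes."""
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 50_000)


def pin_policy_ok(pin: str) -> bool:
    """6 to 8 digits, not all identical, not a straight ascending/descending run."""
    if not (6 <= len(pin) <= 8 and pin.isdigit()):
        return False
    if len(set(pin)) == 1:
        return False
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps not in ({1}, {-1})


@dataclass
class Pending:
    holder: str
    salt: bytes
    code_hash: bytes
    attempts: int = 0
    used: bool = False


class PrePersoServer:
    def __init__(self) -> None:
        self.pending: Dict[str, Pending] = {}    # serial -> pending activation
        self.activated: Dict[str, str] = {}      # serial -> holder

    def record_and_assign(self, serial: str, holder: str) -> str:
        """Stage 1: the Security Officer records the card serial and assigns it
        to a holder. The clear activation code is returned once, for delivery
        separately from the card; only its salted hash is kept."""
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
        salt = secrets.token_bytes(16)
        self.pending[serial] = Pending(holder, salt, _digest(code, salt))
        return code

    def activate(self, serial: str, code: str, new_pin: str) -> str:
        """Stage 2: the holder presents serial + activation code and picks a PIN."""
        p = self.pending.get(serial)
        if p is None or p.used:
            return "rejected: unknown serial or already activated"
        if p.attempts >= MAX_ATTEMPTS:
            return "rejected: activation code blocked"
        # PIN policy is checked before the code so a policy failure neither
        # consumes an attempt nor reveals whether the code was right.
        if not pin_policy_ok(new_pin):
            return "rejected: PIN does not meet policy"
        p.attempts += 1
        if not hmac.compare_digest(_digest(code, p.salt), p.code_hash):
            return "rejected: wrong activation code"
        p.used = True                      # single use
        self.activated[serial] = p.holder  # the PIN itself would be set on the card
        return "activated"


if __name__ == "__main__":
    srv = PrePersoServer()
    code = srv.record_and_assign("SN-42", "u777")   # constructed sample values
    print(srv.activate("SN-42", "NOTTHECODE", "482913"))
    print(srv.activate("SN-42", code, "482913"))
    print(srv.activate("SN-42", code, "482913"))
```

Because the clear code exists only in the return value of `record_and_assign`, the shipping and mailing steps are the only places it is ever visible, which is what makes sending the card and the code through different channels worthwhile.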
19. Use Case : “Trusted Users” in eBanking
[Diagram: in the Central Enrolment Environment, the Security Officer
registers the Token Serial Numbers on the Registration Server and produces
the Token's Activation Codes; the Token Shipping Process and the Mailing
Process deliver the Personal Token and the Activation Code to the Customer
as two separate flows; the activated token is then used for Secure Auth and
Secure Transactions on the B2C eBanking Infrastructure.]
20. Use Case: Tight Coupling with the IAM
[Diagram: the Card Holder (Employee, External, Partner, etc.) and the Help
Desk Operator use the Enterprise Portal / IAM, which exchanges « User
Properties & Identities » with the Secure Infrastructure and its Server over
LDAP / SOAP; the Server is connected to the Enterprise AD / LDAP User
Directory, the PKI Server, the OTP Server and the SSO Server.]
Security Credentials managed for the holder :
– Authentication : WIFI, VPN, SSO, Windows…
– Encryption : Certificates & Private Keys
– Digital Signature : Signing Certificates for Business Applications