This document introduces SafeNet Authentication Service's authentication "as-a-service" offering. It discusses replacing passwords with multi-factor authentication using tokens. Users can log in once across devices and applications. The service supports a wide choice of tokens including hardware, software, SMS-based and mobile app options. It also allows for automated provisioning, self-enrollment and single sign-on across applications.
17. Introduction: Protect Everything: Networks, Applications and Cloud Services
Diagram: the service authenticates tokens and users for online storage, application hosting, private networks (corporate networks with LDAP / Active Directory), private cloud services, public cloud applications and collaboration tools, connecting through SAML, RADIUS, agents and an API, with an administrator console.
18. Introduction: Widest Choice of Tokens, including Tokenless & 3rd Party
Authenticators for every user type, and an increasing focus on commoditisation.
Authenticators that:
• Don’t expire
• Have seed keys that can be owned by the subscriber
• Can be easily re-assigned to new users
• Save cost and time through easy deployment
• Can be included in the service charge
Token platforms shown: hardware, SMS, BlackBerry, iOS, Android, Microsoft, Java, multi-platform, USB, Grid, Microsoft, OS X.
19. Token policies and security
Ability to set token policies:
• Pre-configured to best practice for optimal security
• Reconfigurable to match each customer’s policy
• Multiple options can be redefined:
  • PIN length and complexity
  • OTP length and complexity
  • Try attempts (number of attempts allowed)
  • Forced PIN change
• Portal shows details of EVERY individual token
Initialisation of tokens:
• Software/SMS tokens initialised at point of deployment
• Hardware tokens can also be initialised
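The token policy options on slide 19 (PIN length and complexity, OTP length, try attempts, forced PIN change) worked through as an added Python example; this is not SafeNet's code, and the default policy values, the event-based RFC 4226 HOTP token, the seed and the lockout behaviour are assumptions made for illustration.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

@dataclass
class TokenPolicy:
    pin_min_length: int = 6          # PIN length (assumed default)
    pin_mixed_alnum: bool = True     # PIN complexity: letters and digits
    otp_digits: int = 6              # OTP length the token must produce
    max_try_attempts: int = 3        # failures allowed before the token locks
    force_pin_change: bool = False   # administrator-forced PIN change

@dataclass
class TokenState:
    counter: int = 0                 # HOTP moving factor (event-based token)
    failures: int = 0
    locked: bool = False

def hotp(seed: bytes, counter: int, digits: int) -> str:
    """RFC 4226 HOTP, truncated to the number of digits the policy sets."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def pin_compliant(pin: str, policy: TokenPolicy) -> bool:
    """PIN length and complexity check."""
    mixed = any(c.isdigit() for c in pin) and any(c.isalpha() for c in pin)
    return len(pin) >= policy.pin_min_length and (mixed or not policy.pin_mixed_alnum)

def verify(seed: bytes, expected_pin: str, state: TokenState,
           policy: TokenPolicy, pin: str, otp: str) -> str:
    """Outcome: 'accepted', 'pin_change_required', 'rejected' or 'locked'."""
    if state.locked:
        return "locked"
    pin_ok = hmac.compare_digest(pin, expected_pin)
    otp_ok = hmac.compare_digest(otp, hotp(seed, state.counter, policy.otp_digits))
    if pin_ok and otp_ok:           # wrong PIN and wrong OTP are reported identically
        state.counter += 1           # advance so the same OTP is never accepted twice
        state.failures = 0
        if policy.force_pin_change or not pin_compliant(pin, policy):
            return "pin_change_required"
        return "accepted"
    state.failures += 1
    if state.failures >= policy.max_try_attempts:
        state.locked = True          # try-attempt limit reached: lock the token
        return "locked"
    return "rejected"
```

No counter resynchronisation window is modelled, so a token that has been pressed without authenticating would need an administrator resync in this simplified form.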
20. Introduction: Automate everywhere
SafeNet Authentication Service automates everything, reducing management time, the main cost of a strong authentication solution:
• User synchronisation
• Security policy application
• Token provisioning
• Self-enrolment
• SAML service registration
• Alerts
• Reporting
21. LDAP Changes
Automatic updates of LDAP changes.
Diagram: user changes in the directory server are picked up by the LDAP agent and synchronised into users, groups, policies & rules, self-enrollment and authentication for the access device or application.
22. Multi-tier, Multi-tenant
• Support multiple companies, divisions, business units, LDAPs etc. on a single platform.
• Each appears as a distinct BlackShield server.
Diagram: a single service-provider platform hosting multiple tenants.
23. Multiple Business Unit entities, Groups & Containers
Example hierarchy: Main Company, with USA (R&D, Operations, Sales), EMEA (R&D, Sales, Administration) and APAC (R&D, Operations).
Gain power and flexibility to support:
• Delegated administration and localization within business units or departments
• Local and centralized user directories
• Local and central authentication points: VPNs, applications and network devices
• Organizations lower in the hierarchy can inherit policies and settings
• Avoid multiple instances of authentication servers
25. Defining the management structure: Roles & Scope
A role decides “what an operator can do”: hide, show, enable or disable tabs, modules and actions to form a role.
The scope decides “who you can do it for”: use organisations and containers to control the scope.
Roles are defined per organisation.
29. Reporting
Major additions to reporting:
• Security Policy (11)
• Compliance (13)
• Billing (2)
• Inventory (9)
Fully automated delivery:
• Output in HTML, CSV, tab-delimited or XML
• Delivery via FTP, SFTP, SCP
• Restrict access by role
30. Simplify SAML registration
Users can automatically be added to multiple groups.
Sign in to one service and during your session you are automatically signed in to all your services; sign out to leave all services.
Diagram: the user authenticates once (UserID: Bill, Password: “OTP”) and a SAML assertion is issued to each registered service under the identifier that service knows (bill@gmail.com, blaham@cryptocard.com, bill).
31. Migrating to your new service
Diagram, BEFORE: a RADIUS access device or RSA Agent (any 3rd party agent) authenticates over RADIUS against RSA Authentication Manager w/RADIUS (any 3rd party auth. server).
Diagram, AFTER: SAS agents, RADIUS and SAML front the service; add Authentication Manager as an Auth Node and add SAS as a RADIUS client, then use any token type.
34. User Self-Service Portal
• Request a new, replacement or temporary token
• Create workflows for approving requests
• Allow users to customise their portal
• Provide language variants to match user needs
• Users can resolve common problems
We offer complete flexibility of token / authentication method: we believe strongly that different users in an organisation require a different experience, now and in the future. We are token agnostic in that we support 3rd party OATH tokens and RSA tokens, and will add more tokens / authentication methods in the future.
Our architecture means that users of our tokens are NOT vulnerable to a breach like the copying of RSA token seeds.
Our tokens are designed to provide better value: hardware tokens are metal and don’t expire, so expected life is c. double the competition’s; our soft tokens are all re-assignable as many times as you want, etc.
Emphasise the ease of deployment: automation and self-enrolment.
“We needed a reliable authentication solution that works on mobile devices. The great advantage of the BlackBerry tokens is that passwords can be accessed at any time and tokens cannot be misplaced or lost.” Balfour Beatty
“We have been using Blackshield Cloud for over two years now, and have yet to replace a single token or battery. There are obvious cost and resource savings for us when using reliable long-life tokens and we are already seeing those benefits.” Specsavers
Key parts of our “more secure” story:
• Unique policy engine allows centralised control of security posture.
• Best practice settings provided as default, but all parameters are flexible so you can implement your company’s policy.
• Automatically monitors and protects against attacks such as brute force and denial of service.
• Passcode and PIN length and complexity can be set to reflect your preferred security posture.
• Operational role segregation and delegated management.
• Highly granular operator role (what they can do) and scope (who they can do it to).
• Each operator can be given access (or not) to each button of the management UI.
• Default roles provided for help desk, admin etc., all customisable. See later slide.