Baltimore Technologies (UK) Ltd
Charles Pierson, Director of Government Business
Authentication and Authorisation
Introducing Baltimore
• E-security products, solutions and professional services
• 25 years security industry experience
• UK Company of c 350 staff
• Established blue-chip customer base
  • Government
  • Financial Institutions
• Worldwide reach
  • Europe, Asia Pacific, US
• Leading influencer of security standards
Baltimore Products and Services
• PKI Digital Certificate Management System – UniCERT
• Access Control solutions – XML and LDAP based authorisation product – SelectAccess
• Integrated security solutions – Trusted Business Suite
• Developer toolkits for easy PKI enabling of applications
• Professional Services and consultancy on all aspects of e-security design and implementation
• KeySteps PKI Structured Methodology
• Global 24*7*365 Support
The Emerging Connected Digital World
New challenges in securing on-line transactions…
• Multi-channel, web-enabled applications & communications
• Increasing mobility of people, devices and applications
• Web Services connecting users to application services
• Federated Identity Management
Security Challenges
• Establishing identity – Authentication
• Providing access to entitled resources – Authorization
• Conducting e-business with integrity – Digital Signatures
Security Management Challenges
Identity Proved, Authorization Granted, Transaction Signed: any device, any platform, any network.
• Provisioning Identity and Entitlements
• Managing Identity and Entitlements
• Enforcing Identity and Entitlements
Underpinned by Authentication, Authorisation and Digital Signature technology.
Core Products – Strong & Consistent Policy Management
SelectAccess – Authorisation Management System
• Provision, manage and enforce entitlements
• Easy to use management features, unique GUI
• Web-based single sign on for intranets, extranets and portals
• Role-based access control with delegated administration
• Performance-based scalability, architected for the Internet and web services
UniCERT – Digital Certificate Management
• Provision and manage digital certificates
• Enable digital signatures and strong authentication
• Protect the privacy and integrity of data
• Carrier-grade performance, scalability and flexibility
Digital Certificates
• Digital certificates provide proof of identity
• A Certificate Authority is the trusted third party that certifies the authenticity of users
• It does this by creating a digital certificate which binds the user’s identity to their public key
• The user is required to present the certificate to prove identity (authentication)
• Proof of identity can then be used to determine access rights (authorisation)
A Certificate is the equivalent of a Digital Passport
Digital Certificates v PINs / Passwords
There are many ways to provide security… Digital Certificates are the only way to provide persistent trust
• Password Systems
  • Well established methodology
  • Easy to “crack” or too difficult to remember
  • Do not provide full strength authentication
• Digital Certificates
  • A tamper-proof ID
  • Provides highly secure and robust authentication
  • Often deployed with two-factor authentication tokens
  • Reusable across multiple applications / SSO
  • Necessary for ‘trusted’ transactions
Digital Signatures
The sender’s credentials are used to create a digital signature which can be attached to a transaction, message or document and used to authenticate the sender as well as proving the integrity of the received data.
Digital signatures enable:
• Authentication – an entity is as claimed
• Data integrity – data has not been changed
• Non-repudiation – the signing party (or parties) cannot deny involvement in the transaction at a later date
• Authorisation – entitlement to access a resource (using signed policies & signed authentication data)
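The Digital Certificates and Digital Signatures slides above, modelled as an added Python example (not Baltimore or UniCERT code): a CA signs the binding of a subject name to a public key, the subject signs a transaction with the matching private key, and a relying party checks the CA's binding before trusting the message signature, so a tampered message, a forged certificate or an uncertified key all fail. It uses textbook RSA over SHA-256 with fixed Mersenne primes only to keep the model short and deterministic; the subject name, message and key choices are constructed.

```python
"""Toy model of CA-certified identity plus digital signature (added example).
Textbook RSA over SHA-256 with fixed Mersenne primes: it shows the structure
of certificate and signature checks only. Real systems use random large
primes and a padding scheme; never reuse these keys."""
import hashlib
import json

def make_keypair(p: int, q: int, e: int = 65537):
    """Return ((n, e), (n, d)) from two primes; caller ensures gcd(e, phi) == 1."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

# Constructed toy keys: CA uses 2^521-1 and 2^127-1, the user 2^607-1 and 2^89-1.
CA_PUBLIC, CA_PRIVATE = make_keypair(2**521 - 1, 2**127 - 1)
USER_PUBLIC, USER_PRIVATE = make_keypair(2**607 - 1, 2**89 - 1)

def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(private_key, data: bytes) -> int:
    """Signature = H(data)^d mod n; only the holder of d can produce it."""
    n, d = private_key
    return pow(_digest(data), d, n)

def verify(public_key, data: bytes, signature: int) -> bool:
    """Anyone with the public key checks sig^e mod n == H(data)."""
    n, e = public_key
    return pow(signature, e, n) == _digest(data)

def _to_be_signed(subject: str, n: int, e: int) -> bytes:
    """Canonical encoding of the identity-to-key binding that the CA signs."""
    return json.dumps({"subject": subject, "n": n, "e": e}, sort_keys=True).encode()

def issue_certificate(ca_private, subject: str, subject_public) -> dict:
    """The CA, as trusted third party, vouches that subject holds this key."""
    n, e = subject_public
    return {"subject": subject, "n": n, "e": e,
            "ca_signature": sign(ca_private, _to_be_signed(subject, n, e))}

def verify_signed_message(ca_public, cert: dict, data: bytes, signature: int) -> bool:
    """Relying party: check the CA's binding first, then the message signature."""
    binding = _to_be_signed(cert["subject"], cert["n"], cert["e"])
    if not verify(ca_public, binding, cert["ca_signature"]):
        return False  # key not certified by a CA we trust: identity unproven
    return verify((cert["n"], cert["e"]), data, signature)
```

A relying party that trusts only CA_PUBLIC accepts a message signed by the certified key and rejects a modified message, a certificate whose subject was altered, or a certificate the user issued to themself.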
Digital Signatures in Business
Digital Signatures help resolve:
• Lack of trust
• Manipulation of data
• Repudiation of a transaction
• Fraud
• Legal standing of electronic transactions
• Chain of ownership and change management
• Lack of an on-line trusted approval mechanism
The Need for Authorisation
• Enterprises face increased demand to make resources (data, applications, web sites) available to both internal and external users
• Different users need to have access to different information and applications
• Business managers determine user privileges and which data and applications users are entitled to
  • Payables clerk doesn’t get rights to generate invoices
  • Marketing can’t change salary information – only HR
• Privileges enforced by users signing on to access resources
• Access controlled at the application level – on a server by server, application by application basis
Whose problem is it?
• End Users – Multiple logons and lost passwords
  • Lost productivity & frustrated users
• Business Manager – Reliance on IT to Add/Change user rights
  • Time consuming & error prone
• IT Help Desk Manager – 40%-60% of calls password related
• IT Administrator – Increasing users and resources to secure
  • No economies of scale & a growing backlog of requests
• IT Security Manager – Leaves gaps in security
  • Servers and application control lists out of sync
  • Lags between business requests and changes
How SelectAccess Solves the Problems
• End users – SSO eliminates multiple IDs and passwords to web based info and transactions
• Business Manager – Reduces reliance on IT to manage user profiles and access
• IT Help Desk Manager – Significantly reduces calls related to lost passwords and resets
• IT Administrator – Provides a unified centralized means to maintain privilege rights across servers and applications
  • With delegation for economies of scale
• IT Security Manager – Provides real time security by uniformly updating servers and applications
  • Allows businesses to make real time changes
SelectAccess Architecture Summary
Components shown in the architecture diagram: Web Server, Portal, Java App Server, Application, Admin Server, Enforcer Plug-In, Directory Server, Secure Audit Server, Validator, SAML Server
Integrated Security Solutions
Trusted Business Suite
Baltimore’s Solutions Strategy
• Create solutions
  • That offer “out-of-the-box” functionality
  • Packaged and priced to meet clear departmental business needs
  • Based on UniCERT and SelectAccess functionality
  • Fully tested, KeySteps Blueprinted and globally supported
  • Designed to offer a highly functional & responsive but invisible PKI
Baltimore Solutions
• A suite of high trust business applications, designed to remove the complexity and cost of public key infrastructure
• Built upon core authentication and authorisation technology, the solution modules work out of the box to deliver immediate business benefit
• Two Solution Suites:
  • Trusted Business Suite
  • Trusted Portal Suite
Trusted Business Suite
• A comprehensive suite of high-trust solutions that:
  • Meet business security needs without the cost of implementing large & complex security infrastructures
  • Tightly integrated with business applications
  • Open new markets for Baltimore’s products and technology
• A Solution Suite comprising 3 application areas:
  • Trusted Workplace
  • Trusted Networks
  • Trusted Messaging
Baltimore Applied Solutions Engine (solution overview diagram)
Users: Internal Users, Remote / Mobile Users, Customers, Suppliers, Partners (connecting over VLAN, WLAN, Trusted VPN and the WEB)
• Trusted Portal Suite – Trusted Oracle Portal
• Trusted Business Suite
  • Trusted Workplace – Trusted Documents, Trusted Forms, Trusted Collaboration
  • Trusted Messaging – Trusted E-Mail, Trusted Web-Mail
  • Trusted Network – Trusted VPN, Trusted Web (Trusted Web Authorisation, Trusted Web SSL Class III)
• User Provisioning & Certificate Server
Functions provided: 1) User Authentication, 2) Non-repudiation, 3) User Security Management
Business Solution Architecture Key Differentiators
• All Baltimore Solution Modules have been designed to feature:
  • The use of existing or bulk loaded user data – to simplify user registration
  • Simple installation for both an administrator and end users
  • An automated process to invite authorised users to enrol – for each solution
  • A registration page to guide users through enrolment
  • The managed download of any client side code
  • On-line key generation and certificate request processing
  • A single management interface for managing users & solutions
    • To set and manage all solution policy controls, with controlled delegation
    • To manage users, their registration data, groups, roles and digital credentials
  • Multiple solution credentials within a single credential store
  • Enterprise SSO, third party SSO with strong authentication & authorisation
  • A choice of smartcard, token, soft-token or roaming & mobile/wireless
  • Ease of solution expansion, ease of adding new solution modules
  • A minimum requirement for security management overheads
Smart Cards
• The move towards “user-centric” computing and the expectations of “anytime / anywhere” access means portability of security credentials is a growing demand
• Smart cards are a good fit, being:
  • Secure environments for credential storage (cryptographic keys and digital certificates)
  • Familiar formats
  • Able to carry additional information (photo / logo)
• Baltimore has undertaken interoperability testing with many major smart card vendors
EU Smart Card Initiatives
• Austria – Citizen Card with certificates, c 2003
• Belgium – National Electronic ID Card, c 2003
• Finland – National Electronic ID Card, rolling out
• France – Multi application card being studied
• Germany – Multifunction card being studied
• Ireland – Pilots planned in 2003 for public service cards
• Italy – National EID card and Regional projects underway
• Netherlands – Plans for National Electronic ID card with certificates
• Norway – Planning stages
• Spain – Government internal use for civil servants, National ID card planned
• Sweden – Multipurpose ID card with credentials, operational
Italian National ID Card System
• Challenge to leverage the National Identity Card to access web-based ‘e-government’ services
• System based on standard issuance of national ID cards
  • new cards also have certificates
  • workflow exactly the same as before: municipality to police authorities to Ministry of the Interior
  • card printed with photograph and issued to citizen at the municipal office
• UniCERT enables flexible architecture and registration processes, all in full compliance with EU and Italian digital signature legislation
• Architecture involves 3 subordinate CAs to the national root CA – 2 for citizens, 1 for local operators
• 100,000 certificates issued to date
• Partners include Getronics, Bull and Siemens
Regione Lombardia
• Regional Government of Lombardia, Italy – 9 million citizens in the region
• Using UniCERT to strengthen the authentication, integrity, confidentiality and non-repudiation of e-healthcare services
• Issuing a health card with digital certificate to all citizens, used to securely access public healthcare services
  • system based around smartcards
  • 300,000 issued so far
  • focus on citizens and local Government staff
• Partnered with Ericsson, Elsag and Context System
Summary
• Baltimore Technologies provides solutions to enable e-business to be conducted in a secure, trusted manner
• The solutions are built around Authentication, Authorisation and Digital Signing
• Smart cards are a natural part of the solution to provide secure and portable credential stores to support authentication and digital signing
• Many EU Governments are planning roll-outs of smart cards at national or regional levels