A presentation by Giuseppe "Gippa" Paternò", GARL Director, at Brighton event "Open Source, the Cloud and your business" on 18th November 2014 Enterprise secure identity in the cloud with Single Sign On and Strong Authentication

1. ENTERPRISE SECURE IDENTITY IN
THE CLOUD WITH SINGLE SIGN-ON
AND STRONG AUTHENTICATION
MAKING THE CLOUD A SAFER SPACE
Giuseppe Paternò, Director of GARL
@gpaterno | www.gpaterno.com

2. ABOUT ME
IT Architect and Security Expert with 20+
years background in Open Source and Cloud
(OpenStack, OpenNebula, ...). Former Network
and Security architect for Canonical, RedHat,
Wind/Infostrada, Sun Microsystems and IBM
and Visiting Researcher at the University of Dublin
Trinity College.
Past projects: standard for J2ME Over-The-Air
(OTA) provisioning along with Vodafone, the study
of architecture and standards for the delivery of
MHP applications for the digital terrestrial
television (DTT) on behalf of DTT Lab (Telecom
Italia/LA7) and implementation of HLR for
Vodafone landline services.
Lot of writings, mainly on computer security.
CTO and Director of GARL, a multinational
company based in Switzerland and UK, owner of
SecurePass and SecureAudit.

3. IT security products and virtualization services focused
on identity protection on the Cloud.
Born from Symantec, conducting pentest and vulnerability
assessment on their behalf in EMEA
Extensive OpenSource experience and large-scale Open
Source projects such OpenStack, OpenNebula, ....
Most of the customers in finance and telco operators
HQ based in Switzerland (Lugano and Zurich) and office in
London.
User privacy is protected by strict Swiss privacy
regulations, no UE or US exceptions allowed.
MAKING THE CLOUD A SAFER SPACE

4. THE CLOUD IN THE ENTERPRISE
It’s easy to span new instances
(often) it takes less time than
internal IT to have a virtual machine
Great for prototyping and then
they bring it into production
Might have discounts from HW/SW
vendor (especially HP Cloud,
Azure, ....)
Some applications are
outsourced (eg: SalesForce, ...)
Small software suppliers prefer to
sell software-as-a-service

5. WHAT HAPPENS IN REALITY
Applications
and instances
are out of
control
Not always
possible to
enforce IT
security
policies
Each
application
have its own
username/
password
Prone to
identity frauds
and
bruteforce
attacks
Can’t have a
central point of
control

6. 62% Increase breaches in
2013(1)
TOO MANY THREATS
1 in 5 rganizations have
experienced an APT attack (4) 3 Trillion$ total global impact
of cybercrime(3)
2,5 billion exposed records
as results of a data breach in
the past 5 years(5)
8 months Is the average time
an advanced threat goes
unnoticed on victim’s
network(2)
1,3,5: Increased cyber security can save global economy trillions, McKinsey/World Economic Forum, January 2014 2: M-Trends 2013: attack the security gap, Mandiant,
March 2013 4: ISACA’s 2014 APT study, ISACA, April 2014. Source: ISACA Cyber Security Nexus

7. Hosted Apps
THE CLOUD CONTROL
Cloud Orchestrator 2FA/SSO
Single point of control

8. 345227
One Time
Password
345227
345227 Identity
Management
Single
Sign-On
SECUREPASS FEATURES 3-in-1 identity management for maximum
security in cloud and internet services:
Strong authentication:
no more passwords to remember but “one time password” generated by a
token.
Identity management:
manage users and group lifecycles from a control panel
Single Sign-On:
SecurePass recognize users for every application or network integrated

9. CENTRAL IDENTITY MANAGEMENT SERVICE
FOR ALL DISTRIBUTED APPLICATIONS AND
FIREWALLS
OTP is built-in and mandatory, the way around of “standard” services
- OTP generated on mobile and hardware tokens
- Ensure the protection against brute force password attacks
Works out of the box with all VPN/SSL VPN software
Works with Web applications with little or no effort
Works with corporate SaaS applications like SalesForce and Google Apps
Works with virtualization software such as Citrix XenApp, VMWare Horizon/vCloud & more...

10. SECUREPASS
IS OPEN
Open protocols: RADIUS, LDAP, CAS and
SAML
Seamless integration: works out of the box
with more than 98% of the software
Clients and APIs available on GitHub
Python, Java, PHP, C#
NSS Plugin for Linux
Apache Plugin
Plugin for popular CMS Wordpress, Joomla
& Drupal

11. Python modules available in the
Python Installer (PIP)
GARL WORKS
UPSTREAM TO
ENSURE MAXIMUM
COMPATIBILITY
Modules are now “upstream” in the main Linux
distributions:
- Debian “Jessie”
- Ubuntu 15.04 “Vivid Vervet”
- Builds tested & available for Fedora and
RHEL/CentOS

12. WHY SECUREPASS IS SECURE
3 high-secure high-speed datacenters with business
continuity in different networks.
High-encryption and best practices as deployed in
standardmilitary environments.
Core keys in a secret location, former Swiss military
premise, resistant up to 10 megatons nuclear attack.
Only few people has keys to access the data in the
production environments and their identities is secret
also to any member of GARL staff, including the board
itself.
Processes to revoke the above keys if one of the
administrator is leaving the company or under any
personal threat.
Emergency procedures and legal coverage against
attack targeted to GARL.
PCI-DSS and ISO 17799 compliant.
SecurePass do not deal with your data
In no case we will be handling your application data
and we won’t be even able to understand what kind of
application or device is behind the login process.
All GARL services are covered with an insurance policy
with a premier Swiss-based multinational that will be
able to refund up to 250’000 CHF per incident. With
special agreements, GARL is able to cover up to 5 Million
CHF per incident (ask for update).

13. CASE STUDY WITH ING DIRECT
100
75
50
25
0
RSA VS. SECUREPASS
TIME COST MTN
% difference
RSA SecurePass
Financial advisors access to European leasing system
Replacement of RSA 2 factor solution, more than
70% of savings
IBM labs created plugin for IBM Websphere portal

14. GARL IS NOT ONLY SECUREPASS
Strong authentication and
identity management for
cloud and internet services
Password manager for
teams with delegation
Network security assessment
up to 8 public IP
Build a virtualization
service on standard
hardware without licence
Secure storage for
backup to comply to
industry’s regulations
Tailored security audit for
web app, network, VPN
and devices
Secure data collection app
to your centralized server
BANK OF
PASSWORDS
Secure
Data
VULNERABILITY
ASSESSMENT

15. CUSTOMERS PARTNERS

16. Q&A