Presenter’s name Date IBM Tivoli Access Manager for e-Business and SecurIT TrustBuilder®  A UNIQUE COMBINATION
Web Access Management. Products: Tivoli Federated Identity Manager (TFIM) and Tivoli Access Manager for e-business (TAMeb). IBM is a viable option in almost every WAM project, and continues to show customer growth, even though most other vendors' sales are flat or down. IBM TFIM combines the functionality of three products: a well-featured WAM product, a full-featured identity federation tool suitable for enterprise and service provider deployments, and a moderately well-featured Web services security tool.
TrustBuilder Value Proposition for TAMeb & TFIM: Versatile Authentication; Transaction Signing and Validation
Why Versatile Authentication? Static approaches to defining security controls are no longer adequate. Security controls need to be flexible and meet the needs of the diverse set of user access requirements. Ant Allen, IAM Summit, London, March 2009
Improving Security Controls with TAMeb and TrustBuilder. Security requirements continue to evolve and require more flexible, dynamic approaches to protecting customer information and user access. Deeper security controls are required to ensure information is protected and not tampered with. Customers need to review their authentication strategies with an eye towards moving up to a true versatile authentication approach. The ultimate goal, KuppingerCole believes, is to be able to move back and forth between different authentication mechanisms freely and flexibly without the need to modify the applications themselves. Martin Kuppinger, Introducing Versatile Authentication and Transaction Signing
FFIEC Guidance: Authentication in an Internet Banking Environment. The Federal Financial Institutions Examination Council, or FFIEC, is a formal interagency body of the United States government empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions, and to make recommendations to promote uniformity in the supervision of financial institutions. FFIEC guidance issued in 2005. New recommendations issued on June 28th, 2011.
New recommendation
the use of different controls at different points in a transaction process
can substantially strengthen the overall security of Internet-based services
be effective in protecting sensitive customer information, preventing identity theft, and reducing account takeovers and the resulting financial losses.
Information needs to be protected based on its value to the business
Access management must be flexible and modular
A layered security approach can provide the ability to support coarse- to fine-grained access controls
The ability to dynamically set the authentication methods, based on workflow, can provide the flexibility to define the access management policy
What is Transaction Signing and Validation?
Maintain an undisputable proof of the Transaction Contents and Timing in a safe place
(Diagram labels: User, Applications, Seal, Sign, Vault)
Typical Use cases
IP Protection
Subscription
Registration
Proof of Access
Provides the ability to detect application data tampering and keep an undisputable proof
Business needs: TAMeB and SecurIT TrustBuilder®
Observed TrustBuilder Business Needs
Do you need to support other Authentication mechanisms than those provided by standard TAM?
Do you need to migrate smoothly from username/password to strong Authentication?
Is there a requirement to support multiple Authentication mechanisms simultaneously? Security Driven (authentication vs strong authentication); Business Driven (cost / user-friendliness / legacy / rules)
Do you need to determine the authentication requirements based on variables, such as the type of User, the Protected Resource, the User’s location, context-based variables, etc.?
AUTHENTICATION
OTP: hardware, software, outbound / mobile
Digital Certificates: SSL, challenge/response
Biometrics
Etc.
Do you want to ensure transactions are not tampered with?
Do you want to protect your intellectual property?
TRANSACTION VALIDATION
VALUE PROPOSITION: TAMeB and SecurIT TrustBuilder®

IBM Tivoli Access Manager and SecurIT TrustBuilder - A Unique Combination for Web Access Management and Transaction Protection

  • 29. Out of the box support for many validation mechanisms
  • 30. Workflow driven authorization policy definition
  • 31. Protecting the Integrity of the application transaction contents
  • 32. Keep a non-repudiated proof of the transaction. (Diagram labels: Versatile Authentication, Workflow, Extended Policy Controls, Connectors for Validation, Access, Authentication, Authorization, Access Policy, Logging, TAMeb.) TrustBuilder extends TAMeb capabilities to extend authentication controls, introduces transaction layer protection, and provides a workflow-based UI to define policies
  • 33. How it fits together. TFIM: Identity Federation, Cross-domain SSO. TAMeB: Authentication, Access Control, Web SSO. TrustBuilder: Versatile Authentication, Adaptive Access Control, Transaction Validation. (The diagram also shows User and Applications.)
  • 34. TrustBuilder Security Services Platform. Plug-ins. Available as WebSphere® Application and Software Appliance
  • 36. Graphical User Interface for ease of use
  • 37. Drag and drop configuration
  • 38. Easily create new or edit existing workflows
  • 39. Quick and simple analysis of a complex security model
  • 40. The transaction can be managed by a policy.
  • 41. set the boundaries of acceptable security levels and alike.
  • 43. Ability to dynamically update authentication mechanisms, without affecting TAMeB or Applications.
  • 44. Simply accommodate # user communities with # authentication requirements and/or mechanisms.
  • 45. Easily map authentication tokens to a known TAMeB ID (e.g. certificate).
  • 46. Considerably reduce the workload on WebSEAL by offloading authentication to TrustBuilder Server.
  • 47. Share TrustBuilder Server authentication services between TAMeB and other platforms (Network Access, Portals, Applications, etc.). Versatile Authentication
  • 48. Benefits for a TAMeB or TFIM customer. Transaction Validation Services can be combined with Authentication Services on the same TrustBuilder system. Minimal impact on existing and new applications, reducing development time. Transaction Validation services can now easily be shared by multiple applications, allowing significant savings. Open to support different Transaction Proofing mechanisms: OTP (Gemalto, RSA, Vasco); X.509 Signatures; Compliant with CAP/EMV (VISA/MC). Open to support new Transaction Types by generating a highly-configurable challenge over any transaction or data submitted to it. Solution meets many industry standards and aids in compliance management. Transaction Validation
  • 49. Signing as a Service. Transaction Preparation: collect sensitive information from Transactions; generate Challenge. Transaction Signing: present Signature Form; embed Challenge; embed signing logic. Transaction Validation: capture Signature; validate Signature; store validation result
  • 50. Transaction Validation Use Cases. (1) Web Service provided to Applications. (2) Service provided via TAM Authorization Policy. (Diagram labels in both: User, APPS, TAMeB, SSO, Authentication, Signing & Validation, TrustBuilder.)
  • 57. Certificate on USB dongle
  • 65. Radius backend shared with VPN
  • 66. including Token life cycle Mgmt
  • 68. Certificate to TAM ID mapping
  • 69. Online and offline Revocation check. European Organization for the Safety of Air Navigation. SecurIT TrustBuilder USE CASE: Versatile AUTHENTICATION
  • 70. Benefits for the Customers. Simultaneous support for multiple Authentication methods to accommodate use cases. More flexibility in the rapidly changing world of security. The environment can easily be extended with other Authentication methods. Less Development Costs. Compliance with Government and Industry regulations.
  • 72. Migrate to CAP-EMV using an UCR
  • 74. SSO for customers within retail & wholesale segments
  • 75. Support crossing of customer segments
  • 76. Support external hosted applications
  • 77. Support employees – branch of the future
  • 78. Support newer paradigms: Federation, Mobile …
  • 79. Buy versus Build, also for Security. USE CASE: TRANSACTION SIGNING & VALIDATION
  • 81. Extends the Authentication capabilities of TAM/TFIM
  • 82. Acts as gateway to Authentication & Signing Services
  • 83. Enables Flexibility in defining Security Workflows. TrustBuilder
  • 84. TrustBuilder: Key Features. Enterprise Security Services platform: Versatile Authentication; Transaction Signing & Validation. Out-of-the-Box solution: Plug-in Architecture with comprehensive Connector Library; Supports many Vendor/Validation mechanisms; Integrates with many User & Data Repositories. Guarantees Flexibility: Easily adapt to changing requirements; Supports migration needs; Configurable Workflow to accommodate # Use Cases. Ease of Implementation: No development; Choose, Pick or Change Connectors; Drag-and-drop GUI Workflow set-up. Field proven, robust and scalable Technology
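
The three phases on the "Signing as a Service" slide (preparation, signing, validation), sketched as an added example that is not TrustBuilder code or its API. It assumes an HMAC-SHA256 shared key standing in for the OTP and X.509 mechanisms the slides list; every function, class and field name is hypothetical and the transaction is constructed sample data.

```python
import hashlib
import hmac
import json
import secrets
import time

# Hypothetical names for the "sensitive information" collected during preparation.
CRITICAL_FIELDS = ("from_account", "to_account", "amount", "currency")
GENESIS = "0" * 64


def _challenge(nonce, transaction):
    """Bind a nonce to the canonical form of the critical fields."""
    critical = {k: transaction[k] for k in CRITICAL_FIELDS}  # KeyError if one is missing
    canonical = json.dumps(critical, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{nonce}|{canonical}".encode()).hexdigest()


def prepare(transaction, now=None):
    """Transaction Preparation: collect sensitive fields and generate the challenge.
    The returned dict is server-side state and is never accepted back from the client."""
    nonce = secrets.token_hex(16)
    return {"nonce": nonce,
            "challenge": _challenge(nonce, transaction),
            "issued_at": time.time() if now is None else now}


def sign(challenge, user_key):
    """Transaction Signing: the response computed by the user's signing logic."""
    return hmac.new(user_key, challenge.encode(), hashlib.sha256).hexdigest()


class Vault:
    """Append-only, hash-chained store for validation results (the kept proof)."""

    def __init__(self):
        self.records = []
        self.used_nonces = set()

    @staticmethod
    def _hash(prev, entry):
        return hashlib.sha256((prev + json.dumps(entry, sort_keys=True)).encode()).hexdigest()

    def store(self, entry):
        prev = self.records[-1]["record_hash"] if self.records else GENESIS
        record = dict(entry, prev_hash=prev, record_hash=self._hash(prev, entry))
        self.records.append(record)
        return record

    def verify_chain(self):
        """Recompute every link; any edited or removed record breaks the chain."""
        prev = GENESIS
        for rec in self.records:
            entry = {k: v for k, v in rec.items() if k not in ("prev_hash", "record_hash")}
            if rec["prev_hash"] != prev or rec["record_hash"] != self._hash(prev, entry):
                return False
            prev = rec["record_hash"]
        return True


def validate(submitted, prepared, signature, user_key, vault, max_age=120.0, now=None):
    """Transaction Validation: capture and check the signature, store the result.
    The challenge is recomputed from the transaction as submitted, so a field
    changed after signing no longer matches the signed challenge."""
    now = time.time() if now is None else now
    try:
        challenge = _challenge(prepared["nonce"], submitted)
        expected = sign(challenge, user_key)
        ok = hmac.compare_digest(expected.encode(), signature.encode())
    except KeyError:  # a critical field is missing from the submission
        challenge, ok = None, False
    fresh = 0 <= now - prepared["issued_at"] <= max_age
    replayed = prepared["nonce"] in vault.used_nonces
    valid = ok and fresh and not replayed
    if valid:
        vault.used_nonces.add(prepared["nonce"])
    vault.store({"nonce": prepared["nonce"], "challenge": challenge,
                 "signature": signature, "valid": valid, "validated_at": now})
    return valid


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed per-user key
    tx = {"from_account": "ACC-001", "to_account": "ACC-002",
          "amount": "250.00", "currency": "EUR", "memo": "constructed sample"}
    vault = Vault()
    state = prepare(tx)
    sig = sign(state["challenge"], key)
    print("genuine:", validate(tx, state, sig, key, vault))
    state2 = prepare(tx)
    sig2 = sign(state2["challenge"], key)
    print("tampered:", validate(dict(tx, to_account="ACC-999"), state2, sig2, key, vault))
    print("vault intact:", vault.verify_chain())
```

A shared-key HMAC proves integrity to the validating service only; because the service holds the same key, it cannot serve as proof against the service itself, which is where the X.509 signatures listed on the slides differ.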

Editor's notes

  1. This presentation intends to highlight a unique combination in today’s web access management market: IBM Tivoli Access Manager for e-Business and SecurIT TrustBuilder.
  2. However, the security world is changing rapidly and new requirements keep popping up. In this presentation we will show the added value SecurIT’s TrustBuilder platform provides to TAMeB and TFIM, in the area of Versatile Authentication and Transaction Signing and Validation.
  3. For instance, the internet banking world is due to increase the protection of user’s assets and facilitate new business models, as illustrated by the new FFIEC guidance. Here is an excerpt of the new FFIEC’s recommendations issued on June 28th, 2011: ‘... The Federal Financial Institutions Examination Council (FFIEC) issued today a supplement to the Authentication in an Internet Banking Environment guidance, issued in October 2005. The purpose of the supplement is to reinforce the risk-management framework described in the original guidance and update the FFIEC member agencies' supervisory expectations regarding customer authentication, layered security, and other controls in the increasingly hostile online environment. ...’ The guidance clearly promotes a layered security approach, combining authentication, adaptive access control and transaction proofing mechanisms to accomplish this task.
  4. Transaction Signing & Validation is a Security measure organizations use to accomplish 2 objectives: ensure the critical data in a transaction cannot be altered by malicious invaders, either on the endpoint or in the network; and maintain an undisputable proof of the Transaction Contents and Timing in a safe place. In business critical applications it provides an additional security layer at the transaction level in different applications, like internet banking, Intellectual Property protection, submitting forms for subscribing to policies, like for instance insurance policies, registration to events, or simply keeping an undeniable proof that a user was able to access or obtain particular privileged information at a specific point in time. This represents an architectural choice for a re-usable service, rather than implementing such functions within each application. In other words: a Service Oriented Architecture. Bundling this with Authentication Services makes sense because very often the same validation mechanisms will be applied for authentication and signing, but in a different way.
  5. Let’s now have a look at some observed business needs for such a solution.
  6. Large organizations will always have to deal with multiple authentication mechanisms. Organizations can now choose between many types of hardware or software tokens and one time password generators. Certificates regain interest, especially when issued in a community environment by a Trusted Party. Governments issuing electronic identity cards with certificates are a good example. Plans are evolving to include Biometrics as well, in line with increased usability and cost effectiveness. Some obvious reasons for the use of different methods have been illustrated in the previous slides. However, in practice we have seen even more reasons for this. One may desire to leverage existing investments in a system. Especially in merger situations we see the need to consolidate a central application or infrastructure without obliging the users to change their habits or enforce costs for new methods. Another example is migration. Even if an organization decides to introduce another authentication method for a particular use case, this cannot happen overnight in most cases. So there will be a period where certain users accessing the same protected resource are still using the old means and some others the new system. This requires a workflow capability to handle this smoothly and under user’s control. Where traditional credentials like username/password are still used, a layered security approach may be appropriate, characterized by the use of different controls in a transaction process so that a weakness in one control is generally compensated for by the strength of a different control. Examples are knowledge-based authentication, risk/fraud analysis systems or GeoLocation services, used to locate internet users trying to access a particular environment. A key requirement for the use of such complementary methods is the need to handle the authentication process in multiple steps, controlled by a workflow for maximum flexibility in order to evolve over time without affecting an organization’s applications and Access Infrastructure components.
  7. Whereas Transaction Validation used to be included in some highly critical business applications by specialists only, it is now within reach for many applications. TrustBuilder’s model as a centralized service reduces the time and cost of adding such capability tremendously. Different transaction proofing mechanisms are now within reach and for each use case the critical data can easily be selected in order to ensure the integrity from the endpoint to the server and protect your intellectual property.
  8. We discussed which business requirements need to be addressed, which leads to the question: how can these needs be addressed in an optimal way? At SecurIT we have done exactly that when designing TrustBuilder. We released the first incarnation of TrustBuilder already in 2005. Today, it is a proven technology, which is being used in very large customer projects and in very stringent environments. So by now it also is a robust platform, which is able to fulfill its tasks in the most demanding environments.
  9. TAMeb is the market leading web access management and single sign on solution. TrustBuilder extends TAMeb’s authentication controls, introduces transaction layer protection and provides a workflow based UI to define policies. In addition to its out of the box support for many validation mechanisms, it adds adaptive, context-aware access control and a workflow driven authorization policy definition. Its layered security approach includes protecting the integrity of the application transaction contents, while maintaining a non-repudiable proof of the transaction. TAMeb and TFIM combined with TrustBuilder provide the most comprehensive and flexible solution for Web Access Management in the industry today.
  10. So how does this fit together? Well, let’s start with the basic functionality offered by Tivoli Access Manager to manage access to an organization’s IT resources. TAM is a web single-sign-on solution, granting users access to protected applications. It provides coarse-grained access control based on the user’s identity, which is verified through its authentication processes. Some of that functionality is offered out-of-the-box and interfaces are provided to complement this with external components whenever needed. TFIM hooks into such an interface to add support for federated identity management and cross-domain single-sign-on, for instance with Microsoft Windows workstations. Similarly, TrustBuilder can extend TAM’s reach by adding versatile authentication, as described in the beginning of this presentation, feeding context-based access control elements and facilitating transaction signing and validation. This latter feature can also be used by applications, whether or not combined with TAM’s access control capabilities. Finally, TrustBuilder can also cooperate with TFIM to add authentication capabilities to TFIM’s processes. Reality has proven time and again that no other vendor can offer such a rich set of functionality. That is a key element of the cooperation between IBM and SecurIT.
  11. On this slide a graphical overview of the TrustBuilder Security Service platform is presented. Looking at the top of the graphic you’ll see the services offered in dark blue, today in the field of authentication and/or transaction validation. The product is offering these services through a high level interface to either an infrastructure component, like Tivoli Access Manager, or to traditional applications, for instance through a plain HTTP/HTML interface or via Web services in a Service Oriented Architecture. On the other side of the framework, a plug-in architecture (in green) allows so-called Connectors to be inserted. At present we have developed some 20 connectors to perform various functions in order to cover aspects around validation, either internally or interfacing with external validation services, capabilities to access information in almost any repository, or extend the platform to include services offered by any external application to fulfill certain parts of the requirements. In between and at the heart of the system is the policy and workflow management component. This management component is able to handle a request in multiple steps and its workflow will determine how the request will be handled in a particular use case. Such a workflow could be context dependent, so the outcome of a particular step in the workflow can influence the way the continuation of the workflow will be handled. And the transaction can be managed by a policy, to allow the organization to set the boundaries of acceptable security levels. With the latest release, a graphical user interface makes it much easier for customers to configure the system and change the behavior at any point in time.
  12. TrustBuilder’s workflow manager is a key differentiator, making it easy to configure how the request will be handled in a particular use case. Via a drag and drop GUI, sophisticated workflows can be created and existing ones changed with minimal effort and error risk. The graphical representation also provides a quick and simple analysis of the most complex security models. In addition, an organization’s policy can be included by setting the boundaries of acceptable security levels.
  13. In addition, or in a second step, Transaction Validation services can be offered, which can easily be shared by multiple applications, allowing significant savings. This can even be done without changing a single byte in the application itself, a really unique feature in the industry. The combined solution is open to support different transaction proofing mechanisms, either based on one time password technology from vendors like Vasco, RSA or Gemalto, or based on digital certificates, and compliant with the CAP/EMV standard from VISA-Mastercard in the financial industry.
  14. A few more words on Transaction Validation, or signing as a service if you want. Transaction validation is usually handled in three phases. In the preparation phase we collect the sensitive data of the transaction and generate the challenge. The second phase is the signing of the transaction: presenting a signature form to the user, embedding the challenge that has to be signed and potentially also embedding the signing logic, if that is required. Finally there is the transaction validation cycle: capturing the signature, validating the signature and storing the validation result.
  15. Using TrustBuilder for Transaction Validation can occur in different ways. In this graph we show two distinct possibilities, but combinations of these scenarios are possible as well. In the first use case, the authentication services are provided to TAM, which takes care of SSO and access control to application resources. The transaction validation services are being used by the application itself through a web service interface. The application maintains control of the user interaction at any point in time. We call this the application-aware approach, as the application is actively involved in the process. Still, all functions related to transaction preparation, signing and validation are handled by TrustBuilder as a service to the application, considerably decreasing the complexity, development cost and time to market. The service is of course re-usable by other applications. The second case illustrates a so-called application-unaware approach. This intends to insert signing and validation of transactions without involvement of the application. The access policy in TAM can determine when a validation cycle needs to be invoked and forward the page with transaction data to TrustBuilder, which takes control over the user interaction to complete the preparation, signing and validation phases and informs TAM on completion, which subsequently releases the page to the application. This is a really unique feature, making it possible to add proofing capabilities to almost any application without changing a single byte in the application.
  16. Let’s now have a look at some real customer use cases, starting with versatile authentication. KBC Bank is headquartered in Belgium and active across Europe, with a market leading position in some Eastern European countries. The main business driver for the bank was being able to support the most appropriate authentication mechanism for various user communities, whether from the retail banking sector, corporate banking, foreign agencies or internal users, ranging from simple username/password to one time passwords and digital certificates. Note that internal users’ passwords are also being validated by RACF on the IBM mainframe, an example of using another user registry to validate the authentication.
  17. Eurocontrol is the European organization for the safety of air navigation. The TFIM based portal in combination with TrustBuilder provides secure access to its applications and data for the partners, such as the airlines and air traffic control centers. Context-aware access control is offered to different user communities, each authenticated by distinct mechanisms. Tokens are shared with the VPN environment and sophisticated, policy-based handling of digital certificates allows for business-driven validation.
  18. The combination of TAM and TrustBuilder allowed these customers to realize this with a minimum of development costs and without affecting the users’ habits. It also allowed them to select the best authentication method for a given use case, based on cost versus security and user friendliness, and align their security infrastructure with changing government and industry regulations.
  19. ING is a large banking and insurance group, active in the financial industry around the world. We’ll use the ING use case to illustrate how the combination of TFIM and TrustBuilder made it possible to design a security infrastructure that could serve the needs of its new banking concept. At the start, the main focus was on aligning with regulatory demands by changing its validation mechanisms, both for authentication and signing. The choice went to the combination of an unconnected card reader with the user’s bank card, in accordance with the CAP-EMV rules from VISA Mastercard. The new platform will accommodate SSO for customers from both retail and wholesale segments. Moreover, crossing customer segments will be supported, allowing users to log in in various capacities, such as an internal user, retail customer or employee of a wholesale customer. In addition, new paradigms like federation to external hosted applications and mobile banking need to be supported.
  20. The resulting integrated architecture is depicted on this slide, supporting the vision to become a Direct bank for all its financial services and providing universal access by employees. Crossing customer segments is fully supported, allowing e.g. a customer employee user to check on their private affairs or consult a bank’s offer to the employer. This new infrastructure is realized by the combination of TAM, TFIM and TrustBuilder, the latter providing the security services for authentication and transaction signing and validation. Through its comprehensive workflow capabilities, TrustBuilder also provides the flexibility to easily accommodate the use cases above and integrate with the bank’s legacy user management platform.
  21. To conclude this presentation, I would like to highlight some of the key features TrustBuilder is offering to its customers. As an Enterprise Security Services platform, it provides a very complete set of services for Authentication and Transaction Validation. In most cases, TrustBuilder can accommodate customer requirements out-of-the-box and offer the services to other Security infrastructure components or to applications. Through its plug-in architecture and a comprehensive Connectors Library, it supports virtually any third party validation mechanism and is able to integrate smoothly with back-end repositories. The solution provides the flexibility organizations need to address rapidly and constantly changing requirements with minimal impact. Implementing or changing an existing environment became even smoother with the introduction of drag-and-drop configuration of the system. Last but not least, TrustBuilder has proven to be a robust and highly scalable platform, in use at large corporations and in stringent conditions for years. Clearly, TrustBuilder fulfills many of today’s and tomorrow’s needs and the combination with TAMeb and TFIM represents the most advanced solution for Web Access Management in today’s market place.
  22. Well, this concludes the presentation on SecurIT TrustBuilder, showing how the product adds value to IBM’s solutions for identity and Access Management, resulting in an unmatched offering to the market and client base. Please contact us via the coordinates on this slide if you have any questions or requests. Thank you very much for your interest.
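The three phases named in note 14 (preparation, signing, validation), as an added Python example that is not TrustBuilder or TAM code and does not reflect either product's interfaces. It assumes HMAC-SHA256 with a per-user key as a stand-in for an OTP token or card reader; the field names, the audit list and the sample transaction are constructed for illustration.

```python
import hashlib, hmac, json, secrets, time

# Assumption: which fields count as "critical data" is chosen per use case.
CRITICAL_FIELDS = ("beneficiary", "amount", "currency")
AUDIT_LOG = []  # stand-in for the "safe place" that keeps the proof


def canonical(tx):
    """Serialise only the critical fields in a fixed order so both sides hash identical bytes."""
    return json.dumps({k: str(tx[k]) for k in CRITICAL_FIELDS},
                      sort_keys=True, separators=(",", ":")).encode()


def prepare(tx):
    """Phase 1: collect the sensitive data and generate a fresh challenge bound to it."""
    nonce = secrets.token_hex(8)
    digest = hashlib.sha256(nonce.encode() + canonical(tx)).hexdigest()
    return {"nonce": nonce, "challenge": digest[:16]}


def sign(challenge, user_key):
    """Phase 2: what the user's signing device computes over the displayed challenge.
    Assumption: HMAC-SHA256 with a per-user key stands in for a token or card reader."""
    return hmac.new(user_key, challenge.encode(), hashlib.sha256).hexdigest()[:8]


def validate(tx_received, prepared, signature, user_key):
    """Phase 3: recompute the challenge from the data that actually arrived,
    check the signature in constant time, and store the validation result."""
    digest = hashlib.sha256(prepared["nonce"].encode() + canonical(tx_received)).hexdigest()
    ok = hmac.compare_digest(sign(digest[:16], user_key), signature)
    AUDIT_LOG.append({"time": time.time(), "tx": canonical(tx_received).decode(),
                      "nonce": prepared["nonce"], "signature": signature, "valid": ok})
    return ok


def demo():
    key = b"constructed-demo-key"  # constructed sample value
    tx = {"beneficiary": "BE00 0000 0000 0000", "amount": "250.00",
          "currency": "EUR", "memo": "rent"}  # constructed sample transaction
    prepared = prepare(tx)
    sig = sign(prepared["challenge"], key)
    tampered = dict(tx, amount="9250.00")  # amount altered after the user signed
    return validate(tx, prepared, sig, key), validate(tampered, prepared, sig, key)


if __name__ == "__main__":
    print(demo())
```

Because the challenge is derived from the critical fields, a change to the amount between signing and submission fails validation, while a change to a non-critical field such as the memo does not.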