S2E is proud to partner with Intercede helping organizations to create and use trusted digital identities.

Transcription

1

2 S2E is proud to partner with Intercede helping organizations to create and use trusted digital identities.

3 3 Who are Intercede? So%ware company specializing in iden5ty and creden5al management Focus on iden5ty assurance cornerstone of cyber security Produces MyID, a market- leading COTS system Offices in the UK and US (80+ staff) with a global partner network Twenty- year track record of successfully delivering cyber security solu5ons to some of the world s leading organiza5ons

4 What does Intercede do? Produce MyID an iden5ty and creden5al management system Facilitates secure access to resources Allows organiza5ons to protect data and intellectual property MyID is capable of issuing FIPS- 201 compliant smart cards (PIV) Uses cryptographic techniques Biometrics Policy control only trusted individuals issued with creden5als for access Full traceability and non- repudia5on of ac5ons Toolkit available for customiza5on 4

5 5 Who we help sample customers UK Na:onal Health Service (NHS) Over one million cards 2,000 issuance loca5ons Secure access to pa5ent records and online services DWP - EAS scheme ID registra5on Token issuance Service enrolment Government Gateway connector Kuwait na:onal ID Two million ci5zens and residents Mul5 applica5on card with biometrics and ci5zen data ICAO compliant epassport TWIC Over two million cards 10,000 biometric card ac5va5ons per day CIV deployment Dutch driving license department Cards and cer5ficates for access to online services Centralized produc5on Pilot electronic driving license US Social Security 70,000 cards Government employee PACS/ LACS convergence FIPS 201 compliant

6 6 Who we help sample customers FAA Over 81,000 cards issued 410 loca5ons Single management system for all PIV cards and creden5als Swedbank Strong authen5ca5on when accessing secure data Enforcement of policy requirements Role- based access control Giesecke & Devrient Over 10,000 cards worldwide Self- service kiosks for reduced opera5onal costs Access to computer systems, networks and buildings Nuclear Regulatory Commission Uses CIV cards for secure access to Na5onal Source Tracking System (radioac5ve materials) Connects to OPM for adjudica5on Lockheed Mar:n Over 100,000 employee badges Cer5Path compliant Integra5on with exis5ng systems and automa5on of business processes Swisscom SwissID card issuance Smart ID badges for corporate customers Digital cer5ficate service

7 7 Who we help sample customers US Environmental Protec:on Agency Single card for physical and logical access FIPS 201 compliant creden5als The World Bank Access for staff on and off site using one 5me password (OTP) Enforcement of strong security policy for employees Booz Allen Hamilton PIV- I cards to follow best prac5ce Access for geographically dispersed user popula5on RBS CouQs Self- service card unlock and so% cer5ficate collec5on using OTP Wells Fargo CIV creden5als deployed company- wide PACS/LACS convergence at all company premises

8 8 Crea:ng trusted iden::es Registra:on Fingerprints, photographs, scanned documents, biographics, physical signature, electronic document verifica5on Iden:ty verifica:on Social footprint checks, background checks, 1:many biometric checks, database lookups Issuance Smart cards, OTP tokens, cer5ficates, prin5ng, applets, secure ac5va5on Lifecycle management Replacement, suspension, revoca5on, health check, unlock, updates

9 Smart cards The tradi5onal solu5on to provide secure access is to use a smart card The gold standard Two- factor authen5ca5on something I have (smart card) and something I know (PIN) Keys or codes generated on device Signing occurs on device Tamper resistant Digital iden5ty bound to the owner 9

10 PIV, PIV- I and CIV deployments of MyID PIV NRC Issues both PIV and CIV cards from one installa5on of MyID FAA 81,000 cards across 410 loca5ons with self- service capability SSA Over 70,000 cards issued PIV- I CIV Booz Allen Hamilton Comply with best prac5ce IDM ORC Operate MyID for emergency first responders and others TWIC Over two million cards issued with a peak of 10,000/day Lockheed Mar5n Over 100,000 smart ID badges for PACS/LACS 10

11 Personal Iden:ty Verifica:on (PIV) Federal agencies use a PIV process to verify applicants iden55es and issue trusted creden5als onto a smart card Standard is called FIPS 201 MyID is a FIPS 201 approved product and can issue PIV, PIV- I and CIV creden5als Already in use for large- scale deployments including TWIC, SSA and FAA Some organiza5ons use PIV- I and CIV cards because they work with government or want to follow best prac5se 11

12 Finance Keep customer data safe Secure access for employees and customers Cuts the cost of maintaining up- to- date access rights across mul5ple systems and loca5ons Secure audit trails and digital signatures Physical and logical access convergence One 5me password (OTP) 12

13 Finance cont. Swedbank Strong authen5ca5on for 17,000 employees in over 500 loca5ons Wells Fargo CIV cards for PACS/LACS convergence at global sites The World Bank Use OTP to strongly authen5cate users on and off- site RBS CouQs Self- service card unlock and so% cer5ficate collec5on using OTP 13

14 Healthcare and pharmaceu:cal Secure access to pa5ent records Self- service cer5ficate renewal Large number of issuance loca5ons Immediate replacement of lost or forgojen cards MyID = single product to manage all device and cer5ficate issuance and post- issuance Opera5ons integrated with exis5ng business processes 14

15 Healthcare and pharmaceu:cal cont. NHS (UK) Over a million cards issued at more than 2,000 issuance loca5ons Strong authen5ca5on to the NHS data spine using PIN protected smart cards Immediate replacement of lost/ forgojen cards HealthSmart (Australia) ACT Health (Australia) 15

16 UK Na:onal Health Service (NHS) Over a million users and 2,000 issuance loca5ons Single product managing all device and cer5ficate issuance and post- issuance ac5vi5es Opera5ons integrated with exis5ng business process for reduced training requirement Strong authen5ca5on to ensure and maintain confiden5ality Immediate replacement of lost or forgojen cards Combined electronic and graphical personaliza5on in a single process 16

17 Aerospace and defense Use MyID to achieve compliance with best prac5se solu5ons (such as FIPS 201 and Cer5Path) Solid framework for secure communica5ons between organiza5ons (e.g. TSCP) Corporate iden5ty badges that also facilitate secure PACS/LACS Cri5cal to protect high value informa5on and IP 17

18 Aerospace and defense cont. Lockheed Mar:n Over 100,000 smart ID badges Integra5on with exis5ng systems and automa5on of business processes High end- user service levels and reduced opera5onal costs Boeing Over 150,000 CIV smart cards for PACS/LACS Cards issued in just three months EADS Astrium Strong authen5ca5on to both high security and restricted domains from a single card Combined PACS/LACS 18

19 Government Use MyID to produce creden5als for programmes such as ID cards, driving licences and health cards Change from paper records to electronic records Comply with appropriate standards, e.g. ICAO for epassport Post- issuance management included in the product Proven COTS product reduces risk 19

20 Government cont. NHS 1.1 million users 2,000 issuance loca5ons Kuwait na:onal ID Over a million ICAO- compliant cards Ci5zen collec5on of cards from self- service kiosks DWP Secure role- based access for DWP employees, over 380 local authori5es and outsourced staff RDW Smart cards and cer5ficates for authen5ca5on of employees and self- service customers (e.g. garages, police, insurance agencies) 20

21 Federal government Comply with PIV standard FIPS- 201 Issue PIV, PIV- I and CIV smart cards from the same installa5on of MyID Secure audit trails Centralized revoca5on Off- site bureau card produc5on with biometric ac5va5on Converged PACS/LACS Interoperability 21

22 Federal government cont. TWIC SSA FAA Over two million cards issued Biometric ac5va5on PIV cards for PACS/LACS Over 70,000 cards issued Over 81,000 cards deployed Over 400 issuance loca5ons NRC Uses PIV cards for employees and CIV cards for secure access to NSTS Adjudica5on by the Office of Personnel Management (OPM) 22

23 BYOD and mobile iden:ty Survey of 17 countries found that 88% of employees use their personal devices for business purposes (Avanade via BBC) Organiza5ons are looking to reduce costs and increase produc5vity by allowing BYOD Secure BYOD - need to get digital iden55es onto mobile plaoorms Applies to a wide range of plaoorms: Android (phone and tablet) ios (iphone and ipad) Windows 8 (virtual smart cards) BlackBerry Trusted Execu5on Environments (TEE) Mobile device management vendors 23

24 MyID CardChecker app Supports PIV, PIV- I, CIV, CAC and TWIC cards Verify a cardholder s iden5ty with three- factor authen5ca5on (card, PIN and fingerprint) Check that data is correctly formajed and the printed photo matches the photo electronically stored on the card Confirm that the informa5on printed on the card s surface has not been tampered with, reducing iden5ty fraud Uses Tac5vo sleeve Available for iphone/ipad and Android 24

25 25 Mobile iden:ty verifica:on 1. A user places their NFC- enabled smartphone next to a guard s smartphone 2. The guard s phone reads data from the user s phone 3. The guard authen5cates that the user data is valid via a signature check 4. The guard s phone communicates with the MyID server to retrieve details and addi5onal ajributes (e.g. first responder creden5als) 5. Data is validated and displayed on the screen of the guard s phone 6. Remote iden5ty verifica5on via mobile smart card has been enabled

26 26 Digital iden::es for mobile devices Creden5al providers Mobile devices Secure Elements Cer5ficates User data SIM Iden:ty & creden:al management system Phone store microsd Ajributes Photographs Directories TPM Virtual smart cards Key management TEE Keys

27 27 Architecture - mobile iden:ty verifica:on Guard phone MyID app MyID server Card layouts Ajributes WIFI/3G NFC NFC modem MyID app SIM PKI applet Key store User phone microsd PKI applet Key store Cer5ficate store MyID virtual card

28 28 Virtual smart cards Microso% Windows 8 introduces virtual smart cards (VSCs) VSCs make use of the Trusted Plaoorm Module (TPM) The TPM provides a similar level of security to a smart card - keys are stored/used in a cryptographically secured environment VSCs are secured by the TPM and operate in an iden5cal manner to smart cards plugged into a smart card reader VSCs can be remotely managed

29 Near Field Communica:on (NFC) NFC technology allows short range proximity data transfer Can be used for PACS, LACS, iden5ty verifica5on, secure and ajribute management Replaces smart cards with smartphones Deliver creden5als securely over the air Central secure audit trail Can be used even when the smartphone is switched off 29

30 Mobile creden:al usage secure Enable apps that run in silos on smartphones to access creden5als for: VPN Secure browsing Secure A MyID creden5al aware library that third party vendors can embed into their own apps Extensible solu5on to support: Smart cards + readers SIM microsd Trusted Execu5on Environments (TEE) 30

31 MyID self- service kiosk Intui5ve self- service kiosk interface so%ware guides users through card management Secure process requiring two- factor authen5ca5on Op5onal biometric applicant ID verifica5on Step- by- step instruc5ons Uses the MyID server - business process and policies s5ll enforced Fewer helpdesk staff lowers costs No training needed to use the kiosk Ac5ons recorded in central secure audit trail Create requests for creden5als on alterna5ve devices such as smartphones and tablets 31

32 MyID self- service app Perform lifecycle management tasks from your desktop in the office or on the move MyID informs cardholders when there is an ac5on to perform Simple guided workflow to collect updates Secure process requiring two- factor authen5ca5on Ac5ons recorded in central secure audit trail Create requests for creden5als on alterna5ve devices such as smartphones and tablets Easy rollout of policy changes 32

33 33 Security Need to use secure devices - HSMs, smart cards, biometric readers, micro- SD cards Need to run in a secure environment - Mul5-5er server, firewall friendly, SSL, signed and encrypted data exchange, encrypted data storage Need to define policy and enforce process - Flexible policy and workflow defini5on, role- based access control, enforced role separa5on, delegated opera5ons, witnessing Need to strongly authen5cate users - Smart card log on, signed opera5ons, signed audit trail, biometric ID verifica5on Compliance - Audi5ng, repor5ng, FIPS 201 approved

34 Registra:on capabili:es Biographic data capture Document scanning Fingerprint capture Facial image capture including facial biometric Photographic analysis Physical signature 34

35 35 Verifica:on capabili:es 1:N biometric uniqueness checks AFIS/watch list External background checks Centralized policy defini5on of required data and valida5on checks Full workflow driven management of ID verng and adjudica5on Escala5on and no5fica5on of ac5on required

36 36 Issuance capabili:es Smart cards USB tokens Smartphones Tablet PCs Contact and contactless Key management PKI cer5ficates Applets So% cer5ficates Mul5ple issuance methods: - Face to face - Self- service - Batch - Bureau

37 37 Lifecycle management Unlock card Permanent replacement (lost card) Temporary replacement (forgojen card) Key archive and recovery Card health check Updates including cer5ficate renewal Suspension and revoca5on Device content version control Remote wipe

38 Toolkit The MyID Toolkit consists of a modular package of: ü Tools ü APIs ü Documenta5on ü Sample code ü Training courses ü Consultancy services Provides the capability to customize MyID to become part of an end- to- end integrated iden5ty management solu5on Examples of Toolkit usage include: Integra5on with in- house data stores Defini5on of ajributes and screens Altering GUI Custom logic 38

39 What makes us different Proven so%ware plaoorm that encapsulates 250+ man years of development Team of focussed experts with a wealth of experience gained from mul5ple projects Cheaper to build - Reuse exis5ng product capabili5es Faster to deploy - Less risky - Based on a tried and tested solu5on Flexible product built for change 39

40 Contacts: 40