Introduction Authentication Platform

Transcription

1 SecureMetric Technology Unified Platform Adaptive Multi-Factor User Access and Transaction Security Introduction CENTAGATE Unified Platform (CENTAGATE UAP) CERTIFICATE 2D-BARCODE OTP Organisations with multiple enterprise systems require optimised and centralised multi-factor authentication with single sign-on capabilities across a wide variety of business units and functions. The complexity of managing user IDs is moving towards seamless identity management using a trust model as a framework. TIME-CONSTRAINED KEY PASSWORD CENTAGATE Unified Platform What is CENTAGATE UAP? The research and development of CENTAGATE UAP based on SAML 2.0 Specification addresses problems related to the increase of operational risks attributed to users and system administrators who control and provide cross-application functionalities in heterogeneous applications. The growth of heterogeneous applications in an enterprise is inevitable due to the proliferation of web-based applications available; within a firewall in an Intranet or even outside a firewall in the Internet to run application services. CENTAGATE UAP is designed to manage front-end application authentication using an established protocol, Secure Assertion Markup Language (SAML) protocol, which provides a centralised authentication framework and aims to reduce significant application changes at the backend.

2 Present Challenges Big Data And Security The world is currently enduring a big data boom, hoping that an explosion of data will bring solutions to a myriad of problems, from preventing terrorist attacks to anticipating the next technology trend and mitigating natural disasters before they happen. In retrospect, not a day has gone by that cyberespionage campaigns are uncovered, shadowy hacker groups infiltrate prominent websites and endless streams of riveting disclosures occur involving various government agencies across the globe. As a result, standard security measures such as Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are not to be fully relied on as they are at risk of eavesdropping. It is here the management of privacy and the security of information of the very people that reside in the system that is key. Username + Password Application A Application A Identity Card Application B Application B User Username + PIN + SMS TAC Application C User Certificate 2D-Barcode Application C Username + OTP Application D Password Time-Constrained Key OTP Application D Current Desired Common Scenario vs Desired Scenario Security Breach on Engagements Massive amounts of data are intercepted from telephone calls and computer use through intelligence services. Similarly, in cases of banking or government-related transactions, there is a notion if the current access mechanism is good enough to ensure only related parties see certain information. Non-Comprehensive Process Current systems for login, even those used for banking, only rely as much as two-factor authentication which normally comprises the password and a hardware or SMS token. In addition, methods that possess biometric or device identification are not widespread. Identity Theft and Forging With the advent of multiple methods of accessing the same system, for example, through phone, desktop, laptop from any unabated location and at any given time, it is highly doubtful for the system to know that the person accessing it is one and the same. Variable Trust Levels In ever-evolving information systems, especially in sensitive government-related applications, ceiling and floor trust levels often vary. Different applications require different trust levels and trust requirements are often static and non-randomised allowing for infiltration. Over Reliance on Operation Personnel Companies often focus on outside threats to security and business privacy. However, the biggest threats to a company come from insiders who may have the clearance and access to sensitive information. Security should be baked in at a fundamental level and not hinge on operation personnel. 2

3 Scalable High Trust Financial Systems Federal financial planning, budgeting, monitoring and reporting systems need enhanced authority over expenditure management given limited resources. Streamlining of access is necessary to reduce the risk of information leaks, fraud and ensure security. CENTAGATE UAP supports this via: Adaptive Within an enterprise environment, for example, applications pertaining to budget approval that are set at a higher trust level may require additional methods of authentication which is provided by CENTAGATE UAP. In addition, based on the login behaviour of the user such as a change in device location or login time, CENTAGATE UAP may request user for additional authentication. Multi-Factor CENTAGATE UAP comprises multiple authentication methods with different trust values. Therein, enterprise systems can have the flexibility to set the type of authentication method to facilitate secured user access. Users also have the option to choose their preferred method to login to the system. Multi-Factor Tokens such as OTP Token, PKI Token and Smart Card Knowledge such as SMS PIN, picture with passphase Cross-Function Services Audit Profile Provision Mgmt Platform Integration High Integrity Security Information CENTAGATE UAP System Architecture National security agencies operate in highly protected environments that ensure integrity when information is exchanged between parties within or between agencies. Systems need to accommodate the growing amount of information by being scalable and information needs to be quickly validated and disseminated for action. CENTAGATE UAP supports this via: Common Interface One secure method of authentication is through certificates and private keys. CENTAGATE UAP provides a common interface for external developers to access the hardware token which is often used as the storage medium for these thereby nullifying the need to write specific codes to support different browsers. Digital Signature CENTAGATE UAP common interface also allows digital signing of documents. Digital signatures protect data integrity, verify data origin and ensure non-repudiation of data. A document can be immediately verified without the need for third party tools to check for tamperering. 3

4 Reliable and Secured Healthcare Services Government clinics throughout Malaysia experience challenges in stable Internet connectivity. Essential clinic services such as patient registration, triage, doctor consultation and drug dispensation need to be provided even when a system is offline. In addition, the privacy of patients throughout Malaysia whose medical information is stored in a data warehouse needs to be safeguarded. CENTAGATE UAP supports this via: Offline Access CENTAGATE UAP allows users to perform authentication even when Internet connectivity is unavailable. Normal clinic operations can still run on schedule and the general public can still be served by consulting doctors. Therein, downtime is minimised by having operational continuity. Identity Confidentiality Sizeable amounts of medical information are currently placed on the cloud through various clinical systems. CENTAGATE UAP protects patient privacy from insider attacks by separating personalised and pseudonimised information and instituting a correlation between the two. Advantages Containment of Operational Risks Identification of usage and activities can be centrally tracked and traced. This delivers organised data integrity whereby a single source of information can be properly managed for a user life cycle i.e. registration, activation, deletion, termination and so on. Reduced Cost Minimise multiple changes result to less impact and reduced cost as the platform is managed centrally. Amplified Productivity Cross-functions features enable stakeholders to benefit enterprisewide from system owners, to system administrators, to system developers and system users. These benefits can be translated from resources into terms of time and money. 4

5 Key Features Rebuild Once To adopt CENTAGATE UAP, application developers need to modify and separate the authentication module and rely on the central module as the main source. This is moving towards a trusted model where a central application handles all types of authentication for an organisation. Single Sign-On/Single Sign-Off (SSO) To allow users to operate in a seamless environment, SSO denotes that a user can simply access large-scale enterprise applications without multiple logins; access is provided seamlessly after the first login. Trust Model Approach Using CENTAGATE UAP, application can define required trust level while CENTAGATE UAP evaluates user trust level based on authentication methods used and usage profile (time, location, browser and device type). User is allowed login to application if the evaluated trust level exceeds application required trust level. Responsive to Threat New authentication method can be added without any modification to all the applications. Existing authentication method with newly discovered vulnerability can be disabled instantenously. One-Time Registration In adopting CENTAGATE UAP, it is imperative to keep user registration simplified without having to re-enter the user profile for any use of new applications. Here, the verification process is reduced with the use of an system to manage the user registration process and its maintenance. as a Service CENTAGATE UAP provides the necessary technology to offer as a Service in cloud environment. Adaptive User is required to provide additional authentication if the trust level is less than application required trust level. 5

6 Comparison of s Frameworks Features Common Common Gateway SAML Single Sign-on Password Privacy Protection Low (Visible to application) Low (Visible to application) High (Not visible to application) Direct Interaction with User No Require Plaintext Password Storage No No Password Synchronization Not required Required Not required Adaptive Control Extensive changes required at each application No change required at each application No change required at each application Additional Module Extensive changes required at each application No change required at each application No change required at each application Integration Modification of application required No modification of application required Modification of application required MIMOS is Malaysia s forefront technology provider in Information and Communications Technology, Industrial Electronics Technology and Nano-Semiconductor Technology. As a strategic agency under the Ministry of Science, Technology and Innovation (MOSTI), MIMOS contributes to raising Malaysia s competitiveness by pioneering market creation for Malaysian technopreneurs through patentable technology platforms, products and solutions. KUALA LUMPUR (HQ) SecureMetric Technology Sdn. Bhd. Level 5-E-6, Enterprise 4, Technology Park Malaysia, Lebuhraya Sg Besi-Puchong, Bukit Jalil, Kuala Lumpur, Malaysia T F JAKARTA PT SecureMetric Technology Komp. Ruko ITC Roxy Mas, Block C2, No. 42, Jl. KH. Hasyim Ashari, Jakarta, Indonesia T F MANILA SecureMetric Technology, Inc. Unit 7D, Athenaeum Building, 160 L.P Leviste St. Salcedo Village, Makati City 1227, Philippines T M HO CHI MINH CITY SecureMetric Technology Co., Ltd L14-08B, 14th floor, Vincom Tower, 72 Le Thanh Ton, Ben Thanh Ward, District 1, Ho Chi Minh City, Vietnam T F YANGON (Sales Representative Office) 3rd Floor, Building (8), Junction Square, Pyay Road, Kamaryut Township, Yangon, Myanmar T F SINGAPORE SecureMetric Technology Pte. Ltd. 105, Cecil Street, #06-01, The Octagon, Singapore T F HANOI SecureMetric Technology Co., Ltd 203B, TDL Office Building, No. 22, Lang Ha Street, Dong Da District, Hanoi, Vietnam T F sales@securemetric.com Disclaimer : 2016 SecureMetric Technology Sdn. Bhd., CENTAGATE UAP All Rights Reserved. No part of this publication may be reproduced, distributed, or transmitted in any form or by any means, including photocopying, recording, or other electronic or mechanical methods, without the prior written permission of the publisher.