PKI is Alive and Well: The Symantec Managed PKI Service
Marty Jost, Product Marketing, User Authentication
Lance Handorf, Technical Enablement, PKI Solutions
Agenda
1. PKI Background: Problems and Solutions
2. Symantec Managed PKI: Customer Use Cases
3. Demonstration
Initial PKI Use Fueled by Business Migration to the Internet
Enable growth and remain competitive:
- Cost cutting drives more businesses to an online model
- Competitive necessity
- Failure to enable = loss of agility
Manage risk to assets and brand:
- Non-repudiation is an essential element of e-commerce
- Protect public image
- High-value targets
- Hacker profiles evolving from attention seekers to organized sponsorship
- Public security breaches = lost customer confidence
Business-Related Authentication: Verify the Organization You Are Doing Business With
SSL use case:
- SSL technology authenticates the web site
- Web site identity is verified as part of certificate issuance
- Relies on CA root certificates embedded in browsers
- Most common use cases implement passwords for client authentication to the site
- The SSL web site certificate is used to encrypt information during the online session
Code signing use case:
- Identifies the developer who signed the code
- Provides a virtual shrink wrap to ensure the code is not altered after signing
Digital Certificates Have Additional Versatility
- Validate users and user data
- Digital signatures strengthen the integrity and audit potential of electronic transactions
What Exactly Is a User or Device Certificate?
A digital identity file conforming to a standard (X.509, PEM, etc.)
Strength comes from public-key cryptography:
- Keys commonly 1024-bit, increasingly 2048-bit
- Stored on the user device (or a smart card)
Contains some required information:
- User or device name
- Public key
- Hash of itself
- Signature of the issuing authority
Customizable through metadata:
- Extension fields
- Customer-specific information
Symantec Confidential Do Not Distribute
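The following is an added example, not code from the deck or from Symantec, using only Go's standard crypto/x509 package. It builds a toy issuing CA and a 2048-bit RSA user certificate carrying the required items the slide lists (name, public key, the issuer's signature over the content) plus a customer-specific extension under a placeholder OID (1.3.6.1.4.1.99999.1, an assumption), then reads those fields back, validates the certificate against the CA the way a browser validates a site certificate against its embedded roots (the SSL use case above), and shows that changing a single byte of the subject name breaks the issuer's signature, the "virtual shrink wrap" of the code signing use case. The CA name, user name and extension content are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Placeholder enterprise OID for the "customer specific information" extension (an assumption here, not an OID Symantec uses).
var customerOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

// CertPair holds a self-signed issuing CA and the user certificate it signed, both DER-encoded.
type CertPair struct{ CADER, UserDER []byte }

// IssueUserCert builds a toy issuing CA, then issues a 2048-bit RSA user certificate carrying the slide's required items plus a custom extension.
func IssueUserCert(user, customerData string) (CertPair, error) {
	now := time.Now().Add(-time.Minute) // back-date slightly so clock skew cannot fail validation
	caKey, err1 := rsa.GenerateKey(rand.Reader, 2048)
	userKey, err2 := rsa.GenerateKey(rand.Reader, 2048)
	extVal, err3 := asn1.Marshal(customerData) // extension bodies must be DER, so wrap the string
	if err := errors.Join(err1, err2, err3); err != nil {
		return CertPair{}, err
	}
	caTmpl := &x509.Certificate{ // its own parent when self-signing, then the leaf's issuer
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Issuing CA"},
		NotBefore: now, NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return CertPair{}, err
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: user},
		NotBefore: now, NotAfter: now.Add(365 * 24 * time.Hour),
		KeyUsage:        x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		ExtraExtensions: []pkix.Extension{{Id: customerOID, Value: extVal}},
	}, caTmpl, &userKey.PublicKey, caKey)
	if err != nil {
		return CertPair{}, err
	}
	return CertPair{CADER: caDER, UserDER: leafDER}, nil
}

// CertFacts is what a relying party can read out of, and conclude about, a user certificate.
type CertFacts struct{ Subject, Issuer, SigAlg, CustomerData string; KeyBits int; ChainValid bool }

// Inspect reads the fields named on the slide and validates the certificate against the CA, the same chain check a browser performs with its embedded roots.
func Inspect(p CertPair) (CertFacts, error) {
	ca, err1 := x509.ParseCertificate(p.CADER)
	user, err2 := x509.ParseCertificate(p.UserDER)
	if err := errors.Join(err1, err2); err != nil {
		return CertFacts{}, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, verr := user.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	f := CertFacts{Subject: user.Subject.CommonName, Issuer: user.Issuer.CommonName,
		SigAlg: user.SignatureAlgorithm.String(), ChainValid: verr == nil}
	if pub, ok := user.PublicKey.(*rsa.PublicKey); ok {
		f.KeyBits = pub.N.BitLen()
	}
	for _, ext := range user.Extensions { // the customer-specific extension field
		if ext.Id.Equal(customerOID) {
			_, _ = asn1.Unmarshal(ext.Value, &f.CustomerData) // stays empty if not a DER string
		}
	}
	return f, nil
}

// Tamper flips one byte of the subject name inside a DER certificate: lengths are unchanged, so the copy still parses, but the issuer's signature no longer matches the content.
func Tamper(der []byte, name string) []byte {
	out := append([]byte(nil), der...)
	if i := bytes.Index(out, []byte(name)); i >= 0 {
		out[i] ^= 0x01
	}
	return out
}

func main() {
	p, err := IssueUserCert("alice@example.com", "dept=finance") // constructed sample values
	if err != nil {
		panic(err)
	}
	f, _ := Inspect(p)
	t, _ := Inspect(CertPair{CADER: p.CADER, UserDER: Tamper(p.UserDER, "alice@example.com")})
	fmt.Printf("%+v\ntampered copy still chains to the CA: %v\n", f, t.ChainValid)
}
```

The tampered copy still parses, because only a byte of the name changed and no lengths moved; it is the chain validation, not parsing, that catches it, which is why a relying party must always run the signature check against a trusted root rather than just reading the fields.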
Symantec Strong Authentication Solutions: Flexible, Diverse Technology for Broad Customer Requirements
- Symantec Managed PKI Service: device and user certificates
- Validation and Identity Protection Service: multiple credential form factors (OTP or risk-based)
- Symantec O3: authorization gateway to the cloud, single sign-on
Further characteristics:
- Stored on disk or token
- Available in hardware or software
- Symantec web-based management
- Symantec cloud-based authentication infrastructure
- Risk-based authentication
Symantec Enterprise Customers Use PKI as an Enabler
- Improve business agility and business processes
- Mobility to create a flexible workforce
- Supply chain integration for better collaboration
- Comply with business ecosystem requirements
Symantec Managed PKI Solution: Out-of-the-Box Support for Multiple Use Cases
- Infrastructure authentication: transparent Wi-Fi, EAP-enabled wired switch, or mobile device management
- Document signing: digital signatures for Adobe PDF, MS Office and others
- Secure remote access: strong authentication to networks via VPN
- Secure email: digitally signed, encrypted email communications
- Strong web authentication: authenticate to web apps via a browser
Other initiatives:
- Multi-use smart cards (HSPD-12/PIV)
- Healthcare Information Exchange (HIE)
How Do You Manage Certificates?
One option is to self-manage with readily available PKI tools (certificate software and hardware, Microsoft &%$#!), but:
- Not always multi-platform
- Not easy to use
- Will it scale?
Symantec Managed PKI Service Solution Overview
Other Requirements for Trusted PKI
- Policy and practices
- Security services and key recovery
- Secure infrastructure
- Application integration
- Certificate software and hardware
- Service availability
- Risk and liability management
- Application consulting
- User support
Hardware and software are just one piece of the puzzle. A PKI requires technology, people, facilities, policy, procedures, and integration.
Symantec Managed PKI Is a Full-Service Platform
Turnkey system: the customer just provides an administrator.
Everything is built in:
- Systems
- Best practices
- Redundancy
- Root of trust (global)
- Validation
- Management roles
- Tools
- Workflow
- Key recovery
- Reporting
- Etc.
Symantec Managed PKI Advantages: Build Your Own vs. Managed PKI Service
Build your own requires:
- PKI software
- Servers
- Trained PKI expert
- Secure facility
- Software and system maintenance
- Backup and recovery
- Administration, monitoring and auditing
Operational costs can soon exceed even the benefits of free software.
The Managed PKI Service requires only your PKI administrator and offers:
- Much faster deployment
- Won't be hurt by employee departure
- Lower total cost of ownership (TCO): no infrastructure capital investment, no maintenance
- Ease of use
- Leverage operational excellence: secure, audited operations
- High availability (HA) and high capacity
- 24/7 support and binding SLAs
- Certifications and accredited policy
Flexible Topology Options: Decide or Change at Any Point
Cloud PKI infrastructure:
- All-inclusive infrastructure
- Unified administration
- Supports common use cases
Enterprise Gateway:
- Directory-driven automation
- Local Registration Authority
- Native OS PKI compatibility
Deployment modes: client-enabled, clientless, or hybrid
Client vs. Clientless: Easier to Manage, Simpler to Use
Both clientless and client-enabled provide:
- Browser-agnostic enrollment
- SCEP enrollment for Apple iOS
Client-enabled adds:
- PKI client software
- Application auto-configuration
- Automatic certificate renewal
- Client-side updates possible via an enterprise software management system
Pre-Provisioning Capabilities Speed Time to Value
- Backend and site setup
- Certificate policy: format and metadata
- Web gateway configuration
- Enrollment method and authentication
- Certificate store
- Trust policy, system, and user provisioning
- Cryptographic algorithms
- Content for customized web pages
- Security level (PIN required?)
Templatized Approach Simplifies Certificate Provisioning
- Step-by-step guidance
- Pre-defined where practical
- Use anytime: initial deployment or expansion
Simple to Customize for Clients, HSMs and Other Options
Advanced End-point Automation
Certificate requested. Now what?
- Auto-enable applications to use it: browsers (IE, Firefox, etc.), email, VPN, Adobe, Wi-Fi
- Publish to directory
- Transparent renewal
Excellent Integration with iOS and Mobile Management
Best PKI support of the Simple Certificate Enrollment Protocol (SCEP)
1) Direct enrollment: requires no MDM server and uses the built-in features of Apple iOS that provide certificate-related functions
2) MDM enrollment: the MDM acts as a proxy and provides a superset of features available through the MDM provider
"Organizations should focus on minimizing complexity and remembering the business reasons for using public-key technology."
Eric Ouellet et al., "Factors Impacting PKI and PKO Insourcing and Outsourcing", Gartner, 2010
Demonstration
Demonstration architecture (diagram)
Symantec Cloud Managed PKI (MPKI): PKI Manager, Certificate Services, SCEP Server, Web Services
PKI Administrator: enrollment code
Tablet User: reaches MPKI over the Internet, then connects to the VPN
Legend: enrollment link; SCEP request and VPN profile; certificate
Questions?
Thank you!
Copyright 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.