Reduce Password Fatigue and Improve Security with Single Sign-On
•
1 gefällt mir•1,091 views
The document discusses identity and access management solutions using VASCO's IDENTIKEY Federation Server, including single sign-on capabilities, reducing costs of managing user identities and authentication across multiple applications and systems, and securing access for internal employee and external business partners. It provides an overview of key features and benefits of the IDENTIKEY Federation Server for centralized user authentication, identity federation, and single sign-on across various applications.
Empfohlen
Weitere ähnliche Inhalte
Ähnlich wie Reduce Password Fatigue and Improve Security with Single Sign-On
Ähnlich wie Reduce Password Fatigue and Improve Security with Single Sign-On (20)
Mehr von VASCO Data Security
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
Reduce Password Fatigue and Improve Security with Single Sign-On
- 2. http://your.intranet.com your. intranet.com john.doe@vasco.com Y ******** © 2013 - VASCO Data Security IDENTIKEY Federation Server Workshop 2
- 3. http://your.intranet.com your domain your. intranet.com Y … © 2013 - VASCO Data Security IDENTIKEY Federation Server Workshop 3
- 4. your domain Identity Service © 2013 - VASCO Data Security IDENTIKEY Federation Server Workshop 4
- 5. your domain SAML Identity Service © 2013 - VASCO Data Security IDENTIKEY Federation Server Workshop 5
- 6. your domain Reduces Identity $ Management Costs © 2013 - VASCO Data Security IDENTIKEY Federation Server Workshop 6
- 7. your domain © 2013 - VASCO Data Security IDENTIKEY Federation Server Workshop 7
- 8. your domain © 2013 - VASCO Data Security IDENTIKEY Federation Server Workshop 8
- 9. your the domain cloud … © 2013 - VASCO Data Security IDENTIKEY Federation Server Workshop 9
- 10. your the domain cloud Authentication … Identity Service Users DIGIPASS © 2013 - VASCO Data Security IDENTIKEY Federation Server Workshop 10
- 11. Yes you can 8 Can I access? 1 Please Login @ … Jack 6 A Service Ticket ? 7 3 Authentication 2 OTP ? 4 Identity Identity 5 Authentication Service Jack © 2013 - VASCO Data Security IDENTIKEY Federation Server Workshop 11
- 12. User A Service 2 Ticket Identity Authentication Ticket ? 4 3 Please Login @ … Can I access? 1 B Jack Service Yes you can 5 © 2013 - VASCO Data Security IDENTIKEY Federation Server Workshop 12
- 13. … Identity Identity Authentication © 2013 - VASCO Data Security IDENTIKEY Federation Server Workshop 13
- 14. Identity One Family Identity Authentication Identity Server Federation SAML © 2013 - VASCO Data Security IDENTIKEY Federation Server Workshop 14
- 15. IFS: The selling story Raf Van Ermengem Trainer
- 16. Existing New New customer Customer Customer helpdesk costs Security User Management B2B associates
- 17. Catherine Falcke CEO 17
- 18. Remote access OWA 25 18
- 19. Protect all company Brent Kehl applications with Account Manager 19
- 20. Which applications? How many users?
- 21. 5 80 25 40 15 Sales Admin Technical 21
- 22. I don’t talk RADIUS 25 Sales 40 Admin Upgrade license to Enterprise 15 Technical Selling 55 user licenses Enterprise Selling 55 DIGIPASS Authenticators 22
- 23. Username & OTP Check OTP Sandra 23
- 24. SAML? SOAP? Username C ? Username A Username C Sandra OpenID? OAuth? 24
- 25. Single Sign On Future-ready No upgrade Secure existing licenses
- 27. Username OTP Sandra 27
- 28. Easy Future management of Secure licenses ready Easy SSO user 1 login No management administration overload Convenient … 28
- 29. New Existing customer Customer User Management Security
- 30. John Forbes Manager Customer 30
- 31. 31
- 32. Protection web applications Alice Malley Account Manager Consultants leaving company 32
- 33. Which applications? How many users? 33
- 34. 7 70 40 30 Employee Consultant 34
- 36. Username OTP Dennis 36
- 37. 1 central point Secure Future SSO proof … 37
- 38. Existing New New customer Customer Customer Security User Management helpdesk costs
- 39. Marc Celis IT Manager 39
- 40. David Gomez Password issues Account manager Helpdesk cost 40
- 41. Which applications? How many users? 41
- 42. 7 Soft HR portal My skills employees Training Training Training Credits Tracks offer 5120 120 5000 Employee Associates 42
- 43. Complaints? Login = annoying What’s my SSO = solution? password? 43
- 44. 44 44
- 45. Soft skills HR portal Training Credits Username Training Tracks Password Lisa Training offer My employees 45 45
- 46. 1 central Decrease point TCO Easy 1 login user management Convenient 46
- 47. 47 47
- 48. Soft skills HR portal Training Credits Username Training Tracks OTP Lisa Training offer My employees 48 48
- 49. 1 central Decrease point TCO Easy 1 login user management Convenient Security 49 49
- 50. 120 5000 Employee B2B associates User license? 120 5000 Security Employee B2B associates 50 50
- 51. Security ? 5000 B2B associates 51 51
- 52. Soft 5000 skills Username Password HR portal B2B associates Training Credits 120 Username Training Tracks OTP Employee Training offer My employees 52 52
- 53. 53
- 54. Soft 5000 skills Username Password OTP HR portal B2B associates Training Credits 120 Username Training Tracks OTP Employee Training offer My employees 54 54
- 55. 1 central Future point ready decrease TCO Easy SSO user Secure management Convenient Cost effective 55 55
- 56. Existing New New customer Customer Customer helpdesk costs Security User Management B2B associates
- 57. Define Title in Insert Header/Footer Slide 57
Hinweis der Redaktion
- The IT security problem of today:Password Fatigation
- This is a classic login screen on your intranet, a way of getting access using a username and password.
- Besides the intranet your company is also offering other internalapplications that require an additional login.
- Applications with the main purpose of offering a service to a select user group and therefor storing identities, in the form of a username and password.
- “Provider” is a generic way of referring to both IdP’s (Identity Providers) and SP’s (Service Providers). There are overlaps when it comes to defining Identity providers vs. Service Providers. According to the OASIS (organization) that created SAML an Identity provider is defined as “A kind of provider that creates, maintains, and manages identity information for principals and provides principal authentication to other service providers within a federation, such as with web browser profiles.” A Service provider is “A role donned by a system entity where the system entity provides services to principals or other system entities” and a Federation is “An association comprising any number of service providers and identity providers.”
- In simple terms and as they relate to identity management an Identity provider can be described as a Service Provider for storing identity profiles and offering incentives to other SP’s with the aim of federating user identities. It should be noted however that Identity Providers can also provide services beyond those related to the storage of identity profiles. This way reducing the cost for identity management.
- Single sign-on (SSO) is a property of access control of multiple related, but independent software systems. With this property a user logs in once and gains access to all systems without being prompted to log in again at each of them. Conversely, Single sign-off is the property whereby a single action of signing out terminates access to multiple software systems. As different applications and resources support different authentication mechanisms, single sign-on has to internally translate to and store different credentials compared to what is used for initial authentication. Single sign-on requires that users literally sign in once to establish their credentials. Systems which require the user to log in multiple times to the same identity are inherently not single sign-on. For example, an environment where users are prompted to log in to their desktop, then log in to their email using the same credentials, is not single sign-on.
- As single sign-on provides access to many resources once the user is initially authenticated ("keys to the castle") it increases the negative impact in case the credentials are available to other persons and misused. Therefore, single sign-on requires an increased focus on the protection of the user credentials, and should ideally be combined with strong authentication methods like smart cards and one-time password tokens.
- FIdM, or the "federation" of identity, describes the technologies, standards and use-cases which serve to enable the portability of identity information across otherwise autonomous security domains. The ultimate goal of identity federation is to enable users of one domain to securely access data or systems of another domain seamlessly, and without the need for completely redundant user administration. Identity federation comes in many flavors, including "user-controlled" or "user-centric" scenarios, as well as enterprise controlled or B2B scenarios.
- Digital identity platforms that allow users to log onto third-party websites, applications, mobile devices and gaming systems with their existing identity, i.e. enable social login.Social login, allows public access for your application, without the need of managing their Identity.
- Hello everybody. Let’s give you some help to sell the IDENTIKEY Federation Server.
- We will go through 3 case studies.First one:An existing customer who has a security concernSecond one:A new customer who has some issues with User ManagementAnd the last one:A customer who likes to decrease the helpdesk costs.Fasten your seatbelts, let’s start with the first case.
- Let’s say hi to Catherine Falcke. She is the CEO of “Beyond the door”.This company is situated in selling and placing doors, garage doors, skylights, window security,…More than 100 employees are working for this company.
- Good to know is that the company already uses the VASCO IDENTIKEY Authentication Server to protect the remote access for the Sales PeopleAlready customer of VASCO?Yes. 3 years ago a VASCO reseller sold and installedan IDENTIKEY Authentication Server.Reason: Protection of the remote access for the complete Sales team (25 persons)Protection of the OWA for the complete Sales teamQ: Which edition of IDENTIKEY Authentication Server did the reseller sold?IK Gold, for the web filters
- She remembers, during a previous contact, that it’s no problem to protect also all the web based applications with a OTP.So she setup a meeting with Brent Kehl from Easysis, her dedicated reseller.
- Now we need to get more information from MssFalcke.How many applications are you using?Who has access to these applications?
- Well, we have in total 5 different web based applications:Sharepoint, OWA, hardware inventory (Baramundi), Salesforce and SecurexThe last 2 are cloud based solutions. I hope this is not a problem?All these applications are protected with static passwordsWho has access to these applications?Besides all the 25 sales people, also my complete administrative staff (40 persons) and some technical guys (15 persons)So, in total 80 employees have access to all the internal applications.
- Brent listened very carefully, thought about it, and came up with a solution!Dear Mss. Falcke, Thanks to the fact that you are already working with a VASCO solution, it is actually simple.Let me explain how:We will upgrade the 25 user licenses of the sales people from a Gold to an Enterprise editionYou need to buy 55 extra user licenses, Enterprise EditionAnd 55 DIGIPASS Authenticators, for the administrative staff and technical guys.
- And how does this work in real life.Say hi to Sandra. Sandra is an administrative person. As from today, she has a secured access to the web based applications, thanks to IK Authentication Server.So each day, time she needs to login on each site with a OTP. Not really convenient!?Can we offer an even more convenient solution?
- We can do better than this. Just keep the next concerns in mind:Each day Sandra, and the others, need to log in in different applications = annoyingIs she using, on each application the same username?Are all the web based applications talking SOAP? Or SAML? Oauth, …More and more applications are cloud based. So there is a big chance that this company will work in the future with extra applications.Upgrade of user licenses, can be hard to sell. And even than, you are not sure that it can work (SAML, Oauth, ….)
- So, let’s give them a solution:Whereby we offer the end user a SSOWhereby security Which is future-ready:Extra applications No problemApplications talking SAML, REST, Oauth, SOAP can be easily integrated.Which on not need an upgrade of existing licenses.
- Well, we can offer a solution which take care of all these topics: IDENTIKEY Authentication Server, in combination with IDENTIKEY Federation Server.And the good news is that they belong to the same familyOK, but how will it look like?
- So, thanks to the combination of IK authentication server and Federation Server, we offer the end user a secure and convenient solution.
- So,The IDENTIKEY Authentication Server, in combination with the IDENTIKEY Federation Server, offers the customer a lot of advantagesFor the end user:1 login to access all the applicationsLogin is secured by a One Time PasswordFor the company, and more specific, the IT-people:1 central point to manage all the usersNo administration overloadEasy management of licenses
- Brief recapitulation:Case 1 :An existing IK Authentication customer.Request for securing web based applicationsSolution IK authentication and Federation ServerCase 2:New customerWeb based applications – scared of hackingSolution: IK authentication and Federation ServerCase 3:New customerWeb based applications – Likes to be a differentiatorSolution: IK authentication, Federation Server and MYDIGIGIPASS.COM
- The company QuickMedia is situated in the marketing vertical.They offer their customers:Social Media Marketing CampaignsSEO solutions (Search Engine Optimization)Content marketingHelp to convert website visits into customers…
- John is concerned about confidentiality. All the company applications are accessible via an username and password.So, he is scared that someone could have access to the internal databases of the company (without knowing it)
- QuickMedia invited Alice Malley, a reseller of VASCO.John will explain that he likes to have a secure solution for his web based applications.Another concern he has, is about the consultants. He is not always sure that, when they leave the company, the access on each website is blocked.@Peter Vervloedt: Gartner report regarding the time it takes before an ex-employee is bloc
- Well, and again, we must ask these 2 questions:Which applications would you like to protect?And how many persons are using these applications?
- Well, we have in total 7 different web based application running.The customer has in total 7 different applications running:3 managed internallySharepointWordPress (for blogs)SAP (Management of data)3 managed externallyOffice 365HRnetSource (online HR portal)EPAY (Cloud based time tracking tool)Salesforce50 people or working in our company. 40 of them are on the Payroll of QuickMedia, the other 10 are consultants.
- Alice can offer John a great solution: IFS together with the IAS.Q&AWhich solution can we offer? And Why?IAS in combination with IFSSecure (OTP) and simple user management (for blocking leaving people)What was the request again?Security and blocking consultants
- So, thanks to the combination of IK authentication server and Federation Server, we offer the end user a secure and convenient solution.
- So,The IDENTIKEY Authentication Server, in combination with the IDENTIKEY Federation Server, offers the customer a lot of advantagesFor the end user:Login is secured by a One Time PasswordFor the company, and more specific, the IT-people:1 central point to manage all the usersNo administration overloadEasy blocking consultants who are leaving the company
- Brief recapitulation:Case 1 :An existing IK Authentication customer.Request for securing web based applicationsSolution IK authentication and Federation ServerCase 2:New customerWeb based applications – scared of hackingSolution: IK authentication and Federation ServerCase 3:New customerWeb based applications – Likes to be a differentiatorSolution: IK authentication, Federation Server and MYDIGIGIPASS.COM
- Marc Celis is the IT manager of EduSocra. This company is offering HR-managers, of several companies in France, online tools to create/follow up, … training tracks of their employees.Good to know is that they are linked (financially) with the national government.
- As an IT manager, Marc sees that 40% of the IT tickets are created because of password issues.Since they changed the password policy (stronger).This implicates also that the workload of the IT-department increases. EduSocra even took the recruitment of 2 new IT administrators in consideration.
- Can you give me more information about the applications and the people who are using these?
- We have in total 7 different applications. All internally managed, except Google apps.All the internal applications are “house made” and accessible by the B2B associates as well as the employees.In total 5120 persons are using the online applications.From the 5120 people, 120 are employees of EduSocra.
- Justin: As far I can see, your company has setup a great solution for their employees and B2B-associates.Nevertheless, are people having complaints about this way of working?Marc: We hear more and more people complaining about the login on each website.They very often forget their username, password. This increases the workload of the IT staff.And keep also in mind that people are very impatient these days. The like to have a solution asap.
- Mr. Celis, we can offer you the IDENTIKEY Federation Server. With this solution you will create a SSO-solution for your employees as well for your B2B-associates.
- So, if it’s one of your employees or a business associate, they need to fill in only one their username and password.It’s a very convenient solution.But sorry, this is also a very dangerous solution!
- Well, this is a really great solution and very convenient for the end user and IT administrators.But there is a major security risk!! All the web based applications are accessible with a username and same static password.
- Get rid of these static passwords!! Combine the IDENTIKEY Federation Server together with the IDENTIKEY Authentication Server.Which IDENTIKEY Authentication Server?Is already possible with a standard edition. Is tricky, no backup license!!
- Get rid of these static passwords!! Combine the IDENTIKEY Federation Server together with the IDENTIKEY Authentication Server.Which IDENTIKEY Authentication Server?Is already possible with a standard edition. Is tricky, no backup license!!
- Get rid of these static passwords!! Combine the IDENTIKEY Federation Server together with the IDENTIKEY Authentication Server.Which IDENTIKEY Authentication Server?Is already possible with a standard edition. Is tricky, no backup license!!
- Marc Celis is convienced of the proposed solution.He has however, some issues with the total cost of this solution.Paying for user licenses on the IFS, for employees and B2B associates no issue.This will decrease the helpdesk costs so acceptablePaying for security? Buying user licenses on IAS for employees:No issueOwn staff extra cost is acceptable.For the 5000 B2B associates to expensiveAre they still an associate after 1 year?
- Marc Celis is convienced of the proposed solution.He has however, some issues with the total cost of this solution.Paying for user licenses on the IFS, for employees and B2B associates no issue.This will decrease the helpdesk costs so acceptablePaying for security? Buying user licenses on IAS for employees:No issueOwn staff extra cost is acceptable.For the 5000 B2B associates to expensiveAre they still an associate after 1 year?
- And how would the solution look like?So, the B2B associates will secure login, with a free DIGIPASS authenticator on the MDP-platform.And MYDIGIPASS.COM can easily be linked to the IDENTIKEY Federation Server.
- And the name of this solution? MYDIGIPASS.COM
- And how would the solution look like?So, the B2B associates will secure login, with a free DIGIPASS authenticator on the MDP-platform.And MYDIGIPASS.COM can easily be linked to the IDENTIKEY Federation Server.
- The IDENTIKEY Federation Server offers you a bunch of advantages:1 login to all the applications1 central place to manage the users1 central point to manage leaving employeesSSO increases productivity
- Brief recapitulation:Combine the IAS and IFS gives customers a solution for different issues:Focus on SecurityFocus on User ManagementOr Focus on Help desk costs.Case 1 :An existing IK Authentication customer.Request for securing web based applicationsSolution IK authentication and Federation ServerCase 2:New customerWeb based applications – scared of hackingSolution: IK authentication and Federation ServerCase 3:New customerWeb based applications – Likes to be a differentiatorSolution: IK authentication, Federation Server and MYDIGIGIPASS.COM