Application Security—Made in Switzerland

Post on 25-Jul-2020


Page 1: Application Security—Made in Switzerland… · SAML 2.0 IDP / SP, OAuth 2.0, OpenID Connect – Single sign-on with NTLM – Integrated database for user extension – User administration

Application Security—Made in Switzerland

Page 2

Security at bank level

Airlock is now the established Swiss standard for eBanking—and that’s a fact. Our lengthy experience of working in the international financial sector means that you benefit from the best possible online security—reliable, efficient and process-optimized.

Flexibility

The Airlock Suite is just as flexible as your requirements. That’s because Airlock can adapt—to existing environments, new challenges and individual needs. The result: your investment is excellently protected, and you benefit from customized solutions.

Cutting cost

Intelligent software architecture, central authentication functionalities and cutting-edge user self-services: these are the assets that make the Airlock solution so outstandingly attractive in terms of cost—a solution that will permanently reduce your IT expenditure.

User self-services

Forgotten passwords, lost logins, new user accounts—customer support has to deal with a host of routine tasks. That’s why we opt for well-designed user self-services. Thanks to this approach, Airlock can cut costs while boosting your customer and employee satisfaction level.

Integrated solutions, one single source

Individual components, perfectly coordinated in one complete package—that’s Airlock. No matter how varied your requirements are, Airlock Suite is your guarantee of well thought-out solutions from one single source – scalable and flexible.

Swiss made

No doubt about it: the highest quality—that’s what Airlock offers you, because our security applications are developed exclusively in Switzerland: your guarantee of maximum reliability, precision and perfection.

The problem of internet security is almost as old as the internet itself. But there is a reliable solution: Airlock Suite from Ergon. Airlock Suite is underpinned by superb Swiss engineering expertise, many years of experience and well thought-out concepts that master the most complex challenges. Airlock Suite deals with the issues of filtering and authentication in one complete and coordinated solution – setting new standards for usability and services.

Online banking, eCommerce, mobile access: the Airlock Web Application Firewall will reliably protect your internet applications—thanks to systematic control and filtering mechanisms backed up by a diverse range of enhancement options.

When combined with Airlock WAF, Airlock Login ensures reliable user authentication and authorization. But that’s not all: as well as superlative security, Airlock Login delivers high usability and cost-efficiency.

Airlock IAM is the suite’s central authentication platform, including enterprise functions. With this product, customers, partners or employees log in just once for secure access to data and applications. Airlock IAM also automates user administration.

[Overview diagram: the three suite components WAF, Login and IAM]

Page 3

The Airlock Web Application Firewall offers a unique combination of protective mechanisms for web applications. Whether your objective is legal compliance, security for your applications or protection for eCommerce: Airlock WAF will upgrade security for your internet applications—a permanent solution with a host of well thought-out functionalities.

Thanks to Airlock WAF, businesses can exploit the potential of the internet without jeopardizing the security and availability of their web applications and services. Each access is systematically monitored and filtered at every level. Used in conjunction with an authentication solution such as Airlock Login or IAM, Airlock WAF can force upstream user authentication and authorization. This allows a uniform, central single sign-on infrastructure. All information is also made available via monitoring and reporting functions. Airlock WAF is one of the few web application security solutions on the market that provides superlative end-to-end protection for complex web environments.

Reverse Proxy and Web Application Firewall

Airlock WAF offers a unique protection mechanism by operating as a combined secure reverse proxy server and web application firewall. All access attempts are systematically controlled and filtered.

Control via a central access point

Airlock WAF is a central point of control for web access, avoiding anonymous interactions with applications that have user authentication. Airlock covers every layer, reducing costs and dependencies.

Shorter time to market thanks to virtual patching

Secure now, fix later—that’s virtual patching in a nutshell. Airlock WAF’s reverse proxy approach makes it very easy for you to virtualize servers and services. Virtual import of patches is also possible. The benefit: security-relevant weaknesses are quickly remedied at a central point across all applications.

Improved availability and performance

Web applications and web services deal only with authorised users and valid data traffic. High availability is guaranteed through load balancing and failover functions.

SIEM integration

The Airlock Operations app for Splunk® Enterprise makes aggregated management reports available on security issues and application usage. Network administrators can use various dashboards to investigate security-critical events so that application and performance problems are rapidly resolved.

Simple operation

Airlock is a Linux-based software appliance with a hardened operating system. It runs on common hardware platforms, in virtual machines and in the cloud. Airlock offers fast and easy installation and allows cost-efficient operation.

Product information

[Figure: Airlock system overview. Elements shown: PKI, Mobile OTP, Mobile TAN, Database/Directory, Applications, Cross Domain SSO with SAML or OAuth 2.0, Application in other Domain, Password Management/Transaction Signing, RADIUS Client, Corporate Network, Kerberos/Smart Card, SAML Assertion, Flickering, Mobile TAN, Client Certificate; authentication paths labelled A, B, C, D]

Page 4

Practical, lean and secure: Airlock Login is the ideal complement to Airlock WAF for reliable user authentication and authorization. Airlock Login offers efficient solutions and easy handling at an attractive price. Airlock Login features convincingly high usability and straightforward configuration.

Solid basis for more

Because it is directly integrated with Airlock WAF, Airlock Login allows fast and convenient implementation of strong upstream user authentication with in-company single sign-on. There may be a need for extensive additional functions such as web service interfaces, step-up authentication workflows, support for cross-domain SSO or user self-services. In these cases, an upgrade from Airlock Login to Airlock IAM could not be easier: simply import a new license, and the Airlock IAM functions will be activated.

Secure and strong access control

Virtually every modern web application requires user identification to allow certain types and levels of access.

Airlock Login provides upstream authentication and allows access control for customers and employees to be centralised and run independently of the business logic.

Single sign-on (SSO)

Airlock Login ensures that even legacy web applications with their own user master records can be easily integrated in the standardised web single sign-on infrastructure.

Easy configuration—also at run-time

Configurations can be efficiently processed using the graphic editor. Airlock Login has a flexible architecture that permits configuration changes at run-time without any session loss or operational disruption.

Product information

Airlock Login and Airlock IAM compared

[Table: the feature rows are reproduced below; the per-product columns of the original table are not recoverable from this transcript]

Components
– Web-based login application
– Web-based administration interface
– Integrated database for user profiles
– Service containers for batch jobs and letter generation
– Technical interfaces

Authentication
– Strong 1- and 2-factor authentication
– Password verification against directory (LDAP, MSAD), OTP token server via RADIUS, RSA SecurID, MTAN (SMS), client certificates
– Role-based access control (RBAC)
– Complex authentication workflows (e.g. step-up, step-down)
– Support for a wide range of additional authentication methods
– Dynamic access control (based on environment attributes)

Login application
– Change and reset password via email
– Portal function
– User self-services
– Various other functions (representation, GTCs, maintenance reports/notifications, etc.)

Single sign-on (SSO) and identity federation
– Simple SSO (using cookies, HTTP headers, on-behalf form login, back-side Kerberos, etc.)
– Cross-domain SSO and identity federation

Identity management
– Find and show users
– Manage, aggregate and provision identity and role information

Deployment
– Integration in Airlock WAF
– Deployment is possible outside of Airlock WAF
– Client capability

Page 5

Airlock IAM is the suite’s central authentication platform, including enterprise functions. With this product, customers, partners or employees log in just once for secure access to data and applications. Airlock IAM also automates user administration and provides user self-services.

SSO for heterogeneous application environments

In addition to a large number of supported SSO mechanisms (e.g. SAML, OpenID Connect), Airlock IAM also accepts authentication tickets issued by other entities.

Cross-domain single sign-on

Airlock IAM supports Federated Identity Management (FIdM) and therefore facilitates cross-domain SSO. Acting as a central identity provider (IDP) in this case, Airlock IAM registers, reports and manages user data. User data are automatically synchronised with third-party systems via the standardised interface. This always ensures a consistent status of user data for all parties. Another advantage is maximum usability. The specific services (service providers) come from other domains and use identities transmitted via SAML, OAuth or OpenID Connect.

Authentication services

Airlock IAM has its own integrated authentication services for matrix cards, mobile TAN via SMS and mobile OTP. All these variants are very cheap since there is no need to purchase any tokens or any special operating hardware. Their administration is fully integrated in the product.

In addition, other authentication services as well as many different hardware or software tokens are supported.

Centralisation of user data

Airlock IAM is the central point of control for the administration of authentication data. For other applications or components in SOA environments, Airlock IAM provides a web service interface (SOAP or REST) which offers actions related to authentication: for example, Airlock IAM can enforce complex password policies while password changes are still made remotely in a business application.

User self-services

In addition to user administration, there are a number of user self-services which cover the entire lifecycle of a user account for single sign-on. The workflows for self-administration of user data cover self-registration, self-migration, self-provisioning of external logins, password changes and user profile data editing.

Product information

Features

Airlock WAF
– Secure HTTP(S) Reverse Proxy
– Termination of SSL/TLS
– HSM Integration
– Access control, authentication & SSO
– Load balancing
– SSL VPN
– Multi-level filtering
– Dynamic whitelisting
– URL encryption
– Smart form protection
– Cookie protection
– Dynamic Value Endorsement (DyVE)
– WebSocket Support
– CSRF Tokens
– Policy Learning
– Content rewriter (Raw, HTML)
– API Protection (SOAP/XML, REST/JSON)
– Configuration staging support
– Secure session handling
– Airlock Operations App for Splunk
– ICAP interface for extension

Airlock Login
– Supported tokens: OTP token via RADIUS (RSA SecurID, Kobil SecOVID, VASCO Digipass, etc.), client certificates (X.509, SuisseID, etc.)
– Integrated tokens: Password, Mobile TAN, Email-OTP
– Single sign-on: Kerberos, HTTP cookies, HTTP headers, URL tickets, Basic Auth, Form Post on behalf
– User directories: JDBC databases, LDAP directories / MS Active Directory
– User self-services: automatic password reset, portal function
– Operating systems: Java-based: Linux, Windows, VMware
– Operational features: failover, audit log, log viewer, web-based administration console, hot deployment without restart
– REST API

Airlock IAM (in addition to Airlock Login)
– Supported tokens: CrontoSign, Kobil AST, Swisscom MobileID, OATH tokens, ISPIN Virto, ti&m Secure Mobile
– Integrated tokens: Mobile OTP, matrix card, Vasco
– Identity federation: SAML 2.0 IDP / SP, OAuth 2.0, OpenID Connect
– Single sign-on with NTLM
– Integrated database for user extension
– User administration / IAM: user, token and role administration, report engine, password policy enforcement
– User self-services: self-registration, self-migration, self-administration, kiosk and portal function for own user data
– Interfaces: web application, RADIUS, SOAP, REST, EAP / TLS 802.1X
– Operational features: multitenancy, statistical evaluations
– Risk-based (or adaptive) authentication
– Stealth authentication mode
– «Remember Me» functionality

Page 6

smart people – smart software

Founded in 1984, Ergon Informatik AG now has a workforce of 255 and numbers among the most long-standing and successful IT service providers in Switzerland. Over 70 % of our employees are graduate software developers, and most of them have trained as IT engineers at the Swiss Federal Institute of Technology (ETH), Zurich—one of the world’s top ten universities. Ergon Informatik AG has also won multiple awards for its sustainable personnel policy.

Ergon Informatik AG is a broadly diversified company that provides services to a wide variety of sectors. Ergon has exceptional expertise in sectors such as financial services, eBanking, telecommunications and security. In 1997, Ergon developed Switzerland’s first eBanking system for a well-known Swiss bank. Airlock Suite, our security product, was launched on the market in 2002 and is now used by 350 customers around the globe.

For more information visit www.ergon.ch

Ergon Informatik AG
Merkurstrasse 43
CH–8032 Zurich
+41 44 268 89 00
www.airlock.com
twitter.com/ErgonAirlock

Copyright Notice

Copyright © 2016 Ergon Informatik AG. All Rights Reserved. All technical documentation that is made available by Ergon Informatik AG is the copyrighted work of Ergon Informatik AG and is owned by Ergon Informatik AG. Ergon, the Ergon logo, “smart people smart software” and Airlock are registered trademarks of Ergon Informatik AG. Microsoft and ActiveDirectory are registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other products or trademarks mentioned are the property of their respective owners.