TRANSCRIPT
Enhancing Identity Protection Solutions with a Certified Hardware Security Module (HSM)
Will LaSala – VASCO Data Security
Juan Asenjo – Thales e-Security
Things can go wrong…
Trust takes years to build, seconds to break, and forever to repair.
Why protect your authentication solutions?
Unauthorized access to online sensitive data
Targeted cyber-attacks on authentication solutions can render them ineffective
• Insider Attacker Threats
• Targeted Social Engineering Attacks
• Advanced Persistent Threats
Multi-Factor Authentication
▌ VACMAN Controller (backend): protects and manages the keys used for provisioning authentication devices
▌ IDENTIKEY Authentication Server (backend): authentication server that processes user login requests and validates devices
▌ DIGIPASS (frontend): authentication device family; something the user has, combined with something the user knows
Thales nShield HSM: a component of the VASCO Trust Platform
[Architecture diagram: IDENTIKEY Authentication Server with a back-end IDENTIKEY DB (built-in, ODBC or Active Directory), administered through Web Admin, Command Line and AD Admin tools; remote clients connect over SEAL, RADIUS, SOAP, SEAL-SSL and LDAP: customer web applications, DIGIPASS Authentication for Windows Logon, Wi-Fi/RADIUS clients, Citrix/OWA/IIS6 and Windows; the HSM sits behind the server.]
Native HSM Key Protection
VACMAN Controller replaces the built-in password validation module inside your application.
[Diagram: an application platform made up of core, communication interface, storage and user interface; its password validation module is replaced by VACMAN Controller, which calls the HSM module through the Security World.]
• The Thales and VASCO platforms with HSM leverage multiple secure keys, which are used to decrypt DIGIPASS secrets in the manufacturing injection process, in the transport file and in the customer backend database.
• VASCO HSM-encrypted data is used for authentication and provisioning.
• DIGIPASS secrets are never in the clear and are protected by an HSM throughout the entire lifecycle.
VASCO and Thales Deliver Secure Lifecycle Management of User Credentials and Authentication Devices:
Manufacturing to Delivery
Delivery to Loading
Joint Solution Details
What are HSMs and What do they do?
Hardware Security Module
Hardened, tamper-resistant devices isolated from host environment
Alternative to software crypto libraries
Secure cryptographic operations
Protect critical cryptographic keys
Segregate administration and security domains and enforce key use policy
nShield HSMs are FIPS 140-2 Level 3 certified
Protecting the Keys (Software vs. Hardware)
Software-only system: numerous copies of keys live across the system and its backups
Hardened system: keys are segregated within an isolated security environment
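As an added illustration (not VASCO or Thales code) of the software-versus-hardware comparison above and of the lifecycle in the Joint Solution Details: a simulated HSM boundary wraps an OTP seed at manufacturing, the wrapped blob is what travels in the transport file and sits in the backend database, and verification runs inside the boundary, so application code never holds the seed in the clear. It assumes a standard HOTP (RFC 4226) token algorithm in place of the proprietary DIGIPASS one, and an HMAC-based encrypt-then-MAC wrap stands in for the HSM's native key wrapping; the seed value is the RFC 4226 test secret.

```python
import hashlib
import hmac
import os
import struct


def hotp(seed, counter, digits=6):
    """RFC 4226 HOTP; used by the token and, inside the boundary, by the verifier."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class HsmBoundary:
    """Stand-in for the HSM security world: the KEK is created here and never exported."""

    def __init__(self):
        self._kek = os.urandom(32)  # key-encryption key, lives only inside the boundary

    def _keystream(self, nonce, length):
        # HMAC-SHA256 in counter mode; a stand-in for the HSM's native wrap cipher
        blocks = (length + 31) // 32
        stream = b"".join(hmac.new(self._kek, nonce + struct.pack(">I", i), hashlib.sha256).digest()
                          for i in range(blocks))
        return stream[:length]

    def _tag(self, nonce, ct):
        return hmac.new(self._kek, b"wrap" + nonce + ct, hashlib.sha256).digest()

    def wrap_seed(self, seed):
        """Manufacturing injection: only the wrapped blob (nonce | ciphertext | tag) leaves."""
        nonce = os.urandom(16)
        ct = bytes(a ^ b for a, b in zip(seed, self._keystream(nonce, len(seed))))
        return nonce + ct + self._tag(nonce, ct)

    def _unwrap(self, blob):
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(tag, self._tag(nonce, ct)):
            raise ValueError("wrapped seed failed integrity check")
        return bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct))))

    def verify_otp(self, blob, counter, otp):
        """Backend check: the seed is unwrapped and used only inside the boundary."""
        return hmac.compare_digest(hotp(self._unwrap(blob), counter), otp)


def backend_login(hsm, user_db, user, counter, otp):
    """Application code (the VACMAN Controller role) sees only the wrapped blob from the DB."""
    blob = user_db.get(user)  # constructed in-memory DB: user -> wrapped seed
    return blob is not None and hsm.verify_otp(blob, counter, otp)
```

A tampered or copied-elsewhere blob is useless without the boundary: the integrity check rejects modification, and only the KEK holder can unwrap it.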
Extending nShield Security Capabilities
CodeSafe – secure code execution
• Enables sensitive applications to run within the HSM security boundary
• Protects application code from attack while it executes
• Essential when the protection of keys and crypto processes alone is not sufficient
• Creates tamper-resistant applications
• Ideal for remote deployment operations such as manufacturing sites
[Diagram: the security-sensitive code of a business application is moved into the HSM security boundary, so that application keys, security-sensitive code and the crypto processing engine all sit inside the HSM.]
Protecting the Private Key
Cryptographic identity: a 1:1 mapping between a private key and its corresponding certificate. Your private key is your identity, whether personal or corporate.
What is the impact if that key is compromised?
• Compromise of DIGIPASS OTP secrets, which can be used for remote access to company resources
• Compromise of trusted user authorization, without triggering inherent network monitor alarms
What can be done to mitigate a compromise? Surprisingly little – the cat is out of the bag. OTP tokens can be revoked, new OTP tokens and keys can be distributed, and you hope your credibility survives.
Thales Integration with Vasco
Enhance the Security of your User Credentials with a Proven, Integrated Solution
Why Thales e-Security?
Industries served: Banking, Government, Utilities, High Tech, Mobile, Automotive, Healthcare, Manufacturing
▌ Our track record. Over 40 years of leadership delivering data protection solutions around the world
▌ Our customers. We secure some of the world’s most valuable information and > 80% of payment transactions
▌ Our commitment. Hundreds of R&D staff dedicated to excellence in applied cryptography
▌ Our certifications. All our offerings are independently security certified - more than anyone else!
▌ Our support services. Our Advanced Solutions Group (ASG) provides world-class consulting, training, and deployment assistance
End-to-end key protection throughout the key lifecycle
Hardened, tamper-resistant environment
Seamless support of an integrated solution
Robust two-factor authentication of users
Protects a wide range of authentication devices
Full lifecycle cryptographic key management
Stores keys in a FIPS 140-2 Level 3 validated module
Simplified PCI DSS auditing and reduced compliance costs
End-to-End Trusted User Security is…
A secure environment needs to have trust across users, devices, applications, communications and platforms.
Building trust for everything the user is, and building trust for everything the user does, by ensuring everything is secure. Everything is built on controlling access to the keys: if that key is compromised, then others can follow.
Joint Solution Summary
The VASCO Trust Platform
[Diagram: platform pillars of Risk Management, Transaction Security, Mobile Application Security, Multi-Factor Authentication and Identity Proofing. Trusted Identity (who you are) covers Trusted User, Trusted Device and Trusted App; Trusted Behavior (what you do) covers Trusted Channel, Trusted Data & Docs, Trusted Signatures and Trusted Transactions. Products shown: IDENTIKEY Risk Manager and DIGIPASS for APPS.]
Leverage new technology to deliver higher levels of security and fraud prevention that are frictionless and transparent to the end user, and that enable new business capabilities and efficiencies.
What’s Next:
• Download the solution brief
• Upgrade your IDENTIKEY license to IDENTIKEY Enterprise
• Request more information about Thales HSM: www.thales-esecurity.com