securepass at openbrighton
TRANSCRIPT
ENTERPRISE SECURE IDENTITY IN THE CLOUD WITH SINGLE SIGN-ON AND STRONG AUTHENTICATION
MAKING THE CLOUD A SAFER SPACE
Giuseppe Paternò, Director of GARL, @gpaterno | www.gpaterno.com
IT Architect and Security Expert with 20+ years of background in Open Source and Cloud (OpenStack, OpenNebula, ...). Former Network and Security Architect for Canonical, Red Hat, Wind/Infostrada, Sun Microsystems and IBM, and Visiting Researcher at the University of Dublin, Trinity College.
Past projects: the standard for J2ME Over-The-Air (OTA) provisioning together with Vodafone, the study of the architecture and standards for the delivery of MHP applications for digital terrestrial television (DTT) on behalf of DTT Lab (Telecom Italia/LA7), and the implementation of an HLR for Vodafone landline services.
Many publications, mainly on computer security.
CTO and Director of GARL, a multinational company based in Switzerland and the UK, owner of SecurePass and SecureAudit.
ABOUT ME
IT security products and virtualization services focused on identity protection on the Cloud.
Born out of Symantec, conducting pentests and vulnerability assessments on their behalf in EMEA
Extensive Open Source experience on large-scale Open Source projects such as OpenStack, OpenNebula, ...
Most customers are in finance and telco operators
HQ based in Switzerland (Lugano and Zurich) and an office in London.
User privacy is protected by strict Swiss privacy regulations; no EU or US exceptions allowed.
MAKING THE CLOUD A SAFER SPACE
THE CLOUD IN THE ENTERPRISE
It’s easy to spin up new instances; often it takes less time than getting a virtual machine from internal IT
Great for prototyping, and then they bring it into production
Might have discounts from HW/SW vendors (especially HP Cloud, Azure, ...)
Some applications are outsourced (e.g. SalesForce, ...)
Small software suppliers prefer to sell software-as-a-service
WHAT HAPPENS IN REALITY
Applications and instances are out of control
Not always possible to enforce IT security policies
Each application has its own username/password
Prone to identity fraud and brute-force attacks
Can’t have a central point of control
62% increase in breaches in 2013 (1)
1 in 5 organizations have experienced an APT attack (4)
3 trillion $ total global impact of cybercrime (3)
8 months is the average time an advanced threat goes unnoticed on a victim’s network (2)
2.5 billion exposed records as a result of data breaches in the past 5 years (5)
Sources: 1, 3, 5: Increased cyber security can save global economy trillions, McKinsey/World Economic Forum, January 2014. 2: M-Trends 2013: attack the security gap, Mandiant, March 2013. 4: ISACA’s 2014 APT study, ISACA, April 2014. Source: ISACA Cyber Security Nexus
TOO MANY THREATS
Hosted Apps
Single point of control for your dispersed applications
Central and unified user management
Strong authentication
Cloud applications access control
Central logging with non-repudiation
THE CLOUD CONTROL
[Diagram: Cloud Orchestrator with 2FA/SSO; One Time Password (example code 345227); Identity Management; Single Sign-On]
SECUREPASS FEATURES
3-in-1 identity management for maximum security in cloud and internet services:
Strong authentication: no more passwords to remember, but a “one time password” generated by a token.
Identity management: manage user and group lifecycles from a control panel.
Single Sign-On: SecurePass recognizes users for every integrated application or network.
CENTRAL IDENTITY MANAGEMENT SERVICE FOR ALL DISTRIBUTED APPLICATIONS AND FIREWALLS
OTP is built-in and mandatory, the opposite of “standard” services where it is an optional add-on
- OTP generated on mobile and hardware tokens
- Ensures protection against brute-force password attacks
Works out of the box with all VPN/SSL VPN software
Works with web applications with little or no effort
Works with corporate SaaS applications like SalesForce and Google Apps
Works with virtualization software such as Citrix XenApp, VMware Horizon/vCloud & more...
Open protocols: RADIUS, LDAP, CAS and SAML
Seamless integration: works out of the box with more than 98% of software
Clients and APIs available on GitHub: Python, Java, PHP, C#
NSS plugin for Linux
Apache plugin
Plugins for popular CMSs: WordPress, Joomla & Drupal
SECUREPASS IS OPEN
Python modules available through the Python package installer (pip)
GARL WORKS UPSTREAM TO ENSURE MAXIMUM COMPATIBILITY
Modules are now “upstream” in the main Linux distributions:
- Debian “Jessie”
- Ubuntu 15.04 “Vivid Vervet”
- Builds tested & available for Fedora and RHEL/CentOS
- In talks with SuSE
3 high-security, high-speed datacenters with business continuity on different networks.
Strong encryption and best practices as deployed in standard military environments.
Core keys in a secret location, a former Swiss military facility, resistant to a nuclear attack of up to 10 megatons.
Only a few people have keys to access the data in the production environments, and their identities are secret even to members of GARL staff, including the board itself.
Processes to revoke the above keys if one of the administrators leaves the company or is under any personal threat.
Emergency procedures and legal coverage against attacks targeted at GARL.
PCI-DSS and ISO 17799/27001 compliant.
SecurePass does not deal with your data: in no case will we handle your application data, and we won’t even be able to tell what kind of application or device is behind the login process.
All GARL services are covered by an insurance policy with a premier Swiss-based multinational that is able to refund up to 250’000 CHF per incident. With special agreements, GARL is able to cover up to 5 million CHF per incident (ask for an update).
WHY SECUREPASS IS SECURE
[Chart: RSA VS. SECUREPASS, % difference (0 to 100) for TIME, COST and MTN; series RSA and SecurePass]
CASE STUDY WITH ING DIRECT
Financial advisors’ access to the European leasing system
Replacement of the RSA two-factor solution, with more than 70% savings
IBM labs created a plugin for IBM WebSphere Portal
GARL IS NOT ONLY SECUREPASS
Strong authentication and identity management for cloud and internet services
Password manager for teams with delegation
Build a virtualization service on standard hardware without licences
Secure storage for backups to comply with industry regulations
Tailored security audits for web apps, networks, VPNs and devices
Network security assessment for up to 8 public IPs
Secure data-collection app to your centralized server
BANK OF PASSWORDS
SecureData
VULNERABILITY ASSESSMENT
CUSTOMERS PARTNERS
Q&A