A Physical Key to a Digital World Towards Stronger Digital Identities - PowerPoint PPT Presentation

Slides: 18
Provided by: eric383

Transcript and Presenter's Notes

1
A Physical Key to a Digital World
Towards Stronger Digital Identities
  • Nico Popp, VP Research Advanced Products

2
Security Pain-Points Drivers for Stronger Identity
Vision of Universal Strong Authentication
Realizing the Vision (propagation)
Strong Authentication Federated Identity
Q&A
  • Industry Collaboration
  • Reference Blueprint
  • New Key Concepts

3
The Need for Strong Identity
  • Identity Theft
  • Threat network effect
  • Reducing risk to physical theft (second-factor)
  • Federated Networks
  • Strong SSO
  • Strong identity to address trust issues
    (dependency, liability)
  • Proliferation of Devices (Rogue Devices)
  • Not just people, device as network end-points too
  • Wi-Fi compounds problem (did you say perimeter
    security)?

4
What Defines the Strength of an Identity?
  • Strong Identity Verification
  • Strong Credentials
  • Identity Provider Security Policies
    Best-Practices
  • Identity Provider Reputation (Audit Compliance)

5
Towards a Network of Strong Device and People Identities
Strongly Authenticate

6
Everyone, Everything, Everywhere
Strong Authentication

1 ALL USERS
Driving Trend: Increasing network interactions across all user types
  • Employees
  • Partners
  • Customers

2 ALL DEVICES
Driving Trend: Proliferation of IP devices, device-to-device interactions
  • Desktops (PC)
  • Mobile Devices (laptops, PDAs)
  • Servers (Web Services)
  • P2P (Voice & Video over IP)

3 ALL NETWORKS
Driving Trend: Blurring of public & private network, all converging to IP (wired & wireless)
  • Enterprise LAN
  • Extranet
  • Public Internet

7
Using ANY Strong Credential

8
To Secure ALL Mission Critical Applications
Email/Form Signature File Encryption
Strong Web SSO e-commerce
Roaming DRM (games, music)
ONLINE
Strong Network Access (VPN, Dial-up, Wi-Fi, Win Logon)
Secure Corporate Data Access

9
Realizing the Vision
  • Propagating Strong Authentication
  • How do we make strong credentials pervasive?
  • How do we integrate strong authentication into
    all major apps?
  • How do we drive adoption with enterprise and
    Internet users?

10
Requires Industry Collaboration
  • Ubiquity
  • Devices (tokens, smart cards, cell phones, PDA,
    PCs)
  • App connectors (VPN, Wi-Fi, Web-Apps, SAP,
    Siebel)
  • Platforms (WebSphere/Tivoli, .Net)
  • Interoperability
  • Common algorithms protocol
  • Common app platform connectors
  • Common validation provisioning architecture
  • Accessibility
  • Lower costs through higher volume (devices,
    software)
  • Increased choice best of breed (interoperable
    components)
  • Accelerated deployment through built-in
    functionality

[Diagram labels: INTEGRATORS, CUSTOMERS, CHIPS, DEVICES, APPLICATIONS, PLATFORMS]

11
It All Starts with an Open Technical Blueprint
  • Flexible security devices with combined auth
    methods
  • Common protocols framework
  • Unified validation and provisioning architecture
  • Legacy integration (RADIUS, LDAP)
  • Unification
  • Federation

12
Key Concept 1: All-In-One Devices
Device Manufacturers need to create
multi-mode/multi-function devices (OTP-PKI-SIM
mobile devices, smart cards tokens)
  • Unplugged mode
  • One time password (OTP)
  • Plugged mode (USB or else)
  • SIM, OTP (challenge/response) PKI certificate
    store
  • Versatility use-case
  • Wi-Fi roaming (SIM), VPN (cert), Web portal (OTP)
  • Not just an authentication device!
  • File encryption signature capabilities
  • Personal data vault (Flash RAM)
  • Physical access (RFID)

13
Key Concept 2: 802.1X Everywhere
  • ONE architecture (802.1X) for BOTH wireless AND
    wired networks
  • ONE strong credential on every device (desktops,
    servers, printers)
  • ONE 802.1X client on every device
  • ONE protocol (EAP-TLS because cert is natural
    device credential)

[Diagram labels: Wired, Wi-Fi]
Towards Device Identity Management

14
Key Concept 3: Built-In Activated On-Demand

15
Universal Strong Authentication in the Context of
Federated Identity
  • Assume identity assertion interoperability gets
    solved
  • Liberty/WS-Federation standard convergence
  • Technical bridges
  • Trust remains key issue
  • Identity federation creates dependency and
    liability issues
  • These issues drive the need for strong identities
    that can be shared
  • Strong authentication (credentials ID proofing)
    is an important step toward trusted identities
    that can be shared

16
From Identity Management Towards Federated Identity Management
You are here (if you are lucky)!
Binds identity strength, policies, and audit into one machine consumable attestation (WS or Liberty)
1. Directory Identity Mgt
2. Strong Identity
3. Best Practices
4. Compliance
[Diagram labels: Directory Admin; Auth Az Mgt; Identity Security Services; Federation Gateway; Technology Standards; Identity Assertion Certificates; Strong Credentials; Audit Compliance Services; Auth Bureau; Strong Auth Standards; Best-Practices Certification; Security, Ops, Privacy Best-Practices]

17
Conclusion
  • Universal Strong Authentication
  • People devices
  • Open blueprint
  • Cheaper, better, everywhere (no more static
    passwords)
  • Federated Identity Includes Strong Identity
  • Id Mgt (as the starting point)
  • Strong Authentication
  • Security, Ops Privacy Best-practices
  • Certification, compliance and identity security
    services
  • Q&A