ENTERPRISE SECURE IDENTITY IN
THE CLOUD WITH SINGLE SIGN-ON
AND STRONG AUTHENTICATION
MAKING THE CLOUD A SAFER SPACE
Giuseppe Paternò, Director of GARL
IT Architect and Security Expert with 20+ years of background in Open Source and Cloud (OpenStack, OpenNebula, ...). Former Network and Security Architect for Canonical, RedHat, Wind/Infostrada, Sun Microsystems and IBM, and Visiting Researcher at the University of Dublin, Trinity College.
Past projects: the standard for J2ME Over-The-Air (OTA) provisioning along with Vodafone, the study of architecture and standards for the delivery of MHP applications for digital terrestrial television (DTT) on behalf of DTT Lab (Telecom Italia/LA7), and the implementation of an HLR for Vodafone landline services.
Many publications, mainly on computer security. CTO and Director of GARL, a multinational company based in Switzerland and the UK, owner of SecurePass and SecureAudit.
GARL
- IT security products and virtualization services focused on identity protection in the Cloud.
- Originated from Symantec, conducting pentests and vulnerability assessments on their behalf in EMEA.
- Extensive Open Source experience and large-scale Open Source projects such as OpenStack, OpenNebula, ...
- Most customers are in finance and telco operators.
- HQ based in Switzerland (Lugano and Zurich) and an office in London.
- User privacy is protected by strict Swiss privacy regulations; no EU or US exceptions allowed.
THE CLOUD IN THE ENTERPRISE
- It's easy to spin up new instances; it often takes less time than getting a virtual machine from internal IT.
- Great for prototyping, and then they bring it into production.
- Might have discounts from HW/SW vendors (especially HP Cloud, Azure, ...).
- Some applications are outsourced (e.g. SalesForce, ...).
- Small software suppliers prefer to sell software-as-a-service.
WHAT HAPPENS IN REALITY
- Applications and instances are out of control.
- Not always possible to enforce IT security policies.
- Each application has its own username/password.
- Prone to identity fraud and brute-force attacks.
- Can't have a central point of control.
62%: increase in breaches in 2013 (1)
1 in 5 organizations have experienced an APT attack (4)
$3 trillion: total global impact of cybercrime (3)
8 months: the average time an advanced threat goes unnoticed on a victim's network (2)
2.5 billion: exposed records as a result of data breaches in the past 5 years (5)
(1, 3, 5) Increased cyber security can save global economy trillions, McKinsey/World Economic Forum, January 2014. (2) M-Trends 2013: attack the security gap, Mandiant, March 2013. (4) ISACA's 2014 APT study, ISACA, April 2014. Source: ISACA Cyber Security Nexus
Hosted Apps
- Single point of control for your dispersed applications
- Central and unified user management
- Strong authentication
- Cloud applications access control
- Central logging with non-repudiation
THE CLOUD CONTROL
[Figure: One Time Password (sample token code 345227), Identity Management, Single Sign-On]
SECUREPASS FEATURES
3-in-1 identity management for maximum security in cloud and internet services:
- Strong authentication: no more passwords to remember, but a "one time password" generated by a token.
- Identity management: manage user and group lifecycles from a control panel.
- Single Sign-On:
CENTRAL IDENTITY MANAGEMENT SERVICE
FOR ALL DISTRIBUTED APPLICATIONS AND
FIREWALLS
OTP is built-in and mandatory, the other way around from "standard" services:
- OTP generated on mobile and hardware tokens
- Ensures protection against brute-force password attacks
Works out of the box with all VPN/SSL VPN software
Works with Web applications with little or no effort
Works with corporate SaaS applications like SalesForce and Google Apps
Open protocols: RADIUS, LDAP, CAS and SAML
Seamless integration: works out of the box with more than 98% of the software
Clients and APIs available on GitHub:
- Python, Java, PHP, C#
- NSS plugin for Linux
- Apache plugin
- Plugins for popular CMSs: Wordpress, Joomla & Drupal
SECUREPASS IS OPEN
Python modules available in the Python package installer (pip)
GARL WORKS UPSTREAM TO ENSURE MAXIMUM COMPATIBILITY
Modules are now "upstream" in the main Linux distributions:
- Debian "Jessie"
- Ubuntu 15.04 "Vivid Vervet"
- Builds tested & available for Fedora and RHEL/CentOS
3 high-security, high-speed datacenters with business continuity in different networks.
Strong encryption and best practices as deployed in standard military environments.
Core keys in a secret location, a former Swiss military premise, resistant to a nuclear attack of up to 10 megatons. Only a few people have keys to access the data in the production environments, and their identities are secret even to members of GARL staff, including the board itself.
Processes to revoke the above keys if one of the administrators leaves the company or is under any personal threat.
Emergency procedures and legal coverage against attacks targeted at GARL.
PCI-DSS and ISO 17799/27001 compliant. SecurePass does not deal with your data: in no case will we be handling your application data, and we won't even be able to understand what kind of application or device is behind the login process.
All GARL services are covered by an insurance policy with a premier Swiss-based multinational that will be able to refund up to 250'000 CHF per incident. With special agreements, GARL is able to cover up to 5 million CHF per incident (ask for an update).
[Figure: RSA vs. SecurePass, % difference in time, cost and maintenance]
CASE STUDY WITH ING DIRECT
Financial advisors' access to a European leasing system. Replacement of the RSA 2-factor solution, with more than 70% savings.
GARL IS NOT ONLY SECUREPASS
- Strong authentication and identity management for cloud and internet services
- Password manager for teams with delegation
- Build a virtualization service on standard hardware without licences
- Secure storage for backups to comply with industry regulations
- Tailored security audits for web apps, networks, VPNs and devices
- Network security assessment of up to 8 public IPs
- Secure data collection app to your centralized server