Protecting Data Assets by Deploying a Multi-Factor Authentication Solution with End-to-End Encryption
Axel Buecker, Aditi Mukherjee
Understand the secure, token-flexible IBM Total Authentication Solution
Built on the centralized DS3 Authentication Server high performance appliance
Examine multiple solution use-case scenarios
Redguides
Executive overview
The advent of the Internet revolutionized the consumer experience. From performing high-value transactions to accessing corporate networks remotely, consumers today have numerous options to conduct their business from anywhere in the world. To stay competitive in this fast-growing field of e-commerce, organizations are constantly thinking of innovative ways to reach customers over the Internet. But new e-commerce channels emerge through a myriad of new devices (mobile phones, tablets, PCs), operating systems (iOS, Android, Windows, and so on), and channels (such as social media sites and auctions). Therefore, organizations constantly face new threats and vulnerabilities because of the introduction of new technologies.
Many organizations rely on user name and password to authenticate users. However, because the user name and password are static, they offer little protection against unauthorized access. They are also vulnerable to a wide variety of phishing and Trojan attacks. Attackers can easily decipher static passwords, and then impersonate the original user to access any confidential data. Moreover, most users use easy-to-remember, weak passwords that can be easily stolen, cracked, and compromised, exposing the system to fraudulent attacks. Many organizations try to address these threats by implementing counter-phishing programs and stricter password policies, but newer and more efficient threats are constant. Also, some password management tools require centralized administration of passwords, which by itself poses a security risk. Clearly, to reduce or prevent online fraud and sabotage, organizations must move beyond authentication methods that depend solely on user name and password.
According to the 2012 Annual Norton Cybercrime Report by Symantec, the direct cost that is associated with global consumer cybercrime[1] was USD 110,000,000,000[2] over the past 12 months. The report states, “Every second, 18 adults become a victim of cybercrime, resulting in more than 1.5 million cybercrime victims each day on a global level. With losses that total an average of US $197 per victim across the world in direct financial costs, cybercrime costs consumers more than a week’s worth of nutritious food necessities for a family of four. In the past 12 months, an estimated 556 million adults across the world experienced cybercrime, more than the entire population of the European Union.”[3]
[1] Based on self-reported direct financial costs and losses as a result of cybercrime incidents, such as fraud, theft, and repairs.
[2] Symantec Corporation, 2012 Norton Cybercrime Report, September 2012 (http://www.norton.com/2012cybercrimereport). Findings are extrapolations that are based upon results from a survey that was conducted in 24 countries among adults 18-64. The financial cost of cybercrime in the last year ($110,000,000,000) is calculated as follows: Victims over the past 12 months (per country) x 197 average financial cost of cybercrime (per country in US dollars).
With so much personal data and the credibility of an organization at stake, it is no surprise that organizations today are forced to adopt enhanced authentication methods. These methods are not just to secure sensitive data, but to also comply with various stringent industry and government regulations.
The only cost-effective way to secure data and inspire consumer confidence in online business is to introduce Two-Factor Authentication (2FA). With 2FA, the user provides two or more of the three means of identification (factors) for authentication. These factors are:
– A knowledge factor: Something the user knows; for example, a static password or PIN.
– A possession factor: Generated from something that the user has; for example, a hardware or software token device.
– An inherence factor: Something the user is; for example, a biometric fingerprint.
When users try to access an online service or system, they are prompted to enter a second factor; for example, a dynamically generated One-Time Pin (OTP), in addition to the regular user ID and static password. The system authenticates the user by using both factors, and if successful, authorizes access to the system. Validating the user by using two factors offers more security as compared to one-factor authentication.
The IBM® Total Authentication Solution is a fully integrated, enterprise-wide, and cost-effective strong authentication solution. This tool can help organizations enhance identity assurance across various business applications and access scenarios. The Total Authentication Solution delivers a highly secure, token-flexible, centralized authentication infrastructure that can integrate with the existing infrastructure of the organization to provide end-to-end (E2E) protection of sensitive data.
The core component of the solution is the Data Security Systems Solutions (DS3) Authentication Server, a security appliance that offers strong 2FA and E2E encryption of passwords and OTPs. The server contains a tamper-resistant FIPS[4]-certified Hardware Security Module (HSM)[5] that provides secure storage for master keys and other sensitive data. With easy-to-use, browser-based administration, the authentication server enables administrators to centrally manage the authentication policies, users, groups, and tokens for all the domains. This type of management provides an unprecedented level of control over the system.
This IBM Redguide™ publication highlights the key features and differentiators of the Total Authentication Solution, and how it can create a complete authentication solution that empowers you to meet your business and security challenges.
With cutting edge technology and highly skilled professionals, IBM successfully implemented the Total Authentication Solution in small, medium, and large-sized organizations in over 20 countries.
[3] To view the press release about the Norton study, see this website:
http://www.symantec.com/about/news/release/article.jsp?prid=20120905_02
[4] For more information about FIPS, see these websites:
http://csrc.nist.gov/publications/PubsFIPS.html
http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf
Business challenges
Consumers are conducting an increasing number of online transactions from non-traditional places such as airports, coffee shops, homes and cars, by using devices such as mobile phones, tablets, and PCs. Therefore, organizations are facing significant challenges in securing confidential data for users, enterprises, and governments.
Some of the challenges that these organizations face are highlighted in the following sections.
Enhance security beyond just passwords
Validating the identity of the user is important in protecting data and networks from unauthorized access. But the simple password, which is used for authentication today, is not enough to protect confidential data. Users often choose easy-to-remember passwords that are based on their personal information, such as name, birthday, and name of their pet. These types of passwords can be easily cracked by attackers using sophisticated password cracking software, login spoofing, keystroke logging, phishing, and other methods.
One option to secure passwords is to implement a stricter password policy in the organization. For example, increase the complexity of the password, increase the password length, limit the validity period (by forcing it to expire after a short period), and forbid the user from selecting any password from history. However, all of these methods might end up exposing the passwords even more. This scenario occurs because as passwords become complex and difficult to remember, users tend to write them down on sticky notes, or files, which can get into the hands of the wrong people. Also, volumes of help-desk calls can go up drastically as users call to reset their forgotten passwords, increasing the cost for running the help desk centers.
Yet another option is to adopt a password management tool that reduces the burden of users and help desk personnel. These tools offer centralized administration so that the users can manage all of their passwords from one place. However, centralization of passwords might also jeopardize the security of the password. If an attacker gets access to one password, the attacker can possibly access all accounts and applications through the other passwords that are saved in the centralized location.
Clearly, passwords are not enough to protect the sensitive data from unauthorized access, identity theft, and fraudulent attacks. One single lapse or small loss of data can lead to a significant loss of money and the immeasurable loss of credibility among users and customers.
Comply with security regulations
The online systems offered today are diverse and technologically complex. They have many components, from gateways and network routers to distributed databases and servers. Each of these components, if not properly secured, can add to the risk of cyber-attacks. Depending on the nature of the business or transaction, many governments and industry-specific bodies are creating standard guidelines and regulations that mandate securing these different components, and safeguarding sensitive data and systems.
The regulations require a comprehensive data-security solution that includes strong authentication, data encryption, device control, and robust risk-management technologies to protect customer data and transactions. Failure to comply with these regulations might result in fines or considerable damage to brand reputation.
For example, Federal Financial Institutions Examination Council (FFIEC) is a government regulation in the US that mandates all banks and financial institutions in the US to implement strong 2FA to secure certain kinds of high-value online transactions. Similarly, the Internet Banking and Technology Risk Management (IBTRM) guideline from the Monetary Authority of Singapore (MAS) includes guidance for combating cyber threats in all banks that offer services over the Internet. There are industry-specific regulations too, which mandate the protection of personal sensitive data through strong authentication policies, audits, and controls. Examples include the Payment Card Industry Data Security Standard (PCI DSS), Sarbanes-Oxley (SOX), and the Health Insurance Portability and Accountability Act (HIPAA).
Integration, interoperability, and flexibility
Any organization that considers an authentication solution must ensure that the new solution integrates with the existing applications and directory technologies, works with the tokens used in that organization, and is compatible with the currently used operating systems. This assurance is especially important if the organization uses a proprietary algorithm, protocol, or existing systems; or plans to switch from one authentication solution to another.
Usually, a new authentication solution is considered when an organization plans to improve security, usability, or reduce IT-related costs. With so many authentication solutions available in the market, it can be a challenging task for an organization to select the appropriate solution for itself. The different solutions have their own strengths and weaknesses. The solutions vary in security levels, ability to integrate with other systems and platforms, interoperability with the existing authentication methods, flexibility of tokens, and scalability of the solution.
Cost and complexity
Implementing a new authentication solution can be a complicated project. Depending on the system that is used by the organization and the choice of authentication solution, the cost and complexity of the implementation might vary. The decision makers must fully understand the up-front and hidden costs that are associated with infrastructure, tokens, user management, maintenance of the system, and training of administrative and support staff. The new system must provide higher security, and the best return on investment (ROI).
Segregate user access
Thousands of employees, contractors, and partners log on to the corporate networks every day, from all over the world. Some work remotely from home, while others are traveling and might log in from pubs, cafes, airports, and other non-traditional places. They require access to their work domains, emails, files, HR site, IT department, financial portals, and many more. To boost productivity, it is important that the organizations provide access for all of these users, whenever and wherever they want.
However, because of different access rights for different groups of users, the organization must segregate the users into different domains so that sensitive personal data, such as salary and personal records, is visible to only the authorized set of users. The organizations must manage access to different departments or domains without jeopardizing the security and integrity of confidential data.
Single sign-on to multiple systems
An increasing number of organizations are granting access to multiple networks and systems through single sign-on for simplified management of passwords across a wide range of applications. This process can streamline user access through automated sign-on and sign-off, and facilitates regulatory compliance with comprehensive audit logging and reporting.
As an organization, if you decide to grant access to multiple systems with single sign-on, you must ensure that you use reliable and robust technologies to authenticate the user. If the initial user credentials are available to attackers, they can possibly access all the data through single sign-on.
Easy-to-manage administration
The strong authentication solution must meet the data security requirements of the organization, and be centrally manageable by the administrators and support operators. The IBM Total Authentication Solution is a prominent 2FA solution that provides strong authentication for small, medium, or large sized organizations, and handles all of the business challenges reliably and effectively. This solution is compatible with most of the commonly used operating systems and tokens (hardware and software), integrates with the existing infrastructure, and provides an easy-to-use browser-based administration for centralized management.
Business value of the IBM Total Authentication Solution
The Total Authentication Solution comes as a complete Two-Factor Authentication solution that enables organizations to maximize business value, and meet their security and business requirements. The following requirements are met by this solution:
Enhanced security of sensitive data
The Total Authentication Solution protects the sensitive data by implementing enhanced identity assurance and access control through the following features:
– Strong 2FA of OTP or public key infrastructure (PKI).
– E2E encryption of password/OTP.
– Support for PKI and digital signatures.
– Use of a FIPS 140-2 Level 3 HSM for storage of keys and cryptographic operations.
– Separation of domains.
– Comprehensive audit logging and reporting.
Compliance with regulatory standards
The Total Authentication Solution is compliant with a number of government and industry-specific standards, and other risk management guidelines:
– FFIEC (the US)
– MAS IBTRM (by Singapore Monetary Authority)
– PCI DSS
– HIPAA, Sarbanes-Oxley, and other industry-specific regulations
The Total Authentication Solution is a flexible solution that can protect the current infrastructure investments, and can lower the overall cost by offering less expensive alternatives and a centralized administrative console:
– Supports open standards such as Lightweight Directory Access Protocol (LDAP), remote authentication dial-in user service (RADIUS), and Java application programming interfaces (APIs). These standards make it possible to integrate the Total Authentication Solution with existing IT infrastructure.
– Provides token flexibility. This solution supports a wide range of 2FA tokens: hardware, software, mobile-based, grid cards, and pin mailers.
– Handles most of the authentication methods, including EMV-CAP and PKI.
– Provides less expensive software tokens for 2FA. This option is useful for those organizations which are interested in phasing out the expensive and hard-to-maintain hardware tokens.
– Offers centralized web-based administration for managing the system.
Mature and certified product
The Total Authentication Solution is a security solution that was developed by a seasoned team of security experts with deep expertise of over 60 years:
– Perfected product that includes the best practices and process flows from organizations in various industries and countries, reducing the customization costs.
– Clustering support for high-availability and disaster recovery.
– Certified for RSA Secured Partner Program, MasterCard EMV CAP, Ready for IBM Tivoli® Software Program and Initiative for Open Authentication (OATH).
Proven support
The Total Authentication Solution is a robust, future-proof solution that is backed by IBM.
– Support from a highly reliable and responsive IBM team that consists of experienced and dedicated professionals.
– Multi-language support for authentication credentials (such as user ID) and menus.
IBM Total Authentication Solution architecture
The Total Authentication Solution is a cost-effective, fully integrated authentication solution that enhances data security in Internet-based businesses by using state-of-the-art security technologies. Here, the solution architecture is described and a closer look at the individual components is provided.
The Data Security Systems Solutions Authentication Server
The core component of the IBM Total Authentication Solution is the DS3 Authentication Server, which enables organizations to implement strong authentication across various systems and scenarios through 2FA and E2E encryption of passwords such as OTPs. Mounted on an IBM x3560 or IBM x3250 server, the DS3 Authentication Server is deployed on a pre-hardened Linux operating system with a built-in packet filtering firewall. The server is also fitted with a FIPS-140 Level 3 certified HSM for E2E encryption and storage of secure keys.
The DS3 Authentication Server provides a flexible 2FA solution to protect networks, applications, and data from unauthorized access. It is token-flexible, and can receive authentication requests from various applications and servers that use either Java Remote Method Invocation (RMI) or standard authentication protocols such as RADIUS and LDAP. The OTP authentication process is depicted in Figure 1. The following list provides details:
1. A user enters the user ID and OTP in their browser to log in to a secure website.
2. The user ID and OTP are passed to the browser.
3. The browser passes the user ID and OTP to the web server.
4. The web server processes the validation of the user ID and OTP by using the DS3 ClientAPI.
5. The authentication server accesses the internal database to retrieve the seed/OTP record.
6. The authentication server verifies the OTP.
7. The authentication server returns the result OK to indicate that the OTP was validated successfully.
8. The authentication server returns the authentication status back to the web server.
9. The web server authenticates the login session of the user, enabling the user to log in to a secure website.
Figure 1 OTP authentication
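The server-side part of the flow in Figure 1 (steps 5 through 7: retrieve the seed record, verify the OTP, return OK) is shown here as an added example; it is not the DS3 product's code and the DS3 ClientAPI is not used. The OTP algorithm is the OATH event-based HOTP of RFC 4226, which the page references only through the solution's OATH certification; the in-memory record store, the look-ahead window of five counter values, and the user name are assumptions made for the example. The example also shows the two checks a practitioner expects at step 6 and that the figure does not spell out: constant-time comparison and rejection of a replayed OTP by advancing the counter.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// tokenRecord is the seed/counter record the server retrieves for a user
// (step 5 of Figure 1). Constructed stand-in for the DS3 internal database.
type tokenRecord struct {
	Seed    []byte
	Counter uint64 // next counter value the token is expected to produce
}

// store is an in-memory user-to-record map standing in for that database.
type store map[string]*tokenRecord

// hotp computes a 6-digit RFC 4226 HOTP value: HMAC-SHA1 over the big-endian
// counter, dynamic truncation, then reduction modulo 10^6.
func hotp(seed []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, seed)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := int(sum[len(sum)-1] & 0x0f)
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// verifyOTP is the server-side check of step 6. It tries the next `window`
// counter values (the token may have been pressed without logging in), compares
// in constant time, and on success advances the stored counter past the value
// used so the same OTP cannot be replayed. It returns "OK" on success (step 7).
func (s store) verifyOTP(userID, otp string, window int) (string, error) {
	rec, ok := s[userID]
	if !ok {
		return "FAIL", errors.New("unknown user")
	}
	for i := 0; i < window; i++ {
		c := rec.Counter + uint64(i)
		if subtle.ConstantTimeCompare([]byte(hotp(rec.Seed, c)), []byte(otp)) == 1 {
			rec.Counter = c + 1
			return "OK", nil
		}
	}
	return "FAIL", errors.New("OTP not valid within look-ahead window")
}

func main() {
	// Seed is the RFC 4226 test-vector secret; in practice it is per token and
	// would be stored encrypted under the HSM master key.
	db := store{"alice": &tokenRecord{Seed: []byte("12345678901234567890")}}
	otp := hotp(db["alice"].Seed, 0)           // what the user's token displays: 755224
	fmt.Println(db.verifyOTP("alice", otp, 5)) // OK <nil>
	fmt.Println(db.verifyOTP("alice", otp, 5)) // FAIL: a replayed OTP is rejected
}
```

The window handles a token that has drifted ahead of the server; a production server would also rate-limit failed attempts per user, since each failure lets an attacker test `window` counter values at once.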
The DS3 Authentication Server is fitted with a FIPS 140-2 Level 3 certified Hardware Security Module (HSM) that provides E2E encryption of passwords/OTPs, which makes it possible to comply with regulations such as PCI-DSS, HIPAA, and SOX. The master keys are stored in the tamper-resistant HSM to secure the encrypted data.
Figure 2 shows how the authentication server secures the password by using a public-private key pair. The following list provides the process steps:
1. A user enters the user ID and PIN in their browser to log in to a secure website.
2. The user ID and PIN are passed to the DS3 Java Applet/JavaScript in the browser.
3. The browser hashes the user ID and PIN, encrypts them with an RSA public key from the authentication server, and then sends the encrypted data to the web server.
4. The web server retrieves the user's record (in AES encrypted format) from the database of the application.
5. The web server processes the validation of the user ID and PIN (in RSA encrypted format) and the record of the user (in AES encrypted format) by using the DS3 ClientAPI.
6. The authentication server decrypts the RSA encrypted password within the HSM, verifies it against the user record, and returns the result OK if they match.
7. The authentication server returns the authentication status back to the web server.
8. The web server authenticates the login session of the user, enabling the user to log in to a secure website.
Figure 2 E2E encryption
Key technical capabilities
The key technical capabilities of the DS3 Authentication Server are described here.
End-to-end encryption of password and OTP
The DS3 Authentication Server protects the confidential data that is transferred during an online transaction by encrypting the password and OTP by using randomly generated asymmetric or symmetric keys. The encrypted data is only decrypted in the tamper-resistant HSM within the authentication server, which stores the master key. This method keeps the sensitive data encrypted from its point of entry to the final destination where it is decrypted and validated, and prevents it from getting exposed during transit.
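The E2E flow of Figure 2 and the property described above (the PIN is decrypted only inside the HSM, and the stored record is encrypted under the master key that never leaves it) are shown here as an added example; it is not the DS3 product's code or API. The page names RSA for the browser-to-server leg and AES for the stored record but not the exact modes, so SHA-256 for the hash, RSA-OAEP, AES-256-GCM with the user ID as associated data, and a 2048-bit key (the page's capacity figures cite RSA 1024) are assumptions; the `hsm` type is a software stand-in for the hardware module. The web server in this flow only forwards two ciphertexts, which is the point of the design.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"io"
)

// hsm stands in for the tamper-resistant HSM of Figure 2: it holds the RSA
// private key and the AES master key, and neither ever leaves it.
// Constructed for this example; not the DS3 product's interface.
type hsm struct {
	priv      *rsa.PrivateKey
	masterKey []byte // 32 bytes: AES-256
}

func newHSM() (*hsm, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // 2048 assumed; the page cites RSA 1024
	if err != nil {
		return nil, err
	}
	mk := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, mk); err != nil {
		return nil, err
	}
	return &hsm{priv: priv, masterKey: mk}, nil
}

// PublicKey is what the authentication server hands to the browser-side code.
func (h *hsm) PublicKey() *rsa.PublicKey { return &h.priv.PublicKey }

// credentialHash is the browser-side hash of user ID and PIN (step 3).
func credentialHash(userID, pin string) []byte {
	sum := sha256.Sum256([]byte(userID + "\x00" + pin))
	return sum[:]
}

// clientEncrypt models the applet/JavaScript: hash, then RSA-OAEP encrypt under
// the server's public key. Only this ciphertext reaches the web server (step 3).
func clientEncrypt(pub *rsa.PublicKey, userID, pin string) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, credentialHash(userID, pin), nil)
}

func (h *hsm) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(h.masterKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealRecord runs at enrollment: the HSM AES-GCM-encrypts the credential hash
// under the master key, bound to the user ID as associated data. The returned
// nonce||ciphertext is the "AES encrypted" record the application DB stores (step 4).
func (h *hsm) sealRecord(userID, pin string) ([]byte, error) {
	g, err := h.aead()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, credentialHash(userID, pin), []byte(userID)), nil
}

// verify is step 6: both the RSA blob from the browser and the AES record from
// the database are decrypted inside the HSM and compared in constant time.
// A plaintext PIN never exists on the web server.
func (h *hsm) verify(userID string, encCredential, encRecord []byte) (string, error) {
	submitted, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, h.priv, encCredential, nil)
	if err != nil {
		return "FAIL", err
	}
	g, err := h.aead()
	if err != nil {
		return "FAIL", err
	}
	ns := g.NonceSize()
	if len(encRecord) < ns {
		return "FAIL", errors.New("malformed record")
	}
	stored, err := g.Open(nil, encRecord[:ns], encRecord[ns:], []byte(userID))
	if err != nil {
		return "FAIL", err // wrong master key, tampered record, or a record moved to another user
	}
	if subtle.ConstantTimeCompare(submitted, stored) != 1 {
		return "FAIL", errors.New("credential mismatch")
	}
	return "OK", nil
}

func main() {
	h, err := newHSM()
	if err != nil {
		panic(err)
	}
	record, _ := h.sealRecord("alice", "4821")               // stored at enrollment
	blob, _ := clientEncrypt(h.PublicKey(), "alice", "4821") // sent at login
	fmt.Println(h.verify("alice", blob, record))             // OK <nil>
	wrong, _ := clientEncrypt(h.PublicKey(), "alice", "0000")
	fmt.Println(h.verify("alice", wrong, record)) // FAIL credential mismatch
}
```

Binding the record to the user ID as GCM associated data means a database record copied from one user to another fails authentication inside the HSM, which is a check worth having whenever the application database, not the appliance, holds the encrypted records.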
Support for standard protocols
The DS3 Authentication Server provides out-of-the-box support for standard protocols such as RADIUS and LDAP, which enables a large base of organizations to connect to the authentication server seamlessly.
The support for RADIUS makes it possible for virtual private network (VPN) gateways to connect to the authentication server, and authenticate users for remote corporate access over a Secure Sockets Layer virtual private network (SSL VPN). The VPN gateways from all major VPN vendors (Cisco, Juniper, Check Point, Nortel, and Microsoft) are supported by the authentication server.
The authentication server can also handle authentication requests as a proxy to the back-end LDAP and RADIUS servers. This function allows organizations to retain their existing user repository while using the flexibility and support of the Total Authentication Solution.
Support for open application programming interfaces
The authentication server comes with a client API, a Java-based library, which enables Java client applications to connect to the authentication server through two-way SSL authentication. A Java client application might be any Java web login page that is hosted on a conventional Java Platform, Enterprise Edition server such as IBM WebSphere® Application Server, Oracle WebLogic Server, or Apache Tomcat. If you have other web logins that use other programming languages, you can still call the client API by using an appropriate wrapper.
The support for open API enables organizations to integrate the Total Authentication Solution with their existing applications and systems, authenticate users by using various first and second factor tokens, authorize certain kinds of transactions, and automate user provisioning. These APIs are also widely used for server maintenance such as database backup, disaster recovery, and download of daily audit and system logs.
Flexible multivendor multi-token support
Compared to other existing solutions, the authentication server is a multi-factor, multi-token system that allows organizations to issue almost any type of token to their users.
The flexible token management system allows organizations to allocate different second factor tokens to different users based on their assessment of cost, user preference, usage pattern, and risk profile. For example, if a customer is an infrequent user of Internet-based applications, and logs in only periodically, the organization can issue a Short Message Service-based (SMS-based) OTP to the customer rather than the expensive hardware token. However, if a customer uses Internet-based applications to carry out high-value transactions, the organization can issue a signature-based hardware token to the customer for transaction authorizations. This feature allows organizations to rationalize the use of more expensive hardware tokens, and achieve significant up-front savings in token deployment.
Also, if newer, safer, or less expensive tokens become available in the future, the organization can switch from the current tokens to the new types of tokens without any change to the existing application or infrastructure.
The web-based administrative module further lowers the administrative and resource-related costs by providing a centralized token management system.
Besides regular passwords, the authentication server supports a wide variety of hardware, software, and other tokens, as depicted in Figure 3.
Figure 3 Tokens that are supported by the IBM Total Authentication Solution
Multi-tenancy support
The authentication server supports up to 1024 independent domains that can be used to segregate users based on access rights or authentication type. Each domain can be individually managed by a domain administrator. This function allows organizations to assign different access rights to different groups of users, and support different departments and divisions within an organization, as shown in Figure 4 on page 11.
Figure 4 User segregation through domains
Web-based graphical user interface for centralized administration
The authentication server provides a browser-based administrative console, which is shown in Figure 5. The console offers a centralized administration to manage everything in the system, such as domains, users, tokens, security policies, authentication protocols, logging, cryptographic keys, and high availability.
High capacity
Each authentication server (DSX-100) can handle the following capacity of authentication requests:
100 E2E authorizations/second (RSA 1024)
300 OTP authorizations/second
Support for 5,000,000 users
For better performance, the Total Authentication Solution can be scaled horizontally to up to six servers, enabling it to handle the following increased capacity of authentication requests:
400 E2E authorizations/second (RSA 1024)
1600 OTP authorizations/second
Support for 25,000,000 users
High availability
The authentication server can be configured for high availability (HA), back-up, or disaster recovery. This type of configuration is called HA clustering. To configure the authentication server in HA clustering mode, you need at least two servers, a primary and a secondary. The HA clustering mode can support up to six servers in every site: one primary authentication server, one secondary authentication server, and up to four horizontal scaling (HS) servers. All the servers are connected to the database of the primary server. If the primary server goes down, the secondary server is promoted as the primary server, and all the HS servers are connected to the secondary server.
This configuration is depicted in Figure 6.
Figure 6 High availability
Comprehensive audit logging
The authentication server stores the system logs, such as audit logs and error logs, for monitoring and troubleshooting purposes. You can designate external servers for logging, or
about user authentications and access information, whereas the error logs contain useful information about all kinds of errors in the system.
Highly secure architecture
The authentication server is a highly secure appliance that is built to protect the security and integrity of the assets of the organization. The following list provides some of the security features:
A smart card is required to initialize, start, and shut down the authentication server. If you lose the smart card, you must reinitialize the server.
When a client API connects to the authentication server, public key certificates are exchanged between the client application and the authentication server for mutual authentication.
Communication between the web administrator (by using the browser-based GUI) and the authentication server is encrypted with SSL.
A packet filtering firewall is embedded with the authentication server to control inbound traffic.
Two-factor authentication is required for logging in to the authentication server through the browser-based GUI.
All the keys and passwords that are stored in the database are encrypted with a master key stored in the HSM. If there is physical tampering, all the keys that are stored in the HSM are erased.
Solution scenarios
The IBM Total Authentication Solution is a flexible E2E security solution that can protect your current investments by integrating with your existing identity and access management solutions.
The Total Authentication Solution is Tivoli and IBM Security Ready. The tool integrates with IBM products such as IBM Security Access Manager for Web, IBM Security Identity Manager, and IBM Security Access Manager for Enterprise Single Sign-On.
It also integrates with other IBM and third-party solutions to provide a complete security solution that meets your business requirements, as depicted in Figure 7 on page 14.
Figure 7 IBM Total Authentication Solution in a typical enterprise
Some common use cases are illustrated in the following sections.
B2C or B2B services
Many companies, banks, and government organizations provide business-to-consumer (B2C) and business-to-business (B2B) services through the Internet.
For example, a retail company offers a B2C online store to allow its customers to log on to the store, check the catalog, and purchase items directly from the web. The same company offers B2B sites to its resellers so that they can log on to its site, order products, or check the status of an order from the web.
Most of these sites are hosted on back-end application servers, such as IBM WebSphere Application Server. When a user logs in to a web server to access the online site of a company, the front-end web server forwards the request to the correct application server for further processing. The receiving application server authenticates the user name and password against the master database. If the authentication is successful, the user is allowed to access the online sites and the related applications.
Although these systems implement many security measures into their application servers, they do not offer strong protection against unauthorized access or misuse of confidential user data, and are not compliant with the standard regulations.
The retail company needs one system that can authenticate both B2B and B2C customers by using different tokens and authentication mechanisms concurrently.
Remote login to corporate network
With decentralized corporate governance, 24x7 work environments, and a globalized workforce, employees, business partners, and contractors today need access to various assets and databases from different parts of the world. The remote access request might come from virtual offices that are set up in homes, or public places such as coffee shops, malls, and airports.
To stay competitive and productive, the organizations must provide secure and high-performing connections to their mobile workforce, so that they can access the corporate networks from any remote location, at any time of the day.
Many organizations provide remote access through the SSL VPN over existing Internet connections. An SSL VPN gateway is the primary method that is used to authenticate users by using a web browser and the RADIUS protocol. Although SSL VPN can be fairly effective in protecting the virtual networks, it does not provide strong authentication at the remote end of the SSL VPN network. Simple authentication methods that are based on static passwords are extremely vulnerable to sniffing attacks, man-in-the-middle attacks, keystroke loggers, viruses, and other exploits, especially when the remote computer is shared with the public. With public computers, organizations need strong authentication solutions that safeguard their systems and assets through better access control, a wide range of authentication methods and tokens, and can scale in the future.
Administrator access to file and database servers
In an organization, the system administrators routinely log in to the system servers and databases for configuration, maintenance, and backup purposes. They are granted special privileges that allow them to access and modify the databases, file systems, and other critical company assets. Windows password authentication is still the most common method for network and system authentication.
For security reasons, organizations must adopt strong authentication solutions that can mitigate the risk of unauthorized access through privileged user accounts, and reduce the overall system vulnerability.
Automatic user provisioning and de-provisioning
When a new employee joins an organization, the HR department creates a user profile in their database to provision a user. This record is then populated to many other systems within the organization, and maintained in a synchronized state until the user leaves the organization. When the user leaves the organization, all instances of the user profile are deleted from all the systems, leading to de-provisioning of the user.
Every time there is a change in the user profile, the change must be propagated to all the databases that contain that user profile. This step can require extended effort, especially for IT staff, who must manually update these records in all the systems and databases.
The organization needs a user provisioning system that allows IT administrators to streamline provisioning by creating automated workflows, while providing strong authentication and access control.
Web enterprise single sign-on
Many organizations deploy a web enterprise single sign-on solution to simplify password management for their users and help desk personnel. This solution provides automated sign-on and sign-off functionality that is based on the initial logon, and helps to achieve regulatory compliance. Because the automated logins are based on user credentials that are provided during the initial login, these organizations risk exposing all of their systems to attackers if the initial login is not authenticated stringently.
It is imperative that these organizations secure the initial user login through means of strong authentication.
Business challenges and solution
The typical challenges that are faced by the organizations in the preceding use cases, and the solutions that are provided by the Total Authentication Solution, are described in Table 1.
Table 1 Solutions that are provided by the IBM Total Authentication Solution

Challenge: The organization uses a one-factor authentication method at the moment (user ID and password).
IBM Total Authentication Solution: The organization can migrate to a two-factor authentication method by adopting any of the tokens that are supported by the solution.

Challenge: The current delivery channels, for example an SSL network, are not secure.
IBM Total Authentication Solution: The Total Authentication Solution provides E2E encryption of passwords so that the password is never exposed during authentication.

Challenge: The current authentication database is not secure.
IBM Total Authentication Solution: All authentication data, including passwords and secret keys, is hash encrypted in a centralized database, and the encryption key is stored in the FIPS-certified HSM.

Challenge: The organization needs 2FA to comply with security regulations. However, it is not easy to add 2FA to their existing systems.
IBM Total Authentication Solution: The Total Authentication Solution validates different kinds of OTP and PKI for 2FA, and is compliant with many country-specific and industry-specific regulations.

Challenge: The organization uses a custom web application environment for some logins, and IBM Security Access Manager or IBM WebSphere Application Server based access management for other logins.
IBM Total Authentication Solution: The Total Authentication Solution can integrate with IBM Security Access Manager and WebSphere Application Server products, as shown in Figure 7 on page 14. For custom web environments, the Total Authentication Solution provides APIs for a more seamless integration.

Challenge: The B2C customers and B2B business partners need different levels of access. The organization needs one authentication system that can handle user segregation.
IBM Total Authentication Solution: The Total Authentication Solution offers multiple domains to segregate groups of users. Each domain has its own security policy, and is managed by a different administrator.

Challenge: The new authentication system must be able to handle large numbers of users and concurrent sessions, and must be fast enough for many kinds of services.
IBM Total Authentication Solution: The Total Authentication Solution can handle many authentication requests: 100 E2E authorizations/sec (RSA 1024); 300 OTP authorizations/sec; support for 5,000,000 users.

Challenge: The organization wants to use a centralized management system for usability and consistency reasons.
IBM Total Authentication Solution: The Total Authentication Solution offers a web-based GUI to centrally manage all the domains, groups, users, tokens, and policies.
Authorization
Most of the financial and government organizations allow high-value transactions over the Internet, for example, money transfer or change of personal information. However, during these transactions, attackers can carry out a man-in-the-middle attack, and alter critical transaction details like amount and beneficiary, or user particulars, causing significant losses to the user and organizations. These frauds cannot be prevented through strong authentication alone; each online transaction must be individually authorized by the system to reduce the risk of losing money.
An out-of-band authentication method, or additional authentication method that is cryptographically different from the normal authentication mechanism, can be used to authorize a transaction. To provide added security against attackers, it is important to use an authentication mechanism that is different from the normal 2FA. This principle is depicted in Figure 8.
Figure 8 Transaction authorization
The Total Authentication Solution can help your organization authorize high-value transactions by implementing this layered security through the following devices:
A tamper-proof, secure device that contains a trusted reader and a secure keypad
When the user initiates a transaction, the IBM Total Authentication Solution securely transfers and displays the transaction details on the trusted reader of the device. If the user approves the information through the secure keypad on the device (a digital signature), the transaction is authorized. The Total Authentication Solution supports many kinds of tokens for this type of transaction authorization.
A mobile phone
When the user initiates a transaction, the Total Authentication Solution can dynamically send a confirmation request SMS to the user with the transaction details and a numeric authentication code. If the user approves the confirmation request by entering the same authentication code, the transaction is authorized.
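The SMS confirmation flow above can be tied to the transaction details so that a code the user approved for one beneficiary and amount cannot authorize an altered transaction, and cannot be replayed or used after it expires. The following is an added example, not code from the IBM Total Authentication Solution or DS3; it assumes a server-side HMAC key, a constructed transaction schema, and a hypothetical TransactionAuthorizer class.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    """Fields a man-in-the-middle would want to alter (constructed schema)."""
    tx_id: str
    account: str
    beneficiary: str
    amount_cents: int


class TransactionAuthorizer:
    """Server side of the SMS confirmation flow (hypothetical helper, not DS3 code)."""

    def __init__(self, server_key: bytes, ttl_seconds: int = 180, now=time.time):
        self._key = server_key      # stays on the server (an HSM in a real deployment)
        self._ttl = ttl_seconds
        self._now = now             # injectable clock so expiry can be tested
        self._pending = {}          # tx_id -> (nonce, expiry timestamp)

    def _code_for(self, tx: Transaction, nonce: bytes) -> str:
        # The 6-digit code is derived from the transaction details, so it is
        # only valid for exactly this account, beneficiary and amount.
        fields = f"{tx.tx_id}|{tx.account}|{tx.beneficiary}|{tx.amount_cents}".encode()
        digest = hmac.new(self._key, nonce + fields, hashlib.sha256).digest()
        return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

    def initiate(self, tx: Transaction) -> str:
        """Record the pending transaction and return the SMS text sent out of band."""
        nonce = secrets.token_bytes(16)
        self._pending[tx.tx_id] = (nonce, self._now() + self._ttl)
        amount = f"{tx.amount_cents // 100}.{tx.amount_cents % 100:02d}"
        # The user sees the real details on the phone and refuses to enter the
        # code if they differ from what was typed into the browser.
        return (f"Confirm transfer of {amount} from {tx.account} to {tx.beneficiary}. "
                f"Code: {self._code_for(tx, nonce)}")

    def authorize(self, tx: Transaction, entered_code: str) -> bool:
        """tx is the transaction the back end is about to execute."""
        entry = self._pending.pop(tx.tx_id, None)   # single use: any second attempt fails
        if entry is None:
            return False
        nonce, expires = entry
        if self._now() > expires:
            return False
        # Recompute over the transaction that will actually run. If anything was
        # altered between confirmation and execution, the code no longer matches.
        expected = self._code_for(tx, nonce)
        return hmac.compare_digest(expected, entered_code)


def code_from_sms(sms: str) -> str:
    """Extract the code from the SMS text (what the user types back)."""
    return sms.rsplit("Code: ", 1)[1]
```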
IBM Total Authentication Solution: Key differentiators
Take a closer look at some of the key differentiators for the IBM Total Authentication Solution:
Flexibility
The Total Authentication Solution supports an extensive selection of existing tokens and many combinations of first and second factor tokens. This feature allows organizations to choose different modes of authentication for different use cases, which are based on risk profile, usage pattern, and user preference.
Cost-effectiveness
The Total Authentication Solution can integrate with existing systems and infrastructure through standard protocols like RADIUS, LDAP, and Java APIs. Thus, organizations can use existing directories, access management tools, user provisioning tools, single sign-on (SSO) middleware applications, and other administration tools to enhance the security of their network while they protect IT investments.
The wide choice of tokens allows an organization to choose a low-cost token and reduce the upfront costs that are associated with the deployment and maintenance of tokens. The administrative console effectively reduces the overall IT costs by providing centralized management for super administrators.
Highly secure
The Total Authentication Solution provides enhanced security through 2FA and E2E encryption of passwords. All authentication data, including passwords and secret keys, is hash encrypted in a centralized database, and the encryption key is stored in a FIPS-certified HSM. Also, access to the Total Authentication Solution and the system is controlled by a combination of security measures which make it virtually tamper-proof.
Compliant with regulations
The Total Authentication Solution is compliant with many of the industry-specific and government regulations, for example, FFIEC in the US and IBTRM (MAS) in Singapore. For more information about how the IBM Total Authentication Solution can help you comply with regulations, see the following website:
http://ds3global.com/index.php/en/news-a-events/news/172-ds3-authentication-regulations-compliance
Future ready
The Total Authentication Solution is designed to accommodate technological improvements, new tokens, business expansion, and evolving security needs. If a business expands, it is not forced to adopt any particular authentication method or token, but is free to select the most appropriate solution for its new business. This flexibility means that, if required, the business can adopt a new token or authentication method without worrying about the current choice. Similarly, if a business adds new users and wants to continue using its current tokens, the Total Authentication Solution allows for the sharing of tokens with multiple users. This feature reduces the costs that are associated with the tokens.
Easy-to-use administrative console
The browser-based GUI offers a centralized administrative console that is used by the super administrator to control the system, and manage the groups, policies, domains, tokens, and other attributes of the system.
Proven credibility in industry
With cutting-edge technologies, best practices and a strong base of dedicated and skilled professionals, IBM has successfully implemented the Total Authentication Solution in various organizations in over 20 countries. The deployed base ranges from small organizations with just 100 users, to large banks with more than a million active users. DS3, the vendor that developed the main component of the solution, the authentication server, was placed in the Visionaries quadrant in the 2012 Gartner Magic Quadrant for User Authentication.
Summary
Strong user authentication is vital for the security and integrity of sensitive data.
Organizations can no longer afford to rely on simple user name and password combinations to authenticate a user. With a plethora of authentication solutions available in the market, each with its own strengths and weaknesses, the organizations must balance their security needs with other requirements. Some of these considerations are reliability, cost, ease-of-deployment, manageability, and flexibility of the solution.
The IBM Total Authentication Solution is the leading cost-effective authentication solution that provides strong 2FA capability and E2E encryption for Internet-based transactions. The solution authenticates millions of users every day, authorizes remote access and transactions, and protects confidential data from fraudulent attacks. The Total Authentication Solution is used by many organizations in government, finance, and corporate sectors, which is a testimony to the high reliability and flexibility of the solution.
For a news release about the position of DS3 in the Gartner report, see this website:
http://ds3global.com/index.php/en/news-a-events/news/187-data-security-systems-solutions-ds3-positioned-as-a-visionary-in-magic-quadrant-for-user-authentication
Other resources and more information
For more information about Total Authentication Solution, contact IBM or the IBM Business Partner DS3 by using any of the following contact methods:
URL http://www.ds3global.com
Email [email protected]
Phone +65 64795688
Fax +65 64795488
The team who wrote this guide
This guide was produced by Data Security Systems Software (DS3) working with the IBM International Technical Support Organization (ITSO).
Axel Buecker is a Certified Consulting Software IT Specialist at the IBM ITSO, Austin Center. He writes extensively and teaches IBM classes worldwide about areas of software security architecture and network computing technologies. He has a degree in Computer Science from the University of Bremen, Germany. He has 26 years of experience in various areas that are related to workstation and Systems Management, network computing, and e-business solutions. Before he joined the ITSO in March 2000, Axel worked for IBM in Germany as a Senior IT Specialist in Software Security Architecture.
Aditi Mukherjee is a Technical Writer at DS3, Singapore. Before joining DS3, Aditi worked in Philips Electronics in Singapore as Lead, Technical Communications; Consumer Electronics division. She holds an MS (Computer Science) degree from the University of Texas and has more than 15 years of varied experience in IT. She started her career in 1997 as a software development engineer, and worked in telecom companies such as Alcatel and Motorola in the US to develop mission-critical software. After some time as an engineer, she moved to technical writing in 2005 to follow her personal goals. Her areas of expertise include software engineering, telecommunications, mobile applications, consumer electronics, and data security. She writes extensively on consumer electronics and telecommunications.
Thanks to the following people for their contributions to this project:
Teik Guan Tan, CEO; DS3, Singapore
Jeremy Ng, VP, Product; DS3, Singapore
Ryan Dougherty, Senior Managing Consultant, IBM US
Mari Heiser, Master Infrastructure Architect, IBM US
I-Lung Kao, Security Product Manager, IBM US
Notices
This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing, IBM Corporation, North Castle Drive, Armonk, NY 10504-1785 U.S.A.
The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.
COPYRIGHT LICENSE:
This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs.
This document, REDP-4891-00, was created or updated on January 17, 2013.
Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. These and other IBM trademarked terms are marked on their first occurrence in this information with the appropriate symbol (® or ™), indicating US registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at
http://www.ibm.com/legal/copytrade.shtml
The following terms are trademarks of the International Business Machines Corporation in the United States, other countries, or both:
IBM® Redbooks® Redguide™ Redbooks (logo) ® Tivoli® WebSphere®
The following terms are trademarks of other companies:
Linux is a trademark of Linus Torvalds in the United States, other countries, or both.
Microsoft, Windows, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
Java, and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.
Other company, product, or service names may be trademarks or service marks of others.