Date posted: 08-Jun-2015
Category: Technology
Uploaded by: kuwait-computer-services
A Total Physical and Logical Security System
Total Physical and Logical Security System
• Key Advantages of the ActivIdentity ActivID Product Family
– Single Smart Card for all employees for both Physical and Logical Access
– Single Vendor (HID) (ActivIdentity is now a part of HID) for the whole Physical and Logical Access control cards
– HID Cards and Readers for Physical Access Control (PACS)
– ActivIdentity CMS for Card Management and Logical Access Control (LACS)
– Native integration with PACS (Physical Access Control System) (Lenel OnGuard)
– PIV capabilities that provide a solution without end user deployment requirements
– Leverage existing ActivIdentity software already in place with ActivIdentity SecureLogin (SSO)
So why did HID Global acquire ActivIdentity?

Evolution of Building Access Control
[Figure: timeline of building access credentials: Face, Key, Card, Virtual Credential. Convergence with logical access control: Passwords, Tokens. Physical / logical convergence starts here.]
© 2010 HID Global Corporation, an ASSA ABLOY Group brand
One Card
• gets you into the building
• logs you onto your computer
• logs you into the applications you need to do a day's work
and not a password in sight
Complete Integrated Security Solutions Overview Diagram
[Diagram: Security Convergence. Physical Access: HID Proximity Cards and Readers. Logical Access: Laptop Contactless Smartcard Reader, Windows SmartCard Logon, Secure PKI Credentials, Secure Digital Signature Credentials.]
Single Card for Physical and Logical Security (Windows)
[Diagram: Physical Access Control System (PACS) with Card Readers and Proximity / Contactless Cards; Logical Access with ActivIdentity USB Reader, Laptop Contactless Smartcard Reader, Single Sign On (SSO), Logical Card Management System, Smart Card Authentication Client (Optional) / Windows 7 PIV Authentication.]
• CMS Native integration with Lenel OnGuard
• Dual/Triple Factor Authentication
• Single Vendor (HID) for the whole Physical and Logical Access control
• PIV capabilities that provide a solution without end user deployment requirements
ActivIdentity ActivID Card Management System How It Works
[Diagram: ActivIdentity Solutions. The ActivIdentity ActivID Card Management System at the centre, with the ActivIdentity 4TRESS AAA Server; back-end connections to LDAP, CA, HSM, database and IDM; actors: employee, operator, badging, help desk, self service; services: logical access, physical access (PACS), digital signature, encryption.]
Internal Use © 2011 ActivIdentity
Smart Card Readers
Fingerprint and Contactless Smartcard Reader
For the embedded readers included in Dell computers, all that is needed is a PC/SC compliant reader that is compatible with the ISO/IEC 7810 and 7816 standards and with Java Card.
Card Reader
• ActivIdentity USB Reader Version 2 or Version 3
• ActivIdentity PCMCIA Reader Version 3 (SCR 243)
• OMNIKEY 3021 USB
• OMNIKEY 3121 USB
• OMNIKEY 4040 Mobile PCMCIA
• OMNIKEY 4321 Mobile ExpressCard 54
• OMNIKEY 5321 USB (contact and contactless)
• Precise Biometrics MC200 Fingerprint and Smart Card Reader
• Precise Biometrics MC250 Fingerprint and Smart Card Reader
HID/ActivIdentity Smart Cards: Your Logical Choice
• Replace the need to issue and manage multiple security mechanisms, including the following:
– Photo ID badges for physical identification
– Proximity cards for building access
– One-time password tokens for remote access
– Passwords for workstation access and application access
• Organizations achieve tremendous cost and productivity efficiencies in implementing smart cards due to their multi-purpose capabilities
ActivIdentity Smart Card
The Benefits of Integrating Physical and Logical Security
Reduce Costs
Integrating logical security with the physical access control system (PACS) can be accomplished through a single smart card that ensures security and reduces the resources needed to issue, manage and support multiple devices. An integrated system eliminates duplication, reduces management resources and increases employee productivity across the board.
Increase Security
By combining physical and logical security credentials on a single card, employees are much more likely to use it to achieve the desired security benefits. For example, if an employee must use their card to access their PC and network resources, they may simply leave the card inserted at all times. However, if that same card must also be used to gain access to buildings or doors within the office, they will be much more likely to keep the card with them, which means the PC is secured when they are not present.
The Benefits of Integrating Physical and Logical Security
Improve Employee Usage
The more difficult a security system is to understand and use, the less likely employees are to use it. They may leave access cards on their desk when they go to lunch, making those cards an easy mark for theft and, in turn, compromising the company's security system. Or they may leave a card at home, resulting in a call to the help desk for access. One card, with one PIN to remember, not only makes a company more secure, it also improves usage by employees, which is a critical element of a secured external and internal environment.
The Business Needs Driving Integration
Smart Card
Integrating logical security with the physical access control system (PACS) can be accomplished through a single smart card that ensures security and reduces the resources needed to issue, manage and support multiple devices. An integrated system eliminates duplication, reduces management resources and increases employee productivity across the board.
Consistency
Integrated deployments increase overall security by eliminating the confounding array of multiple devices that many organizations employ. A single card system integrating physical and logical security provides consistency between the physical and logical access control systems. Security management systems (issuance and lifecycle management) are consolidated, reducing the possibility of errors and breaches, while ensuring employee identification and access protocols and privileges.
The Business Needs Driving Integration
Single Interface
The day-to-day physical and logical security operations (issuance and lifecycle management) can be deployed through a single interface, ensuring that logical and physical access are terminated or suspended in a single operation, removing the risk of errors so common in separate processes and systems.
Flexibility
Advanced integration tools can be adapted to meet a wide range of security department scenarios. Integration can occur within two security departments, within synchronized security departments or within one merged security department.
Today’s Integrated Solutions
Synchronized Card Management Deployment
For companies that have a synchronized security department (or plan to), the ActivIdentity-Lenel Synchronized Card Management Deployment is the solution. Physical and logical security is managed by one department, which issues a smart card. The Lenel OnGuard solution issues the card and declares card lifecycle changes, including replacement, suspension and revocation, and automatically interacts with ActivIdentity ActivID CMS for logical access.
This approach adds full integration and interoperability of the security applications and the management console.
Confidential © 2009 ActivIdentity
ActivIdentity ActivID Card Management System - Overview
What is a Card Management System?
A card management system enables organizations to securely deploy and manage smart cards and USB tokens containing a variety of credentials, including public key infrastructure (PKI) certificates, one-time passwords, static passwords, biometrics, demographic data, and virtually any other application.
ActivIdentity ActivID Card Management System Product Description
• With ActivIdentity ActivID Card Management System organizations can manage, throughout their entire life cycle, their
– authentication devices
– data (static passwords, biometrics, and demographic data)
– applets
– digital credentials
• Issue and personalize authentication devices
• Manage the authentication device and its credential life cycle (automatic certificate renewal request, automatic card updates)
• Manage PINs (help desk or self-help driven)
• Manage 4TRESS server credentials
• Manage users
In its fullest use case, it becomes a “smart employee ID card” for both logical and physical access control.
ActivIdentity ActivID Card Management System Use Cases
• Logical access control
– Workstation and network access
– Remote access for mobile employees and home based workers
– Applications access for employees, business partners and suppliers
– Web Email access without VPN access (Outlook Web Access)
• Physical access control
– Facility access
• Digital signature
– Secure transactions via digital document signature
– Secure collaboration with digital email signature
• Encryption
– File encryption for data-at-rest
– Disk encryption for data-at-rest
ActivIdentity ActivID Card Management System Key Features
• Global Platform support allowing the best security level available on the market
• PKCS#11 support
• Java Card oriented - supports the main card vendors
• Multiple CA support
• Automatic Certificate Renewal
• External Identity Repository relying on LDAP
• Adaptive End User Help Desk Portal (Globalized)
• Extended API allowing product customization and third party integration
• Existing third party connectors to PKI and provisioning solutions
• End user oriented card lifecycle management system
– Policy defined for each state: new card, replacement card, temporary card
• Synergy with ActivClient eases the end user experience
• Integration with 4TRESS servers to allow OTP support on the card
• Batch management system and Logistic management modules
Architecture
High Level Architecture
[Diagram: ActivIdentity Solutions. The ActivIdentity ActivID Card Management System at the centre, with the ActivIdentity 4TRESS AAA Server, the ActivIdentity ActivID Key Management System and the ActivIdentity ActivID Batch Management System; back-end connections to LDAP, CA, HSM, database and IDM; actors: employee, operator, badging, help desk, self service; services: logical access, physical access, digital signature, encryption.]
CMS Secure Issuance and Lifecycle Management - Simplified
[Diagram: CMS Operator -> ActivIdentity Card Management System (with HSM), connected to the Certificate Authority / PKI Server, the LDAP User Directory and the ActivIdentity AAA Secure Remote Access (OTP) server; credentials placed on the card: PIN, PKI, OTP.]
CMS: Distributed Card Issuance over Unsecured Network (Details)
[Diagram: an Issuance Station running ActivIdentity ActivClient connects over SSL v3 to the ActivIdentity ActivID Card Management System (with the ActivIdentity 4TRESS AAA Server and the LDAP, CA, HSM, database and IDM back ends). The blank card arrives protected with the Manufacturer Keyset, which is loaded during the Key Ceremony; the CMS opens a Secure Channel to the card and loads the Customer Keyset generated using the KMS, after which the card is protected with the Customer Keyset. Applets on the card before and after issuance: PIN applet, OTP applet, PKI applet, Generic Container applet.]
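As an added example (not part of the original deck and not ActivIdentity product code), a toy Python model of the issuance flow shown above: the card ships protected with a keyset diversified from the manufacturer master key, the CMS opens an authenticated channel using that keyset, loads a customer keyset derived from the KMS master, and from then on the manufacturer keyset no longer opens the card. HMAC-SHA256 challenge-response stands in for the GlobalPlatform secure channel's 3DES cryptograms; the master keys, serial numbers and derivation labels are constructed.

```python
import hashlib, hmac, secrets
# Constructed master keys standing in for the HSM-held manufacturer keyset (loaded
# at the key ceremony) and the customer keyset generated by the KMS.
MANUFACTURER_MASTER = hashlib.sha256(b"constructed manufacturer master").digest()
CUSTOMER_MASTER = hashlib.sha256(b"constructed customer master").digest()

def derive_card_keyset(master_key, serial):
    """Diversify a per-card keyset from a master key and the card serial number."""
    return hmac.new(master_key, b"CARD-KEYSET|" + serial, hashlib.sha256).digest()

def host_cryptogram(keyset, challenge):
    """Proof that the host knows the card's keyset (HMAC stands in for the 3DES MAC)."""
    return hmac.new(keyset, b"HOST|" + challenge, hashlib.sha256).digest()

class ToyCardManager:
    """Simplified card manager: one keyset, challenge-response before any PUT KEY."""
    def __init__(self, serial, keyset):
        self.serial, self._keyset = serial, keyset
        self._challenge, self.authenticated = None, False

    def initialize_update(self):
        """Card returns its serial and a fresh challenge; any open session is dropped."""
        self._challenge, self.authenticated = secrets.token_bytes(8), False
        return self.serial, self._challenge

    def external_authenticate(self, cryptogram):
        """Card checks the host's response against the keyset it currently holds."""
        expected = host_cryptogram(self._keyset, self._challenge or b"")
        self.authenticated = self._challenge is not None and hmac.compare_digest(expected, cryptogram)
        self._challenge = None  # one challenge, one answer: no replay
        return self.authenticated

    def put_key(self, new_keyset):
        """Replace the card manager keyset; only allowed inside an authenticated channel."""
        if not self.authenticated:
            raise PermissionError("secure channel not open")
        self._keyset, self.authenticated = new_keyset, False  # rekeyed: old channel closes

def open_channel(card, master_key):
    """CMS side: derive the card's keyset from the master key and answer the challenge."""
    serial, challenge = card.initialize_update()
    return card.external_authenticate(host_cryptogram(derive_card_keyset(master_key, serial), challenge))

def issue_card(card):
    """Rotate a blank card from the manufacturer keyset to the customer keyset."""
    if not open_channel(card, MANUFACTURER_MASTER):
        return False
    card.put_key(derive_card_keyset(CUSTOMER_MASTER, card.serial))
    return True
```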
Technical Overview of a Java Card Layout
[Diagram, bottom to top: Card Hardware and Operating System; Java Card OS API 2.x; Global Platform 2.x (secure management layer) containing the Card Manager, PIN Mgt. and Secure messaging to the CMS server. Applets and data in the Logical Security domain: Generic Container (static password data, token keys), PKI (certificates and key pairs), OTP. Financial Security domain: EMV, VSDC. Secure Card Management is based on the Card Manager Keys (controlled by the HSM used by CMS).]
Example Architecture
[Diagram: CMS Server with CMS Database and HSM; Web Client (Operator) and Web Client (Self-Service); Directory Server; Certificate Authority; 4TRESS AAA Server for Remote Access.]
Look and Feel
End User Notification Example
• With ActivID CMS 4.2 and ActivClient 6.2, the automated process means a higher success rate
– On card insertion, ActivClient checks for card update requests available in ActivID CMS for the inserted card
– When updates are available, ActivClient starts the End User Self Desk

Automatic Card Update with ActivID Card Management System
• Do not use the card, remove the card or lock the screen until the update completes
• Remove and re-insert the smart card when prompted to do so
– Microsoft Windows and ActivClient are made aware of the updated card content
ActivIdentity and Lenel Solutions
Synchronized Card Management Deployment

Information & Sales Partner
For demonstration and sales enquiries in Kuwait please contact:
Musaad Al-Saleh Bldg., Soor Street, Al-Sharq, Kuwait
P.O. Box: 5113, Safat 13052, Kuwait
TEL: (+965) 2241 7966/5/7
FAX: 22459019
WEB: www.kcs.com.kw
EMAIL: …@kcs.com.kw