




Identity, Credential, Access Management and Versatile Authentication Solutions
i-Sprint Product Overview
DESIGNED, ARCHITECTED AND BUILT BY GLOBAL BANKING PROFESSIONALS
Trust without Boundaries

Topics
- i-Sprint introduction and technical overview
- i-Sprint Products Overview
- User Administration and Provisioning (UIM)
- Versatile Authentication System (UAS)
- Unified SSO Platform (USSO)
- Unified Access Control and Authorization (UAM)
- Password Management for Shared & Privileged Accounts (UCM)
- YESSafe Solutions
- Summary

Technology Overview, i-Sprint Products, AccessMatrix, YESsafe, Summary

About i-Sprint
We design and build niche enterprise-class Credential Management & Versatile Authentication products to secure access to private and confidential information.
i-Sprint Innovations, IAM Solutions, Clients

Technology Overview

World Class Identity and Security Management Solution Provider
- Mobile Authentication & Authorization
- Data Protection
- Cloud Protection
- Mobile Protection
- Identity Protection
- Only Asian ICAM Vendor featured in Gartner Reports
- 30 million Enterprise Users
- Protecting over US$10 Trillion of total asset value
- Proven Technology: successful implementations in 150 customers including world leading financial institutions
- 100% owned IPs with patented technology
- Complete suite of ICAM/IDM on-premises & cloud offerings
- To prevent frauds in cloud, mobile & enterprise environment
- Enterprise Identity & Security Management Software & Services
- Mobile Identity & Security Solutions
- Mobile Identity
- Counterfeit Detection

Our Security Technology Focus & Future: A-B-C-D-E
- Authentication: to positively verify the user's claimed identity
- Biometrics: to achieve higher identity assurance
- Cloud: to enforce the same security standards in the cloud as in the internal corporate environment
- Device for Mobility: to provide the security for users to access corporate information via their mobile devices conveniently
- End to End Encryption: End to End Encryption for credential and data protection to prevent internal fraud and data leakage

Technology Development

Next Generation Identity and Access Management Infrastructure
- Mobile, Tablet
- Customers, Employees, Partners, Visitors, Consumers
- SOAP, SAML, OAuth, WebServices, OpenID Connect: 100% Standard Based
- Using any Identity Authority and Authentication Methods
- On Any Device
- Accessing any Network, Apps or Physical Resources
- Account Access Provisioning for any user

i-Sprint's Overall Differentiators (1/2)
- The only truly integrated IAM solutions to save at least 50% of project implementation time
- Built-in Fine Grain and Customizable Administration Delegation Model for large enterprises and organizations with complex administration structure, SaaS & Cloud services providers
- Embed Best Security Practices to avoid the internal threats associated with the Super User and do away with the cumbersome compensating controls
- Out-of-the-box Integration with FIPS certified Hardware Security Module (HSM) as standard product features to support secure key management and end to end confidentiality protection

i-Sprint's Overall Differentiators (2/2)
- Bank Graded Security design with many successful deployments in over 50 reference-able world class ranking global and regional financial institutions including:
  - 3 out of the top 10 banks in the World
  - 3 out of the top 5 Chinese banks
- Our own unique IP: extensible and future proof Pluggable Authentication Module (PAM) to support all authentication methods in the market
- Proven Compliance track records with financial regulatory agencies in last 10 years with 100% success rate for all our clients

Flexible Administration Model
Administrators and security policy can be defined at any level of the hierarchy using inheritance. Benefits: allows both centralized and decentralized control and allows the model to be changed easily.
Segmented Hierarchy-based Policy-driven Model with Granular delegation

Pluggable Authentication (PAM) & Authentication Realm
AxMx Engine supports multiple directories, multiple factor and multiple steps authentication methods
- Active Directory, LDAP, RADIUS, Kerberos, NTLM, E2EEA, Web token
- Pluggable Authentication Module: One Time Password, ID Password, PKI Digital Cert, Open Interface, Knowledge Based, Out of Band
- Authentication Realm (Multi-Step Authentication Flow): Questions & Answers, Pictures, Matrix Card, EMV-CAP
- Integration, Access Manager, Biometrics

Products & Solutions Offerings
- Identity Protection
- Data Protection
- Cloud Protection
- Mobile Protection

AccessMatrix & YESsafe Product Suite
Identity, Credential Management and Versatile Authentication Solutions for End to End Protection of Identity and Critical Data
- Enterprise, Cloud and Mobile Applications
- Mobile Security

Value Propositions
- User Administration and Provisioning
- Versatile Authentication System
- Unified SSO Platform
- Unified Access Control and Authorization
- Common Application Security Platform
- Centralized IAM & IDM Platform

AccessMatrix Universal Identity Manager (AxMxUIM)
- Comprehensive enterprise identity management and access control administration system for various applications, operating systems, databases and security registries, based on AccessMatrix technology, for both on-premises and cloud based environments
- Uses a policy-driven approach to manage default access to the company's various IT resources based on users' organizational roles, and allows users to submit ad-hoc access requests subject to management approval
- Offers self service, customizable workflow, automated user provisioning, automatic role management, automated access certification, and automated password reset tools, which mean dramatic reductions in IT operating cost and implementation

User Life Cycle Management

UIM Logical Components
- Target Systems
- OTB Connectors & Connector Framework
- IDM Services: Audit & Compliance, Provisioning, Reconciliation, Role Management, Resource Management, Administration Delegation, Self Service, Request Management
- UIM Platform: Entitlement Policy Mgt, SOD Policy Management, Workflow Management

- Business role based policy management, simplifying the (complex) management of access for personnel and system resources
- Expanding multi-dimension role modelling and enhancing business friendliness
- Comprehensive user lifecycle management, automated provisioning and access removal
- Auto detection and data-mining for ghost accounts, thereby increasing compliance and lowering the risk of intrusion
- Provide time-sliced, multi-dimensional, real time auditing and compliance control with ability to do self rectification
- Well designed self service and delegation function, lowering management cost

UIM Basic Operation Model
User, Target Resource and access, Business Role

Concepts of UIM

Core Identity Management Processes
- Provisioning Process (Request-based, Role-based)
- Request Approval Workflow Process
- Reconciliation Process
- Attestation/Recertification Process

Provisioning
Diagram labels: Target Resource; UIM Global User; ERP System (Account + Role + Access); Entitlement Policy (Condition, List of resources); Directory System (Account + User group); Trusted Source; Automatic Provisioning based on Entitlement Policy
- Automatic Provisioning: when a global user account is being created or edited, an account and its access to the target resource will either be created or revised according to the entitlement policy.
- Manual Provisioning: System Admin can directly assign access rights on the target resource to the UIM user.

Reconciliation
- Synchronization with the target resource on user, access right and other info in the data warehouse of the target resource; data mining for ghost accounts.
- Synchronization with the trusted source, mainly used for automatic access to user data and changes in its identity lifecycle.
Diagram labels: Target Resource; Trusted Source; UIM Global User; HR System (Full Time Employee Information); ERP System (Account + Role + Access Permission); Resource 1; Resource 2; Directory System (Account + User group); CRM System (Business Partner User Information); Scheduled Task; Connector

Attestation
Diagram labels: System Admin; Auditor; Audit Plan (Target Resource, Scope of user, Reviewer, Execution time and frequency); Schedule Task
- Create schedule task or execute immediately
- Generate and send proof of execution to reviewer
- Workflow: detail record on access allocation
- Reviewer checks detail
- Automated rectification or adjustment of business system access
- Generate compliance audit report
- Pass audit / Fail audit

Reference Cases
- China Centralization Authentication for VPN: AccessMatrix Software has been deployed in China to provide user provisioning to AD system for 700,000 of their employees globally
- Centralized User Provisioning and Administration System: AccessMatrix UIM Software has been deployed in Bank of China Insurance to support their centralized user management activities for all applications in their organization

AccessMatrix Universal Authentication Server (AxMxUAS)
- A versatile authentication server enables organizations to unify multiple authentication mechanisms and simplify integration complexities
- Uses a Pluggable Authentication Module (PAM) approach to support a wide range of authentication methods; new authentication methods can be easily added as they emerge
- The out-of-the-box end-to-end token life-cycle management module greatly streamlines the administration and management of token logistics
- UAS provides fine grained and configurable authentication policy: Login Policy, Password Expiry Policy and Password Quality Policy
- Multi-tier Java based architecture to offer wide range of server platforms and scalability
- HSM Integration to provide strong key management and efficient encryption and decryption of user credentials

Versatile Authentication Servers
A versatile authentication server (VAS) is a single server (software, or a software or hardware appliance) that supports multiple open and proprietary authentication methods in multiplatform environments.
Gartner sees more enterprises adopting multiple authentication methods that best suit multiple use cases. For such an enterprise, a VAS is the strategically important piece of an authentication solution. A VAS allows the enterprise to avoid having to implement and support multiple parallel infrastructures. Furthermore, a VAS gives an enterprise a simple means of migrating to new authentication methods as its needs change and new methods emerge; each needs only to be plugged in to the VAS, rather than stripping out the old authentication infrastructure and plumbing in the new. Although a VAS is most suited to an enterprise looking to adopt multiple authentication methods, any enterprise should, given a choice between two vendors with otherwise similar offerings, favor the authentication vendor offering a VAS. Looking to a third-party VAS vendor is also a viable option.
Source: Gartner, Dr. Ant Allan

Pluggable Authentication (PAM) & Authentication Realm
AxMx Engine supports multiple directories, multiple factor and multiple steps authentication methods
- Active Directory, LDAP, RADIUS, Kerberos, NTLM, E2EEA, Web token
- Pluggable Authentication Module: One Time Password, ID Password, PKI Digital Cert, Open Interface, Knowledge Based, Out of Band
- Authentication Realm (Multi-Step Authentication Flow): Questions & Answers, Pictures, Matrix Card, EMV-CAP
- External Authentication, Integration, Access Manager, Biometrics

AccessMatrix UAS Ready Integration
Enterprise 2FA Modules: Strong Authentication & Token Management
- Ready Integrated Modules:
  - 2FA for Microsoft Terminal Server
  - Microsoft Office SharePoint Server (MOSS2007)
  - SharePoint Server
  - Outlook for Web Access (OWA)
  - 2FA for UNIX OS Login
  - Web Applications
  - 2FA Desktop Login (Credential Provider)
- Radius Ready Modules:
  - RAS / VPN Gateway
  - Radius enabled Devices/Appls
- AxMxUAS SDK for Application Integration

Biometrics Authentication and Authorization
Versatile authentication platform to incorporate the support for Biometric Authentication and Management features

Reference Cases
- Bank of China (HK): Internet Banking Centralized Authentication Platform. AccessMatrix UAS Software has been deployed in Bank of China (HK) to provide a Centralized 2FA Authentication Platform for their internet Banking Applications
- Citic Bank International: Centralized Authentication Platform. AccessMatrix UAS Software has been deployed in Citic Bank International to provide a Centralized Authentication Platform for their internet Banking Applications to meet the 2FA and E2EEA requirements mandated by HKMA & MAS
- China Centralization Authentication for VPN: AccessMatrix UAS Software has been deployed in China to provide Centralized Authentication for Remote Access using OTP via SMS for more than 700,000 employees and partners
- PSA Corporation Centralization Authentication for VPN: AccessMatrix UAS Software has been deployed in PSA Corporation (the largest Port in the world) to provide Centralized Authentication for Remote Access using OTP via SMS and RSA tokens for more than 20,000 employees
- Citi Private Banking Client Web Site: AccessMatrix UAS Software has been deployed in Citi Private Banking Global Client Website and iOS App to secure their clients' login using E2E Encryption Authentication
- UBS Wealth Management Client Portal: AccessMatrix UAS Software has been deployed in UBS Wealth Management Client Portal for their internet Banking Applications to meet the E2EEA requirements mandated by HKMA and MAS

Too Many IDs / Credentials

Customer Pain Points
- Password Management Complexities: users are frustrated by the complex login and password policies. Poor password selection and management cause weakened security at the desktop.
- Loss of Productivity: employees get locked out, which interrupts work and revenue-producing activity. High Help Desk costs for password-related calls.
- Mounting Regulatory Pressure: preventing public access to private data is a requirement (HIPAA, GLBA).
- Increasing security standards: requirements for strong authentication for critical applications. Integrating advanced authentication for applications is difficult.

Enterprise SSO
- Non Intrusive SSO
- Enable SSO Convergence: webSSO, ESSO, Cloud SSO

AccessMatrix: The Unified Single Sign-On Platform for Enterprise, Cloud and Mobile Applications
AccessMatrix Unified Single Sign-On (SSO) platform covers Enterprise Single Sign-On (ESSO), Federated Single Sign-On, Web Single Sign-On and Mobile Single Sign-On. It provides an Identity Federation platform that supports popular identity protocols, e.g. SAML and OAuth, to provide the SSO capabilities for cloud and mobile applications.

Business Challenges
- Loss of Productivity
  - Frequent interruptions in user productivity and revenue generating activities due to employees being locked out
  - Integration of business entities through merger and acquisition events
  - High help desk and user support cost due to password-related issues
- Security Exposure
  - Weakened security due to poor password selection and management
  - Password sharing among staff leads to potential fraud
  - Difficulty of integrating advanced authentication for applications
- More Stringent Regulatory Requirements
  - Ensure only authorized users can access private data (HIPAA, GLBA) and track and report on all access (SOX)

AccessMatrix Universal Sign-On (AxMxUSO)
- Web Based eSSO solution to enable organizations to achieve secure single sign-on to both web and non-web applications without any source code changes
- No manual software installation is required at the client workstation; Zero-Administration
- Self-install, self-config, self-upgrade and self-service
- No single point of failure design to ensure that the SSO feature is always available to minimize operation disruption
- HSM Integration to provide strong key management and efficient encryption and decryption of user credentials

AccessMatrix USO (User Experience Simulation)
Screen labels: mylogin; ID*: albertc; Login Successful

Reference Cases
- Bank of Lanzhou ESSO Platform: The Bank has leveraged our AccessMatrix USO to provide a SSO platform for their internal applications and their users can enjoy the convenience of application access.
- Bank of China (BJ) ESSO Platform: The Bank has leveraged our AccessMatrix USO to provide a SSO platform for their internal applications and their users can enjoy the convenience of application access.

- Comprehensive enterprise access control system and single sign-on (SSO) platform based on AccessMatrix technology
- Provide Web Access Control and Authorization Features
- Fine grain access control to manage users' access to confidential information and critical business transactions
- Agent technology for protecting critical application resources
  - Web Server: Web Security Agent (WSA)
  - Application Server: Application Security APIs (ASA)
- Flexible APIs and agent technologies to provide easy and see