Recently documented cyber-attacks targeted specifically at two-factor authentication solutions can render these security measures ineffective, put confidential data at risk, undermine customer trust and create a public relations nightmare. As security professionals, we believe that there is a clear need to create a trusted and secure environment that protects and manages the underpinning cryptographic keys used for the critical provisioning and authentication processes.
This slide deck shows how VASCO and Thales address these challenges with an integrated solution for the secure lifecycle management of user credentials and authentication devices, with certified HSMs as its root of trust.
Ask VASCO and Thales security experts about the advantages of protecting keys in a hardened, tamper-resistant HSM environment; learn how the joint solution can help you comply with regulatory requirements for the financial, healthcare and public sectors.
In this session you will learn how to:
Combat APT attacks on your stored authentication data
Leverage HSMs to protect and manage underpinning cryptographic keys
Prevent reverse engineering of cryptographic keys and algorithms
Use an integrated solution to enforce security policies and separate security functions from administrative tasks
Secure license provisioning for hardware and software
Or why not view the webcast:
https://vasco.webex.com/vasco/lsr.php?RCID=d2514f56994973bf5405e75454a2eee6
2. Things can go wrong…
Trust takes years to build, seconds to break, and forever to repair.
3. Why protect your authentication solutions?
Unauthorized access to online sensitive data
Targeted cyber-attacks on authentication solutions can render them ineffective
• Insider Attacker Threats
• Targeted Social Engineering Attacks
• Advanced Persistent Threats
4. Multi-Factor Authentication
▌ VACMAN Controller (Backend): protect & manage keys used for provisioning authentication devices
▌ IDENTIKEY Authentication Server (Backend): authentication server; processes user login requests; validates devices
▌ DIGIPASS (Frontend): authentication device family; something user has, something user knows
Thales nShield HSM
A Component of the VASCO Trust Platform
5. IDENTIKEY Authentication Server
[Architecture diagram: IDENTIKEY Authentication Server back-end, remote clients and native HSM key protection]
IDENTIKEY DB: • Built-in • ODBC • Active Directory
Administration: Web Admin, AD Admin, Command Line, Additional Tools
Remote Clients and protocols: SEAL; RADIUS; Customer Web Applications (SOAP); DIGIPASS Authentication for Windows Logon (SEAL-SSL); Wifi / RADIUS Client (RADIUS); Citrix/OWA/IIS6; Windows; LDAP
Native HSM Key Protection
6. VACMAN Controller
VACMAN Controller replaces your built-in password verification module inside your application
[Diagram: an application on Platform X with its Core, Communication Interface, Storage and User Interface; the Password Validation Module is replaced by VACMAN Controller, backed by the VC HSM Module inside the HSM Security World]
7. Joint Solution Details
VASCO and Thales Deliver Secure Lifecycle Management of User Credentials and Authentication Devices: Manufacturing to Delivery, Delivery to Loading
• Thales and VASCO platforms with HSM leverage multiple secure keys which are used to decrypt DIGIPASS secrets in the manufacturing injection process, transport file and customer backend database.
• VASCO HSM Encrypted data used for Authentication and Provisioning
• DIGIPASS Secrets are never in the clear and leverage an HSM throughout the entire lifecycle
8. What are HSMs and What do they do?
Hardware Security Module
Hardened, tamper-resistant devices isolated from host environment
Alternative to software crypto libraries
Secure cryptographic operations
Protect critical cryptographic keys
Segregate administration and security domains and enforce key use policy
nShield HSMs are FIPS 140-2 Level 3 certified
9. Protecting the Keys (Software vs. Hardware)
Software-Only System: numerous copies of keys live across system and backups
Hardened System: keys are segregated within an isolated security environment
10. Extending nShield Security Capabilities
CodeSafe – secure code execution
Enables sensitive applications to run within HSM security boundary
Protects application code from attack while it executes
Essential when the protection of keys and crypto processes alone is not sufficient
Creates tamper-resistant applications
Ideal for remote deployment operations such as manufacturing sites
[Diagram: the security-sensitive code of a business application is moved into the HSM security boundary, so application keys and security-sensitive code sit inside the HSM boundary next to the crypto processing engine]
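The lifecycle that slides 7, 9 and 10 describe (OTP secrets wrapped at manufacturing, carried in a transport file, re-wrapped in the customer back end, and verified by code that runs inside the HSM boundary so the seed is never in the clear outside it) can be modelled in a few dozen lines. The following is an added, constructed Python example and not VASCO or Thales code: the two HSM classes, the transport key pre-shared between the two security worlds, the HMAC-based toy wrapping that stands in for the HSM's real key wrap, and the device serial are all assumptions; only the HOTP computation follows RFC 4226.

```python
import hashlib
import hmac
import secrets
import struct

# Toy authenticated key wrap (HMAC-SHA256 keystream + MAC). This is a constructed
# stand-in for the HSM's own key wrapping and exists only so the example runs offline.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, b"enc" + nonce + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return out[:length]

def _wrap(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def _unwrap(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrapped secret failed its integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: the same computation runs in the token and inside the HSM."""
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class Device:
    """Stand-in for an OTP token: it carries its own copy of the seed and an event counter."""
    def __init__(self, serial: str, seed: bytes):
        self.serial, self._seed, self.counter = serial, seed, 0

    def press(self) -> str:
        otp = hotp(self._seed, self.counter)
        self.counter += 1
        return otp

class ManufacturingHsm:
    """Security world at the manufacturing site: injects seeds and writes the transport file."""
    def __init__(self, transport_key: bytes):
        self._transport_key = transport_key

    def inject(self, serial: str):
        seed = secrets.token_bytes(20)
        device = Device(serial, seed)                        # seed goes into the token ...
        record = (serial, _wrap(self._transport_key, seed))  # ... and leaves the site only wrapped
        return device, record

class CustomerHsm:
    """Security world at the customer: re-wraps under a local storage key and verifies OTPs."""
    def __init__(self, transport_key: bytes):
        self._transport_key = transport_key
        self._storage_key = secrets.token_bytes(32)  # never leaves this object

    def import_record(self, record):
        serial, transport_blob = record
        seed = _unwrap(self._transport_key, transport_blob)  # plaintext exists only inside the boundary
        return serial, _wrap(self._storage_key, seed)

    def verify(self, storage_blob: bytes, counter: int, otp: str, window: int = 3):
        """Return the next counter on success, None otherwise; the seed is never returned."""
        seed = _unwrap(self._storage_key, storage_blob)
        for c in range(counter, counter + window):
            if hmac.compare_digest(hotp(seed, c), otp):
                return c + 1
        return None

def run_lifecycle() -> dict:
    """Manufacturing -> transport file -> customer database -> login, all on wrapped secrets."""
    transport_key = secrets.token_bytes(32)  # constructed: pre-shared by the two security worlds
    factory, customer = ManufacturingHsm(transport_key), CustomerHsm(transport_key)
    device, record = factory.inject("DP-0001")            # constructed serial number
    serial, blob = customer.import_record(record)
    backend_db = {serial: {"blob": blob, "counter": 0}}   # the only thing the application stores

    otp = device.press()
    row = backend_db[serial]
    new_counter = customer.verify(row["blob"], row["counter"], otp)
    first_login = new_counter is not None
    if first_login:
        row["counter"] = new_counter
    replay = customer.verify(row["blob"], row["counter"], otp) is not None
    wrong = otp[:-1] + str((int(otp[-1]) + 1) % 10)
    wrong_otp = customer.verify(row["blob"], row["counter"], wrong) is not None

    tampered = bytearray(row["blob"])
    tampered[20] ^= 0x01                                  # flip one ciphertext byte
    try:
        customer.verify(bytes(tampered), row["counter"], otp)
        tamper_detected = False
    except ValueError:
        tamper_detected = True

    seed_in_db = device._seed in row["blob"]  # a backup of the DB carries no usable seed
    return {"first_login": first_login, "replay": replay, "wrong_otp": wrong_otp,
            "tamper_detected": tamper_detected, "seed_in_db": seed_in_db}

if __name__ == "__main__":
    print(run_lifecycle())
```

The point of the model is the interface rather than the toy cipher: the application database holds only wrapped blobs, the only values that cross the boundary are wrapped blobs and a verdict, and a copy of the database or its backups therefore carries no usable OTP seed. That is the contrast slide 9 draws: in a software-only deployment the equivalent of `_storage_key` would sit on the same host as the database it protects.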
11. Protecting the Private Key
Cryptographic Identity
1:1 mapping between a private key and its corresponding certificate
Your private key is your identity
Personal
Corporate
What is the impact if that key is compromised?
Compromise of DIGIPASS OTP secrets, which can be used for remote access to company resources
Compromise of trusted user authorization, without triggering inherent network monitor alarms
What can be done to mitigate a compromise?
Surprisingly little – the cat is out of the bag
OTP token can be revoked
New OTP tokens & keys can be distributed and hope your credibility survives
12. Thales Integration with Vasco
Enhance the Security of your User Credentials with a Proven, Integrated Solution
13. Why Thales e-Security?
Banking, Government, Utilities, High Tech, Mobile, Automotive, Healthcare, Manufacturing
▌ Our track record. Over 40 years of leadership delivering data protection solutions around the world
▌ Our customers. We secure some of the world’s most valuable information and > 80% of payment transactions
▌ Our commitment. Hundreds of R&D staff dedicated to excellence in applied cryptography
▌ Our certifications. All our offerings are independently security certified - more than anyone else!
▌ Our support services. Our Advanced Solutions Group (ASG) provides world-class consulting, training, and deployment assistance
14. Joint Solution Summary
End to End key protection throughout key lifecycle
Hardened tamper-resistant environment
Seamless support of an integrated solution
Robust two-factor authentication of users
Protects a wide range of authentication devices
Full lifecycle cryptographic key management
Stores keys in a FIPS 140-2 Level 3 validated module
Simplified PCI DSS auditing and reduced compliance costs
A secure environment needs to have Trust across users, devices, applications, communications, platforms
End to End Trusted User Security is…
Building Trust for Everything the user is
Building Trust for Everything the user does
By ensuring Everything is secure
Everything is built on controlling access to the Keys
If that key is compromised, then others can follow
VASCO Trust Platform
15. The VASCO Trust Platform
[Diagram: platform pillars: Risk Management, Transaction Security, Mobile Application Security, Multi-Factor Authentication, Identity Proofing]
Trusted Identity (Who you are): Trusted User, Trusted Device, Trusted App, Trusted Channel
Trusted Transactions (What you do): Trusted Data & Docs, Trusted Signatures, Trusted Behavior
VASCO Trust Platform
IDENTIKEY Risk Manager
for APPS
Leverage new technology to deliver higher levels of security and fraud prevention that are frictionless and transparent to the end user, and that enable new business capabilities and efficiencies.
16. What’s Next:
Download Solution brief
Upgrade your IDENTIKEY license to IDENTIKEY Enterprise: info-usa@vasco.com
Request more information about Thales HSM: www.thales-esecurity.com