Recently documented cyber-attacks targeted specifically at two-factor authentication solutions can render these security measures ineffective, put confidential data at risk, undermine customer trust and create a public relations nightmare. As security professionals, we believe that there is a clear need to create a trusted and secure environment that protects and manages the underpinning cryptographic keys used for the critical provisioning and authentication processes. This slidedeck shows how VASCO and Thales address these challenges with an integrated solution for the secure lifecycle management of user credentials and authentication devices using certified HSMs at its root of trust. Ask VASCO and Thales security experts about advantages of protecting keys in a hardened, tamper-resistant HSM environment; learn how the joint solution can help you comply with regulatory requirements for the financial, healthcare and public sectors. In this session you will learn how to: Combat APT attacks on your stored authentication data Leverage HSMs to protect and manage underpinning cryptographic keys Prevent reverse engineering of cryptographic keys and algorithms Use an integrated solution to enforce security policies and separate security functions from administrative tasks Secure license provisioning for hardware and software Or why not view the webcast: https://vasco.webex.com/vasco/lsr.php?RCID=d2514f56994973bf5405e75454a2eee6

1. Enhancing Identity
Protection Solutions
with a Certified
Hardware Security
Module (HSM)
Will LaSala – VASCO Data Security
Juan Asenjo – Thales e-Security

2. Things can go wrong…
Trust takes years to build, seconds to break, and forever to repair.

3. Why protect your authentication solutions?
Unauthorized access to
online sensitive data
Targeted cyber-attacks on
authentication solutions
can render them ineffective
• Insider Attacker Threats
• Targeted Social
Engineering Attacks
• Advanced Persistent
Threats

4. Multi-Factor Authentication
▌ VACMAN Controller
Backend
Protect & manage keys
used for provisioning
authentication devices
▌ IDENTIKEY
Authentication Server
Backend
Authentication server
Processes user login
requests
Validates devices
▌ DIGIPASS
Frontend
Authentication device
family
Something user has
Something user knows
Thales nShield HSM
A Component of the VASCO Trust Platform

5. IDENTIKEY Authentication Server
Remote Clients
Back-End
IDENTIKEY DB
• Built-in
• ODBC
• Active Directory
Web Admin Command
AD Admin Line
Additional ToolsAdministration
SEAL
RADIUS
Customer Web ApplicationsSOAP
DIGIPASS Authentication
for Windows LogonSEAL-SSL
Wifi / RADIUS ClientRADIUS
Citrix/OWA/IIS6
WINDOWS
LDAP
Native HSM
Key Protection

6. VACMAN Controller
VACMAN Controller replaces your built in password
verification module inside your application
6
Platform
X
Application
Core
Communication
Interface
StorageUser
Interface
Password
Validation
Module
VACMAN
Controller
HSM
Security
World VC
HSM
Module

7. • Thales and VASCO platforms with HSM leverages multiple secure keys which are used to decrypt DIGIPASS
secrets in the manufacturing injection process, transport file and customer backend database.
• VASCO HSM Encrypted data used for Authentication and Provisioning
• DIGIPASS Secrets are never in the clear and leverage an HSM throughout the entire lifecycle
VASCO and Thales Deliver Secure Lifecycle Management of User
Credentials and Authentication Devices:
Manufacturing to Delivery
Delivery to Loading
Joint Solution Details

8. What are HSMs and What do they do?
Hardware Security Module
Hardened, tamper-resistant devices isolated
from host environment
Alternative to software crypto libraries
Secure cryptographic operations
Protect critical cryptographic keys
Segregate administration and security domains
and enforce key use policy
nShield HSMs
are FIPS 140-2
Level 3 certified

9. Protecting the Keys (Software vs. Hardware)
Software-Only System
Numerous copies of keys live across
system and backups
Hardened System
Keys are segregated within an isolated
security environment

10. Extending nShield Security Capabilities
CodeSafe – secure code execution
 Enables sensitive applications to run within HSM security boundary
 Protects application code from attack while it executes
 Essential when the protection of keys and crypto processes alone is not sufficient
 Creates tamper-resistant applications
 Ideal for remote deployment operations such as manufacturing sites
Business Application Security-Sensitive Code
Code moved into
HSMHSM security boundary
Application keys and security-
sensitive code inside HSM
boundary
Security-sensitive
code
Crypto processing engine

11. Protecting the Private Key
Cryptographic Identity
 1:1 mapping between a private key and its corresponding certificate
 Your private key is your identity
 Personal
 Corporate
 What is the impact if that key is compromised?
 Compromise of DIGIPASS OTP secrets, which can be used for remote access to
company resources
 Compromise of trusted user authorization, without triggering inherent network monitor
alarms
 What can be done to mitigate a compromise?
 Surprisingly little – the cat is out of the bag
 OTP token can be revoked
 New OTP tokens & keys can be distributed and hope your credibility survives

12. Thales Integration with Vasco
Enhance the Security of your User
Credentials with a Proven,
Integrated Solution
CLICK HERE

13. Why Thales e-Security?
Banking Government Utilities High Tech Mobile
Automotive
Healthcare
Manufacturing
▌ Our track record. Over 40 years of leadership delivering data protection solutions around
the world
▌ Our customers. We secure some of the world’s most valuable information and > 80% of
payment transactions
▌ Our commitment. Hundreds of R&D staff dedicated to excellence in applied
cryptography
▌ Our certifications. All our offerings are independently security certified - more than
anyone else!
▌ Our support services. Our Advanced Solutions Group (ASG) provides world-class
consulting, training, and deployment assistance

14.  End to End key protection throughout key lifecycle
 Hardened tamper resistant environment
 Seamless support of an integrated solution
 Robust two-factor authentication of users
 Protects a wide range of authentication devices
 Full lifecycle cryptographic key management
 Stores keys in a FIPS 140-2 Level 3 validated module
 Simplified PCI DSS auditing and reduced compliance costs
A Secure environments needs to have Trust, across users, devices,
applications, communications, platforms
End to End Trusted User Security is…
 Building Trust for Everything the user is
 Building Trust for Everything the user does
 By ensuring Everything is secure
 Everything is built on controlling access to the Keys
 If that key is compromised, then others can follow
Joint Solution Summary
VASCO Trust Platform

15. The VASCO Trust Platform
Risk
Management
Transaction
Security
Mobile Application
Security
Multi-Factor
Authentication
Identity
Proofing
Trusted Identity Trusted User
Trusted Device
Trusted App
Trusted Channel
Trusted Data & Docs
Trusted Signatures
Trusted Transactions Trusted Behavior
VASCO Trust Platform
Who you are What you do
IDENTIKEY
Risk Manager
f o r A P P S
Leverage new technology to deliver higher levels of security and fraud prevention that are frictionless and
transparent to the end user, and that enable new business capabilities and efficiencies.

16.  Download Solution brief CLICK HERE
 Upgrade your IDENTIKEY license to IDENTIKEY
Enterprise
info-usa@vasco.com
 Request more information about Thales HSM
www.thales-esecurity.com
What’s Next: