
SafeNet Authentication Service - one-time password management system

About a year ago, in the article “eToken lived, eToken is alive, eToken will live”, I mentioned a product called Gemalto SafeNet Authentication Service; it is time to describe it in more detail. This article is introductory, but others will follow that are more technical and, I think, will include real business cases.

IT professionals often face the task of strengthening the security of a service, and user identification and authentication play a key role in that security.

What to choose:


After all, the chosen solution should not complicate access to the service, or it will meet resistance from end users. According to statistics, most user compromises occur at the authentication stage. Before deciding what to use in practice, IT managers must carefully assess the various methods, paying special attention to users who work from a so-called “untrusted environment”.

Suppose a user in an untrusted environment, say at someone else's computer in an Internet cafe, enters a username for identification and a password for authentication. Meanwhile, attackers can intercept either network packets or keyboard input, which then lets them reuse the user's credentials. In addition, everything the user enters in an untrusted environment may be cached locally on the computer that was used.

Of course, removable media in the form of smart cards or USB tokens are much more reliable than passwords. But what about the special case when a user needs to use a smart card or USB token outside the office at that moment? Not to mention that each type of smart card and USB token requires specialized software on the computer; there is little hope of finding it on a public machine and little chance of being allowed to install it. Nor can one rule out the need for a free USB port, which may be blocked, to connect a USB token, or for a PC equipped with a reader to operate a smart card. And given the growing share of users working on mobile devices, the likelihood of being able to use removable media on them is considerably lower.

It is much easier to use one-time passwords (OTP, One-Time Password) for a single authentication procedure. Such a password is simpler and more convenient to use. There is no point in intercepting a one-time password with a keylogger, nor any need to fear that it will be cached on the computer. Shoulder-surfing a one-time password is useless, as is capturing it in network packets. At the moment this is the only type of token that requires neither a connection to the personal computer nor specialized software on it, and it works on any platform in any environment. A wide model range of one-time password generators lets enterprises provide enhanced security for access to corporate resources, portals or a user's personal account, which is now a separate security requirement from the business side.
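As an added example (not code from the article, nor from Gemalto/SafeNet or its tokens), the following Python sketch shows the mechanism behind the claim above: a one-time password is derived from a shared secret and an event counter (HOTP, RFC 4226) or from the current time step (TOTP, RFC 6238), and the verifier refuses any counter it has already accepted, so a code captured by a keylogger or on the wire is worthless after its single use. The secret is the RFC 4226 test-vector key, used here only so the output can be checked against the published vectors; the `OtpVerifier` class with its `look_ahead` and `drift` parameters is my own illustration and is not the SafeNet Authentication Service implementation.

```python
import hashlib
import hmac
import struct
import time
from typing import Iterable, Optional, Tuple

# Constructed secret: the RFC 4226 test-vector key (ASCII "12345678901234567890").
# A real token's seed is provisioned by the vendor and never appears in source code.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of the last byte
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** digits:0{digits}d}"


def totp(secret: bytes, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of `step`-second intervals since the epoch."""
    t = time.time() if at is None else at
    return hotp(secret, int(t // step), digits)


class OtpVerifier:
    """Server-side check shared by event-based (HOTP) and time-based (TOTP) tokens.

    The verifier remembers the highest counter it has already accepted and refuses any
    candidate at or below it, even when the code matches. That is what makes an
    intercepted one-time password useless: once consumed it cannot be replayed.
    """

    def __init__(self, secret: bytes, digits: int = 6):
        self.secret = secret
        self.digits = digits
        self.last_accepted = -1   # in a real deployment this is stored per user, persistently

    def _try(self, code: str, candidates: Iterable[int]) -> bool:
        for counter in candidates:
            if counter <= self.last_accepted:
                continue                                      # already consumed: replay
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):           # constant-time comparison
                self.last_accepted = counter
                return True
        return False

    def verify_hotp(self, code: str, look_ahead: int = 5) -> bool:
        """Event-based token: accept the next `look_ahead` counters after the last accepted one
        (the user may have pressed the button without submitting a code)."""
        start = self.last_accepted + 1
        return self._try(code, range(start, start + look_ahead))

    def verify_totp(self, code: str, at: Optional[float] = None,
                    step: int = 30, drift: int = 1) -> bool:
        """Time-based token: accept the current step plus `drift` steps either side for clock skew."""
        t = time.time() if at is None else at
        now_step = int(t // step)
        return self._try(code, range(now_step - drift, now_step + drift + 1))


def demo_replay() -> Tuple[bool, bool]:
    """A captured HOTP code is accepted once and refused when replayed."""
    verifier = OtpVerifier(DEMO_SECRET)
    captured = hotp(DEMO_SECRET, 0)            # what a keylogger would see: "755224"
    first = verifier.verify_hotp(captured)     # legitimate use: accepted
    second = verifier.verify_hotp(captured)    # attacker replays it: rejected
    return first, second


if __name__ == "__main__":
    print("RFC 4226 counter 0:", hotp(DEMO_SECRET, 0))
    print("replay demo (first, second):", demo_replay())
```

The replay check only protects against reuse after the fact; the `last_accepted` value must be stored per user on the authentication server, and the token seed must live only on the token and the server, which is exactly the kind of state a token life-cycle management system is responsible for.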

What to do once the authentication method has been chosen? Who should take on the role of the person responsible for managing and supporting the service? How to manage the life cycle of the OTP tokens issued to users? How to track their status? How to improve customer service? These and many other questions may face IT managers.

The key to solving these issues is choosing a solution that can handle the task of managing the life cycle of OTP tokens, since the main task, once tokens are put into operation and handed to users, is to provide timely service to token users as quickly as possible. Of course, there are enough management systems on the market, but first of all it is worth looking at single-vendor solutions: no one knows a vendor's tokens better than the vendor itself.

One cannot pass by the Gemalto-SafeNet product SafeNet Authentication Service, which is nominated every year for “Best Multi-factor Authentication Solution” by reputable publications and research companies.

Choosing the right authentication solution is important in reducing business risk. Of course, the best solutions have the largest range of supported token models, and can protect both cloud and local applications and services, as well as any network access from any device. But it's not just about security, it's also about how easily you can deploy, manage, and scale your authentication solution.

What is SafeNet Authentication Service?

SafeNet Authentication Service is a fully automated multi-factor authentication service whose purpose is to serve users with tokens. It is distributed in two editions: an on-premises version that can be deployed independently in the enterprise's own infrastructure, and a cloud edition, where the service is already deployed and there is no need to ask “where do we find the resources to deploy it?”. SafeNet Authentication Service is managed from the browser-based Admin Console. The console provides optimal conditions for managing processes: automatic provisioning of users and user repositories, for example when an LDAP directory or a DBMS is used as the user source; user self-service setup; and the broadest configuration of authentication mechanisms and protection for all of your most valuable corporate resources, whether on-premises, web or cloud.

SafeNet Authentication Service supports the following authentication methods and form factors:


Software tokens for SafeNet Authentication Service support a large number of platforms, including MS Windows, Windows Mobile, Mac OS X, iOS, Android and BlackBerry. SafeNet Authentication Service supports various combinations of user profiles that let you combine different authentication methods according to the requirements of the enterprise security policy.

Hardware OTP tokens are used to generate highly secure one-time passwords. A wide selection of hardware tokens (eToken PASS, eToken GOLD, KT-4, RB-1) lets users authenticate to critical applications and data.

SafeNet Authentication Service uses the enterprise-standard RADIUS and SAML protocols, which essentially means the service can be integrated with any network and application, including solutions from all leading vendors. With SafeNet Authentication Service you can protect any access to any application.

Out of the box, SafeNet Authentication Service supports VPN with strong authentication, both IPsec and SSL VPN; in other words, it is compatible with vendors such as Cisco, Check Point, Juniper, F5, Palo Alto, SonicWall, Citrix and WatchGuard. Extending strong authentication into the virtualization infrastructure (VDI) ensures reliable authentication on thin clients, mobile terminals and employees' own devices (BYOD) in virtualization environments from Citrix, VMware and AWS (Amazon Web Services).

Not long ago, TESSIS (Technologies, Systems and Solutions for Information Security), the official distributor of Gemalto-SafeNet solutions in Russia, announced that FSTEC certificate of conformity No. 3070 had been extended until January 27, 2020. The solution can be used in information systems and personal data processing systems of security classes 3 and 4 where threats of type 3 (undeclared capabilities) are relevant.

In which cases and where can the SAS solution be used?

Financial organizations and remote banking services:


Telecom and telecom operators:


Medical and pharmaceutical organizations:


Corporate Security:


In conclusion, I would like to note that choosing strong authentication and using one-time passwords really does protect user authentication. One-time passwords are convenient and easy to use for organizing access to corporate resources, portals and cloud services. The user does not have to memorize passwords, since a one-time password is entered and forgotten. It is also important that, regardless of the workstation the user works from, no token driver needs to be installed. And with SafeNet Authentication Service we get a complete solution for accessing various services and managing the life cycle of OTP tokens. The concept of SafeNet Authentication Service is to make multi-factor authentication widely available, and its use proves that a high level of security does not mean high cost and expensive maintenance of the service itself.

Source: https://habr.com/ru/post/322186/
