Verizon IAM Services Presentation to CTST 2009

May 5, 2009
Confidential and proprietary material for authorized Verizon personnel only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.
Agenda
• Overall Verizon Customer Base
• Overview of Current IAM Offerings
• Vision for Identity Management Services
• Strategy
• Roadmap
• Smart Card Initiatives
Verizon Customers
• Wireless Business
86.6 Million Customers overall. 84.1 Million Retail (most of any US wireless company)
• Wireline Business
2.8 Million FiOS Internet Customers
Verizon Identity Solutions: What We Do
We provide organizations with the tools to provision, manage and enable identity credentials, and to create a comprehensive and efficient approach to managing identities and access to resources across the extended enterprise.
How We Do It
Identity Management Offerings
• IdM Professional Services
– Strategy: Assessments, Business Case, Strategic Planning, Security Policies
– Technology Planning: Gap Analyses, Identity Roadmap, Operational Procedures
– Solution Deployment: Controls, Standards and Implementation
• Security Resale Services
– Offers products for a variety of IAM technologies
– Third Party Identity Software and Appliances
– On premise deployments customer or remote managed
• Identity Managed Services
– Managed Credentials Services
– Identity Enablement Services (Future)
– Secure Transactions Services (Future)
Current IdM Managed Service Offerings
Core Capabilities In PKI and OTP
Managed Credential Services
• CorporateID and Government ID: set of managed issuance and post-issuance services supporting multiple types of credentials, including certificates, OTP, tokens and smartcards
• Device ID: managed service allowing bulk delivery of certificates to authenticate devices such as mobile phones, set-top boxes, game consoles, …
• SSL OnDemand: managed service allowing organizations to issue SSL and EV SSL certificates governed under the Cybertrust CPS
Vision for IdM
• IdM will be increasingly outsourced due to variety of factors
– Maturation of technologies
• Many IdM applications being architected for hosting/multi-tenancy
– Limited budget, skills, and other resources in-house to bring on new technologies
– Cost and complexity managed better by experts with competencies and scale, e.g.
• LAN management
• Exchange Hosting
• Salesforce.com
• Managed Credentials
– Belgian Citizen ID
– U.S. Shared services provider
– Commercial PKI and OTP "product" customers migrating to hosting
• Identity will reside outside applications, moving to Service-Oriented Architecture
– User and security policy data provided to applications as needed
– Increased Federation of Identities
– Provisioning, Access Management, Authorization can be modules
Vision >>> Strategy For IdM
Managed Services To Enable Trusted Business Processes
(Diagram, reconstructed from the slide layout.)
Inputs: Multiple Applications, Platforms & Networks; Multiple Device Types; Multiple User & Role Types
Enable Seamless Trusted Business Processes Across the Extended Enterprise
Verizon Managed Identity Services:
• Managed Credential Services (Provisioning identity credentials)
– Register user
– Synchronize with other user data repositories
– Publish to directory
– Deliver digital credential to user/device
– Revoke credential
– Renew credential
• Identity Enablement Services (Managing identity)
– Policy management
– Identity management
– Administration & reporting
• Secure Transactions Services (Enforcing)
– Retrieve credential from store
– Authenticate user
– Validate issuer
– Sign and/or encrypt transaction
– Verify signature
– Check entitlements
– Authorize access/transaction
– Record/receipt transaction
– Audit events
IAM Roadmap
Multi-Phased Portfolio Expansion, 2009 and Beyond (phases ordered by increasing value add)
• Authentication (P1): Expanded CorporateID Services
– Extended form factors (VzW phones, Cards) for SecurID, Digital Certificates
– Quickly & cost effectively provide credentials for secure logon and access
• Secure Transactions (P2)
– Encryption Management Platform
– Secure email and document services
– Reduce paper-based transactions, guard against data leakage
• Identity Enablement (P3): User Administration & Identity Auditing
– Identity Lifecycle Management
– Efficiently add/remove users across applications for greater productivity, increased compliance
• Identity as a Service (P4)
– Hosted Identity Services
– Menu of Identity management functions
– Pluggable use of Identities by applications
Identity Enablement of Services & Mainstream Applications
Phase 1: Extend CorporateID Core Capabilities
Enable Wider Deployment and Combine Verizon Services
• Standardized and Enhanced Managed Authentication Services
– Ability to address smaller user bases and offer global availability
– Extending form factors (OTP on VzT phones, Card Systems) will be addressed
– Launch bundled and integrated offers which leverage existing user authentication methods (PKI, OTP) tied to both remote and local access
Managed OTP - SecurID
Existing Offerings
Managed SecurID
• Premise based remote management of primary and replica servers
• End user help desk support
• Bulk registration
• US availability
Hosted SecurID
• Custom offering available for large deployments
• Globally available
• Help desk to help desk support
• Full hosting and management of primary and replica servers
• Bulk registration
2009 Roadmap
Upgrade Managed & Hosted offerings
• Global availability
• RSA Authentication Manager 7.1
– Burst capacity / business continuity
• BREW Handset capabilities
• Shared platform option (as available).
• End-user token distribution
Smart Card Initiatives
Managed Service Offering
First Responder Needs and Challenges
Goal: An interoperable credential and validation system that can issue LOCAL credentials AND validate Federal, FEMA, DoD, National Guard credentials
• Challenges:
– To facilitate emergency management with IT systems
– To facilitate multi-agency and multi-jurisdictional coordination between local governments, special districts, and state and federal agencies during emergency operations, in compliance with the National Incident Management System (NIMS)
– To support requirements imposed by FEMA and mutual aid
Objectives
• Secure and reliable forms of identification
– Issued based on sound criteria for verifying an individual employee's identity
– Strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation
– Can be rapidly authenticated electronically
– Issued only by providers whose reliability has been established by an official accreditation process
• Convergence of multiple uses
– First Responders
– Logical Access
– Physical Access
• One Card = One Identity
– Based on a security framework that promotes interoperability and privacy
• Standard
– Cards issued and compliant with widely accepted standard practices, processes, and products
FIPS-201
Interoperable Standards
• National Institute of Standards and Technology (NIST) released the FIPS 201 Standard
– Outlines required implementation standards for interoperable and converged credentials
– Identity proofing, registration and issuance requirements
– General technical specifications
• Dozens of HSPD-12 related NIST Special Publications with detailed specifications
• NIST Testing Lab
– Performs testing on all components and certifies technology for use
• FIPS-201 has become the new de facto national and international standard
– ANSI Workgroups and International Smart Card community adopting standards
– Use by both Public and Private Sector Organizations
• Current adoption in the commercial and international markets validates the standard
– E.g. Global 100 technology, financial services, UK Police
Impact of FIPS-201
• Mandates stronger security standards and procedures
• Provides consistency for issuing identity credentials to employees and contractors
• Addresses inter-agency interoperability
• Enables access to both physical facilities and logical resources with a single credential
• Allows Cross Jurisdiction recognition of the Identity/Individual as a result of common policy for issuance, validation, and even the physical appearance and size of the credential itself
Credentialing Process
First Responder Credentialing Process for First Responders, Employees and Vendors (diagram, reconstructed from the slide layout):
Step 1: Registration and Sponsorship
Step 2: Identity Proofing
Step 3: Background Investigations
Step 4: Credential Printing
Step 5: Credential Activation (X.509 Certificates)
Step 6: First Responder Privileges
Credential Usage (1 of 3): First Responders
• Handheld PIVMan devices used for perimeter control to incidents
– Smart card and fingerprint readers onboard
– Information synchronized in near realtime to the centralized credentialing and privileging system
• Allows for tracking of First Responders on-site
• Incident Scenario:
1. HSPD-12 Credential placed into handheld PIVMan device
2. Device validates credential using certificates
3. First Responder provides PIN and Fingerprint
4. Device validates Identity
5. Device displays Certifications and Privileges according to NIMS guidelines
6. Audit logs uploaded in real-time for usage in centralized incident management system
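The incident scenario above, as an added illustration written for this page (not the PIVMan product's code or data format): a checkpoint routine that runs the checks in the slide's order, stops at the first failure, and records an audit entry for every outcome. The trust store, revocation list, credential, PIN and fingerprint template are constructed sample values; a real device would validate an X.509 chain and match a biometric template rather than compare strings.

```python
import hashlib
import hmac

# Constructed sample data: trusted issuers, a revocation list, and one credential
# as the handheld might read it from the card (dates as ISO strings for comparison).
TRUSTED_ISSUERS = {"Example County CA", "Example Federal Bridge CA"}
REVOKED_SERIALS = {"1A2B"}
CREDENTIAL = {
    "serial": "0F9E", "issuer": "Example County CA", "not_after": "2010-05-05",
    "subject": "responder-42",
    "pin_hash": hashlib.sha256(b"248163").hexdigest(),  # card-side PIN reference
    "fingerprint_template": "tmpl-7f3a",                 # stand-in for a biometric template
}
# Certifications and privileges held by the central privileging system, per subject.
PRIVILEGES = {"responder-42": ["EMT-Paramedic", "Hazmat Operations"]}


def validate_credential(cred, today):
    """Step 2: issuer must be trusted, certificate unexpired and not revoked."""
    return (cred["issuer"] in TRUSTED_ISSUERS
            and today <= cred["not_after"]
            and cred["serial"] not in REVOKED_SERIALS)


def validate_identity(cred, pin, fingerprint):
    """Steps 3-4: PIN hash compared in constant time, then the biometric match."""
    pin_ok = hmac.compare_digest(hashlib.sha256(pin.encode()).hexdigest(), cred["pin_hash"])
    return pin_ok and fingerprint == cred["fingerprint_template"]


def checkpoint(cred, pin, fingerprint, today):
    """Steps 2-6 in order. Returns (privileges or None, audit log).

    Every outcome, including rejections, is logged so the central incident
    management system sees failed attempts as well as admitted responders.
    """
    audit = []
    if not validate_credential(cred, today):
        audit.append(("credential_rejected", cred["serial"]))
        return None, audit
    audit.append(("credential_valid", cred["serial"]))
    if not validate_identity(cred, pin, fingerprint):
        audit.append(("identity_rejected", cred["subject"]))
        return None, audit
    audit.append(("identity_valid", cred["subject"]))
    privs = PRIVILEGES.get(cred["subject"], [])  # Step 5: what the device displays
    audit.append(("privileges_displayed", cred["subject"], len(privs)))
    return privs, audit
```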
Credential Usage (2 of 3): Logical Access
• Replaces multiple existing tokens with a single accepted smart card token
• Access to enterprise computers and systems
– Logon to desktop computers
– Single-sign-on can be enabled using strong authentication (PIV Authentication Certificates)
• Digitally signed transactions
– Common usage in the financial sector
– Non-repudiation of digital signatures allows for strict auditing controls
– Can tie into time accounting systems
Credential Usage (3 of 3): Physical Access
• Credentials have a contactless interface
– Supported by major Physical Access Control Systems (PACS)
– HID antenna can be added for transition from legacy systems
• Credentialing solution provisions the enterprise PACS for the organization
– Assigns, updates and revokes identity
– Authorizations still controlled by PACS administrator
• One credential interoperable across all buildings
For More Information:
• Contact:
Mr. Tom Greco, Director, Identity and Access Management, Verizon Security Solutions, Tom.greco@verizonbusiness.com
Ms. Debb Blanchard, Sr. Product Manager, Identity and Access Management, Verizon Security Solutions, Deborah.blanchard@verizonbusiness.com