安訊奔whitepaper-開發(fā)身份認(rèn)證策略gartner

22的4新5對(duì) 案例研究:為東盟最強(qiáng)大、最 來自Gartner的文件HowtoChooseNewUserAuthentication 在上一篇通訊“為企業(yè)、云和移動(dòng)設(shè)備提供簡(jiǎn)捷的、性的和一次 登錄（SSO）的概覽，也了為什么企業(yè)應(yīng)該對(duì)SSO解決方案進(jìn)行業(yè)都至關(guān)重要。在的商業(yè)環(huán)境下，SSO能幫助企業(yè)提高生產(chǎn)力，說，使用SSO能為企業(yè)帶來的益

然而，似乎仍不能擺脫困擾。如果單一憑證損害，則者便能支配所有可的資源。需要問問自己，容易的通用而簡(jiǎn)單的，是否在SSO世界提供了足夠多年以來，認(rèn)證機(jī)制受到追捧的環(huán)2011年人類生18,000億GBIBM公司說，每天會(huì)產(chǎn)生2200000TB的數(shù)據(jù)?！邦A(yù)計(jì)在的將來，將會(huì)有萬億新設(shè)備連接到互聯(lián)網(wǎng)，這樣而來，到2020年，數(shù)字?jǐn)?shù)據(jù)會(huì)是如今的44倍”2可能很輕易地憑證管理系統(tǒng)環(huán)境發(fā)展迅猛。在過去的一年可能很輕易地憑證管理系統(tǒng)機(jī)構(gòu)到各大網(wǎng)絡(luò)公司和品牌都了經(jīng)驗(yàn)數(shù)據(jù)和盜用的問題。作為鑒別碼的用戶名加組合不再起作用。過去一年里，數(shù)據(jù)庫(kù)使得數(shù)千萬的記錄損壞。盡管安全措施和防護(hù)技術(shù)不斷進(jìn)步，仍然存在不少的安全。據(jù)網(wǎng)絡(luò)犯罪中心（IC3）提供的數(shù)據(jù)，由 導(dǎo)致的總損失多達(dá)525,441,110.003。得知這個(gè)

，Adobe發(fā)布了一 ：“290萬Adobe客戶的其他與客戶訂單相關(guān)的信息”4 和/或雇員的用戶ID和。憑借竊1公司（FuturesCompany），隱私，從數(shù)據(jù)到人，20122DMH斯托拉德（DMHStallard），保護(hù)好數(shù)據(jù)-保護(hù)好企業(yè)，2012年63IC3，《2012年網(wǎng)絡(luò)中心報(bào)告》，2013年54 /conversations/2013/10/mportant-customer-security-為SSO解決方案評(píng)估當(dāng)前環(huán)境和影響因Verizon《2013年數(shù)據(jù)丟失報(bào)告》顯示，因招致?lián)p失的現(xiàn)象在全球各地的各個(gè)領(lǐng)域都有發(fā)生，但在金融機(jī)構(gòu)和大型企業(yè)發(fā)生的概率更高。

也是從這一份報(bào)告中，看到，76％andrestaurants(-)transportation,andutilities(+)ofnetworkintrusionshitinformationandprofessionalservicesfirms(+)ofbreachesimpactedlargeranizations

ofnetworkintrusionsexploitedweakorstolencredentials(-)involvedphysicalattacksleveragedsocialtactics料來年據(jù)丟失告》，誰(shuí)受害者？

資料來源：Verizon，《2013年數(shù)據(jù)丟失報(bào)告》，是10％新智能（增長(zhǎng)12％）和平板電（18％）的全球銷量將繼續(xù)顯著增長(zhǎng)，占整個(gè)IT市場(chǎng)增長(zhǎng)的60％以上安全部和司法部的聯(lián)合非備忘錄中得知，高達(dá)79％機(jī) 近幾個(gè)月以來，安卓用戶 注Android主密鑰3。它使得始應(yīng)用程序的簽名，即可在第市場(chǎng)重新發(fā)布。 中間人攻擊（MitMa）號(hào)稱為銀行移動(dòng)應(yīng)用程對(duì)雙因素認(rèn)證系統(tǒng)的的，如中間人（MitMa），瀏覽器中間人（MitB），移動(dòng)中間人（MitMO）等。因此，非常在這種之下傳統(tǒng)的哈希被用來保護(hù)的密碼。但隨著經(jīng)濟(jì)實(shí)惠的顯示卡的出現(xiàn)，一個(gè)500的GPU（圖形處理單元）就可以用來每秒鐘數(shù)千萬的哈希。這增加了那些可以數(shù)據(jù)庫(kù)的 或蠻力的

自帶設(shè)備越來越多的人通過智能、平板電腦和筆記本電腦來公司網(wǎng)絡(luò)和數(shù)據(jù)，這也給IT安全帶來了全新 。企業(yè)開始為BYOD實(shí)施安全策略。研究公司J.Gold 稱，目前約有25％到35％的企業(yè)采用了BYOD政策，而且他們預(yù)計(jì)，在未來兩年4，比例將超過50％。現(xiàn)在，消費(fèi)者和員工有著持續(xù)不斷的聯(lián)系。結(jié)果，大量公司敏感的數(shù)據(jù)，如企業(yè)郵箱、庫(kù)、企業(yè)介紹和商務(wù)計(jì)劃等，都隨著自帶設(shè)備并工作的員工越來云的IT服務(wù)的使用不斷擴(kuò)展，應(yīng)用程1 /sites/gilpress/2013/12/03/idc-top-10-technology-predictions-for- /DHS-FBI- /threat-of-the-month-android-master-key-vulnerabil4/tip/Moble-device-strategy-bypassed-as-enterprises-face-tablet-對(duì)認(rèn)證的影因此，了解到，可以企業(yè)網(wǎng)用程序的日益普及，如網(wǎng)上銀行，迫份認(rèn)證。其中，一個(gè)是安全的頻發(fā)，它了用戶、個(gè)人信阻礙基于傳統(tǒng)PKI令牌的配置。隨著智能的使用，越來越多的人偏向把移動(dòng)作為認(rèn)證設(shè)備，因?yàn)樗芨鶕?jù)不同的風(fēng)險(xiǎn)級(jí)別，組織提供著不同類型的服務(wù)。接入信道可以是IVR、基于臺(tái)式機(jī)的接入、移動(dòng)接入、ATM，Kiosk或Branch。配置的認(rèn)證機(jī)制應(yīng)該與服務(wù)的風(fēng)險(xiǎn)級(jí)別相稱。同時(shí)，不同類型的用戶應(yīng)該有不同的使用模式（接入裝置、頻率、角

增強(qiáng)的方法已經(jīng)從傳統(tǒng)的令牌到USB設(shè)備到智能卡到識(shí)別器、令牌和掃描設(shè)備不斷演變?；谛袨槟Ｊ胶驮O(shè)備模式分析的上下文認(rèn)證已經(jīng)越來越重要，而且越來越多的廠商都為此提供了用戶認(rèn)證產(chǎn)品。此外，為確保提供更好的用戶體驗(yàn)，越來越多的企業(yè)引進(jìn)了生物識(shí)別技術(shù)，包括形態(tài)因素，如打字節(jié)奏、語(yǔ)音識(shí)說，總擁有成本（TCO）是一個(gè)更重鑒于上述趨勢(shì)和，IT架構(gòu)師

當(dāng)企業(yè)尋求新的、有適當(dāng)風(fēng)險(xiǎn)的用戶認(rèn)證方法時(shí)，有一點(diǎn)需要注意，即單認(rèn)證方法并不太適合所有的用例。在重新制定時(shí)，大多數(shù)企業(yè)傾向于依靠單一的用例作出決策。Gartner的 不單方生下現(xiàn)在已經(jīng)了解了環(huán)境及其對(duì)多因素認(rèn)證需要如下兩個(gè)或多個(gè)因ATMOTP你是什么：生物識(shí)別特征，如指 文認(rèn)證，基于對(duì)可能只需1級(jí)認(rèn)證（簡(jiǎn)單口令），而2級(jí)認(rèn)證（ 或智能卡）。生物識(shí)別技術(shù)。Gartner的，“雖然目前通過智能或平板電腦企業(yè)網(wǎng)絡(luò)或高價(jià)值的網(wǎng)絡(luò)應(yīng)用程序使用生物識(shí)別認(rèn)證的用戶還不到5％，但是到5年，這個(gè)比例將達(dá)到0。

或增加不必要的TOC，并使用戶安訊奔的AccessMatrix?通用認(rèn)證服務(wù)器（UAS）使企業(yè)能夠通過建立UAS是一個(gè)通用的，且不會(huì)過時(shí)通過式認(rèn)證模塊（PAMUAS支持多種認(rèn)證方法，而且容易添加新的方法以滿足不同的認(rèn)證機(jī)制。企業(yè)還可以通過認(rèn)證工作流程，兩個(gè)或以上的認(rèn)證方法，以滿足強(qiáng)認(rèn)證和的要求AccessMatrix?通用AccessMatrix?通用認(rèn)證減少成本，因?yàn)槭褂猛ㄓ每蓴U(kuò)展認(rèn)證和令牌管理解簡(jiǎn)化集成和部署工作，因?yàn)橐延械腜AM模塊，可輕松與現(xiàn)有的LDAP，AD和JDBC實(shí)施靈活和動(dòng)態(tài)的認(rèn)證工作流程，以處理復(fù)雜的認(rèn)證需基于標(biāo)準(zhǔn)的通用認(rèn)證解決方案的PAM框架，可以滿足未來認(rèn)證選項(xiàng)的需要。可增加新的認(rèn)證方法到此解決方案，同時(shí)，也會(huì)把因此導(dǎo)致的對(duì)現(xiàn)有強(qiáng)認(rèn)證部署的影響提供可高度擴(kuò)展且公開可靠的平臺(tái)，以支持需求，如自動(dòng)故障轉(zhuǎn)移、水平和垂直縮放、和全天候的運(yùn)維要憑借的專利技術(shù)-基于分層模式的安全管理和框架，UAS允雙因素認(rèn)證通常結(jié)合靜態(tài)和其他從輸入點(diǎn)（瀏覽器）到比較點(diǎn)（FIPS認(rèn)證的HSM），UAS為端到端加密靜態(tài)提供了一個(gè)模塊，這可確保企業(yè)無人 法 法??

OTP

IBMCASiteMinderIDANAFOasisSAMLHPAccessMatrixUASUAS-端到端加密模用戶憑證（PinMailerATMPIN碼，基于ISO9564UAS-OTP令牌認(rèn)證和生命周期管理模Vasco令牌SafeNet RSA令牌OATHUAS-YESsafe令YESsafe令牌為認(rèn)證（同步和響應(yīng)）、、簽名認(rèn)證和主機(jī)UAS-生物識(shí)別認(rèn)證與管理模UAS-適用于企業(yè)認(rèn)證模塊的雙因素認(rèn)使用GINA和CP、終端服務(wù)器和Citrix的Windows 和Unix登錄MSOutlook網(wǎng)絡(luò)UAS程序集成的UAS-適用于第網(wǎng)絡(luò)SSO產(chǎn)品的雙因素集UASHSM集成用于保護(hù)憑證的HSM密鑰管理HSM的OTP認(rèn)新一代的通用認(rèn)證服新一代的通用認(rèn)證服務(wù)FIPS認(rèn)證的WEB瀏覽 應(yīng)用系A(chǔ)WEB服AWEB服務(wù)Radius協(xié)用 .NET用 策略外案例研究-為東盟最強(qiáng)大、最的銀行提供的端 金融管理局（MAS）及金融管理局（HKMA）所規(guī)定的安全準(zhǔn)則的要對(duì)客戶PIN的端到端保護(hù)-必須件安全模塊）對(duì)加密的PIN進(jìn)結(jié)合（OTP）VASCO令牌和OTP的強(qiáng)身-這也是基于企業(yè)的安全安訊奔的集中安全管理方法在整個(gè)項(xiàng)目中都得以應(yīng)用，以協(xié)助銀行實(shí)施和配置AccessMatrix?通用認(rèn)證服務(wù)器（UAS）的端到端加密認(rèn)證（E2EEA）、VASCO令牌管理模塊和OTP模塊，從而為銀行實(shí)現(xiàn)認(rèn)證和管理要求提供認(rèn)證和管理平臺(tái)，以遵守針對(duì)網(wǎng)上銀行的銀行管理制度。AccessMatrix?通用認(rèn)證服務(wù)器的端到端加密認(rèn)證（AccessMatrix?UAS2EEAPpinn和pnlrprintng整套解決方案。通過UAS客戶端的加密庫(kù)，在端點(diǎn)（PC或移動(dòng)設(shè)備）對(duì)Pin進(jìn)行加密，并保持加密狀態(tài)，直到HSM的比較點(diǎn)。這可確保銀行無人有權(quán)。

AccessMatrix通用認(rèn)證服VASCO（AccessMatrix?UASVASCOTokenManagementModule）還提供了與銀行現(xiàn)有的動(dòng)態(tài)鎖OTP服務(wù)器的VASCO令牌管理模塊還利用由VASCO的DigiPass令牌提供 （出廠初始化或自動(dòng)初始化為用戶提供可定制的自助服務(wù)界安訊奔的AccessMatrix?通用認(rèn)證如今，世界各國(guó)之間的聯(lián)系日漸緊 信系統(tǒng)不斷推動(dòng)著技術(shù)進(jìn) 和文化變遷。這種互聯(lián)導(dǎo)致風(fēng)險(xiǎn)的多樣化。如果企業(yè)不認(rèn)證評(píng)估自己的風(fēng)險(xiǎn)，并確定和實(shí)施合適的認(rèn)證，那么，他們終將繼續(xù)處于劣

安訊奔的AccessMatrix?通用認(rèn)證服務(wù)器（UAS）是一個(gè)具備高擴(kuò)展性風(fēng)險(xiǎn)而言。AccessMatrix?UAS有ResearchfromHowtoChooseNewUserAuthenticationEnterprisesareseekingnew,risk-appropriateuserauthenticationmethods,butasinglemethodisrarelyappropriateforallusecases.AnIAMleaderorsecurityarchitectwilllikelyneedtochooseasetofvariousmethodstomeetalltheneedsoftheenterprise.KeyMostauthenticationbuyingdecisionsaretacticalandfocusonasingleusecase.IAMleadersandsecurityarchitectsareputtinggreaterweightontotalcostofownership(TCO)anduserexperience(UX).Eachusecasehasdierentneedsandconstraints.Thus,asingleauthenticationwithintheenterprise.Theadoptionofmobilecomputingismidtermtolongterm.

unnecessarycostandcomplexityReuseofanincumbentmethodinnewusecaseswhereitmaybealess-than-goodt,unacceptablyreducingsecurityorunnecessarilyincreasingTCOandoverburdeningusersHowcanenterprisesoptimizetheirchoiceofauthenticationmethodsandhowthey’reimplementedacrossmultipleusecases?Thisresearchoutlinesadecisionframeworkthatidentityandaccessmanagement(IAM)leaders,securityarchitectsandotherpractitionerscanuseacrossarangeofusecases,providingabasisforvendorandproductselection.Elementsoftheframework sobeToreviewincumbentForsingleusecasesinaswellasauthenticationstrength,whenevaluatingnewauthenticationineachusecase.Don’tneglectregulatorycomplianceconstraintsandadjacentsecurityDeneanoptimalsetofauthenticationinthesimplestway,butwithminimum

applicationstoidentifywhiethodintheoptimalsetismostappropriate(orwhetheranewmethodisneeded)otherIAMfunctions.Condenceortrustinaclaimeddigitalidentityiscrucialtoauthorization(forexample,segregationofduties)and ligence(forexample,Awidevarietyofauthenticationmethodsos.Identifyappropriatewaysofimplementingavailable(seeNote2and“ATaxonomyStrategicPlanningBy2015,30%ofusersaccessingcorporatesmartphonesortabletswillusebiometricandfocusonasingleusecase.Asusecaseshavedierentneedsandconstraints,asingleauthenticationmethodisrarelythebesttformultipleusecaseswithintheenterprise.Thiscanhavetwoconsequences:

AuthenticationMethods,GoodauthenticationchoicesarecharacterizedRisk-appropriateauthenticationLow(justiableandaordable)Good(acceptableminimum)OverviewofGartner’sFrameworkforChoosingNewAuthenticationlevelstructure:Identifyallcurrentandlikelyfutureusewilluse.DeterminehowyouwillimplementNotethatthisisnotasimplelinearprocess.Dependingontheusecasesconsideredandthechoicesthatemergefromthem,thetwo

depictedinFigure1(“Whatmethodswillyouuse?”and“Howwillyouimplementthem?”)maynotbeindependent,andeachcaninuenceorconstraintheother.SomeiterationwilllikelybeIdentifyUse,enumeratethedierentusecasesforauthentication.Note3outlinesasetofusecasesthatweuseinotherGartnerresearchthatmightbeabletoidentifyothersaswell.Moreimportantthanthislistaretheusecases(seeFigure2).FIGURE1Gartner’sFrameworkforChoosingNewAuthenticationwillyouuse?HowwillyouofFIGURE2IdentifyingUse Source:Gartner(MarchWhoAretheUsers?HowDoTheyInuenceandConstrainYourChoices?ConsidertheseRelationshiporconstituency,whichindicatesacceptableconstraintson(mis)behavior.Whileyourworkforceisboundtousetheauthenticationmethodyouimpose,yourcustomers(oranyuserswithanelectiverelationship)don’thaveto.PoorUXhasimpactoncustomerretention3Presence,whichimpactsregistration/enrolmentandcredentialing/provisioning.usersareaparticularconcern.TCO.Pricingfordierentmethodsscalesdierently.Otherrelationships, ightinusers’attitudestowarddierentInuenceandConstrainYourConsidertheseThevarietyofformfactorsandOSsthatwillbeused.Theremaybetechnicalrestrictionsonwhatmethodscaneasilybeusedwithdieracrossdierentendpoint6s.

Ownership.Methodsthatrequiresoftwareorconnectedhardwarecomponentsmightnotbeacceptabletouser/ownersorthirdparties(suchasbusinesspartners).Evenifdevicescanbeproblematic.WhereIsAccessFrom?HowDoesThisInuenceandConstrainYourChoices?ConsidertheseLocalorremoteaccess.Forlocalaccess,theremaybecontrolledphysicalaccesstothestrengt7remoteaccesscanbeproblematicforsomeauthenticationmethod8s.Mobility.Thatis,dousersgetaccessfromthesamelocation,ordotheymovebetweenlocalandremo ocationsoramongdierent ocations?Iftheansweristhelatter,locations.Thiscanbeaparticularchallengeforoutofband(OOB)authenticationmethods,dependingonvendorsupportandlocalmobilenetworkoperators.Signalstrength.Thisvariesaccordingtomobilenetworkcoverageandauser’slocationwithinAlloweddevices.Restrictionsontakingphonesintocertainlocations,forsecurityreasonsorbecauseofpotentialinterferencewithsensitiveequipment(forexample,hospitals),canprecludephone-as-a-tokenauthenticationmethods.WhatIsBeingAccessed?HowDoesThisConsidertheseThevalueorcriticalityofanassetisaleadingindicatorofrisk1.0Thesensitivityofanassetmaydemandhighaccountability(ratherthanjusthighTheplatformmayconstrainthechoiceofintegrationoptions.WhatOtherDemandsandNeedsMight

ConsidertheseLawsandregulations,whiayAuditorndings,whiaydemandtwo-laworregulationdoesn’1t1forencryption,digitalsignatureortransactionverication,whiightexploitthesameunderlyingmechanismasacandidateauthenticationmethod(ordesire)forcommonaccesscards.DetermineNeedsandIdentifyCandidateMethodsFigure3illustratesthescopeofthersttwostepsinthisleg.willyouuse?LevelofEndpointFIGURE4DeterminingLevelofrisk velofassuran UpperlimitUserwantsand LowerlimitVarietyofendpoin dpoiNeedforndencentindepeSource:Gartner(MarchDetermineFigure4illustratesthekeydrivers(thecharacteristicsofeachusecase)andhowtheyinuenceneeds.Thelevelofriskimposesalowerlimitonlevelsofassuranceandaccountability.Determiningthelevelofriskineachcaseisbeyondthescopeofthisresearch“WhyYouNeedaRiskonTCO.endpointindependence.Thelevelofriskanduserwantsandinuencestheavailablebudget(andthustheupperlimitonTCO).

UserwantsandneedsdependinpartonthelowerlimitonUX).andaccountability.Sinceuserbehaviorvulnerabilitiesthaterodeauthenticationstrength,aneedforstrongerauthenticationdrivesgoodUX.TheupperlimitonTCO.AsamethodwithapoorUXwilllikelyhavehighertrainingandIdentifyCandidateEvaluateauthenticationstrength.Itmaybeofdierentauthenticationmethods,suchasNISTSP800-63-1(“ElectronicAuthenticationGuideline”).However,theserankingsarenotexhaustiveintherangeofmethodstheycover,noristherationalefortherankingsalwaystransparent.A“rstprinciples”approachispresentedin“GartnerAuthenticationMethodEvaluationScorecards,2011:AssuranceandInbrief,thisTowhatdegreearetheauthenticationtotheuser?Howhardisitforanattackertoposeasalegitimateuser(amasqueradeattack)?HowhardisitfortheusertowillinglyHowdopeople,processesandcompensatingcontrolsfacilitateormitigateanattack?brief,thisconsiders:Authenticationinfrastructurecomponents:Hardware,softwareandIToperations:Implementation,support,identityadministrationandlogisticssystemcomponentsEnd-userandendpointEndusers:Trainingand

EvaluateUX.Oneapproachisexplainedin“GartnerAuthenticationMethodEvaluationScorecards,2011:UserExperience.”Inbrief,thisconsiders:arerelevanttobiometricandcontextualReviewendpointindependence.acrossmultiple(kindsof)endpoints?strengthamongdierent(kindsof)AretheredierencesinUXamongdierent(kindsof)endpoints?ChoosetheOptimalSetofAfteridentifyingasuitablemethod(orasetofsuitablealternatives)foreachofseveralofmethodsfromthislargersetofcandidatemethods,asillustratedinFigure5.FIGURE5ChoosingtheOptimalSetofWhatmethodswillyouuse?Amanageablesetofmethodswiththefewestandleasttrade-offsofThisisapotentiallycomplexexerciseincombinatorialoptimization(essentiallyacompromisesinauthenticationstrengthorNotethatTCOisalsodependentonhowyouwillimplementtheoptimalsetofmethods.Inparticular,havingasingleinfrastructurethatcansupportdierentmethodsacrossmultipleusecasesislikelylessexpensivethanhavingmultipleparallelinfrastructures.Thus,thereare“Howwillyouimplementthem?”leg,especiallyChooseAuthenticationInfrastructureOption(s).Thesizeoftheoptimalsetwilldependonthethreeisusuallyareasonableformanyanizations;morethanvewilllikely unmanageable.Acommoninfrastructureformultiplemethodsmakesthingsmorechoosemoremethods.

IdentifyIntegrationFigure6illustratestherstpartofthe“Howwillyouimplementthem?”leg.ConsiderwhichoptionsaretechnicallyfeasiblefortherangeofsystemsineachuseNativesupportinthesystem(platformorapplication).Forexample,Windowsnativelysupports“interactivesmartcardlogin”(thatis,X.509tokens).Nativesupportinadirectory(suchasActiveDirectory)oranaccessmanagementtooltool),whichcanbeintegratedwiththesysteminastandardway—forexample,usingLDAP/PADL,KerberosorSAML.Directintegrationintothesystemusingavendor’stoolkitorAPIs.Thisisafairlycommonapproachinbankingapplications.Adiscreteauthenticationinfrastructure.Thesetypicallysupportstandardprotocols(suchasRADIUS,LDAPandSAML)aswellasprovidingagents,toolkitsorAPIsforusewheresystemsdon’tthemselvessupportanyFIGURE6IdentifyingIntegration HowwillUse implementNativesupportin Nativesupportplatformor indirectoryoraccess managementIntegrationinto platformor usingvendor's Source:Gartner(MarchUse HowwillimplementPoint VersatileauthenticationserverorserviceChooseAuthenticationInfrastructureWhereadiscreteauthenticationinfrastructureisindicated,thechoiceisbetweenthetwooptionsillustratedinFigure7.infrastructurethatsupportsjusttheintegratedunderanOEMagreement.Aversatileauthenticationserverorservice(VAS)supportsnotjustthevendor’sownmethods,butalsostandards-basedmethods(forexample,InitiativeforOpenAuthentication[OATH]-compliantone-timepasswords[OTPs]andX.509),andveryoftenhasanextensiblearchitecturetoallowcustomerstoeasilyintegrate“any”third-partyproprietarymethods.Apointsolutionmightsupportaswidearangeofout-of-the-boxauthenticationandlocks-inthecustomer.Forexample,futuretranchesofOTPtokensmustbeboughtfromthesamevendor.

/r/