© 2013 - VASCO Data Security
Rik Swusten
Product Manager
IDENTIKEY Product Family
DIGIPASS GO 100
DIGIPASS GO 3
DIGIPASS GO 6
DIGIPASS GO 7
DIGIPASS for Mobile
VirtualDIGIPASS
DIGIPASS Nano
DIGIPASS for Web
DIGIPASS for Windows
DIGIPASS 800
DIGIPASS 810
DIGIPASS 830
DIGIPASS 835A
DIGIPASS 836
DIGIPASS 855
DIGIPASS 865
DIGIPASS 920
DIGIPASS 837
DIGIPASS 840A
DIGIPASS 250-251
DIGIPASS 260-261
DIGIPASS 270
DIGIPASS 301 CV
DIGIPASS 550
DIGIPASS 560
DIGIPASS 736
DIGIPASS 270 XPress
DIGIPASS 275
DIGIPASS & VACMAN Controller
IDENTIKEY Authentication Server
IDENTIKEY Appliance
IDENTIKEY Virtual Appliance
IDENTIKEY Federation Server
IDENTIKEY Tools
IDENTIKEY Authentication Server
Rating categories: Features, Ease of Use, Performance, Documentation, Support, Value for Money, Overall Rating
Product Vision
IDENTIKEY Authentication Server
1 authentication server for DIGIPASS OTP validation
with numerous options, features and interfaces
that address the security needs of small and large enterprises
that require control over access to their resources
in various horizontal and vertical markets
IDENTIKEY Server Vision
IDENTIKEY Server modules:
• SBR Module
• SOAP API Module
• IIS Filter Modules (OWA, CWI, RDW)
• Provisioning Module
• CA SiteMinder Module
• RADIUS Module
• Federation Module (WebSSO)
• Virtual DIGIPASS (SMS, Email)
• HSM Module (SafeNet)
• Windows Logon Module
1 DIGIPASS for all applications
Diagram labels: Internet, Application Server, Webserver, Windows Desktop & LAN, Internet Hosted Applications, WiFi Access, Remote Access, Internal Web-Applications
IDENTIKEY Authentication Server Roadmap
Releases shown: IdentikeyServer 3.0, 3.1, 3.1.6, 3.2, 3.3, 3.4, 3.5
Timeline markers: 2008 Q1, 2009 Q2, 2010 Q1, 2010 Q3, 2011 Q2, 2012 Q3, 2013 Q2
Feature labels:
• Active Directory WS2008
• LDAP Backend
• Easy install
• Web-based admin interface
• WS 2003, Linux, 64-bit OS
• SOAP, e-Signature
• Soft DIGIPASS provisioning
• nCipher HSM
• Temporary users
• Several improvements
• EMV-CAP
• HSM
• Windows OTP Logon
• RADIUS Attributes
• Wireless
• PCI-DSS
Market feedback, latest trends
• Virtualisation
• Mobile and Out-of-Band delivery
• “SAML support”
• Migration from competing products
• security vs flexibility
• Windows Desktop Logon
Next release
IDENTIKEY Authentication Server 3.5
• Support WS2012
• Support Hyper-V
• Support DIGIPASS for Mobile 4.0
  • Support creation and emailing of offline activation codes, also with QR Code
  • Device binding (device registration, device re-activation)
• Expand Virtual DIGIPASS functionality
  • See next page
• Other enhancements:
  • Support Automatic Token Disabling
  • Function to search user accounts by name (now: UserID)
  • Customisation of the auditing filename in ADUC snap-in
  • Option to duplicate the rights of a user into a new user
  • Improvement for Administrator privileges assignment
  • Option to set Web Services port during installation
  • Option to switch off "DISABLE DIGIPASS" button
Virtual DIGIPASS support
Support latest generation SMS Gateways
• support SMPP protocol
Improved delivery combinations
• send out OTP via SMS or Email PER USER
• send out OTP via SMS AND Email
Improved support delivery methods
• send out OTP via email towards SMS Gateway (SMTP)
• send out OTP via PBX
• send out OTP via VASCO services
• include SMS provider templates
Virtual DIGIPASS
Diagram labels: Request OTP; Out Of Band OTP Delivery via SMS Gateway, Email Server, PBX, Vasco Services; LogOn (steps numbered 1 to 5 in the figure)
IDENTIKEY Editions
Reference and Comparison Card
Feature | Standard Edition | Gold Edition | Enterprise Edition
Included Authentication Clients
RADIUS authentication (+WAP) | √ | √ | √
Webfilters (OWA, CWI, RDWebAccess, Generic) |  | √ (10 each) | √ (10 each)
Desktop Windows Logon |  | √ | √
SOAP authentication |  |  | √
SOAP e-Signature |  |  | option (see pricelist)
SOAP Provisioning |  |  | option (see pricelist)
EMV-CAP |  |  |
HSM Interface |  |  |
SBR Module |  | √ (2) | √ (2)
Included DIGIPASS
Virtual DIGIPASS | option (see pricelist) | option (see pricelist) | option (see pricelist)
Included Servers
Primary | √ | √ | √
Backup |  | √ | √
Replica |  |  | √ (5)
Total | 1 | 2 | 7
Extra Server (>7) |  |  |
IDENTIKEY Standard Edition
• License for Primary Server (1 IP)
• License for RADIUS Authentication (Firewalls, VPN, SSL-VPN)
IDENTIKEY Gold Edition
• License for Primary and Backup Server (2 IPs)
• License for RADIUS Authentication (Firewalls, VPN, SSL-VPN)
• License for 10 instances of all Webfilters (10 IPs each)
  • Outlook Web Access
  • Citrix Web Interface
  • New! Citrix Receiver
  • Generic IIS6/IIS7 Web Interface
  • New! Microsoft Remote Desktop Web Access
    • Includes Microsoft Remote Desktop Gateway
• License for DIGIPASS Authentication for SBR
  • Primary and Backup Server (2 IPs)
• License for DIGIPASS Authentication for Windows Logon for every user
IDENTIKEY Enterprise Edition
• License for 7 Servers (7 IPs)
• License for RADIUS Authentication (Firewalls, VPN, SSL-VPN)
• License for 10 instances of all Webfilters (10 IPs each)
  • Outlook Web Access
  • Citrix Web Interface
  • New! Citrix Receiver
  • Generic IIS6/IIS7 Web Interface
  • New! Microsoft Remote Desktop Web Access
    • Includes Microsoft Remote Desktop Gateway
• License for DIGIPASS Authentication for SBR
  • Primary and Backup Server (2 IPs)
• License for DIGIPASS Authentication for Windows Logon for every user
• License for SOAP Authentication (Web-based applications)
• Optional: More servers, SOAP e-Signature, SOAP Provisioning
Drivers
• LAN access: network, desktop logon
• Remote Access: VPN, SSL, webmail, intranet, …
• Web applications: portal, webshop, eCRM, …
IDENTIKEY Tools
Update Tools & Webfilters, release with IDENTIKEY 3.5
• DIGIPASS Authentication for CWI
• DIGIPASS Authentication for OWA
• DIGIPASS Authentication for RDWA
• DIGIPASS Authentication for SBR
  • support WS2012
• DIGIPASS Authentication for Windows Logon
  • Support for Windows 8
  • Backup system for offline mode
• Password Synchronisation Manager
• LDAP Sync Tool
• Data Migration Tool
  • support IDENTIKEY 3.5
IDENTIKEY Appliance
Product Vision
Convenience platform
• Complete authentication server pre-installed
• Plug&Play solution
Managed Authentication Server
• Integrates latest IDENTIKEY Authentication Server
• (Semi-)automated upgrades
• Programmable backup functions
• Logging, Auditing, Reporting
Appliance
• 19” rack form factor
• Selected components for 24x7 operation, long availability, longevity
• Hardened OS
• Built-in database & Webserver
• Separate administration interface (GUI)
• Additional SNMP functionality (hardware monitoring)
Available Hardware Models
• 3000 Series (AG3442)
  • Up to 500 users
• 5000 Series (AG5502)
  • Up to 10.000 users
• 7000 Series (AG7552)
  • Up to 100.000 users
  • 2 Hot Swappable Power Supplies
  • 2 ‘Hot Swappable’ Hard Disks
Current release
• IDENTIKEY Appliance 3.4.6.0
  • Integration of IDENTIKEY V3.4SR1
  • Including patches up to IK 3.4.7
  • Option to select local time for auditing
  • Option to edit the SMS message for Virtual DIGIPASS
• IDENTIKEY Appliance Patch 3.4.6.1
  • Several bug fixes (license, audit date, etc.)
IDENTIKEY Virtual Appliance
New Product
IDENTIKEY Virtual Appliance 3.4.6.0
Integration of IDENTIKEY Authentication Server V3.4SR1 (up to IK 3.4.7)
Software-only appliance
Supported on VMware environments
Available in 4 models (license driven)
GoToMarket
4 Models with different performance and pricing
• 1000 Series
  • Limited to 1 CPU Core and 1 GB RAM
  • Installations <= 100 users
• 2000 Series
  • Limited to 2 CPU Cores and 4 GB RAM
  • Installations <= 5000 users
• 4000 Series
  • Limited to 4 CPU Cores and 8 GB RAM
  • Installations <= 50000 users
• 8000 Series
  • Limited to 8 CPU Cores and 16 GB RAM
  • Installations <= 200000 users
• Upgrade to the next model by updating the license
• Demo license appliance (IDENTIKEY demo license can be used)
VACMAN Controller, IDENTIKEY Server, Appliance
Diagram labels: DIGIPASS; VC, IAS, IA, IVA
IDENTIKEY Platform Comparison
IDENTIKEY Authentication Server brings a solution where:
• The customer wants complete flexibility
IDENTIKEY Appliance brings a solution where:
• The customer wants a managed server
• The customer wants a plug&play solution
• The customer has a preference for appliances
• Avoid technical intervention
IDENTIKEY Virtual Appliance can bring a solution where:
• The number of users is larger than 100.000 (performance)
• The number of users is lower than 500 (low ROI)
• The customer is located outside Europe (shipments, RMA)
• Changing environment, newer technologies & trends
IDENTIKEY Platform Comparison
Criteria: Small Deployment, Large Deployment, Flexibility (DB, OS, HSM), Managed Server, Plug&Play Convenience, Easy shipments, Virtualisation
IDENTIKEY Authentication Server: √ √ √ √ √
IDENTIKEY Appliance: √ √
IDENTIKEY Virtual Appliance: √ √ √ √ √ √
IDENTIKEY Federation Server
Diagram labels: User, Application, SAML2.0, Server; User, Application, SOAP, Server
WebSSO
Diagram labels: User, Application, SAML2.0, Application, Application, Web SSO, Server
User’s login to multiple web applications
Users and Static Passwords
• The multiple login process is time consuming
• It is difficult to remember many different static passwords
• There is a big chance that applications will not be used
• The secure handling and storage of user credentials is in the hands of the application owner
• The enforcement of password policies is managed by the application owner
IDENTIKEY Value Add
• SSO increases user productivity
• OTP login: The number of password resets can be greatly reduced.
• Automated login increases user experience and improves collaboration
• The security is managed by own staff
• Password policies can easily be implemented
User’s login to multiple web applications
Administration pain points
• Users have to be managed in several applications
• Employees that leave can still log in to the applications
• Licenses have to be managed in every application separately
• The management of several applications means complex auditing
• Adding applications means a lot of manual tasks
IDENTIKEY Value Add
• One central point to manage all users, no administration overhead
• One central point to manage leaving employees
• Licenses can be easily managed, accounted and optimised
• One central point for auditing facilitates compliance
• Central management of applications
Federation
Diagram labels: User, Application, SAML2.0; User, Application, SAML; Application; (any compatible federation server); Server; Federated Authentication; Trusted Federation; Server
Added Value
User Convenience
• Logging in to several websites is troublesome
• Web SSO brings automated sign-on
Security
• Using static passwords is dangerous, especially in combination with SSO
• Replace static passwords by 2FA
TCO
• Using static passwords can result in less productivity
• Using static passwords can result in increasing administration costs
• Managing all users in 1 software reduces admin overhead
Compliance
• Easy to comply with and enforce password policies
• Easy to manage users and licenses
• Easy to create security reports and audits
IDENTIKEY Federation Server
• Extension to IDENTIKEY Authentication Server
• Brings DIGIPASS 2FA-supported SSO to Internet Applications
• Largely enhances user experience
• Reduces admin overhead
  • User management, password management, licenses, password policies, auditing
• Cost reduction results in higher ROI
• Virtual appliance, available for VMware and Citrix environments
• Separate user-based license
Diagram labels: User, Applications, Server
2FA support via IDENTIKEY Server
Diagram labels: User, Application, Server
DIGIPASS OTP validation
• One-Button
• Keypad
• Mobile platforms
• SMS, Email delivery
Functions
Authentication Manager:
• User Authentication Provider: Validation of user credentials.
• Identity Provider: Assign an identity ticket to the user
  • It is valid for a pre-defined time and can be re-used for logon
  • It has an authentication level that should match what the application requires.
• Manages access to internet hosted applications
• Distributes user identity to requesting applications
• Manages flow of user attributes if requested by the application
WebSSO
• The identity ticket can be re-used to gain access to other applications or service providers
• The above conditions apply (ticket is still valid and level is high enough)
Federated Authentication
• Validated users can access applications from another service provider in the same federation
• The user validation can be delegated to another Identity Provider for remote applications
• Another Identity Provider can delegate validated users to local applications
Specifications
Supported protocols:
• SAML2.0 for IFS as IdP (incoming requests), SAML2.0 for IFS as Client/SP (outgoing requests)
• ASelect protocol for IFS as IdP and SP (incoming/outgoing requests), ASelect WS protocol for IFS as Client/SP (incoming requests)
• OpenID for IFS as IdP (incoming requests)
• OAuth V2
Supported Web Applications:
• Any application that supports SAML2.0 and/or OpenID
• Preconfigured Application GoogleApps (IFS as IdP)
• Preconfigured Application Salesforce.com (IFS as IdP)
• ADFS2 as RP (IFS as IdP/RPG) -> Office365
Current release
IDENTIKEY Federation Server V1.2
• Standard support GoogleApps
• Standard support Salesforce.com
• Standard support ADFS2.0 Office365
• Support OAuth V2 MyDigipass.com
IDENTIKEY Federation Server V1.3
• Account Linking for OAuth Identity Providers
• Self Management
• Admin Management
• Application API
• Upgrade OS to the latest version
• Support Hyper-V
OAuth support
Diagram labels: User, Application, SAML; User, Application, OAuth; Employees, Partners, Customers
IFS as Relying Party Gateway to ADFS2
Diagram labels: User, Application, Server, Office 365, WS-Fed, Windows DC / WS2008, ADFS2 (SAML2+MS spec), Dir Sync
next release
IDENTIKEY Federation Server V1.4
Support for Office365 Rich Clients
Vasco Labs Demo
Diagram labels: User, Salesforce.com, GoogleApps, Office365, SAML, OAuth, WS-Fed, Windows DC / WS2008, ADFS2 (SAML2+MS spec)
Identikey Family Roadmap (2013)
Timeline markers: 2012, 2013
Releases shown:
• IDENTIKEY Authentication Server 3.4SR1, 3.5
• IDENTIKEY Appliance 3.4.6.0, 3.4.6.2, 3.5.7.0
• IDENTIKEY Virtual Appliance 3.4.6.0, 3.4.6.2, 3.5.7.0
• IDENTIKEY Federation Server 1.2, 1.3, 1.4
On-Premise Solution - What to offer?
DIGIPASS (Hardware, Software) [maintenance]
+ Standard, Gold, Enterprise [maintenance]
+ Appliance Platform [maintenance]
+ Web SSO [maintenance]
Learn: Technical training
Sell: Sales training
Demo: Vasco Labs
Install: Integration Guides
Help: Professional Services
Thank you!
Rik Swusten
Product Manager
IDENTIKEY