Verizon IAM Services

Confidential and proprietary material for authorized Verizon personnel only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. Verizon IAM Services Presentation to CTST 2009 May 5, 2009


Verizon IAM Services

Presentation to CTST 2009

May 5, 2009


Agenda

• Overall Verizon Customer Base
• Overview of Current IAM Offerings
• Vision for Identity Management Services
• Strategy
• Roadmap
• Smart Card Initiatives


Verizon Customers

• Wireless Business

86.6 Million Customers overall. 84.1 Million Retail (most of any US wireless company)

• Wireline Business

2.8 Million FiOS Internet Customers


Verizon Identity Solutions - What We Do

We provide organizations with the tools to provision, manage and enable identity credentials, and to create a comprehensive and efficient approach to managing identities and access to resources across the extended enterprise.


How We Do It: Identity Management Offerings

• IdM Professional Services
  – Strategy: Assessments, Business Case, Strategic Planning, Security Policies
  – Technology Planning: Gap Analyses, Identity Roadmap, Operational Procedures
  – Solution Deployment: Controls, Standards and Implementation

• Security Resale Services
  – Offers products for a variety of IAM technologies
  – Third Party Identity Software and Appliances
  – On premise deployments, customer or remote managed

• Identity Managed Services
  – Managed Credentials Services
  – Identity Enablement Services (Future)
  – Secure Transactions Services (Future)


Current IdM Managed Service Offerings: Core Capabilities in PKI and OTP

Managed Credential Services

• CorporateID and Government ID: set of managed issuance and post-issuance services supporting multiple types of credentials, including certificates, OTP, tokens and smartcards

• Device ID: managed service allowing bulk delivery of certificates to authenticate devices such as mobile phones, set-top boxes, game consoles, …

• SSL OnDemand: managed service allowing organizations to issue SSL and EV SSL certificates governed under the Cybertrust CPS


Vision for IdM

• IdM will be increasingly outsourced due to a variety of factors
  – Maturation of technologies
    • Many IdM applications being architected for hosting/multi-tenancy
  – Limited budget, skills, and other resources in-house to bring on new technologies
  – Cost and complexity managed better by experts with competencies and scale, e.g.
    • LAN management
    • Exchange Hosting
    • Salesforce.com
    • Managed Credentials
      – Belgian Citizen ID
      – U.S. Shared services provider
      – Commercial PKI and OTP "product" customers migrating to hosting

• Identity will reside outside applications moving to Service-Oriented Architecture
  – User and security policy data provided to applications as needed
  – Increased Federation of Identities
  – Provisioning, Access Management, Authorization can be modules


Vision >>> Strategy for IdM Managed Services To Enable Trusted Business Processes

Verizon Managed Identity Services: Identity Enablement Services, Managed Credential Services, Secure Transactions Services

• Retrieve credential from store
• Authenticate user
• Validate issuer
• Sign and/or encrypt transaction
• Verify signature
• Check entitlements
• Authorize access/transaction
• Record/receipt transaction
• Audit events

• Register user
• Synchronize with other user data repositories
• Publish to directory

• Deliver digital credential to user/device

• Revoke credential
• Renew credential

Identity Credentials: Provisioning, Managing, Enforcing

• Policy management
• Identity management
• Administration & reporting

Enable Seamless Trusted Business Processes Across the Extended Enterprise

• Multiple User & Role Types
• Multiple Device Types
• Multiple Applications, Platforms & Networks


IAM Roadmap: Multi-Phased Portfolio Expansion

• Authentication (P1)
• Secure Transactions (P2)
• Identity Enablement (P3)
• Identity as a Service (P4)

Chart labels: 2009 and Beyond; Value Add

• Encryption Management Platform
• Secure email and document services
• Reduce paper-based transactions, guard against data leakage

User Administration & Identity Auditing
• Identity Lifecycle Management
• Efficiently add/remove users across applications for greater productivity, increased compliance

Identity Enablement of Services & Mainstream Applications
• Hosted Identity Services
• Menu of Identity management functions
• Pluggable use of Identities by applications

Expanded CorporateID Services (Authentication)
• Extended form factors (VzW phones, Cards) for SecurID, Digital Certificates
• Quickly & cost effectively provide credentials for secure logon and access


Phase 1: Extend CorporateID Core Capabilities

Enable Wider Deployment and Combine Verizon Services

• Standardized and Enhanced Managed Authentication Services
  – Ability to address smaller user bases and offer global availability
  – Extending form factors (OTP on VzT phones, Card Systems) will be addressed
  – Launch bundled and integrated offers which leverage existing user authentication methods (PKI, OTP) tied to both remote and local access


Managed OTP - SecurID

Existing Offerings

Managed SecurID
• Premise based remote management of primary and replica servers
• End user help desk support
• Bulk registration
• US availability

Hosted SecurID
• Custom offering available for large deployments
• Globally available
• Help desk to help desk support
• Full hosting and management of primary and replica servers
• Bulk registration

2009 Roadmap

Upgrade Managed & Hosted offerings
• Global availability
• RSA Authentication Manager 7.1
  – Burst capacity - business continuity
• BREW Handset capabilities
• Shared platform option (as available)
• End-user token distribution


Smart Card Initiatives

Managed Service Offering


First Responder Needs and Challenges

Goal: An interoperable credential and validation system that can issue LOCAL credentials AND validate Federal, FEMA, DoD, National Guard credentials

• Challenges:
  – To facilitate emergency management with IT systems
  – To facilitate multi-agency and multi-jurisdictional coordination between local governments, special districts, and state and federal agencies during emergency operations in compliance with the National Incident Management System (NIMS)
  – To support requirements imposed by FEMA and mutual aid


Objectives

• Secure and reliable forms of identification
  – Issued based on sound criteria for verifying an individual employee's identity
  – Strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation
  – Can be rapidly authenticated electronically
  – Issued only by providers whose reliability has been established by an official accreditation process

• Convergence of multiple uses
  – First Responders
  – Logical Access
  – Physical Access

• One Card = One Identity
  – Based on a security framework that promotes interoperability and privacy

• Standard
  – Cards issued and compliant with widely accepted standard practices, processes, and products


FIPS-201: Interoperable Standards

• National Institute of Standards and Technology (NIST) released FIPS-201 Standard
  – Outlines required implementation standards for interoperable and converged credentials
  – Identity proofing, registration and issuance requirements
  – General technical specifications

• Dozens of HSPD-12 related NIST Special Publications with detailed specifications

• NIST Testing Lab
  – Performs testing on all components and certifies technology for use

• FIPS-201 has become the new de-facto national and international standard
  – ANSI Workgroups and International Smart Card community adopting standards
  – Use by both Public and Private Sector Organizations

• Current adoption in the commercial and international markets validates the standard
  – E.g. Global 100 technology, financial services, UK Police


Impact of FIPS-201

• Mandates stronger security standards and procedures

• Provides consistency for issuing identity credentials to employees and contractors

• Addresses inter-agency interoperability

• Enables access to both physical facilities and logical resources with a single credential

• Allows Cross Jurisdiction recognition of the Identity/Individual as a result of common policy for issuance, validation, and even the physical appearance and size of the credential itself


Credentialing Process

[Figure: First Responder Credentialing Process, for First Responders, Employees and Vendors]

Step 1: Registration and Sponsorship
Step 2: Identity Proofing
Step 3: Background Investigations
Step 4: Credential Printing
Step 5: Credential Activation
Step 6: First Responder Privileges

Figure label: X509 Certificates


Credential Usage (1 of 3): First Responders

• Handheld PIVMan devices used for perimeter control to incidents
  – Smart card and fingerprint readers on-board
  – Information synchronized in near real-time to the centralized credentialing and privileging system

• Allows for tracking of First Responders on-site

• Incident Scenario:
  1. HSPD-12 Credential placed into handheld PIVMan device
  2. Device validates credential using certificates
  3. First Responder provides PIN and Fingerprint
  4. Device validates Identity
  5. Device displays Certifications and Privileges according to NIMS guidelines
  6. Audit logs uploaded in real-time for usage in centralized incident management system


Credential Usage (2 of 3): Logical Access

• Replaces multiple existing tokens with a single accepted smart card token

• Access to enterprise computers and systems
  – Logon to desktop computers
  – Single-sign-on can be enabled using strong authentication (PIV Authentication Certificates)

• Digitally signed transactions
  – Common usage in the financial sector
  – Non-repudiation of digital signatures allows for strict auditing controls
  – Can tie into time accounting systems


Credential Usage (3 of 3): Physical Access

• Credentials have a contactless interface

– Supported by major Physical Access Control Systems (PACS)

– HID antenna can be added for transition from legacy systems

• Credentialing solution provisions the enterprise PACS for the organization

– Assigns, updates and revokes identity

– Authorizations still controlled by PACS administrator

• One credential interoperable across all buildings


For More Information

• Contact:

Mr. Tom Greco, Director, Identity and Access Management
Verizon Security [email protected]

Ms. Debb Blanchard, Sr. Product Manager, Identity and Access Management
Verizon Security [email protected]