TECHNOLOGY AUDIT: Entrust IdentityGuard Version 10.1


Entrust Inc
Reference Code: OI00070-106
Publication Date: February 2012
Author: Andy Kellett

SUMMARY

Catalyst

Entrust IdentityGuard is a function-rich, identity-based software authentication platform. It supports a broad range of secure authentication products. Its facilities cover the breadth of the authentication market, ranging from smartcards, mobile device usage, risk-based approaches, and one-time tokens, through to lighter controls that fit the needs of specific business activities. The tools, which can be software and hardware-based, include IP geo-location checks, out-of-band authentication, certificate authentication, and e-grids.

Entrust recognizes that different organizations and users have different authentication requirements. Its products are designed to handle these variations and support the use of mixed authentication techniques across user groups. The new IdentityGuard release, version 10.1, focuses on extending the business use of mobile devices and the opportunity to combine logical (LACs) and physical (PACs) access controls using a single authentication approach.

Key findings

- Entrust provides one of the broadest ranges of authentication tools available in the identity and access management (IAM) market.
- Physical as well as logical access facilities are supported.
- Mobile device authentication can be used to deal with the physical and logical access requirements of mobile workers, online clients, and everyday business users.

Entrust IdentityGuard (OI00070-106) Ovum (Published 02/2012). This report is a licensed product and is not to be photocopied. Page 1

- Mobile device authentication reduces the need for hardware-based tokens and adds extra resilience when tokens are lost or software alternatives are required.
- Out-of-band (OoB) authentication, which confirms the legitimacy of transactions, is a valuable tool for detecting and preventing fraud.
- Risk-based authentication links the required levels of authentication to individual activities.
- Although PKI and certificate-based services are supported, a complete managed service option for IdentityGuard will not be available until later in 2012.

Ovum recommends

- Threats to information systems continue to grow. At the same time, systems and networks become more open as businesses collaborate with external partners, provide access to users from a variety of locations, and make use of an increasing range of smart mobile devices to gain entry. All these issues highlight the importance of identity management and its core role in allowing or blocking user access.
- The key element that drives secure access to corporate systems is identity. Identity is the foundation of secure access, but to be effective its authentication approaches must fit the risk requirements of business systems.
- Users require different levels of authentication. Many need read-only access to low-level business information, a few work with highly sensitive data, and most fall somewhere in between. Business organizations need identity-management facilities that are secure enough to support a range of users and flexible enough to deal with users as their access requirements evolve and change.

Value proposition

Entrust has built its reputation by providing an identity-based software security platform that offers a broad range of software and hardware authentication facilities, including support for federated identities and self-service administration. Release 10.1 of IdentityGuard extends this approach by making it easier for employees to use their mobile devices as a core source of authentication and information access. The approach adds convenience because users can gain access to business systems using a device that they carry with them. It offers convergence and enterprise-grade credentials because mobile technology, with its near-field communication (NFC) and Bluetooth capabilities, can be used to combine physical access control (PAC) and logical access control (LAC) authentication using a single credential.

The target audience for Entrust is industry-wide, and because its authentication options range from very light to highly secure, there will be a range of identity-based facilities that meet the needs and budgets of most organizations.

The effective management of identity is one of the most important elements of an enterprise security strategy. However, the IAM sector has a reputation for delivering complex and expensive solutions. Enterprise-level take-up continues to be restricted because of these issues. Where IAM products are used, they are usually deployed to deal with a particular business risk or to address a trading requirement such as providing secure online access for employees or customers.

The ways in which users now access corporate systems are changing. New mobile devices present both a security challenge relating to how access is controlled and an opportunity to replace expensive hardware-based tokens. For example, financial services organizations have deployed card readers for online customers to improve security when logging on and as a secondary method of confirming certain transactions. Today, different approaches using mobile devices, application-based software, and grid technology provide cost-effective alternatives.

It is advantageous to make better and more extensive use of constantly available devices such as mobile phones, tablets, and iPads. These devices are in everyday use and can be used to support the authentication and user access requirements of businesses and their users.

SOLUTION ANALYSIS

Functionality

The Entrust IdentityGuard platform was built with versatility in mind. At a very early stage Entrust recognized there would never be a one-size-fits-all approach to authentication. The company offers a very broad range of authenticators that cover high-end through to more basic requirements. Coverage includes a range of hardware and software-based one-time tokens and smartcards, risk-based authentication, IP geo-location, certificate-based authentication, use of grid cards and software grids, and user-response approaches.

Some older authentication methods are now beginning to look outdated. The use of mobile devices provides a software and application-based authentication alternative. The availability of mobile OoB transaction verification is a good way of defeating man-in-the-browser threats, with available geo-location checks also adding an extra layer of protection.

Most business and systems users either own or are provided with a company mobile device. Employees want to use the latest devices for personal use and to access business systems. Businesses benefit from the combined use of these devices if security concerns about device use and access control are dealt with. Entrust IdentityGuard addresses mobile device issues by providing device-management and access-control facilities.

Figure 1: IdentityGuard - authentication platform (Source: Entrust)

- IdentityGuard supports the use of smart mobile credentials for logical and physical access, including the use of near-field communication (NFC) and Bluetooth facilities.
- Entrust uses NIST-approved personal identity verification (PIV) certificates to deal with mobile security and control issues.
- IdentityGuard provides integration with leading MDM (mobile device management) vendors to support strong, certificate-based device identity.
- IdentityGuard provides support for digital signature and encryption/decryption facilities for secure email services. Certificate on-boarding for authentication and signing email, and S/MIME-based decryption facilities, are available.
- Strong certificate-based authentication is available for users accessing corporate networks using mobile devices.
- Soft tokens are available in form factors that support the generation of one-time passcodes.
- Software development kit (SDK) facilities that allow organizations to build Entrust mobile capabilities into their own mobile applications are also available.

To date few IAM vendors have successfully addressed the need for a common approach to physical and logical access. Smartcard technology allows the combined approach to become a practical reality. Entrust IdentityGuard allows organizations to integrate the two environments. It uses secure NFC technology as an alternative to older and less secure HID physical access cards, and can leverage Bluetooth to act as a smartcard reader to provide logical access to computer devices. Improved return on investment (ROI), reduced running costs, and the provision of a single integrated approach and credential are the primary drivers.

Risk-based authentication allows different authenticators to be deployed to various user groups based on the amount of risk associated with each user, transaction, or particular area of the business. The usability element of the approach also allows more appropriate checks to be made if access requirements vary from the norm.

Entrust IdentityGuard Server is the main component of the IdentityGuard system (see Figure 1). Entrust IdentityGuard uses a three-tier architecture. It is a J2EE-based solution, and the presentation layer and business logic layer can co-exist on a single hardware platform. In operational use IdentityGuard leverages an existing data repository, such as eDirectory, for data storage, and communicates with it using either Java Database Connectivity (JDBC) or Lightweight Directory Access Protocol (LDAP).

Entrust IdentityGuard Server includes the following core applications and interfaces:

- Authentication and administration web services, exposed through Java platform and C# application programming interfaces (APIs).
- Administration interface, properties editor, and master user shell.
- A sample web application that demonstrates service delivery capabilities.

The applications and interfaces are used to authenticate and manage users and their authentication data.

Figure 2: IdentityGuard - integration with an authentication application (Source: Entrust)

Go-to-market strategy

Entrust IdentityGuard provides an inclusive approach to working with the types and levels of authentication that clients choose to deploy. Its open API architecture supports a wide range of software and hardware tokens, and integration with leading MDM (mobile device management), IAM, and PKI (public key infrastructure) vendors, including Entrust PKI. This allows the solution to be used across a broad range of mature and emerging markets, and supports the ability to work with a wide range of digital certificates.

Traditionally the company has targeted the financial services and government sectors, where it has achieved successful results. In addition, Entrust's position as a Certificate Authority (CA) allows it to support strong certificate-based authentication that is relevant to organizations of all sizes.

As a provider of mainstream authentication services, the vendors that Entrust regularly competes against include CA, Gemalto, HID, RSA, Symantec, and Vasco.

Entrust brings its IdentityGuard product to market using a mix of direct sales and distribution partners. Its extensive list of distribution partners includes Allstream, Fishnet, HP, IBM, MPA, NeoSecure, NeTrust, PTE, and SIA.

The company maintains technology-partner relationships with leading industry providers. These include formal relationships with vendors that have made their products "Entrust Ready" by including encryption and digital signature facilities. There are currently over 200 partners engaged in the Entrust partner program, and 115 of their products have been awarded the "Entrust Ready" designation. Entrust works with a significant number of high-profile partners including Adobe, Cisco, IBM, Microsoft, Oracle, PeopleSoft, and SAP.

Typical project values for entry-level projects start at around 20,000, the average is around 60,000, and the largest projects exceed 1m, with a typical 80%-20% split between software licenses and services across all project sizes.

Entrust has an evolving roadmap strategy for IdentityGuard. The current focus is on developing new approaches to support mobile authentication. The next release (v10.1) will build additional smart credentialing and certificate enrollment facilities for mobile. These were first introduced in the current product release. It will also introduce a managed offering for IdentityGuard during the first half of next year.

Deployment

The time taken for the implementation of a pilot IdentityGuard project is typically one to three days and involves between one and two subject matter experts with server, network, and repository management and administration skills. For an average-sized implementation (30-user departments and above) the same skill sets apply, with the potential addition of user management (helpdesk) capabilities and an implementation timeframe of two to four days. At the enterprise level (500-user departments and above) the timeline is three to five days with the same skill requirements.

Entrust can supply a range of professional implementation support services. These include architecture, design and planning services, installation and deployment assistance, and endpoint integration and validation support. It extends to include customized application development and documentation services and support for customized training programs.

There are three levels of technical support: Silver, Gold, and Platinum.

- Silver support provides coverage Monday to Friday, 8.00am to 8.00pm EST and 7.00am to 7.00pm Greenwich Mean Time (GMT), and has an annual charge of 18% of the contract price.
- Gold support extends coverage to 24 hours a day Monday to Friday and has an annual charge of 20% of the contract price.

- Platinum support provides 24-hours-a-day, 7-days-a-week coverage and has an annual charge of 22% of the contract price.

Entrust IdentityGuard is used by some of the world's largest enterprise and government organizations. It has millions of product licenses deployed across hundreds of customers.

Customer deployment examples

- Bank of New Zealand is one of New Zealand's largest banks and has been operating since 1861. The bank selected Entrust IdentityGuard because of its ease of use, low cost overheads, and because its grid card systems could be locally branded to meet the bank's requirements. The deployment allows the bank to offer strong authentication to all new consumer banking customers. During the first phase of the project, approximately 25,000 users were provided with grid cards within a two-week period. In less than nine months, the bank issued over 130,000 cards, which represented close to half of its online customers. In a follow-up phase to its campaign against online fraud, the bank implemented additional IdentityGuard authentication facilities, including device, knowledge-based, and mutual authentication.
- Société Générale, a major European bank and financial services company, needed to address an increasingly pervasive range of online identity theft attacks that were hurting its high-end clients. The protection requirement was to provide clients with an extra level of confidence and safety during online transactions and enterprise communications. Entrust IdentityGuard was chosen to replace an existing token-based solution using its grid card approach. The initial deployment was for 1,500 IdentityGuard grid cards, with the future potential of extending the service to thousands of other Société Générale customers. The grid cards, which were reported as being both secure and easy to use, are used to authenticate access to the company's investment web portal.

DATA SHEET

Key facts about the solution

Table 1: Data sheet

Product name: Entrust IdentityGuard
Product classification: Identity and Access Management
Version number: 10.1
Release date: February 2012
Industries covered: Government, Aerospace, Defense, Energy, Financial, Manufacturing, Auto, Technology and Hi-Tech
Geographies covered: Global
Relevant company sizes: Small, medium, and large companies
Platforms supported: Microsoft Windows, Linux, Solaris, AIX, HP/UX, z/OS, Mac OS, and others
Languages supported: English is the default language. Other languages, including French, can be supported as part of a professional services engagement.
Licensing options: Perpetual on a server basis
Deployment options: On premise
Route(s) to market: Direct sales and through channel partners, VARs, and SIs
URL: www.entrust.com
Company headquarters: One Lincoln Center, 5400 LBJ Freeway, Ste 1340, Dallas, TX 75240, USA
European headquarters: Unit 4, Napier Court, First Floor, Napier Road, Reading, Berkshire RG1 8BW, UK
North America headquarters: As company headquarters
Asia-Pacific headquarters: Level 57, MLC Centre, 19 Martin Place, Sydney NSW 2000, Australia

Source: Entrust

APPENDIX

Further reading

- 2012 Trends to watch: security (OI00127-046)
- SailPoint IdentityIQ (v5.5), Technology Audit
- Swivel PINsafe (v3.8), Technology Audit

Methodology

Ovum Technology Audits are independent product reviews carried out using Ovum's evaluation model for the relevant technology area, supported by conversations with vendors, users, and service providers of the solution concerned, and in-depth secondary research.

Author

Andrew Kellett, Senior Analyst, Infrastructure Solutions, Security
Andrew.kellett@ovum.com

Ovum Consulting

We hope that this analysis will help you make informed and imaginative business decisions. If you have further requirements, Ovum's consulting team may be able to help you. For more information about Ovum's consulting capabilities, please contact us directly at consulting@ovum.com.

Disclaimer

All Rights Reserved.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission of the publisher, Ovum (an Informa business).

The facts of this report are believed to be correct at the time of publication but cannot be guaranteed. Please note that the findings, conclusions, and recommendations that Ovum delivers will be based on information gathered in good faith from both primary and secondary sources, whose accuracy we are not always in a position to guarantee. As such Ovum can accept no liability whatever for actions taken based on any information that may subsequently prove to be incorrect.
