PKI is Alive and Well: The Symantec Managed PKI Service

Marty Jost, Product Marketing, User Authentication
Lance Handorf, Technical Enablement, PKI Solutions


Agenda

1. PKI Background: Problems and Solutions
2. Symantec Managed PKI: Customer Use Cases
3. Demonstration

SYMANTEC VISION 2012

Initial PKI Use Fueled by Business Migration to Internet

Enable growth and remain competitive:
• Cost cutting drives more businesses to an online model
• Competitive necessity
• Non-repudiation is an essential element of e-commerce
• Failure to enable = loss of agility

Manage risk to assets and brand:
• Protect public image
• High-value targets
• Hacker profiles evolving from attention seekers to organized sponsorship
• Public security breaches = lost customer confidence

Business-Related Authentication

SSL Use Case: verify the organization you are doing business with
• SSL/TLS authenticates the web site to the browser
• The web site's identity is verified by the CA as part of certificate issuance
• Relies on the CA root certificates embedded in browsers and operating systems
• Most common deployments still use passwords for client authentication to the site; the certificate authenticates only the server
• The server certificate's key pair authenticates the TLS key exchange; the session keys negotiated in that exchange, not the certificate itself, encrypt the data during the online session

Code Signing Use Case
• Identifies the developer or publisher who signed the code
• Provides a virtual "shrink wrap": the signature verifies only while the code is byte-for-byte what was signed, so any alteration after signing is detected

Digital Certificates Have Additional Versatility

Digital signatures: strengthen the integrity and audit potential of electronic transactions; validate users and user data.

What Exactly Is a User or Device Certificate? A Digital Identity

• A file whose structure follows the X.509 standard, encoded as DER (binary) or PEM (Base64-wrapped DER)
• Strength comes from public-key cryptography
  – RSA keys of 1024 bits were common; 2048 bits is now the norm (NIST SP 800-131A deprecates 1024-bit RSA signing after 2013, so new issuance should be 2048-bit or larger)
• Stored on the user's device, or on a smart card or other hardware token so the private key cannot be copied off
• Contains some required information
  – User or device name (the subject)
  – Public key
  – Signature of the issuing authority over the certificate body (issuer, serial number, validity period, subject, public key and extensions)
  – Note: the certificate does not contain a hash of itself. The "fingerprint" shown by tools is a hash the verifier computes over the encoded certificate, and the CA's signature is made over a hash of the certificate body.
• Customizable through metadata
  – Extension fields (key usage, extended key usage, subject alternative names)
  – Customer-specific information carried in private extensions

Symantec Confidential – Do Not Distribute

Symantec Strong Authentication Solutions

Flexible, diverse technology for broad customer requirements, administered through the Symantec web-based management console on the Symantec cloud-based authentication infrastructure:

• Validation and Identity Protection (VIP) Service: OTP or risk-based authentication; multiple credential form factors, available in hardware or software, stored on disk or on a token
• Symantec Managed PKI Service: device and user certificates
• Symantec O3: authorization gateway to the cloud; single sign-on


Symantec Enterprise Customers Use PKI as an Enabler

Improve business agility and business processes:
• Mobility to create a flexible workforce
• Supply chain integration for better collaboration
• Comply with business ecosystem requirements

Symantec Managed PKI Solution: Out-of-Box Support for Multiple Use Cases

• Infrastructure Authentication: transparent Wi-Fi access (typically EAP-TLS), 802.1X/EAP-enabled wired switches, or Mobile Device Management
• Strong Web Authentication: authenticate to web applications via a browser (TLS client certificate)
• Document Signing: digital signatures for Adobe PDF, Microsoft Office and others
• Secure Email: digitally signed, encrypted (S/MIME) email communications
• Secure Remote Access: strong authentication to networks via VPN

Other initiatives:
• Multi-use smart cards (HSPD-12 / PIV)
• Healthcare Information Exchange (HIE)

How Do You Manage Certificates?

One option is to self-manage with readily available PKI tools (the slide's example is Microsoft's certificate services). The certificate software and hardware are the easy part; the open questions are: Is it easy to use? Is it multi-platform? Will it scale?

Other Requirements for Trusted PKI

Hardware and software are just one piece of the puzzle. A PKI requires technology, people, facilities, policy, procedures, and integration:
• Certificate software and hardware
• Service availability
• Application integration
• Security services and key recovery
• Secure infrastructure
• Policy and practices (typically a certificate policy and a certification practice statement)
• Risk and liability management
• Application consulting
• User support

Symantec Managed PKI Is a Full-Service Platform

Everything is built in:
• Root of trust (global)
• Validation
• Management roles
• Tools
• Workflow
• Key recovery
• Reporting
• Etc.

Systems, best practices, redundancy. Turnkey system: the customer just provides an administrator.

Symantec Managed PKI Advantages

Build your own vs. Managed PKI Service

Building your own requires:
• Servers
• Secure facility
• Backup and recovery
• PKI software
• Trained PKI expert
• Administration, monitoring and auditing
• Software and system maintenance
Operational costs can soon exceed even the benefits of free software.

The Managed PKI Service requires only your PKI administrator and offers:
• Much faster deployment
• No disruption from employee departure
• Lower total cost of ownership (TCO)
• No infrastructure capital investment
• No maintenance
• Ease of use
• Leverage of operational excellence
• Secure, audited operations
• High availability (HA) and high capacity
• 24/7 support and binding SLAs
• Certifications and accredited policy

Flexible Topology Options: Decide or Change at Any Point

Cloud: cloud PKI infrastructure
• All-inclusive infrastructure
• Unified administration
• Supports common use cases
• Clientless or client-enabled

Hybrid: PKI Enterprise Gateway
• Directory-driven automation
• Local registration authority
• Native OS PKI compatibility

Client vs. Clientless

Both clientless and client-enabled deployments provide:
• Browser-agnostic enrollment
• SCEP enrollment by Apple iOS

The client-enabled option adds PKI client software, which provides:
• Application auto-configuration
• Automatic certificate renewal
• Client-side updates via the enterprise software management system

Easier to manage, simpler to use.

Pre-Provisioning Capabilities Speed Time to Value

Trust policy, system, and user provisioning:
• Certificate policy: format and metadata; cryptographic algorithms; security level (PIN required?); certificate store
• Enrollment method and authentication
• Backend and site setup
• Web gateway configuration
• Content for customized web pages

Templatized Approach Simplifies Certificate Provisioning

• Step-by-step guidance
• Pre-defined where practical
• Use anytime: initial deployment or expansion

Simple to Customize for Client, HSMs and Other Options

Advanced End-Point Automation: Certificate Requested … Now What?

• Auto-enable applications to use the certificate
  – Browsers (IE, Firefox, etc.)
  – Email
  – VPN
  – Adobe
  – Wi-Fi
• Publish to directory
• Transparent renewal

Excellent Integration with iOS and Mobile Management

Best PKI support of the Simple Certificate Enrollment Protocol (SCEP). Two enrollment paths:
1) Direct Enrollment: requires no MDM server and uses the built-in features of Apple iOS, providing the certificate-related features
2) MDM Enrollment: the MDM server acts as a proxy and provides a superset of features, as made available through the MDM provider

"Organizations should focus on minimizing complexity and remembering the business reasons for using public-key technology."
– Eric Ouellet et al., "Factors Impacting PKI and PKO Insourcing and Outsourcing", Gartner, 2010

Demonstration

MPKI Demonstration: Tablet Enrollment Flow

Components in the diagram: the PKI Administrator; the Symantec Cloud Managed PKI Certificate Services, comprising PKI Manager, Web Services and the SCEP Server; a tablet user on the Internet; and the VPN the tablet will connect to.

Arrows in the diagram:
• Enrollment link and enrollment code, from PKI Manager to the tablet user
• SCEP request and VPN profile, between the tablet and the Managed PKI SCEP server
• Certificate, from Managed PKI Certificate Services to the tablet, which then uses it for the VPN
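The script below is an added example, not Symantec code and not the product's enrollment logic. It reduces the enrollment step of the flow above, and the certificate-policy items on the pre-provisioning slide (key size, format and metadata), to what the openssl CLI can show offline. SCEP (RFC 8894) carries the one-time enrollment code in the CSR's challengePassword attribute; the registration authority here checks that code, rejects keys below the policy minimum and any request for a CA certificate, and issues the certificate from its own template rather than from whatever extensions the device asked for. The device names, enrollment codes, policy values and the urn:example: device identifier are all made up for this example.

```shell
#!/bin/sh
# Added example; not Symantec code. The enrollment step of the demo above,
# reduced to what the openssl CLI can show offline. SCEP (RFC 8894) carries
# the one-time enrollment code in the CSR's challengePassword attribute; a
# registration authority checks that code, applies its own certificate
# policy (key size, no CA certificates, extensions from the template rather
# than from the request) and only then lets the CA sign. The device names,
# enrollment codes, policy values and the urn:example: device identifier
# are all made up for this example.
set -e
WORK="${WORK:-$(mktemp -d)}"

# CA side (already running inside the service): an issuing CA key and cert.
make_ca() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/ca.key" 2>/dev/null
  openssl req -x509 -new -key "$WORK/ca.key" -sha256 -days 3650 \
    -subj "/O=Example Corp/CN=Example Issuing CA" \
    -addext "basicConstraints=critical,CA:TRUE" -addext "keyUsage=critical,keyCertSign" \
    -out "$WORK/ca.pem" 2>/dev/null
}

# Device side: generate the key pair on the device and build a CSR that
# carries the enrollment code. $1 = device name, $2 = RSA bits,
# $3 = enrollment code, $4 = extensions the device asks for (optional).
make_csr() {
  name="$1"; bits="$2"; code="$3"; reqext="${4:-basicConstraints=CA:FALSE}"
  openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:$bits" \
    -out "$WORK/$name.key" 2>/dev/null
  cat > "$WORK/$name.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
attributes = attrs
req_extensions = ext
[ dn ]
O = Example Corp
CN = $name
[ attrs ]
challengePassword = $code
[ ext ]
$reqext
EOF
  openssl req -new -key "$WORK/$name.key" -config "$WORK/$name.cnf" \
    -out "$WORK/$name.csr" 2>/dev/null
}

# RA side: everything below reads only the CSR (and, last, the issued cert).
csr_challenge()   { openssl req -in "$WORK/$1.csr" -noout -text \
                      | sed -n 's/^ *challengePassword *:\(.*\)$/\1/p'; }
csr_key_bits()    { openssl req -in "$WORK/$1.csr" -noout -text \
                      | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'; }
csr_requests_ca() { openssl req -in "$WORK/$1.csr" -noout -text | grep -q 'CA:TRUE'; }
issued_eku()      { openssl x509 -in "$WORK/$1.pem" -noout -ext extendedKeyUsage \
                      | tail -n +2 | tr -d ' \n'; }

# $1 = device name, $2 = the code the administrator issued for that device.
# Returns 0 and writes $name.pem only if every policy check passes.
ra_enroll() {
  name="$1"; expected="$2"
  openssl req -in "$WORK/$name.csr" -noout -verify >/dev/null 2>&1 \
    || { echo "reject $name: CSR self-signature invalid (no proof of possession)"; return 1; }
  [ "$(csr_challenge "$name")" = "$expected" ] \
    || { echo "reject $name: enrollment code mismatch"; return 1; }
  bits=$(csr_key_bits "$name")
  [ "$bits" -ge 2048 ] \
    || { echo "reject $name: $bits-bit key is below the 2048-bit policy minimum"; return 1; }
  if csr_requests_ca "$name"; then echo "reject $name: CSR asks for CA:TRUE"; return 1; fi
  # Template wins: 'openssl x509 -req' ignores the CSR's own extensions
  # unless told to copy them, so the profile below is what gets issued.
  printf '%s\n' "basicConstraints=critical,CA:FALSE" \
    "keyUsage=critical,digitalSignature,keyEncipherment" \
    "extendedKeyUsage=clientAuth" \
    "subjectAltName=URI:urn:example:device:$name" > "$WORK/$name.ext"
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/$name.ext" \
    -out "$WORK/$name.pem" 2>/dev/null
  echo "issued $name"
}

demo() {
  make_ca
  make_csr tablet-0042 2048 K7Q2-9XMD "extendedKeyUsage=codeSigning"  # asks for more than policy allows
  ra_enroll tablet-0042 K7Q2-9XMD
  echo "tablet-0042 EKU: $(issued_eku tablet-0042)"                     # clientAuth only
  make_csr tablet-0043 2048 WRONG-CODE
  ra_enroll tablet-0043 H4ZP-1LQ8 || true
  make_csr legacy-0001 1024 B2VN-7TCE
  ra_enroll legacy-0001 B2VN-7TCE || true
  make_csr rogue-ca 2048 C9DM-3RWA "basicConstraints=critical,CA:TRUE"
  ra_enroll rogue-ca C9DM-3RWA || true
}
if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh enroll-demo.sh demo`. The point the demo slide only hints at is the order of operations: the enrollment code proves the request came from the device the administrator provisioned, the CSR's self-signature proves the device holds the private key, and the certificate's extensions come from the RA's template, so a device cannot enroll itself as a CA or as a code signer simply by asking for it in the CSR.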

Questions?

Thank you!

Copyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
