Вы находитесь на странице: 1из 52

TECHNICAL PROPOSITION

ON


Centralised Computing




Secure Centralised Computing

MOVE YOUR DESKTOP USERS
&
USERS ON P OOR BANDWIDTH
&
USERS WHO DO NOT H AVE ENDPOINT DEVICE BUT
N E E D A P P L I C AT I O N S BEYOND WEB BASED APPL



Need for Centralised Computing

•  Anytime, Anywhere – Secure and Efficient Access


–  User Mobility (within office or outside)
•  Control on what a User Can do
–  Only publish Application assigned to the user and they see nothing more
–  Restrict Screen Capture, Print Restriction, etc.
–  USB block
–  Privilege User Access misuse
–  Device that can be used by an user
•  Quick User Provisioning/ De-Provisioning
•  Quick Application Provisioning/ De-Provisioning
•  Application Access over Port 443 using a Browser
•  Client Based Application Access (client installed on the Desktop/ Laptop)
•  Low configuration Linux based Thin Client device can be extended to users
–  Applications are running on the Server @ DC/ Cloud. Only Screen Transfer and Keyboard Clicks travel

•  Audit Trail
•  Stringent compliance adherence
•  Extending BYOD
•  Secure Third Party Vendor Access with Audit Trail/ Session Recording (alternate to tools like WebEx, AnyDesk, etc.)
End Computing challenges faced by all Customers

Security Cost Mobility


Application
Attacks on Frequent
Data leakage from compatibility &
Applications from application
end user devices security issues to
End User device upgrades
outside network

Stringent RBI/ High cost of Data/Apps on


Apps & OS lack
Central Bank multiple endpoint desktops are
security controls
compliances security locked

High Bandwidth &


Ever growing Privilege User
Desktop BYOD
Identity thefts Access misuse
management Cost
Requirements – Security perspective 1

IDENTITY APPLICATION
ENDPOINT ACCESS
MANAGEMENT ACCESS SECURITY
•  Audit of privilege •  Secured remote •  Allow users access
user access access to endpoints to specific
•  Auditing access by over network: without applications only
vendors, extranet RDP, direct VNC •  Auto-detection of
users •  Restrict privilege high security and low
•  Multi-factor user access from security networks
authentication: OTP/ endpoints •  Role based remote
SMS, Mobile Token, •  Protecting endpoints access from vendor
Email Token from network threats locations
and unauthorized •  User should not be
remote control able to copy any data
Requirements – Security perspective 2

APPLICATION SECURITY SECURE REMOTE ACCESS

•  Protecting high value •  Role based secure remote


applications like SWIFT from access by IT staff, executives
unauthorized access & malware •  Secured sandbox computing
attacks originating from based access to banking
endpoint machines applications from Internet
•  Isolating Internet access from •  Allow consultants, vendors to
Intranet without allowing securely access bank network
Internet access without opening up holes in
•  Enable secure Internet browsing bank network
while mitigating all Internet
related threats
Requirements – Cost & Mobility

QUICK PROVISIONING &


VIRTUAL COMPUTING
HIGH AVAILABILITY

•  Virtualize banking applications & •  Roll out Branches REAL Quick


deliver from centralized •  Deliver high applications over
datacenter slow networks
•  Implement thin client computing •  Policy controlled, Anytime,
reducing PC footprint Application access
•  Reduce PC management costs •  Deliver applications to vendors
•  Centralized all application & without having to manage
data access for better DR & vendor machines
business continuity & security
Key Security Concerns (Industry to Industry the sensitivity may vary – but if you are holding
external customer Data – you carry obligation of Data privacy)

•  IDRBT  has  released,  Cyber  Security  Checklist  2016,  recommending  banks  to  follow  best  pracCces  in  
Endpoint  management,  privilege  user  access,  applicaCon  access  and  IdenCty  &  password  
management  
•  $81  million  siphoned  off  by  hackers  from  Bangladesh  bank  by  execuCng  a  targeted  aKack  on  SWIFT,  
originaCng  from  end  user  machine  which  had  direct  access  to  SWIFT  
•  Endpoints  at  banks  have  access  to  both  high  and  low  security  applicaCons  &  data,  allowing  hackers  
to  target  such  endpoints  
•  AKack  surface  on  a  PC  is  very  large  as  the  OS,  local  app  and  capability  foot  print  is  very  large.  A  
malware  can  come  through  Internet,  low  security  applicaCons  or  local  devices  used  by  end  users  
•  Privileged  account  credenCals  (local  /  domain  accounts)  are  shared  between  mulCple  users  and  are  
prone  to  misuse  without  any  audit  /  tracking  
•  SophisCcated  aKacks  are  easily  possible  using  Man-­‐in-­‐the-­‐browser,  keyloggers,  ransomware,  etc  
when  the  applicaCons  execuCng  directly  on  endpoints  
Virtual Desktop Computing Architecture

Data  Centre  
Data remains within
datacenter
APPLICATION SERVERS

LAN /
CENTRALISED
PRIVATE WAN COMPUTING
INTERNET
All management is
centralized in
datacenter

End user device


does not matter
Typical Desktop/ Application Access Options

Traditional PC User with Thinclient/ Remote Users PC/Thinclient/


PC Users few virtual Apps BYOD user over VPN BYOD user
with virtual with virtual
desktop desktop
What Proposed Solution Suite offers

DESKTOP
APPLICATION
VIRTUALIZATION
VIRTUALIZATION
(VDI)

SECURE REMOTE MULTI-FACTOR


ACCESS (SSL VPN) AUTHENTICATION

THIN CLIENT
COMPUTING
Centralised Computing – certain Benefits

Security Cost Mobility


Enable policy Deliver business
Endpoint access
controlled access Reduction of cap-ex applications to
audit by local and
to Business and op-ex cost extranet users over
domain users
Applications untrusted networks

Enable Secure DR ready End User Anytime,Anywhere,


Access containers Internet threat Computing Any device
protect isolation infrastructure access to business
enterprise data (incase desired) applications

Easily enforce
Secure Remote Reduction in
Strong Endpoint Corporate policies
Access to energy costs &
Control on extranet
endpoints carbon footprint
devices
Centralised Computing – various USE Cases

SECURITY

Secure Remote Sandbox Endpoint


LAN- Secure SAAS Identity
Access to computing & Control &
Internet Apps, Tally Federation &
corporate Application Policy
Isolation Nav and more 2FA
network containerization Enforcement

V I R T U A L I Z AT I O N

VDI for
Virtualize &
centralized Thin client Bandwidth
Deliver Legacy
desktop Computing Optimizations
Applications
management
MOBILITY

Secure Remote
Anytime, Access for Access from Tabs,
BYOD Desktops in Cloud
Anywhere access Workforce, Chrome books
Vendors, Partners
The Solution Suite

Application & Desktop Virtualization (VDI),


Integrated Thin client & Endpoint
management

Zero client and Thin client hardware

Secure Remote Access Gateway (SSL VPN)


Geo Fencing
Multi-Factor Authentication with OTP/ Biometric
Device Authentication/ Audit Trail
Session Recording Option
Key Features – Secure Computing Platform

Application Virtualization from Web Based Management


Microsoft RDS Management Console

Shared Hosted Desktops from Integrates with AD / LDAP /


Microsoft RDS & Linux TS Novell

Desktop Virtualization from Application publishing on


VMWare, Hyper-V browser, desktop shortcuts

Connection Broking, Virtual


Seamless application delivery
Machine Provisioning

Zero client & Thin client Application & Desktop Session


Management management

Device based Virtual Desktop Printer, Scanner, Drive & any


Assignment (Unique feature) USB Device Redirection
Use Cases – Securing Computing Platform

Application
Device
Virtualization for Anytime, Anywhere Support Legacy
Independent BYOD
centralized desktop access Apps
Computing
management

Data Consolidation Sandbox computing


LAN-Internet Access from Tabs,
& Data Leakage & Application Desktops in Cloud
Isolation Chromebooks
Protection containerization

Alternate to existing
VDI : Replace
inefficient and Thin Client Bandwidth
Desktop PC with
Expensive End Computing Optimizations
Virtual Desktop
Computing Platform
Key Features – Thin Client Options

VDI Optimized Zero clients and


Always-ON Function
Thin clients

Integrates well with Centralised


Auto-power save when idle
Computing Platform

Kiosk mode operation Touchscreen Support

HY2000 HY4000 HY5000 Managed from Centralized


5W to 15W Power Consumption
Console

Universal USB Redirection Multi-Monitor Support

Multiple Models: Zero/ Linux


Device based assignment
based + Windows IoT based
Key Features – Secured Access

Application Access Gateway with Web Based Management


SSL VPN Console

SPAN Technology, no network Integrates with AD / LDAP /


adaptor, high performance Novell

Supports any TCP, UDP Web Launchpad, no admin rights


Application required

Focus on Application delivery &


Auto-updating client
not network delivery

Built-in Two Factor Authentication HTML5 based access portal


INTERNET

Linux based hardened gateway,


Endpoint Security Scan Enabled available as software, virtual
appliance
Use Cases – Secure Access

Application Data
Secure Remote Access
Control and Endpoint Scan
to corporate network
Sandboxing

Remote Access to
Connect extranet
Endpoint Internet Hosted Virtual
users, partners,
Control Applications and
vendors
Virtual Desktops
Key Features - HyID

Multi-factor authentication for Web Based Management


any application Console

Integrates with Secured Integrates with AD / LDAP /


Access Solution or any VPN Novell

Integrates with Windows & Web based management


Linux Desktop/Server Login console

Integrates with custom


Complete Audit Trail
applications via REST API

Tokens: SMS, Email, Mobile


Privilege Access Management
App, PC

Frictionless & Quick User


Protection for RDP Access
Enrollment
Centralised Computing Traffic Flow & Product Architecture –
Secure Access of Application + Application Delivery + Virtual Desktop

User Identification
Device Identification
Device Lockdown Business Apps:
Endpoint Security Email, Sharepoint
Network blinding Intranet, Web
Apps
PC

TABLET

TLS 1.2
Virtual Application Delivery
256 bit
Encryption
Secure Access
SMARTPHONE Gateway
Virtual
Desktop

Thin Client Virtual Desktops


Endpoints On premise / Cloud

G3
Security Needs – Important and Imperative for all Customers

Provide safe
Prevent User Prevent Malware
Internet browsing for
Profiling Attacks
isolated labs
•  Stop Internet •  Prevent cyber •  User’s should be
websites or 3rd attacks that allows able to
party servers from malwares to plant conveniently &
collecting user’s user targeted securely access
data / info attacks to enter Internet from
network isolated labs
Security Benefits – Important to all Institutions

Safe Internet
Safe Internet Prevent Malware
browsing for
Browsing Attacks
isolated labs
•  User’s consume •  User’s Internet •  Users use same
Internet from same downloads, whether machine to
desktop but Internet good or bad are consume Internet
runs on a different restricted to a without any risk of
machine, different separate network, getting any cyber
network in separate desktop attacks or being
anonymous method profiled
Use Case - Virtual Browser for Users

User  logs  into  applicaCon  


AXer  MFA,  Device  checks,   with  “User  ID”  &  Password  
User  logs  into  Workspace   user  logs  in  and  can  see   User  clicks  on  hosted   provided  by  Customer  
Portal   Icon  to  launch  hosted   desktop  or  applicaCons  
applicaCons  or  Desktops   (if  part  of  SSO  –  then  not  
applicable)  

User  can  upload  data  from   User  works  normally  as  


When  done,  User  closes   local  machine  using  simple   today  but  all  data   ApplicaCon  opens  in  a  new  
hosted  Desktop  /   drag  drop  or  file  upload   downloaded  by  user   tab  in  Browser,  User  starts  
applicaCon   opCons.  (Only  if   remains  within  the   working  on  the  same.  
permiKed)   datacenter  VM  

User  logs  out  from  Virtual  


Browser  or  it  Cmes  out.  
Secure Internet Browsing

Internet  

Browsers  
Intranet  
running  on  
ApplicaCons  
Virtual  
Machines  
Proposed  
SoluCon   DMZ  

Intranet  

PC  with  Pla_orm  
Thin  clients  
Client/Browser  
Secure Internet Browsing using VDI

VM  

Internet  

User  PC  with  a  local  browser   DMZ  Firewall   Proposed  SoluCon  based  on     Internet  Firewall  
accessing  Centralised   Linux  TS  or  MicrosoX  RDS  
CompuCng  Infrastructure  
using  browser  or  using  the  
client  of  Proposed  SoluCon  
Only  display  data  (bitmap)   LegiCmate  as  well  as  
of  the  VM  travel  to  end   malware  data  travel  over  
user  PC.  No  malware  or   Internet  and  lands  into  
Internet  data  travel  to   the  VM.  
end  user  PC   VM  can  be  Linux  TS  based  
or  Windows  RDS  server  
Secure Internet Browsing – Deployment Architecture

Remote  Access  Plane   Data  Plane   VirtualizaCon  Plane  

Secure  Browser  
Centralised  
CompuCng  
Pla_orm  
Cluster  
LAN/WAN  Users  
Internal   File  
Untrusted  
Network  
Firewall   Server  
Secure  
Access   OpConal   Internet  
Pla_orm  in   Internal   Physical  Hosts   Firewall  
Cluster   Firewall   with  Linux  

Directory  
Services  
Secure Internet Browsing – Use Cases and User Functions

USE  Cases   USER  Func.ons  


•  When  users  needs  only  a   •  File  Transfer  
browser  to  be  published  to   •  User  can  upload  and  download  files  from  
secure  browser  
“consume”  Internet   •  Each  file  upload  and  download  can  be  
•  Allowing  contractors  to  have   tracked  and  audited  
limited  Internet  access   •  Copy  of  the  uploaded  /  downloaded  file  can  
be  kept  in  a  locaCon  for  audits  
•  LimiCng  users  from  uploading  or   •  Users  go  via  a  workflow  to  upload/download  
downloading  content   file  to  block  unintenConal  file  download/
upload  
•  When  it  does  not  work   •  Block  file  transfer  based  on  file  type:  like  exe  
•  If  there  are  soXware  on  user  PC   files  
which  needs  Internet  access  for   •  Policy  control  based  on  user  ID  and  user  role  
funcConing  or  upgrades,  secure   •  PrinCng  
browsing  does  not  help   •  PrinCng  possible  from  secure  browser  
•  USB  device  redirecCon  
•  Policy  controlled  access  to  user’s  USB  device  
(Limited)  
Use Case – Infrastructure Access for Third Party Vendor (Software Development/
Hardware Support/ Database Support)
A REFERENCE DEPLOYMENT ARCHITECTURE
Internal/  Mobile/  Third  Party  Vendor  Secured  Access

LAN / MPLS Users

HTML  5/  Mobile/  PCs/  Thin  Clients   Virtual


Dedicated'Virtual'
Desktops'
Desktop 172.16.113.x'
Virtual machine: Win
10

Tablet,
Smartphone

vCenter'Servers'
Client for '
CUSTOMER  
PCs, INTERNET INFRA  
Port:38866' Port:3389,'
Smartphones WITH  
File'Server'
38871,'38870'
CUSTOMER  
G3

Port:443' APPLICATIONS  
Thin   Secured  
Accops HySecure The  Control  
Accops HyWorks
Controller
Clients  
Thin clients Gateway with HyID,
Access  
HyLite
Plane  
172.16.113.71
Pla_orm  
172.16.101.x
Endpoints

Virtual'Applica,ons,'
Internet / Untrusted Network Shared'Hosted'Desktops'
Win Server 2012 R2
G3
Port:389' Port:389' 172.16.113.72'

DMZ Ac,ve'Directory'


CASE STUDIES



Case Study – MNC Bank

Use Case: Benefits to Bank:


•  Cheque Collection Vendor Access §  Zero endpoint management
§  Secure access is possible from
Problem Statement: any unmanaged device without
•  Vendors who collect cheque from ATMs need to
securely access bank applications from
any security concerns
unmanaged machines and feed data over
§  New application version rollout in
Internet minutes
•  Vender users machines are unmanaged and may §  Automatic device enrollment, audit
not comply to bank’s security requirements and control
•  Data should not reside on the end user machine §  Telecom/connectivity agnostic
solution
Solution:
•  Using Proposed Solution, bank’s applications are
published as virtual applications. Remote users
logs into Secured Access Platform gateway to
access the published applications
Case Study – An Medium sized Indian BANK

Use Case:
•  Core Banking Application deliver to end users and Benefits to Bank:
SaaS customers §  Deliver CBS application from
datacenter to distributed end user
Problem Statement: based and ASP customers
•  Deliver client-server based CBS application to §  Single access portal for end users
users
and Centralized web based
•  Deliver the CBS clients to SaaS customers of the
bank distributed across the state on different
management console for IT
connectivity options
•  Centralized management console & Policy based
Load balancing
•  Avoid frequent upgrade of client software on end
user machine

Solution:
•  Using Proposed Application Virtualization solution,
the bank hosted the CBS application client in the
data-center and allowed their internal users as
well as their SaaS customers to come through a
single portal and access the CBS application with
full data isolation
Case Study – Large Indian BANK

Use Case: Benefits to Bank:


•  Endpoint remote helpdesk with full audit & §  Secure helpdesk without Internet
without Internet §  Endpoints do not require open
RDP/VNC configuration
Problem Statement:
•  IT team should be able to take remote control of
§  Centralized management console
the endpoints without requiring Internet on
for IT to control devices
endpoints §  Unattended access possible for
•  Such remote access should be audited and servers
should not be available on Intranet §  Complete audit trail for any remote
•  All such session should be recorded for security access
audit and feedback management

Solution:
•  Using the Solution Suite, Bank’s IT team gets a
centralized management console to see the live
devices and connect with the device over a
secure connection. RDP and VNC are not
opened on the network for obvious security
reasons
Case Study – LARGE MNC INVESTMENTS ORGANISATION

Use Case:
•  Secure Remote access, Multi-factor authentication & Benefits to Customer:
Privileged User Management & Audit §  Proposed Single Stack technology
enables, Seamless, easy secure
Problem Statement: remote access, avoiding risks of
•  Critical servers must be audited for privileged access network level malware
•  Multi-factor authentication for critical server access §  Seamless two factor authentication
•  Secure Remote Access by work from home and using SMS OTP for remote access
roaming users §  Strong two factor authentication for
•  Complete auditing of access server access with privilege user login
control and management
Solution:
•  Using Secured Access & Identity Assurance solution,
§  Centralized dashboard for reporting
Customer allows its remote users, work from home
users to have secure access to corporate network.
The remote login is protected with SMS OTP. When
users want to access critical servers, the user’s must
present their domain credentials to authenticate,
allowing Customer to have complete audit trail of
privileged user access
Case Study – Data Aggregation & Analytics Organisation

Use Case:
•  Complete data protection/DLP within LAN by power Benefits to Customer:
users §  Secure sandbox computing
ensures full compliance to data
Problem Statement: protection policies
•  Developers must be able to work on the applications §  Developer’s productivity not
without ability to copy any data on their local effected by single side copy
machine protection
•  Developer’s productivity should not go down §  Access from anywhere, any device
•  Developers should be able to work from home from
any device
with automated device enrollment
•  Complete auditing of access & audit
§  Centralized dashboard for
Solution: reporting
•  Using Proposed solutions, Customer built a secure
sandbox environment where the business line
applications are published. The developers can
connect to the secure computing environment via
Secure Access Platform protected with two factor
authentication, Device Authentication and access
the applications. Developers can not copy any data
via clipboard, print-screen, desktop reporting etc.
Case Study – SWIFT SECURITY

Problem  Statement:     Benefits to Bank:


•  SWIFT  applicaCon  access  from  end-­‐user  machine  is  prone   §  Execute SWIFT application in a
to  malware  aKacks,  like  recent  $81  million  theX  from  
SWIFT  
secure sandbox
•  Endpoint  must  isolate  access  to  high  security  applicaCon   §  Isolate SWIFT from all endpoint
like  SWIFT  from  other  low  security  applicaCons   related threats
•  AKack  surface  on  a  PC  is  high   §  Prevent malwares from executing
•  SWIFT  applicaCon  access  control  is  based  on  IP  address   active attacks on the application
which  is  complex  to  maintain  and  error  prone  
§  Protect SWIFT credentials
Solu.on:     §  User identity & device identity
•  Using  Proposed  SoluCons  Virtual  Browser  soluCon  ,  bank   based access control
can  deliver  SWIFT  applicaCons  as  virtual  applicaCon.  The   §  No longer do you need two
applicaCon  runs  on  a  remote  server,  delivering  remote   systems on the Desk – one for
display  of  the  applicaCon  to  endpoint.  This  isolates  the  
applicaCon  execuCon  and  data  from  the  endpoint.  The  
Bank Internal Applications and
access  can  be  limited  based  on  user  idenCty  &  device   another for SWIFT access
idenCty  rather  than  IP  address.    
Case Study – Secure Vendor Access

Problem  Statement:    
•  Bank  needs  to  provide  access  to  vendors  for  various  data   Benefits to Bank:
processing  needs,  like  eDMS  eForms  applicaCon  for   §  Deliver bank applications &
processing  scanned  documents  processing   data in secure sandbox. Data
•  Currently  bank  has  to  provide  MPLS  connecCvity  and   never leaves data center.
manage  endpoints  for  data  protecCon  
•  Data  is  at  risk  as  the  data  gets  delivered  to  vendor  devices  
§  No need to manage
•  Access  may  be  slow  as  data  is  heavy  in  size  and  user  
endpoints, automatic device
producCvity  is  low   enrollment and policy
  enforcement from central
Solu.on:     console
•  Using  Proposed  applicaCon  virtualizaCon  soluCon,  bank  can   §  Prevents users from copying
deliver  such  applicaCons  as  virtual  applicaCons  available   any data
over  the  HTML5  browser  soluCon.  The  users  can  connect  to  
the  Centralised  CompuCng  portal,  login  and  launch  the  
remote  applicaCon    in  a  browser.  The  data  of  the  applicaCon  
never  flows  to  endpoint  as  the  applicaCon  client  is  running  
on  remote  server.  This  also  saves  bandwidth  as  data  is  in  
datacenter  only.  
Case Study – Heavy ERP Access across remote locations (Medium Sized Indian Bank)

Problem  Statement:    
•  MicrosoX  Dynamics  consumes  requires  400kbps  to  
Benefits to Bank:
work  
•  Deliver application to as low as 96
•  Access  to  MicrosoX  Dynamics  CRM  from  Remote   kbps bandwidth locations
branches  with  96  kbps  to  1  Mbps  network  is  slow  or   •  Improved CRM performance by
CRM  does  not  work  at  all.     almost 100x, access time reduced
•  CRM  adopCon  is  low  and  CRM  user  producCvity  is  down   from 10 minutes to 10 seconds.
•  Proposed End user experience
Solu.on:     enhancement pack make sure
•  Using  Proposed  Virtual  Browser  soluCon,  bank  can   CRM works in virtual browser
publish  MS  Dynamics  CRM  as  a  virtual  applicaCon  and  
rolled  out  the  published  CRM  to  end  users.  Users  
working  from  any  type  connecCvity  can  launch  the  
virtual  browser,  login  and  access  the  CRM  applicaCon  
with  almost  100x  beKer  performance  
Case Study – Thin Client Computing for a large Bank

Problem  Statement:     •  Benefits to Customer:


•  Desktop  management  is  high  cost   •  Enable secure computing as
•  Desktop  refresh  cycles  every  4-­‐5  years  is  costly   all applications & desktops are
•  Desktops  have  high  aKack  surface   migrated to datacenter
•  ApplicaCon  deliver  to  desktops  requires  conCnuous  
management  and  IT  Cme  
•  R e d u c e d e s k t o p & A p p
•  DR,  backup  of  local  data  are  complex  with  desktops  
upgrade, rollout, day to day
•  Desktops  locks  down  applicaCons  ,  data  and  licenses  and  hence   management by 5x
costs  more   •  Go Green by reducing energy
•  Desktops  does  not  provide  any  mobility   consumption by 10X
•  OS  does  not  provide  inherent  security  features   •  Enable any device computing
•  Energy  consumpCon  of  desktops  is  in  range  of  100  to  200  WaKs   across bank
 
Solu.on:    
•  Using  Proposed  Thin  Client  CompuCng  Pla_orm  and  Thin  
Clients,  bank  can  go  for  thin  clients  as  endpoints  and  deliver  
virtual  applicaCons  and  virtual  desktops  to  end  users.  All  
applicaCons  &  desktop  management  is  migrated  to  datacenter,  
users  have  access  to  the  thin  client  only  
Case Study – Privileged User Access Audit

Problem  Statement:     Benefits to Customer:


•  Privilege  users  (administrator/root)  credenCals  are  shared   §  Enable full audit of privilege
between  users  and  prone  to  idenCty  impersonaCon  and  theX   user logins
•  No  idenCty  audit  log  available  for  such  privilege  user  access   §  Control and manage policies
•  On  desktops  especially  no  privilege  user  control  available  
 
for privilege user logins
Solu.on:    
§  Secures unauthorized login
•  Using  IdenCty  Assurance  soluCon,  bank  can  implement  a  strong   to Servers & Desktops
privilege  user  login  management  soluCon,  such  that  policies  can   §  C e n t r a l i z e d a u d i t r e p o r t
be  enforced  to  devices  related  to  who  can  login  and  how.   available
Combined  with  two  factor  authenCcaCon,  bank  can  track  which  
individual  used  which  privilege  login  to  login  into  servers  and  
desktops.  Complete  audit  trail  is  available  from  centralized  
management  console.  ProtecCon  for  Windows  and  Linux  
desktops  &  servers  is  available,  Two  factor  authenCcaCon  using  
SMS,  Email  ,  Mobile  App,  Hardware  token  OTP  is  available  
Case Study – THIRD PARTY VENDOR ACCESS FOR A BANK

Problem  Statement:     Benefits to Customer:


•  Bank  needs  to  provide  secure  remote  access  to  banking   §  Enable full audit of privilege
development  and  producCon  environment  to  contractors  from   user logins
external  locaCons   §  Control and manage policies
•  The  vendor  employees  may  access  from  any  locaCon,  any  system  
with  no  control  necessarily  on  the  access  device  sanity/  hygine      
for privilege user logins
•  On  desktops  especially  no  privilege  user  control  available  
§  Secures unauthorized login
  to Servers & Desktops
Solu.on:     §  Centralized audit report
•  Using  IndenCty  Assurance  soluCon,  bank  can  implement  a  strong   §  Session Recording incase
privilege  user  login  management  soluCon,  such  that  policies  can   required available
be  enforced  to  devices  related  to  who  can  login  and  how.  
Combined  with  two  factor  authenCcaCon,  bank  can  track  which  
individual  used  which  privilege  login  to  login  into  servers  and  
desktops.  Complete  audit  trail  is  available  from  centralized  
management  console.  ProtecCon  for  Windows  and  Linux  
desktops  &  servers  is  available,  Two  factor  authenCcaCon  using  
SMS,  Email  ,  Mobile  App,  Hardware  token  OTP  is  available.  
AddiConally  Session  Recording  can  be  extended  
VALUE PROPOSITION

•  More  integrated  VDI  soluCon:  VirtualizaCon,  Endpoints,  


Security  
•  Single  vendor  for:  VDI,  Security  Gateway,  Thinclient,  Two  
Factor  AuthenCcaCon,  Device  AuthenCcaCon  
•  ComparaCvely  lower  TCO  
•  Reduced  Support  Requirements  
•  Agile,  flexible  and  customizable  
•  Product  customizaCons  are  welcome  –  with  quick  turnaround  


Single Sign On

Advantages Brief


Need for Single Sign On
•  No need for maintaining separate User Name and Password for different Applications
–  Portal Access with list of Applications Enabled for users. Click and Access
–  Integrated with AD (but in many cases – required SSO even w/o AD)
•  Secure Access & Identity Management for users
–  Encrypted VPN Tunnel
–  Device Authentication
–  User Authentication (OTP/ Biometric/ etc.)
•  Audit Trail/ Forensics on
–  Who
–  What
–  When
–  Where
–  Minimal impact on Performance due to Data Protection
–  Quick Recovery
Typical Data Protection Challenges

Anywhere,)Any*me,)Any)device)Challenges) Data)at)Rest)(at)end)point))Challenges))
) )

o  Login from anywhere bring o  Prevent data misuse using USB


another challenge when login drive
from compromised devices
o  Prevent data misuse passed by
o  User ID and Password can email/upload
easily be passed to anyone or
3 rd party cookies can steal it. o  Prevent data misuse passed by
printout
o  Data upload/download of data is
always under threat o  Prevent data misuse by
Malware, cookies, Search
engine or installed 3 rd party apps
Typical Data Protection – Technical Requirements & Business Expectations

Technical  Requirements   Business  ExpectaCons    


1.  Secure Access to application with MFA 1.  It will stop unauthorized application
(OTP) access anonymously
2.  Secure Access limited to Authorized & 2.  Limit access of application for
trusted devices Business purpose only, no misuse
3.  Device forensic i.e. IP address/MAC/ 3.  Audit log for who, when, where logged
MB ID/ HDD ID into desktops/applications
4.  Restricted access to Save/Download/ 4.  Minimize the data leakage & at the
Print features, option to be enable and same time, allow business to be inline
disable at per user basis with current productivity
5.  Complete restriction of screenshot, 5.  No intentional (Remote desktop
print screen, sipping tools sharing, VNC/WebEx) access to
6.  Data copy, screen recording, remote outside organization
(VNC/WebEx) access protection 6.  End user can upload/download files
but only when permitted.
High Level Approach for ACCESS

Device* Device*
Endpoint*Scan* User*IdenDty* Blacklisted*
IdenDty*&* Security*
&*Role* User*Feeds*
and*Endpoint* ClassificaDon* Feeds*
Control*
User*Security*Context* Device*Security*Context*

Access*
via*
Access*
Access* Allow*Access* Gateway*
User* Request*
Access*as**
Contextual*Policy* Virtual*
Access*Portal* Enforce*2FA* App*
Engine*
Federated*
App* Request*
Deny*Access* Access*
with*SSO*
What will the proposed SSO Solution Address

Technical)Requirements)(mapped)against)SSO)Solu8on)!
Application Access Gateway with Web Based Management
SSL VPN Console 1.  Secure Access to application with MFA
(OTP) - SSO
SPAN Technology, no network Integrates with AD / LDAP / 2.  Secure Access limited to Authorized &
adaptor, high performance Novell trusted devices - SSO
3.  Device forensic i.e. IP address/MAC/MB
Supports any TCP, UDP Web Launchpad, no admin rights ID/ HDD ID - SSO
Application required
4.  Restricted access to Save/Download/Print
features, option to be enable and disable
Focus on Application delivery &
Auto-updating client at per user basis – achievable with SSO
not network delivery
5.  Complete restriction of screenshot, print
Multi-factor authentication
screen,forsipping
Web Based
tools Management
– achievable with SSO
Built-in Two Factor Authentication HTML5 based access portal any application 6.  Data copy, screen
Console
recording, remote (VNC/
WebEx) access protection – achievable with SSO
Linux based hardened gateway, Integrates with Proposed SSL Integrates with AD / LDAP /
Endpoint Security Scan Enabled available as software, virtual VPN or any existing VPN Novell
appliance
Integrates with Windows & Web based management
Linux Desktop/Server Login console

Integrates with custom


Complete Audit Trail
applications via REST API

Tokens: SMS, Email, Mobile


Privilege Access Management
App, PC

Frictionless & Quick User


Protection for RDP Access
Enrollment
Approach to Authentication and Access

• 2FA token types


•  SMS OTP/Email OTP/ Mobile Token / PC Token/ Push
notifications
•  Biometric, face detection coming up
• Device ID based access
•  Trusted or Authorized device-based access
•  Device fingerprint based on CPU ID, Motherboard ID, MACID,
WAN IP address, Certificate, etc
• Geo location-based access
• Dynamic device trust evaluation on every request
www.ashinfo.com