Entrust IdentityGuard for Enterprise

Protecting Your Enterprise

When an employee or partner accesses a corporate network through an extranet, remote access gateway (VPN) or Microsoft® Windows® desktop, they have effectively opened a door to the organization's most sensitive assets, intellectual property and customer data. The security of the network and of the desktops behind it is only as strong as the authentication method in front of them, so it matters that this is done properly. Coupled with industry mandates like the Red Flag Rules, the Sarbanes-Oxley Act (SOX) and the Payment Card Industry (PCI) standard, organizations are being driven to increase the strength of authentication across a much broader user population than ever before.

The most common way of authenticating employees and partners - username and password - is also one of the weakest in use today. Strengthening this type of authentication - typically by mandating long, complex passwords and enforcing frequent changes - often delivers minimal security improvement, yet significantly increases help-desk costs. The need to provide strong second-factor authentication to wider enterprise populations is growing, and the cost of widely deploying traditional strong authenticators is causing organizations to look for more cost-effective solutions that deliver a flexible approach to increasing security without introducing significant costs.

An Open Versatile Authentication Platform

As an established global leader in layered security strategies, Entrust offers a cost-effective versatile authentication platform that can help organizations protect the identities of employees and partners accessing sensitive enterprise data. A key component of a layered enterprise security model, the Entrust IdentityGuard versatile authentication platform allows organizations to match the authentication strength and mechanism to the amount of risk involved, usability requirements and cost considerations. This enables organizations to apply strong authentication across the enterprise, instead of just to a select group of users. Entrust IdentityGuard integrates with existing environments with minimal impact on the user experience. This is advantageous for users accessing the network via remote access, the Microsoft Windows desktop or the extranet, including leading extranet applications like Microsoft Outlook Web Access.

Transparent Authentication

Transparent authenticators validate users without requiring day-to-day interaction. Organizations step up to additional authentication only when the transparent authentication fails. Transparent authenticators include:

IP-Geolocation
Authenticated users can register locations from which they frequently access the corporate network. During subsequent authentications, the Entrust IdentityGuard server compares the current location data - country, region, city, ISP, latitude and longitude - to those previously registered. Organizations can step up authentication only when the values don't match. With IP-geolocation, organizations can create blacklists of regions, countries or IPs based on fraud histories, or leverage the Entrust Open Fraud Intelligence Network (OFIN) to receive updated lists of known fraudulent IPs based on independent professional analysis. Geolocation derived from a source IP is a risk signal rather than proof of identity: it is coarse, and an attacker routing through a proxy or VPN exit in the registered region will match it, which is why it is paired with a second signal and a step-up path rather than used alone.

Device Authentication
Authenticated users can register a computer or device that is frequently used to access the corporate network. An encrypted profile of the registered computer is created and stored. During subsequent authentication, the Entrust IdentityGuard server creates a new profile and compares it against the stored value. Step-up authentication is required only when the values don't match. IP-geolocation and device authentication, deployed in combination, offer an effective and transparent authentication method for users.
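The step-up decision described in the two transparent-authentication paragraphs above, as an added example that is not Entrust's code and does not reproduce the product's profile format: a registered-location set and a set of device-profile hashes are kept per user, a blacklist of countries and IPs is checked first, and a login is allowed silently only when both signals match what was registered; any mismatch returns a step-up decision for a stronger authenticator. The `Location` fields, the SHA-256 canonicalisation used as the device profile, the `deny`/`allow`/`step_up` policy and all sample data are assumptions for illustration.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Location:
    """Location attributes compared on login (latitude/longitude omitted for brevity)."""
    country: str
    region: str
    city: str
    isp: str


@dataclass
class UserProfile:
    registered_locations: set = field(default_factory=set)
    registered_devices: set = field(default_factory=set)  # device profile hashes


def device_profile(attrs: dict) -> str:
    """Reduce client-reported device attributes to a stable fingerprint.

    Assumption: attributes are canonicalised (sorted key=value pairs) and hashed.
    Because the client reports these itself, a mismatch is a reason to step up,
    never a reason to grant access on its own.
    """
    canonical = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canonical.encode()).hexdigest()


def register(profile: UserProfile, location: Location, device_attrs: dict) -> None:
    """Called after a successful strong authentication to remember where/what the user used."""
    profile.registered_locations.add(location)
    profile.registered_devices.add(device_profile(device_attrs))


def evaluate_login(profile: UserProfile, ip: str, location: Location, device_attrs: dict,
                   blocked_countries=frozenset(), blocked_ips=frozenset()) -> str:
    """Return 'deny', 'allow' or 'step_up' (illustrative policy, not the product's)."""
    if ip in blocked_ips or location.country in blocked_countries:
        return "deny"                      # blacklist wins before any matching is attempted
    known_location = location in profile.registered_locations
    known_device = device_profile(device_attrs) in profile.registered_devices
    if known_location and known_device:
        return "allow"                     # both transparent signals match: no user interaction
    return "step_up"                       # anything else: challenge with a stronger authenticator


# Constructed sample data (not real users, devices or addresses).
HOME = Location("CA", "ON", "Ottawa", "ExampleNet")
LAPTOP = {"os": "Windows 7", "browser": "IE 8.0", "screen": "1440x900", "tz": "-300"}
BLOCKED_COUNTRIES = frozenset({"XX"})
BLOCKED_IPS = frozenset({"198.51.100.77"})


def demo() -> list:
    """Four logins for one enrolled user: known, new ISP, new browser, blacklisted country."""
    profile = UserProfile()
    register(profile, HOME, LAPTOP)
    return [
        evaluate_login(profile, "203.0.113.5", HOME, LAPTOP, BLOCKED_COUNTRIES, BLOCKED_IPS),
        evaluate_login(profile, "203.0.113.5", Location("CA", "ON", "Ottawa", "OtherISP"),
                       LAPTOP, BLOCKED_COUNTRIES, BLOCKED_IPS),
        evaluate_login(profile, "203.0.113.5", HOME, dict(LAPTOP, browser="Firefox 3.6"),
                       BLOCKED_COUNTRIES, BLOCKED_IPS),
        evaluate_login(profile, "198.51.100.9", Location("XX", "", "", "BadISP"),
                       LAPTOP, BLOCKED_COUNTRIES, BLOCKED_IPS),
    ]


if __name__ == "__main__":
    print(demo())
```

The blacklist check runs before matching so that a registered device on a blocked network is still refused; the match itself is exact, which is deliberate for a worked example but in practice you would tolerate an ISP change within the same city or a browser minor-version bump before asking for a step-up.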

Physical Form Factor Authenticators

Physical form factors are tangible devices that users carry and use when authenticating. Entrust offers a number of physical authentication devices to meet diverse corporate user requirements. Physical form factor authenticators include:

One-Time-Passcode Tokens
Entrust offers two versions of the popular one-time-passcode (OTP) token. Starting at just $5, the Entrust IdentityGuard Mini Token is OATH-compliant and generates an eight-digit passcode at the press of a button. The OATH-compliant Pocket Token offers additional features, including a PIN unlock prior to generating the passcode and a challenge-response mode.

Display Card
The Entrust Display Card provides the same functionality as the popular token in a credit card format. In addition to providing an OATH-compliant, one-time passcode, the Display Card optionally can include a magnetic stripe and a PKI or EMV chip for greater versatility.
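Both the OTP tokens and the Display Card above are OATH-compliant event-based passcode generators. As an added example that is not Entrust's code, the block below implements the OATH HOTP algorithm (RFC 4226: HMAC-SHA-1 over a counter, dynamic truncation, decimal modulo 10^digits) and the server-side check a validation service needs around it: a look-ahead window so a few unused button presses do not lock the user out, and a counter that advances past each accepted passcode so it cannot be replayed. The class name `HotpVerifier`, the window size and the enrolment API are assumptions; the test secret is the published RFC 4226 Appendix D vector. The token's PIN unlock and challenge-response mode are device-side features and are not modelled.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 8) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1 over the 8-byte big-endian counter, dynamic truncation,
    then the low `digits` decimal digits, zero-padded. 8 digits matches the Mini Token."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                    # low nibble of last byte selects 4 bytes
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Server side: per-user token secret plus the next counter value the server expects."""

    def __init__(self, look_ahead: int = 5):
        self.look_ahead = look_ahead   # assumed window: unused button presses tolerated
        self.tokens = {}               # user -> [secret, next_counter]

    def enroll(self, user: str, secret: bytes, counter: int = 0) -> None:
        """Bind a token (its seed and current counter) to a user at provisioning time."""
        self.tokens[user] = [secret, counter]

    def verify(self, user: str, submitted: str) -> bool:
        """Accept a passcode if it matches any counter in [next, next + look_ahead];
        on success move the counter past it so the same passcode is never accepted twice."""
        rec = self.tokens.get(user)
        if rec is None:
            return False
        secret, next_counter = rec
        for c in range(next_counter, next_counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(secret, c, len(submitted)), submitted):
                rec[1] = c + 1
                return True
        return False


# Known test vector from RFC 4226 Appendix D (ASCII "12345678901234567890").
RFC4226_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    v = HotpVerifier()
    v.enroll("alice", RFC4226_SECRET)
    code = hotp(RFC4226_SECRET, 3)        # user pressed the button four times
    print(v.verify("alice", code))        # accepted via the look-ahead window
    print(v.verify("alice", code))        # same passcode again: rejected
```

Two operational points follow from the code: a token pressed more than `look_ahead` times without a successful login falls outside the window and needs a resynchronisation step, and because the secret on the server is as sensitive as the token itself, the seed store belongs behind the same controls as a password database.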

Grid Authentication
The Entrust-patented grid card is a credit card-sized authenticator consisting of numbers and characters in a row-column format. Upon login, users are presented with a coordinate challenge and must respond with the contents of the corresponding cells from the unique grid card they possess. As a complement, eGrid cards are delivered to the user via the Web or as a PDF, which can be stored on a machine or mobile device for convenient access, eliminating the need to carry a physical form factor; note that a grid stored on the same machine used to log in is exposed to malware on that machine and no longer counts as an independent factor.
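The challenge-response exchange described above, as an added example that is not Entrust's code: the server personalises a grid of random cells per user, issues a challenge of distinct coordinates, and accepts the response only for the challenge it actually issued, once, and within a time limit, comparing in constant time. The 10-column by 5-row layout, the cell alphabet, the three-cell challenge and the 120-second lifetime are assumptions for illustration.

```python
import hmac
import secrets
import string

COLUMNS = "ABCDEFGHIJ"                              # assumed layout: 10 columns by 5 rows
ROWS = range(1, 6)
CELL_ALPHABET = string.digits + string.ascii_uppercase


def generate_grid() -> dict:
    """Personalise a new card: one CSPRNG-chosen character per cell, keyed 'A1'..'J5'."""
    return {f"{col}{row}": secrets.choice(CELL_ALPHABET) for col in COLUMNS for row in ROWS}


def answer(grid: dict, coords: list) -> str:
    """What the card holder types back: the cells at the challenged coordinates, in order."""
    return "".join(grid[c] for c in coords)


class GridAuthenticator:
    def __init__(self, cells_per_challenge: int = 3, challenge_ttl: int = 120):
        self.cells = cells_per_challenge
        self.ttl = challenge_ttl
        self.grids = {}      # user -> grid (a deployment keeps these encrypted at rest)
        self.pending = {}    # challenge_id -> (user, coords, issued_at)
        self.rng = secrets.SystemRandom()

    def enroll(self, user: str, grid: dict) -> None:
        self.grids[user] = grid

    def issue_challenge(self, user: str, now: float):
        """Pick distinct cells at random so repeated logins reveal different parts of the card."""
        coords = self.rng.sample(sorted(self.grids[user]), self.cells)
        cid = secrets.token_urlsafe(16)
        self.pending[cid] = (user, coords, now)
        return cid, coords

    def verify(self, cid: str, user: str, response: str, now: float) -> bool:
        """Single-use: the challenge is consumed whether or not the response is right,
        so a captured response cannot be replayed and a wrong guess cannot be retried."""
        entry = self.pending.pop(cid, None)
        if entry is None:
            return False
        owner, coords, issued = entry
        if owner != user or now - issued > self.ttl:
            return False
        expected = answer(self.grids[user], coords)
        return hmac.compare_digest(expected, response.strip().upper())


if __name__ == "__main__":
    auth = GridAuthenticator()
    card = generate_grid()
    auth.enroll("alice", card)
    cid, coords = auth.issue_challenge("alice", now=0)
    print("challenge:", coords)
    print("accepted:", auth.verify(cid, "alice", answer(card, coords), now=10))
    print("replay accepted:", auth.verify(cid, "alice", answer(card, coords), now=11))
```

Because each login discloses a few cells, a phishing site that proxies challenges can harvest the card over time; the mutual-authentication replays described later on this page (grid serial number and grid location replay) are the page's answer to that, and the short challenge lifetime limits how long a relayed challenge stays valid.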

One-Time-Passcode List
End-users are provisioned with a list of randomly generated passcodes or transaction numbers (TANs), typically printed on a sheet of paper. Each passcode can be used only once.

Non-Physical Form Factor Authenticators

Non-physical form factor authentication provides methods of verifying user identities without requiring them to carry an additional physical device. Non-physical form factor authenticators include:

Knowledge-Based Authentication
Knowledge-based authentication challenges users to provide information an attacker is unlikely to possess. Questions presented to the user at the time of login are based on information (referred to as authentication secrets) supplied by the user at registration, or on previous transactions or relationships. Entrust IdentityGuard allows the administrator to determine the number and type of questions asked. Questions whose answers can be found in public records or social media add little, so it is best suited to lower-risk uses such as self-service recovery rather than as the sole second factor.

Out-of-Band Authentication
Out-of-band authentication leverages an independent and pre-existing means to communicate with the user to protect against attacks that have compromised the primary channel. Entrust IdentityGuard supports this capability by allowing for the generation of one-time confirmation numbers that can be transmitted along with a transaction summary to the user. This can be done directly via e-mail or SMS, or sent through voice to a registered phone number. Once the confirmation number has been received, it is simply entered by the user and the transaction is approved.

Strong Username and Password
Entrust IdentityGuard typically provides a strong second factor of authentication to an organization's existing username and password infrastructure. The versatile authentication platform can provide strong username and password login for companies without an existing solution.

Mutual Authentication

Your organization needs to have confidence in a user's identity. Likewise, users must be confident that they are transacting with their organization or intended online site; not a fraudulent organization or spoofed site. Mutual authentication provides methods for your organization to confirm your legitimacy to users. Entrust provides organizations with a range of options for mutually authenticating with their customers, including:

Image and Message Replay
Upon registration, the user selects an image from an extensive image bank supplied with Entrust IdentityGuard. The user also creates a message. During subsequent logins the image and message are presented to the user.

Grid Serial Number Replay
During login, the serial number of the user's unique grid card is presented to the user.

Grid Location Replay
During login, the user is presented with the values of a number of cells from their unique grid card.

Extended Validation (EV) SSL Certificates
Organizations can deploy Extended Validation SSL certificates, which confirm the Web site's authenticity by displaying a green address bar, an obvious trust indicator for the end-user. (Mainstream browsers have since dropped the green bar and show EV status only on inspection of the certificate, so this indicator should not be relied on alone.)

Each method is designed to replay identifiable information to the user that could only come from the legitimate organization itself, enabling users to quickly and easily confirm that the Web site is authentic.

Entrust IdentityGuard Advantages

Range of Strong Authentication Capabilities
Entrust IdentityGuard provides one of the widest ranges of authentication capabilities on the market today. The solution's variety of multifactor authentication options can enable stronger authentication across the enterprise without the need to deploy a one-size-fits-all solution that may not meet the unique requirements found across an organization. Entrust IdentityGuard delivers a range of authentication capabilities that can enable strong authentication without requiring client-side software, hardware or significant changes to the user experience. The solution provides authentication methods that require virtually no user interaction, such as device fingerprinting and IP-geolocation. Authentication techniques that don't require a second physical form factor include knowledge-based authentication, username and password, and out-of-band one-time passwords (OTP) via SMS or voice. Finally, the platform also supports authentication factors that require a form factor, including grid cards, OTP hardware tokens and slim display card tokens.

Entrust IdentityGuard affords a level of choice, flexibility and personalization to both end-users and enterprises. Organizations can choose how they want their users to authenticate depending on user type, risk assessment and the application being used, including remote access, the Windows desktop and applications deployed on the extranet. The platform can be readily extended to other delivery channels, including interactive voice response (IVR) and help-desk systems. The solution's authentication methods do not require specialized hardware or direct hardware connections with the computer, so they can be leveraged across multiple platforms and used in conducting various types of transactions.

The range of authentication methods provided by Entrust IdentityGuard is supported by a single administrative layer that allows organizations to manage all users through one point of policy enforcement while tailoring the specific authentication policy on a per-user or per-group basis. The security of the Entrust IdentityGuard versatile authentication platform is built on Entrust's FIPS 140-2-validated cryptographic engine.

Easy to Use
Entrust IdentityGuard enables organizations to choose from a range of authentication options tailored to meet the unique requirements of their users. The platform provides the capability to manage everyday authentication in the enterprise with one type of highly usable authentication, such as grid, and to leverage another option, such as knowledge-based authentication, for applications like self-service user recovery. All authenticators are administered through one central Web-based console, making management simple and efficient. For organizations leveraging strong authentication for Microsoft Windows desktops, users are able to work both online and offline, making it a true enterprise application for users on the go.

Non-Invasive, Open Platform
The Entrust IdentityGuard versatile authentication platform is designed to work within an organization's environment with little impact on the existing infrastructure. It does not require additional client or server software for VPN remote access, interoperating with leading IPsec and SSL VPN products from Nortel, Cisco, Check Point, Juniper Networks, F5 and more. The solution also includes native 802.1X support. For Microsoft Windows authentication, Entrust IdentityGuard requires a small-footprint client that presents the Entrust IdentityGuard grid challenge as a second step of Microsoft Windows authentication. For Web applications, organizations can leverage standard Web service APIs to integrate directly into an enterprise portal, or use a standard ISAPI filter to protect leading applications like Microsoft Outlook Web Access. The solution leverages the current user repository - whether it is LDAP, Active Directory or a database - and is architected to address the high scalability needs of large organizations.

Entrust & You

The Entrust IdentityGuard versatile authentication platform offers the widest range of authenticators available on the market today. From easy-to-use grid cards and IP-geolocation capabilities to one-time-passcode tokens, the solution provides organizations, financial institutions, enterprises and government agencies seamless, efficient methods to deploy strong multifactor authentication as part of a comprehensive layered security strategy.
