2008 Shaping Info Security

Centralized security platform & biometrics authentication


SITUATION/CHALLENGE - Telecom Italia Mobile in Brazil faced an urgent business risk and needed to improve the security of its enterprise desktops. The Chief Information Officer (CIO) at TIM Brazil identified several enhancements and technologies that would improve IT security, one of which was to add two-factor authentication to the PCS architecture. The challenge was finding the right combination of technologies to achieve this goal.

Visiant Security was selected to work with Telecom Italia Mobile in Brazil to solve the desktop security challenge, based on its previous experience in implementing IT access control solutions for Telecom Italia’s desktops, applications and servers. Visiant Security proposed using a combination of fingerprint scanners with smart cards that would be seamlessly integrated into an enterprise access control solution from Fox Technologies and CA’s SiteMinder solution.

The selection of these combined products was based on the applications and IT environment at Telecom Italia Mobile in Brazil including the PCS architecture.  The PCS architecture required very specific combinations of products and solutions including the need to combine smartcard technology with a two-factor solution. 

FoxT’s BoKS Access Control was selected as a core platform for the solution because it provides centralized, enterprise-wide access control management for desktops through to standard and bespoke applications. With BoKS, IT policy and roles for access to all desktops and applications are defined centrally, and the architecture then authenticates each access attempt based on the location, credentials, access route, and IT policy prescribed for the user’s role. These policies include the use of passwords, SecurID tokens, smart cards, and X.509 certificate-based authentication where strong authentication mechanisms are required. The solution then enables single sign-on for web-based access and client/server applications.

Info Security Products Guide
 


FoxT Partner: Visiant Security
Team Lead: Enrico Togni
Award Winner: Visiant Security, Rome - Italy
Company Nominating: Fox Technologies (FoxT)


SOLUTION - In order to achieve the unique requirements posed by Telecom Italia in Brazil for securing the desktops and applications in the PCS architecture, Visiant had to determine which authentication technologies and access management software to utilize.

Visiant Security had many requirements to consider in their selection of the two-factor authentication devices used for the solution including the following factors:

  • The finger image had to be used as the unlock code for the smart card.
  • The device had to have the “match-on-card” feature.
  • The device had to be able to support PC/SC cards and PKCS#11 card drivers.
  • Performance metrics included the need for the verification time to be less than 1 second and the identification time (2000 recs.) to be less than two seconds.
  • The device also needed to support a USB interface.
  • The technology also needed to be compatible with the existing X.509 PKI.
  • The biometric data had to be encapsulated in an X9.84 biometric token.

Visiant also required the core solution to have a robust Software Developers Kit (SDK) in order to simplify integration with CA’s SiteMinder solution and the related technologies.

Based on these requirements, Visiant determined that they would integrate the smart card, FingerPrint Reader Sagem MorphoSmart 1350, with FoxT’s Access Control for Desktops and Access Control for Applications to address the security needs laid out by Telecom Italia in Brazil and the requirements of PCS. 

The FoxT solution provides the centralized access control management of the desktops and applications across the enterprise so that any Client Server application secured on PCS could securely login.  In order to permit the use of an external certificate or a third party device, it is possible to import and set another Certificate Authority in the configuration menu of the BoKS Access Control Suite.  This external Certificate Authority issues the user certificates, which are inserted in the smart card.  This user certificate is then used for the strong authentication in PCS. 

From the user’s certificate (.p12 format) it is possible to select a unique field and use it to link the certificate to the BoKS user in the BoKS database. In addition, the FoxT BoKS solution provides a smart card management module and interfaces to a PKCS#11 provider, which Visiant was able to leverage for the integrated solution.

Access attempts to the client/server applications are managed by FoxT’s BoKS Access Control for Applications solution. The FoxT software intercepts the login request and prompts the user to provide their personal smart card. The desktop retrieves the smart card’s public information and communicates that data to the FoxT BoKS security server. The FoxT BoKS security server then sends a challenge to the desktop in order to unlock the virtual card linked to the user. The BoKS Desktop agent then sends an encryption request to the smart card. The YPSID middleware intercepts the request for decryption and automatically prompts the user for a fingerprint. If the operation succeeds, the BoKS desktop authorizes the user to unlock the virtual card.



CONCLUSION -
Through Visiant Security’s unique integration of FoxT’s BoKS Access Control solutions with smart cards and fingerprint biometric devices, Telecom Italia in Brazil is now able to ensure a much higher degree of control over its end-user workstation and application environment in a fully auditable manner. The FoxT Access Control solutions simplify and enforce central security policy and credential management, including the ability to flexibly define how users should authenticate when they log in. Administrators can define security policies for access and distribute them automatically. Administrators can also easily expand and restrict system access, and distribute, enroll and renew certificates much more easily. The entire solution enables integration with CA’s SiteMinder to fully leverage the existing investment, while further securing the IT infrastructure.


Fox Technologies (FoxT) 
883 N. Shoreline Blvd. D-210
Mountain View, CA  94043

Tel: +1-425-706-0044

Visiant Security
Via Mardella Cina, 266 00144 Rome, Italy