Detack "sign" is a suite of products that started as SAP® authentication middleware integrating multiple single- and multi-factor authentication sources.
Detack "sign" has grown into a comprehensive IA (Integrated Authentication) solution that today supports the Windows® logon, almost any type of web-enabled application, various networking and VPN systems, terminal services and other specific applications. Another notable feature is that a virtually unlimited number of different authentication sources and methods can be supported, whether standard, Detack or third-party solutions.
Detack has developed its own strong authentication solution that acts as a credential verification source for the "sign IA" environment: besides the standard authentication sources such as RADIUS, LDAP, etc., clients can now use the Detack authenticator. This solution is based on the industry-standard PIN / iTAN (indexed TAN) method of providing multi-factor authentication and transaction authorization.
Several thousand international users already access sensitive and protected applications on a daily basis through the authentication system provided by the Detack "sign IA".
External Access Security
Gaining unauthorized external access to sensitive company data is on the daily agenda of attackers, whether to retrieve information or even to manipulate data. The question is what an appropriate security design looks like to protect access to sensitive company data. The first protection layer an attacker has to bypass is usually the logon; this is where single sign-on comes in.
The Detack "sign IA" product suite protects against attackers from the outset. Access to the connected systems is only possible through the "sign IA". Anonymous attackers get no chance to reach sensitive systems; the attack risk is thereby reduced from innumerable attackers to the few who hold valid access credentials. In case of an intrusion, the "sign IA" supports forensic analysis through comprehensive logging performed in a compliant manner. Given the extensive application access of registered users, the central access point is additionally protected by multi-factor authentication: with tokens (e.g. RSA®), smartcards (e.g. ActivCard®) or Detack's own PIN / iTAN solution. The "sign IA" allows separate trust zones to be designed that differentiate between user groups and their origin, e.g. username and password only for internal logons, while the Detack PIN / iTAN Authenticator is required for external logons. The user must also be authorized for access to particular applications; the granular application access restriction allows separation per user or per group. Because of the high security requirements, each existing user has exactly one digital identity for the whole session, so anonymous or technical users are prevented. The result is permanent transparency about who had access to the system at any given time.
To reach the highest security standard, the "sign IA" deploys time-restricted and PKI-signed tickets. The entered logon password is thereby transferred only once, during validation of the credentials; the password itself is not stored in the ticket. In the next step the user is automatically authenticated to all applications he is authorized to connect to.
The "sign IA" can be used for any SAP application, various web applications, VPN systems, terminal services, etc. All common authentication sources, whether software or hardware, are supported plug and play. This also includes all standard tokens and smartcards. Rolling these out to many users involves enormous costs; the solution here is the Detack Authenticator based on the industry-standard PIN / iTAN. It provides a customer-oriented and cost-effective deployment through a printed list of around 400 indexed one-time passwords (iTANs, a system known from online banking) of 5 to 6 digits each.
Internal Access Security
Externally reachable systems are obvious attack targets, but internal systems are also at risk, which is often overlooked. These internal IT risks can arise from the company's own personnel, from service providers, and from attackers with physical access to the company's premises. System-specific threats such as RFC connections between productive and test systems could also help attackers compromise a system. For this reason the proven protection mechanisms of the "sign IA" also contribute to safeguarding internal systems, raising IT security significantly without sacrificing usability. Inside the intranet, users require permanent and stable system access. Fast reaction times are therefore a basic need in order to raise efficiency and competitiveness and, as a result, to reduce cost. The user is not overwhelmed by innumerable passwords: a single username and password, plus a further authentication component on demand, is sufficient to authenticate against all authorized systems. Forgotten and hidden passwords at the workplace are significantly reduced, and the modern self-service functions assure productivity, so cost benefits from fewer helpdesk calls and less downtime can be realized.
To make the logon process as comfortable as possible, integration of the Microsoft Windows® logon is obligatory:
The "sign IA" offers real Single Sign-On: the integrated applications require only one authentication, which allows the highest password complexity and thereby significantly raises the IT security level. The following is a short description of the authentication process:
The user authenticates as normal on his workstation using the Windows® logon. After successful verification of his credentials a Kerberos ticket is created. If the domain controller confirms the validity of this ticket, the user automatically receives a "sign IA" logon ticket, without further authentication being required for the connected applications.
"sign IA" is also easy to manage, through an individually designable interface that assures transparency and comprehensibility. The use of existing databases reduces administrative effort to a minimum: the "sign IA" includes a direct connection to Active Directory / LDAP as well as other databases. It can therefore be implemented into the existing system landscape without great effort.
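The ticket mechanism described above (time-restricted, PKI-signed, password not stored in the ticket) and the logon step that issues it, as an added Go example that is not Detack's code: the ticket layout, the Ed25519 signature and the credential-source callback are assumptions standing in for the product's own format and authentication sources.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"time"
)

// Ticket stands in for a "sign IA" logon ticket (hypothetical layout): user, trust zone, expiry; never the password.
type Ticket struct {
	User    string    `json:"user"`
	Zone    string    `json:"zone"`
	Expires time.Time `json:"expires"`
}

type SignedTicket struct{ Payload, Sig []byte } // encoded ticket + issuer's Ed25519 signature

// Logon hands the password to the credential source (RADIUS, LDAP, iTAN ..., modelled as a callback) exactly once
// and returns only a signed, time-limited ticket.
func Logon(priv ed25519.PrivateKey, verify func(user, pw string) bool,
	user, pw, zone string, now time.Time, ttl time.Duration) (SignedTicket, error) {
	if !verify(user, pw) {
		return SignedTicket{}, errors.New("credentials rejected")
	}
	payload, _ := json.Marshal(Ticket{User: user, Zone: zone, Expires: now.Add(ttl)}) // cannot fail for these fields
	return SignedTicket{Payload: payload, Sig: ed25519.Sign(priv, payload)}, nil
}

// VerifyTicket is what each connected application does: signature first (issuer's public key), then expiry.
// The password is neither needed nor present.
func VerifyTicket(pub ed25519.PublicKey, st SignedTicket, now time.Time) (Ticket, error) {
	if !ed25519.Verify(pub, st.Payload, st.Sig) {
		return Ticket{}, errors.New("ticket signature invalid")
	}
	var t Ticket
	if err := json.Unmarshal(st.Payload, &t); err != nil || !now.Before(t.Expires) {
		return Ticket{}, errors.New("ticket malformed or expired")
	}
	return t, nil
}

func main() { // stand-alone demo with a constructed credential check
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	src := func(u, pw string) bool { return u == "alice" && pw == "correct-horse" }
	st, _ := Logon(priv, src, "alice", "correct-horse", "internal", time.Now(), 10*time.Minute)
	_, err := VerifyTicket(pub, st, time.Now())
	println(err == nil, string(st.Payload)) // true, and the payload holds no password
}
```

In the Windows® logon path the callback would be replaced by the domain controller's confirmation of the Kerberos ticket; the issued "sign IA" ticket is the same.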
A full description of the modules contained in the "sign IA" is available here.