Trusted Identity & Access Management The Next Critical Step In introduction, provide bridge between what they just heard—probably hard core security related content—and the “identity message.” What you’ll be talking about is taking that security approach to the next level—the individual—and how to assure that individual’s identity is safe across mediums, while not interfering with successful access to materials, inside and outside of the enterprise. This is a message of productivity, user convenience, and management efficiency—not the “typical” security message, but one that is going to be become more and more important to organizations striving to increase security while maintaining a user and management focus.

Identity Provisioning Application Integration RSA Market Presence Identify Users and Devices Manage/ Personalize Access Ensure Integrity of Information Ensure Integrity of Transactions Identity Provisioning Application Integration Access Management Digital Signatures Authentication Encryption Management In addition to our product vision, we have world-class service capabilities and world-class partnerships This provides what Geoffrey Moore (“Crossing the Chasm”) refers to as the “whole product solution” Information and Transactions People and Devices

RSA Authentication Solutions High-Level Differentiation Using RSA SecurID as an example, here’s how various options for user authentication can be differentiated -- use the right tool for the right job RSA Mobile’s great benefit is zero deployment Verbally mention that it can be sent to other devices besides the phone (Blackberry, pager) etc..

Two-Factor User Authentication

Building the Authentic User Authentication binds people to their digital identities Password Authorization enables a digital identity access to services according to policy Certificates bind digital identities to transactions and provide data integrity “Let’s meet next week to discuss our merger. As you know our common stock allocation needs to be handled carefully. This is a critical time - any leakage of the Far East situation could be catastrophic” Enablement of applications to securely process “real-world” business rules is achieved via Cryptography

Time-based Token Authentication Login: JSMITH Passcode: 2468 234836 PASSCODE = + PIN TOKENCODE PIN TOKENCODE Token code: Changes every 60 seconds Clock synchronized to UCT Unique seed Corporate Presentation 16

RSA SecurID Two-factor User Authentication Proven & pervasive 12 million+ users in 8,000 companies 220 RSA SecurID-ready products from 100+ partners SecurID Express deployment service Scalable to 3000,000s of users Broad range of authenticators RSA SecurID and hybrid PKI RSA SecurID, Web Agent and SSL provide secure communication with no special client SW

Tokens do a Simpler Job... Identification & Authentication Firewall RAS Intranet Internet Identification & Authentication No client software required Very simple to use and deploy

How Customers Use RSA SecurID E-Business Internet RSA Agent Internet Access VPN or Firewall Enterprise Access RSA ACE/Server Intranet Mainframe Enterprise Unix Web Server Applications & Resources RAS RSA Agent Remote Access Let’s look at the overall picture, then go into these areas in more detail. As you know, secure remote access has been our traditional market. The good news is that this market is growing at 35% per year so it continues to be an important market for us and for our customers. What’s new for us is the attention on Internet-based remote access - most commonly VPNs and Firewalls. We want our customers to be able to take advantage of the Internet for remote access, so we have made it possible by making ACE interoperable with almost all of today’s virtual private network solutions. As companies are driving to be more efficient. This means getting their products to market better, faster, cheaper than the competition. To accomplish this they are creating E-Business applications (in the form of extranets or other e-commerce applications) letting partners, customers, contractors onto the company intranet or extranet to get the information they need to be successful. In recent times, more and more focus is being placed on the enterprise network. I am sure we are all familiar with recent studies that cite disgruntled employees as one of the major threats to an organization’s network. In fact, the CSI and FBI recently reported that nearly 50% of network hacks originated with employees. The amount of sensitive information being stored on the enterprise network is increasing. Examples include Engineering Plans, Acquisition information, Employee salary information To help reduce this risk, RSA Security is focusing on securing local network access.

RSA Smart Badging Building Access PC Access Proximity PC Mag-Stripe Network Web and Web App. Access RSA SecurID Passage Partners HID RSA SecurID 5100 The RSA SecurID Smart Badge solution provides impenetrable two-factor authentication for safeguarding physical assets (such as buildings and inventory), information assets (contained in computer systems and networks) and people (including employees and customers). By insulating your business from both internal and external threats, the RSA SecurID Smart Badge solution supports and extends your total security policy. CAC Approved

Windows-based Application SSO 1st Time Access User gains access to application User puts card in reader Enters PIN Clicks on application Step 1 PC Login Step 2 Train Passage User clicks “Learn” User enters application information

Introducing RSA Mobile Upon receiving a valid username and PIN, RSA Mobile sends a one-time access code to the user's portable device. Two-factor authentication Leverages a device the user already has Zero-deployment, zero-footprint Intuitive, easy to use and highly portable Emphasis on zero footprint, zero deployment! IDC Quote: “RSA Mobile software brings strong authentication to the mobile world, removing the need to deploy any hardware and software to the end-user. With more than 200 million SMS users in Europe, the product leverages a device that people already have and use, and may open the door to new larger-volume markets through its scalability and cost-efficiency,” said Thomas Raschke, program manager European security products & strategies at IDC. “RSA Security is presenting a consumer authentication solution to companies with Web-based, high-end user volume B2C or B2B applications, such as financial services and telcos. RSA Mobile authentication software serves to enhance both customer trust and revenue generation while reducing the risk of fraud,” added Raschke. Ovum Quote: “RSA Mobile authentication software provides an order-of-magnitude advance in delivering increased assurance of an Internet user’s identity in an easy to use form,” said Graham Titterington, senior analyst at Ovum. “It is anticipated that it will be popular with both end users and organizations providing services over the Internet.”

How RSA Mobile works Start here Steps in using RSA Mobile Web Server Agent Userid + PIN Userid + PIN Start here RSA Mobile Authentication Server Userid + PIN Access code + Phone # Access code 294836 e-Mail Server or Gateway Server Telco Network Steps in using RSA Mobile Not shown: User attempts to access a web page that is protected with RSA Mobile. Agent intercepts the request and requests user authentication. User enters Userid and PIN RSA Mobile Server looks up user’s phone number, calculates his access code and forwards it to the SMS Gateway SMS Gateway forwards SMS message to telco (NOTE: Mention how this would work in email option) Telco sends SMS message through the air to user’s phone User enters access code and is granted access to the protected web page Upon accepting a userID and PIN, RSA Mobile Server sends a challenge string back to the user’s browser. The challenge string is stored in browser and is completely hidden from the user. It is passed back to RSA Mobile when the user enters his access code. This provides security as a user must enter his access code into the same browser from which he requested it. Leverage existing infrastructure: LDAP internally, GSM network externally If out of coverage, can use Temporary Access Password Can be set in advance of a trip for a specified validity period Can be set by a) calling help desk or b) customer can implement user self service using Admin APIs Access code 294836 Access code 294836 Text Message

User Authentication (IV)

Certificate Management Solutions RSA Keon Web Server SSL Enabling cost-effective trusted server authentication RSA Secure e-Forms Signing Enables trusted transactions for streamlined business processes RSA Secure e-Mail Enables trusted messaging for streamlined business processes RSA Smart Badging Combining physical and logical access for an enhanced ROI

RSA Keon Web Server SSL Solution Solution components include: RSA Keon CA RSA Keon Root Signing RSA Professional Services Functions: Enables organizations to issue & manage SSL certificates Alternative to service-based SSL model Business Benefits: Improved total cost of ownership Rapid return on investment Accelerated deployment and ease of use Trusted foundation for deployment of secure e-business Sales order the Solution, the solution includes the components…. What is this solution focus: RSA Keon Web Server SSL Solution offers a compelling alternative to third-party SSL certificate services providers. Traditionally, organizations have had little choice other than to rely upon third-party service providers to issue and manage their on-line corporate identities but this has all changed. The RSA Keon Web Server SSL Solution is a complete solution to allow an organization to issue and manage trusted SSL certificates for themselves. The solution includes the RSA Keon Certificate Authority, and the Keon Root Signing Service to allow an organization’s CA to be signed by the trusted RSA Certificate Authority. In addition, the Keon Web Server SSL Solution includes a Quick Start Package which encompasses a set of service-based delivery items in support of implementation planning, software installation, and training. Safeguarding e-transactions is critical for e-business success. RSA Keon Web Server SSL Solution delivers the level of trust enterprises’ demand for e-business. Unlike other Trust Authorities who offer service-based solutions, RSA Keon Web Server SSL delivering a fast, easy-to-deploy and cost effective solution for organizations wishing to secure their e-business processes and manage online trust. Business Benefits: Rapid return on investment ·         RSA Keon Web Server SSL Solution offers a more cost effective method for addressing web authentication and online trust requirements compared to service-based models ·         3-year total cost of ownership significantly less than alternative year-to-year certificate purchase programs Accelerated deployment and Ease of Use Simplified administration of SSL certificates lessen the burden of issuing and deploying of certificates Streamlining enrollment processes enables e-business applications to be deployed sooner. Enterprise control over SSL server certificates enables immediate deployment of certificates, enables e-business applications to be deployed sooner with surety. trusted foundation for development, deployment, and scaling of secure applications and e-business services

RSA Secure e-Forms Signing Solution Solution components include: RSA Keon CA RSA e-Sign – Downloadable, zero-footprint applet RSA Keon Web Passport optional Functions Demonstrates intent Authenticates the signer Assures the integrity of signed data Supports non-repudiation Benefits Prevents “breakage” in e-business processes Enhanced e-based revenue opportunities Support for legislative compliance Sales order the Solution, the solution includes the components…. The promise of the Internet as an electronic medium for conducting high-value business transactions traditionally performed in person has yet to be fully realized. While it is true that parties can communicate, exchange information, and negotiate securely, the process typically moves to a paper-based environment at a critical juncture: the point at which a signature is required. Each time a user has to print a form, sign it and send it to the intended recipient the electronic process is interrupted causing delays in business and severely limiting an organization’s ability to take full advantage of e-business efficiencies. Signatures present a challenge for e-Business: Ability for organizations to achieve trusted and secure end-to-end electronic processes is hampered by the requirement of signatures. Signatures cause a “breakage” in the end-to-end electronic processes. Impact: organizations resort to less efficient means to complete business transactions; negatively impacting business processes. What is this solution focus: The promise of the Internet as an electronic medium for conducting high-value business transactions traditionally performed in person has yet to be fully realized. While it is true that parties can communicate, exchange information, and negotiate securely, the process typically moves to a paper-based environment at a critical juncture: the point at which a signature is required. Each time a user has to print a form , sign it and send it to the intended recipient the electronic process is interrupted causing delays in business and severely limiting an organization’s ability to take full advantage of e-business efficiencies. Impact upon business processes: organizations resort to less efficient means to complete business transactions; negatively impacting business processes. For organizations looking to improve business efficiencies by replacing paper-based forms or extending existing e-business processes with e-based forms, RSA Secure e-Form Signing Solution provides digital signatures to enable trusted end-to-end electronic processes. With RSA Secure e-Form Signing Solution, organizations can streamline business processes reducing cost as well as becoming more responsive to business demands and customer convenience while ensuring the signer’s authenticity and integrity of the information to meet compliance requirements. Business Benefit: Enable secure end-to-end electronic processes resulting in business process efficiencies - Improved efficiencies, the streamlining of business process leads to cost savings and cost savings leads to improved revenue results - Enables organizations to operate at the speed of eBusiness: capable of handling processes electronically end-to-end in a secure and trusted manner. Support for Legislative Requirements Assist organizations in addressing electronic signing legislation requirements. Major legislation includes: ESIGN, HIPAA, 21 CFR Part 11, GPEA, EU Directive on Electronic Signatures as well as the Japanese Law Concerning Electronic Signatures and Certification Services. Despite the variations in legislation from country to country as well as industry-to-industry electronic signing solutions based on digital certificates are capable of addressing the primary technology requirements. This untrue of other e-signatures solutions.

RSA Secure e-Mail Architecture e-Mail Client Enroll for digital certificate Certificate issued & e-mail configuration scripted RSA Keon CA with OneStep INVISIBLE TO USER Secure e-mail enables organizations to add security features to the e-mail messages sent using Microsoft Outlook. An end user can sign a message with a digital signature to ensure that the message is not altered and to ensure the recipient that the message actually came from the originator. An end user can also encrypt the message to ensure that the message (and any attachments) cannot be read by anyone other than the intended recipients. To send someone an encrypted message, you need a copy of their public encryption key which may be available from their encryption certificate stored in Microsoft Exchange Global Address List. e-Mail configuration script publishes certificate information into Microsoft Global Address List G.A.L.

Agenda Identity Management RSA Security’s role in Identity Management Define the term Explore the value The evolution RSA Security’s role in Identity Management “Trusted Identity and Access Management” The Liberty Alliance project Summary Quickly summarize what we’ll be going through.

To succeed, it must also infuse TRUST. Let’s Define the Term “Identity management is a process, rather than a function, inclusive of provisioning new users, executing the work flows needed to grant access, and managing application use.” “…identity management needs to focus on the user’s entire security lifecycle. AMR Research – June 2002 To succeed, it must also infuse TRUST. By show of hands (if you want to get interactive w/ audience)—how many of you have heard of the term “identity management”? It’s certainly been getting a lot of interest and press lately, with everyone looking at it just a little differently. At its core, identity management is a multi-part process (reference above)—about a user’s entire SECURITY lifecycle. This discussion belongs squarely with your security decisions as this is about access and security. And all of this, of course, assumes TRUST.

Trusted Identities: Coupling Identity and Access Management An un-trusted identity won’t be of use to anyone How do you establish a trusted identity? Authentication Identity and access privileges are tightly coupled Who I am and what I can do Separate but related The line between authentication, proof of identity, and access management begins to blur Why is trust so important? Well….what good is a single identity if it’s not trusted? …..

Where’s the Real Value? Interoperability Applications, Networks Establishing Trust in Identity Enforcing Business Policy Emphasis here is infusion of the interoperability across applications and networks—emphasize RSA’s unique capabilities here and core corporate strengths that bring all of these business benefits to reality. Storage & Retrieval Automating Account Creation & Termination

Trusted Identity & Access Management RSA Security’s View What it is Intelligent use of identity Ability to securely manage the full lifecycle of an on-line or digital identity What it is not It’s not simply the ability to store or provision digital identities Trusted identity and access management is about using identity intelligently. We’re working with customers who are using it within the enterprise, across the extended enterprise and successfully within B to C situations. When implemented effectively—for productivity and efficiency—this management of identity stretches across multiple, standards-based application and network infrastructures. Remember—this is about business optimization as well as user convenience. We’re talking about the ability to: Set up, update & terminate users and information Manage credential creation, issuance & revocation Create authentication policy enforcement and management supporting multiple methods Implement authorization policy enforcement and management It’s not just about storage. So many vendors stop here in their definition. Both the data store and the provisioning applications may be critical to identity management. But these are just a piece of the overall solution. Remember—this is about secure TRUST.

Trusted Identity & Access Management Benefits Enables cross-domain relationships Improved user experience Enables interoperability Reduced management costs Better policy enforcement / improved security Enables cross-domain relationships Trusted transactions Employees, partners, customers Same identity within and outside the organization Improved user experience Single sign on/authentication to web and network resources Single credential request, provisioning and use Enables interoperability Integration of multiple systems inside/outside organizations Multiple standards-based environments Liberty, .Net, and x.500 Reduced Management Costs User information Authentication & authorization policy Credentials creation, issuance & deployment Reduced help desk/support costs for authentication & credentials Better policy enforcement/improved security Supports simple to robust authorization requirements Meet specific authentication requirements Session management Simplified management

Putting the Value into Perspective An Analogy An ERP installation requires the SAP software and an underlying database engine like Oracle. Both are required. Which one provides the most business value to the organization? Trusted identity and access management touches every element of your business, from a user and management perspective. It provides tremendous user convenience and management productivity—not to mention increased security.

Trusted Identity & Access Management The Evolution Future Application Real-time B2B negotiations and transactions Consumer single sign-on Shared security infrastructure Transaction context sharing Outward-facing e-Commerce Value Delivered Supply chain integration Shared leads – CRM Inventory and fulfillment Channel optimization Immediate Application Partner Community Talk through the slide—short and long term benefits to a successful implementation. Again—what’s cool about this message is it’s about security AND user convenience and management time and cost savings, and it leverages what organizations have in place. All with trust at the backbone. Cost savings Ease of use/efficiency Within the Enterprise Adoption Timeline

Liberty Alliance Membership Partial List www.projectliberty.org To help drive the trusted identity and access management discussion and vision forward, RSA Security is a founding member of an organization called the Liberty Alliance. Working together with many consumer and technology companies from across the globe—representing over a billion end customers worldwide--RSA Security is working to create standards that can be implemented by many different companies across various products. The goal of the Liberty Alliance is to establish technical standards to facilitate the deployment of federated identity solutions and support a broad range of products and services. Ultimately, this is about e-business enablement and improved ease of use for users. More information about this strong organization is available at www.projectliberty.org.

RSA Security and Standards for Identity Management Liberty Alliance SAML .Net (Microsoft) Web Services RSA Security will bridge Identity Management platforms by providing higher level security and integration across multiple, heterogeneous environments. There are many organizations that are working toward standards in the identity management world. In addition to Liberty Alliance, RSA is active with SAML—a standard driven through OASIS, a key standards body; .Net—here in Seattle, you’re well familiar with that Microsoft movement that reaches across MSFT products and will be supported across our products; and Web Services applications, which at their core must be secure and provide a backbone for trusted identity. Because of our core products and corporate philosophy, we will bridge these various platforms by providing higher level security and integration across multiple, heterogeneous environments. Remember—this is about easing the management challenge as well! Liberty Alliance As the sole security vendor among the the sixteen founding members, RSA Security is committed to delivering Liberty Alliance-compliant solutions in early 2003 SAML RSA Security was one of the two primary drivers behind the development of the SAML standard in OASIS and will continue to lead the implementation of SAML .Net (Microsoft) RSA Security plans to incorporate both the issuance and consumption of Passport assertions into our products to allow them to fully function in a .Net environment Web Services RSA Security is committed to enabling security for Web Services-based applications to consume identities provided by an ID Mgmt system

Summary Identity management is a process Value is in establishing trust in identity and enforcing business policy “Trusted Identity & Access Management” is the intelligent use of identity and the ability to securely manage the full lifecycle of an on-line or digital identity RSA Security is uniquely positioned to provide Trusted Identity and Access Management solutions RSA Security will bridge all Identity Management platforms by providing higher level security and integration across multiple, heterogeneous environments Key points, again, are it’s all about trust. We believe in this, we’re committed to it, we’re acting on it, and you’ll see if first from us.

A+ Technology Solutions, Inc. The Most Trusted Name in e-Security® Christopher May A+ Technology Solutions, Inc. Phone# 877-797-6197, ext. 2238 www.rsasecurity.com