Usher: a comprehensive enterprise security guide

USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE
TABLE OF CONTENTS
Introduction ... 5
  Logical access controls ... 6
  Physical access controls ... 6
  Identity authentication solutions ... 7
Chapter 1: Components of an enterprise security deployment with Usher ... 8
  Mobile credentials (Usher Security) ... 8
  Usher badge ... 9
  Time-limited Usher codes ... 9
  Validation panels ... 11
  Digital keys for physical access ... 13
  Sight code panel (only available in SDK) ... 13
Chapter 2: Badge security and configuration ... 14
  256-bit AES encryption of user attributes ... 14
  Integration with Touch ID ... 15
  Offline capabilities ... 15
  Add a badge from deep link in email ... 15
  Badge information ... 16
  Upload profile image ... 17
  Remove a badge locally ... 17
  Badge recovery ... 18
  Image caching ... 18
  Encrypted access tokens for authentication ... 19
  Offline Usher code generation ... 19
  Encrypted X.509 PKI certificates ... 20
  Out-of-band identity transmission ... 20
  Encrypted channel for data transmission ... 21
Chapter 3: Network management ... 22
  Network creation ... 23
  User management ... 24
  Usher agent for Active Directory ... 24
  Network administrators ... 25
  Badge management and design ... 26
Chapter 4: Authentication and access ... 27
  Logical access and methods ... 28
  Physical access and methods ... 31
  Behavioral-based conditions/fencing ... 34
  Extension to Apple Watch ... 35
Chapter 5: Workforce productivity with Usher Professional ... 36
  Discovery views ... 37
  User profiles ... 38
  Search capabilities and saved groups ... 39
Chapter 6: Intelligence and reporting with Usher Analytics ... 40
  Interface ... 41
  Transaction logs ... 43
  Pre-built dashboards ... 44
Chapter 7: Usher server ... 46
  Server architecture ... 47
  Server components ... 47
  Common library and tools ... 47
  Server deployment ... 48
  Deployment architectures ... 48
  Secure Cloud ... 48
  Certifications and controls ... 48
  FIDO certification ... 48
  Systems ... 49
  Current server environment (multi-tenant) ... 49
  Operations ... 50
  Technology ... 50
  Monitoring ... 50
  Maintenance ... 50
  Security operations ... 51
  Vulnerability management ... 51
  Event logging and auditing ... 52
Chapter 8: Custom implementation (SDKs) ... 53
  Mobile SDK workflows ... 54
  Usher as a mobile app authentication mechanism ... 55
  Usher as an enterprise SSO provider ... 56
  Usher as a step-up authorization provider ... 56
  Usher as a peer-to-peer authentication provider ... 57
  Mobile SDK ... 57
  Server-side SDK ... 57
  Platform RESTful API ... 58
  Physical Access Control System API ... 58
Chapter 9: Deployment scenarios ... 59
  Higher education ... 60
  Federal government ... 62
  International airport ... 63
  Financial services ... 64
Chapter 10: System requirements ... 66
  Up-to-date documentation links ... 67
  Recommended production configuration ... 67
  Development and pilot configuration ... 68
  Usher Professional and Usher Analytics ... 68
  Usher physical gateways ... 69
  Usher evaluation edition license keys ... 69
Introduction
The threat of industrial espionage today is all too real; it seems that
every day another company’s confidential information is hacked—and
the cost of these security breaches is escalating at an alarming rate.
According to a study conducted by the Ponemon Institute, the average
cost of an information security breach to a U.S. company is $3.5 million;
this figure doesn’t even include the mega-corporations who were most
recently the victim of an attack. What the Ponemon figure also doesn’t
represent is the post-attack cost to a company’s reputation. We all know
public trust is a key requirement for revenue and business continuity.
Reputation can be a company’s biggest value driver, or its worst enemy.
For one highly visible retailer, the latter came true in 2014. This name-brand retailer estimated that in Q2 2014, the costs associated with their
security breach exceeded $148 million. Forrester Research Analyst John
Kindervag suggests that over time, those costs could eclipse $1 billion.
The moral of the story: your information is too valuable to be protected
by traditional and outdated security measures. As a result of these
trends, businesses of all types are making 2015 the year of information
security, or InfoSec. MicroStrategy has identified three crucial types
of investments in the field of identity and access management (IAM)
and advanced authentication (AA) and built all three of them into a
single security offering, Usher. This Usher product guide addresses
industry issues as well as capabilities, security details, and use cases.
Investment 1: Logical access controls
Logical access controls ensure only appropriately credentialed employees have access to your
workstations, applications, and information networks. Unfortunately, at many companies,
employees across the organization have unhindered access, typically “resolved” by controlling
access via passwords. Here’s an alarming statistic: 76% of all cybersecurity breaches are caused
by weak or compromised passwords. Equally striking, it costs your firm anywhere from $51–$147
every time someone needs a password reset. This cost is driven by the number of calls your help
desk fields exclusively for password resets (Fact: 30% of all help desk calls are a result of forgotten
passwords). Standard logical access controls like passwords are surprisingly expensive to your
firm, even without a breach. By relying on passwords, your organization is leaving itself vulnerable
to even greater costs, as passwords are easily hacked by internal and external threats alike. It is
critically important for your organization to secure its sensitive information using effective logical
access controls. Essentially any access control utility that relies on simple data entry—including
passwords, PINs, and knowledge-based questions—is not enough. Security measures like these
cannot account for the person inputting the data. Much like physical security platforms, logical
access platforms must leverage the person’s true, non-replicable identity.
Investment 2: Physical access controls
Most companies utilize various forms of physical locks and keys for access control; these solutions
have obvious weaknesses. These weaknesses do not, however, stem from the solutions themselves.
Rather, they are the result of the user. Studies have shown that the top threat to an organization’s
data is its own employees. In fact, it has been reported that 69% of serious organizational data leaks
are caused by employee activities—both malicious and non-malicious in nature. With activities of
malicious intent, these leaks are often a result of employees physically accessing server rooms and
devices that contain sensitive information. In these situations, physical access controls are either
abused or, even worse, non-existent.
The most infamous information security hack of 2014 is a poignant example of failed physical
access controls. According to the hacker group responsible, they were able to obtain their victim’s
private information by leveraging employees on the inside with physical access to the target
network. If this is true, it implies employees physically injected a virus into the network that
enabled the hackers to access their victim’s data remotely. Additionally, if the hacker group did in
fact leverage employees, then it will be very difficult for the victim to recover fully. As CSO Online
points out, “physical security related breaches…are hard to contain and recover from because
evidence can be tampered with or simply removed.” What makes this story even more worrisome
is that the employees were said to have “similar interests” to the hacker group. No organization
wants to believe their employees are capable of being adversarial. However, it is nearly impossible
for an organization to prevent the possibility of a bad egg—there’s always the risk of a disloyal or
embittered employee attempting an information security breach. When this happens, it is critically
important that your company has suitable physical access controls to prevent a breach.
So what can your organization do to prevent a physical security-related attack? Most importantly,
consider how your employees currently access your physical computer network environment. Is it
with the turn of a key? Is it an electronic key fob? Is there an actual guard standing at the door? All
of these methods lend themselves to human error. Physical keys or key fobs can be lost or stolen. A
guard can mistakenly grant access to an unauthorized person. Every organization needs a physical
access control solution that authenticates individuals based not only on something they have
(such as a key, key fob, or physical badge), but also on something they know (like passcodes and
PINs), and something they are (biometrics). From the user’s standpoint, the access tool needs to be
difficult to lose, steal, and replace.
Investment 3: Identity authentication solutions
As greater emphasis is placed on improving physical and logical access controls, it becomes
increasingly important to manage these controls centrally. Information security is simply too
important to be directed by individual departments. Distributed ownership leads to unclear
accountability, making it difficult to identify security vulnerabilities and breaches without a
single unified platform. This trend toward centralized administration is called converged access
management (CAM). CAM is the ideal that every organization must strive to achieve. However, CAM
is all but impossible to achieve when employees are forced to use different forms of identification
for different types of authentication purposes. If employees use a physical badge to gain physical
access and a password to gain logical access, it is highly likely that separate administrators
manage each type of access. Organizations in this position sacrifice both efficiency and security.
To guarantee the best protection, organizations must adopt a single, comprehensive identity
authentication solution. For employees, this means a single authentication tool that is simple to
use. For administrators, this means an authentication platform that is difficult to defeat and doesn’t
require a specialized skillset to manage. And crucially, the identity authentication solution must
provide comprehensive threat monitoring and analysis.
Chapter 1: Components of an enterprise security deployment with Usher
Mobile credentials (Usher Security)
Mobile security badges allow enterprises to replace outdated methods of authentication such
as passwords, ID cards, keys, and security tokens, with a mobile app. Mobile security badges are
a more secure solution because they offer multi-factor authentication, dynamically changing
codes, encryption, telemetry, geo-fence controls, time-fence controls, and biometrics, all
running on a single instance on mobile devices.
[Figure: the Usher Security app badge view. A sample employee badge (name, title, and the
current Usher code) is shown; swipe up for additional profile information and swipe left or
right for additional badges. The bottom navigation has tabs for Badge, Keys, QR Code Reader,
and Settings.]
Usher badge
The badge is the center of the Usher user experience. Badges are uniquely branded for a given
enterprise and present publicly viewable information like name, title, and a photo. Users can have
multiple badges in the same app, and simply swipe left or right to switch between them.
Locally on the mobile phone, the Usher badge stores nothing more than basic user information
(such as name, title, and photo), an access token that authenticates the user, and an X.509 PKI
certificate that identifies the smartphone to the server as an Usher-enabled device.
[Figure: Usher badge data stored on the phone.]
• User attributes: only a simple, descriptive part of the identity is stored on the phone.
• Picture: a photo of the user for visual identification.
• X.509 PKI certificate: ensures that only Usher identities are authenticated.
• Access token: an access token for authentication of the user.
The Usher mobile app stores data on the smartphone in an encrypted format.
Time-limited Usher codes
Usher acts as an extension of a user’s identity and communicates that identity to a wide range of
devices and systems within the enterprise, including watches, phones, tablets, computers, systems,
and doorways. It does so using three different methods:
1. Usher codes: human-readable time codes of 4 to 8 digits that expire every 60 seconds or other
configurable time period.
2. QR codes: machine-readable, dynamic QR codes for scanning that expire every 60 seconds.
3. Bluetooth signals: Bluetooth low energy (BLE) signals that can transmit and detect Usher users in
close proximity using very low power consumption.
Prior to Usher, personal identity validation was limited to two imperfect systems:
1. The low-cost, low-security system that uses laminated pictures on official
looking cards, which are easily forged, stolen, or counterfeited.
2. The high-cost, higher-security solution that provides electronic validation using
dedicated biometric readers or smartcards with card readers or sensors.
With Usher, users enter time-limited Usher codes into their Usher badge’s user validation panel to
verify the identity of other users. After the pre-set time period expires, each code is refreshed and
replaced with a newly generated code. The previous code is rendered invalid and can no longer
be used. All Usher codes are linked to a specific device, enabling the server to precisely identify
the device being used. This architectural design ensures that the security risk associated with
stolen Usher codes is minimal, preventing replay attacks. Given the time sensitivity, these codes
are designed to withstand brute force attacks with the server throttling guessing attempts. In
short, the attacker only has the time period for which the Usher code is valid to try each and every
combination, making it highly improbable for the in-use Usher code to be guessed.
[Figure: timeline of Usher code rotation with sample codes 9867, 6231, and 5512 at 60 s, 120 s,
and 180 s; at each step the old Usher code expires and a new Usher code is generated.]
One-time, time-limited Usher codes act as short-lived, temporary identifiers of the client.
Validation panel
The QR validation panel, which is the third tab in the bottom navigation pane in the Usher Security
app, is a built-in QR code scanner. This panel lets users capture Usher QR codes, allowing them to
open entryways, unlock workstations, log in to applications, and authorize transactions (an SDK-only
functionality). For low-light situations, there is a built-in flashlight button at the top-left corner.
[Figure: the Validation tab (“Scan QR code for access”) and the Badge Information view for a
sample badge: Organization Acme Corp., Badge Employee Badge, Issue Date Sep 04, 2015, Email
[email protected]. The User Validation panel reads “You can validate users by their Usher Code or
by scanning their QR code” and shows the badge’s Usher Code (sample 0621) and QR Code.]
The User Validation panel (accessed by tapping on a badge to bring up the Badge Information
view, and then selecting “User Validation”) empowers users to verify the identities of other Usher
users, both remotely and in-person.
When remote, any Usher user can ask another Usher user via phone or chat for their 4- or 8-digit
Usher code, then type it into the User Validation panel and press ‘Enter.’ When in-person, navigate to
the QR code tab and scan the other user’s personal QR code from their badge information view.
Either workflow should return the same result.
You can then tap on the envelope in the top-right-hand corner to conveniently add the validated
user to your phone’s contact list.
Digital keys for physical access
Plastic ID cards used for physical access are easily lost, stolen, or counterfeited—problems that can
go days without being discovered. Additionally, physical ID cards grant entry based on possession,
without regard to the cardholder’s identity. By interoperating with the world’s most prevalent
physical access systems (Lenel, Honeywell, Paxton, Datawatch, S2 Security), physical entry points
can be controlled by Usher using encrypted digital keys attached to a mobile device. Users can rely
on the smartphone or Apple Watch to securely access virtually every entryway with digital keys that
can be remotely distributed and revoked in an instant.
[Figure: the Keys tab, with “Favorite Keys” and “All” filters, listing sample digital keys such as
HQ P3 Garage, L3 exit, L2 exit, L2 enter, L1 enter, HQ 14 Flr Elevator S, HQ P3 Lane 2 Entry,
HQ P3 Lane 2 Exit, HQ P3 Lane 3 Exit, and Innovation Lab.]
Sight code panel (only available in SDK)
Sight codes are animated, time-limited fractal images that are impossible to counterfeit and
provide instant visual indication that people are members of the same Usher network. They are
revealed by swiping left on an Usher badge, and are perfect for quick visual identification of a
group of people (e.g., employee identification in an emergency response situation, or quick
identification of event attendees). This has applications for any physical space that hosts multiple
events concurrently: badges for attendees of each event will display different sight codes.
Chapter 2: Badge security and configuration
256-bit AES encryption of user attributes
Only basic identity information, such as a user’s name, title, company, and photo, is stored
locally on the client. All user attributes are encrypted with 256-bit AES encryption and stored
in the phone’s encrypted storage area, ensuring that the user’s data cannot be compromised.
[Figure: user attributes rendered as 256-bit AES ciphertext.]
Basic user information is stored in an encrypted format on the smartphone.
Integration with Touch ID
Mobile hardware and software are becoming sophisticated enough so that everyone with a
smartphone can have a powerful, state-of-the-art biometric reader in their pockets. This added
layer of security comes at no added cost to the enterprise, as no investment in additional biometric
verification hardware is needed.
With Touch ID, the device operating system (OS) determines the procedure for capturing a
fingerprint in order to perform feature extraction and verification. A dialog that requests the user
to present their fingerprint is displayed. This dialog disappears upon successful acquisition of the
fingerprint image by the device, followed by a successful verification. The same dialog is displayed
if the verification is unsuccessful for up to three consecutive tries.
The fingerprint feature extraction is controlled and performed by the mobile OS; applications
such as Usher have no access to the extraction process or to the template. Usher does not have
fingerprint feature extraction explicitly in its workflow; instead, the presence of user enrollment is
checked and verification functionality is disabled if the user has not enrolled their fingerprint.
Offline capabilities
Usher offers several options for situations where network connectivity is not available.
1. Physical access: you can have a Bluetooth reader at the door, which is connected to the
network (hard-wired or Wi-Fi), and a disconnected Usher mobile client can unlock the door.
2. Logical access: a disconnected Usher mobile client can unlock a Mac workstation with Bluetooth.
3. Peer-to-peer validation: works when the validated user is offline, but the validator must be online.
Add a badge from deep link in email
If a user has just installed the Usher app and has not yet added a badge, a welcome screen is
displayed to remind the user to check their email for an invitation to add a badge.
After the administrator creates an Usher network and invites the corresponding users, each invited
end user (or the administrator themselves) will receive an email. If the user opens the mail on their
phone and clicks the activation link in the mail, the badge will be automatically added in the
Usher Security app (the mobile client).
If the Usher mobile client is not detected on the phone, the activation link will redirect the user to the
Usher Security app page on Apple Store or Google Play store to allow the end user to download and
install it. After that, the user can click the activation link in the email. The badge the end user has been
invited to add will be loaded automatically in the Usher Security app and displayed to the end user.
If this badge has already been added in the Usher Security app in the past, a message saying
“%Badge Name% badge has already been added previously” will be displayed.
Badge information
A “badge information” section is located in the “settings” of the Usher Security app. All badges added
in the Usher Security app will be listed in this section. Clicking a badge listed here will display all
information related to it, which includes:
1. Organization
2. Badge
3. Issue date
4. Email
5. Time-limited Usher code (also found on the main view of the badge)
6. Time-limited QR code (scannable for the purposes of verifying the legitimacy of this badge)
[Figure: Badge Information view for a sample badge (Ying Gayle Le, Marketing Manager):
Organization Acme Corp., Badge Employee Badge, Issue Date Sep 04, 2015, Email [email protected];
the User Validation panel shows the Usher Code (sample 0621) and QR Code.]
Upload profile image
If the administrator does not add an image to a user’s profile when creating the badge in Network
Manager, no image will be shown in the user’s badge. The user may be able to upload or change
their picture from the badge by tapping on the image placeholder in the badge information view
to activate the camera and photo library. Any new image captured or selected will be synced and
stored on the server along with the user’s other information.
Remove a badge locally
When in the badge Information view (accessed by tapping on any badge) scrolling down reveals
a button that allows a user to remove the badge from the app altogether. A pop-up dialog will
prompt the user to confirm the badge deletion. If this badge is the only badge in the Usher
Security app, deleting it will redirect the user to the welcome screen.
To remove multiple badges at once, navigate to the settings tab at the bottom of the app, and then
select “manage badges.”
[Figure: the Settings tab, showing Server (Usher Server, 9 badges), Your Badges (Badge Recovery,
Manage Badges), App Passcode (Touch ID: Not Required; Passcode: Not Required), and Contact Us
(Send Feedback, Report a Problem), alongside the Remove Badge button at the bottom of a badge’s
information view.]
Badge recovery
Badge recovery allows users to recover badges for the Usher Security app through the settings
screen of the application when at least one badge has been added. Otherwise, users will need to
enter an email address on the application landing page at first launch. The user will receive an email
with a deep link to restore all of the badges associated with his or her email address.
Image caching
In order to improve performance and reduce time/network traffic cost for users when switching
between badges or validating other users in Usher, Usher offers an image cache policy.
Each time a user validates another user’s badge in the validation panel or refreshes all of their badges
in the Usher Security app, the client will check the image cache for each of these badges.
1. If there is no image being cached, the client will fetch the image from the server and cache it.
2. If there is an image being cached, the client will compare the timestamp of this badge image with
the server to see if it is the latest one.
3. If the image being cached is not the latest one, the client will fetch the latest image from the server
and update it.
4. If the image being cached is the latest one, the client will display the cached image.
Encrypted access tokens for authentication
Usher employs access tokens instead of usernames and passwords, eliminating the need to send user
credentials over Wi-Fi, 3G or 4G networks for user authentication. This ensures that credentials cannot
be intercepted or phished during data transmission. Access tokens are stored in an encrypted format
on the smartphone and are only valid for a specific, but configurable, time period. Upon expiry, Usher
users must re-authenticate themselves to Usher and obtain a new token.
Offline Usher code generation
All Usher codes used for identification can be generated on the client, including the QR code
and the numeric Usher code. For numeric Usher code generation, the Usher server sends an initial
key to the Usher-enabled device, which stores this key on the phone in an encrypted format. The
Usher-enabled device then uses this key to generate time-limited numeric codes locally on the
smartphone. The Usher architecture is designed such that the initial key remains valid only for a
specific, configurable time period. Before expiry, the Usher server issues a new key to the device
for generating a new set of codes. The time-limited codes, which expire after a pre-set time limit,
not only are designed to withstand brute force attacks but also make it highly improbable for the
code to be guessed. In addition, the Usher server will throttle any attempts to guess Usher codes,
thereby preventing a brute force attack.
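The offline code scheme described here and under “Time-limited Usher codes” in Chapter 1, worked through as an added example that is not Usher’s own code: the client derives a numeric code from a device-bound key and the current time window, and the server verifies it while enforcing key expiry, guess throttling, and single use per window. The HMAC-SHA256 construction, the parameter values, the device identifier, and the key material are assumptions for illustration; the guide does not publish Usher’s actual algorithm.

```python
import hashlib
import hmac
import struct


def usher_style_code(device_key: bytes, now: float, period: int = 60, digits: int = 4) -> str:
    """Client side: derive the numeric code for the time window containing `now`.

    Only the device-bound key and the local clock are needed, so this runs offline.
    The construction is an assumption for this example (HMAC-SHA256 over the window
    counter, dynamically truncated as in RFC 4226); the guide does not publish
    Usher's own algorithm.
    """
    window = int(now // period)
    mac = hmac.new(device_key, struct.pack(">Q", window), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                      # pick 4 bytes at a MAC-dependent offset
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


class CodeVerifier:
    """Server side: per-device keys with expiry, guess throttling, and replay rejection."""

    def __init__(self, period: int = 60, digits: int = 4,
                 max_attempts: int = 5, lockout: int = 300):
        self.period = period
        self.digits = digits
        self.max_attempts = max_attempts
        self.lockout = lockout
        self.keys = {}           # device_id -> current device key
        self.key_expiry = {}     # device_id -> time after which the key is invalid
        self.failures = {}       # device_id -> consecutive wrong guesses
        self.locked_until = {}   # device_id -> time until which guesses are refused
        self.last_redeemed = {}  # device_id -> last window whose code was accepted

    def issue_key(self, device_id: str, key: bytes, issued_at: float, valid_for: int) -> None:
        """Bind a key to a device, replacing any earlier one. The server calls this
        again before `valid_for` elapses, mirroring the key rotation in the text."""
        self.keys[device_id] = key
        self.key_expiry[device_id] = issued_at + valid_for

    def verify(self, device_id: str, code: str, now: float) -> tuple:
        """Return (accepted, reason). A throttled or expired device is refused before
        its guess is compared, so it learns nothing about the current code."""
        if device_id not in self.keys:
            return (False, "unknown_device")
        if now < self.locked_until.get(device_id, 0):
            return (False, "throttled")
        if now >= self.key_expiry[device_id]:
            return (False, "key_expired")
        # Only the current window's code is valid: the previous code is dead the
        # moment the window rolls over, as the guide states.
        window = int(now // self.period)
        expected = usher_style_code(self.keys[device_id], now, self.period, self.digits)
        well_formed = (isinstance(code, str) and code.isascii()
                       and code.isdigit() and len(code) == self.digits)
        if not well_formed or not hmac.compare_digest(expected, code):
            self._record_failure(device_id, now)
            return (False, "bad_code")
        if self.last_redeemed.get(device_id) == window:
            return (False, "replay")   # right code, but already spent in this window
        self.last_redeemed[device_id] = window
        self.failures[device_id] = 0
        return (True, "ok")

    def _record_failure(self, device_id: str, now: float) -> None:
        """After max_attempts wrong guesses, refuse this device for `lockout` seconds.
        Combined with the short code lifetime, exhausting a 4-digit space is infeasible."""
        self.failures[device_id] = self.failures.get(device_id, 0) + 1
        if self.failures[device_id] >= self.max_attempts:
            self.locked_until[device_id] = now + self.lockout
            self.failures[device_id] = 0


# Constructed demo values: a fake device key and a clock value aligned to a window start.
DEMO_KEY = b"constructed-device-key-not-real!"
DEMO_T0 = 1_700_000_040  # multiple of 60, so the window runs [DEMO_T0, DEMO_T0 + 60)


def demo() -> list:
    """Walk through offline generation, throttling, replay, and key expiry."""
    v = CodeVerifier(max_attempts=3, lockout=30)
    v.issue_key("phone-1", DEMO_KEY, issued_at=DEMO_T0, valid_for=3600)
    code = usher_style_code(DEMO_KEY, DEMO_T0)
    wrong = code[:-1] + str((int(code[-1]) + 1) % 10)  # guaranteed to differ from code
    results = [v.verify("phone-1", wrong, DEMO_T0 + i) for i in range(3)]
    results.append(v.verify("phone-1", code, DEMO_T0 + 3))     # locked out after 3 misses
    results.append(v.verify("phone-1", code, DEMO_T0 + 33))    # lockout over, accepted
    results.append(v.verify("phone-1", code, DEMO_T0 + 40))    # same window again: replay
    results.append(v.verify("phone-1", code, DEMO_T0 + 3700))  # device key has expired
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```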
[Figure: a badge’s QR code and numeric Usher code (sample 2165), both generated on the device.]
Encrypted X.509 PKI certificates
Usher uses X.509 PKI client certificates to help secure communications between the Usher mobile
app and the Usher server. The Usher server issues a unique X.509 PKI certificate to each Usher-enabled device when the Usher mobile app is launched for the first time on that device. This
certificate is generated to the X.509 PKI standard, and, upon issue, is stored in the mobile phone’s
encrypted storage area. A mobile phone identifies itself as an Usher-enabled device to the Usher
server by including its unique X.509 PKI certificate in every data transmission. This in turn prevents
rogue devices from impersonating an Usher device and establishing fraudulent communication
with the Usher server to steal identity information.
Out-of-band identity transmission
All identity information is transmitted out-of-band from the Usher server to the Usher mobile app.
This ensures that no two Usher clients directly share identity data and that the Usher server always
validates the identity independently. This includes identity validation through QR and numeric
Usher codes. This approach also ensures that malicious apps can never steal identity data from the
smartphone client. Additionally, since a malicious app cannot present a valid Usher-issued X.509 PKI
certificate, the Usher server will immediately reject any communication attempts from it, ensuring
that identities always remain secure.
[Figure: peer-to-peer validation flow. (1) The Usher mobile client generates a time-limited personal
code (Usher code or QR code; sample 9867). (2) It offers the personal code to the other Usher mobile
client. (3) The other client submits the personal code to the Usher server. (4) The other client
receives the identity information from the Usher server.]
Encrypted channel for data transmission
The Usher server and the underlying identity management solutions use the TLS protocol with a 256-bit AES cipher to send identity verification requests and verified identities to one another. These
requests include the access token for user authentication, the X.509 PKI certificate to identify the
device, and an Usher code; and the transmission is always encrypted. The Usher server matches the
client’s X.509 PKI certificate with a copy maintained in the Usher server database and, upon positive
identification, sends the verified identity back to the client. This process ensures that only known
Usher-enabled devices can send identity requests to Usher and receive identity information from it.
Additionally, all identity requests are processed exclusively through the Usher server, which, in turn,
accesses identity information through Usher connectors.
Certificate pinning: To ensure that the client is talking only to known servers, all trusted servers’
certificates are pinned in the application to prevent a man-in-the-middle attack that may use
fraudulent certificates or malicious proxy servers. The usage of certificate pinning also prevents
cyber thieves from deploying a fraudulent server to masquerade as an Usher server.
[Figure: certificate issuance. (1) At initial launch, the client sends a Certificate Signing Request:
the client public key plus CSR information signed with the client private key. (2) The server
generates a certificate and maintains a 256-bit AES encrypted copy in its certificate database.
(3) The Usher client receives the certificate. (4) The Usher client encrypts the certificate on the
client side.]
Chapter 3: Network management
Security and IT personnel today are required to handle all information security-related issues,
including replacing ID badges, resetting passwords, and managing databases with employee and
customer information. The ideal security solution includes a management tool that allows IT
personnel to manage all aspects of security systems – including deploying mobile security badges,
monitoring logical and physical access, and understanding all enterprise workforce activity.
Network creation
An Usher network is the group of users in your organization who can use the Usher app on their
smartphone to validate their identity, log into applications, gain access to secure physical resources,
and so on. Network creation is the process of developing and naming a specific Usher network,
and is accessed at the Network Manager web portal. For both Secure Cloud and on-premise
deployments, Network Manager will reside at a URL unique to that specific implementation, which
you can get from your Usher account team. Network Manager is the web interface to the Usher
Server that allows Usher Networks to be created and managed. The Network Manager is a PHP
application that runs under Apache. Through it, Usher administrators can create an Usher network,
configure gateways (to web applications, physical access systems, and workstations), and then
distribute or revoke access to gateways among their users, quickly and simply.
Upon visiting the Network Manager site, administrators set up a network by following these steps:
1. Enter badge name
2. Enter network name
3. Edit badge design
4. Create an administrator account by submitting name, title, and photo (optional)
5. Enter a valid email address: Usher sends an email message with instructions to install the Usher
client and acquire the badge
6. Log into Network Manager with the newly acquired Usher badge (by scanning the QR code on the
screen)
User management
User management allows administrators to set up a user population for their Usher network.
Administrators do so using one of the following methods:
• Manual user entry
• User import from supported applications
• User import from CSV file
• Identity Management (IDM) system synchronization
• Active Directory
• OpenLDAP
Please note that a combination of manual entry and IDM synchronization is not supported at this
point in time.
Usher agent for Active Directory
Many organizations use Active Directory as a central repository for user management. With the
Usher agent, an administrator can now synchronize their Usher user base with Active Directory
in a matter of minutes. All of this is done through a lightweight agent running as a service on
a Windows machine. It connects to Active Directory and synchronizes the user groups, or the
organizational units one wishes to incorporate into their Usher deployment.
In this deployment scenario, the Usher Active Directory agent is installed on customer premises.
The Usher agent connects to the customer’s Active Directory via LDAPS. Communication between
the Usher security server and the Usher agent is secured with TLS. The two-way channel is used for
authentication and for pushing settings to the agent (e.g., importing more user groups or
synchronizing more LDAP fields). The one-way channel is dedicated to sending updates from Active
Directory to the Usher network, every 20 seconds, to keep user information current.
This architecture can be deployed behind a proxy or a firewall, and because the agent initiates all
connections outbound, it doesn’t require any change to inbound firewall rules. The AD credentials are
stored encrypted on the Usher agent, and the decryption key is held on the Usher server.
The tool is entirely self-service, and has the benefit of letting changes performed on your user
information in Active Directory be reflected in the Usher user base in seconds – one can even
synchronize users’ pictures between Active Directory and Usher. Disabled users in Active Directory
will be removed from the Usher user base in seconds as well.
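The reconciliation an agent like this has to perform on every cycle is easy to get subtly wrong (an account that is disabled but still present in the directory must be treated as gone). The following is an added example, not the Usher agent’s code: it diffs a directory snapshot against the Usher user base and produces the adds, updates and removals for one sync cycle. The entry layout (dicts keyed by objectGUID), the list of mirrored fields and the group names are assumptions; the userAccountControl bit 0x2 (ACCOUNTDISABLE) is real Active Directory semantics.

```python
"""Directory-to-Usher reconciliation, added here as an illustration.
This is not the Usher agent's code. Assumptions: directory entries are
dicts of LDAP-style attributes keyed by objectGUID, the Usher side is a
dict keyed by the same GUID, and only SYNCED_FIELDS are mirrored.
The userAccountControl bit 0x2 (ACCOUNTDISABLE) is real AD semantics."""
from dataclasses import dataclass, field

ACCOUNTDISABLE = 0x0002  # userAccountControl flag set on disabled AD accounts
SYNCED_FIELDS = ("displayName", "mail", "title", "thumbnailPhoto")  # assumed


@dataclass
class SyncPlan:
    add: dict = field(default_factory=dict)
    update: dict = field(default_factory=dict)
    remove: list = field(default_factory=list)


def in_scope(entry, scoped_groups):
    """Only members of a synchronised group/OU are mirrored."""
    return bool(set(entry.get("memberOf", ())) & scoped_groups)


def is_disabled(entry):
    return bool(int(entry.get("userAccountControl", 0)) & ACCOUNTDISABLE)


def plan_sync(directory, usher_users, scoped_groups):
    """Diff the directory snapshot against the Usher user base.

    A user is removed when it vanishes from the directory, leaves every
    synchronised group, or is disabled in AD, which is what makes a
    disabled account lose its badge on the next sync cycle."""
    plan = SyncPlan()
    wanted = {}
    for entry in directory:
        if not in_scope(entry, scoped_groups) or is_disabled(entry):
            continue
        wanted[entry["objectGUID"]] = {f: entry.get(f) for f in SYNCED_FIELDS}
    for guid, attrs in wanted.items():
        if guid not in usher_users:
            plan.add[guid] = attrs
        elif usher_users[guid] != attrs:
            plan.update[guid] = attrs
    plan.remove = [guid for guid in usher_users if guid not in wanted]
    return plan


def apply_plan(usher_users, plan):
    """Return a new Usher user base with the plan applied."""
    store = {g: u for g, u in usher_users.items() if g not in plan.remove}
    store.update(plan.add)
    store.update(plan.update)
    return store


# Constructed sample data; not real directory contents.
DIRECTORY = [
    {"objectGUID": "g-alice", "displayName": "Alice Lee", "mail": "alice@example.com",
     "title": "Engineer", "thumbnailPhoto": None,
     "memberOf": ["CN=UsherUsers,OU=Groups,DC=example,DC=com"],
     "userAccountControl": 512},   # NORMAL_ACCOUNT
    {"objectGUID": "g-bob", "displayName": "Bob Ray", "mail": "bob@example.com",
     "title": "Analyst", "thumbnailPhoto": None,
     "memberOf": ["CN=UsherUsers,OU=Groups,DC=example,DC=com"],
     "userAccountControl": 514},   # NORMAL_ACCOUNT | ACCOUNTDISABLE
    {"objectGUID": "g-carol", "displayName": "Carol Wu", "mail": "carol@example.com",
     "title": "Contractor", "thumbnailPhoto": None,
     "memberOf": ["CN=Contractors,OU=Groups,DC=example,DC=com"],
     "userAccountControl": 512},   # in AD but outside the synchronised group
]
USHER_USERS = {
    "g-bob": {"displayName": "Bob Ray", "mail": "bob@example.com",
              "title": "Analyst", "thumbnailPhoto": None},
    "g-dave": {"displayName": "Dave Kim", "mail": "dave@example.com",
               "title": "Manager", "thumbnailPhoto": None},  # no longer in AD
}
SCOPED_GROUPS = {"CN=UsherUsers,OU=Groups,DC=example,DC=com"}

if __name__ == "__main__":
    plan = plan_sync(DIRECTORY, USHER_USERS, SCOPED_GROUPS)
    print("add:", sorted(plan.add), "update:", sorted(plan.update), "remove:", sorted(plan.remove))
```

Run against the constructed data, the plan adds Alice, removes Bob (disabled) and Dave (no longer in the directory), and ignores Carol, who is outside the synchronised group. Treating a disabled account the same as a deleted one is the property that matters: a badge must stop working the moment the directory says so, not when someone remembers to delete the account.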
Network administrators
Network manager allows administrators to:
• Add, delete, and manage other Usher network users and administrators
• View the status of other administrators – “active” or “inactive”
Badge management and design
Badge management includes various functions to change badge functionality:
Design allows an administrator to modify badges:
• Color (gradient option available)
• Patterns – choose from eight provided background patterns
• Background image – upload PNG or JPG files
• Icon – upload PNG or JPG files
Properties allows an administrator to:
• Edit badge name
• Enable Usher code broadcasting to access high-security door readers
• Toggle location tracking on or off
• Set location or time-based restrictions for badge usage
Chapter 4:
Authentication and access
control options
Today’s methods of authentication and access are both wide-ranging and outdated –
because enterprises continue to rely on twentieth-century thinking to secure a digital
world. The solution needed today includes authentication and access methods that
replace the outdated methods (passwords, badges, ID cards, keys, security tokens), and
can connect to all enterprise assets, including applications, domains, data and processes,
with physical systems: watches, phones, tablets, computers, doors, facilities, vehicles,
safes, and gates. Access to these resources and spaces may be granted using one of
several methods and customization options with the Usher Security app. These fall under
the categories of logical access, physical access, and behavioral-based conditions.
Logical access and methods
Web applications refer to resources that users access through a browser (web browser or mobile
browser). These can be cloud applications or enterprise-grade, internally hosted applications. While
Usher can be configured to provide authentication into any SAML 2.0-enabled web application
or any VPN solution that authenticates against FreeRADIUS, the Usher gateway configuration interface provides
customized templates for several high-profile, prolific applications. These include, but are not
limited to:
• Amazon AWS
• Zendesk
• Join.me
• Salesforce.com
• Flowdock
• Yammer
• MicroStrategy Web
• Box
• GoToMeeting
• Google Apps
• Asana
• RemedyForce
• Github
• New Relic
• Cisco VPN
• Rally
• Active Directory Federation Services
• Juniper VPN
• Wordpress
• Dropbox
• Citrix VPN
• Slack
Usher’s VPN functionality is implemented as a module that runs on a RADIUS server; RADIUS is the
authentication protocol that most VPN concentrators support. As a result, Usher’s VPN solution is
designed to work with vendors whose products authenticate against RADIUS, such as Cisco, Juniper,
Citrix, and F5. In this way, Usher adds an additional layer of security for remote system access that
is convenient to the end user.
Method 1: QR code scan
When accessing a shared logical resource, such as an open workstation, the resource’s front-end
Usher user interface is assigned a time-limited QR code by the Usher server. A user then scans the
QR code from the validation panel of her Usher client, telling the Usher server who she is, as well
as the gateway identifier associated with the QR code. The Usher server confirms the validity of
the user and then passes the corresponding parameters to the web application using the SAML
protocol in order to request access to the resource on behalf of the user.
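The security of this flow rests on three properties of the QR code: it must be unforgeable, short-lived, and redeemable only once, otherwise a photograph of a workstation screen becomes a login. The following is an added example of one way to get those properties, not Usher’s implementation: the server encodes the gateway identifier, an expiry and a random nonce into the QR payload and HMAC-signs it with a key only the server holds; the scanning client returns that payload together with its already-authenticated badge identity; the server checks signature, expiry and nonce before starting the SAML exchange. The payload format, the 60-second lifetime and the gateway names are assumptions.

```python
"""Time-limited, single-use QR login challenge, added as an illustration.
Not Usher's code; the payload format, TTL and gateway names are assumed."""
import base64, hashlib, hmac, json, os, time

SERVER_KEY = os.urandom(32)   # server-only secret; never leaves the server (assumed design)
QR_TTL_SECONDS = 60           # assumed lifetime of a displayed QR code


def _sign(body: bytes) -> str:
    return hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()


def issue_qr_payload(gateway_id: str, now: float = None) -> str:
    """What the server renders into the QR code shown by the resource's front end."""
    now = time.time() if now is None else now
    claims = {"gw": gateway_id, "exp": int(now) + QR_TTL_SECONDS,
              "nonce": base64.urlsafe_b64encode(os.urandom(16)).decode()}
    body = json.dumps(claims, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + _sign(body)


class ChallengeVerifier:
    """Server-side state: nonces already redeemed, so a QR code works once."""

    def __init__(self):
        self._used = set()

    def redeem(self, qr_payload: str, badge_user: str, now: float = None):
        """The client submits the payload it scanned together with its own
        (already authenticated) badge identity. Returns (ok, reason, gateway)."""
        now = time.time() if now is None else now
        try:
            body_b64, sig = qr_payload.split(".", 1)
            body = base64.urlsafe_b64decode(body_b64)
        except (ValueError, TypeError):
            return False, "malformed", None
        if not (sig.isascii() and hmac.compare_digest(_sign(body), sig)):
            return False, "bad signature", None      # forged or tampered QR
        claims = json.loads(body)
        if now > claims["exp"]:
            return False, "expired", None            # e.g. a stale screenshot
        if claims["nonce"] in self._used:
            return False, "replayed", None           # same QR scanned twice
        self._used.add(claims["nonce"])
        # Here the server knows who (badge_user) and where (claims["gw"]) and
        # would build the SAML response for that gateway on the user's behalf.
        return True, "ok", claims["gw"]


if __name__ == "__main__":
    verifier = ChallengeVerifier()
    qr = issue_qr_payload("gw-workstation-7")
    print(verifier.redeem(qr, "alice"))   # accepted once
    print(verifier.redeem(qr, "alice"))   # second scan is refused as a replay
```

Note that the user’s identity is never carried in the QR code itself; it comes from the client’s own authenticated session, so the code on the screen is only a binding between "this gateway" and "this moment". Signing with a server-only key means the front end can display the code without being able to mint one.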
Method 2: pairing (push notifications)
When performing a QR code scan on any SAML-enabled web application, the user can request
that the system remember the specific user on this particular machine. This is known as pairing
the client to the gateway. The Usher server will remember the user’s device token the next time
the user goes to access the resource. The site will display a button to log in with Usher. Clicking
on the button will trigger the Usher server to send a push notification to that user’s Usher client.
The user can simply confirm the notification to log in. This feature works on Apple Watches with
the Usher WatchKit app on them, as well as Android Watches, for which there is no native Usher
application currently in production. As long as the phone is locked and configured to send its
push notifications to an Apple/Android watch that is paired with it, the user will receive a push
notification on his watch that allows one-tap access to a paired, logical resource gated by Usher.
Method 3: mobile single sign-on (app switching)
The Usher Security application supports mobile SSO workflows, which lets users log into third-party
mobile applications running on the same device. Third-party mobile apps may implement the
Mobile SDK to call the Usher Security app with a request to verify the user’s identity and obtain an
access token. The communication between the Usher Security app and third-party apps is achieved
via deep-linking between the applications.
Method 4: one-time passwords (Usher codes)
On the main screen of each badge, the small white bar under the time-limited Usher code shrinks
over time to let a user know that the code is about to expire. Aside from entering time-limited
Usher codes into their client to validate the identities of other users, a user can use her Usher
code to log into organizational VPNs in much the same way as one-time passwords generated by
hardware security tokens. Usher’s VPN authentication inherits all security settings you set for your
network, allowing you to customize the security based on your needs.
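The page does not publish how Usher codes are derived, so the following is an added example of the standard construction such time-limited codes are usually built on (RFC 4226 HOTP under an RFC 6238 time counter), not Usher’s generator. It shows the piece the badge UI exposes (the code and its remaining lifetime, which is what the shrinking bar is driven by) and the piece a RADIUS-side verifier needs: tolerance for one step of clock skew, and refusal to accept a code from a step that has already been redeemed. The 30-second step and 6-digit length are assumptions; the secret is the published RFC test vector, not a real key.

```python
"""RFC 4226/6238 one-time codes, added as an illustration of how time-limited
codes work. Not Usher's generator; step, digit count and secret are assumed."""
import hashlib, hmac, struct, time

STEP = 30    # seconds per code (assumed; RFC 6238 default)
DIGITS = 6   # assumed length; the Apple Watch section of this guide mentions 4-digit codes


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float = None):
    """Return (code, seconds_left): the second value drives the shrinking bar."""
    now = time.time() if now is None else now
    return hotp(secret, int(now // STEP)), STEP - int(now % STEP)


class TotpVerifier:
    """Server side: accept the current step or one adjacent step (clock skew),
    but never accept a step at or below one already redeemed (replay)."""

    def __init__(self, secret: bytes, skew_steps: int = 1):
        self.secret = secret
        self.skew = skew_steps
        self.last_accepted = -1

    def verify(self, code: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        centre = int(now // STEP)
        for counter in range(centre - self.skew, centre + self.skew + 1):
            if counter <= self.last_accepted:
                continue
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_accepted = counter
                return True
        return False


# RFC 4226 / RFC 6238 test secret (published in the RFCs; not a real key).
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(totp(RFC_SECRET, now=59))   # ('287082', 1)
```

The replay guard (`last_accepted`) is the part that is easy to forget on the verifier side: a skew window of one step means a code stays acceptable for up to 90 seconds, so a code that was already used must be rejected even though it still falls inside the window.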
Physical access and methods
For physical access, Usher has Usher Physical Access Control System (PACS) web services (specialized
for specific physical access systems such as Honeywell EBI, Lenel OnGuard, and Tyco C-Cure) that
broker calls between the Usher server and the physical access system’s API layer. Some web services
run on Windows Server under IIS (Lenel, Honeywell), while others run under Tomcat containers (S2). A
“Standard PACS Adapter” also exists that allows system integrators to write their own web services
for PACS systems that Usher does not support out of the box.
Method 1: Digital keys
The key panel lets users tap on a key to unlock doors, elevators, and gateways. Virtually any
entryway that is controlled by a PACS can be unlocked using Usher keys. Usher offers a list of all
entryways a person has authorization to unlock and lets him organize his favorite keys on the key
ring panel. The favorites key ring is also accessible in the Usher app on the Apple Watch.
By default, the key panel shows your favorite keys. Tap on the ‘All’ button at the top-right of the
screen to bring up all the keys you have access to, organized by badge. Here, you can then add
and remove your favorite keys. These keys can be accessed by providing up to three factors of
authentication—having your phone with you, knowing your phone’s passcode, and presenting
your fingerprint (with iOS Touch ID). Most importantly, administrators can monitor and record who
accesses each entry point at any given time—providing unparalleled insight into potential threats.
Method 2: QR scans
Another way to unlock doors is by simply scanning the Usher QR code affixed to a door. An
organization can place an Usher QR code at each entryway. A user then scans the Usher stamp
with his validation panel, and Usher communicates with the PACS to unlock the door to which the
Usher stamp is affixed. With the key panel and QR scans, Usher bypasses legacy door readers and
communicates directly with the PACS, so enterprises can use Usher without purchasing new door
reader hardware.
Method 3: Bluetooth readers
For hands-free door entry, Usher uses Bluetooth to automatically unlock the door without the
user needing to remove the smartphone from a pocket or purse. Using the same information
advertised for peer-to-peer user discovery, a door reader can obtain the badge ID via Bluetooth and
then make a request to the PACS, which unlocks the door if the user is both within a customizable
physical range and is authorized to enter. With Bluetooth low energy (BLE), Usher minimizes battery
consumption, as the user does not need to have the Usher Security app running in the foreground.
Whether access was granted or denied is displayed on the door reader.
Method 4: iBeacons
Another method of context-based physical access is the Usher Nearby widget in the Today view of the
iPhone’s drop-down notification center, which is accessible from the lock screen. iBeacons, which
are relatively inexpensive, are deployed to powered sources near physical entryways and set to
broadcast their presence constantly via Bluetooth. When an Usher user is within range of an iBeacon
and opens her Usher Nearby widget, the client on the phone receives the identifier the iBeacon is
transmitting. It then maps the iBeacon to its associated key and calls the Usher server for access to
this resource. In this way, a single button in the widget takes on the identity of the key for
whichever door the user is standing next to.
This feature is also integrated with the glance of the Usher app for the Apple Watch. When a user
swipes up from the bottom of their Apple Watch, the glance searches for iBeacons associated with
physical entries nearby and displays them to the user for access.
Furthermore, iBeacons and Usher can be configured to automatically unlock doors when a user
reaches a certain distance from the door. This delivers maximum convenience, as a user can leave
their phone in-pocket.
Method 5: NFC chips
Near Field Communication (NFC) is a short-range radio technology, related to Bluetooth, for
exchanging small payloads of data. Most Android devices contain an NFC chip. When Usher-configured
NFC tags are deployed throughout an enterprise environment, Android users can tap them for
convenient access: the user holds the part of the device where its NFC antenna sits against the
sticker placed near the door. The antenna’s position differs between Android models; on most devices
it is near the camera, but some trial and error may be needed for a particular device. The Usher
client does not have to be open, but it must be running in the background.
Behavioral-based conditions/fencing
Network administrators can set restrictions for how Usher badges are used, based on time and geolocation for better control and security over network resources.
In other words, any resource (logical or physical) can be gated so that access is only possible during
certain hours or in certain geographic locations.
Additionally, administrators can set up Usher to require fingerprint verification every time a person
uses it, or before accessing specific resources. This is significantly more convenient than typing
in a password, and prevents unauthorized use of the Usher badge by providing an additional
authentication factor for highly secure situations. Since only certain types of smartphones contain
fingerprint readers, a passcode alternative is available for devices lacking this feature.
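Restrictions of this kind are only as good as the evaluator that enforces them, and the interesting cases are the ones the prose glosses over: a request that reports no location at all, and a phone that has no fingerprint reader. The following is an added example, not Usher’s policy engine, of evaluating a time window, a geofence and a step-up factor for one badge-gated resource, failing closed when location is missing and accepting the passcode as the documented fallback for fingerprint. The policy shape, the fixed-offset time zone, the resource name and the request fields are assumptions.

```python
"""Badge-usage restriction evaluation, added as an illustration; not Usher's
policy engine. Policy shape, zone, resource and request fields are assumed."""
from dataclasses import dataclass
from datetime import datetime, time as dtime, timedelta, timezone
from math import radians, sin, cos, asin, sqrt

# Assumed: the window is expressed in a fixed-offset zone (no DST handling here).
EASTERN = timezone(timedelta(hours=-5))


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres on a 6371 km sphere."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin(radians(lat2 - lat1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6_371_000 * asin(sqrt(a))


@dataclass(frozen=True)
class Policy:
    resource: str
    window: tuple            # (start, end) as datetime.time in `tz`, or None
    tz: timezone
    fence: tuple             # (lat, lon, radius_m), or None
    step_up: frozenset       # any one of these factors satisfies the step-up; empty = none


@dataclass(frozen=True)
class Request:
    resource: str
    when: datetime           # tz-aware
    location: tuple          # (lat, lon), or None if location services are off
    factors: frozenset       # factors the client actually presented


def evaluate(policy, req):
    """Return (allowed, reasons); every failed condition is reported so the
    audit trail explains a denial rather than only the first tripped check."""
    reasons = []
    if policy.window:
        start, end = policy.window
        local = req.when.astimezone(policy.tz).time()
        if not start <= local <= end:
            reasons.append(f"outside allowed hours {start}-{end}")
    if policy.fence:
        lat, lon, radius = policy.fence
        if req.location is None:
            reasons.append("location required but not reported")   # fail closed
        else:
            d = haversine_m(lat, lon, *req.location)
            if d > radius:
                reasons.append(f"{d:.0f} m from fence centre, limit {radius} m")
    if policy.step_up and not (policy.step_up & req.factors):
        reasons.append("step-up factor required: " + " or ".join(sorted(policy.step_up)))
    return not reasons, reasons


# Constructed policy: lobby door usable 07:00-19:00 Eastern, within 200 m of the
# building, with Touch ID or, on phones without a reader, the passcode.
LOBBY_DOOR = Policy("door:hq-lobby", (dtime(7, 0), dtime(19, 0)), EASTERN,
                    (38.8977, -77.0365, 200), frozenset({"fingerprint", "passcode"}))

# Constructed requests (not real transactions).
OK_REQUEST = Request("door:hq-lobby", datetime(2024, 3, 4, 9, 30, tzinfo=EASTERN),
                     (38.8980, -77.0360), frozenset({"fingerprint"}))
LATE_FAR_REQUEST = Request("door:hq-lobby", datetime(2024, 3, 4, 23, 0, tzinfo=EASTERN),
                           (38.0, -77.0), frozenset())
NO_LOCATION_REQUEST = Request("door:hq-lobby", datetime(2024, 3, 4, 9, 30, tzinfo=EASTERN),
                              None, frozenset({"passcode"}))

if __name__ == "__main__":
    for r in (OK_REQUEST, LATE_FAR_REQUEST, NO_LOCATION_REQUEST):
        print(evaluate(LOBBY_DOOR, r))
```

Failing closed on a missing location is a deliberate choice: a geofence that a user can satisfy by switching location services off is not a geofence. Reporting every failed condition, rather than stopping at the first, is what makes the denial useful later in the transaction log.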
Extension to Apple Watch
Usher for Apple Watch turns Apple’s most personal device into the key that unlocks the enterprise,
both logically and physically. It’s a new take on enterprise security that combines the powerful
security capabilities required by modern organizations with the simplicity of a consumer WatchKit
app. The iPhone and Apple Watch work in concert and are contextually aware of the systems,
hardware, and entryways that users approach. Users receive push notifications on their Apple
Watch, prompting them to unlock their workstation, log into a system, or open a doorway, and
they can do so with a tap or gesture. In addition, the WatchKit app boasts a digital keychain which
synchronizes with the digital keychain in the Usher app on its owner’s smartphone that is paired
with it. A user can also use Apple Watch Force Touch to switch between badges and access the
dynamic 4-digit Usher codes associated with various badges for multi-factor authentication (e.g.,
into a VPN) or identity verification. The glance feature of the WatchKit app mirrors the Usher Nearby
widget on the phone; it searches for the nearest iBeacon and lets an authorized user unlock any
door they are standing in front of.
Chapter 5:
Workforce productivity
with Usher Professional
With Usher Professional, a mobile application available on both smartphone
and tablet, managers gain access to personalized and localized intelligence
about resource utilization, transaction authorization, and all other activity
being performed by their subordinates in the enterprise context. It is
especially applicable to teams where employees are in the field.
Discovery views
There are three discovery views for Usher Professional: grid, list, and map view. By tapping on each
individual team member, a manager can contact a team member directly or be kept informed of their
recent enterprise access activity with usage data collected from their Usher Security application.
User profile
Tapping on a user brings up their user profile. The first tab of the user profile shows trend lines for their
usage of both physical gateways and logical resources. The second tab is a bar graph of the locations
the user performed Usher actions from, as well as how many actions were performed at each location.
The third tab maps out the locations the resources were accessed from. Tapping on each location
provides a scrollable log of actions taken at the location.
From within the Usher Professional interface, a manager can directly initiate an email to a subordinate
if the manager notices unusual items or patterns in the access history. For added insight, Usher
Professional can integrate individual access data with other types of individual data (e.g., HR
information) that is stored in analytics projects, such as those created in MicroStrategy Analytics.
Search capabilities and saved groups
In Usher Professional, a manager can filter, search, and create groups. Usher Professional can be
calibrated to display users in the immediate vicinity, users within 300 feet, users within five miles, or
all users in your badge network. A manager can save a group discovered by using any of these filter
options, and check up on members of that particular group later. For example, a manager may wish
to bookmark anyone who attended a particular planning meeting.
To help with sorting through every user in a particular network, a manager can search based on
name or title keyword, and save groups based on this. An example would be everyone who has
“associate” in his or her title. Groups that are saved from the search functionality can be edited to
clean out irrelevant search results (e.g., if the previous associate search was intended to find
junior-level employees, but also included a couple of associate vice presidents in the results). Usher
Professional can be customized with more detailed user profiles for searches. The flexibility to add
fields such as skills or certifications enables managers to more efficiently utilize the human capital
theoretically at their disposal. Additionally, a manager can create and save a group of employees
based on geo-location in the map view by creating a circle of a certain radius from a point or
by using a freeform selection tool. After creating and saving a group, a manager can also send
communications to the entire group as they would to an individual.
Chapter 6:
Intelligence and reporting
with Usher Analytics
Built on the industry-leading MicroStrategy Analytics Platform, Usher Analytics
captures, analyzes, and displays visualizations of all Usher activity, providing both
global visibility of users and an audit trail for governance, risk management, and
cyber security oversight. It also provides proactive alerts when abnormal activity is
detected or when thresholds are exceeded, and delivers a full spectrum of analytic
capabilities, from simple time analysis to sophisticated correlations and data mining.
Whenever an action is taken on an Usher Security client, the action is passed
to the Usher server log and then to Usher Analytics, where it is stored in
a MySQL database. If the Usher server is installed on-premise, a customer
has flexibility in storing these action logs in a variety of ways.
Usher Analytics provides complete visibility of all identity actions across a network
in near real time, supporting risk management, cyber security, and auditability with
actionable insights at all times. For example, it enables immediate detection of abnormal
activities and irregular patterns (such as after-hours access), outlier behavior, or users
who appear to be in two places at once.
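Two of the patterns just listed, after-hours access and a user who appears to be in two places at once, are mechanical enough to show as detection logic. The following is an added example, not Usher Analytics: it parses a handful of constructed transaction-log lines and flags actions outside business hours and consecutive actions by one user whose separation in space and time implies an impossible speed. The log line format (user, ISO-8601 UTC timestamp, latitude, longitude, resource), the business-hours window and the speed threshold are assumptions; the real data lives in the MySQL store described above and would be queried there.

```python
"""After-hours and impossible-travel detection over constructed transaction
log lines, added as an illustration. Not Usher Analytics; the line format,
business hours and speed threshold are assumed."""
from collections import defaultdict
from datetime import datetime, timezone
from math import radians, sin, cos, asin, sqrt

MAX_SPEED_KMH = 900   # faster than a commercial flight between two actions = "two places at once"
WORK_HOURS = (7, 19)  # business hours in UTC for the after-hours check (assumed)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres on a 6371 km sphere."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin(radians(lat2 - lat1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))


def parse_log(lines):
    """Each line: user,ISO-8601 UTC timestamp,lat,lon,resource (constructed format)."""
    rows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, ts, lat, lon, resource = line.split(",")
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        rows.append({"user": user, "when": when, "lat": float(lat),
                     "lon": float(lon), "resource": resource})
    return rows


def after_hours(rows):
    start, end = WORK_HOURS
    return [r for r in rows if not start <= r["when"].astimezone(timezone.utc).hour < end]


def impossible_travel(rows):
    """Flag consecutive actions by one user that imply a travel speed no
    person could reach; returns (user, earlier, later, km/h) tuples."""
    by_user = defaultdict(list)
    for r in rows:
        by_user[r["user"]].append(r)
    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda r: r["when"])
        for prev, cur in zip(events, events[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (cur["when"] - prev["when"]).total_seconds() / 3600
            speed = float("inf") if hours == 0 and km > 0 else (km / hours if hours else 0.0)
            if speed > MAX_SPEED_KMH:
                alerts.append((user, prev, cur, speed))
    return alerts


SAMPLE_LOG = """\
# constructed sample transactions; not real Usher data
alice,2024-03-04T09:05:00Z,38.8977,-77.0365,door:hq-lobby
alice,2024-03-04T09:40:00Z,38.8990,-77.0400,app:salesforce
alice,2024-03-04T10:10:00Z,51.5074,-0.1278,app:aws
bob,2024-03-04T02:15:00Z,38.8977,-77.0365,door:hq-server-room
bob,2024-03-04T12:00:00Z,38.8977,-77.0365,app:github
"""

if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG.splitlines())
    for r in after_hours(rows):
        print("after-hours:", r["user"], r["when"].isoformat(), r["resource"])
    for user, a, b, speed in impossible_travel(rows):
        print(f"impossible travel: {user} {a['resource']} -> {b['resource']} at {speed:.0f} km/h")
```

On the sample data Bob’s 02:15 server-room entry is flagged as after-hours, and Alice’s Washington-to-London hop in thirty minutes is flagged as impossible travel. Note that the travel check is only as trustworthy as the coordinates, which the page says are recorded only when location services are enabled; an action with no location should be surfaced separately rather than silently skipped.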
As an offering, Usher Analytics comes out-of-the-box with a set of pre-built
MicroStrategy Analytics schema and objects, such as reports, dashboards,
metrics, and filters. However, organizations also have the flexibility to
upload their own data to the project for additional analysis.
The current Usher Analytics solution, hosted in our cloud environment, uses an in-memory
architecture to support data warehousing of large datasets alongside traditional online
analytical processing (OLAP) services.
Interface
Our main dashboard, accessible from the network manager site, contains information about the
users, resources, and transactions of the viewer’s networks.
The second section of this dashboard presents an overview of members’ activities and will allow you
to see which users are most active, access the most resources, and initiate the most connections.
If location services are enabled on the user’s device, a pair of location coordinates will be recorded
for each transaction that they initiate. You can, at a glance, see the last known location of each
member on your network.
Usher Analytics will also provide the administrators the functionality to categorize their most used
resources, or rank and sort which resources are susceptible to failure, as shown below:
If an Usher network administrator wanted to dive deeper into an individual Usher user’s behavior or
transactions, there is a convenient view of the data for auditing. The view below provides a summary of
usage, resource distribution of that user, and the segmentation of where actions are being performed.
Transaction logs
The Transaction log is a summary of all Usher network actions. It comes with a robust filter panel
that lets you drill down into specific activity types, timeframes, or sets of actions for compliance
and auditing.
Pre-built dashboards
These are the current out-of-the-box Usher Analytics dashboards as accessible from the web in
network manager:
Network panel – provides an overview of the network as a whole.
User panel – lists all users and provides trends and metrics around their usage.
Gateway panel – lists all gateways and provides trends and metrics around its usage.
The gateway panel is divided into the analysis of physical and logical gateways.
Chapter 7:
Usher server
The nerve center of the platform, the Usher server is a scalable, high-performance
server that can host one or many Usher networks. It can be installed on-premise, or used in Amazon’s secure cloud as multi-tenant or single-tenant.
The Usher server is a Java web application built using the Play Framework,
which follows the model-view-controller (MVC) architectural pattern. The
server runs on an Apache Tomcat web server and utilizes a MySQL database.
The operating system needed for the Usher server is Red Hat Linux. The
Usher server has also been tested on CentOS and Windows; while the
server can be made to run on these platforms, these are not certified.
Play Framework
• Lightweight, stateless, MVC
• Built on Scala, Akka, Iteratee IO
• Highly scalable, asynchronous programming
• ORM support (EBean)
• In-memory DB support
• Easy to build (sbt) and deploy (built in Netty, supports other
application servers)
Server architecture
Figure: the Usher server sits between directory gateways, logical gateways, and physical gateways.
Server components
Figure: the IDM kernel comprises identity management, network (organization) management, resource management, the Usher service, and logical access support (biometric etc.), built on the IDM common library and tools.
Common library and tools
The Usher server provides generic components, tools, and applications to the platform:
Server common interface (common-interface project)
Server general library (common-library project)
• SAML
• PKI
• Other utilities, including HttpClient
Server common modules (common project)
• Multiple-language message support
• License support
• Mail support
• OAuth
• Security
• General configuration support
IDM common classes (common project)
• UsherModel
• UsherController
• SQLOperator
Log, LogSDK and LogServer (common project, LogServer)
• Cache SDK
Server deployment
The Usher server is built and deployed using the RPM Package Manager. RPM packages can be
built automatically and contain all WAR files and database changes for the server. The deployment
process is also automated, which un-packages the RPM build, deploys the WAR files to the correct
Tomcat instances, and executes any DB changes.
Deployment architectures
Usher can be deployed across a variety of deployment architectures. The possible deployment
architectures are:
• Secure Cloud, multi-tenant, with or without the Active Directory site agent
• Secure Cloud, single-tenant, with or without the Active Directory site agent
• On-premise
Secure Cloud
Usher uses Amazon Web Services for hosting our multi-tenant or single-tenant Secure Cloud Usher
servers. Our cloud team will work with you to size an environment specific to your enterprise
requirements. Secure Cloud is monitored, managed, and maintained by experts.
Certifications and controls
Usher cloud environments are designed to ensure compliance with the most strict security
frameworks. Our personnel are highly trained on the infrastructure, process, methodologies,
and applications.
1. Vulnerability and penetration testing
2. 24x7 monitoring and alerts
3. SOC 2 Type II, PCI, HIPAA, Safe Harbor
FIDO certification
The FIDO (Fast IDentity Online) Alliance, a coalition of vendors that includes Microsoft, Google,
Intel, Lenovo, RSA, Samsung, Qualcomm and various credit card companies, has developed open
specifications for stronger, more secure authentication.
FIDO’s specifications were also developed to address the lack of interoperability among
strong authentication technologies and to remedy the problems users face with creating and
remembering multiple usernames and passwords. The FIDO Alliance is changing the nature
of authentication with standards for simpler and stronger authentication that define an open,
scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO authentication
is stronger, more private, and easier to use when authenticating to online services.
FIDO certification is performed using a set of test tools developed by the FIDO Alliance, followed
by participation in a proctored interoperability event. Usher has passed a rigorous series of
tests that measure compliance with the FIDO Universal Authentication Framework (UAF) and
ensure interoperability with other FIDO certified products and services that support FIDO 1.0
specifications, thus achieving FIDO certification.
Systems
Our environments are architected using best practices to ensure high availability and redundancy.
Systems are backed up every night so we can recover in case of unforeseen events.
1. 99.9% SLA
2. Highly redundant
3. Disaster recovery – metadata and virtual machines are backed up every day
4. High availability
Current server environment (multi-tenant)
Figure: hardware load balancing and firewall (paired load balancers in an active/passive configuration) in front of the server groups below. Each group has one or two web servers and a database master, and some also have a database replica, all on private 10.x addresses:
• Mirror/Staging servers
• MPT servers
• EA/Perf testing servers
• Development servers
• UAT servers
• Test servers
Operations
For SaaS-based implementations of Usher, all management of Usher services are performed
by the MicroStrategy Operations team. For single-tenant Secure Cloud deployments of Usher,
most day-to-day operational functions will be handled through the web based administrative
interface. System and database accounts, which provide superuser-level access to the underlying
OS and database are configured via the administrative interface and can be used to access these
components directly should that level of access be warranted. Any access of the underlying
OS or database should be done with coordination of Usher support staff as changes to these
components may render the Usher service inoperable.
Technology
The environment’s architecture is designed for high availability, so no guesswork or tuning is
required from the customer since the environments are built and managed by our experts.
1. 64-bit architecture
2. Massive, high-speed networks
3. State-of-the-art computing platforms
Monitoring
For SaaS-based implementations of Usher, the MicroStrategy Operations team manages all Usher
services. For Secure Cloud deployments of Usher, the virtual appliance provided by MicroStrategy
exposes an SNMPv3 (Simple Network Management Protocol version 3) interface, which allows
monitoring of both the underlying Linux server health and the Usher application components.
Configuration of the SNMP service is managed via the virtual appliance’s web-based administrative
interface, which allows an SNMPv3 user password and an access list to be specified to secure SNMP
communications, as well as an SNMP trap destination that will receive alerts from the appliance.
Maintenance
For SaaS-based implementations of Usher, all management of Usher services are performed by the
MicroStrategy Operations team, with all performance and operational metrics exposed via Usher
network manager. Secure Cloud deployment of the Usher platform uses a Linux-based virtual
appliance provided by MicroStrategy. The virtual appliance provides standards based monitoring
end points that allow for the direct integration of Usher monitoring into existing Secure Cloud
monitoring solutions. For Secure Cloud deployments of Usher, all maintenance functions are
handled by a web based administrative interface. The system routines managed via this interface
are the following:
• Log management: allowing for downloading of system logs as well as
specifying a remote host to receive syslog based log messages
• Patch management: MicroStrategy provides monthly system
update bundles, which can be uploaded and applied
• User management: manage the system and database level account and passwords
• Support service configuration: manage the addresses of the outside services required
to support Usher: the mail relay server; the NTP (Network Time Protocol) server, optional
if the appliance’s system clock is synchronized to the hypervisor’s clock, which is in turn
synchronized to a stratum-2 time server; and the SNMP service configuration
• Certificate management: manage system certificates
• Usher service management: start and stop all components of the Usher Platform
Security operations
Security operations for Usher are closely tied to our security architecture principles. Our security
operations model reflects both the security architecture designs and the required compliance
standards and certifications (see Section 4.9). We apply our knowledge of security best practices and
follow a plan that includes the Security Operations team as stakeholders in the security
architecture review process and at compliance decision points.
The Security Operations team conducts regular security tasks on the Usher servers and network,
including, but not limited to, vulnerability management, patch management and mitigations, incident
response, internal vulnerability assessments and red teaming, and event logging and analysis.
It should be noted that we maintain a physical and logical separation between the security
operations enclave and the rest of the corporate and customer-facing network domains. The
security devices that conduct vulnerability scans, logging, and malware detection are kept in a
physically isolated cage in a data center, and can only be accessed by members of the Security
Operations team.
Vulnerability management
Vulnerability management must be conducted at regular intervals on all hosts within the
Usher network domain. Vulnerability management programs focus on both short- and long-term
mitigation strategies for recently discovered vulnerabilities as well as ongoing patch
verification efforts. The Security Operations team works closely with IT Operations to ensure
that the reference system is as up to date on patches as possible, and helps the IT
Operations staff understand the impact of each system patch.
Besides IT Operations, the Security Operations staff assists with verifying that software fixes have been
applied. For example, if a third-party security assessment team recommends that the Usher server be
configured with a particular security setting, the setting can be enabled on the Usher server, and the
Security Operations team then scans the systems to confirm that the setting is in effect.
Event logging and auditing
In security operations, it is imperative to maintain event logs for auditing purposes. We use a
Security Information and Event Management (SIEM) tool to collect, aggregate, filter, store, triage,
correlate, and display security-relevant data, both in real time and for historical review and analysis.
The SIEM allows us to take large amounts of disparate data and turn it into potentially relevant
security events, which can be further correlated into an incident that we can act on.
Chapter 8:
Custom implementation (SDKs)
The key vision of the Usher SDK is to enable third parties to seamlessly incorporate
key components of identity management, access, and authentication (mobile,
web, server, and intelligence) into their applications, enabling custom use
cases that are pertinent to their customers and business partners.
The Usher platform is continually built with the intent of integrating easily
with existing and future infrastructure and software. For each possible integration
point, a Software Development Kit (SDK) including an API, documentation, a
tutorial, and sample code (or complete sample projects) is available. The diagram
below is a high-level global view of the various Usher SDK components:
[Diagram: Usher SDK components. Sample code projects: desktop app, server-side app, web app, mobile app. Library/client: Usher mobile API for mobile apps, Usher admin API for desktop apps, Usher web API for web apps. Usher REST APIs: Usher server API, Usher data services API, Usher admin API. Usher server infrastructure (cloud or customer premise): directory services, PACS services, transaction services. SDK documentation: client-side APIs, Usher REST APIs, server-side REST APIs.]
APIs and other necessary elements are set up and maintained through the Usher network
management web console. Specifically, the console allows app developers to:
• Register their application and retrieve their Usher API license keys
• Configure the third-party-server-to-Usher-server trust elements
• Monitor their Usher API usage
• Manage the application to Usher network permissions
The following sections will detail different SDK packages:
• Usher Professional app workflow
• Usher server-side SDK
• RESTful API
• PACS API
Visit https://developer.usher.com/ to view reference resources. This website helps
third-party developers easily integrate Usher into their desktop, web, mobile, or server
applications. The resources are organized by platform (iOS vs. Android vs. Java) as
well as by the type of application being integrated (web vs. mobile vs. server).
Mobile SDK workflows
Often, a customer is interested in using the Usher platform to authenticate users into their existing
mobile applications, but wants to avoid the inconvenience and separate login workflow that go
along with downloading an additional app (Usher). The following scenarios enable a customer to
leverage the Usher platform in existing mobile apps for stronger authentication:
• Usher as a mobile app authentication mechanism (directly via app)
• Usher as a mobile app authentication mechanism (via authentication app)
• Usher as enterprise SSO
• Usher as step-up authentication provider
• Usher as a peer-to-peer authentication provider
Usher as a mobile app authentication mechanism
Directly via app
[Diagram: the Acme Corporation mobile app obtains a Usher user token from Usher (step 1) through the Usher mobile API for mobile apps.]
1. The user is authenticated with the Usher network from the mobile app using credentials and/or biometrics
2. The mobile app can now leverage Usher functionality such as Usher stamp scanning, Usher code, peer-to-peer verification, etc.
For SAML-based mobile apps
Detailed authentication workflow:
[Diagram: the Acme Corp. mobile app, the Acme Corp. authentication app (holding the Usher user token via the Usher mobile API for mobile apps), the Acme Corp. backend (using the Usher service-side API) and Usher, exchanging messages in steps 1 to 10 as listed below.]
1. User was previously authenticated to the Usher network from the mobile app
2. Acme Corp. mobile app is launched and requests a session with the Acme Corp. backend
3. Acme Corp. backend requests resource session validation from the Usher platform
4. Acme Corp. backend sends the resource session ID along with a local session ID to the Acme Corp. mobile app
5. Acme Corp. mobile app invokes the Acme Corp. mobile authentication app for the resource session ID
6. Acme Corp. mobile app validates access for the resource session
7. Acme Corp. mobile app invokes Acme Corp. mobile app
8. Acme Corp. mobile app requests the status of the local session ID
9. Acme Corp. backend retrieves the user identity from the Usher platform for the resource session
10. Acme Corp. backend sends confirmation (and user information) that the local session is now active
for the user
Note: this workflow is very similar to the workflow that would allow a user to authenticate with an
enterprise web application.
Usher as an enterprise SSO provider
[Diagram: the Acme Corp. mobile app (Usher user token, Usher mobile API for mobile apps) talks to Usher and to the Acme Corporation backend API; the Acme Corp. backend uses the Usher service-side API; steps 1 to 3 as listed below.]
A simplified workflow can be described as follows:
1. User is authenticated to the Usher network from the mobile app and acquires a Usher token
2. Mobile app forwards the token to the customer backend
3. Customer backend confirms that the Usher user token is valid and corresponds to the user by
calling the network API before performing any further action
Usher as a step-up authorization provider
[Diagram: the Acme Corp. mobile app (Usher user token, Usher mobile API for mobile apps) talks to Usher and to the Acme Corporation backend API; the Acme Corp. backend exchanges messages with the app and with Usher in steps 1 to 5 as listed below.]
In the case of Usher as a step-up authorization provider, a high-level workflow can be described as:
1. Acme Corp. authenticates the mobile app user
2. Acme Corp. grants the mobile app user access to the Usher network (trusted relationship)
3. Acme Corp. sends badge retrieval information to the mobile app
4. Mobile app retrieves the badge and Usher user token and can leverage Usher functionality,
which includes biometrics and/or Usher code
5. Acme Corp. validates the Usher user token with the Usher network, as well as a second factor
(which may be the user’s Usher code or biometrics)
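What the customer backend has to do with the forwarded token in the SSO workflow (step 3) and in the step-up workflow (step 5), as an added example that is not Usher's or MicroStrategy's code. The Usher network API is modelled by the `NetworkApi` class, a constructed stand-in whose method names and validation answer are assumptions; the page only states that the backend must validate the token with Usher before acting.

```python
"""Added example (not Usher's code): backend-side handling of a Usher user
token in the SSO (step 3) and step-up (step 5) workflows.

NetworkApi is an assumed stand-in for the Usher network API; its method names
and the shape of its validation answer are not taken from the guide.
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class TokenRecord:
    user_id: str
    expires_at: float
    second_factor_ok: bool = False  # set once Usher verified biometrics / Usher code


class NetworkApi:
    """Stand-in for the Usher network API (assumption: validate() returns the
    token's record, or None when the token is unknown or expired)."""

    def __init__(self):
        self._tokens = {}

    def issue(self, user_id, ttl=300.0):
        """Step 1: the mobile app authenticates to Usher and receives a token."""
        token = secrets.token_urlsafe(24)
        self._tokens[token] = TokenRecord(user_id, time.time() + ttl)
        return token

    def mark_second_factor(self, token):
        """Usher has confirmed the second factor (biometrics or Usher code)."""
        self._tokens[token].second_factor_ok = True

    def validate(self, token):
        rec = self._tokens.get(token)
        if rec is None or rec.expires_at < time.time():
            return None
        return rec


@dataclass
class Backend:
    """The customer (Acme Corp.) backend."""
    api: NetworkApi
    sessions: dict = field(default_factory=dict)  # local session id -> user id
    audit: list = field(default_factory=list)

    def sso_login(self, token, claimed_user):
        """SSO step 3: never act on the forwarded token itself; ask Usher whether
        it is valid and bind the answer to the user the app claims to be.
        Returns a local session id, or None when the login is refused."""
        rec = self.api.validate(token)
        if rec is None:
            self.audit.append(("sso", claimed_user, "invalid-or-expired-token"))
            return None
        if not hmac.compare_digest(rec.user_id, claimed_user):
            # a valid token for a different user must not open a session
            self.audit.append(("sso", claimed_user, "user-mismatch"))
            return None
        session_id = secrets.token_urlsafe(16)
        self.sessions[session_id] = rec.user_id
        self.audit.append(("sso", claimed_user, "ok"))
        return session_id

    def step_up(self, session_id, token):
        """Step-up step 5: before a high-risk action, re-validate the token with
        Usher, check it still belongs to the session's user, and require that
        Usher has confirmed a second factor for it."""
        user = self.sessions.get(session_id)
        rec = self.api.validate(token)
        if user is None or rec is None or rec.user_id != user:
            self.audit.append(("step-up", user, "denied"))
            return False
        if not rec.second_factor_ok:
            self.audit.append(("step-up", user, "second-factor-missing"))
            return False
        self.audit.append(("step-up", user, "ok"))
        return True


if __name__ == "__main__":
    api, backend = NetworkApi(), Backend(api)
    token = api.issue("alice")
    print(backend.sso_login(token, "mallory"))  # None: token is not mallory's
    sid = backend.sso_login(token, "alice")
    print(backend.step_up(sid, token))          # False: no second factor yet
    api.mark_second_factor(token)
    print(backend.step_up(sid, token))          # True
```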
Usher as peer-to-peer authentication provider
[Diagram: two Acme Corp. mobile apps, each holding its own Usher user token (user 1 and user 2) via the Usher mobile API for mobile apps, both authenticated with Usher (step 1); steps 2 and 3 run between the two apps.]
1. The mobile user is authenticated with Usher
2. Mobile app discovers users in the vicinity (optional)
3. Mobile app authenticates other mobile app user (using Usher stamp or Usher code)
Mobile SDK
There are two Usher mobile SDKs: one for the Apple iOS platform (iOS 7 and later) and one for the
Android platform (Android 4.0 and later).
Each Usher mobile SDK is composed of:
• Platform-specific API libraries (iOS Framework and JAR libraries for Android)
• Usher mobile API documentation
• Tutorials describing the typical use cases and basic concepts of the Usher mobile API
• Sample code/projects for each typical use case:
  • Usher as an enterprise SSO provider
  • Usher as a secondary factor for authentication
  • Usher as a step-up authentication provider
  • Scanning an Usher Stamp (e.g. QR code) to gain access to a logical resource
  • Peer-to-peer authentication/verification
Server-Side SDK
The Usher server-side SDK is geared toward enabling backend application developers to easily
integrate with the Usher platform. Establishing a trusted connection between Usher and the
third-party application requires an advanced level of knowledge of important security concepts.
Any error in this setup could lead to a less-than-secure and/or unstable configuration.
The Usher server-side SDK encapsulates the best-practice steps and ensures they meet the Usher
deployment guidelines.
In most use cases, the mobile backend will need to interact with the Usher platform backend
servers. For example:
• Initiate a resource access workflow using an Usher stamp
• Initiate a trusted third-party-server-to-Usher-server session to perform actions on behalf of the user
• Initiate a trusted third-party-server-to-Usher-server session to provision a new Usher account
• Validate Usher user identity using an Usher code
While most of these tasks would be trivial to achieve by leveraging the Usher platform API directly, it is
much faster and less error-prone to leverage the Usher server-side SDK.
Platform RESTful API
The Usher platform API is a RESTful endpoint structure that the Usher server exposes. These APIs
provide programmatic access to Usher data and are utilized by different components of the
platform such as the Usher mobile client, network manager, etc., to carry out transactions. Request
and response payloads are formatted as JSON and use standard HTTP methods like GET, PUT, POST,
and DELETE.
Physical Access Control System API
The Usher platform supports native connectivity to a large number of physical access control
systems (PACS): Lenel, S2, Honeywell, etc. In the event a customer’s system is not amongst those
Usher connects to out of the box, or additional flexibility is required, the Usher platform can be
extended using the Usher PACS Web Service API facility.
Functionality supported with a custom PACS agent connection:
• Retrieve keys/resources available to a specific user
• Activate a key/resource (e.g. “Open South-East lobby door in HQ building”)
• Encryption of the communication channel (HTTP over SSL)
Below is a diagram illustrating how a custom PACS agent can be implemented, allowing the Usher
platform to interface with your PACS system. The Usher PACS agent web service API used for the
implementation is included in the Appendix.
[Diagram: in the Usher cloud, the Usher network management web console and Usher servers call the Usher PACS web service API exposed by a custom web service on a web service application server at the customer premise; that service talks to the physical access control system through the PACS interface.]
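A minimal custom PACS agent web service of the kind this section describes, as an added example that is not Usher's or MicroStrategy's code. The real Usher PACS web service API lives in the guide's appendix, which is not reproduced here, so the operation names and JSON shapes are assumptions: `list_keys` returns the keys/resources available to a user, `activate` activates one of them, and the service accepts HTTPS only.

```python
"""Added example (not Usher's code): a custom PACS agent web service exposing
the two operations this section names, reachable over HTTPS only. Operation
names, JSON shapes and the PacsInterface adapter are assumptions."""
import json
from http import HTTPStatus
from io import BytesIO

# Constructed entitlement data standing in for the customer's physical access
# control system (PACS): user id -> {resource id: label}.
PACS_ENTITLEMENTS = {
    "alice": {"hq-se-lobby": "Open South-East lobby door in HQ building",
              "hq-garage": "Open HQ garage gate"},
    "bob": {"hq-garage": "Open HQ garage gate"},
}
ACTIVATION_LOG = []  # every activation attempt, allowed or denied, for audit


class PacsInterface:
    """Adapter to the customer's PACS (hypothetical; a real agent calls the
    vendor system here instead of the dictionary above)."""

    def keys_for_user(self, user_id):
        return dict(PACS_ENTITLEMENTS.get(user_id, {}))

    def activate(self, resource_id):
        return {"resource": resource_id, "state": "activated"}


def list_keys(pacs, user_id):
    keys = pacs.keys_for_user(user_id)
    return {"user": user_id,
            "keys": [{"id": k, "label": v} for k, v in sorted(keys.items())]}


def activate_key(pacs, user_id, resource_id):
    """Activate a resource only if the PACS says this user holds it. The check
    is made in the agent, not trusted from the caller, so a request naming a
    resource the user does not hold is refused and logged."""
    allowed = resource_id in pacs.keys_for_user(user_id)
    ACTIVATION_LOG.append({"user": user_id, "resource": resource_id,
                           "allowed": allowed})
    if not allowed:
        return {"error": "not entitled", "user": user_id,
                "resource": resource_id}, 403
    return pacs.activate(resource_id), 200


def handle_request(pacs, body):
    """Dispatch one parsed JSON request; returns (payload, HTTP status)."""
    user_id = body.get("user")
    if not isinstance(user_id, str) or not user_id:
        return {"error": "user required"}, 400
    op = body.get("op")
    if op == "list_keys":
        return list_keys(pacs, user_id), 200
    if op == "activate":
        resource = body.get("resource")
        if not isinstance(resource, str) or not resource:
            return {"error": "resource required"}, 400
        return activate_key(pacs, user_id, resource)
    return {"error": "unknown op"}, 400


PACS = PacsInterface()


def application(environ, start_response):
    """WSGI entry point: refuse plain HTTP and anything but a JSON POST."""
    if environ.get("wsgi.url_scheme") != "https":
        payload, status = {"error": "https required"}, 403
    elif environ.get("REQUEST_METHOD") != "POST":
        payload, status = {"error": "POST required"}, 405
    else:
        try:
            length = int(environ.get("CONTENT_LENGTH") or 0)
            body = json.loads(environ["wsgi.input"].read(length) or b"{}")
            if not isinstance(body, dict):
                raise ValueError("JSON object expected")
        except (ValueError, KeyError):
            payload, status = {"error": "invalid JSON"}, 400
        else:
            payload, status = handle_request(PACS, body)
    data = json.dumps(payload).encode()
    start_response(f"{status} {HTTPStatus(status).phrase}",
                   [("Content-Type", "application/json"),
                    ("Content-Length", str(len(data)))])
    return [data]


def call(body, scheme="https", method="POST"):
    """Invoke the WSGI app in-process; returns (status code, decoded JSON)."""
    raw = json.dumps(body).encode()
    environ = {"wsgi.url_scheme": scheme, "REQUEST_METHOD": method,
               "CONTENT_LENGTH": str(len(raw)), "wsgi.input": BytesIO(raw)}
    seen = {}
    out = b"".join(application(
        environ, lambda st, hdrs: seen.setdefault("status", int(st.split()[0]))))
    return seen["status"], json.loads(out)


if __name__ == "__main__":
    print(call({"op": "list_keys", "user": "bob"}))
    print(call({"op": "activate", "user": "bob", "resource": "hq-se-lobby"}))  # 403
    print(call({"op": "list_keys", "user": "alice"}, scheme="http"))            # 403
```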
Chapter 9:
Deployment scenarios
Higher education institution
Federal government
International airport
Financial services institution
Higher education institution
Overview
Higher education institutions today have multiple concerns on a day-to-day basis. Safety for the
student body as well as faculty and staff is extremely important, and running a successful educational
institution requires the administration to focus first and foremost on security. Physical security, as well
as cyber security, is a high focus for these institutions, which is why most turn to different physical and
cyber security solutions. However, the available solutions today focus only on one area of security,
which is why one of the nation’s most elite private universities turned to Usher for a consolidated,
intelligent, and comprehensive security solution that would be easy for students to use.
The problem with the student ID card
University students today are constantly in communication with one another and are always up-to-date
on the latest technology. Therefore, universities are always striving to provide valuable and
useful services to students that can be consumed on mobile devices. That’s why, with the rise of
today’s major security issues, both physical and cyber, and the critical understanding that universities
must protect students and their data, one university decided a better solution was necessary.
Used by students around campus, Usher provides a consolidated means of access and
identification. Universities have long relied on plastic physical ID cards so students can gain access
to buildings, events, or even make purchases with the ID card. And in an emergency situation,
these ID cards establish a student’s identity and prove he is a member of the university community.
With modern physical access control systems, these ID cards often serve as a proximity-based key,
with the ability to unlock doors at buildings around campus. Students can present their ID cards
to gain tickets for special events or sporting events on campus. And, ID cards also serve as a debit
card, with payment processing capabilities (on either a debit account or credit account). Thus, the
ID card serves as the center of a student’s on-campus world.
Envisioning a mobile solution
As with all physical objects that we use in our daily lives, problems arise when the ID card is lost,
stolen, or counterfeited. On a university campus, a student ID card in the hands of the wrong
person can be a major security issue, giving the unauthorized user access to buildings, events,
and even payments. And physical cards don’t provide any form of intelligence or analytics, since
showing an ID card to a university official can’t be tracked. With no insight, security threats can’t be
monitored, and security issues take longer to be addressed by the campus security officials.
With Usher, one of the nation’s elite universities can now offer students a mobile app that
consolidates the use of the ID card, as well as web application access. This university has deployed
Usher, including the following use cases:
• Mobile student ID cards to 4,000 students
• Logical access to 100+ web applications (integration with Shibboleth)
• Mobile payments in the food court, dining hall, bookstore, and campus printers
• Physical access to campus buildings
• Event ticketing
With almost 90% of today’s university students in possession of a smartphone, a mobile app that
integrates physical access, web and application access, ID card management, and mobile payments
is a solution that all students are excited to use.
Additionally, Usher requires no new infrastructure investments, so the university chose Usher as the
solution since there were no additional costs involved with deploying the solution.
And finally, with Usher Analytics, IT departments, network administrators, and campus security
can have full insight into student movement and activity on campus. Every Usher action
performed by students is logged and can be reviewed in real time or after the fact, so security
and administrative teams can know exactly what is happening on campus at all times. Security
threats can be monitored, and security issues can be followed up to the minute, so in the event
of a real emergency, campus security officials know exactly where the problem is and can respond
faster. This gives university officials peace of mind that security, both physical and logical, is being
monitored and any issues can be solved faster than ever.
Just the beginning of the mobile movement
With Usher, university officials know they are offering students a valuable solution, and
administrators know they have the best insight into campus activity at all times. With Usher, the
university reduces costs dramatically, eliminating the need to print and manage student ID cards,
distribute and manage physical keys for building access, and manage and reset usernames and
passwords. Thus, Usher provided the comprehensive security solution this university needed.
Federal government
Overview
The federal government operates across a wide variety of agencies and industries, all of which
are vital to the operation of the country. In particular, the network of first responders ensures that
emergency situations are attended to and resolved. Often, first responders arrive on a scene in
complete chaos, and the larger the emergency, the greater the disorganization. First responders
today have no way to quickly and easily identify one another, and responders from different units
have no way to communicate while on the scene. These issues are why one of the largest global
security and defense technology companies for the federal government turned to Usher for a
solution for first responders in the field.
A nationwide mobile network
Creating a network for all first responders that allowed for identity verification and communication
was the most important task for improving the emergency response network. In the world of
technology today, using mobile devices is a necessity for connecting groups of first responders and
allowing them to communicate easily. And for administrators, it is equally important to be able to
quickly locate all responders on duty, dispatch those responders to emergencies, stay in contact
with them, and create groups on the fly so they can quickly identify one another. Without these
capabilities, responders aren’t able to react to and resolve emergencies.
Envisioning a mobile solution
Usher is the exclusive partner of the largest defense technology company in delivering a
nationwide mobile network for the federal government to support all first responders. The federal
government will provide Usher on smartphones and tablets with a secure mobile badge as well as
a dedicated network. Usher is used to provide the following for first responders and administrators:
• Biometric login for shared devices
• Identity verification
• Workforce management via communication channels such as push-to-talk, text, phone, and email
• On-the-fly group creation
• Analytics with live tracking capabilities for responders in the field
With this mobile solution, first responders will be able to easily identify and communicate with
one another, so response teams are able to focus fully on addressing emergency situations.
Administrators will be able to better coordinate emergency response, and the emergency
situations will be safer for everyone involved.
International airport
Overview
Large international airports operate on the same size and scale of many major American cities, with
daily operations across many different industries and professions. And for every airport, security is a
top concern–ensuring that everyone coming and going, including both employees and passengers,
is confirmed via identification documents such as a driver’s license, passport, or employee ID badge.
Often, airports have additional facilities that require another identification check. Securing the
airport facilities is an issue on the national and international level, which is why one of the largest
international airports turned to Usher for a solution that would help ensure security within its facilities
as well as to offer the most enjoyable and convenient experience to travelers.
Security and customer rewards on a mobile device
When one of the largest international airports turned to Usher to improve their security solution,
they were looking for a mobile solution that would appeal to today’s generation of travelers
and employees. For internal use, multiple systems, applications, and physical locations required
employees to use various inconvenient and outdated methods of authentication. Additionally, the
airport wanted to provide a way to identify and reward VIP customers (frequent travelers). Currently,
there is only one solution in the marketplace that addresses both of these needs in one mobile app.
Envisioning a mobile security solution
With Usher, the international airport is able to offer employees a mobile security solution that
consolidates multiple security systems into one mobile app that can be used around the facilities.
They also envisioned being able to offer a mobile VIP card for frequent travelers, making the airport
experience even more enjoyable. This airport has deployed Usher, including the following use cases:
• Check-in/check-out system and reporting for 100 users across multiple business units
(employees get paid for using the gym on a regular basis and are tracked accordingly)
• Salesforce.com login
• MicroStrategy Web login
• Mac unlock via Bluetooth
• Physical access for new administration facility
• Airport ID for employees, partners, and vendors
• Usher-driven VIP card for frequent airport travelers
Just the beginning of the mobile movement
As the mobile revolution continues to spread, all industries will continue to look for more
innovative and secure ways to provide identity verification, physical access, and logical access
that is combined in one application. Usher unlocks these possibilities for international airports,
and allows airports to offer passengers unprecedented security and convenience, all at their
fingertips. And for employees, consolidated access to web and mobile applications, physical
locations and facilities, as well as a convenient identification method, brings in a new standard of
security and convenience.
Financial services institution
Overview
Financial services institutions deal with some of the highest risk transactions, managing billions
of dollars in transactions, investments, and accounts. Every transaction that occurs requires the
approval of the individual account holder, and the approval process relies on outdated methods of
security and authentication, including passwords and security questions, that are easily guessed or
found online. Additionally, employees handle and transfer large amounts of cash, which they pass
on to other bank employees, requiring employees to be able to identify one another. This is why
one of the largest financial services institutions turned to Usher for secure identity verification and
multi-factor authentication for employee access to highly-secure bank and customer data.
The need for a long-term security solution
The sheer amount of money controlled by financial services institutions requires the highest level
of security. Additionally, when a customer reports fraud, the financial institution ends up footing
the bill, costing the institution tens of millions of dollars every year. With so many security issues,
financial services institutions are beginning to understand the need for a comprehensive security
solution that provides identity verification, multi-factor authentication, system and application
access, and security analytics. However, these institutions also understand that convenience is an
important factor, and want a solution that will provide security without sacrificing convenience.
Envisioning a mobile security solution
With Usher, financial services institutions can replace outdated methods of authentication and
identification, ensuring high-risk transactions are properly authorized. This financial services
institution has deployed Usher, including the following use cases:
• Workstation login
• System and application access
• Biometric verification for physical access
• Analytics for monitoring access
• Identity verification for bank employees
Bank employees use Usher to log into their workstations and access bank and customer data in a way
that is multi-factor and does not expose their credentials to key-logging viruses. Before they unlock a
vault or log into highly secure systems, they can conveniently use Touch ID for biometric verification.
Administrators are given access-monitoring tools, eliminating security threats caused by
unauthorized access. If an administrator notices an off-duty employee trying to access a system
containing valuable information or assets, the administrator can instantly revoke the employee’s
access. Administrators can quickly grant and revoke security privileges remotely, eliminating the
security risk of lost or stolen hardware (badges, keys, fobs, passwords).
Individuals working for the bank can identify each other either in person or over the phone–
eliminating the long list of security questions or relying on ID cards that can be counterfeited–by
asking for their four-digit Usher code that changes every minute. The bank distributes this solution
to all of their cash-in-transit teams for employee-to-employee validation.
The safety, security, and location of cash-in-transit teams is of paramount importance, and banking
security operations personnel are able to monitor the geographic location of these teams with the
solution as well.
Just the beginning of the mobile movement
Financial services institutions understand the value of both security and customer convenience. As
security continues to be a pressing issue for these institutions, they will look to solutions that can
solve all their issues, while providing valuable services to customers. Investments will continue to
grow in the security area, and mobile solutions will continue to dominate the list of necessities for
all financial services institutions.
Chapter 10:
System requirements
Up-to-date documentation links
The user content (Documentation) teams cover system requirements as part of the MicroStrategy
Product Help. Making sure the content is accurate and up-to-date for every release is one of the biggest
challenges they have undertaken for the benefit of users. The content is readily available to customers.
• System requirements for go.usher.com are part of the Usher Help, available at
https://microstrategyhelp.atlassian.net/wiki/display/USHER/
• System requirements for an on-premises installation of Usher are part of the MicroStrategy
Readme for each release
• The MicroStrategy 10.1 Readme will be available after GA at
https://microstrategyhelp.atlassian.net/wiki/display/README101, as well as on the
MicroStrategy download site, and in the installer.
Recommended production configuration
The following distributed architecture is suggested for production, fault-tolerant Usher instances that
must support high throughput. For best performance, multiple application servers are required.
Software specifications and minimum hardware specifications are included in this document.
[Diagram: recommended production configuration. Network: F5 load balancers. Tomcat servers: www-1 and www-2, each running IDM and GW. MySQL DB servers: master and replica. Also shown: the Active Directory site agent and the Physical Access Control (PAC) Usher web service.]
In this diagram, there is a load balancing appliance (labeled “Network”), and the following servers:
• Two (2) Tomcat Servers for hosting Usher security. Both nodes are online and have their load
distributed by the load balancer
• Three (3) MySQL DB servers – one master and two replicas for backup. The master is online and
the replicas are offline, but can be brought online in case of failure on the master
• One (1) server to host the Active Directory site agent
• One (1) server to host the PAC web service if PACS is included in the enterprise deployment
The MicroStrategy Analytics environment (for Usher Analytics and Usher Professional) is not
installed on any of these servers and is assumed to be running in a production configuration on
separate hardware.
Please note that the MicroStrategy 9.5 and 10 installers for Linux do not support distributed
installation at this time. Significantly more work is required to set up this architecture, involving
many manual steps. A services contract with the Usher Solutions Group at MicroStrategy or
through a certified partner is strongly recommended.
Development and pilot configuration
The following architecture is suggested for non-production instances that could be used
for development and/or pilots. In this configuration, Usher security, Usher Analytics and Usher
Professional are installed on the same server using the MicroStrategy 9.5 or 10 installer for Linux.
The minimum specification for this server is four cores and 16 GB RAM.
[Diagram: development and pilot configuration. One Tomcat server (www-1) running IDM and GW together with the MySQL DB; the Active Directory site agent; the Physical Access Control (PAC) Usher web service.]
In this diagram, there are the following servers:
• One (1) Server to host Tomcat and MySQL DB
• One (1) server to host the site agent
• One (1) server to host the PAC web service if PACS is included in the deployment.
Usher Professional and Analytics
Usher Professional and Usher Analytics add no requirements beyond the installation of the
MicroStrategy Intelligence Server, MicroStrategy Mobile, and MicroStrategy Web. They are merely
an add-on option with little extra impact on requirements. For production Usher implementations, it is
recommended that the Intelligence Server be deployed according to MicroStrategy Analytics best
practices and that the metadata for Usher Professional and Usher Analytics be hosted according to the
same recommendations. For development and/or pilot installations, everything can run on a single server.
Usher physical gateways
For physical access systems, Usher leverages a special Usher REST-based web service for
communication with the physical access system.
[Diagram: the Usher server (Usher component) reaches the PACS web service in the customer deployment over a network (WiFi) connection; the PACS web service connects to the PACS (3rd-party component), which has a physical (hardware) connection to the panel and reader at the door; an optional iPad mini door reader is reached over a BLE/NFC connection.]
Usher-on-premise installation/configuration steps are online in Tech Note TN240567. The Usher installer
can be downloaded from the MicroStrategy download site at https://software.microstrategy.com.
Usher evaluation edition license keys
If you are evaluating Usher, the Usher Solutions Group will provide an evaluation key that is good
for 30 days. The key can be extended at MicroStrategy’s discretion for up to
two (2) additional 30-day periods. Following the evaluation, all software must either be properly
licensed or uninstalled.
1850 Towers Crescent Plaza | Tysons Corner, VA | 22182 | Copyright ©2015. All Rights Reserved.
COLL-1430 0915
microstrategy.com