the Guide Guide Usher: a comprehensive enterprise
Transcription
the Guide Guide Usher: a comprehensive enterprise
Usher: a comprehensive enterprise security guide USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE TABLE OF CONTENTS Introduction 5 Logical access controls 6 Physical access controls 6 Identity authentication solutions 7 Chapter 1: Components of an enterprise security deployment with Usher 8 Mobile credentials (Usher Security) 8 Usher badge 9 Time-limited Usher codes 9 Validation panels 11 Digital keys for physical access 13 Sight code panel (only available in SDK) 13 Chapter 2: Badge security and configuration 14 256-bit AES encryption of user attributes 14 Integration with Touch ID 15 Offline capabilities 15 Add a badge from deep link in email 15 Badge information 16 Upload profile image 17 Remove a badge locally 17 Badge recovery 18 Image caching 18 Encrypted access tokens for authentication 19 Offline Usher code generation 19 Encrypted X.509 PKI certificates 20 Out-of-band identity transmission 20 Encrypted channel for data transmission 21 Chapter 3: Network management 22 Network creation 23 User management 24 Usher agent for Active Directory 24 Network administrators 25 Badge management and design 26 Chapter 4: Authentication and access 27 Logical access and methods 28 Physical access and methods 31 Behavioral-based conditions/fencing 34 Extension to Apple Watch 35 USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE Chapter 5: Workforce productivity with Usher Professional 36 Discovery views 37 User profiles 38 Search capabilities and saved groups 39 Chapter 6: Intelligence and reporting with Usher Analytics 40 Interface 41 Transaction logs 43 Pre-built dashboards 44 Chapter 7: Usher server 46 Server architecture 47 Server components 47 Common library and tools 47 Server deployment 48 Deployment architectures 48 Secure Cloud 48 Certifications and controls 48 FIDO certification 48 Systems 49 Current server environment (multi-tenant) 49 Operations 50 Technology 50 Monitoring 50 Maintenance 50 Security operations 51 Vulnerability management 51 Event logging and auditing 52 Chapter 8: Custom implementation (SDKs) 53 Mobile SDK workflows 54 Usher as a mobile app authentication mechanism 55 Usher as an enterprise SSO provider 56 Usher as a step-up authorization provider 56 Usher as a peer-to-peer authentication provider 57 Mobile SDK 57 Server-side SDK 57 Platform RESTful API 58 Physical Access Control System API 58 Chapter 9: Deployment scenarios 59 Higher education 60 Federal government 62 International airport 63 Financial services 64 USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE Chapter 10: System requirements 66 Up-to-date documentation links 67 Recommended production configuration 67 Development and pilot configuration 68 Usher Professional and Usher Analytics 68 Usher physical gateways 69 Usher evaluation edition license keys 69 Introduction The threat of industrial espionage today is all too real; it seems that every day another company’s confidential information is hacked—and the cost of these security breaches is escalating at an alarming rate. According to a study conducted by the Ponemon Institute, the average cost of an information security breach to a U.S. company is $3.5 million; this figure doesn’t even include the mega-corporations who were most recently the victim of an attack. What the Ponemon figure also doesn’t represent is the post-attack cost to a company’s reputation. We all know public trust is a key requirement for revenue and business continuity. Reputation can be a company’s biggest value driver, or its worst enemy. For one highly visible retailer, the latter came true in 2014. This namebrand retailer estimated that in Q2 2014, the costs associated with their security breach exceeded $148 million. Forrester Research Analyst John Kindervag suggests that over time, those costs could eclipse $1 billion. The moral of the story: your information is too valuable to be protected by traditional and outdated security measures. As a result of these trends, businesses of all types are making 2015 the year of information security, or InfoSec. MicroStrategy has identified three crucial types of investments in the field of identity and access management (IAM) and advanced authentication (AA) and built all three of them into a single security offering, Usher. This Usher product guide addresses industry issues as well as capabilities, security details, and use cases. USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE | Introduction Investment 1: Logical access controls Logical access controls ensure only appropriately credentialed employees have access to your workstations, applications, and information networks. Unfortunately, at many companies, employees across the organization have unhindered access— typically “resolved” by controlling access via passwords. Here’s an alarming statistic: 76% of all cybersecurity breaches are caused by weak or compromised passwords. Equally striking, it costs your firm anywhere from $51–$147 every time someone needs a password reset. This cost is driven by the number of calls your help desk fields exclusively for password resets (Fact: 30% of all help desk calls are a result of forgotten passwords). Standard logical access controls like passwords are surprisingly expensive to your firm–even without a breach. By relying on passwords, your organization is leaving itself vulnerable to even greater costs, as passwords are easily hacked by internal and external threats alike. It is critically important for your organization to secure its sensitive information using effective logical access controls. Essentially any access control utility that relies on simple data entry—including passwords, PINs, and knowledge-based questions—is not enough. Security measures like these cannot account for the person inputting the data. Much like physical security platforms, logical access platforms must leverage the person’s true, non-replicable identity. Investment 2: Physical access controls Most companies utilize various forms of physical locks and keys for access control; these solutions have obvious weaknesses. These weaknesses do not, however, stem from the solutions themselves. Rather, they are the result of the user. Studies have shown that the top threat to an organization’s data is its own employees. In fact, it has been reported that 69% of serious organizational data leaks are caused by employee activities—both malicious and non-malicious in nature. With activities of malicious intent, these leaks are often a result of employees physically accessing server rooms and devices that contain sensitive information. In these situations, physical access controls are either abused or, even worse, non-existent. usher.com 6 | Introduction USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE The most infamous information security hack of 2014 is a poignant example of failed physical access controls. According to the hacker group responsible, they were able to obtain their victim’s private information by leveraging employees on the inside with physical access to the target network. If this is true, it implies employees physically injected a virus into the network that enabled the hackers to access their victim’s data remotely. Additionally, if the hacker group did in fact leverage employees, then it will be very difficult for the victim to recover fully. As CSO Online points out, “physical security related breaches…are hard to contain and recover from because evidence can be tampered with or simply removed.” What makes this story even more worrisome is that the employees were said to have “similar interests” to the hacker group. No organization wants to believe their employees are capable of being adversarial. However, it is nearly impossible for an organization to prevent the possibility of a bad egg—there’s always the risk of a disloyal or embittered employee attempting an information security breach. When this happens, it is critically important that your company has suitable physical access controls to prevent a breach. So what can your organization do to prevent a physical security-related attack? Most importantly, consider how your employees currently access your physical computer network environment. Is it with the turn of a key? Is it an electronic key fob? Is there an actual guard standing at the door? All of these methods lend themselves to human error. Physical keys or key fobs can be lost or stolen. A guard can mistakenly grant access to an unauthorized person. Every organization needs a physical access control solution that authenticates individuals based not only on something they have (such as a key, key fob, or physical badge), but also on something they know (like passcodes and PINs), and something they are (biometrics). From the user’s standpoint, the access tool needs to be difficult to lose, steal, and replace. Investment 3: Identity authentication solutions As greater emphasis is placed on improving physical and logical access controls, it becomes increasingly important to manage these controls centrally. Information security is simply too important to be directed by individual departments. Distributed ownership leads to unclear accountability, making it difficult to identify security vulnerabilities and breaches without a single unified platform. This trend toward centralized administration is called converged access management (CAM). CAM is the ideal that every organization must strive to achieve. However, CAM is all but impossible to achieve when employees are forced to use different forms of identification for different types of authentication purposes. If employees use a physical badge to gain physical access and a password to gain logical access, it is highly likely that separate administrators manage each type of access. Organizations in this position sacrifice both efficiency and security. To guarantee the best protection, organizations must adopt a single, comprehensive identity authentication solution. For employees, this means a single authentication tool that is simple to use. For administrators, this means an authentication platform that is difficult to defeat and doesn’t require a specialized skillset to manage. And crucially, the identity authentication solution must provide comprehensive threat monitoring and analysis. usher.com 7 | Introduction USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE Chapter 1: Components of an enterprise security deployment with Usher Mobile credentials (Usher Security) Mobile security badges allow enterprises to replace outdated methods of authentication such as passwords, ID cards, keys, and security tokens, with a mobile app. Mobile security badges are a more secure solution because they offer multi-factor authentication, dynamically changing codes, encryption, telemetry, geo-fence controls, time-fence controls, and biometrics, all running on a single instance on mobile devices. Swipe up for additional profile information Employee Badge Swipe left and right for additional badges Ying Gayle Le Marketing Manager 0621 BADGE KEYS QR CODE READER SETTINGS usher.com 8 | Chapter 1 USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE Usher badge The badge is the center of the Usher user experience. Badges are uniquely branded for a given enterprise and present publicly viewable information like name, title, and a photo. Users can have multiple badges in the same app, and simply swipe left or right to switch between them. Locally on the mobile phone, the Usher badge stores nothing more than basic user information (such as name, title, and photo), an access token that authenticates the user, and a X.509 PKI certificate that identifies the smartphone to the server as an Usher-enabled device. Usher badge data User attributes Only a simple, descriptive part of the identity is stored on the phone Picture A photo of the user for visual identification X.509 PKI certificate An X.509 PKI certificate ensures that only Usher identities are authenticated Access token An access token for authentication of the user The Usher mobile app stores data on the smartphone in an encrypted format. Time-limited Usher codes Usher acts as an extension of a user’s identity and communicates that identity to a wide range of devices and systems within the enterprise, including watches, phones, tablets, computers, systems, and doorways. It does so using three different methods: 1. Usher codes: human-readable time codes of 4 to 8 digits that expire every 60 seconds or other configurable time period. 2. QR codes: machine-readable, dynamic QR codes for scanning that expire every 60 seconds. 3. Bluetooth signals: Bluetooth low energy (BLE) signals that can transmit and detect Usher users in close proximity using very low power consumption. usher.com 9 | Chapter 1 USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE Prior to Usher, personal identity validation was limited to two imperfect systems: 1. The low-cost, low-security system that uses laminated pictures on official looking cards, which are easily forged, stolen, or counterfeited. 2. The high-cost, higher-security solution that provides electronic validation using dedicated biometric readers or smartcards with card readers or sensors. With Usher, users enter time-limited Usher codes into their Usher badge’s user validation panel to verify the identity of other users. After the pre-set time period expires, each code is refreshed and replaced with a newly generated code. The previous code is rendered invalid and can no longer be used. All Usher codes are linked to a specific device, enabling the server to precisely identify the device being used. This architectural design ensures that the security risk associated with stolen Usher codes is minimal, preventing replay attacks. Given the time sensitivity, these codes are designed to withstand brute force attacks with the server throttling guessing attempts. In short, the attacker only has the time period for which the Usher code is valid to try each and every combination, making it highly improbable for the in-use Usher code to be guessed. 9867 6231 60s 5512 Old Usher code is expired 9867 120s New Usher code generated New Usher code generated 180s Old Usher code is expired 6231 One-time, time-limited Usher codes act as short-lived, temporary identifiers of the client. usher.com 10 | Chapter 1 USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE Validation panel The QR validation panel, which is the third tab in the bottom navigation pane in the Usher Security app, is a built-in QR code scanner. This panel lets users capture Usher QR codes, allowing them to open entryways, unlock workstations, log in to applications, and authorize transactions (an SDKonly functionality). For low-light situations, there is a built-in flashlight button at the top-left corner. Validation Ying Gayle Le Marketing Manager Scan QR code for access Organization Badge Issue Date Email Acme Corp. Employee Badge Sep 04, 2015 yinggle@acmecorp.com User Validation You can validate users by their Usher Code or by scanning their QR code. Usher Code 0621 QR Code The User Validation panel (accessed by tapping on a badge to bring up the Badge Information view, and then selecting “User Validation”) empowers users to verify the identities of other Usher users, both remotely and in-person. usher.com 11 | Chapter 1 USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE When remote, any Usher user can ask another Usher user via phone or chat for their 4- or 8-digit Usher code, then type it into the User Validation panel and press ‘Enter.’ When in-person, navigate to the QR code tab and scan the other user’s personal QR code from their badge information view. Either workflow should return the same result: You can then tap on the envelope in the top-right-hand corner to conveniently add the validated user to your phone’s contact list. usher.com 12 | Chapter 1 USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE Digital keys for physical access Favorite Keys All Plastic ID cards used for physical access are easily lost, stolen, or counterfeited—problems that can HQ P3 Garage go days without being discovered. Additionally, physical ID cards grant entry based on L3 exit L2 exit L2 enter L1 enter possession, without regard to the cardholder’s identity. By interoperating with the world’s most prevalent physical access systems (Lenel, Honeywell, Paxton, Datawatch, S2 Security), physical entry points can be controlled by Usher using encrypted digital keys attached to a mobile device. Users can rely on the smartphone or Apple Watch to securely access virtually every entryway with digital keys that can be remotely HQ 14 Flr Elevator S HQ P3 Lane 2 Entry HQ P3 Lane 2 Exit HQ P3 Lane 3 Exit Innovation Lab distributed and revoked in an instant. Sight code panel (only available in SDK) Sight codes are animated, time-limited fractal images that are impossible to counterfeit and provide instant visual indication that people are members of the same Usher network. They are revealed by swiping left on an Usher badge, and are perfect for quick visual identification of a group of people (i.e. employee identification in emergency response situation, quick identification of event attendees). This has applications for any physical space that hosts multiple events concurrently: badges for attendees of each event will display different sight codes. usher.com 13 | Chapter 2 USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE Chapter 2: Badge security and configuration 256-bit AES encryption of user attributes Only basic identity information, such as a user’s name, title, company, and photo, is stored locally on the client. All user attributes are encrypted with 256-bit AES encryption and stored in the phone’s encrypted storage area, ensuring that the user’s data cannot be compromised. 256-bit AES encryption AB123NOSJCV NI39UR84HNJ ILWSNHIOE8949U4JJIOEWNF OWEU0490R094JRFMEFI0QI4 30UR9U043JFIOEJFI0EJR9034 NJKJUIJAOIENOFEUFNAU932 2I02I92UE93IUJIFIOSDHVIOSF D0V9KGSDFSDJFISVNSODV0S D9FI1VS0DUV0SUJCSIDF0VUS EWI2928484721901JAOIENOF Basic user information is stored in a n encrypted format on the smartphone. usher.com 14 | Chapter 2 USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE Integration with Touch ID Mobile hardware and software are becoming sophisticated enough so that everyone with a smartphone can have a powerful, state-of-the-art biometric reader in their pockets. This added layer of security comes at no added cost to the enterprise, as no investment in additional biometric verification hardware is needed. With Touch ID, the device operating system (OS) determines the procedure for capturing a fingerprint in order to perform feature extraction and verification. A dialog that requests the user to present their fingerprint is displayed. This dialog disappears upon successful acquisition of the fingerprint image by the device, followed by a successful verification. The same dialog is displayed if the verification is unsuccessful for up to three consecutive tries. The fingerprint feature extraction is controlled and performed by the mobile OS; applications such as Usher have no access to the extraction process or to the template. Usher does not have fingerprint feature extraction explicitly in its workflow; instead, the presence of user enrollment is checked and verification functionality is disabled if the user has not enrolled their fingerprint. Offline capabilities Usher offers several options for situations where network connectivity is not available. 1. Physical access: you can have a Bluetooth reader at the door, which is connected to the network (hard-wired or Wi-Fi), and a disconnected Usher mobile client can unlock the door. 2. Logical access: a disconnected Usher mobile client can unlock a Mac workstation with Bluetooth. 3. Peer-to-peer validation: works when the validated user is offline, but the validator must be online. Add a badge from deep link in email If a user has just installed the Usher app and has not yet added a badge, there will be a welcome screen displayed to remind this user to check his email and see if there’s an invitation to add a badge. After the administrator creates an Usher network and invites the corresponding users, the end user being invited (or the administrator user himself ) will receive an email. If the user opens the mail on her phone and clicks the activation link in the mail, the badge will be automatically added in the Usher Security app (the mobile client). usher.com 15 | Chapter 2 USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE If the Usher mobile client is not detected on the phone, the activation link will redirect the user to the Usher Security app page on Apple Store or Google Play store to allow the end user to download and install it. After that, the user can click the activation link in the email. The badge the end user has been invited to add will be loaded automatically in the Usher Security app and displayed to the end user. If this badge has already been added in the Usher Security app in the past, a message saying “%Badge Name% badge has already been added previously” will be displayed. Badge information A “badge information” section is located in the “settings” of the Usher Security app. All Badges added in the Usher Security app will be listed in this section. Clicking a badge listed here will display all information related to it, which includes: 1. Organization Ying Gayle Le 2. Badge 3. Issue date 4. Email Marketing Manager Organization Badge Issue Date 5. Time-limited Usher code (also found Email Acme Corp. Employee Badge Sep 04, 2015 yinggle@acmecorp.com on the main view of the badge) User Validation 6. Time-limited QR code (scannable for You can validate users by their Usher Code or by scanning their QR code. the purposes of verifying the legitimacy Usher Code 0621 of this badge) QR Code usher.com 16 | Chapter 2 USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE Upload profile image If the administrator does not add an image for a user in his profile when they create a badge using Network Manager, no image will be shown in the user’s badge. This user may be able to upload or change her picture from the badge by tapping on the image placeholder in the badge information view to activate the camera and photo library. Any new image captured or selected will be synced and stored on the server along with the user’s other information. Remove a badge locally When in the badge Information view (accessed by tapping on any badge) scrolling down reveals a button that allows a user to remove the badge from the app altogether. A pop-up dialog will prompt the user to confirm the badge deletion. If this badge is the only badge in the Usher Security app, deleting it will redirect the user to the welcome screen. To remove multiple badges at once, navigate to the settings tab at the bottom of the app, and then select “manage badges.” Settings Ying Gayle Le Marketing Manager SERVER You can validate users by their Usher Code or by scanning their QR code. Usher Code 0621 Usher Server 9 badges YOUR BADGES Badge Recovery QR Code App Passcode Manage Badges Touch ID Not Required Passcode Not Required CONTACT US Send Feedback Remove Badge Report a Problem usher.com 17 | Chapter 2 USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE Badge recovery Badge recovery allows users to recover badges for the Usher Security app through the settings screen of the application when at least one badge has been added. Otherwise, users will need to enter an email address on the application landing page at first launch. The user will receive an email with a deep link to restore all of the badges associated with his or her email address. Image caching In order to improve performance and reduce time/network traffic cost for users when switching between badges or validating other users in Usher, Usher offers an image cache policy. Each time a user validates another users’ badge in the validation panel or refreshes all his badges in the Usher Security app, the client will check the image cache for each of these badges. 1. If there is no image being cached, the client will fetch the image from server and cache it. 2. If there is an image being cached, the client will compare the timestamp of this badge image with the server to see if it is the latest one. 3. If the image being cached is not the latest one, the client will fetch the latest image from the server and update it. 4. If the image being cached is the latest one, the client will display the cached image. usher.com 18 | Chapter 2 USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE Encrypted access tokens for authentication Usher employs access tokens instead of usernames and passwords, eliminating the need to send user credentials over Wi-Fi, 3G or 4G networks for user authentication. This ensures that credentials cannot be intercepted or phished during data transmission. Access tokens are stored in an encrypted format on the smartphone and are only valid for a specific, but configurable, time period. Upon expiry, Usher users must re-authenticate themselves to Usher and obtain a new token. 256-bit AES encryption AB123NOSJCV NI39UR84HNJ ILWSNHIOE8949U4JJIOEWNF OWEU0490R094JRFMEFI0QI4 30UR9U043JFIOEJFI0EJR9034 NJKJUIJAOIENOFEUFNAU932 2I02I92UE93IUJIFIOSDHVIOSF D0V9KGSDFSDJFISVNSODV0S D9FI1VS0DUV0SUJCSIDF0VUS EWI2928484721901JAOIENOF Offline Usher code generation All Usher codes used for identification can be generated on the client, including the QR code, and numeric Usher code. For numeric Usher code generation, the Usher server sends an initial key to the Usher-enabled device, which stores this key on the phone in an encrypted format. The Usher-enabled device then uses this key to generate time-limited numeric codes locally on the smartphone. The Usher architecture is designed such that the initial key remains valid only for a specific, configurable time period. Before expiry, the Usher server issues a new key to the device for generating a new set of codes. The time-limited codes, which expire after a pre-set time limit, not only are designed to withstand brute force attacks but also make it highly improbable for the code to be guessed. In addition, the Usher server will throttle any attempts to guess Usher codes, thereby preventing a brute force attack. QR CODE 2165 USHER CODE usher.com 19 | Chapter 2 USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE Encrypted X.509 PKI certificates Usher uses X.509 PKI client certificates to help secure communications between the Usher mobile app and the Usher server. The Usher server issues a unique X.509 PKI certificate to each Usherenabled device when the Usher mobile app is launched for the first time on that device. This certificate is generated to the X.509 PKI standard, and, upon issue, is stored in the mobile phone’s encrypted storage area. A mobile phone identifies itself as an Usher-enabled device to the Usher server by including its unique X.509 PKI certificate in every data transmission. This in turn prevents rogue devices from impersonating an Usher device and establishing fraudulent communication with the Usher server to steal identity information. 256-bit AES encryption AB123NOSJCV NI39UR84HNJ ILWSNHIOE8949U4JJIOEWNF OWEU0490R094JRFMEFI0QI4 30UR9U043JFIOEJFI0EJR9034 NJKJUIJAOIENOFEUFNAU932 2I02I92UE93IUJIFIOSDHVIOSF D0V9KGSDFSDJFISVNSODV0S D9FI1VS0DUV0SUJCSIDF0VUS EWI2928484721901JAOIENOF Out-of-band identity transmission All identity information is transmitted out-of-band from the Usher server to the Usher mobile app. This ensures that no two Usher clients directly share identity data and that the Usher server always validates the identity independently. This includes identity validation through QR and numeric Usher codes. This approach also ensures that malicious apps can never steal identity data from the smartphone client. Additionally, since a malicious app cannot present a valid Usher-issued X.509 PKI certificate, the Usher server will immediately reject any communication attempts from it, ensuring that identities always remain secure. usher.com 20 | Chapter 2 USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE Other Usher mobile client Usher mobile client 2 Offer personal code 9867 9867 Usher code QR code 1 Generate time-limited personal code Submit personal code 3 1:23 Usher server Receive identity information 4 1:23 Usher code Encrypted channel for data transmission The Usher server and the underlying identity management solutions use the TLS protocol with 256bit AES cipher to send identity verification requests and verified identities to one another. These requests include the access token for user authentication, the X.509 PKI certificate to identify the device, and an Usher code; and the transmission is always encrypted. The Usher server matches the client’s X.509 PKI certificate with a copy maintained in the Usher server database and, upon positive identification, sends the verified identity back to the client. This process ensures that only known Usher-enabled devices can send identity requests to Usher and receive identity information from it. Additionally, all identity requests are processed exclusively through the Usher server, which, in turn, accesses identity information through Usher connectors. Certificate pinning: To ensure that the client is talking only to known servers, all trusted servers’ certificates are pinned in the application to prevent a man-in-the-middle attack that may use fraudulent certificates or malicious proxy servers. The usage of certificate pinning also prevents cyber thieves from deploying a fraudulent server to masquerade as an Usher server. 1 At initial launch, the client sends “Certificate Signing Request” Client public key 256-bit AES CSR infromation signed with client private key 2 Server generates a certificate and maintains an encrypted copy Usher server 3 Usher client receives the certificate 4 Usher client encrypts the certificate on the client side Certificate database usher.com 21 USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE | Chapter 3 Chapter 3: Network management Security and IT personnel today are required to handle all information securityrelated issues, including replacing ID badges, resetting passwords, and managing databases with employee and customer information. The ideal security solution includes a management tool that allows IT personnel to manage all aspects of security systems – including deploying mobile security badges, monitoring logical and physical access, and understanding all enterprise workforce activity. usher.com 22 | Chapter 3 USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE Network creation An Usher network is the group of users in your organization who can use the Usher app on their smartphone to validate their identity, log into applications, gain access to secure physical resources, and so on. Network creation is the process of developing and naming a specific Usher network, and is accessed at the Network Manager web portal. For both Secure Cloud and on-premise deployments, Network Manager will reside at a URL unique to that specific implementation, which you can get from your Usher account team. Network Manager is the web interface to the Usher Server that allows Usher Networks to be created and managed. The Network Manager is a PHP application that runs under Apache. Through it, Usher administrators can create an Usher network, configure gateways (to web applications, physical access systems and work stations), and then distribute or revoke access to gateways among their users, quickly and simply. Upon visiting the network manager site, administrators set up a network by following these steps: 1. Enter badge name 2. Enter network name 3. Edit badge design 4. Create an administrator account by submitting name, title, and photo (optional) 5. Enter valid email address: Usher sends an email message with instructions to install the Usher client and acquire the badge 6. Log into network manager with the newly acquired Usher badge (by scanning the QR code on the screen) usher.com 23 | Chapter 3 USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE User management User management allows administrators to set up a user population for their Usher network. Administrators do so using one of the following methods: • Manual user entry • User import from supported applications • User import from CSV file • Identity Management (IDM) system synchronization • Active Directory • OpenLDAP Please note that a combination of manual entry and IDM synchronization is not supported at this point in time. Usher agent for Active Directory Many organizations use Active Directory as a central repository for user management. With the Usher agent, an administrator can now synchronize their Usher user base with Active Directory in a matter of minutes. All of this is done through a lightweight agent running as a service on a Windows machine. It connects to Active Directory and synchronizes the user groups, or the organizational units one wishes to incorporate into their Usher deployment. In this deployment scenario, the Usher Active Directory agent is installed on customer premises. The Usher agent connects to the customer’s active directory via LDAPS. Communication between the Usher security server and the Usher agent is secured with TLS. The two-way communication channel is used for authentication purposes, as well as to update settings (i.e. import more user groups or synchronize more LDAP fields). The one-way communication channel is dedicated to send updates from Active Directory to the Usher network to keep user information up to date (every 20 seconds). usher.com 24 | Chapter 3 USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE This architecture can be deployed over a proxy or a firewall – and as the communication is outbound, it doesn’t require any change in firewall settings. The AD credentials are encrypted on the Usher agent, and the decryption key is stored on the Usher server The tool is entirely self-service, and has the benefit of letting changes performed on your user information in Active Directory be reflected in the Usher user base in seconds – one can even synchronize users’ pictures between Active Directory and Usher. Disabled users in Active Directory will be removed from the Usher user base in seconds as well. Network administrators Network manager allows administrators to: • Add, delete, and manage other Usher network users and administrators • View the status of other administrators – “active” or “inactive” usher.com 25 USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE | Chapter 3 Badge management and design Badge management includes various functions to change badge functionality: Design allows an administrator to modify badges: • Color (gradient option available) • Patterns – choose from eight provided background patterns • Background image – upload PNG or JPG files • Icon – upload PNG or JPG files Properties allows an administrator to: • Edit badge name • Enable Usher code broadcasting to access high-security door readers • Toggle location tracking on or off • Set location or time-based restrictions for badge usage usher.com 26 USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE | Chapter 4 Chapter 4: Authentication and access control options Today’s methods of authentication and access are both wide-ranging and outdated – because enterprises continue to rely on twentieth-century thinking to secure a digital world. The solution needed today includes authentication and access methods that replace the outdated methods (passwords, badges, ID cards, keys, security tokens), and can connect to all enterprise assets, including applications, domains, data and processes, with physical systems: watches, phones, tablets, computers, doors, facilities, vehicles, safes, and gates. Access to these resources and spaces may be granted using one of several methods and customization options with the Usher Security app. These fall under the categories of logical access, physical access, and behavioral-based conditions. usher.com 27 | Chapter 4 USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE Logical access and methods Web applications refer to resources that users access through a browser (web browser or mobile browser). These can be cloud applications or enterprise-grade, internally hosted applications. While Usher can be configured to provide authentication into any SAML 2.0-enabled web application or any VPN solution that supports FreeRadius, the Usher gateway configuration interface provides customized templates for several high-profile, prolific applications. These include, but are not limited to: • Amazon AWS • Zendesk • Join.me • Salesforce.com • Flowdock • Yammer • MicroStrategy Web • Box • GoToMeeting • Google Apps • Asana • RemedyForce • Github • New Relic • Cisco VPN • Rally • Active Directory • Juniper VPN • Wordpress • Dropbox Federation Services • Citrix VPN • Slack Usher’s VPN functionality is implemented as a module that sits on a RADIUS server, one of the most popular VPN servers in the market. As a result, Usher’s VPN solution is designed to work with vendors that support the RADIUS protocol, like Cisco, Juniper, Citrix, and F5. In this way, Usher adds an additional layer of security for remote system access that is convenient to the end user. usher.com 28 | Chapter 4 USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE Method 1: QR code scan When accessing a shared logical resource, such as an open workstation, the resource’s front-end Usher user interface is assigned a time-limited QR code by the Usher server. A user then scans the QR code from the validation panel of her Usher client, telling the Usher server who she is, as well as the gateway identifier associated with the QR code. The Usher server confirms the validity of the user and then passes the corresponding parameters to the web application using the SAML protocol in order to request access to the resource on behalf of the user. Method 2: pairing (push notifications) When performing a QR code scan on any SAML-enabled web application, the user can request that the system remember the specific user on this particular machine. This is known as pairing the client to the gateway. The Usher server will remember the user’s device token the next time the user goes to access the resource. The site will display a button to log in with Usher. Clicking on the button will trigger the Usher server to send a push notification to that user’s Usher client. The user can simply confirm the notification to log in. This feature works on Apple Watches with the Usher WatchKit app on them, as well as Android Watches, for which there is no native Usher application currently in production. As long as the phone is locked and configured to send its push notifications to an Apple/Android watch that is paired with it, the user will receive a push notification on his watch that allows one-tap access to a paired, logical resource gated by Usher. usher.com 29 | Chapter 4 USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE Method 3: mobile single sign-On (app switching) The Usher Security application supports mobile SSO workflows, which lets users log into third-party mobile applications running on the same device. Third-party mobile apps may implement the Mobile SDK to call the Usher Security app with a request to verify the user’s identity and obtain an access token. The communication between the Usher Security app and third-party apps is achieved via deep-linking between the applications. Method 4: one-time-passwords (Usher codes) On the main screen of each badge, the small white bar under the time-limited Usher code will degrade over time to let a user know that it is about to expire. Aside from entering the time-limited Usher codes into their client to validate the identities of other users, a user can use her Usher code to log into organizational VPNs in much the same way as one-time-passwords generated by security tokens do. Usher’s VPN authentication inherits all security settings you set for your network, allowing you to customize the security based on your needs usher.com 30 | Chapter 4 USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE Physical access and methods For physical access, Usher has Usher Physical Access (PACs) Web Services (specialized for specific Physical Access systems such as Honeywell EBI, Lenel OnGuard, and Tyco C-Cure) that broker calls between the Usher Server and the Physical Access System’s API layer. Some web services run on Windows Server under IIS (Lenel, Honeywell), while others run under Tomcat containers (S2). A “Standard PACS Adapter” also exists which allows for system integrators to write their own Web Services for PACS systems that are not supported by Usher out of the box. Method 1: Digital keys The key panel lets users tap on a key to unlock doors, elevators, and gateways. Virtually any entryway that is controlled by a PACS can be unlocked using Usher keys. Usher offers a list of all entryways a person has authorization to unlock and lets him organize his favorite keys on the key ring panel. The favorites key ring is also accessible in the Usher app on the Apple Watch. By default, the key panel shows your favorite keys. Tap on the ‘All’ button at the top-right of the screen to bring up all the keys you have access to, organized by badge. Here, you can then add and remove your favorite keys. These keys can be accessed by providing up to three factors of authentication—having your phone with you, knowing your phone’s passcode, and presenting your fingerprint (with iOS Touch ID). Most importantly, administrators can monitor and record who accesses each entry point at any given time—providing unparalleled insight into potential threats. usher.com 31 | Chapter 4 USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE Method 2: QR scans Another way to unlock doors is by simply scanning the Usher QR code affixed to a door. An organization can place an Usher QR code at each entryway. A user then scans the Usher stamp with his validation panel, and Usher communicates with the PACS to unlock the door to which the Usher stamp is affixed. With the key panel and QR scans, Usher bypasses legacy door readers and communicates directly with the PACS, so enterprises can use Usher without purchasing new door reader hardware. Method 3: Bluetooth readers For hands-free door entry, Usher uses Bluetooth to automatically unlock the door without the user needing to remove the smartphone from a pocket or purse. Using the same information advertised for peer-to-peer user discovery, a door reader can obtain the badge ID via Bluetooth and then make a request to the PACS, which unlocks the door if the user is both within a customizable physical range and is authorized to enter. With Bluetooth low energy (BLE), Usher minimizes battery consumption, as the user does not need to have the Usher Security app running in the foreground. Whether access was granted or denied is displayed on the door reader. usher.com 32 | Chapter 4 USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE Method 4: iBeacons Another method of context-based physical access is the Usher Nearby widget–in the Today view of iPhone’s drop-down notification center, which is accessible from the lock screen. iBeacons, which are relatively inexpensive, are deployed to powered sources near physical entryways, and set to constantly broadcast its presence via Bluetooth. When an Usher user is within range of the iBeacon and opens her Usher Nearby widget, the client on the phone receives the number the iBeacon is transmitting. It then maps the iBeacon to its associated key, and calls the Usher server for access to this resource. In this way, just one button in the widget can take on the identity of the key for any specific door the user is standing next to. This feature is also integrated with the glance of the Usher app for the Apple Watch. When a user swipes up from the bottom of their Apple Watch, the glance searches for iBeacons associated with physical entries nearby and displays them to the user for access. Furthermore, iBeacons and Usher can be configured to automatically unlock doors when a user reaches a certain distance from the door. This delivers maximum convenience, as a user can leave their phone in-pocket. usher.com 33 | Chapter 4 USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE Method 5: NFC chips Near Field Communication (NFC) chips are similar to Bluetooth chips and allow the sharing of small payloads of data. Most Android devices have NFC chips located somewhere on the device. When Usher-configured NFC chips are deployed throughout an enterprise environment, Android device end-users can take advantage of NFC for convenience. Users simply need to place the spot of their device where the NFC chip is located against the shown sticker located near the door. The location of the NFC chip is different depending on the Android device. The Usher client does not have to be open, but must be running in the background of your device. For the majority of devices, the NFC chip is located near the camera, but some trial and error may be needed for your particular device. Tap Here to open NFC Behavioral-based conditions/fencing Network administrators can set restrictions for how Usher badges are used, based on time and geolocation for better control and security over network resources. In other words, any resource (logical or physical) can be gated so that access is only possible during certain hours or in certain geographic locations. usher.com 34 | Chapter 4 USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE Additionally, administrators can set up Usher to require fingerprint verification every time a person uses it, or before accessing specific resources. This is significantly more convenient than typing in a password, and prevents unauthorized use of the Usher badge by providing an additional authentication factor for highly secure situations. Since only certain types of smartphones contain fingerprint readers, a passcode alternative is available for devices lacking this feature. Extension to Apple Watch Usher for Apple Watch turns Apple’s most personal device into the key that unlocks the enterprise, both logically and physically. It’s a new take on enterprise security that combines the powerful security capabilities required by modern organizations with the simplicity of a consumer WatchKit app. The iPhone and Apple Watch work in concert and are contextually aware of the systems, hardware, and entryways that users approach. Users receive push notifications on their Apple Watch, prompting them to unlock their workstation, log into a system, or open a doorway, and they can do so with a tap or gesture. In addition, the WatchKit app boasts a digital keychain which synchronizes with the digital keychain in the Usher app on its owner’s smartphone that is paired with it. A user can also use Apple Watch Force Touch to switch between badges and access the dynamic 4-digit Usher codes associated with various badges for multi-factor authentication (e.g., into a VPN) or identity verification. The glance feature of the WatchKit app mirrors the Usher Nearby widget on the phone; it searches for the nearest iBeacon and lets an authorized user unlock any door they are standing in front of. usher.com 35 USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE | Chapter 5 Chapter 5: Workforce productivity with Usher Professional With Usher Professional, a mobile application available on both smartphone and tablet, managers gain access to personalized and localized intelligence about resource utilization, transaction authorization, and all other activity being performed by their subordinates in the enterprise context. It is especially applicable to teams where employees are in the field. usher.com 36 | Chapter 5 USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE Discovery views There are three discovery views for Usher Professional: grid, list, and map view. By tapping on each individual team member, a manager can contact a team member directly or be kept informed of their recent enterprise access activity with usage data collected from their Usher Security application. usher.com 37 | Chapter 5 USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE User profile Tapping on a user brings up their user profile. The first tab of the user profile shows trend lines for their usage of both physical gateways and logical resources. The second tab is a bar graph of the locations the user performed Usher actions from, as well as how many actions were performed at each location. The third tab maps out the locations the resources were accessed from. Tapping on each location provides a scrollable log of actions taken at the location. From within the Usher Professional interface, a manager can directly initiate an email to a subordinate if the manager notices unusual items or patterns in the access history. For added insight, Usher Professional can integrate individual access data with other types of individual data (e.g., HR information) that is stored in analytics projects, such as those created in MicroStrategy Analytics. usher.com 38 | Chapter 5 USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE Search capabilities and saved groups In Usher Professional, a manager can filter, search, and create groups. Usher Professional can be calibrated to display users in the immediate vicinity, users within 300 feet, users within five miles, or all users in your badge network. A manager can save a group discovered by using any of these filter options, and check up on members of that particular group later. For example, a manager may wish to bookmark anyone who attended a particular planning meeting. To help with sorting through every user in a particular network, a manager can search based on name or title keyword, and save groups based on this. An example would be everyone who has “associate” in his or her title. Groups that are saved from the search functionality can be edited to clean out irrelevant search results (e.g., if the previous associate search was for intended to find junior-level employees, but also included a couple associate vice presidents in the results.) Usher Professional can be customized with more detailed user profiles for searches. The flexibility to add fields such as skills or certifications enables managers to more efficiently utilize the human capital theoretically at their disposal. Additionally, a manager can create and save a group of employees based on geo-location in the map view by creating a circle of a certain radius from a point or by using a freeform selection tool. After creating and saving a group, a manager can also send communications to the entire group as they would to an individual. usher.com 39 USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE | Chapter 6 Chapter 6: Intelligence and reporting with Usher Analytics Built on the industry-leading MicroStrategy Analytics Platform, Usher Analytics captures, analyzes, and displays visualizations of all Usher activity, providing both global visibility of users and an audit trail for governance, risk management, and cyber security oversight. It also provides proactive alerts when abnormal activity is detected or when thresholds are exceeded, and delivers a full spectrum of analytic capabilities, from simple time analysis to sophisticated correlations and data mining. Whenever an action is taken on an Usher Security client, the action is passed to the Usher server log and then to Usher Analytics, where it is stored in a MySQL database. If the Usher server is installed on-premise, a customer has flexibility in storing these action logs in a variety of ways. Usher Analytics provides complete visibility of all identity actions across a network in near real time, enabling state-of-the-art risk management, cyber security, and auditability to provide actionable insights at all times. For example, immediate detection of abnormal activities and irregular patterns (such as afterhours access), outlier behavior, or users who seem to be in two places at once. As an offering, Usher Analytics comes out-of-the-box with a set of pre-built MicroStrategy Analytics schema and objects, such as reports, dashboards, metrics, and filters. However, organizations also have the flexibility to upload their own data to the project for additional analysis. The current Usher Analytics solution, hosted in our cloud environment, utilizes the latest innovations in in-memory architecture to enable world-leading data warehousing options for massive datasets shown against traditional online analytical processing (OLAP) services. usher.com 40 | Chapter 6 USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE Interface Our main dashboard, accessible from the network manager site, contains information about the users, resources, and transactions of the viewer’s networks. The second section of this dashboard presents an overview of members’ activities and will allow you to see which users are most active, access the most resources, and initiate the most connections. usher.com 41 | Chapter 6 USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE If location services are enabled on the user’s device, a pair of location coordinates will be recorded for each transaction that they initiate. You can, at a glance, see the last known location of each member on your network. Usher Analytics will also provide the administrators the functionality to categorize their most used resources, or rank and sort which resources are susceptible to failure, as shown below: usher.com 42 | Chapter 6 USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE If an Usher network administrator wanted to dive deeper into an individual Usher user’s behavior or transactions, there is a convenient view of the data for auditing. The view below provides a summary of usage, resource distribution of that user, and the segmentation of where actions are being performed. Transaction logs The Transaction log is a summary of all Usher network actions. It comes with a robust filter panel, and gives you have the power to drill-down and filter into specific activity types, timeframes, or set of actions for full compliance and auditing. usher.com 43 | Chapter 6 USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE Pre-built dashboards These are the current out-of-the-box Usher Analytics dashboards as accessible from the web in network manager: Network panel – provides an overview of the network as a whole. User panel – lists all users and provides trends and metrics around their usage. usher.com 44 USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE | Chapter 6 Gateway panel – lists all gateways and provides trends and metrics around its usage. The gateway panel is divided into the analysis of physical and logical gateways. usher.com 45 USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE | Chapter 7 Chapter 7: Usher server The nerve center of the platform, the Usher server is a scalable, high-performance server that can host one or many Usher networks. It can be installed onpremise, or used in Amazon’s secure cloud as multi-tenant or single tenant. The Usher server is a Java web application built using the Play Framework, which follows the model-view-controller (MVC) architectural pattern. The server runs on an Apache Tomcat web server and utilizes a MySQL database. The operating system needed for the Usher server is Red Hat Linux. The Usher server has also been tested on CentOS and Windows; while the server can be made to run on these platforms, these are not certified. Play Framework • Lightweight, stateless, MVC • Built on Scala, Akka, Iteratee IO • Highly scalable, asynchronous programming • ORM support (EBean) • In-memory DB support • Easy to build (sbt) and deploy (built in Netty, supports other application servers) usher.com 46 | Chapter 7 USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE Server architecture USHER SERVER DIRECTORY GATEWAYS LOGICAL GATEWAYS PHYSICAL GATEWAYS Server components IDM kernel IDENTITY MANAGEMENT NETWORK (ORGANIZATION) MANAGEMENT RESOURCE MANAGEMENT USHER SERVICE LOGICAL ACCESS SUPPORT (Biometric etc.) IDM common library and tools Common library and tools The Usher server provides generic components, tools, and applications to the platform: Server common interface (common-interface project) Server general library (common-library project) • SAML • PKI • Other utilities, including HttpClient Server common modules (common project) • Multiple-language message support • License support • Mail support • OAuth • Security • General configuration support IDM common classes (common project) • UsherModel • UsherController • SQLOperator Log, LogSDK and LogServer (common project, LogServer) • Cache SDK usher.com 47 | Chapter 7 USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE Server deployment The Usher server is built and deployed using the RPM Package Manager. RPM packages can be built automatically and contain all WAR files and database changes for the server. The deployment process is also automated, which un-packages the RPM build, deploys the WAR files to the correct Tomcat instances, and executes any DB changes. Deployment architectures Usher can be deployed across a variety of deployment architectures. The deployment architectures that are possible are: Secure Cloud deployment Multi-tenant - with or without Active Directory Site Agent Single-tenant - with or without Active Directory Site Agent On-premise Secure Cloud Usher uses Amazon Web Services for hosting our multi-tenant or single-tenant Secure Cloud Usher servers. Our cloud team will work with you to size an environment specific to your enterprise requirements. Secure Cloud is monitored, managed, and maintained by experts. Certifications and controls Usher cloud environments are designed to ensure compliance with the most strict security frameworks. Our personnel are highly trained on the infrastructure, process, methodologies, and applications. 1. Vulnerability and penetration testing 2. 24x7 monitoring and alerts 3. SOC 2 Type II, PCI, HIPAA, Safe Harbor FIDO certification The FIDO (Fast IDentity Online) Alliance, a coalition of vendors that includes Microsoft, Google, Intel, Lenovo, RSA, Samsung, Qualcomm and various credit card companies, has developed open specifications for stronger, more secure authentication. usher.com 48 | Chapter 7 USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE FIDO’s specifications were also developed to address the lack of interoperability among strong authentication technologies and to remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler and stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO authentication is stronger, more private, and easier to use when authenticating to online services. FIDO certification is performed using a set of test tools developed by the FIDO Alliance, followed by participation in a proctored interoperability event. Usher has passed a rigorous series of tests that measure compliance with the FIDO Universal Authentication Framework (UAF) and ensure interoperability with other FIDO certified products and services that support FIDO 1.0 specifications, thus achieving FIDO certification. Systems Our environments are architected using best practices to ensure high availability and redundancy. Systems are backed up every night so we can recover in case of unforeseen events. 1. 99.9% SLA 2. Highly redundant 3. Disaster recovery – metadata and virtual machines are backed up every day 4. High availability Current server environment (multi-tenant) Hardware load balancing and firewall *Paired load balancers in an active/passive configuration Mirror/Staging servers Webserver 1 (10,20,127,22) Webserver 2 (10,20,127,23) Database master (10,20,120,10) Database replica (10,20,127,14) MPT servers Webserver 1 (10,27,21,113) Database master (10,27,21,113) EA/Perf testing servers Webserver 1 (10,20,121,25) Webserver 2 (10,20,123,19) Database master (10,20,101,13) Database master (10,20,105,3) Webserver 1 (10,20,125,24) Webserver 2 (10,20,127,24) Database master (10,20,105,13) Database replica (10,20,120,13) Development servers UAT servers Webserver 1 (10,20,109,13) Test servers Webserver 2 (10,20,109,26) Webserver 1 (10,26,243,1) Webserver 2 (10,26,243,52) Database master (10,26,243,3) Database replica (10,26,243,4) usher.com 49 | Chapter 7 USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE Operations For SaaS-based implementations of Usher, all management of Usher services are performed by the MicroStrategy Operations team. For single-tenant Secure Cloud deployments of Usher, most day-to-day operational functions will be handled through the web based administrative interface. System and database accounts, which provide superuser-level access to the underlying OS and database are configured via the administrative interface and can be used to access these components directly should that level of access be warranted. Any access of the underlying OS or database should be done with coordination of Usher support staff as changes to these components may render the Usher service inoperable. Technology The environment’s architecture is designed for high availability, so no guesswork or tuning is required from the customer since the environments are built and managed by our experts. 1. 64-bit architecture 2. Massive, high-speed networks 3. State-of-the-art computing platforms Monitoring For SaaS-based implementations of Usher, the MicroStrategy Operations team manages all Usher services. For Secure Cloud deployments of Usher, the virtual appliance provided by MicroStrategy exposes an SNMPv3 (Simple Network Monitoring Protocol version 3) interface, which will allow for monitoring of both the underlying Linux server health, as well as the Usher application components. Configuration of the SNMP service is managed via the virtual appliance’s web-based administrative interface. The administration of this service allows for specifying a password and access list to secure SNMP communications as well as a SNMP trap destination that will receive alerts from the appliance. Maintenance For SaaS-based implementations of Usher, all management of Usher services are performed by the MicroStrategy Operations team, with all performance and operational metrics exposed via Usher network manager. Secure Cloud deployment of the Usher platform uses a Linux-based virtual appliance provided by MicroStrategy. The virtual appliance provides standards based monitoring end points that allow for the direct integration of Usher monitoring into existing Secure Cloud monitoring solutions. For Secure Cloud deployments of Usher, all maintenance functions are usher.com 50 | Chapter 7 USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE handled by a web based administrative interface. The system routines managed via this interface are the following: • Log management: allowing for downloading of system logs as well as specifying a remote host to receive syslog based log messages • Patch management: MicroStrategy provides monthly system update bundles, which can be uploaded and applied • User management: manage the system and database level account and passwords • Support service configuration: manage the addresses of the outside services required to support Usher—mail relay server; NTP server (Network Time Protocol) (NTP optional if the appliance’s system clock is synchronized to the Hypervisor’s clock which is synchronized to a stratum-2 time server); SNMP service configuration • Certificate management: manage system certificates • Usher service management: start and stop all components of the Usher Platform Security operations Security operations for Usher are closely tied to security architecture principles. Our security operations model reflects both security architecture designs as well as required compliance standards certifications (see Section 4.9). We apply our knowledge of security best practices, and have followed a plan that includes our Security Operations team as stakeholders in the security architecture review process, as well as during compliance decision points. The Security Operations team conducts regular security tasks on the Usher servers and network, including, but not limited to vulnerability management, patch management and mitigations, incident response, internal vulnerability assessments and red teaming, and event logging and analysis. It should be noted that we maintain a physical and logical separation between the security operations enclave and the rest of the corporate and customer-facing network domains. The security devices that conduct vulnerability scans, logging, and malware detection are kept in a physically isolated cage in a data center, and can only be accessed by members of the Security Operations team. Vulnerability management It is critical to conduct regular intervals of vulnerability management on all hosts within the Usher network domain. Vulnerability management programs focus on both short and long-term vulnerability mitigation strategies for recently discovered vulnerabilities as well as ongoing patch verification efforts. The Security Operations team works closely with IT Operations to ensure that the reference system is as up-to-date on patches as possible, and assists in helping the IT Operations staff understand the impact of the system patch. usher.com 51 | Chapter 7 USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE Besides IT Operations, the Security Operations staff assists with verifying that software fixes have been applied. For example, if a third party security assessment team recommends that the Usher server be configured with a particular security setting, the Usher server can enable the setting, and coordinate with the Security Operations team to scan the systems to ensure that the setting is enabled. Event logging and auditing In security operations, it is imperative to maintain event logs for auditing purposes. We use a Security Information and Event Management Tool (SIEM) to collect, aggregate, filter, store, triage, correlate, and display security-relevant data, both in real time and for historical review and analysis. The SIEM allows us to take large amounts of disparate data and turn it into possibly relevant security-related events that can be further correlated into an incident, which is what we can take action on. usher.com 52 | Chapter 8 USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE Chapter 8: Custom implementation (SDKs) The key vision of the Usher SDK is to enable third-parties to seamlessly incorporate key components of identity management, access, and authentication - mobile, web, server, and intelligence - into their applications to enable custom use cases that are pertinent to their customers and business partners. The Usher platform is being continually built with the intent of easily integrating with existing and future infrastructure and software. For each possible integration point, a Software Development Kit (SDK) including an API, documentation, tutorial, and sample code (or complete sample projects) is available. The diagram below is a high-level global view of the various Usher SDK components: SAMPLE CODE PROJECT: LIBRARY/CLIENT: Usher mobile API for mobile apps DESKTOP APP SERVER SIDE APP Usher admin API for desktop apps Usher admin API for desktop apps WEB APP MOBILE APP Usher web API for web apps USHER REST APIS USHER SERVER API USHER DATA SERVICES API USHER ADMIN API USHER SERVER INFRASTRUCTURE SDK DOCUMENTATION: CLIENT SIDE APIS USHER REST APIS DIRECTORY SERVICES PACS SERVICES Cloud/Customer premise SERVER SIDE REST APIS DIRECTORY SERVICES PACS SERVICES TRANSACTION SERVICES TRANSACTION SERVICES usher.com 53 | Chapter 8 USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE APIs and other necessary elements are set up and maintained through the Usher network management web console. Specifically, the console allows app developers to: • Register their application and retrieve their Usher API license keys • Configure the third-party-server-to-Usher-server trust elements • Monitor their Usher API usage • Manage the application to Usher network permissions The following sections will detail different SDK packages: • Usher Professional app workflow • Usher server-side SDK • RESTful API • PACS API Visit https://developer.usher.com/ to view reference resources. This website helps third-party developers easily integrate Usher into their desktop, web, mobile, or server applications. The resources are organized by platform (iOS vs. Android vs. Java) as well as by the type of application being integrated (web vs. mobile vs server). Mobile SDK workflows Often, a customer is interested in using the Usher platform for authenticating into their existing mobile applications, but is also uninterested in the inconvenience and login workflow that goes along with downloading an additional app (Usher). The following scenarios enable a customer to leverage the Usher platform in existing mobile apps for stronger authentication: • Usher as mobile app authentication mechanism (directly via app) • Usher as a mobile app authentication mechanism (via authentication app) • Usher as enterprise SSO • Usher as step-up authentication provider • Usher as a peer-to-peer authentication provider usher.com 54 | Chapter 8 USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE Usher as a mobile app authentication mechanism Directly via app ACME CORPORATION MOBILE APP USHER 1. Usher user token Usher mobile API for mobile apps 1. User is authenticated with Usher network from mobile app using credentials and/or biometrics 2. Mobile app can now leverage Usher functionality like Usher stamp scanning, Usher code, peerto-peer verification, etc For SAML-based mobile apps Detailed authentication workflow: ACME CORP. AUTHENTICATION APP USHER 1. 6. Usher user token Usher mobile API for mobile apps 3. 9. ACME CORP. BACKEND Usher service-side API 2. 4. 8. 10. 5. 7. Acme Corporation backend Usher mobile API for mobile apps ACME CORP. MOBILE APP 1. User was previously authenticated to Usher network from mobile app 2. Acme Corp. mobile app is launched and request session with Acme Corp. backend 3. Acme Corp. backend requests resource session validation from Usher platform 4. Acme Corp. backend sends resource session ID along with local session ID to Acme Corp mobile app 5. Acme Corp. mobile app invokes Acme Corp. mobile authentication app for resource session ID 6. Acme Corp. mobile app validates the access of resource session 7. Acme Corp. mobile app invokes Acme Corp. mobile app 8. Acme Corp. mobile app requests status for local session ID 9. Acme Corp. backend retrieves user identity from Usher platform for resource session 10. Acme Corp. backend sends confirmation (and user information) that local session is now active for the user Note: this workflow is very similar to the workflow that would allow a user to authenticate with an enterprise web application. usher.com 55 | Chapter 8 USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE Usher as an enterprise SSO provider ACME CORP. MOBILE APP Usher user token Usher mobile API for mobile apps Acme Corporation backend API 1. 2. 3. USHER ACME CORP. BACKEND Usher service-side API A simplified workflow can be described: 1. User is authenticated to Usher network from mobile app and acquires Usher token 2. Mobile app forwards token to customer backend 3. Customer backend confirms that the Usher user token is valid and corresponds to the user by calling the network API before performing further action Usher as a step-up authorization provider ACME CORP. MOBILE APP Usher user token Usher mobile API for mobile apps Acme Corporation backend API 4. USHER 1. 3. 2. 5. ACME CORP. BACKEND In the case of Usher as a step-up authorization provider, a high-level workflow can be described as: 1. Acme Corp. authenticates mobile app user 2. Acme Corp. grants mobile app user access to Usher network (trusted relationship) 3. Acme Corp. sends badge retrieval information to mobile app 4. Mobile app retrieves badge and Usher user token and can leverage Usher functionality, which includes biometrics and/or Usher code 5. Acme Corp. will validate Usher user token with Usher network as well as a second factor, which may be the user’s Usher code or biometrics). usher.com 56 | Chapter 8 USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE Usher as peer-to-peer authentication provider ACME CORP. MOBILE APP ACME CORP. MOBILE APP 3. 2. Usher user 1 token Usher mobile API for mobile apps Usher user 2 token Usher mobile API for mobile apps 1. 1. USHER 1. The mobile user is authenticated with Usher 2. Mobile app discovers users in the vicinity (optional) 3. Mobile app authenticates other mobile app user (using Usher stamp or Usher code) Mobile SDK There are two Usher mobile SDKs: one for the Apple iOS platform (iOS 7 and later) and one for the Android platform (Android 4.0 and later). Each Usher mobile SDK is composed of: • Platform specific API libraries (iOS Framework and JAR libraries for Android) • Usher mobile API documentation • Tutorials describing the typical use cases and basic concept of the Usher mobile API • Sample code/projects for each typical use case: • Usher as an enterprise SSO provider • Usher as a secondary factor for authentication • Usher as a step-up authentication provider • Scanning an Usher Stamp (e.g. QR code) to gain access to a logical resource • Peer-to-peer authentication/verification Server-Side SDK The Usher server-side SDK is geared toward enabling backend application developers to easily integrate with the Usher platform. Establishing a trusted connectivity setup between Usher and the third-party application requires an advanced level of knowledge of important security concepts. Any error in this setup could lead to a less-than-secure setup and/or unstable configuration. The Usher server-side SDK encapsulates best practices steps and ensures they meet the Usher deployment guidelines. usher.com 57 | Chapter 8 USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE In most use cases, the mobile backend will need to interact with the Usher platform backend servers. For example: • Initiate a resource access workflow using an Usher stamp • Initiate a trusted third-party-server-to-Usher-server session to perform actions on behalf of the user • Initiate a trusted third-party-server-to-Usher-server session to provision a new Usher account • Validate Usher user identity using an Usher code While most of these tasks would be trivial to achieve by leveraging the Usher platform API, it is much faster and less-error prone to leverage the Usher server-side SDK. Platform RESTful API The Usher platform API is a RESTful endpoint structure that the Usher server exposes. These APIs provide programmatic access to Usher data and are utilized by different components of the platform such as the Usher mobile client, network manager, etc., to carry out transactions. Request and response payloads are formatted as JSON and use standard HTTP methods like GET, PUT, POST, and DELETE. Physical Access Control System API The Usher platform supports native connectivity to a large number of physical access control systems (PACS): Lenel, S2, Honeywell etc. In the event a customer’s system is not amongst those Usher connects to out-of-the-box or requires additional flexibility, the Usher platform can be extended using the Usher PACS Web Service API facility. Functionality supported with a custom PACS agent connectivity: • Retrieve keys/resources available to a specific user • Activate a key/resource (e.g. “Open South-East lobby door in HQ building • Encryption of the communication channel (HTTP over SSL) Below is a diagram illustrating how a custom PACS agent can be implemented allowing the Usher platform to interface with your PACS system. The Usher PACS agent web service API used for implementation included in the Appendix. CUSTOMER PREMISE USHER CLOUD Usher network management web console Usher servers Web service application server Custom web service Usher PACS web service API Physical access control system interface Physical access control system usher.com 58 USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE | Chapter 9 Chapter 9: Deployment scenarios Higher education institution Federal government International airport Financial services institution usher.com 59 | Chapter 9 USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE Higher education institution Overview Higher education institutions today have multiple concerns on a day-to-day basis. Safety for the student body as well as faculty and staff is extremely important, and running a successful educational institution requires the administration to focus first and foremost on security. Physical security, as well as cyber security, is a high focus for these institutions, which is why most turn to different physical and cyber security solutions. However, the available solutions today focus only on one area of security, which is why one of the nation’s most elite private universities turned to Usher for a consolidated, intelligent, and comprehensive security solution that would be easy for students to use. The problem with the student ID card University students today are constantly in communication with one another and are always upto-date on the latest technology. Therefore, universities are always striving to provide valuable and useful services to students that can be consumed on mobile devices. That’s why, with the rise of today’s major security issues–both physical and cyber–and the critical understanding of universities to protect students and their data, one university decided a better solution was necessary. Used by students around campus, Usher provides a consolidated means of access and identification. Universities have long relied on plastic physical ID cards so students can gain access to buildings, events, or even make purchases with the ID card. And in an emergency situation, these ID cards establish a student’s identity and prove he is a member of the university community. With modern physical access control systems, these ID cards often serve as a proximity-based key, with the ability to unlock doors at buildings around campus. Students can present their ID cards to gain tickets for special events or sporting events on campus. And, ID cards also serve as a debit card, with payment processing capabilities (on either a debit account or credit account). Thus, the ID card serves as the center of a student’s on-campus world. Envisioning a mobile solution As with all physical objects that we use in our daily lives, problems arise when the ID card is lost, stolen, or counterfeited. On a university campus, a student ID card in the hands of the wrong person can be a major security issue, giving the unauthorized user access to buildings, events, and even payments. And physical cards don’t provide any form of intelligence or analytics, since showing an ID card to a university official can’t be tracked. With no insight, security threats can’t be monitored, and security issues take longer to be addressed by the campus security officials. usher.com 60 | Chapter 9 USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE With Usher, one of the nation’s elite universities can now offer students a mobile app that consolidates the use of the ID card, as well as web application access. This university has deployed Usher, including the following use cases: • Mobile student ID cards to 4,000 students • Logical access to 100+ web applications (integration with Shibboleth) • Mobile payments in the food court, dining hall, bookstore, and campus printers • Physical access to campus buildings • Event ticketing With almost 90% of today’s university students in possession of a smartphone, a mobile app that integrates physical access, web and application access, ID card management, and mobile payments is a solution that all students are excited to use. Additionally, Usher requires no new infrastructure investments, so the university chose Usher as the solution since there were no additional costs involved with deploying the solution. And finally, with Usher Analytics, IT departments, network administrators, and campus security can have full insight into student movement and activity on campus. Every Usher action performed by students is logged and can be reviewed in real life or after the action, so security and administrative teams can know exactly what is happening on campus at all times. Security threats can be monitored, and security issues can be followed up-to-the-minute, so in the event of a real emergency, campus security officials know exactly where the problem is and can respond faster. This gives university officials peace of mind that security, both physical and logical, is being monitored and any issues can be solved faster than ever. Just the beginning of the mobile movement With Usher, university officials know they are offering students a valuable solution, and administrators know they have the best insight into campus activity at all times. With Usher, the university reduces costs dramatically, eliminating the need to print and manage student ID cards, distribute and manage physical keys for building access, and manage and reset usernames and passwords. Thus, Usher provided the comprehensive security solution this university needed. usher.com 61 | Chapter 9 USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE Federal government Overview The federal government operates across a wide variety of agencies and industries, all of which are vital to the operation of the country. In particular, the network of first responders ensures that emergency situations are attended to and resolved. Often, first responders arrive on a scene in complete chaos – and the larger the emergency, the more disorganization it is. First responders today have no way to quickly and easily identify one another, and responders from different units have no way to communicate while on the scene. These issues are why one of the largest global security and defense technology companies for the federal government turned to Usher for a solution for first responders in the field. A nationwide mobile network Creating a network for all first responders that allowed for identity verification and communication was the most important task for improving the emergency response network. In the world of technology today, using mobile devices is a necessity for connecting groups of first responders and allowing them to communicate easily. And for administrators, it is equally important to be able to quickly locate all responders on duty, dispatch those responders to emergencies, stay in contact with them, and create groups on the fly so they can quickly identify one another. Without these capabilities, responders aren’t able to react to and resolve emergencies. Envisioning a mobile solution Usher is the exclusive partner of the largest defense technology company in delivering a nationwide mobile network for the federal government to support all first responders. The federal government will provide Usher on smartphones and tablets with a secure mobile badge as well as a dedicated network. Usher is used to provide the following for first responders and administrators: • Biometric login for shared devices • Identity verification • Workforce management via communication channels such as push-to-talk, text, phone, and email • On-the-fly group creation • Analytics with live tracking capabilities for responders in the field With this mobile solution, first responders will be able to easily identify and communicate with one another, so response teams are able to focus fully on addressing emergency situations. Administrators will be able to better coordinate emergency response, and the emergency situations will be safer for everyone involved. usher.com 62 | Chapter 9 USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE International airport Overview Large international airports operate on the same size and scale of many major American cities, with daily operations across many different industries and professions. And for every airport, security is a top concern–ensuring that everyone coming and going, including both employees and passengers, is confirmed via identification documents such as a driver’s license, passport, or employee ID badge. Often, airports have additional facilities that require another identification check. Securing the airport facilities is an issue on the national and international level, which is why one of the largest international airports turned to Usher for a solution that would help ensure security within its facilities as well as to offer the most enjoyable and convenient experience to travelers. Security and customer rewards on a mobile device When one of the largest international airports turned to Usher to improve their security solution, they were looking for a mobile solution that would appeal to today’s generation of travelers and employees. For internal use, multiple systems, applications, and physical locations required employees to use various inconvenient and outdated methods of authentication. Additionally, the airport wanted to provide a way to identify and reward VIP customers (frequent travelers). Currently, there is only one solution in the marketplace that addresses both of these needs in one mobile app. Envisioning a mobile security solution With Usher, the international airport is able to offer employees a mobile security solution that consolidates multiple security systems into one mobile app that can be used around the facilities. They also envisioned being able to offer a mobile VIP card for frequent travelers, making the airport experience even more enjoyable. This airport has deployed Usher, including the following use cases: • Check-in/check-out system and reporting for 100 users across multiple business units (employees get paid for using the gym on a regular basis and are tracked accordingly) • Salesforce.com login • MicroStrategy Web login • Mac unlock via Bluetooth • Physical access for new administration facility • Airport ID for employees, partners, and vendors • Usher-driven VIP card for frequent airport travelers usher.com 63 | Chapter 1 USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE Just the beginning of the mobile movement As the mobile revolution continues to spread, all industries will continue to look for more innovative and secure ways to provide identity verification, physical access, and logical access that is combined in one application. Usher unlocks these possibilities for international airports, and allows airports to offer passengers unprecedented security and convenience, all at their fingertips. And for employees, consolidated access to web and mobile applications, physical locations and facilities, as well as a convenient identification method, brings in a new standard of security and convenience. Financial services institution Overview Financial services institutions deal with some of the highest risk transactions, managing billions of dollars in transactions, investments, and accounts. Every transaction that occurs requires the approval of the individual account holder, and the approval process relies on outdated methods of security and authentication, including passwords and security questions, that are easily guessed or found online. Additionally, employees handle and transfer large amounts of cash, which they pass on to other bank employees, requiring employees to be able to identify one another. This is why one of the largest financial services institutions turned to Usher for secure identity verification and multi-factor authentication for employee access to highly-secure bank and customer data. The need for a long-term security solution The sheer amount of money controlled by financial services institutions requires the highest-level of security. Additionally, when a customer reports fraud, the financial institution ends up footing the bill, costing the institution tens of millions of dollars every year. With so many security issues, financial services institutions are beginning to understand the need for a comprehensive security solution that provides identity verification, multi-factor authentication, system and application access, and security analytics. However, these institutions also understand that convenience is an important factor, and want a solution that will provide security without sacrificing convenience. usher.com 64 | Chapter 1 USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE Envisioning a mobile security solution With Usher, financial services institutions can replace outdated methods of authentication and identification, ensuring high-risk transactions are properly authorized. This financial services institution has deployed Usher, including the following use cases: • Workstation login • System and application access • Biometric verification for physical access • Analytics for monitoring access • Identity verification for bank employees Bank employees use Usher to log into their workstations and access bank and customer data in a way that is multi-factor and does not expose their credentials to key-logging viruses. Before they unlock a vault or log into highly secure systems, they can conveniently use Touch ID for biometric verification. Administrators are given access-monitoring tools, eliminating security threats caused by unauthorized access. If an administrator notices an off-duty employee trying to access a system containing valuable information or assets, the administrator can instantly revoke the employee’s access. Administrators can quickly grant and revoke security privileges remotely, eliminating the security risk of lost or stolen hardware (badges, keys, fobs, passwords). Individuals working for the bank can identify each other either in person or over the phone– eliminating the long list of security questions or relying on ID cards that can be counterfeited–by asking for their four-digit Usher code that changes every minute. The bank distributes this solution to all of their cash-in-transit teams for employee-to-employee validation. The safety, security, and location of cash-in-transit teams is of paramount importance, and banking security operations personnel are able to monitor the geographic location of these teams with the solution as well. Just the beginning of the mobile movement Financial services institutions understand the value of both security and customer convenience. As security continues to be a pressing issue for these institutions, they will look to solutions that can solve all their issues, while providing valuable services to customers. Investments will continue to grow in the security area, and mobile solutions will continue to dominate the list of necessities for all financial services institutions. usher.com 65 USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE | Chapter 1 Chapter 10: System requirements usher.com 66 | Chapter 1 USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE Up-to-date documentation links The user content (Documentation) teams cover system requirements as part of the MicroStrategy Product Help. Making sure the content is accurate and up-to-date for every release is one of the biggest challenges they have undertaken for the benefit of users. The content is readily available to customers. • System requirements for go.usher.com are part of the Usher Help, available at https://microstrategyhelp.atlassian.net/wiki/display/USHER/ • System requirements for an on-premises installation of Usher are part of the MicroStrategy Readme for each release • The MicroStrategy 10.1 Readme will be available after GA at https://microstrategyhelp.atlassian.net/wiki/display/README101, as well as on the MicroStrategy download site, and in the installer. Recommended production configuration The following distributed architecture is suggested for production, fault tolerant Usher instances to support high throughput. For best performance, it is necessary to provide multiple application servers. Software specifications and minimum hardware specifications are included in this document. NETWORK TOMCAT SERVERS MYSQL DB SERVERS www-1 www-2 F5 IDM IDM 1 F5 GW GW 2 Active directory Physical Access Control (PAC) Site agent Usher web service Master Replica In this diagram, there is a load balancing appliance (labeled “Network”), and the following servers: • Two (2) Tomcat Servers for hosting Usher security. Both nodes are online and have their load distributed by the load balancer • Three (3) MySQL DB servers – one master and two replicas for backup. The master is online and the replicas are offline, but can be brought online in case of failure on the master • One (1) server to host the Active Directory site agent • One (1) server to host the PAC web service if PACS is included in the enterprise deployment The MicroStrategy Analytics environment (for Usher Analytics and Usher Professional) is not installed on any of these servers and is assumed to be running in a production configuration on separate hardware. Please note that the MicroStrategy 9.5 and 10 installer for Linux does not support distributed installation at this time. Significantly more work is required to setup this architecture and involves many manual steps. A services contract with the Usher Solutions Group at MicroStrategy or through a certified partner is strongly recommended. usher.com 67 | Chapter 1 USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE Development and pilot configuration The following architectures are suggested for non-production instances that could be used for development and/or pilots. In this configuration, Usher security, Usher Analytics and Usher Professional are installed on the same server using the MicroStrategy 9.5 or 10 installer for Linux. The minimum specs for this server are four cores and 16GB RAM. TOMCAT SERVERS www-1 IDM GW MySQL DB Active directory Physical Access Control (PAC) Site agent Usher web service In this diagram, there are the following servers: • One (1) Server to host Tomcat and MySQL DB • One (1) server to host the site agent • One (1) server to host the PAC web service if PACS is included in the deployment. Usher Professional and Analytics Usher Professional and Usher Analytics add no further requirements than the installation of the MicroStrategy intelligence server, MicroStrategy Mobile, and MicroStrategy Web. They are merely an add-on option with little extra requirements impact. For production Usher implementations, it is recommended that the intelligence server be deployed according to MicroStrategy Analytics best practices and the metadata for Usher Professional and Usher Analytics be hosted according to the recommendations. For development and/or pilot installations, everything can run on a single server. usher.com 68 | Chapter 1 USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE Usher physical gateways For physical access systems, Usher leverages a special Usher REST based web service for communication with the physical access system. USHER SERVER CUSTOMER DEPLOYMENT iPAD MINI DOOR READER (optional) PACS WEB SERVICE PACS Usher component DOOR 3rd party component Network (WiFi) connection Physical (h/w) connection PANEL READER BLE/NFC connection Usher-on-premise installation/configuration steps are online in Tech Note TN240567. The Usher installer can be downloaded from the MicroStrategy download site at https://software.microstrategy.com. Usher evaluation edition license keys If you are evaluating Usher, the Usher Solutions Group will provide an evaluation key that is good for 30 days. The key can be extended at the MicroStrategy’s discretion of MicroStrategy for up to two (2) additional 30-day periods. Following the evaluation, all software must either be properly licensed or uninstalled. usher.com 69 USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE 1850 Towers Crescent Plaza | Tysons Corner, VA | 22182 | Copyright ©2015. All Rights Reserved. COLL-1430 0915 | Chapter 1 usher.com 70 microstrategy.com