Airlock Web Application Firewall & Customer IAM
Airlock Suite protects your e-banking and banking apps with the highest Swiss quality. It deals with the issues of filtering and authentication in one complete and coordinated solution – setting new standards for usability and services. Airlock is the established standard for eBanking – and that’s a fact. Our lengthy experience of working in the international financial sector means that you benefit from the best possible online security – reliable, efficient and process-optimised.
The Airlock Web Application Firewall offers a unique combination of protective mechanisms for web applications. Whether your objective is PCI DSS compliance, security for online banking or protection for eCommerce: Airlock WAF will upgrade security for your internet applications – a permanent solution with a host of well thought-out functionalities. Thanks to Airlock WAF, businesses can exploit the potential of the internet without jeopardizing the security and availability of their web applications and services. Each access is systematically monitored and filtered at every level. Used in conjunction with an authentication solution such as Airlock Login or IAM, Airlock WAF can force upstream user authentication and authorization. This allows a uniform, central single sign-on infrastructure. All important information is also made available via monitoring and reporting functions. Airlock WAF is the only web application security solution on the market that provides superlative end-to-end protection for complex web environments.
Secure Reverse Proxy
- TCP/IP and SSL termination; virtualization of applications; central policy enforcement point.
- Upstream authentication; upstream authorization; no anonymous interactions with applications possible.
- Multi-level filtering; ICAP content filtering; content rewriter (Raw, HTML); SOAP/XML, AMF and JSON filters; client fingerprinting.
- Protection of REST and SOAP webservices; built-in support for JSON; Dynamic Value Endorsement (DyVE); session management based on access tokens.
- URL encryption; smart form protection; cookie protection with central cookie store; Advanced Declarative Application Security (ADAPS).
Central Security Hub
- Malware scanners are integrated via ICAP; SIEM integration using Airlock Operations App for Splunk; HSM devices can be connected; co-browsing; secure web archiving.
High Availability and Performance
- Only authorized traffic on applications; load-balancing for applications; failover for applications.
Depending on the web application, the required security level, the network access and more, users have to be authenticated in a manner that is secure but still convenient, with minimal administration for both the client and the helpdesk. Airlock is able to use ANYTHING to authenticate users, assign credentials through self-services and let users migrate authentication methods themselves.
Scales easily with lots of users, flexibility, better price-performance ratio than traditional IAM solutions, easy onboarding with user self-services, bring your own identity (BYOI).
Wide Range of Integrated Authentication Methods
Password, mobile TAN (mTAN), mobile OTP, matrix card, email OTP, RSA SecurID, Kobil SecOVID, VASCO Digipass, client certificates (X.509, SuisseID, etc.), CrontoSign, Kobil AST, Swisscom Mobile ID (Mobile Signature Services), OATH tokens.
Single Sign-On (SSO) Standards
SAML 2.0 IDP and SP, OAuth 2.0, OpenID Connect, Kerberos, NTLM, HTTP cookies, HTTP headers, URL tickets, Basic Auth, on-behalf login.
Self-registration of accounts and tokens, migration of tokens, automatic password reset, kiosk and portal function for own user data.
In road traffic and virtual traffic alike, uniform standards define clear rules that are essential for safety and security. This is why Airlock Suite meets all the main international compliance standards – from PCI DSS and OWASP to MAS.
Our Solutions Help
- Payment Card Industry Data Security Standard (PCI DSS): Companies that process credit card transactions are obliged to comply with the credit card industry’s data protection guidelines. Large eCommerce companies should also have the security of their networks verified by an external body every three months. The most efficient way of meeting these requirements is to implement the upstream Airlock web application firewall (WAF). It ensures that protection is always fully up to date, with no need for constant changes to all your web applications or adaptations to counter new threats. Read our whitepaper about PCI DSS compliance.
- EBA Guidelines to strengthen requirements for the security of internet payments across the EU: The European Banking Authority issued guidelines to strengthen requirements for the security of internet payments across the EU. Concerned about the increase in fraud related to internet payments, the EBA decided that the implementation of a more secure framework for internet payments across the EU was needed. These Guidelines are based on the technical work carried out by the European Forum on the Security of Retail Payments (SecuRe Pay). With the Airlock Suite you get the needed central policy enforcement tool to fulfill the policy requirements.
- Monetary Authority of Singapore (MAS): The data protection guidelines of the Monetary Authority of Singapore (MAS) are highly important in the world of international finance. For this reason, Airlock WAF and IAM are entirely compliant with the MAS guidelines, and they protect sensitive data with the help of HSM and end-to-end encryption.
- OWASP Top Ten: The Open Web Application Security Project (OWASP) regularly draws up a list of the major international security challenges. The focus here is on tools and concepts for secure development, and on protecting web applications. The Airlock team constantly monitors this information and incorporates it into Airlock Suite by issuing software updates. Read more in our whitepaper about the OWASP Top 10.
- EICAR: The Airlock Suite is the first security vendor outside the antivirus industry to receive the EICAR certificate, proving that it has no backdoors. The EICAR Trustworthiness Strategy is to enhance transparency in the contemporary IT security environment, with its ever-evolving threats and vulnerabilities, and to enable trust in IT security products that help create a safer environment.
According to a study by the Service Desk Institute, over 80% of businesses are already using self-services – for example, to block accounts, reset forgotten passwords or register new customers. This comes as no surprise, because the benefits are crystal clear. Helpdesks are often full to capacity with simple repetitive tasks – especially if they have to deal with large numbers of users. That’s why user self-services will ease the pressure on your support staff, as well as slashing costs and cutting down user waiting times. Another advantage: Airlock can also handle central authentication solutions in environments with higher security requirements.
- Cost savings
- Higher flexibility in administration
- Greater convenience for users
- Higher availability of applications and helpdesk
- Supports the full lifecycle of a user account
Airlock IAM is usually deployed in combination with Airlock WAF, which functions as an upstream HTTP reverse proxy to ensure secure session management and ward off web attacks (filtering). As well as authenticating and authorizing users, Airlock IAM forwards identity information to the protected applications in suitable form – even across corporate boundaries.
- Strong authentication: All web application firewalls (WAFs) filter data traffic. But Airlock WAF does far more: when combined with Airlock Login or IAM, Airlock WAF provides a central policy enforcement point for authentication and authorization. We are convinced that upstream authentication is the most important security filter bar none. Why is two-factor authentication (2FA) so important? Because passwords are often stolen, forgotten or guessed. That’s why they should be backed up with a second factor. But deciding to do this separately in every application is a costly undertaking that would soon become technically outmoded, because the application landscape is constantly growing and changing. Nor should the architectural complexities of this approach be overlooked. With Airlock, the decision on a central solution only needs to be taken once: it doesn’t matter which applications (or how many) you decide to “hook up”, and these aspects have no impact on the cost.
- Risk-based Authentication: Today, strong authentication using two factors is best practice for business applications. However, this measure is often considered to be cumbersome in everyday work. This is where risk-based authentication (or adaptive authentication) comes in. Instead of strictly enforcing the second factor, Airlock IAM analyzes the context of a login attempt and compares it to previous sessions of the same user. Typically, attributes such as the originating network, geographical location or the browser used are considered. If Airlock IAM concludes that a login attempt occurs from the user’s internal workplace or from their home office, the second factor may be omitted.
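The decision described above, sketched as an added example; it is not Airlock IAM code or configuration. The scoring weights, the threshold, the internal network range and every name in it are assumptions made for illustration, and the sample sessions are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class LoginContext:
    source_ip: str   # originating network address
    country: str     # geolocation resolved by the caller
    browser: str     # normalized browser family


# Hypothetical policy values (assumptions, not product defaults).
INTERNAL_NETWORKS = [ip_network("10.20.0.0/16")]  # constructed workplace range
SKIP_SECOND_FACTOR_BELOW = 30

# Constructed previous sessions of one user: workplace and home office.
HISTORY = [
    LoginContext("10.20.4.17", "CH", "Firefox"),
    LoginContext("198.51.100.23", "CH", "Firefox"),
]


def risk_score(ctx, history):
    """Compare a login attempt with the same user's previous sessions."""
    ip = ip_address(ctx.source_ip)
    if any(ip in net for net in INTERNAL_NETWORKS):
        network_risk = 0            # internal workplace
    elif any(h.source_ip == ctx.source_ip for h in history):
        network_risk = 10           # address seen before, e.g. home office
    else:
        network_risk = 40           # never seen for this user
    geo_risk = 0 if any(h.country == ctx.country for h in history) else 40
    browser_risk = 0 if any(h.browser == ctx.browser for h in history) else 20
    return network_risk + geo_risk + browser_risk


def required_factors(ctx, history):
    """Return the factors to enforce for this login attempt."""
    # Without history there is nothing to compare against: fail closed.
    if not history:
        return ["password", "second_factor"]
    if risk_score(ctx, history) < SKIP_SECOND_FACTOR_BELOW:
        return ["password"]
    return ["password", "second_factor"]
```

A known address combined with an unfamiliar browser lands exactly on the threshold and still triggers the second factor, which is the conservative side to err on when tuning such a policy.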
The Airlock Pinpoint Add-on provides a quick and easy way for IBM® Security Trusteer® Pinpoint™ integration. In combination with on-board fraud detection features of the Airlock Suite, such as client fingerprinting, risk-based authentication or dynamic value endorsement (DyVE), this offers a holistic and centralized approach to fraud management. Your organization profits from more accurate fraud identification and prevention, all while helping to lower costs and improve end-user experience.
Current Status
Standard fraud solutions typically provide only a single layer of protection, take too long to deploy or are incapable of keeping up with the ever-changing threat landscape. Moreover, out-of-band solutions lack the ability to take proactive action and prevent loss due to ongoing fraudulent actions.
About IBM® Security Trusteer® Pinpoint™
IBM® Security Trusteer® Pinpoint™ Detect offers a fundamentally different approach that can help financial organizations detect fraud and can help significantly reduce false positives. The IBM approach to fraud detection is based on three core principles: visibility, a global threat intelligence network, and agility by design.
Airlock Suite and Trusteer Pinpoint – The Highlights
- Monitoring technical attributes such as the browser used, IP addresses, SSL session IDs, language or screen resolution for suspicious events
- Detect abnormal user behavior
- Dynamic whitelisting technology on Airlock WAF keeps users within desired workflows and enforces the use of legitimate user input for the current session
- Risk-based Authentication dynamically adapts authentication requirements to contextual information of the user session, e.g., the geolocation of the user, IP address ranges, time of access, or cookies
- Leverage out-of-the-box protection, backed by the IBM global threat intelligence network
- Man in the middle protection
- Man in the browser protection
- Collect technical ground truth for suspicious sessions for later analysis
- Proactively block fraudulent actions while they are ongoing.