Transcript of "Authentication Addressing a Changing IT Environment"
Source: ilta.personifycloud.com/webfiles/productfiles/913913/...

Page 1
© Copyright 2012 EMC Corporation. All rights reserved.

Authentication Addressing a Changing IT Environment

Seth Geftic, RSA, The Security Division of EMC

Page 2

Agenda

• Today’s challenges

• Technology overview

• Scenarios


Page 3

Strong Authentication

Supports business collaboration and productivity

By protecting sensitive information shared with internal and external users

Enabling access to information anytime and from any device

Driving achievement of business goals

Page 4

Challenges

Page 5

Before: Controlled Network Environment

[Diagram: Employees (Corporate Users) on Managed Devices reach Server Applications from Inside the Network or over the Network or VPN, including the Remote Managed Device. Labels: Controlled Access Points, Information on a Network]

Page 6

Today: Any User, Any Device, Anywhere

[Diagram: Employees, Contractors, Partners and Customers (External and Temporary Users) reach Server Applications and Cloud Applications from the Remote Managed Device and BYOD, from Inside the Network or over the Network VPN, through Virtual Desktop, Mobile Apps and Web Browser. Labels: Unmanaged Devices, Uncontrolled Access Points, Information in Public Cloud and Hosted Applications]

Page 7

Advancement of Threats

• (Spear) Phishing Attacks: collecting personally identifiable information and credentials for business and personal accounts

• Trojans (Zeus and others): infecting machines and mobile devices, silently collecting information as authorized users enter credentials

• Advanced Persistent Threats (APT): executing planned and precise attacks targeted at gaining network access for further exploitation

• Evolution of Attackers: the developing “community” of attackers includes organized crime, nation states and anti-establishment groups

Page 8

Today’s Challenge: Establishing Trusted Identities in a Constantly Changing, Expanding and Dispersed IT Environment

• Diverse User Population

• BYOD

• Cloud and Managed Service

• Advanced Threats

Page 9

Diverse User Populations Require Choice

• Choice of credentials to meet convenience requirements
  – External users and customers require convenient and easy-to-manage solutions

• Scalability and costs aligned with size of user population
  – Large user populations require lower cost per user
  – Scalability to address future authentication plans

• Single management platform
  – Ability to manage choice of credentials on a single platform to minimize IT resources and maximize efficiency

Internal Employees, Temporary Employees, Contractors, Partners, Clients, Customers, Auditors, Remote workers

Page 10

BYOD – Protect Access from Any Device

Use of the mobile device as the authenticator

Strong authentication natively integrated with 3rd party remote access applications

Authentication SDKs accessible on application development platforms for custom app development

Page 11

Cloud – Extend Authentication Controls

Secure authentication and identity validation to cloud-based resources

Seamless federation of authentication credentials to cloud applications

Integrated approach to authentication and cloud-based identity management

Hosted and managed strong authentication services

[Diagram labels: TO THE CLOUD, FROM THE CLOUD]

Page 12

Threats – Layer Authentication Controls

RISK-BASED ANALYSIS

• Evaluate risk of activity based on device and user characteristics

• Compare risk to accepted policy controls

CREDENTIAL MATCHED TO RISK

• Require user credential appropriate to risk level

• Allow different credentials for different use cases and users

MONITORING AND REPORTING

• Monitor risk levels and adjust policies

• Report activities for compliance audits

Page 13

Technologies

Page 14

Two-factor Authentication: the act of identifying an individual by using any combination of something they know, something they have or something they are.

One-time Password (OTP)

OTP = PIN + Tokencode
PIN: something the user knows
Tokencode: something the user has
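As an added example that is not from the deck, the OTP = PIN + Tokencode composition as a server-side check: a time-based tokencode (HMAC-SHA1 over the time step, RFC 6238 style) stands in for the "something they have", the PIN for the "something they know", and the verifier tolerates clock drift but rejects a tokencode that has already been accepted. The seed, PIN, salt and timestamps are constructed values.

```python
# Added example (not from the RSA deck): a two-factor check built as
# OTP = PIN + Tokencode, using a time-based tokencode (RFC 6238-style HMAC-SHA1).
# The seed, PIN, salt and timestamps used with it are constructed sample values.
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # the tokencode rolls over every 30 s
DIGITS = 6          # length of the tokencode
SKEW_STEPS = 1      # tolerate one time step of clock drift either way

def tokencode(seed: bytes, t: int) -> str:
    """Something the user HAS: derived from the token's seed and the current time step."""
    counter = t // STEP_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

class OtpVerifier:
    """Server-side record for one user: PIN hash, token seed and replay state."""

    def __init__(self, pin: str, seed: bytes, salt: bytes = b"constructed-salt"):
        self.salt = salt
        self.pin_hash = hashlib.sha256(salt + pin.encode()).digest()
        self.seed = seed
        self.last_counter = -1  # highest time step already accepted (replay guard)

    def verify(self, otp: str, now: int) -> tuple:
        pin, code = otp[:-DIGITS], otp[-DIGITS:]
        # Something the user KNOWS: constant-time compare against the stored hash.
        candidate = hashlib.sha256(self.salt + pin.encode()).digest()
        if not hmac.compare_digest(candidate, self.pin_hash):
            return False, "bad PIN"
        current = now // STEP_SECONDS
        for counter in range(current - SKEW_STEPS, current + SKEW_STEPS + 1):
            if hmac.compare_digest(tokencode(self.seed, counter * STEP_SECONDS), code):
                if counter <= self.last_counter:
                    return False, "replay"  # the same tokencode was already used
                self.last_counter = counter
                return True, "PASS"
        return False, "bad tokencode"
```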

Page 15

Risk-Based Authentication

[Diagram: a Web Browser request is evaluated by the Risk Engine using the Device Profile and the User Behavior Profile. PASS: access to the Protected Resources (SSL VPN, OWA, SharePoint, Web Portals). RISKY: Identity Challenge (Step-up Authentication), after which PASS grants access and failure ends in Access Denied. FAIL: Access Denied. The Authentication Policy draws on Assurance Level, Activity Details and Fraud Network.]
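As an added example that is not part of the deck, the risk-engine flow from the slide in code (it also covers the layered controls of page 12): device-profile and user-behavior signals are scored, the score is compared with the assurance level the policy sets for the resource, and the outcome is PASS, RISKY (routed to the step-up identity challenge) or FAIL; the returned record is the activity detail a SIEM or compliance report would consume. Signal weights, thresholds, resource names and the user profile are constructed values, not RSA's.

```python
# Added example (not from the RSA deck): a minimal risk engine following the slide's
# flow: score device-profile and user-behavior signals, compare with the assurance
# level policy sets for the resource, resolve to PASS / RISKY (step-up) / FAIL.
# Signal weights, thresholds, resource names and profiles are constructed values.
from dataclasses import dataclass

@dataclass
class UserProfile:
    known_devices: set      # device fingerprints seen on earlier successful logins
    usual_countries: set    # where the user normally logs in from
    usual_hours: range      # local hours of the user's normal activity

@dataclass
class Attempt:
    user: str
    device_id: str
    country: str
    hour: int
    on_fraud_network: bool  # source address flagged by a shared fraud-intelligence feed

WEIGHTS = {"new_device": 30, "new_country": 25, "odd_hour": 10, "fraud_network": 60}
# Assurance level per protected resource: (pass if score below, fail if at or above).
POLICY = {"SharePoint": (20, 70), "OWA": (20, 60), "SSL VPN": (10, 50)}

def score(attempt, profile):
    """Device profile + user behavior profile -> risk score and the signals behind it."""
    checks = {"new_device": attempt.device_id not in profile.known_devices,
              "new_country": attempt.country not in profile.usual_countries,
              "odd_hour": attempt.hour not in profile.usual_hours,
              "fraud_network": attempt.on_fraud_network}
    reasons = [name for name, hit in checks.items() if hit]
    return sum(WEIGHTS[r] for r in reasons), reasons

def decide(attempt, profile, resource):
    """Compare the score with policy; the record is the activity detail sent to the SIEM."""
    total, reasons = score(attempt, profile)
    pass_below, fail_at = POLICY[resource]
    outcome = "PASS" if total < pass_below else "FAIL" if total >= fail_at else "RISKY"
    return {"user": attempt.user, "resource": resource, "score": total,
            "signals": reasons, "outcome": outcome}

def step_up(record, attempt, profile, challenge_ok):
    """Resolve a RISKY outcome through the identity challenge."""
    if record["outcome"] != "RISKY":
        return record["outcome"]
    if challenge_ok:
        profile.known_devices.add(attempt.device_id)  # enroll device: less friction next time
    return "PASS" if challenge_ok else "FAIL"
```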

Page 16

Digital Certificates (PKI)

[Diagram components: User, Certificate Authority, Key Recovery Module, Validation Manager]

Page 17

Dynamic Knowledge-Based Authentication

A method to authenticate an individual by asking top-of-mind questions developed on the fly, in real time, from publicly and commercially available data sources.

Page 18

Technologies Address Challenges

Knowledge-based Authentication
  Diverse User Population: Nothing to deploy; prior contact not required
  BYOD: Support for mobile devices
  Cloud and Managed Services: Hosted solutions available
  Advanced Threats: Protect account enrollment; secure high-risk transactions

One-time Passwords
  Diverse User Population: Choice of authenticators
  BYOD: Authenticators for mobile devices; OTP embedded in mobile apps
  Cloud and Managed Services: Integration with Federation tech.; MSSP partnerships
  Advanced Threats: Time-based OTP; layered with risk-based*

Risk-based Authentication
  Diverse User Population: Nothing for users to manage
  BYOD: Support access from all devices
  Cloud and Managed Services: Hosted solutions available
  Advanced Threats: Security policies aligned to threats

Digital Certificates
  Diverse User Population: Available on USB, desktop, smart card
  BYOD: Support for device authentication
  Cloud and Managed Services: Hosted services available
  Advanced Threats: Component of a layered strategy

* Coming in 2013

Page 19

Scenarios

Page 20

Core Platforms

Target Market: Large companies
Use Case: Protection of any application, portal or network infrastructure
Technology: One-time Passwords; Risk-based Authentication (2013)

Target Market: Small and mid-size organizations
Use Case: Protection of SSL VPNs and web applications
Technology: Risk-based Authentication

Target Market: Large Consumer Applications
Use Case: Protection of web applications
Technology: Risk-based Authentication

Platform labels on the slide: Traditional OTP, Risk Based; Non-traditional and Risk Based OTP

Page 21

Solution Platforms

Target Market: Large Organizations
Use Case: Authentication of machines and devices to networks
Technology: Public Key Infrastructure (Digital Certificates)

Target Market: Organizations in B-C markets
Use Case: Validation of consumer identities in high risk scenarios: Account Enrollment and Customer Support Calls
Technology: Dynamic Knowledge-based Authentication

Page 22 (EMC CONFIDENTIAL)

Advanced: Situation Aware Authentication

[Architecture diagram labels: Authentication Brokering; Identity Correlation & Analytics; Policy Evaluation; Out-of-Band; Adaptive Risk Engine; SIEM/SOC Notifications; Authentication Policy Enforcement; Adaptive Access Control; Plug in. Credential types: Knowledge Challenge, OTP, Cert/PW, Biometric, Other. External Sources: eFN/CCI, Other. Session Awareness: Inside Network, Remote Access, Cloud & Mobile Access, Enterprise Systems, Physical Access, Travel, Mobile, Composite, Netwitness Live]

Page 23

Final Thoughts

Page 24

Authentication is not a silver bullet. It is only one part of a layered defense strategy.
