Authentication Addressing a Changing IT...
Transcript of Authentication Addressing a Changing IT...
1 © Copyright 2012 EMC Corporation. All rights reserved.
Authentication Addressing a Changing IT Environment
Seth Geftic RSA, The Security Division of EMC
Agenda
• Today’s challenges
• Technology overview
• Scenarios
Strong Authentication
Supports business collaboration and productivity:
• By protecting sensitive information shared with internal and external users
• By enabling access to information anytime and from any device
• By driving achievement of business goals
Challenges
Before: Controlled Network Environment
Diagram: server applications inside the network, reached by employees from managed devices either directly or remotely over the network or VPN.
• Corporate users
• Managed devices
• Controlled access points
• Information on a network
Today: Any User, Any Device, Anywhere
Diagram: server applications and cloud applications, reached from inside the network, over the network or VPN, from remote managed devices and BYOD, through virtual desktops, mobile apps and web browsers. Users: employees, contractors, partners, customers.
• External and temporary users
• Unmanaged devices
• Uncontrolled access points
• Information in public cloud and hosted applications
Advancement of Threats
(Spear) Phishing Attacks
• Collecting personally identifiable information and credentials for business and personal accounts
Trojans (Zeus and Others)
• Infecting machines and mobile devices, silently collecting information as authorized users enter credentials
Advanced Persistent Threats (APT)
• Executing planned and precise attacks targeted at gaining network access for further exploitation
Evolution of Attackers
• A developing “community” of attackers that includes organized crime, nation states and anti-establishment groups
Today’s Challenge: Establishing Trusted Identities in a Constantly Changing, Expanding and Dispersed IT Environment
• Diverse user population
• BYOD
• Cloud and managed service
• Advanced threats
Diverse User Populations Require Choice
Choice of credentials to meet convenience requirements
– External users and customers require convenient and easy-to-manage solutions
Scalability and costs aligned with size of user population
– Large user populations require lower cost per user
– Scalability to address future authentication plans
Single management platform
– Ability to manage a choice of credentials on a single platform to minimize IT resources and maximize efficiency
User populations: Internal Employees, Temporary Employees, Contractors, Partners, Clients, Customers, Auditors, Remote workers
BYOD – Protect Access from Any Device
Use of the mobile device as the authenticator
Strong authentication natively integrated with 3rd party remote access applications
Authentication SDKs accessible on application development platforms for custom app development
Cloud – Extend Authentication Controls
Secure authentication and identity validation to cloud-based resources
Seamless federation of authentication credentials to cloud applications
Integrated approach to authentication and cloud-based identity management
Hosted and managed strong authentication services
Diagram labels: TO THE CLOUD; FROM THE CLOUD
Threats – Layer Authentication Controls
RISK-BASED ANALYSIS
• Evaluate risk of activity based on device and user characteristics
• Compare risk to accepted policy controls
CREDENTIAL MATCHED TO RISK
• Require user credential appropriate to risk level
• Allow different credentials for different use cases and users
MONITORING AND REPORTING
• Monitor risk levels and adjust policies
• Report activities for compliance audits
Technologies
Two-factor Authentication: The act of identifying an individual by using any combination of something they know, something they have or something they are.
One-time Password (OTP)
OTP = PIN + Tokencode
PIN: Something the user knows
Tokencode: Something the user has
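As an added example (not code from the slides), a server-side check of the OTP = PIN + Tokencode scheme with a time-based tokencode, implemented as RFC 6238 TOTP over RFC 4226 HOTP; the shared secret, PIN and time-step window are constructed demo values.

```python
import hmac
import hashlib
import struct
import time

# Constructed demo secret (shared by token and server) and PIN; real
# deployments provision these per user and never hard-code them.
DEMO_SECRET = b"12345678901234567890"
DEMO_PIN = "4711"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def verify_otp(submitted: str, pin: str, secret: bytes, now: int,
               window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Check a passcode of the form PIN + tokencode.

    The PIN (something the user knows) is compared in constant time; the
    tokencode (something the user has) is accepted for the current time
    step or up to `window` steps either side to absorb clock drift. Either
    factor failing yields one generic False, so the response does not
    reveal which factor was wrong.
    """
    if len(submitted) != len(pin) + digits or not submitted.isdigit():
        return False
    pin_part, code_part = submitted[:len(pin)], submitted[len(pin):]
    pin_ok = hmac.compare_digest(pin_part, pin)
    code_ok = False
    for drift in range(-window, window + 1):
        candidate = totp(secret, now + drift * step, step, digits)
        # Evaluate every candidate (no early return) to keep timing uniform.
        code_ok |= hmac.compare_digest(candidate, code_part)
    return pin_ok and code_ok


if __name__ == "__main__":
    now = int(time.time())
    passcode = DEMO_PIN + totp(DEMO_SECRET, now)
    print("passcode", passcode, "valid:", verify_otp(passcode, DEMO_PIN, DEMO_SECRET, now))
```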
Risk-Based Authentication
Diagram: a user's web browser requests a protected resource (SSL VPN, OWA, SharePoint, web portals). The Risk Engine evaluates the request against the Device Profile, the User Behavior Profile, Activity Details and a Fraud Network feed, applying the Authentication Policy and the required Assurance Level. Outcomes: PASS grants access; RISKY triggers an Identity Challenge (step-up authentication), after which PASS grants access and FAIL results in Access Denied.
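An added example, not part of the deck, covering the layered controls (risk-based analysis, credential matched to risk) and the flow above: a toy risk engine scores an activity from device and user-behavior characteristics, then maps the score through an authentication policy to PASS, RISKY (with the step-up credential required) or FAIL. The field names, weights and thresholds are assumptions, not vendor values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class UserBehaviorProfile:
    known_devices: frozenset        # device ids seen before for this user
    usual_countries: frozenset
    usual_hours: range              # local hours the user normally logs in

@dataclass(frozen=True)
class Activity:
    user: str
    device_id: str                  # device profile: identifier ...
    fingerprint_matches: bool       # ... and whether its fingerprint matches
    country: str
    hour: int
    fraud_network_hit: bool         # device or IP seen in shared fraud intel
    failed_logins_last_hour: int

# Constructed policy: minimum score -> outcome and the credential required.
# Thresholds and weights below are illustrative, not vendor values.
POLICY = [(0, "PASS", "password"),
          (40, "RISKY", "otp"),
          (70, "RISKY", "identity_challenge"),
          (90, "FAIL", None)]

def score_risk(a: Activity, profile: UserBehaviorProfile) -> int:
    """Additive risk score from device and user characteristics, capped at 100."""
    score = 0
    if a.device_id not in profile.known_devices:
        score += 30                      # unknown device
    elif not a.fingerprint_matches:
        score += 20                      # known device, changed fingerprint
    if a.country not in profile.usual_countries:
        score += 25                      # unusual location
    if a.hour not in profile.usual_hours:
        score += 10                      # unusual time of day
    if a.fraud_network_hit:
        score += 60                      # shared fraud intelligence match
    score += min(a.failed_logins_last_hour, 5) * 5   # brute-force signal
    return min(score, 100)

def decide(score: int, policy=POLICY) -> tuple:
    """Return (outcome, required credential) of the highest rule the score meets."""
    matched = [rule for rule in policy if score >= rule[0]]
    return matched[-1][1], matched[-1][2]

def evaluate(a: Activity, profile: UserBehaviorProfile) -> tuple:
    return decide(score_risk(a, profile))
```

A RISKY outcome is where the step-up credential (OTP or identity challenge) is demanded before access; FAIL maps to Access Denied without a challenge.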
Digital Certificates (PKI)
Diagram components: User, Certificate Authority, Key Recovery Module, Validation Manager
Dynamic Knowledge-Based Authentication
A method to authenticate an individual by asking top-of-mind questions developed on the fly, based on publicly and commercially available data sources, in real time.
Technologies Address Challenges
Challenges (table columns): Diverse User Population; BYOD; Cloud and Managed Services; Advanced Threats
One-time Passwords
• Diverse user population: Choice of authenticators
• BYOD: Authenticators for mobile devices; OTP embedded in mobile apps
• Cloud and managed services: Integration with federation tech.; MSSP partnerships
• Advanced threats: Time-based OTP; Layered with risk-based*
Risk-based Authentication
• Diverse user population: Nothing for users to manage
• BYOD: Support access from all devices
• Cloud and managed services: Hosted solutions available
• Advanced threats: Security policies aligned to threats
Digital Certificates
• Diverse user population: Available on USB, desktop, smart card
• BYOD: Support for device authentication
• Cloud and managed services: Hosted services available
• Advanced threats: Component of a layered strategy
Knowledge-based Authentication
• Diverse user population: Nothing to deploy; Prior contact not required
• BYOD: Support for mobile devices
• Cloud and managed services: Hosted solutions available
• Advanced threats: Protect account enrollment; Secure high-risk transactions
* Coming in 2013
Scenarios
Core Platforms
Table columns: Target Market; Use Case; Technology
• Use case: Protection of any application, portal or network infrastructure. Technology: One-time Passwords; Risk-based Authentication (2013)
• Use case: Protection of SSL VPNs and web applications. Technology: Risk-based Authentication
• Use case: Protection of web applications. Technology: Risk-based Authentication
Target markets: Large companies; Small and mid-size organizations; Large Consumer Applications
Diagram labels: Non-traditional and Risk Based OTP; Traditional OTP; Risk Based
Solution Platforms
Table columns: Target Market; Use Case; Technology
• Use case: Validation of consumer identities in high-risk scenarios (Account Enrollment and Customer Support Calls). Technology: Dynamic Knowledge-based Authentication
• Use case: Authentication of machines and devices to networks. Technology: Public Key Infrastructure
Target markets: Large Organizations; Organizations in B-C markets
Diagram labels: Digital Certificates; Knowledge-based Authentication
26 EMC CONFIDENTIAL
Advanced: Situation Aware Authentication
Diagram components: Adaptive Access Control plug-in in front of Enterprise Systems; Authentication Brokering across Knowledge Challenge, OTP, Cert/PW, Biometric and Other credentials (Out-of-Band, Adaptive); Identity Correlation & Analytics; Policy Evaluation; Risk Engine; Authentication Policy Enforcement; SIEM/SOC Notifications; External Sources (eFN/CCI, Other); Session Awareness across Inside Network, Remote Access, Cloud & Mobile Access and Physical Access; context feeds: Travel, Mobile, Composite, Netwitness Live.
Final Thoughts
Authentication is not a silver bullet. It is only one part of a layered defense strategy.