Strong authentication - nGage: identity, access & security

© NetIQ - All Rights Reserved

Strong authentication

Agenda

● Strong authentication
● Demo

Questions about Identification / Authentication

• What is authentication?
  Identity verification: are you who you say you are?
• What is authentication from a business perspective?
  Managing the risk and potential damage that he is not who he claims to be.
• What is the authentication method most used?
  Passwords
• What is the main cause of cybercrime?
  Password abuse

Jeremy Grant, Senior Executive Advisor, Identity management, NIST (National Institute of Standards and Technology, US)

Some questions about Compliance

• What is compliance?
  Prove that you comply with rules and regulations
• How do you prove compliance?
  Audit trails of actions of employees based on identification/authentication
• What is the authentication method used in most cases?
  Passwords
• Better authentication is a major asset in adhering to compliance requirements.

Some questions about your organisation

• Is information security important for you?
  No doubt about that
• Is compliance important for your organisation?
  Probably, and could severely damage careers.
• What is the best authentication method?
  Sorry, there is none
• So what to do?
  Look for a Universal Authentication Solution

Some questions about your organisation

• What data needs good security?
  Personal, Financial, Intellectual rights etc.
• How to identify information?
  Data classification.
• What data storage is involved?
  Dedicated application, Data storage (Filr?), Mail?
• So what to do?
  Look for a Universal Authentication Solution

Authentication

Who is allowed to do what? / Who did what?

Who: Authentication factors
• Knowledge (‘know’)
• Possession (‘have’)
• Biometrics (‘are’)
Strong authentication: 2+ factors

What: Authorization
• Roles & responsibilities
• Segregation of duties
• ‘Four eyes’ principle
• Physical/Logical access
• Usage of services
• Payments
• …

Justifications for strong authentication
• Compliance
• Information security
• User convenience/efficiency
• IT-costs reduction

‘Identification/Authentication is NOT about technology,…

It’s about the RISK YOU ARE PREPARED TO TAKE that the person is not who he claims to be….’

Menno Stijl, CTO-Authasas, 2014

Password issues

Biggest incidents with passwords

● IRS: using apparently stolen credentials and knowledge-based authentication information
● VTech, which reportedly used poor password security
● Ashley Madison: ensnares 37 million cheaters, could lead to a blackmail and espionage effort
● DoD – Defense Manpower Data Center (DMDC)
● LastPass
● Kaspersky

How do they do it?

● Key loggers
● Password in wallets/browsers
● Written passwords
● Looking
● Hacking
● Phishing (on- & offline)
● Social engineering

Authentication today

Methods (examples)
● Hardware tokens (OTP, USB)
● Smartphones (OOB, OATH)
● Phones (voice, SMS)
● Access cards (RFID, MIFARE, NFC)
● Smart/PKI-cards
● Biometrics
● 2/3 factor (combinations)
● Social login
● Federated authentication
● Passwords/PIN-codes/Q&A
● FIDO U2F and more

Events (examples)
● Remote access (RADIUS, EAP, ..)
● Access to workstations/user devices
● Access to networks/to servers
● Access to applications: generic applications, Single Sign-on, business applications
● Access to cloud services/applications: Federation (SAML, OpenID, OAuth), Pre-Federation (federation emulation)
● Business authentication: execution of transactions, signing of transactions, business data (storage)
● and more

Solution

● Let board create security policy, govern and enforce
● Create awareness
● Technical solutions

NetIQ Access Manager

● Access Management Layer
● Central point of access
● Transparent to end users
● Enforces authentication and authorization
● Web based Single Sign On
● Uses current infrastructure (ID Store)
● Scalable and customizable

Authentication today

Create Authentication methods

Advanced Authentication Framework

Strong authentication design

● Level 1: No authentication. Would be considered annoying
● Level 2: Simple Authentication (e.g. name/password). The lack of strong authentication is not considered to be a risk. Identification adds positive contribution to user experience (personal pages)
● Level > 3: Strong authentication: Confidential, Financial, Personal data
● Step up authentication
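
The level scheme and step-up rule on this slide, combined with the earlier "Strong authentication: 2+ factors" rule, as an added Python example (not taken from the presentation or from any NetIQ product). The method names, the resource table and the mapping of the strong-authentication level to the number 3 are assumptions made for illustration.

```python
# Added illustration: assurance levels and step-up, following the slide's
# Level 1 / Level 2 / strong-authentication scheme. All names are hypothetical.

# Each method belongs to exactly one factor category (know / have / are).
METHOD_FACTOR = {
    "password": "know", "pin": "know", "security_question": "know",
    "otp_token": "have", "smartcard": "have", "proximity_card": "have",
    "fingerprint": "are",
}

# Constructed sample classification: minimum level each resource requires.
RESOURCE_LEVEL = {
    "public_site": 1,     # no authentication
    "personal_page": 2,   # simple authentication
    "payroll": 3,         # confidential / financial / personal data
}


def assurance_level(verified_methods):
    """Level reached by a session, counting distinct factor categories.

    Two methods from the same category (password + PIN) are still one
    factor, so they do not reach the strong-authentication level.
    An unknown method name raises KeyError, which fails closed.
    """
    factors = {METHOD_FACTOR[m] for m in verified_methods}
    if len(factors) >= 2:
        return 3
    return 2 if factors else 1


def step_up(verified_methods, resource):
    """Return (allowed, factor categories that would raise the level).

    Resources missing from the table are treated as requiring
    strong authentication.
    """
    required = RESOURCE_LEVEL.get(resource, 3)
    if assurance_level(verified_methods) >= required:
        return True, set()
    used = {METHOD_FACTOR[m] for m in verified_methods}
    # Only a category the session has not used yet adds a new factor.
    return False, set(METHOD_FACTOR.values()) - used
```

A session that has presented only a password and a PIN is asked for a "have" or "are" method before reaching `payroll`, because both methods it used are knowledge factors.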

Strong authentication design

Single Sign On

● Quick win
● Risks should be known.
● Needs policy
● Only after strong authentication

Registered Identity

● Something you know
● Something you have
● Something you are

Factor 1: Something you know = Name / Password / PIN

● Universal password
● Password policy (and the nice add-ons: PWD)

Even better: Multiple factor

Second factor: Something you have

● Returns One Time Password (OTP) or OAB
● Unique device
● Unique relation between user & device

Second factor: Something you have

● Kerberos
● Certificates
● Smart Cards
● Proximity Cards

Third factor: Something you are

● Extra hardware
● No go for non managed devices
● Popular for B2C & G2C

Do not forget the desktop

● Random passwords
● Cached logon
● Tap&Go
● 1:N
● PIN caching
● Actions of tapping a card
● NetIQ SSPR

User enrollment

● Must be easy
● Must be secure
● Must have validation

● Different methods handled by the framework
● Step up authentication
● User enrollment

Copyright © 2015 NetIQ Corporation. All rights reserved.
