Strong authentication. NetIQ - All Rights Reserved

Transcription

1 Strong authentication NetIQ - All Rights Reserved

2 Agenda Strong authentication Demo 2

3 Questions about Identification / Authentication What is authentication? Identity verification, are you who you say you are What is authentication from a business perpective? Managing the risk and potential damage that he is not who he claims to be.. What is the authentication method most used? Passwords What is the main cause of cybercrime? Jeremy Grant, Senior Executive Password abuse Advisor, Identity management, NIST (National Institute of Standards and Technology, US) 3

4 Some questions about Compliance What is compliance? Prove that you comply with rules and regulations How do you prove compliance? Audit trails of actions of employees based on identification/authentication What is the authentication method used in most cases? Passwords Better Authentication is a major asset to adhere to compliancy requirements. 4

5 Some questions about your organisation Is information security important for you? No doubt about that Is compliance important for your organisation? Probably, and could severely damage careers. What is the best authentication method? Sorry, there is none So what to do? Look for a Universal Authentication Solution 5

6 Some questions about your organisation What data needs good security? Personal, Financial, Intellectual rights etc How to identify information? Data classification. What data storage is involved? Dedicated application, Data storage (filr?) Mail? So what to do? Look for a Universal Authentication Solution 6

7 Authentication Who is allowed to do what? / Who did what? Who: Authentication factors Knowledge ( know ) Possession ( have ) Biometrics ( are ) Strong authentication: 2+ factors What: Authorization Roles & responsibilities Segregation of duties Four eyes principle Physical/Logical access Usage of services Payments Justifications for strong authentication Compliance Information security User convenience/efficiency IT-costs reduction 7 7

8 Identification/Authentication is NOT about technology, It s about the RISK YOU ARE PREPARED TO TAKE that the person is not who he claims to be. Menno Stijl, CTO-Authasas,

9 Password issues

10 Biggest incidents with passwords IRS Using apparently stolen credentials and knowledge-based authentication information VTech which reportedly used poor password security Ashley Madison ensnares 37 million cheaters could lead to a blackmail and espionage effort DoD Defense Manpower Data Center (DMDC) LastPass Kaspersky

11 How do they do it? Key loggers Password in wallets/browsers Written passwords Looking Hacking Phishing (on- & offline) Social engineering

12 Authentication Authentication today today Methods (examples) Events (examples) Hardware tokens (OTP, USB) Remote access (Radius, EAP,..) Smartphones (OOB, OATH) Access to workstations/user devices, Phones (voice, sms) Access to networks/to servers Access to Applications: Access cards (RFID, mifare, NFC) generic applications, Smart/PKI-cards Single Sign-on, Biometrics 2/3 factor (combinations) Social login Federated authentication Passwords/PIN-codes/Q&A FIDO U2F and more business applications Access to Cloud services/applications: Federation (SAML, OpenID, oauth) Pre-Federation (federation emulation) Business Authentication execution of transactions signing of transactions business data (storage) and more 12

13 Solution Let board create security policy, govern and enforce Create awareness Technical solutions

14 NetIQ Access Manager Access Management Layer Central point of access Transparent to end users Enforces authentication and authorization Web based Single Sign On Uses current infrastructure (ID Store) Scalable and customizable

15 Authentication Create Authentication methodstoday Methods (examples) Events (examples) Hardware tokens (OTP, USB) Remote access (Radius, EAP,..) Smartphones (OOB, OATH) Access to workstations/user devices, Access to networks/to servers Phones (voice, sms) Access cards (RFID, mifare, NFC) Smart/PKI-cards Biometrics 2/3 factor (combinations) Social login Federated authentication Passwords/PIN-codes/Q&A FIDO U2F and more Advanced Authentication Framework Access to Applications: generic applications, Single Sign-on, business applications Access to Cloud services/applications: Federation (SAML, OpenID, oauth) Pre-Federation (federation emulation) Business Authentication execution of transactions signing of transactions business data (storage) and more 15

16 Strong authentication design Level 1: No authentication. Would be considered annoying Level 2: Simple Authentication (e.g. name pasword). The lack of strong authentication is not considered to be a risk. Identification adds positive contribution to user experience (personal pages) Level > 3: Strong authentication: Confidential, Financial Personal data Step up authentication

17 Strong authentication design Single Sign On Quick win Risks should be known. Needs policy Only after strong authentication Registered Identity

18 Even better : Multiple factor Something you know Something you have Something you are Factor 1: Something you know = Name / Password /PIN Universal password Password policy (And the nice add on's : PWD)

19 Second factor : Someting you have Returns One Time Password (OTP) or OAB Unique device Unique relation between user & device

20 Second factor : Someting you have Kerberos Certificates Smart Cards Proximity Cards

21 Third factor : Someting you are Extra hardware No go for non managed devices Popular for B2C & G2C

22 Do not forget the desktop Random passwords Cached logon Tap&Go 1:N PIN caching Actions of tapping a card NetIQ SSPR

23 User enrollment Must be easy Must be secure Must have validation

24 Different methods handles by the framework Step up authentication User enrollment

25 NetIQ - All Rights Reserved

26 NetIQ - All Rights Reserved

27 This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. NetIQ Corporation may make improvements in or changes to the software described in this document at any time. Copyright 2015 NetIQ Corporation. All rights reserved. ActiveAudit, ActiveView, Aegis, AppManager, Change Administrator, Change Guardian, Compliance Suite, the cube logo design, Directory and Resource Administrator, Directory Security Administrator, Domain Migration Administrator, Exchange Administrator, File Security Administrator, Group Policy Administrator, Group Policy Guardian, Group Policy Suite, IntelliPolicy, Knowledge Scripts, NetConnect, NetIQ, the NetIQ logo, PSAudit, PSDetect, PSPasswordManager, PSSecure, Secure Configuration Manager, Security Administration Suite, Security Manager, Server Consolidator, VigilEnt, and Vivinet are trademarks or registered trademarks of NetIQ Corporation or its subsidiaries in the United States.