Authentication Solutions Buyer's Guide

Transcription

1 WHITE PAPER: AUTHENTICATION SOLUTIONS BUYER'S GUIDE Authentication Solutions Buyer's Guide Who should read this paper Individuals who would like more details regarding strong authentication methods available today to secure access to corporate networks and enterprise or customer applications. Learn how your environment will dictate which method is right for you.

2

3 Content Executive Summary Why You Need Strong Authentication Assessing Options for Authentication Risk-based Authentication One-time Password Authentication How to Choose the Right Kind of Strong Authentication Strong Authentication with Digital Certificates Symantec Strong Authentication Solutions Symantec Validation and ID Protection (VIP) Service Symantec Managed PKI Service Make the Move to Strong Authentication

4 Executive Summary Authentication is the most visible security control for applications used by enterprises and their customers. It controls access and plays a crucial role for enforcing security policy. Frequently, authentication requires just a simple user ID and password, which makes it a weak, exploitable target for criminals. Your challenge is to use a stronger, cost-effective authentication solution that is easy to use. A range of strong authentication technology from Symantec helps you overcome the vulnerabilities associated with simple passwords by augmenting them with additional authentication factors such as user device identifiers, risk-based challenges, one-time passwords, or digital certificates. This approach raises the bar for would-be attackers because even if they steal a user s name and simple password, it s still not enough to get in. Choosing the best solution depends on your IT environment, your particular application or mix of applications, related business requirements that may require stronger security, and cost or usability considerations. Symantec solutions provide scalable, manageable, and cost-effective strong authentication for meeting requirements to protect your enterprise applications. Why You Need Strong Authentication Capture the benefits of strong authentication Simple passwords are not enough protection Stronger access security uses multifactor authentication such as risk-triggered challenges, one-time passwords, or digital certificates Symantec s strong authentication portfolio lets you mix and match the right solution for your requirements Reliance on simple, easy-to-guess passwords is inadequate for securing your critical applications and data. For example, of 400,000 accounts compromised in a recent attack on a large Internet portal, the most common passwords were the actual word password and the numeric string Hackers exploit weak passwords with automated attacks that try combinations of letters and numbers until the right one is found. Other hackers exploit social engineering with or phone calls to trick unsophisticated users into divulging their password by pretending to be a trusted company employee such as a technical support specialist. Research shows that weak access security is a leading cause of data breaches contributing to 82 percent of compromised records. 2 In large organizations, use of stolen credentials is the biggest cause of breaches and compromised records (Verizon Report, p. 26). For incidents like these, the use of a strong authentication solution can prevent the breach and compromise of sensitive data. Office computer users and remote workers need strong authentication to protect access to sensitive information in their organizations' servers and applications. Many government agencies such as the U.S. Department of Defense, or departments within government or commercial financial institutions, require strong authentication to log on to office computers on their networks because of the highly valuable and sensitive nature of these data. Strong authentication is also required or under consideration by some data protection regulations for private industry such as PCI DSS for retail, FFIEC for financial services, and HIPAA/HITECH for healthcare. Your business partners and customers are also well aware of security breaches and expect you to protect their data when used by your IT systems. Your use of strong authentication will help to gain their trust. It will also prevent breaches caused by risky use of technology by business partners and consumers. For example, business and consumer access to applications via mobile devices is rapidly growing. The use of weak credentials for accessing sensitive business applications such as online shopping and banking can result in a breach Verizon Business 2012 Data Breach Investigation Report (p. 25) 1

5 Assessing Options for Authentication As you acknowledge the need for stronger access security, the quest to specify a solution for your environment begins by asking: which authentication technology is the right one? The answer depends upon requirements determined by your applications and IT environment. Authentication starts with something you know, which is a user ID and password. Passwords will have varying degrees of strength. Weak passwords create vulnerabilities that facilitate hacking attacks such as guessing, brute force dictionary cracking, or man-in-the-middle interception. While your organization can strengthen a simple password against guessing and dictionary attacks by enforcing rules about their characteristics and lifespan, this often backfires because users will often take the risky step of writing them down in an insecure location when they feel the rules make things too complex. And the rules won t stop social engineering, capture, or interception attacks. A mandatory requirement for strong authentication is the best defense. Strong authentication requires each person attempting access to present a second factor, which is something you have, in addition to a password. Even if an unauthorized person obtained your password, they could not gain access without the second factor. The strongest authentication systems use technologies called one-time passwords (OTP) or digital certificates to completely remove the vulnerabilities of password guessing or a man in the middle attack. A use-case requiring less stringent strong security can use a variant called risk-based authentication. Two factors of proof make stronger authentication Risk-based Authentication Risk-based authentication has recently gained acceptance as a reasonably good form of protecting logon security. One attraction is lower cost: risk-based authentication does not require the use of tokens, smartcards, or biometrics. It s a simpler type of multifactor authentication that can significantly reduce costs associated with deployment to a large user population. It also eliminates associated burdens that may negatively affect usability of traditional solutions. Riskbased authentication works by establishing a baseline for normal user behavior when logging on to a system, such as recording what device and/or location they normally use for access. With risk-based authentication, when the logon behavior is normal, a simple password may be deemed acceptable. But when a log on is attempted by an unknown device or from an unusual location, the user is challenged to enter an additional code, which is ed to them or sent to them via SMS text message. Risk-based authentication is included with Symantec Validation and Identity Protection (VIP). Risk-based Authentication Pros Tokenless no special application software or hardware required for users Lower cost for a large user base Cons Optimal for web applications, but might not work with others Requires small, but necessary changes to server-based code of each web application Easier for unsophisticated users 2

6 One-time Password Authentication One-time-password (OTP) technology is a form of two-factor authentication (2FA). It s often used for authenticating VPN and partner-facing web portals. OTP may also serve well for some custom applications. As mentioned, OTP solutions augment traditional user names and passwords with various choices for something you have, With OTP, a user PC, smartphone, or special hardware token, may all serve as a second factor during logon. With an OTP system, when a user enters the logon ID and password (the first factor ), the system also requires the user enter a unique one-time code or password generated by software on their hardware token device, PC, or Smartphone, and enters it into the system. One Time Password technology is also included in Symantec VIP. One-time Password Based Authentication Pros Proven and time tested security method Cons Its most secure mode requires a token, which can make it more costly than risk-based authentication (Note: Symantec VIP software tokens are free) No application changes required; is supported out-of-box by many applications and networking hardware via a standard protocol called RADIUS Available from wide variety of suppliers and resellers How to Choose the Right Kind of Strong Authentication If you need strong authentication for VPN, web, or cloud applications, you should consider a 2FA solution that provides either risk-based or OTP authentication. The best 2FA solutions are both easy to implement and easy to use which is what makes them good choices for basic requirements. The implementation of risk-based versus OTP technology is a matter of business need and customer preferences. For example, many organizations choose risk-based authentication for consumer-facing applications because it will keep the cost down when there are many thousands of users. One-time password is typically considered the best option for very high security requirements. The Best Value Symantec VIP is cloud-based Software as a Service (SaaS). This lowers your cost and provides flexibility for remote access and other use cases. Symantec VIP provides more value: riskbased authentication and one time password authentication in a single subscription. Some 2FA solutions are difficult to implement and use, which discourages their use and defeats the purpose. Symantec VIP solves usability challenges by supporting a wide variety of authentication options for end users, and also makes management easier for IT departments by supporting industry standards such as RADIUS, and enterprise directories such as Microsoft Active Directory. A self-service portal further enhances the end-user experience and reduces the burden on IT. A standards-based, cloud-delivered solution such as Symantec VIP Service, which includes both risk-based and OTP technology, will bring your organization more flexibility at a lower cost than alternatives requiring an on-premise proprietary solution. 3

7 Strong Authentication with Digital Certificates Some application use-cases require a specific strong, 2FA technology called digital certificates. Examples are user-specific authentication to Wi-Fi access points or network switches, encrypted , document signing for Adobe Certified Document Service or Microsoft Office, or device authentication in mobile Bring Your Own Device (BYOD) initiatives. 3 All of these require using digital certificates to take advantage of the most secure capabilities. When an environment also includes VPN, web, or cloud applications, many organizations choose to use digital certificates for these applications as well in order to integrate strong authentication under one solution. All such applications must be certificate-enabled, which means some applications might not include support for this type of strong authentication. Digital certificates provide strong authentication through a cryptography method called Public PKI Made Easy Symantec Managed PKI simplifies the complexity of using digital certificates. As a managed service, the infrastructure is ready to go. All you do is activate the account. Managed PKI automates client-side configuration of applications and makes the user experience transparent. Our solution saves you money because you don t have to manage the systems. We do it for you. Key Encryption. To manage digital certificates properly requires a Public Key Infrastructure (PKI) such as Symantec Managed PKI. The Symantec Managed PKI solution, like Symantec VIP Service, is also a cloud-based offering. This makes it much easier to deploy and manage than on-premise PKI solutions such as Microsoft PKI software, and supports more deployment complexity than with a 2FA solution. Certificated-based Authentication Pros Enables strong authentication for applications requiring this mechanism Also supports most other applications, so you can boost efficiency and save money by using digital certificates for all strong authentication requirements Cons Requires PKI system for managing the certificate lifecycle, so there is more complexity Requires client-side configuration of applications to use a certificate 3- For more examples, see our white paper, Why Digital Certificates are Essential for Managing Mobile Devices, 4

8 Symantec Strong Authentication Solutions Symantec solutions features and capabilities will provide your enterprise with strong, scalable, and manageable authentication for protecting online identities and interactions between consumers, business partners, and employees. Symantec Validation and ID Protection (VIP) Service A cloud-based service for preventing unauthorized access to sensitive networks and applications. Symantec VIP will replace your simple password security with strong, robust security for access to your enterprise networks and applications, and prevent unauthorized access by malicious attackers. Users have the same experience as before, but with the added security of a second factor for authentication. Deployment is simple with an existing infrastructure and usually can be pre-configured by an administrator. Key Features Cloud-based infrastructure Secure, reliable, and scalable service delivers authentication without requiring dedicated on-premise server hardware. Certified annually by third parties. Multiple two-factor credential options Deploy OTP credentials in a variety of hardware, software, or mobile form factors. Free mobile device credentials Support for more than 900 mobile devices including Android, ios, Windows Phone 7, J2ME, and BREW. Tokenless risk-based authentication Leverage device and behavior profiling to implement strong authentication and block risky logon attempts without the requirement of a hardware credential. Out-of-band authentication support Authenticate users via SMS messages or voice-enabled phone calls when elevated risk is detected. Case Study: First Tech Federal Credit Union The Problem The national credit union wanted to differentiate its services by offering highly secure options for online banking without adding IT overhead. Solution Used Symantec Validation and ID Protection (VIP) Service with VIP Access for Mobile. Results First Tech has established a name for itself in offering convenient strong authentication for its customers. It achieved 100% reliability of delivery 5

9 Transaction monitoring support Evaluate activity related to end-user s monetary transactions, including anomalous amount, anomalous destination, transaction velocity anomaly, and high risk touch points, which allows your organization to challenge the user with an additional factor of authentication. Self-service credential provisioning Deploy strong authentication to consumers without requiring IT helpdesk or administrator configuration or intervention. Web-based application integration Add strong authentication to your application using the Symantec VIP web services API in your preferred programming language. of one-time passwords for mobile members. The VIP Network also expanded customers options for OTP access to multiple First Tech accounts. Finally, the cloud-based solution enabled national deployment without additional IT overhead. 4 Enterprise infrastructure support Also integrates with popular enterprise VPNs, webmail, SSO applications, and corporate directories to support internal mobile applications. Symantec Managed PKI Service A cloud-based service to power strong authentication, encryption, and digital signing applications. As your enterprise electronically conducts more transactions and correspondence, there is a growing need to authenticate users, restrict access to confidential information, and verify integrity or origination of sensitive documents. Symantec Managed PKI Service, based on Public Key Infrastructure, will allow your enterprise to provide this level of strong trust-based security. It can implement multi-purpose credentials; is good for one-to-many applications such as ; works both online and offline; and supports multiple cryptographic use-cases such as authentication, encryption, and non-repudiation. With PKI, you can facilitate tighter integration with your business partners, protect data against internal and external threats, ensure business continuity, and maintain compliance with government and corporate regulations. Key Features Trusted, cloud-based infrastructure Backed by 24 hours a day, 7 days a week, 365 days a year monitoring, management, and escalation across the globe with full disaster recovery. Certified annually by a third-party as part of a SSAE 16/SOC 2 security audit, regular WebTrust audits, and specialized government audits. Broad application support Managed PKI Issues X.509 certificates that interoperate with a wide variety of operating systems, devices, VPN, mail, and web browser software. Providing certificate profiles for common applications enables strong authentication, encryption and signing, and document signing (Adobe PDF signing). Automated certificate lifecycle management Automates configuration of common authentication, encryption, and signing applications across multiple platforms and browsers. Case Study: Triton Systems of Delaware, LLC The Problem This leading provider of off-premise automated teller machines in North America needed to support remote key transport while eliminating the cost of having two engineers visit each ATM when master key codes required changing. Solution Used Symantec Managed PKI Service Results Triton Systems became the first retail ATM manufacturer to market with remote key transport feature, which increased competitive advantage. Triton s ATM owners can now save more than $450 in costs for the life of each machine without compromising security or reliability

10 Our client software automatically configures a user s browser, VPN client, mail client, or other application to use Symantec certificates. It also automates the process of renewing certificates, preventing expired certificates from interrupting business continuity. Symantec O3 For Authenticating Cloud Applications Many organizations are putting applications in the cloud to save money. As unintended consequences, IT often loses control of access and end users often take a hit in usability especially when they are authenticating to multiple cloud applications. The practical pitfall is recalling different authentication credentials for the various applications. A common response by users is to re-use a single credential for all the applications. This behavior will weaken your security and magnify the risk of a breach. Symantec O3 enables strong single sign-on across cloud, software-as-a-service (SaaS), and web applications and services. It readily integrates with existing identity sources such as Active Directory, LDAP, and relational databases. It also federates authentication for the various cloud/web services, and offers users a simple single-sign-on experience. The solution also maintains a context-based policy engine to oversee access control. For more information about Symantec O3, see Make the Move to Strong Authentication With Symantec, you can quickly enable the benefits of strong access security in corporate and customer-facing applications. Depending on application requirements, you will need one of three solutions: risk-based authentication (Symantec VIP), a 2FA solution with one-time passwords (Symantec VIP), or a digital certificate-based solution (Symantec Managed PKI). To learn more, call your Symantec account representative or visit our Symantec User Authentication Solutions page at families/?fid=user-authentication. Choosing the Right Authentication Method Symantec VIP Symantec Managed PKI Application Use Cases One-Time Passwords Risk-based Digital Certificates Virtual Private Networks (VPNs) * Web/Cloud-based Applications * Secure Wireless Access Secure Document Signing Support for BYOD Initiatives * Supported as a secondary user case 7

11

12 About Symantec Symantec protects the world s information, and is a global leader in security, backup, and availability solutions. Our innovative products and services protect people and information in any environment from the smallest mobile device, to the enterprise data center, to cloud-based systems. Our worldrenowned expertise in protecting data, identities, and interactions gives our customers confidence in a connected world. More information is available at or by connecting with Symantec at go.symantec.com/socialmedia. For specific country offices and contact numbers, please visit our website. Symantec World Headquarters 350 Ellis St. Mountain View, CA USA +1 (650) (800) Copyright 2013 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. 1/