White Paper. McAfee Cloud Single Sign On Reviewer s Guide

Transcription

1 White Paper McAfee Cloud Single Sign On Reviewer s Guide

2 Table of Contents Introducing McAfee Cloud Single Sign On 3 Use Cases 3 Key Features 3 Provisioning and De-Provisioning 4 Single Sign On and Authentication 4 IP-initiated SSO 4 SP-initiated SSO 5 Multi-factor Authentication 5 Monitoring and Management 6 Pricing and Support 7 Getting Started 7 2 McAfee Cloud Single Sign On Reviewer s Guide

3 Organizations of all sizes around the world are adopting the Software-as-a-Service (SaaS) model, but many are concerned about protecting the security of their enterprise applications and data in the cloud. They also want to reduce the expense and IT administrative overhead of managing access to cloud applications. McAfee Cloud Single Sign On is an identity and access management (IAM) solution designed to enable enterprises to securely control and monitor employee (or other stakeholder) access to SaaS applications. Features include standards-based federated single sign-on; provisioning/de-provisioning of user accounts (automatically synchronized with enterprise identity repositories); fully integrated multi-factor authentication for stronger data protection; and a management console with dashboard for monitoring, management, and compliance reporting of all identity events. Introducing McAfee Cloud Single Sign On McAfee Cloud Single Sign On is an IAM solution for managing user accounts and access to SaaS applications. It s designed for companies that are outsourcing applications to the cloud to cut costs and provide users with access to industry-leading applications. But moving to the cloud comes with its own set of risks and IT management headaches. Use Cases Provisioning When a company outsources applications to the cloud, someone has to manage user access to those SaaS applications. Manual account administration can quickly become a big expense. For example, if an average administrator takes five minutes to create or delete a SaaS account, and each employee requires access to 10 SaaS applications, on average, that s 50 minutes required per hire or termination. If you multiply that by the rate of new hires, the time and expense involved quickly adds up. De-provisioning Similarly, it s vital to make sure those SaaS accounts are rapidly disabled or deleted when the user leaves the organization. Otherwise, a disgruntled ex-employee may still have access to sensitive information, which they could potentially share with your competitors. Password management If your organization is like most, each user has multiple user IDs and passwords. The problem becomes even worse if your security team requires strong password policies, like combining numbers and special characters or forcing arbitrary password changes. As a result, most users write down their passwords and store them in a convenient, insecure location; sticky notes with passwords adhered to keyboards or tacked to a bulletin board abound in many organizations or, because of strong password policies, users tend to use the same password for the majority of their applications. Strong authentication If you re moving sensitive data or applications into the cloud, you need to be concerned about how to verify that only known, authorized individuals or groups have access to those applications, so you can reduce the potential for a breach. Key Features Provides tools to automatically create and delete SaaS application accounts for users, making it easy for IT to add or terminate user accounts and ensure that ex-employees no longer have access Provides secure, standards-based single sign-on (SSO) for hundreds of popular SaaS applications to make life easier for users, while slashing the number of password-related helpdesk calls Includes multi-factor authentication using a one-time password (OTP) delivered via any mobile device (such as a mobile phone) to protect sensitive assets in the cloud by forcing the user to verify his identity 3 McAfee Cloud Single Sign On Reviewer s Guide

4 Provisioning and De-Provisioning McAfee Cloud Single Sign On provides connectors for Microsoft Active Directory (AD) and other lightweight directory access protocol (LDAP)-enabled directory services. Other identity profile sources include relational database management systems, enterprise IAM systems from vendors like IBM, Oracle, CA, NetIQ (Novell), web services, and file-based repositories. Identity repository connectors can be used for synchronized provisioning and de-provisioning as well as user authentication. Provisioning can be synchronized with identity repositories to automatically create and terminate SaaS applications for new hires or when a user leaves the organization. Policies can be defined to create SaaS accounts on specific applications, based on user profile elements. For example, the system administrator can create AD groups and define rules that new user accounts in sales are automatically provisioned with a Salesforce.com account, while those assigned to the marketing group are provided with a Marketo account. Just-in-time (JIT) provisioning allows you to dynamically create an account using the Security Assertion Markup Language (SAML) protocol. With JIT provisioning, you create an account the first time the user tries to access the application. However, since JIT provisioning is not synchronized with AD, it does not support automated de-provisioning. Single Sign-On and Authentication Single sign-on (SSO) has multiple advantages. Using SSO reduces or completely eliminates the need for a user to remember multiple combinations of user IDs and passwords. This removes the temptation to reuse the same password for multiple applications or to write down and post passwords in insecure locations. It also significantly eliminates the need to manage complex password reset processes (such as creating and responding to a series of private questions) or maintaining a helpdesk unit to reset passwords for users. McAfee Cloud Single Sign On includes more than 400 SSO and provisioning connectors. Unlike other competing products, McAfee Cloud Single Sign On supports multiple SSO models, providing the broadest range of authentication models in the industry. Federated SSO The default, preferred SSO security model is federated SSO using well-known, mature industry standards, such as SAML. Other SSO or authentication standards that are supported include OpenID and OAuth. API Some applications that don t support standards expose a proprietary SSO API, which McAfee Cloud Single Sign On can use Agent-based There are also applications which can be SSO-enabled by deploying an agent on the platform. McAfee Cloud Single Sign On provides the ability to deploy.net, Java, or PHP agents. HTTP POST Finally, the lowest common denominator is the SaaS application that requires the user to enter credentials via an HTML form. In this use case, McAfee Cloud Single Sign On provides the ability to capture the user ID and password the first time the user attempts to log on and then encrypts and vaults the credentials and replays them using the HTTP POST protocol whenever the user accesses the application after that. McAfee Cloud Single Sign On also includes generic connectors that can be used to create customized SSO connectors, where one is not available for a target SaaS application. IP-initiated SSO McAfee Cloud Single Sign On supports both identity provider (IP)-initiated SSO and service provider (SP)-initiated SSO. In IP-initiated SSO, the user logs directly into the SSO portal (see Figure 1). If Integrated Windows Authentication (IWA) is enabled by the system administrator, the user can access the SSO portal without entering any further credentials. (McAfee Cloud Single Sign On picks up the IWA Kerberos ticket and uses it to authenticate the user to the portal.) Once the user is authenticated to the portal, a dynamically generated landing page is displayed that contains links to all the SaaS applications that the user has access to. Note that the user can t see an application that he doesn t have access to. At that point, the user simply clicks on the link and is transparently redirected to the target application, without being required to enter a user ID or password. 4 McAfee Cloud Single Sign On Reviewer s Guide

5 Figure 1. End-user McAfee Cloud Single Sign On portal. SP-initiated SSO Alternatively, in the SP-initiated scenario, when users try to access the SaaS application directly, they are redirected to the SSO portal, where they must enter their credentials before being given access to the application. Multi-factor Authentication McAfee Cloud Single Sign On administrators can configure two different multi-factor authentication scenarios. The system administrator can protect the SSO portal itself with multi-factor authentication and require the user to enter an OTP before gaining access. 1 Alternatively, the system administrator can configure any individual SaaS application with OTP protection, requiring the user to enter an OTP in order to gain access. The OTP server included in McAfee Cloud Single Sign On is based on McAfee One Time Password. The software can be used for out-of-band authentication using a variety of channels, including: Smartphone app: Apple iphone, Apple ipad, Android, BlackBerry, Windows Mobile SMS text message PC-based client application , IM, or chat Third-party device, such as YubiKey USB token 5 McAfee Cloud Single Sign On Reviewer s Guide

6 Figure 2. OTP smart phone app. Figure 3. McAfee Cloud Single Sign On console. Figure 2 shows an example of the McAfee One Time Password app installed on a smartphone. Note that, unlike a hardware token, a soft token can be used to manage access to multiple SaaS applications. When the user is prompted to enter a one-time password, he goes to his phone, taps the Generate one-time password button on the app, retrieves the OTP created by the app, and enters it into the screen prompt. The app does not require the user to have an active cell phone link with the OTP server. If the user has an ordinary cell phone, rather than a smartphone, the OTP server can send it to the user as a short message service (SMS) text message, which requires the user to have an active cell signal. McAfee Cloud Single Sign On supports other forms of multi-factor authentication, such as Intel Identity Protection Technology (Intel IPT). Intel IPT is a chip embedded on the motherboard of Intel Ultrabook computers. It enables an administrator to restrict access to a known, registered, properly configured laptop. The PC itself becomes another form of two-factor authentication. Monitoring and Management McAfee Cloud Single Sign On includes a management console (see Figure 3) that is used by the administrator to: Add and configure SaaS applications, including SSO and provisioning connectors, application-specific multi-factor authentication, and other application-specific parameters Add and configure user accounts Monitor use activity through a live dashboard showing current activity, such as logins, logouts, errors, and more McAfee Cloud Single Sign On collects comprehensive data on all identity events, which can be used to generate reports used to track historical activity or for compliance/audit reporting. 6 McAfee Cloud Single Sign On Reviewer s Guide

7 Pricing and Support McAfee Cloud Single Sign On is sold as an annual subscription. Subscription pricing varies from a maximum of just under $5/user/month down to below $1/user/month, depending on the number of user licenses and the subscription duration (one, two, or three years). The license includes: Unlimited use of more than 400 cloud connectors for provisioning and SSO Some competitors charge extra for additional connectors Tools to create custom connectors McAfee Professional Services is also available to create customer connectors Built-in multi-factor authentication using McAfee One Time Password soft token technology Some competitors charge extra for multi-factor authentication 24/7 support services Some competitors charge extra for support outside normal business hours Integration with McAfee Web Protection Users can log onto McAfee Web Gateway and directly log onto the McAfee Cloud Single Sign On portal without re-entering credentials. McAfee also has developed a roadmap for adding integration with other McAfee cloud security solutions. The assurance that comes from dealing with the largest independent security software vendor in the world Getting Started McAfee Cloud Single Sign On can be installed on a Windows or Linux server, in either 32-bit or 64-bit configurations. The installation package includes all McAfee Cloud Single Sign On services: Identity and SSO service Provisioning service Built-in OTP server The software can be installed: On-premises or in the cloud On any virtual appliance, Amazon EC2, or DMZ-ready hardware appliance System requirements: Browsers: Internet Explorer 6, 8, or higher; Firefox 3.6 or higher; Chrome 16 or higher; Safari or higher Mobile browsers: Android 2.0 devices; ios devices and Safari browser Server operating system: 32-bit or 64-bit Red Hat Enterprise Linux Server and Advanced Platform 5.0 Microsoft Windows Server 2003 or Windows Server 2008 Hardware requirements: Intel multi-core server with 2 GB RAM Title Provisioning Guide Product Guide Installation Guide Integration Guide Description A complete guide to the management console; covers the configuration tasks needed to administer McAfee Cloud Single Sign On. Provides information for software developers who want to write custom Java code that extends McAfee Cloud Single Sign On functionality. Includes the tasks and procedures that you need to install and uninstall McAfee Cloud Single Sign On as a stand-alone server on Microsoft Windows and Linux operating system platforms. The guide also includes how to start and stop the McAfee Cloud Single Sign On service after it is installed. Offers instructions on how to integrate Java-based and.net web applications that do not support SAML2 authentication with McAfee Cloud Single Sign On. Note: In addition to these guides, there are separate guides that document how to configure the different cloud connectors. For more information, see the Provisioning Guide. 7 McAfee Cloud Single Sign On Reviewer s Guide

8 About McAfee McAfee, a wholly owned subsidiary of Intel Corporation (NASDAQ:INTC), is the world s largest dedicated security technology company. McAfee delivers proactive and proven solutions and services that help secure systems, networks, and mobile devices around the world, allowing users to safely connect to the Internet, browse, and shop the web more securely. Backed by its unrivaled global threat intelligence, McAfee creates innovative products that empower home users, businesses, the public sector, and service providers by enabling them to prove compliance with regulations, protect data, prevent disruptions, identify vulnerabilities, and continuously monitor and improve their security. McAfee is relentlessly focused on constantly finding new ways to keep our customers safe. 1 McAfee One Time Password can also be deployed to deliver multi-factor authentication for VPN access and other use cases not related to McAfee Cloud Single Sign On. 2 For more information, visit Mission College Boulevard Santa Clara, CA McAfee and the McAfee logo are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other marks and brands may be claimed as the property of others. The product plans, specifications, and descriptions herein are provided only for information and are subject to change without notice. They are provided without warranty of any kind, expressed or implied. Copyright 2013 McAfee, Inc wp_cloud-sso-rev-gde_0413_fnl_ASD