Risk Based Authentication and AM 8: What you need to know!
Agenda (slide 2)
- Authentication Manager 8
- Customer Use Cases
- Risk Based Authentication (RBA)
- RBA Integration and Deployment
SecurID / Authentication Manager 8 (slide 3)
AM8 compelling new features:
- Risk-Based Authentication lowers authentication costs
- Virtualization: better control at lower cost; mix & match between virtual and/or physical appliances
- Self Service & Admin Dashboards lower TCO
- Software token provisioning improves by 57%
- Proven high quality release
- AM Prime Suite: Advanced Token Lifecycle Management Solutions; Archer Focused Solutions (reporting)
- Software Token 2.0 improves user experience
- AM 8.0 (Virtual Appliance) GA in Mar 2013; AM 8.1 (Hardware Appliance) GA in Dec 2013
The Clock is Ticking (slide 4)
A few months left until End of Primary Support (EOPS):
- AM 6.1: EOPS Dec 2014, no extensions. Can migrate directly to 8.x; no appliance migration.
- AM 7.1: EOPS Dec 2014, no extensions. Some appliances may migrate.
For migration resources, visit www.emc.com/am8
Risk Based Authentication (slide 5)
Diverse User Populations Require Choice (slide 6)
User populations: Employees, Temps, Contractors, Partners, Clients, Customers, Auditors, Remote Workers
Authenticator spectrum, from Convenience & Cost to Security & Flexibility:
- Risk-Based Analytics
- Tokenless: Passwords, On-Demand
- Software Tokens: PC / Web Browser, Mobile, Embedded Solutions
- Hardware Tokens: Fob / Card Token, Hybrid Smart Card
RBA Use Case: Web-Based Remote Access (slide 7)
For employees, contractors, partners and clients; targets: SSL VPN, Web Portals, OWA, SharePoint.
- Employee Mobility: SSL VPN and web-based email for employees & contractors
- Enterprise Web Portal: web portals for employee, contractor or customer services
- Manufacturing: supply chain order management system hosted by XenApp
- Professional Services: exchange of sensitive information with clients using an online portal
- Healthcare: health clinics eliminating the "token necklace" for medical staff
Populations served: Employees & Contractors, Partners & Vendors, Clients
AM8 RBA Customer Implementation (slide 8)
Large global media & marketing conglomerate with a diverse portfolio of broadcast, digital, mobile and publishing companies.
Problem:
- Management of the digital certificate environment for authentication is time consuming, tedious and costly
- Difficulty meeting PCI compliance
- Increased risk to the business from potential outages and breaches
- VPN access is single factor into the corporate network
- High management and maintenance costs
Solution:
- AM8 with 15,000 RBA/ODA licenses & 15,000 software tokens for multifactor strong authentication; reduced management & administration costs
- Easily achieves PCI compliance
- Strengthens access to sensitive applications with strong authentication for all users (VPN and ODA)
- 7x24 availability via multiple replicas
- RBA delivers multi-factor authentication with no impact to the user experience and lowers costs; software tokens meet the strong two-factor authentication requirement for non-web-based applications
- Dramatically lowers TCO
AM8 RBA Customer Implementation (slide 9)
Large North American city municipality (population 1 million+).
Problem:
- Access to the HR portal from the internal corporate network only
- Rising help desk costs associated with employees losing tokens and re-issuing tokens
- Cost of issuing tokens to employees who only require occasional access
- Network utilization, efficiency and the negative experience of dual authentication for a growing population of remote users who reached the HR portal indirectly, via VPN from a home office, with a token
Solution:
- Upgrade from AM 7.1 to the AM 8 Virtual Appliance with web tiers; the Self-Service Console significantly lowered deployment, maintenance and help desk costs
- Deployed 18,000 RBA licenses; RBA licenses do not expire and can easily be re-provisioned in AM 8
- HR portal access from anywhere using RBA has streamlined operations, lowered cost and improved the user experience
- Going forward, tokens will only be given to users who have access to critical assets other than their own HR portal
The AM8 RSA Risk Engine (slide 10)
Based on the Adaptive Authentication risk engine:
- Industry's most proven & sophisticated risk engine
- Protects 400+ million online identities over the last decade
Optimized for enterprise use cases (RBA vs. Adaptive Authentication):
- Network security vs. fraud mitigation
- Predictable results vs. challenge rate
- Assurance levels vs. risk scoring
- Simple deployment vs. customization
Self-tuning risk model adapts to the customer environment:
- Common device characteristics are de-prioritized in the risk score
- Suspicious behavior is judged against norms for the overall user population
Risk-Based Authentication (slide 11)
Strengthens traditional password authentication by silently applying risk-based analytics.
Flow shown in the diagram:
- Inputs: Device Identification (Device Fingerprint, Device Token) and User Behavior (Network Forensics, Profile, Relative Velocity), gathered from the web browser, SSL VPN or web portal login together with the activity details
- The RSA Risk Engine produces an Assurance Level, which is evaluated against the Authentication Policy
- PASS: access to the protected resources (OWA, SharePoint, ...)
- RISKY: Identity Challenge (On-Demand Tokencode or Challenge Questions); PASS grants access, FAIL denies it
Risk Assessment (slide 12)
Device Identification (increases assurance): analyzes detailed hardware & software characteristics of each device.
- Device Fingerprint: collects & evaluates multiple facts about the user's device such as User Agent String, System Display, Software Fingerprint, Time Zone, Languages, Enabled Cookies and Enabled for Java
- Network Forensics: matches the device IP configuration to previously registered IP addresses for the user's device; DHCP-assigned addresses receive partial credit based on strength of match
- Device Token: identifies the device using a combination of anti-theft protected cookies & Flash Shared Objects (FSOs) to prevent impersonation, enable future identification & ensure a unique match; without device tokens, strength of match is determined by statistical probability
Behavior Analysis (decreases assurance): assesses the impact of behavior anomalies based on frequency and recency.
- Profile Anomalies: assesses recent changes to the user profile such as password or account changes
- Comparative Anomalies: compares behavior patterns and assesses behavior anomalies such as a new or infrequently used IP address
- Velocity Anomalies: compares the number of occurrences within a specified period of time (velocity) for a user vs. the user population
The risk engine automatically updates the scoring algorithm based on the statistical probability of certain characteristics within each unique deployment.
Assurance Levels (slide 13)
Four pre-defined levels, selected by policy. The assurance level is the degree of confidence in each user authentication attempt; the policy sets the minimum assurance required to authenticate without a challenge.

Level        | Description                                                                               | Use case
High         | BEST for protecting sensitive assets when higher challenge rates are acceptable          | Authentication from easily-identifiable or corporate-owned assets (e.g. employee laptop); authentication from the same location (e.g. branch or home office)
Medium-High* | VERY GOOD for protecting sensitive assets when higher challenge rates are not acceptable | Authentication from corporate & individual-owned assets when policy can be dictated (e.g. cookies must be enabled); laptop users that frequently authenticate while traveling
Medium       | GOOD when a balance between protection and end user convenience is required              | Authentication from uncontrolled, non-managed assets (e.g. a personal laptop or home PC); when corporate policy cannot be enforced or tracking objects (e.g. cookies or FSO) cannot be reliably used
Low          | Use with the least sensitive assets & for end user convenience                           | Minimum device assurance while challenging users primarily based on suspicious behavior
* RSA recommended
Device & Behavior Impact on Assurance (slide 14)
Assurance levels adjusted for behavioral risk. Rows: device ID match, strong to weak. Columns: behavioral analysis risk, low to high.

Device matching technique                                            | Risk low | .        | .        | Risk high
Match based on two or more uniquely identifying elements & stat. data | HIGH     | HIGH     | MED-HIGH | VERY LOW
Match based on one uniquely identifying element plus statistical data | MED-HIGH | MEDIUM   | LOW      | VERY LOW
Match based on one uniquely identifying element                       | MEDIUM   | MEDIUM   | LOW      | VERY LOW
Match based on statistical data only                                  | VERY LOW | VERY LOW | VERY LOW | VERY LOW
Unrecognized / unbound device                                         | VERY LOW | VERY LOW | VERY LOW | VERY LOW
Integration & Deployment (slide 15)
End User On-Boarding (slide 16)
Configured per user by security domain; two options:
Silent Collection
- The engine is passive; the period of passivity is configurable (14 days is recommended)
- User browser session information is collected during authentication
- Once the required assurance is reached, the user is prompted in-line to provide step-up challenge information*
Self-Service Console
- The user logs in to the Self-Service Console
- The user enters step-up challenge information based on policy (Life Questions or On-Demand)
- RBA is active immediately; no history is required
* If a user does not enter step-up information they will not be able to authenticate
Risk-Based Authentication Flow (slide 17)
1. Internet: the user connects to the SSL-VPN login page in the DMZ (custom RBA script).
2. The RBA integration script redirects the browser to the AM web tier (SSC, CTKIP, RBA).
3. The AM appliance on the intranet authenticates the user and performs the risk assessment (challenge if necessary).
4. The AM web tier creates an authentication artifact and returns the user to the SSL-VPN.
5. The SecurID web agent on the SSL-VPN validates the artifact using the SecurID APIs.
6. Access granted to the protected resources on the intranet.
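As an added example of that hand-off (illustrative code, not RSA's; the real AM artifact format and the SecurID agent API are not described on this page), the Python below models both sides of slide 17: the SecurID web agent on the SSL-VPN redirects the login to the AM web tier, AM authenticates the user, consults a risk decision and mints an artifact, and the agent redeems it through a validate call. The artifact is modelled as an HMAC-SHA256-signed blob bound to the user and to the agent it is returned to, with a short lifetime and single use; those are the properties a practitioner should verify in any such artifact hand-off. The shared key, URLs, the 60-second TTL, the agent ids and the sample password check are constructed placeholders.

```python
"""Model of the slide-17 SSL-VPN <-> AM web tier hand-off (illustrative; not RSA's implementation)."""
import base64
import hashlib
import hmac
import json
import secrets

ARTIFACT_TTL = 60                       # seconds an artifact stays redeemable (assumption)
TAG_LEN = hashlib.sha256().digest_size  # length of the HMAC tag appended to the artifact body


class AMWebTier:
    """AM side: primary authentication, risk decision, artifact issue and artifact validation."""

    def __init__(self, key, decide_risk):
        self._key = key                  # in this model the key is shared with the SecurID web agent
        self._decide_risk = decide_risk  # callable(user, context) -> "PASS" or "CHALLENGE"
        self._redeemed = set()           # artifact ids already validated (replay protection)

    def login(self, user, password, context, agent_id, now):
        """Authenticate the user, run the risk decision, mint an artifact if no challenge is needed."""
        if not self._primary_ok(user, password):
            return "FAIL", None
        if self._decide_risk(user, context) == "CHALLENGE":
            return "CHALLENGE", None     # an ODA tokencode or challenge questions would be collected here
        return "ARTIFACT", self._mint(user, agent_id, now)

    @staticmethod
    def _primary_ok(user, password):
        return password == "correct-horse"  # constructed stand-in for the real credential check

    def _mint(self, user, agent_id, now):
        body = {"id": secrets.token_hex(8), "user": user, "agent": agent_id, "exp": now + ARTIFACT_TTL}
        raw = json.dumps(body, sort_keys=True).encode()
        tag = hmac.new(self._key, raw, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(raw + tag).decode()

    def validate(self, artifact, agent_id, now):
        """The agent's 'validate artifact' call. Returns the user, or None if anything is off."""
        try:
            blob = base64.urlsafe_b64decode(artifact.encode())
        except ValueError:
            return None
        raw, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
        if not hmac.compare_digest(hmac.new(self._key, raw, hashlib.sha256).digest(), tag):
            return None                  # forged or tampered
        body = json.loads(raw)
        if body["agent"] != agent_id:    # minted for a different agent / return point
            return None
        if body["exp"] < now:            # expired
            return None
        if body["id"] in self._redeemed:
            return None                  # replayed
        self._redeemed.add(body["id"])
        return body["user"]


class SecurIDWebAgent:
    """SSL-VPN side (DMZ): sends the browser to AM, later redeems the artifact AM returned."""

    def __init__(self, am, agent_id, am_url="https://am-webtier.example/rba"):
        self._am, self.agent_id, self._am_url = am, agent_id, am_url

    def login_redirect(self, return_url):
        """The RBA integration script's redirect to the AM web tier."""
        return f"{self._am_url}?agent={self.agent_id}&return={return_url}"

    def on_return(self, artifact, now):
        """Validate the artifact via AM and grant or deny the VPN session."""
        user = self._am.validate(artifact, self.agent_id, now)
        return f"GRANTED {user}" if user else "DENIED"


def demo():
    """Happy path plus the failure modes the agent must reject, on constructed data."""
    am = AMWebTier(secrets.token_bytes(32),
                   lambda user, ctx: "CHALLENGE" if ctx.get("new_device") else "PASS")
    vpn = SecurIDWebAgent(am, agent_id="vpn-dmz-1")
    now, out = 1_400_000_000, {}
    out["redirect"] = vpn.login_redirect("https://vpn.example/rba-return")
    status, art = am.login("alice", "correct-horse", {"new_device": False}, vpn.agent_id, now)
    out["login"] = status
    out["first_use"] = vpn.on_return(art, now + 5)
    out["replay"] = vpn.on_return(art, now + 6)
    _, art2 = am.login("alice", "correct-horse", {}, vpn.agent_id, now)
    out["expired"] = vpn.on_return(art2, now + ARTIFACT_TTL + 1)
    _, art3 = am.login("alice", "correct-horse", {}, vpn.agent_id, now)
    out["wrong_agent"] = SecurIDWebAgent(am, agent_id="portal-2").on_return(art3, now + 1)
    out["tampered"] = vpn.on_return(art3[:-6] + "AAAAAA", now + 1)
    out["challenge"] = am.login("alice", "correct-horse", {"new_device": True}, vpn.agent_id, now)[0]
    out["bad_password"] = am.login("alice", "nope", {}, vpn.agent_id, now)[0]
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:13} {v}")
```

The point of the model is the validate step: the artifact is only as strong as the checks the agent applies to it, so signature, binding to the requesting agent, expiry and single use are each tested before a session is granted.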
Certified RBA Integrations (slide 18)
https://gallery.emc.com/tags?tags=rsa_risk_based_authentication&taggabletypes=document
RSA Authentication Risk Analytics and Intelligence (slide 19)

                  | AM8 Risk Based Authentication                                  | Adaptive Authentication
Target Market     | Enterprise web-based applications                              | Enterprise / consumer portals
Risk Engine       | Tuned for predictable results                                  | Tuned for predictable challenge rates
Deployment Size   | Small to medium: up to 20,000 users                            | Medium to large: 10,000+ users
Integration       | Plug-and-play                                                  | PS engagement
Administration    | Self-tuning risk engine requires little administration         | Case management allows manual tuning by advanced administrators
Policy Management | Simplified policy management with pre-defined assurance levels | Advanced policy management allows custom weighting of additional risk factors
Devices           | Risk engine optimization specific to SecurID                   | Risk engine optimizations specific to mobile devices
Features          | Supports SecurID and ODA authentication methods                | Supports advanced behavioral analytics: efn, IP Geo, anti-trojan
AM8 and Risk Based Authentication Summary (slide 20)
- Optimized for enterprise use cases
- Expands the use of strong authentication to cost-sensitive web applications and provides user convenience
- Low-cost alternative to hardware authenticators
- Simple plug & play deployment
- Combo license includes RBA & On-Demand Authentication (ODA); no expiration
- No tokens to purchase, renew or re-provision
- Self-tuning risk model adapts to the customer environment
THANK YOU
Common Device Identification Values (slide 22)

Category           | Attribute         | Description
Token attributes   | cookie            | Valid browser cookie is present
                   | flash             | Valid Flash cookie is present
                   | invalid_cookie    | Cookie is invalid, expired, or does not match the host machine
                   | invalid_flash     | Invalid, expired or non-matching Flash shared object (FSO) present on the host machine
                   | no_device_matched | Device not previously registered for this user
Network attributes | ip                | Matches a previously known IP address for the device
                   | classc            | Matches a previously known Class C subnet for the device
                   | classb            | Matches a previously known Class B subnet for the device
                   | classa            | Matches a previously known Class A subnet for the device
Device fingerprint | software          | Software fingerprint based on installed browser plug-ins
                   | usragent          | User Agent String match
                   | browser           | Browser version match
                   | display           | Resolution (width/height) & color depth of the device's display
                   | httpacceptlang    | Accept-Language string (from the HTTP header)
                   | userlang          | User language preferences
                   | systemlang        | System language settings
                   | browserlang       | Browser language settings
                   | timezone          | System time zone settings
Common Behavioral Anomaly Events (slide 23)

Category                        | Anomaly            | Description
Profile anomalies               | dscpassw           | The user's password was recently changed or reset
                                | dscaddr            | The user's address was recently updated
                                | dscemail           | The user's email address was recently updated
                                | dscphone           | The user's phone number was recently updated
                                | dscchallengemethod | The user's challenge method was recently changed
                                | dscsecretquestion  | The user's security questions were recently updated
                                | dscprofile         | Multiple elements of the user's account were recently changed or updated
                                | dsccleardev        | The user's device history was recently cleared
Velocity anomalies (IP address) | numclassbusr10d    | High number of IP (Class B) addresses for this user in the last 10 days
                                | numclassbusr30d    | High number of IP (Class B) addresses for this user in the last 30 days
                                | ipage              | Length of time since this IP address was first recorded
                                | iplasthit          | Length of time since this IP address was last used
                                | ipauth             | Recent Identity Confirmation attempts from this IP address were unsuccessful
Velocity anomalies (users)      | numusrsip10m       | High rate of users authenticating from the same IP address over the last 10 minutes
                                | numusrsip1h        | High rate of users authenticating from the same IP address over the last hour
                                | numusrsip1d        | High rate of users authenticating from the same IP address over the last day
                                | numusrsdev10m      | High rate of users authenticating from the same device over the last 10 minutes
                                | numusrsdev1h       | High rate of users authenticating from the same device over the last hour
                                | numusrsdev1d       | High rate of users authenticating from the same device over the last day
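Slides 22 and 23 list the inputs, slide 12 describes how they raise or lower assurance, and slide 14 gives the matrix that turns device-match strength and behavioral risk into an assurance level that the policy of slide 13 accepts or challenges. The Python below is an added illustrative model of how those pieces fit together; it is not RSA's risk engine or any AM8 code. Which slide-22 attributes count as "uniquely identifying" versus "statistical", the minimum number of statistical matches, the anomaly thresholds and recency windows, and the mapping of anomaly count onto the matrix's four risk columns are all assumptions of this model (slide 12 says the real engine tunes such values from population statistics). The authentication history, user names and addresses are constructed sample data.

```python
"""Illustrative model (not RSA's engine) of slides 12, 14, 22 and 23:
device-match strength x behavioral risk -> assurance level -> PASS or CHALLENGE."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assurance levels, weakest to strongest. VERY LOW is the matrix cell that always challenges.
ASSURANCE_RANK = {"VERY LOW": 0, "LOW": 1, "MEDIUM": 2, "MED-HIGH": 3, "HIGH": 4}

# Slide 14 matrix: row = device match tier (strong -> weak), column = behavioral risk (low -> high).
ASSURANCE_MATRIX = {
    "two_unique_plus_stats": ("HIGH", "HIGH", "MED-HIGH", "VERY LOW"),
    "one_unique_plus_stats": ("MED-HIGH", "MEDIUM", "LOW", "VERY LOW"),
    "one_unique": ("MEDIUM", "MEDIUM", "LOW", "VERY LOW"),
    "stats_only": ("VERY LOW",) * 4,
    "unrecognized": ("VERY LOW",) * 4,
}

# Slide 22 attribute names. Treating device tokens and an exact IP match as "uniquely identifying"
# and fingerprint/subnet matches as "statistical data" is this model's assumption.
UNIQUE_ATTRS = {"cookie", "flash", "ip"}
STATISTICAL_ATTRS = {"classc", "classb", "classa", "software", "usragent", "browser", "display",
                     "httpacceptlang", "userlang", "systemlang", "browserlang", "timezone"}
MIN_STAT_MATCHES = 3                        # assumption: fewer matches do not count as statistical data
PROFILE_CHANGE_WINDOW = timedelta(days=7)   # assumption: how long a dsc* change stays "recent"

# Slide 23 velocity events modelled here: (code, field to group on, window, max distinct users).
# Thresholds are assumptions; the real engine derives them from the population (slide 12).
VELOCITY_RULES = (
    ("numusrsip10m", "ip", timedelta(minutes=10), 5),
    ("numusrsip1h", "ip", timedelta(hours=1), 20),
    ("numusrsdev10m", "device", timedelta(minutes=10), 3),
)


@dataclass
class AuthEvent:
    when: datetime
    user: str
    ip: str
    device: str


def device_match_tier(matched):
    """Classify a set of slide-22 attribute matches into a slide-14 row."""
    matched = set(matched)
    if "no_device_matched" in matched:
        return "unrecognized"
    unique = len(matched & UNIQUE_ATTRS)    # invalid_cookie / invalid_flash do not count as matches
    stats = len(matched & STATISTICAL_ATTRS) >= MIN_STAT_MATCHES
    if unique >= 2 and stats:
        return "two_unique_plus_stats"
    if unique >= 1 and stats:
        return "one_unique_plus_stats"
    if unique >= 1:
        return "one_unique"
    return "stats_only" if stats else "unrecognized"


def behavioral_anomalies(attempt, history, profile_changes, now):
    """Return the slide-23 anomaly codes raised by this attempt (profile first, then velocity)."""
    raised = [code for code, changed_at in profile_changes.items()
              if now - changed_at <= PROFILE_CHANGE_WINDOW]
    for code, key, window, limit in VELOCITY_RULES:
        same = getattr(attempt, key)
        users = {e.user for e in history if now - e.when <= window and getattr(e, key) == same}
        users.add(attempt.user)
        if len(users) > limit:
            raised.append(code)
    return raised


def assess(matched_attrs, anomalies, policy_minimum):
    """Look up the slide-14 cell and compare it with the policy's minimum assurance (slide 13)."""
    tier = device_match_tier(matched_attrs)
    column = min(len(anomalies), 3)          # assumption: 0, 1, 2, 3+ anomalies -> the four risk columns
    assurance = ASSURANCE_MATRIX[tier][column]
    decision = "PASS" if ASSURANCE_RANK[assurance] >= ASSURANCE_RANK[policy_minimum] else "CHALLENGE"
    return tier, assurance, decision


NOW = datetime(2014, 6, 2, 9, 0)
# Constructed history: 30 different users authenticated from one IP during the last 30 minutes.
HISTORY = [AuthEvent(NOW - timedelta(minutes=m), f"user{m:02d}", "203.0.113.7", f"dev{m:02d}")
           for m in range(1, 31)]
CORP_LAPTOP = ["cookie", "flash", "ip", "usragent", "display", "timezone", "browserlang"]


def demo(policy="MED-HIGH"):
    """Four constructed attempts under the RSA-recommended Medium-High policy."""
    quiet = AuthEvent(NOW, "alice", "198.51.100.20", "alice-laptop")
    busy = AuthEvent(NOW, "alice", "203.0.113.7", "alice-laptop")
    out = {}
    a = behavioral_anomalies(quiet, HISTORY, {}, NOW)
    out["known laptop, quiet"] = (*assess(CORP_LAPTOP, a, policy), a)
    a = behavioral_anomalies(busy, HISTORY, {"dscpassw": NOW - timedelta(hours=2)}, NOW)
    out["known laptop, busy IP after password reset"] = (*assess(CORP_LAPTOP, a, policy), a)
    a = behavioral_anomalies(quiet, HISTORY, {}, NOW)
    out["home PC, no device token"] = (*assess(["classc", "usragent", "display", "timezone"], a, policy), a)
    out["never-seen device"] = (*assess(["no_device_matched"], a, policy), a)
    return out


if __name__ == "__main__":
    for name, (tier, assurance, decision, anomalies) in demo().items():
        print(f"{name:45} {tier:22} {assurance:9} {decision}  {anomalies}")
```

Two things the run shows that the slides only state: the same recognized corporate laptop passes at HIGH when its behaviour is normal but drops to VERY LOW and is challenged when it appears from an IP that just served dozens of users shortly after a password reset, and a device known only through statistical fingerprint matches never clears any policy on this matrix, so its first login is where the step-up enrollment of slide 16 matters.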