An Introduction to RSA Authentication Manager Express Helmut Wahrmann helmut.wahrmann@rsa.com
Agenda: Authentication Landscape; Solution Details; Business Value; Opportunity; DEMO
Authentication Market by the Numbers
124: Millions of SSL VPN users in 2012 [1]
45: Percent of companies still using passwords for remote access authentication [2]
123456: Most commonly used password [3]
[1] Gartner, Specialized SSL VPN Equipment, 2008
[2] Forrester, Enterprise And SMB Security Survey, North America And Europe, Q3 2008
[3] http://igigi.baywords.com/rockyou-com-passwords-list/
Threats and Demands are Increasing External attacks Careless users writing down passwords Costly audit requirements/ Increasing regulations Requirements for more collaborative tools Ever-changing business requirements
Fraudsters See An Opportunity: Assumption of less sophisticated IT Security. Traditionally, SMB has less adoption of strong authentication. Small and Mid-Sized Organizations are at risk. (Chart axes: IT Budget, Organization Size)
IT Staff Feels the Pressure The Environment End User Productivity Constantly changing threat landscape Security is considered a burden Supporting multiple groups of users and initiatives Users cannot experience downtime Budget and headcount are always a consideration Management Has Demands The push for mobility and collaborative tools means potentially exposing identities and Intellectual Property (IP) outside of the organization
What We've Heard: Secure Access for Mobility and Collaboration
Before Scenario: Lack of confidence about who is remotely accessing information; Users struggle with cumbersome security mechanisms; Diverse end-user base results in varying requirements; Security Solutions are Complex and Expensive; Meeting and proving compliance is complex and time consuming
Required Capabilities: Proven authentication technology; Convenient and user-friendly solution; Choice of authentication methods on a single platform; Easy to deploy and manage solution that integrates seamlessly; Fast to implement solution that can be proven to meet compliance requirements
SOLUTION: Cost-effective strong authentication that is stronger than a password, but easy to use for IT staff and end-users
AMX: Multi-factor authentication with zero footprint Risk-Based Authentication On-Demand Authentication And Easy to Manage Appliance Platform
SMS Included in Solution
Delivers a One-Time Password (OTP) via SMS or email; Based on the RSA SecurID algorithm; Compatible with any mobile phone from any carrier; No software to deploy or tokens to manage
Provides multi-factor authentication: Factor #1: PIN; Factor #2: Mobile device or e-mail account
SMS supported options
Clickatell Plug-In
HTTP Plug-In: HTTP, HTTPS, XML over HTTP; supports proxy (plain and authenticated)
Certified gateways: https://gallery.emc.com/tags?tags=rsa_sms_services&taggabletypes=DOCUMENT, currently (April 2011):
physical solutions w/possibility to connect GSM modem: MultiModem isms, Talariax sendquick Alert Plus, LogixMobile swiftsms
services: KPN SMS Gateway, Syniverse Mobile Enterprise Services
The RSA Risk Engine Proven, sophisticated risk engine Protecting 350 million identities worldwide Most common use Online Banking Uses dozens of characteristics to calculate the assurance level of user authentication Self learning so it adapts to your users over time
Risk Based Authentication The Hidden Intelligence Behind RSA Authentication Manager Express Optimized for the enterprise organization
Risk-Based Authentication: Multi-factor authentication without deploying tokens
Strengthens traditional password authentication by silently applying risk-based analytics
Is the user authenticating from a known device?
Does the user's behavior match known characteristics?
Risky authentication attempts require additional validation: Security Questions, On-Demand Authentication
Factors: (1) 1st Factor: Something you KNOW; (2) 2nd Factor: Something you HAVE; (3) 3rd Factor: Something you DO; (4) Step-Up: Something you KNOW or HAVE
Example End-user Scenario: Before
Access SSL VPN webpage; Enter Username and Password; Access is granted
RISK: User could be fraudulent, using a stolen password
Example End-user Scenario: After
Access SSL VPN page; Redirected to the Secure Logon page; Enter Username and Password
Authentication characteristics are sent to the risk engine for score calculation
Typical behavior from registered machine: Authentication Successful
OR
Unusual behavior from unregistered machine: On-demand Authentication or Security Questions, then Authentication Successful
Summary: Typical behavior, user is authenticated OR Challenge presented, successful completion of challenge results in authentication complete
RSA Authentication Manager Express Details
Scalability: Up to 2,500 users
Integrations: SSL VPNs, Outlook Web Access, Web portals, Citrix thin clients
Platform: Appliance with Linux operating system
Replication: 2nd Appliance provides replication
Authentication Methods: Risk-based Authentication, SMS
AMX Integration: Which Products Does AMX Support?
A third-party product already supports RBA if either of the following is true:
  It is a certified RSA Secured solution for Authentication Manager Express. Examples: Juniper SA, Cisco ASA, Checkpoint NGX, Citrix Access Gateway, Citrix XenApp, etc. See rsasecured.com for an up-to-date list of supported applications.
  It is compatible with the RSA Authentication Agent for Web for SecurID: Web applications built on IIS or Apache web servers. Examples: Outlook Web Access, SharePoint, etc.
A third-party product should be compatible with RBA if all of the following are true:
  It is a certified RSA Secured solution for SecurID.
  Integration uses the native SecurID APIs (RADIUS implementations are NOT supported).
  The user interface is entirely browser-based and does NOT require any installed client components.
Note: AMX supports On-Demand Authentication for any product that already offers ODA for Authentication Manager 7.1 (except RADIUS).
AMX Integration: How do I get RBA support added to a compatible third-party product?
1. Visit rsasecured.com to see if a certified solution already exists
2. Verify that the product is compatible with RBA (see previous slide)
3. Contact Partner Engineering to request support for this product. Qualification will be prioritized based on customer demand, available resources, and willingness of the prospective partner to collaborate
4. Develop a custom RBA integration. Integration template and validation tool available on AMX supplemental DVD and on SecurCare Online. XML-based template does not require advanced programming skills and is intended to be consumable by customers and partners without PS development
Use Cases
SSL VPN (Employee): Remote employees connecting to the network over an SSL VPN
Web Portal (Partner): Partners accessing a Microsoft IIS web portal that provides access to a deal registration site
Citrix (Vendor): Vendors utilizing an order management system presented over Citrix XenApp
RSA Authentication Manager Express Strengthens Critical Infrastructure Accelerates Time to Value Keeps Users Productive Ensures Compliance Goes beyond password-only to deliver true multi-factor authentication Seamlessly deploy to SSL VPN, web portals and Citrix thin clients Minimal changes to IT environment No changes to password policy! Reduces deployment time and costs Integrates with leading vendors Nothing to deploy to users Users keep existing username/password Choice of different authentication methods Silent enrollment Invisible security Gives high level of assurance to every user authentication Verify and report that each user and application is protected to pass an audit
RSA Authentication: Three Platforms (Maximum Flexibility and Optimization)
RSA Authentication Manager Express
  Target Market: Small and mid-size organizations; Fewer than 2,500 users
  Use Case: Protection of SSL VPNs and web applications; Users: Employees, partners, clients
  Value Proposition: Convenient for end-users and IT staff; Lower TCO
RSA Authentication Manager
  Target Market: Enterprise with more than 1,000 users
  Use Case: Protection of any application, portal or network infrastructure; Users: Employees, partners, customers
  Value Proposition: Enterprise class features and scalability, authenticator form factor options
RSA Adaptive Authentication
  Target Market: Enterprise-Consumer Applications; More than 10,000 users
  Use Case: Protection of web applications; Users: typically customers or clients
  Value Proposition: Scalable, convenient, cost-effective; Available on-prem or hosted
Target market is adjacent to existing AM and Adaptive Authentication markets
Customer Profile: Mid-Market: < 2,500 users (employees/partners); Large Enterprise: 2500+ users (employees/partners); Consumer: 100,000+ users (B2C portals)
Use Case: Web-based applications (RBA/ODA only): AMX; RSA Adaptive Authentication* (Hosted or On-Premise)
Use Case: Web-based applications (SecurID HW/SW tokens): RSA Authentication Manager
Use Case: Non-web based (SecurID HW/SW tokens): RSA Authentication Manager
* In a future release, Authentication Manager w/RBA will be positioned as the On-Premise solution for all Enterprise use cases
Differentiating AMX from RSA Authentication Manager
Compared: RSA Authentication Manager Express 1.0 (AMX 1.0) and RSA Authentication Manager 7.1 (AM 7.1)
SIZING / PRODUCT
License size. AMX 1.0: Up to 2,500 registered users. AM 7.1: No limit to number of registered users on software; 50k on RSA SecurID Appliance
Market. AMX 1.0: Targeted at mid-sized organizations with between 50 and 1,500 users. AM 7.1: Targeted at mid-to-large sized enterprise and consumer opportunities
Target customers. AMX 1.0: Healthcare, retail, technology. AM 7.1: Financial, healthcare, retail, technology, telecom
Platform. AMX 1.0: RSA Authentication Appliance (1U hardware appliance). AM 7.1: Software: Windows, Linux, Solaris, VMware; RSA Authentication Appliance: 130 or 250
Replicas. AMX 1.0: 1 replica supported. AM 7.1: Up to 15 on software; up to 5 on RSA SecurID Appliance
RADIUS. AMX 1.0: Not available in AMX 1.0. AM 7.1: Full RADIUS client included
Native LDAP. AMX 1.0: Microsoft AD 2003/2008. AM 7.1: Microsoft AD 2003/2008; Sun Java Directory Server
FEATURES
Authentication methods. AMX 1.0: Risk based; On-demand (SMS or email). AM 7.1: Hardware tokens; Software tokens; On-demand (SMS or email)
Applications. AMX 1.0: SSL VPNs; Web-based applications; Web-based thin-clients (Citrix). AM 7.1: VPNs (SSL and IPSec); Web-based applications; Citrix; MS Windows Logon; Wireless; More
Licensing, Configuration and Pricing
Platform: Version 1.0 is offered on a Hardware Appliance only (same h/w as the SecurID Appliance 130)
Licensing: Single SKU perpetual licensing per user includes software and all authentication features
Pricing: Volume based pricing tiers (similar to RSA Authentication Manager); Appliance bundles are available
Maintenance: Annual software maintenance is 21% of license fee; 3-year AHR is included with the h/w appliance; Years 4 and 5 optional and additional
Configuration: Supports up to 1 replica; Can be deployed in multiple ways for different user bases: RBA + ODA or Security Questions step-up; On-demand Authentication only
AMX List Price
Product             Description                                   List Price
AMX0000025          AMX per User qty btw 10-25                    $92.00
AMX0000100          AMX per User qty btw 30-100                   $85.00
AMX0000150          AMX per User qty btw 105-150                  $78.00
AMX0000250          AMX per User qty btw 155-250                  $73.00
AMX0000500          AMX per User qty btw 255-500                  $64.00
AMX0000750          AMX per User qty btw 505-750                  $58.00
AMX0001500          AMX per User qty btw 755-1500                 $51.00
AMX0002500          AMX per User qty btw 1505-2500                $44.00
AMX-0010500         AMX Appl130 H/W (incl. Adv H/W Repl Yrs1-3)   $3 594,00
PARTNERS, Not for resale!
AMXAPP-NFR-KIT-130  AMX Demo Kit for 25 users                     $2 000,00
What Makes Us Better Key Unique Differentiators Self-Learning Risk Engine Dozens of risk indicators Proven: 250 million users protected with RSA risk-engine Tell me about how your current authentication solution adapts based on the authentication attempt? Risk-based authentication and ODA (SMS) on a plug-and-play appliance platform Unique combination of a risk-engine with On-demand and Security Questions simplified for mid-market organizations Fastest path to two-factor authentication Convenient to install, manage and deploy to users Seamless migration from passwords to strong authentication Describe to me how your current IT staff could manage an alternative technology?
Non-Unique Comparative Differentiators Out-of-the-box integration with 3rd party devices Juniper, Citrix, Cisco and CheckPoint SSL VPNs Reduces deployment costs and resources Tell me about what would happen if a security solution did not integrate into your existing environment or a system in the future? Low acquisition and operating costs (TCO) Single-SKU perpetual license is reasonably priced when compared to competitive offerings Tell me about how you would make the decision between a less secure solution and AMX at comparable price points?
Non-Unique Comparative Differentiators: Works anytime, anywhere. Strong authentication from any device, anywhere, anytime with nothing to carry, manage, or install. Accessibility drives productivity, user compliance and collaboration. What would happen if senior executives could not access corporate resources because the authentication solution didn't work?
Our Weaknesses Acquisition cost is higher than single-point solutions Express is more expensive than SMS-only competitors (Ex. SMS Passcode, SecurEnvoy, Etc.) Customers looking for the cheapest option may choose point-solution vendor Tell me about why you want to sacrifice security, reliability and convenience just to save a little money?
Key Point #1: Drive Incremental Authentication Revenue w/AMX
Target Market Customer profile: Mid-market company (< 2,500 employees) currently using passwords for authentication Has not adopted strong authentication because existing market options were too expensive or inconvenient for the use case Strong authentication use cases: Employees accessing an SSL VPN and/or OWA without the use of tokens Partners and customers accessing collaborative portals Employee access to Citrix XenApp virtual desktops Customer requirements Lower TCO than hardware and software One Time Password Authenticators Footprint-less solution for employees, partners or customers Protection of web-based solutions only
Customer Challenges: Related Before Scenarios that Compel Action
Purchase or deployment of an SSL VPN in need of authentication
Development of a new business plan to launch an online portal for partners, customers or employees
Emergence of new or renewed government/industry regulations
Awareness of emerging threats
Incidents of breach, loss, or fraud
Appearance of a new security officer/executive
Demo Environment
Setup user for OnDemand Authentication
Scenario 1: Pure OnDemand Authentication (no RBA)
On-Demand Flow: How it works in AM 7.1 SP3+ and AMX 1.0
(Diagram labels: SMS, Secure HTTPS, Internet, Primary Instance, SMS Gateway Provider, SMS Telecom Network)
1. User types in their Username and PIN. Note: many agents will still say passcode. Users need to be educated on this if using On-Demand authenticators
2. The username and PIN are sent to Authentication Manager
3. The server sends a Next token code API call to the agent and the user is presented with the Next Token Code dialog. Users need to be educated on this functionality
4. Authentication Manager generates a next token code and sends this via SMS (or email) to the end user
5. User enters the SMS (or email) OTP as Next Tokencode and logs in
On Demand Authentication Step 1: Enter username and PIN. Note: User needs to enter his PIN in the Password field; the actual password is never used. This is the behavior seen in Authentication Manager 7.1 SP3 and above.
On Demand Authentication Step 2: AMX asks for Next Tokencode
On Demand Authentication Step 3: OnDemand Tokencode is sent User gets OnDemand Tokencode via SMS or email Then he enters the received tokencode as Next Tokencode and logs in.
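The server side of the five-step On-Demand flow above, as an added example (not code from the slides or from RSA). The class, the result strings, the five-minute validity window and the random 8-digit code are assumptions; the code generation is not the SecurID algorithm.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300  # assumed validity window; the slides do not state one


class OnDemandServer:
    """Hypothetical stand-in for the server in steps 2-5 of the On-Demand flow."""

    def __init__(self, pins, send_out_of_band):
        # Toy storage: a real server would use a slow, salted password hash.
        self._pins = {u: self._hash(u, p) for u, p in pins.items()}
        self._send = send_out_of_band   # stands in for the SMS/email gateway
        self._pending = {}              # username -> (otp_hash, expiry)

    @staticmethod
    def _hash(user, secret):
        return hashlib.sha256(f"{user}:{secret}".encode()).digest()

    def submit_pin(self, user, pin, now=None):
        """Steps 2-4: check the PIN, issue an OTP, ask for 'Next Tokencode'."""
        now = time.time() if now is None else now
        stored = self._pins.get(user, self._hash(user, ""))
        pin_ok = hmac.compare_digest(stored, self._hash(user, pin))
        if not (pin_ok and user in self._pins):
            return "ACCESS_DENIED"      # no OTP is sent for a wrong PIN
        otp = f"{secrets.randbelow(10**8):08d}"
        self._pending[user] = (self._hash(user, otp), now + OTP_TTL_SECONDS)
        self._send(user, otp)
        return "NEXT_TOKENCODE_REQUIRED"

    def submit_next_tokencode(self, user, code, now=None):
        """Step 5: accept the delivered OTP once, and only inside its window."""
        now = time.time() if now is None else now
        # pop() makes the code single-use; one wrong guess also burns it.
        otp_hash, expiry = self._pending.pop(user, (None, 0))
        if otp_hash is None or now > expiry:
            return "ACCESS_DENIED"
        ok = hmac.compare_digest(otp_hash, self._hash(user, code))
        return "ACCESS_GRANTED" if ok else "ACCESS_DENIED"
```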
Scenario 2: Risk Based Authentication with ODA as step-up authentication method
Risk Based Authentication Step 1: Login. When using RBA, login page is redirected to AMX, but... the username and password are still in use!
Risk Based Authentication Step 2: User is not trusted step-up authentication
Risk Based Authentication Step 3: Remembering device (optional). Identity was confirmed by step-up authentication (here: ODA). User's device can be stored as known device, so the next time user logs in from the same device, the assurance level will be higher. This question is optional: policy can be set to remember all recent devices, transparent to user.
Risk Based Authentication: Step-Up Authentication in the logs. During the 1st login user's device was unknown. This resulted in Assurance Level VERY LOW, which triggered the policy to do additional authentication. User authenticated successfully using OnDemand, so his identity was confirmed.
Risk Based Authentication: 2nd time login - Known User Behaviour and Device Statistics. User logs in from the same computer, using username and password again. This time his computer and behaviour match the information stored by Risk Engine. AMX accepts user's login without requiring additional confirmation. RBA is fully transparent to the user.
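The two logins of Scenario 2 as an added example, not RSA's risk engine: the four-level scale, the two signals (device and login hour), the threshold and every name are assumptions. It shows the property that matters for this design: a device is remembered only after the identity was confirmed.

```python
from dataclasses import dataclass, field

# Constructed scale; the slides name only "VERY LOW".
LEVELS = ["VERY_LOW", "LOW", "MEDIUM", "HIGH"]


@dataclass
class RiskPolicy:
    minimum: str = "MEDIUM"          # assumed threshold below which step-up is required
    remember_devices: bool = True    # the "remember all recent devices" policy option
    known_devices: dict = field(default_factory=dict)   # user -> set of device ids
    usual_hours: dict = field(default_factory=dict)     # user -> set of login hours
    log: list = field(default_factory=list)

    def assurance(self, user, device_id, hour):
        """Two signals stand in for the engine's 'dozens of characteristics'."""
        score = 2 if device_id in self.known_devices.get(user, set()) else 0
        score += 1 if hour in self.usual_hours.get(user, set()) else 0
        return LEVELS[score]

    def login(self, user, password_ok, device_id, hour, step_up):
        """step_up: callable(user) -> True when ODA or security questions succeed."""
        if not password_ok:          # username and password are still checked first
            self.log.append(f"{user} password FAIL")
            return False
        level = self.assurance(user, device_id, hour)
        self.log.append(f"{user} assurance={level}")
        if LEVELS.index(level) < LEVELS.index(self.minimum):
            if not step_up(user):
                # A stolen password alone must never enroll the attacker's device.
                self.log.append(f"{user} step-up FAIL")
                return False
            self.log.append(f"{user} step-up OK")
        # Learn only from logins whose identity was confirmed.
        self.usual_hours.setdefault(user, set()).add(hour)
        if self.remember_devices:
            self.known_devices.setdefault(user, set()).add(device_id)
        return True
```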