
WHITE PAPER

Best Practices Guide to Strong Identity Access Control
Prevent and Contain Breaches - Without Impacting Users

SECUREAUTH CORPORATION +1 949-769 2559 www.secureauth.com 2


TABLE OF CONTENTS

Executive Summary 3

The Evolving Face of Cybersecurity 4

Recommendation 1: Risk Mitigation and Heightened Security 5

Recommendation 2: Cost Reduction and Faster Time to Value 8

Recommendation 3: Consolidation and Centralization 10

Recommendation 4: User Acceptance and Adoption 12

The SecureAuth Way: Strong Security. Cost Savings. Seamless Access 14


Across every industry, cyber criminals are attacking businesses large and small. As technologies evolve, so do the possibilities for finding new ways to infiltrate organizational defenses and steal data. These breaches are more than a brand embarrassment; they can drive customers into withdrawing their business and launching civil lawsuits, result in regulatory fines and leave staff with a massive cleanup effort for months to come.

One of the most common and effective criminal methods targets stolen credentials. From cracking passwords to malware that captures keystrokes from an infected device, obtaining credentials is in every criminal toolbox, from lone wolf hackers to government-funded overseas groups. It’s no mystery why. One set of valid credentials can open the door to personal data like Social Security numbers, birthdates, and payment card numbers, help infiltrate other accounts or give malicious actors free rein to explore a company database with an insider’s privilege.

Given the valuable payoff possible, it’s no surprise that Verizon’s The 2016 Data Breach Investigations Report [1] says that 63 percent of confirmed data breaches involved leveraging weak, default or stolen passwords: “Static credentials continue to be targeted by several of the top hacking action varieties and malware functionalities.”

How prevalent are these threats? Consider a finding that 94 percent of Tor requests [2] are malicious requests designed to harm customers. Project Honey Pot [3] found that 18 percent of global email spam – approximately 6.5 trillion unwanted messages a year – start with a bot from the Tor network.

These strikes are not just effective, but swift too. According to the Verizon report, attackers were able to compromise systems in minutes or less 93 percent of the time. The infiltrated organizations, on the other hand, typically took weeks or more to discover the breach, and usually they were tipped off by customers or law enforcement, rather than their own security teams.

[1] http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/
[2] https://blog.cloudflare.com/the-trouble-with-tor/
[3] http://www.projecthoneypot.org/


The Evolving Face of Cybersecurity 

While every IT team is aware of potential breaches, what’s less understood are the most effective defenses. It’s clear that the standard username and password combination is not offering sufficient protection. Yet teams trying to address these challenges often do so in check-the-box fashion. That just isn’t effective against criminal attacks that are creative, sophisticated and skilled. For instance, a company will typically require its employees to create passwords featuring special characters, upper- and lower-case letters, numbers and minimum lengths to stop attackers. Yet password complexity is irrelevant for criminals using keystroke capturing or social phishing.

One solution businesses turn to again and again is two-factor authentication. Yet this hasn’t provided the right security solution either. Many users resent having to take a burdensome extra step and will try to create a workaround. Hard tokens can present an IT burden, from distribution to replacing lost tokens. Users can still fall prey to social engineering, forget their passwords or create security question answers that can be easily found through social media accounts and public records. The U.S. National Institute of Standards and Technology (NIST) [1] is recommending phasing out SMS/Text one-time passcodes because of security vulnerabilities as well.

These vulnerabilities can surprise teams who believe that meeting compliance regulations equals security. But compliance is only a baseline, rather than a complete blueprint for an adequate security program. Teams must move beyond check-the-box data protection and implement a fresh security approach that’s as innovative and modern as the threats they’re facing.

That approach is exactly what we practice at SecureAuth. As an innovator in this space, we offer advancement in identity access control that is unique in the market. By layering two-factor and adaptive authentication, SecureAuth eliminates cumbersome extra steps to provide smooth and convenient access for users and a multi-layered defense for the organization. Just one set of credentials opens the door to all applications and all on-premise, mobile, cloud, and VPN resources via a secure and burden-less user experience.

There’s a reason companies have hired us to strengthen security in the aftermath of some of the biggest breaches in history. We know how to implement strong defenses that stop and contain attacks while protecting IT budgets and delivering a first-class user experience. Here are our recommendations for security best practices, as well as tips on how we build the most advanced security programs on the market.

[1] https://pages.nist.gov/800-63-3/sp800-63b.html


RECOMMENDATION 1:

Risk Mitigation and Heightened Security 

Even as you read this, your risk is growing. From managing inside risk to stopping attackers across the ocean, your team must control access to your applications and data from a rising number of threats. It only takes one staff member to fall for a phishing scam or open a malware-infected attachment to allow malicious actors into your network. Then there’s the reality of managing your partners/suppliers and customers, most of whom likely involve different access requirements – and different levels of trust.

Balancing smooth access with strong security has always required expertise. But the explosion of trends like Shadow IT, BYOD and cloud computing has made the task even more complex. IT teams need to protect a growing matrix of access points and vulnerabilities. Yet instead of adapting to this complexity through innovation, many companies simply hire more people to manage their risk, driving up costs without any real guarantee of protection.

What’s needed: security controls that offer the same complexity and sophistication as the attacks they stop while minimizing the disruption to daily routines of authenticating users.


Best Practices

Implement at least 3 pre-authentication or adaptive authentication techniques.

Two-factor authentication can play a valued role on the perimeter, but it must be partnered with additional layers of adaptive authentication security. Adaptive authentication checks the risk of a user’s IP address, device, geo-location and other factors, to verify users and only burdens them with an additional authentication step if risks are present. This validates established users while blocking attackers with compromised, yet legitimate, credentials.

Develop, analyze and score risk profiles for user groups. Risk is contextual. Not all user groups are created equal; an IT administrator needs deeper access, additional privileges and greater scrutiny than the sales team. By creating different authentication processes for different user types, your security program can analyze diverse threats and workflows and apply appropriate levels of security to step up or step down protective measures as necessary. You’ll ensure adequate protection for your highest vulnerabilities while avoiding squandering resources on areas with negligible risk.

Automate actions based on risk. By understanding those specific risk levels, your system can take automated actions such as allowing access with username and password, denying access outright, sending the requestor to a safe zone/honeypot, or asking for additional authentication steps, like multi-factor authentication. Your system can also send notifications to users or administrators. Valid users can resolve minor issues with self-service tools that reduce Help Desk costs and enhance employee productivity.

Use multi-factor authentication controls that are difficult to socially engineer. The human element never disappears from the challenge of cybersecurity. If an employee or customer does fall for a social engineering scam, your security program should use controls that block the possibility of success. Instead of implementing security questions that someone could guess from reading a Facebook or LinkedIn page, utilize multiple layers of controls that will thwart a criminal who obtained a valid password by impersonating an IT administrator or authority figure.

Examine failed, denied, and other authentication events in concert with additional Security Operations Center (SOC) data.

Successful security is built on the analysis of successful and attempted attacks. Take a good look at failed authentications, instances when authentication demanded additional actions and other security-related events. By closely inspecting your aggregated access data, you’ll have a better idea of where your risk is and the controls you need to implement. SIEM integration is key to building an accurate holistic view.
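The practices above, combined in one place: several pre-authentication signals, stricter thresholds for a privileged group than for sales, an automated action per score (allow, step-up MFA, deny, or divert to a honeypot), and a JSON event per decision for the SIEM. This is an added illustration, not SecureAuth product code; the signal weights, group thresholds, IP list, locations and coordinates are constructed placeholders.

```python
"""Adaptive authentication risk engine: an added illustration, not SecureAuth code.
Three pre-authentication signals (IP reputation, device recognition, geo-velocity),
per-group thresholds, automated actions and a JSON event for the SIEM.
All weights, thresholds, IPs and coordinates are constructed placeholders."""
import json
import math
from dataclasses import dataclass

BAD_IPS = {"203.0.113.7"}  # constructed threat-intel list of bad-reputation sources

# Per-group thresholds: score >= step_up asks for MFA, score >= deny blocks outright.
GROUP_POLICY = {"it-admin": {"step_up": 20, "deny": 50},
                "sales": {"step_up": 40, "deny": 80}}

# Approximate (lat, lon) per location label, used for geo-velocity; constructed.
GEO = {"US-Boston": (42.36, -71.06), "US-Denver": (39.74, -104.99),
       "RO-Bucharest": (44.43, 26.10)}

@dataclass
class UserProfile:
    group: str
    known_devices: set
    last_location: str
    last_login_ts: float  # epoch seconds of the previous successful login

@dataclass
class LoginAttempt:
    user: str
    ip: str
    device_id: str
    location: str
    ts: float

def haversine_km(a, b):
    """Great-circle distance in kilometres between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371 * math.asin(math.sqrt(h))

def score_attempt(attempt, profile):
    """Return (risk_score, reasons); a higher score means a riskier login."""
    hours = max((attempt.ts - profile.last_login_ts) / 3600, 1e-6)
    kmh = haversine_km(GEO[profile.last_location], GEO[attempt.location]) / hours
    same_country = attempt.location.split("-")[0] == profile.last_location.split("-")[0]
    signals = [  # (reason, weight, fired?)
        ("ip_reputation", 60, attempt.ip in BAD_IPS),
        ("unknown_device", 25, attempt.device_id not in profile.known_devices),
        ("geo_velocity", 40, kmh > 900),  # faster than an airliner: impossible travel
        ("new_country", 15, kmh <= 900 and not same_country),
    ]
    return sum(w for _, w, hit in signals if hit), [r for r, _, hit in signals if hit]

def decide(attempt, profile):
    """Map the score to one of the automated actions the guide lists."""
    score, reasons = score_attempt(attempt, profile)
    policy = GROUP_POLICY[profile.group]
    if "ip_reputation" in reasons:
        action = "HONEYPOT"  # divert a known-bad source to a safe zone
    elif score >= policy["deny"]:
        action = "DENY"
    elif score >= policy["step_up"]:
        action = "STEP_UP_MFA"
    else:
        action = "ALLOW"
    return action, score, reasons

def siem_event(attempt, profile):
    """One JSON line per decision so step-ups and denials reach the SOC dashboard."""
    action, score, reasons = decide(attempt, profile)
    return json.dumps({"user": attempt.user, "group": profile.group, "ip": attempt.ip,
                       "action": action, "risk_score": score, "reasons": reasons},
                      sort_keys=True)

if __name__ == "__main__":
    admin = UserProfile("it-admin", {"laptop-01"}, "US-Boston", 1_700_000_000.0)
    # Known device, same country, two days later: no challenge needed.
    routine = LoginAttempt("alice", "198.51.100.4", "laptop-01", "US-Denver", 1_700_172_800.0)
    # Unknown device on another continent one hour after the last login.
    suspect = LoginAttempt("alice", "198.51.100.9", "tablet-77", "RO-Bucharest", 1_700_003_600.0)
    for attempt in (routine, suspect):
        print(siem_event(attempt, admin))
```

The same suspect login is denied for the it-admin group but only stepped up to MFA for sales, which is the per-group scoring the second practice describes.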

Statistics Don’t Lie: The Facts on Risk

Each breach costs the average U.S. enterprise $15,400,000 [1]
66% of executives are not confident they’re protected [2]
80% of breaches come from outside the organization [3]
94% of TOR network requests are per se malicious [4]
63% of confirmed data breaches involved leveraging weak/default/stolen passwords [5]
97% of breaches featuring stolen credentials leverage legitimate partner access [6]
92.9% of 2015 breaches happened in less than an hour [7]
Attackers have a median of 146 days before they’re discovered [8]

[1] Statistic from Forbes: http://www.forbes.com/sites/moneybuilder/2015/10/17/an-average-cyber-crime-costs-a-u-s-company-15-4-million/#543188a11a22
[2] A 2015 Survey – Cybersecurity in the Boardroom. https://www.veracode.com/sites/default/files/Resources/Whitepapers/cybersecurity-in-the-boardroom-whitepaper.pdf?mkt_tok=3RkMMJWWfF9wsRogs6TBZKXonjHpfsX87uslWaG1lMI/0ER3fOvrPUfGjI4ATMJiPa+TFAwTG5toziV8R7fMLM160cIQWRjj
[3] Verizon Data Breach Report 2016. http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/
[4] The Trouble with Tor. https://blog.cloudflare.com/the-trouble-with-tor
[5] Verizon Data Breach Report 2016. http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/
[6] Verizon Data Breach Report. http://www.retailtouchpoints.com/features/industry-insights/verizon-data-breach-study-5-steps-to-mitigate-risk
[7] Verizon Data Breach Report 2016. http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/
[8] Mandiant M-Trends 2015: A View From The Frontlines. https://www2.fireeye.com/WEB-2015-MNDT-RPT-M-Trends-2015_LP.html


THE SECUREAUTH WAY: Advanced Risk Management

SecureAuth offers risk-based analysis for unrivaled protection that goes beyond compliance standards. By providing 25+ multi-factor authentication methods with adaptive authentication, we offer more layers of risk analysis than any other access control vendor coupled with more choice and flexibility for multi-factor authentication.

Global threat intelligence, via a network of 11 million advanced threat sensors, is combined with contextual factors such as IP address reputation, geo-location or geo-velocity to match security controls to risk. Device recognition further distinguishes between devices that match a stored footprint and are assigned to a specific user and devices that don’t. Behavioral biometrics offers continuous authentication to identify malicious actors by comparing known user keystroke timings and mouse movements to stored templates.

Teams enjoy extensive visibility into login activity (including failures), application and realm usage, password strength, and compliance thanks to a record documenting access and usage by every user across every connected system. When correlated with other SIEM data, the result: reduced time to detect malicious actors or compromised credentials and start breach remediation.

SecureAuth’s flexible identity access control options are especially useful for mitigating risk and security gaps with partners and customers in addition to employees. Customizable workflows for various users and groups can be harnessed to adaptive security controls, with convenient multifactor authentication based on identified risks. Because SecureAuth adapts to what organizations are already utilizing, third parties and customers can be on-boarded quickly and confidently with minimal learning curve. As a result, organizations experience consistent identity and access protection without a negative impact or even awareness of higher security steps among their user communities (employees, partners, and customers).


RECOMMENDATION 2:

Cost Reduction and Faster Time to Value 

In our mobile world, businesses face an increasing loss of control over their data, devices and applications. The fear of a breach can be so intense that many IT leaders will evaluate solutions in terms of technical effectiveness, rather than cost savings and business efficiency. Yet for many, the decision to direct more budget toward security has not reduced their challenges, only reduced their ability to invest in new innovations.

Consider the unpredictability of anticipating implementation costs. Many teams struggle to accurately understand the resources required, or how to control budget spending. According to Gartner [1], “Integration typically consumes 35 percent of the cost and effort of an application solution.” Businesses that spend a significant portion of their security budget on integration or developer labor may not have the additional budget required to protect their resources in a sustainable, flexible security program.

With millions of dollars on the line in many cases, teams need a solution that delivers adequate security while integrating with existing solutions. Businesses must prioritize cost-effective technologies that offer rapid time to value.

[1] ftp://public.dhe.ibm.com/software/websphere/pdf/GartnerROIReport.pdf


Best Practices

Phase out hard tokens. Hard tokens involve replacement costs and an administrative burden in managing and deploying them. A smarter choice is evolving to more modern authentication techniques that identify users through elements such as device recognition, behavioral biometrics, and multi-factor authentication methods that utilize mechanisms users already use daily (smartphone, email, land-line phones). Not only does this eliminate the burden of an extra step for users, they can access their data wherever they are without carrying a hard token around.

Utilize self-service tools whenever possible. Every day Help Desk staff and employees lose hours of productivity tackling password resets, locked user accounts, enrollment, and provisioning requests. Self-service tools are more secure and can get users back to work instead of spending long periods of time on calls and checking the status of their latest ticket. The IT team can address higher-value tasks and save budget for important projects instead of on support overhead.

Consider the Total Cost of Ownership. When it comes to pricing security solutions, the Total Cost of Ownership is the metric that matters in assessing value. A new platform that takes months to deploy out of the box must be evaluated in terms of the productivity lost. If it fails to integrate with custom built applications, if developers must spend weeks on coding new workflows and building integrations, those costs must be factored in as well. By prioritizing solutions that minimize labor and maintenance costs, teams can save millions of dollars.

THE SECUREAUTH WAY: Savings and Speed

SecureAuth offers a number of features that save budget while accelerating time to value. Self-Service tools can reset passwords, unlock accounts, handle auto-enrollment/provisioning and speed overall resolution, while reducing support costs. Thanks to standards-based development, SecureAuth can integrate into custom-built applications and nearly every device, VPN, identity store, application and more, saving thousands of hours in labor. A GUI-based configuration wizard accelerates deployment by allowing teams to point and click their way through deployment. SecureAuth solutions deploy in days, rather than months or years, to deliver immediate impact.

We invite you to compare our pricing and deployment times with those of alternative solutions.

30+% of Helpdesk calls are for password resets and account unlocking.

Average helpdesk wage and productivity loss for the user = $35 per call.

If users call the helpdesk once a month in just a 5000 user company, the cost for password reset and account unlocking calls = $630,000 per year.


RECOMMENDATION 3:

Consolidation and Centralization 

A typical organization today deals with an array of VPN, cloud, on-premise, mobile, and homegrown resources. This kind of complexity requires an advanced, consolidated access control approach that centralizes security while offering the agility to address future needs. Yet many organizations selectively deploy security and access controls in some areas or departments while leaving other parts of the enterprise open.

Often this is because the team lacks centralized management. Instead they deal with multiple authentication systems, various solution limitations, and conflicting policies that were created anew for each application, group of applications, and/or groups of users. Users often have multiple logins across different silos. The overall result is a tangle of technologies and rules that alienate and confuse users. Specialized administrators with expertise in specific platforms must be hired to tackle multiple integrations and manage disparate systems.

All of this adds up to rising administrative costs. Users encounter rigid authentication workflows, inconsistent policies and burdensome requirements. The disorganization burns up staff hours and resources while obstructing the team’s ability to detect anomalies and respond to threats across the organization.


Best Practices

Drop the idea of the quick fix for an enterprise solution. When a problem arises, many teams turn to quick fix solutions that later become more complicated and demanding than anticipated. With point solutions everywhere, the team finds itself supporting and maintaining an ever-growing number of technologies, which then breeds multiple multi-factor authentication controls and policies simply to let users perform their jobs. Users also suffer from even more passwords, policies, and disruptions.

Prioritize the most flexible solution with the most future potential. Many teams believe that only cloud solutions can protect cloud resources, but this isn’t true. On-premise tools can manage cloud identities, while cloud solutions can manage on-premise identities. What matters is selecting a solution that provides the greatest flexibility now and in the foreseeable future.

Choose integration-friendly solutions that maximize existing security investments. When a new security solution requires abandoning existing tools, that’s a sign to look elsewhere and find a solution that lets your team utilize what you already have. All too often teams find themselves asked to deploy a new datastore or directory when they already have what they need. Or they have a mixed bag of client devices to support - iOS, Android, Windows, Blackberry, Mac, Java - but the new vendor only supports a few of them. Finding a solution that can work with existing tools saves time and money.

Look for a vendor who can be a partner in both security and compliance. Auditing and reporting might not seem like the most urgent aspect of security when you are worrying about a breach. But they are key to fulfilling compliance regulations, which means you want to choose a vendor that can share useful information with your existing SIEM or UBA, such as adding failed authentications to your SOC dashboard. Only then will you achieve an accurate holistic view of all security threats, and save considerable effort in compliance audits with a centralized repository of data.

THE SECUREAUTH WAY: Centralized Security

SecureAuth works with your existing security ecosystem and technologies to reveal meaningful trends, patterns and anomalies for more accurate interpretation. With more support for devices, identity types, VPNs, identity stores, MFA methods, and applications, SecureAuth requires minimal coding and supports more integrations than any other identity security vendor, so that it easily fits in with other investments.

Centralized contemporary and advanced access control options leverage adaptive authentication, customizable workflows and progressive multifactor authentication that can utilize the same day-to-day mechanisms already in use. Standards-based technology creates a single over-arching layer for managing identities with reduced administration, while employees, contractors, partners, and customers enjoy familiar and consistent access.

13% of people tested click on a phishing attachment. [1]

[1] Verizon Data Breach Report. http://www.retailtouchpoints.com/features/industry-insights/verizon-data-breach-study-5-steps-to-mitigate-risk


RECOMMENDATION 4:

User Acceptance and Adoption 

Technology is as good as the people behind it, but that doesn’t mean only the IT experts who design and implement systems. The habits and preferences of users like employees, partners, and customers must be factored into the security program too.

People often choose processes that are easy and convenient, as opposed to what adheres to security policy. There’s also the matter of simple fallibility. Users forget their passwords, write them on visible sticky notes or use the same credentials across multiple applications.

They can also grow resentful when forced to comply with old-fashioned security practices. Few users like creating complex passwords every few months for multiple applications, then recreating them when a breach is reported, worrying about losing a hardware token and waiting on hold with Help Desk calls. Instead, many develop workarounds and poor security practices that put data at risk.

Only a multi-layered security approach with consideration for user experience can offer true protection.


Best Practices

Provide the Best Possible User Experience. Today’s security innovations allow users to enjoy a smooth authentication experience while unknowingly complying with more controls. By only requiring action when risk factors are high, organizations balance security needs with user preferences.

Build in safeguards against human fallibility. Users are susceptible to phishing attacks. They create guessable passwords, lose laptops, FOBs, phones and share credentials even when instructed not to. By adopting controls such as device recognition, geo-location, IP address interrogation, behavioral biometrics, and more (Adaptive Authentication), organizations can protect themselves from the inevitable ‘human element’.

Use other identity signifiers instead of passwords. Device recognition, unique keystroke identifiers, geo-location and valid IP addresses are harder for criminals to obtain, duplicate or steal. Instead of relying only on passwords and multi-factor authentication, IT teams should implement controls that cannot be compromised as easily – so that even if credentials are compromised, the risk is still severely reduced.

Empower users with self-service tools. Features like self-service password reset and account unlocking aren’t just about reducing overhead – they empower users with the ability to get back to work and access data without having to call the Help Desk or initiate an online support ticket. This is especially critical in instances such as healthcare IT, where physicians may need to access test results or medications in a life or death situation.

THE SECUREAUTH WAY: Seamless Security

SecureAuth ensures users enjoy the best customer experience possible even as the organization experiences uncompromising security. Once a user has successfully authenticated their identity through elements such as device recognition, threat services, IP interrogation, geographic location, behavioral biometrics, and more, they can easily access data wherever they are without the burden of an extra authentication step. Instead of carrying hard tokens and extra tools, they can use the smartphone and email they’re already using if an additional multi-factor authentication step is even warranted.

Self-service tools help users sidestep lengthy Help Desk calls and address their own administrative tasks like enrollment and updating personal information. By accessing their own data on the go, instead of being tied to hard tokens and other two-factor requirements, users enjoy greater freedom, enhanced productivity and more independence, while organizations gain the assurance of multi-layered identity security checks for greater protection.

“We’ve reduced the number of passwords, made it easier for our users to log into applications and our network, and improved security.”

— Chris Joerg, Director, Global Information Security - Unisys


THE SECUREAUTH WAY:

Strong Security. Cost Savings. Seamless Access.

SecureAuth Delivers Identity Access Control that Protects Your Budget and Your Organization.

Operating at the intersection of cybersecurity and information security, SecureAuth delivers strength and simplicity for advanced identity access control. By partnering adaptive and two-factor authentication alongside Single Sign-On and self-service tools, SecureAuth helps IT teams achieve powerful security and convenient access, while saving huge in implementation costs.

Ready to find out how SecureAuth can protect your organization? Watch this quick video to better understand how SecureAuth can help your organization.

https://www.secureauth.com/determine-identities-with-confidence