
Page 1: #MFSummit2016 Secure: Mind the gap strengthening the information security model

Mind the Gap

Reinier van der Drift | 24th February, 2016

adding strong authentication to the enterprise

Page 2

Agenda

• Users & passwords

• Authentication landscape

• Challenges for today’s enterprise

• Solving the authentication puzzle

• Let’s meet Sam

• Discussions and questions

Page 3

Users & passwords

Page 4

Some questions about authentication

• What is authentication? – Identity verification

• What is the authentication method most used? – Passwords

• What is the main cause of cybercrime? – Password abuse

Jeremy Grant, Senior Executive Advisor, Identity Management, NIST (National Institute of Standards and Technology, US)

Page 5

The user problem

• Human memory is not equipped to memorize more than 8 characters

• Too many passwords (and password changes)

• Compliance is a burden for the user (password reset every 1-3 months)

• Internal users tend to trust each other and share passwords easily

• The user wants it easy, gets it difficult

Page 6

Authentication landscape

Disruption & consolidation

Page 7

The Nexus of Forces

The Nexus of Forces is the convergence and mutual reinforcement of social, mobility, cloud and information patterns that drive new business scenarios.

• Rapidly changing enterprise IT environment through virtualization of server and workstation platforms

• Moving IT to the cloud and offering disruptive PaaS, IaaS and SaaS services

• Revolutionary penetration of mobile devices such as smartphones and tablets (BYOD)

• Immense popularity of social media such as Facebook, Twitter, Google, LinkedIn, ...

User authentication is a vital component of this emerging Nexus of Forces economy.

Page 8

Growing and Converging Markets in the Nexus of Forces

Identity & Access Management market grows from $9.6B to $18.3B by 2019 with a CAGR of 14.6% (includes eSSO/wSSO, provisioning etc.)

The total IT security market: $155B in 2019

Governance, Risk & Compliance market: $30B total market; software $2-$6B; CAGR of 9.4% to 2018

Global Multi-factor Authentication market: $10.8B by 2020 with a CAGR of 19.7%

Segments shown in the diagram:

1. MF Authentication
2. Security Incident & Event Management: $4.54B in 2019 at a CAGR of 12.0%
3. Governance, Risk & Compliance
4. Identity & Access Management

Page 9

Major MFA trends

• Broader acceptance of MFA (multi-factor authentication):
  – User passwords replaced/enhanced by OTP/SMS authentication

• FIDO initiative has broad industry support

• Mobile, smart and IoT devices are more vulnerable than traditional devices.

• The bad guys are getting smarter.

• Security practices struggle to keep pace with the rapid adoption of cloud computing.

• Authentication methods continue to diversify:
  – push messaging to the mobile,
  – embedded biometric sensors,
  – Bluetooth Smart-based authentication,
  – contactless and NFC-based methods

• FIDO tokens provide MFA with end-to-end security

• Enterprises and consumers have unprecedented choice of secure authentication solutions.

Page 10

Challenges for today’s enterprise

It’s becoming a puzzle

Page 11

Authentication Basics

Authentication: simple and strong

• Simple authentication: 1 factor

• Strong authentication: 2 or more factors

Examples:

• User name and password (1 factor)

• Cards + PIN (banks)

• PKI card + PIN (government)

• Token + password (RSA)

• Cards + biometrics (Match on Card)

There is no such thing as a ‘one-fits-all’ (strong) authentication solution.

Page 12

Business Drivers

Improve compliance

Increase Information security

Increase user convenience

Lower IT costs (help desk calls) and centralise tooling

No rip and replace (re-use existing hardware)

Page 13

Authentication today (point solutions)

Example of methods:

• Hardware tokens (RADIUS, USB)

• Smartphones (OOB, OATH)

• Phones (voice, SMS)

• Access cards (RFID, Mifare, NFC)

• Smart/PKI cards

• Biometrics

• 2/3 factor (combinations)

• Social login

• Federated authentication

• Passwords/PIN codes/Q&A

• FIDO and more

Example of activities:

• Remote access

• Access to workstations/user devices

• Access to networks/servers

• Access to applications:
  – generic applications,
  – Single Sign-on,
  – business applications

• Access to cloud/web:
  – web sites
  – web applications

• Business authentication:
  – execution of transactions
  – signing of transactions
  – business data (storage)

• and more

Page 14

Solving the authentication puzzle

It’s just another jigsaw

Page 15

Page 16

Micro Focus Advanced Authentication Framework

Futureproof authentication framework: authentication puzzle solved

Page 17

Futureproof authentication framework: Advanced Authentication USPs

• Password replacement

• Escape from vendor lock-in

• Low cost 2-factor authentication on smartphone

• Mix and match multiple authentication methods

• Integrated authentication solution for remote, on-premise and web access

• Re-use available access cards for strong authentication

• Integration with IAM, SSO and SIEM

• Re-authenticate users in business processes (execution, signing)

• Linked accounts

Page 18

Proximity and Smart Cards

Smartcards

Smartcards differ from proximity cards by using chips rather than antennas. These chips vary in storage size and processing power but all contain secure information (usually certificates). When a smart card is powered by inserting it into the reader, the certificate is verified (often with a PIN) for sign-in, digital signature or other purposes. Smartcards have the advantage of a secured container but require a high-maintenance, high-priced card management system.

Cards are widely used in hospitals, government offices and businesses. They are often used for “physical” access to restricted and sensitive areas. The same cards can likely be used for “logical” network access.

Proximity Cards

These work by requiring a tap of the card on a card reader. The reader activates a small antenna inside the card and reads the transmitted code. This code is sent to the authentication system for verification (often with an accompanying PIN). The greatest advantage of proximity cards is ease of use. The biggest disadvantage is that they are not secured and will transmit their clear-text code to any device.

Page 19

Biometrics

How it works

Regardless of the manner in which fingerprints are captured, they result in a pattern that is analyzed to identify unique characteristics at coordinates. These coordinates are recorded and processed through an algorithm to derive a value. The value is then used for comparison in future login attempts.

Advantages and Disadvantages

on the first try, no matter who you are or what the weather is doing.

more inclusive and more reliable than other fingerprint sensors, which are vulnerable to a variety of conditions including the presence of topical contaminants, moisture, and bright ambient light. Simply stated, our sensors work where other technologies fail.

Fingerprint readers are generally a secure, convenient and reliable authentication solution that will exceed your expectations. They securely authenticate a user and can be integrated to enable your step-up and transaction-level access management.

Page 20

Soft and Hard Tokens

Hardware Tokens

Hard tokens registered with the RADIUS server generate a number for entry in the login form and verification. Hard tokens are expensive, hard to manage and distribute, and these solutions can have a lot of components, but they are very popular (especially in finance).

Software Tokens

Soft tokens are generated by software at the end point with a registered seed. This is less secure than hardware tokens because the seed can be reused. Soft tokens are popular because they provide the functionality with no devices to buy, ship, replace or renew.

Hardware and software tokens are widely used in addition to or in place of a password. They provide a key authentication code generated at fixed intervals using a built-in clock and a unique random key (or "seed"). Hard tokens come in many formats (with number pads, biometrics, etc.) and soft token generators can run on any platform.

(Diagram labels: Network, Radius, Network)
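The fixed-interval, seed-based code generation the slide describes matches the TOTP scheme of RFC 6238 built on HOTP (RFC 4226); the following Python is an added illustration, not code from the presentation or from the Micro Focus product, showing a generator and a drift-tolerant verifier. The seed is the RFC test secret, used here as a constructed input.

```python
# Added example (not from the presentation or Micro Focus): a minimal
# time-based one-time password generator/verifier of the kind the slide
# describes, i.e. a code derived from a shared secret "seed" and a clock
# that ticks in fixed intervals. Follows RFC 6238 (TOTP) over RFC 4226 (HOTP).
import hmac
import hashlib
import struct
import time

STEP_SECONDS = 30      # the fixed interval mentioned on the slide
DIGITS = 6


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a `digits`-long decimal code."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, at_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238: the counter is the number of whole steps since the epoch."""
    return hotp(seed, at_time // step)


def verify(seed: bytes, submitted: str, at_time: int, window: int = 1,
           step: int = STEP_SECONDS) -> bool:
    """Accept the code for the current step and +/- `window` steps so that
    clock drift between token and server is tolerated. Constant-time
    comparison so a wrong guess does not leak how many digits matched."""
    counter = at_time // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(seed, c), submitted):
            return True
    return False


if __name__ == "__main__":
    # RFC 4226/6238 test secret, a constructed input, not a production seed
    seed = b"12345678901234567890"
    now = int(time.time())
    print("current code:", totp(seed, now))
    print("verifies:", verify(seed, totp(seed, now), now))
```

Everything here depends on the seed alone, which is why a soft-token seed copied to another device yields valid codes there; the verifier's acceptance window should stay small, since every extra step widens the set of codes accepted at any moment.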

Page 21

Flash / Thumb Drive Support

Flash Drive Authentication

This method allows a user to enroll and use a commercially available flash drive (plus a PIN code) for authentication, much like a smart card might work. (The flash drive acts as both the reader and the card in this comparison.) An encrypted file (FlashPinBspLogon.dat) is placed on the flash drive during the enrollment process. When used for authentication, the PIN decrypts the file and its validity is checked. This is one of the easiest universal authentication method options available. With today’s mobile users there are many advantages to using an inexpensive, easy-to-replace device. The major disadvantage is that flash drives can be easily misplaced and may not be available when needed.

Flash/thumb drives are convenient, cheap and readily available. They can be used to securely authenticate a user, as a backup to a primary authentication method that might not be available for any number of reasons, and they can be integrated to enable step-up and transaction-level access management.

Page 22

Let’s meet Sam


Page 23

Page 24

High Tech Manufacturing

• Customer challenge
  – Needed stronger authentication across a wide range of users
  – Diverse authentication requirements
  – Increase security – inconsistent policies
  – FIDO compliant tokens in Windows infra

• Micro Focus solution
  – Leveraged past investments, enabled future options
  – Simplified deployment
  – One framework for integration and policy management
  – Solution across Windows and Mac clients

Page 25

International Manufacturing

• Customer challenge
  – Improve secure access to reduce risk
  – Reduce attack surface through virtual clients
  – Needed one solution for all authentication types

• Micro Focus solution
  – Leveraged existing fingerprint readers on laptops
  – 2-factor authentication for Citrix access
  – Solution expanded across the business

Page 26

Healthcare

• Customer challenge
  – Comply with patient privacy regulations
  – Inefficient and repeated authentication costs clinician productivity

• Micro Focus solution
  – Leveraged existing card readers
  – Integrated with remote access system
  – Provided tap ‘n go (PIN only required once)

Page 28

Discussion & questions

ANYone?