Authentication Solutions Buyer's Guide

Individuals who would like more details regarding strong authentication methods available today to secure access to corporate networks and enterprise or customer applications. Learn how your environment will dictate which method is right for you.

Published in: Technology

Transcript

  • 1. Authentication Solutions Buyer's Guide

    A guide for assessing technology options for Symantec's portfolio of solutions

    Who should read this paper

    Individuals who would like more details regarding strong authentication methods available today to secure access to corporate networks and enterprise or customer applications. Learn how your environment will dictate which method is right for you.

    WHITE PAPER: AUTHENTICATION SOLUTIONS BUYER'S GUIDE
  • 2. Content

    • Executive Summary
    • Why You Need Strong Authentication
    • Assessing Options for Authentication
    • Risk-based Authentication
    • One-time Password Authentication
    • How to Choose the Right Kind of Strong Authentication
    • Strong Authentication with Digital Certificates
    • Symantec Strong Authentication Solutions
    • Symantec™ Validation and ID Protection (VIP) Service
    • Symantec™ Managed PKI Service
    • Make the Move to Strong Authentication
  • 3. Executive Summary

    Authentication is the most visible security control for applications used by enterprises and their customers. It controls access and plays a crucial role for enforcing security policy.

    Frequently, authentication requires just a simple user ID and password, which makes it a weak, exploitable target for criminals. Your challenge is to use a stronger, cost-effective authentication solution that is easy to use.

    Capture the benefits of strong authentication

    • Simple passwords are not enough protection
    • Stronger access security uses multifactor authentication such as risk-triggered challenges, one-time passwords, or digital certificates
    • Symantec’s strong authentication portfolio lets you mix and match the right solution for your requirements

    A range of strong authentication technology from Symantec helps you overcome the vulnerabilities associated with simple passwords by augmenting them with additional authentication factors such as user device identifiers, risk-based challenges, one-time passwords, or digital certificates. This approach raises the bar for would-be attackers because even if they steal a user’s name and simple password, it’s still not enough to get in. Choosing the best solution depends on your IT environment, your particular application or mix of applications, related business requirements that may require stronger security, and cost or usability considerations. Symantec solutions provide scalable, manageable, and cost-effective strong authentication for meeting requirements to protect your enterprise applications.

    Why You Need Strong Authentication

    Reliance on simple, easy-to-guess passwords is inadequate for securing your critical applications and data. For example, of 400,000 accounts compromised in a recent attack on a large Internet portal, the most common passwords were the actual word “password” and the numeric string 123456.[1] Hackers exploit weak passwords with automated attacks that try combinations of letters and numbers until the right one is found. Other hackers exploit social engineering with email or phone calls to trick unsophisticated users into divulging their password by pretending to be a trusted company employee such as a technical support specialist.

    Research shows that weak access security is a leading cause of data breaches – contributing to 82 percent of compromised records.[2] In large organizations, use of stolen credentials is the biggest cause of breaches and compromised records (Verizon Report, p. 26). For incidents like these, the use of a strong authentication solution can prevent the breach and compromise of sensitive data.

    Office computer users and remote workers need strong authentication to protect access to sensitive information in their organization's servers and applications. Many government agencies such as the U.S. Department of Defense, or departments within government or commercial financial institutions, require strong authentication to log on to office computers on their networks because of the highly valuable and sensitive nature of these data. Strong authentication is also required or under consideration by some data protection regulations for private industry such as PCI DSS for retail, FFIEC for financial services, and HIPAA/HITECH for healthcare.

    Your business partners and customers are also well aware of security breaches and expect you to protect their data when used by your IT systems. Your use of strong authentication will help to gain their trust. It will also prevent breaches caused by risky use of technology by business partners and consumers. For example, business and consumer access to applications via mobile devices is rapidly growing. The use of weak credentials for accessing sensitive business applications such as online shopping and banking can result in a breach.

    [1] http://www.businessinsider.com/most-popular-hacked-yahoo-passwords-2012-7
    [2] Verizon Business 2012 Data Breach Investigation Report (p. 25)
  • 4. Assessing Options for Authentication

    As you acknowledge the need for stronger access security, the quest to specify a solution for your environment begins by asking: which authentication technology is the right one? The answer depends upon requirements determined by your applications and IT environment.

    Authentication starts with “something you know,” which is a user ID and password. Passwords will have varying degrees of strength. Weak passwords create vulnerabilities that facilitate hacking attacks such as guessing, brute force dictionary cracking, or man-in-the-middle interception. While your organization can strengthen a simple password against guessing and dictionary attacks by enforcing rules about their characteristics and lifespan, this often backfires because users will often take the risky step of writing them down in an insecure location when they feel the rules make things too complex. And the rules won’t stop social engineering, capture, or interception attacks.

    Two factors of proof make stronger authentication

    A mandatory requirement for strong authentication is the best defense. Strong authentication requires each person attempting access to present a second factor, which is “something you have,” in addition to a password. Even if an unauthorized person obtained your password, they could not gain access without the second factor. The strongest authentication systems use technologies called one-time passwords (OTP) or digital certificates to completely remove the vulnerabilities of password guessing or a man in the middle attack. A use-case requiring less stringent strong security can use a variant called risk-based authentication.

    Risk-based Authentication

    Risk-based authentication has recently gained acceptance as a reasonably good form of protecting logon security. One attraction is lower cost: risk-based authentication does not require the use of tokens, smartcards, or biometrics. It’s a simpler type of multifactor authentication that can significantly reduce costs associated with deployment to a large user population. It also eliminates associated burdens that may negatively affect usability of traditional solutions.

    Risk-based authentication works by establishing a baseline for normal user behavior when logging onto a system, such as recording what device and/or location they normally use for access. With risk-based authentication, when the logon behavior is normal, a simple password may be deemed acceptable. But when a log on is attempted by an unknown device or from an unusual location, the user is challenged to enter an additional code, which is emailed to them or sent to them via SMS text message. Risk-based authentication is included with Symantec™ Validation and Identity Protection (VIP).

    Risk-based Authentication

    Pros:
    • Tokenless – no special application software or hardware required for users
    • Lower cost for a large user base
    • Easier for unsophisticated users

    Cons:
    • Optimal for web applications, but might not work with others
    • Requires small, but necessary changes to server-based code of each web application
  • 5. One-time Password Authentication

    One-time-password (OTP) technology is a form of two-factor authentication (2FA). It’s often used for authenticating VPN and partner-facing web portals. OTP may also serve well for some custom applications. As mentioned, OTP solutions augment traditional user names and passwords with various choices for “something you have.” With OTP, a user's PC, smartphone, or special hardware token may all serve as a second factor during logon. With an OTP system, when a user enters the logon ID and password (the “first factor”), the system also requires the user to enter a unique one-time code or password generated by software on their hardware token device, PC, or smartphone. One-time password technology is also included in Symantec VIP.

    One-time Password Based Authentication

    Pros:
    • Proven and time tested security method
    • No application changes required; is supported “out-of-box” by many applications and networking hardware via a standard protocol called RADIUS
    • Available from wide variety of suppliers and resellers

    Cons:
    • Its most secure mode requires a token, which can make it more costly than risk-based authentication (Note: Symantec VIP software tokens are free)

    How to Choose the Right Kind of Strong Authentication

    The Best Value

    • Symantec VIP is cloud-based Software as a Service (SaaS). This lowers your cost and provides flexibility for remote access and other use cases.
    • Symantec VIP provides more value: risk-based authentication and one time password authentication in a single subscription.

    If you need strong authentication for VPN, web, or cloud applications, you should consider a 2FA solution that provides either risk-based or OTP authentication. The best 2FA solutions are both easy to implement and easy to use—which is what makes them good choices for basic requirements.

    The implementation of risk-based versus OTP technology is a matter of business need and customer preferences. For example, many organizations choose risk-based authentication for consumer-facing applications because it will keep the cost down when there are many thousands of users. One-time password is typically considered the best option for very high security requirements.

    Some 2FA solutions are difficult to implement and use, which discourages their use and defeats the purpose. Symantec VIP solves usability challenges by supporting a wide variety of authentication options for end users, and also makes management easier for IT departments by supporting industry standards such as RADIUS, and enterprise directories such as Microsoft Active Directory®. A self-service portal further enhances the end-user experience and reduces the burden on IT. A standards-based, cloud-delivered solution such as Symantec VIP Service, which includes both risk-based and OTP technology, will bring your organization more flexibility at a lower cost than alternatives requiring an on-premise proprietary solution.
  • 6. Strong Authentication with Digital Certificates

    PKI Made Easy

    • Symantec™ Managed PKI simplifies the complexity of using digital certificates. As a managed service, the infrastructure is ready to go. All you do is activate the account.
    • Managed PKI automates client-side configuration of applications and makes the user experience transparent.
    • Our solution saves you money because you don’t have to manage the systems. We do it for you.

    Some application use-cases require a specific strong, 2FA technology called digital certificates. Examples are user-specific authentication to Wi-Fi access points or network switches, encrypted email, document signing for Adobe Certified Document Service or Microsoft Office, or device authentication in mobile “Bring Your Own Device” (BYOD) initiatives.[3] All of these require using digital certificates to take advantage of the most secure capabilities.

    When an environment also includes VPN, web, or cloud applications, many organizations choose to use digital certificates for these applications as well in order to integrate strong authentication under one solution. All such applications must be certificate-enabled, which means some applications might not include support for this type of strong authentication.

    Digital certificates provide strong authentication through a cryptography method called Public Key Encryption. To manage digital certificates properly requires a Public Key Infrastructure (PKI) such as Symantec Managed PKI.

    The Symantec Managed PKI solution, like Symantec VIP Service, is also a cloud-based offering. This makes it much easier to deploy and manage than on-premise PKI solutions such as Microsoft PKI software, and supports more deployment complexity than with a 2FA solution.

    Certificate-based Authentication

    Pros:
    • Enables strong authentication for applications requiring this mechanism
    • Also supports most other applications, so you can boost efficiency and save money by using digital certificates for all strong authentication requirements

    Cons:
    • Requires PKI system for managing the certificate lifecycle, so there is more complexity
    • Requires client-side configuration of applications to use a certificate

    [3] For more examples, see our white paper, Why Digital Certificates are Essential for Managing Mobile Devices, http://www.symantec.com/content/en/us/enterprise/white_papers/b-why-certs-mobile-devices-wp-21259170-en.us.pdf
  • 7. Symantec Strong Authentication Solutions

    Symantec solutions’ features and capabilities will provide your enterprise with strong, scalable, and manageable authentication for protecting online identities and interactions between consumers, business partners, and employees.

    Symantec™ Validation and ID Protection (VIP) Service

    A cloud-based service for preventing unauthorized access to sensitive networks and applications.

    Symantec VIP will replace your simple password security with strong, robust security for access to your enterprise networks and applications, and prevent unauthorized access by malicious attackers. Users have the same experience as before, but with the added security of a second factor for authentication. Deployment is simple with an existing infrastructure and usually can be pre-configured by an administrator.

    Key Features

    • Cloud-based infrastructure – Secure, reliable, and scalable service delivers authentication without requiring dedicated on-premise server hardware. Certified annually by third parties.
    • Multiple two-factor credential options – Deploy OTP credentials in a variety of hardware, software, or mobile form factors.
    • Free mobile device credentials – Support for more than 900 mobile devices including Android™, iOS®, Windows® Phone 7, J2ME®, and BREW.
    • Tokenless risk-based authentication – Leverage device and behavior profiling to implement strong authentication and block risky logon attempts without the requirement of a hardware credential.
    • Out-of-band authentication support – Authenticate users via SMS messages or voice-enabled phone calls when elevated risk is detected.

    Case Study: First Tech Federal Credit Union

    The Problem: The national credit union wanted to differentiate its services by offering highly secure options for online banking—without adding IT overhead.

    Solution Used: Symantec Validation and ID Protection (VIP) Service with VIP Access for Mobile.

    Results: First Tech has established a name for itself in offering convenient strong authentication for its customers. It achieved 100% reliability of delivery
  • 8. Case Study: First Tech Federal Credit Union, Results (continued)

    of one-time passwords for mobile members. The VIP Network also expanded customers’ options for OTP access to multiple First Tech accounts. Finally, the cloud-based solution enabled national deployment without additional IT overhead.[4]

    • Transaction monitoring support – Evaluate activity related to end-user’s monetary transactions, including anomalous amount, anomalous destination, transaction velocity anomaly, and high risk touch points, which allows your organization to challenge the user with an additional factor of authentication.
    • Self-service credential provisioning – Deploy strong authentication to consumers without requiring IT helpdesk or administrator configuration or intervention.
    • Web-based application integration – Add strong authentication to your application using the Symantec VIP web services API in your preferred programming language.
    • Enterprise infrastructure support – Also integrates with popular enterprise VPNs, webmail, SSO applications, and corporate directories to support internal mobile applications.

    Case Study: Triton Systems of Delaware, LLC

    The Problem: This leading provider of off-premise automated teller machines in North America needed to support remote key transport while eliminating the cost of having two engineers visit each ATM when master key codes required changing.

    Solution Used: Symantec Managed PKI Service

    Results: Triton Systems became the first retail ATM manufacturer to market with remote key transport feature, which increased competitive advantage. Triton’s ATM owners can now save more than $450 in costs for the life of each machine – without compromising security or reliability.[5]

    Symantec™ Managed PKI Service

    A cloud-based service to power strong authentication, encryption, and digital signing applications.

    As your enterprise electronically conducts more transactions and correspondence, there is a growing need to authenticate users, restrict access to confidential information, and verify integrity or origination of sensitive documents. Symantec Managed PKI Service, based on Public Key Infrastructure, will allow your enterprise to provide this level of strong trust-based security. It can implement multi-purpose credentials; is good for one-to-many applications such as email; works both online and offline; and supports multiple cryptographic use-cases such as authentication, encryption, and non-repudiation. With PKI, you can facilitate tighter integration with your business partners, protect data against internal and external threats, ensure business continuity, and maintain compliance with government and corporate regulations.

    Key Features

    • Trusted, cloud-based infrastructure – Backed by 24 hours a day, 7 days a week, 365 days a year monitoring, management, and escalation across the globe with full disaster recovery. Certified annually by a third-party as part of a SSAE 16/SOC 2 security audit, regular WebTrust audits, and specialized government audits.
    • Broad application support – Managed PKI issues X.509 certificates that interoperate with a wide variety of operating systems, devices, VPN, mail, and web browser software. Providing certificate profiles for common applications enables strong authentication, email encryption and signing, and document signing (Adobe PDF signing).
    • Automated certificate lifecycle management – Automates configuration of common authentication, encryption, and signing applications across multiple platforms and browsers.

    [4] http://www.symantec.com/content/en/us/enterprise/customer_successes/b-first_tech_federal_cu_CS.en-us.pdf
    [5] http://www.symantec.com/content/en/us/enterprise/customer_successes/b-triton_systems_CS.en-us.pdf
  • 9. Our client software automatically configures a user’s browser, VPN client, mail client, or other application to use Symantec certificates. It also automates the process of renewing certificates, preventing expired certificates from interrupting business continuity.

    Symantec O3™ For Authenticating Cloud Applications

    Many organizations are putting applications in the cloud to save money. As unintended consequences, IT often loses control of access and end users often take a hit in usability—especially when they are authenticating to multiple cloud applications. The practical pitfall is recalling different authentication credentials for the various applications. A common response by users is to re-use a single credential for all the applications. This behavior will weaken your security and magnify the risk of a breach.

    Symantec™ O3 enables strong single sign-on across cloud, software-as-a-service (SaaS), and web applications and services. It readily integrates with existing identity sources such as Active Directory, LDAP, and relational databases. It also federates authentication for the various cloud/web services, and offers users a simple single-sign-on experience. The solution also maintains a context-based policy engine to oversee access control.

    For more information about Symantec O3, see https://www4.symantec.com/mktginfo/RSA_2012/assets/SymantecO3Datasheet.pdf

    Make the Move to Strong Authentication

    With Symantec, you can quickly enable the benefits of strong access security in corporate and customer-facing applications. Depending on application requirements, you will need one of three solutions: risk-based authentication (Symantec VIP), a 2FA solution with one-time passwords (Symantec VIP), or a digital certificate-based solution (Symantec Managed PKI). To learn more, call your Symantec account representative or visit our Symantec User Authentication Solutions page at http://www.symantec.com/products-solutions/families/?fid=user-authentication.

    Choosing the Right Authentication Method

    | Application Use Cases | Symantec VIP: One-Time Passwords | Symantec VIP: Risk-based | Symantec Managed PKI: Digital Certificates |
    |---|---|---|---|
    | Virtual Private Networks (VPNs) | √ | √ | * |
    | Web/Cloud-based Applications | √ | √ | * |
    | Secure Wireless Access | | | √ |
    | Secure Email | | | √ |
    | Document Signing | | | √ |
    | Support for BYOD Initiatives | | | √ |

    * Supported as a secondary use case
  • 10. About Symantec

    Symantec protects the world’s information, and is a global leader in security, backup, and availability solutions. Our innovative products and services protect people and information in any environment – from the smallest mobile device, to the enterprise data center, to cloud-based systems. Our world-renowned expertise in protecting data, identities, and interactions gives our customers confidence in a connected world. More information is available at www.symantec.com or by connecting with Symantec at go.symantec.com/socialmedia.

    For specific country offices and contact numbers, please visit our website.

    Symantec World Headquarters
    350 Ellis St.
    Mountain View, CA 94043 USA
    +1 (650) 527 8000
    1 (800) 721 3934
    www.symantec.com

    Copyright © 2013 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

    1/2013 21280723
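
The risk-based flow described under "Risk-based Authentication" (a baseline of the device and location a user normally logs on from, password-only access when the logon matches it, and an emailed or SMS code otherwise) is shown below in Python as an added example. It is not Symantec VIP code: the class and function names, the 5-minute code lifetime, the 3-attempt limit and the sample users and devices are all assumptions made for illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field

CODE_TTL_SECONDS = 300   # assumption: lifetime of the emailed/SMS code
MAX_CODE_ATTEMPTS = 3    # assumption: wrong answers allowed per challenge


@dataclass
class Baseline:
    """Devices and locations seen on previous trusted logons."""
    devices: set = field(default_factory=set)
    locations: set = field(default_factory=set)


@dataclass
class Challenge:
    code: str
    device: str
    location: str
    expires_at: float
    attempts_left: int = MAX_CODE_ATTEMPTS


class RiskBasedAuthenticator:
    def __init__(self, send_code, clock=time.time):
        self._send_code = send_code   # out-of-band delivery (email or SMS)
        self._clock = clock
        self._baselines = {}          # user -> Baseline
        self._pending = {}            # user -> Challenge

    def enroll(self, user, device, location):
        """Add a trusted device/location to the user's baseline."""
        b = self._baselines.setdefault(user, Baseline())
        b.devices.add(device)
        b.locations.add(location)

    def logon(self, user, password_ok, device, location):
        """Return 'deny', 'allow' or 'challenge' for one logon attempt."""
        if not password_ok:
            return "deny"
        b = self._baselines.get(user, Baseline())
        if device in b.devices and location in b.locations:
            return "allow"            # normal behaviour: password suffices
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user] = Challenge(code, device, location,
                                        self._clock() + CODE_TTL_SECONDS)
        self._send_code(user, code)
        return "challenge"

    def answer_challenge(self, user, submitted):
        """Check the out-of-band code; on success, learn the new context."""
        ch = self._pending.get(user)
        if ch is None or self._clock() > ch.expires_at:
            self._pending.pop(user, None)
            return False
        if not hmac.compare_digest(ch.code.encode(), submitted.encode()):
            ch.attempts_left -= 1
            if ch.attempts_left <= 0:
                del self._pending[user]   # force a fresh logon and new code
            return False
        del self._pending[user]           # codes are single use
        self.enroll(user, ch.device, ch.location)
        return True


def demo():
    """Constructed scenario: a known laptop, then an unseen phone abroad."""
    outbox = []                           # stands in for the SMS/email gateway
    auth = RiskBasedAuthenticator(lambda u, c: outbox.append((u, c)))
    auth.enroll("alice", "laptop-01", "US")
    first = auth.logon("alice", True, "laptop-01", "US")
    second = auth.logon("alice", True, "phone-77", "FR")
    wrong = auth.answer_challenge("alice", "not-the-code")
    right = auth.answer_challenge("alice", outbox[-1][1])
    third = auth.logon("alice", True, "phone-77", "FR")
    return first, second, wrong, right, third
```

The baseline only grows after a successful challenge, so a stolen password used from a new device yields a code sent to the legitimate user rather than access.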
