SecureAuth Solution Enhancements in 2017
•Download as PPTX, PDF•
0 likes•274 views
Our webinar reviewing the latest enhancements released in SecureAuth IdP 9.1 and SecureAuth Cloud Access.
Recommended
More Related Content
What's hot
What's hot (20)
Similar to SecureAuth Solution Enhancements in 2017
Similar to SecureAuth Solution Enhancements in 2017 (20)
More from SecureAuth
More from SecureAuth (20)
Recently uploaded
Recently uploaded (20)
SecureAuth Solution Enhancements in 2017
- 2. WEBINAR HOUSEKEEPING + All attendee audio lines are muted + Submit questions via Q&A panel at any time + Questions will be answered during Q&A at the end of the presentation + Slides and recording will be sent later this week + Contact us at webinars@secureauth.com SecureAuth Solution Enhancements in 2017
- 3. Agenda SecureAuth Solution Enhancements in 2017 + Secureauth.com/Support + Portfolio Release Schedule Review + IdP + Cloud Access Product Updates
- 4. Keeping you in the know + Manage Your Communications + Service Status & Alerts + Support Tickets + Support Policies + Documentation + Training + Downloads + Value-Added Modules www.secureauth.com/support
- 5. Portfolio Release Schedule Jan 2017 Apr 2017 July 2017 RADIUS Server 2.3.8 Credential Provider 2.8.2 Authenticate 5.0 February 9th RADIUS Server 2.3.9 April 7th April 12th June 6th IdP 9.1 July 27th Passcode for Windows 2.0.1 February 23rd Cloud Access Continually Updated
- 7. End of Life/End of Support
- 8. + SecureAuth IdP v8.1 and prior - no longer supported + SecureAuth IdP v9.1 begins the new EOL process End of Life/End of Support support.secureauth.com/hc/en-us/articles/115001377647/
- 10. Office 365 is Under Attack … have at least one insider threat each month … have at least one compromised account each month … have at least one privileged user threat each month Analyzing usage of over 20,000 cloud services found that 58.4% of sensitive data in the cloud is stored in Microsoft Office documents. 71.4% 57.1% 45.9% All information on this slide is sourced at Office 365 Adoption Rate, Stats, and Usage
- 11. Adaptive Authentication with Office 365 + Third party apps and older Outlook clients (2013 and older) use a protocol called WS-Trust + WS-Trust was designed for user name and password only + The Adaptive Auth with O365 feature plugs the hole caused by the WS-Trust protocol Feature Summary
- 12. Feature Summary Link-to-Accept — New MFA Method + Link-to-Accept authentication by simply tapping a link in an email or SMS message + Link-to-Accept is a great upgrade in usability for those already using OTPs via SMS or email + Link-to-Accept adds a new email template customizer for branding
- 13. Feature Summary YubiKey — New MFA Method + Allows Admins to configure IdP to include YubiKey devices as a 2FA/MFA Method + YubiKey provides a company controlled and assigned device to employees for 2FA/MFA method + Becoming popular – Facebook, Google, and Salesforce use for all of their employees
- 14. Enhanced Device Recognition Factors in Device Recognition prior to 9.1 Factors in Device Recognition in 9.1 14 settings to evaluate 34 settings to evaluate vs Feature Summary
- 15. Admin API + Allows an enterprise to make direct calls/integrations to update our web.config. + Create, update, and maintain realms in IdP without going into the IdP UI + Ability to configure and maintain IdP using API integrations from legacy systems (e.g. Change Management and other control systems) Feature Summary
- 16. Feature Summary Password Throttling + Enhances ‘incorrect password lockout’ feature to better prevent brute force attacks and unnecessary lockout of user at directory level + Existing feature has a few flaws: + Hacker can lock a user out simply by knowing their username and entering incorrect passwords + In default configuration, lockout is session based - a hacker only has to refresh the page in order to keep trying passwords in a brute force attack
- 18. Summary of New 2017 Capabilities SecureAuth Cloud Access + RADIUS Support + Cloud Access for iOS + Country Change (Adaptive Rule) + VPN Geo-Whitelist NEW
- 19. RADIUS Support + Now supports RADIUS protocol + Support for a wide variety of VPN and other products + Easy to configure: on-prem RADIUS connector is cloud-managed + Supports Adaptive Authentication (with compatible products), different policies for different RADIUS clients Feature Summary
- 20. Feature Summary SecureAuth Cloud Access for iOS + Mobile app that puts Cloud Access SSO portal in your pocket + Launch web-based apps using embedded browser + Copy vaulted passwords to log into native mobile apps
- 21. Feature Summary Country Change (Adaptive Rule) + Additional geographic location adaptive authentication checks related to Geo- Velocity & Geo-Fencing + Triggers if the user’s IP address Geo- Locates to a different country than their last known location + You determine the resulting action Allow Prompt for MFA Deny Previous Location Current Location
- 22. Feature Summary VPN Geo-Whitelist + Reduces false positive MFA prompts for users who connect and disconnect from a VPN regularly + Administrators configure the external IP address of the VPN server(s) + Geo-based rule triggers are suppressed when users switch to or from that address
- 23. © SecureAuth Corporation 2017
- 24. Keeping you in the know + Manage Your Communications + Service Status & Alerts + Support Tickets + Support Policies + Documentation + Training + Downloads + Value-Added Modules www.secureauth.com/support
Editor's Notes
- Hello everyone, I’m Damon Tepe, Director of Product Marketing, and I’ll be joined today by Director of Product Management for IdP, Rich Gibsen and Director of Product Management for Cloud Access, Robert Dana. Our collective goal is to get you familiar with new enhancements made in 2017 to SecureAuth IdP and SecureAuth Cloud Access respectively. Lets take care of some housekeeping items and have a look at the agenda to get started.
- All attendee audio lines are muted – this is for everyone listening pleasure You can submit questions via the Q&A panel at any time throughout the session (it’s located on the right hand side of your console) Those submitted Questions will be answered during the Q&A at the end of the presentation (and if we run out of time, we will follow-up with you directly) These slides and a recording of this session will be sent to you later this week, so no need to submit question asking for them If you have questions related to this webinar or any others, you can always contact us at webinars@secureauth.com
- We expect this webinar to go about 30-35 minutes. I will review where you can find various helpful pieces of product or service information. I will also review our portfolio release schedule so far this year. Following that, Rich Gibsen will go over key enhancements made to IdP in 2017 and Robert Dana will follow that with key enhancements made to Cloud Access this year also. Let dive in
- This may be a bit of review for some, but I wanted to make sure everyone in the audience knows where to access key bits of information. Manage Your Communications Select your email preferences to receive relevant product, marketing, and/or company information Service Status & Alerts Sign-up to receive the most up-to-date information related service status or security alerts Support Tickets Option to submit ticket online, or you can always call support at 1-866-859-1526 (including if you want to upgrade to anything we show today) Support Policies Understand support ticket severity levels and expected response times, Mission Critical Support options, and how and what to expect when opening a support ticket, and more Documentation Explore our documentation from Release Notes to Integration Guides to Administration Guides and our extensive Knowledge Base, a wealth of product/service information can be found here Training Learn more about SecureAuth University and how you can become more fluid using SecureAuth products and services. From free videos, to instructor led courses, to certification programs and more, ‘getting and remaining trained’ starts under our “Support” tab Downloads Get latest versions of products, applications, tools, and hot fixes And lastly Value-Added Modules Offerings to simplify and/or expand your solution. These come from our SecureAuth Tailoring Services (e.g. SAML-enabling .Net or Java apps or Using proximity cards in an authentication workflow). Whether you come to secureauth.com homepage and click “Support” or you use the direct URL on the screen, we have tried to consolidate relevant information for you into one convenient area. Let move on to review when pieces of our solution portfolio were released so far in 2017…
- We’ve had some decent release activity so far in 2017. RADIUS 2.3.8 and 2.3.9 were both out by April 7th Passcode for Windows 2.0.1 was released in late February Credential Provider 2.8.3 came out in mid April Authenticate 5.0 was made available in early June IdP 9.1 was recently released in late July AND Cloud Access is continually updated as a cloud-based service
- Rich hand off IdP
- a – Access to these features are available to customers current with maintenance b – Extended support is available at a fee c – Critical fixes only
- What is Limited Support? Take this opp to explain
- IdP 9.1
- Office 365 has now become the most popular and used cloud service, recently surpassing Salesforce. Skyhigh has published some great statistics that show O365 is under attack, all of the stats on the slide came from a blog published by Skyhigh Networks - https://www.skyhighnetworks.com/cloud-security-blog/7-charts-reveal-the-meteoric-rise-of-office-365/. (there is a link in the bottom right hand corner of the slide) The first stat tells why attackers are interested – nearly 60% of an organization’s sensitive data is stored in Microsoft Office documents (think Word, Excel, PPT, OneDrive). As for attacks… 71.4% of orgs using O365 experience at least one compromised account each month, said another way 3 out of 4 O365 deployments will have at least 12 compromised accounts in 2017….seems a bit high. 57.1% will have at least one insider threat each month, and 45.9% will have at least one privileged user threat each month. Bottom line, Office 365 is under attack and organization using it, or considering a move, need to have a strong protection plan in place.
- SecureAuth offer comprehensive protection for office 365 allowing any user (employee, partner, customer), to take any path to access O365 (browser, 3rd party client, mobile app), as long as SecureAuth is protecting it. In addition to providing nearly 30 MFA methods, we offer adaptive authentication which does numerous pre-authentication risk checks to ensure the legitimacy of any access request. So even if an attacker has stolen credentials (valid user ID and password) AND could bypass a given MFA method…. with SecureAuth protecting, that attacker would not get thru because some (if not all) of ~10 risk checks would show red flags and the request would be denied. Adaptive authentication is the back-up plan or insurance policy to your identity security program. Many 3rd party apps and older outlook clients (typically 2013 and older), use a protocol called WS-Trust. Both WS-Trust and WS-Fed are federation protocols and facilitate communication between systems. Both are Microsoft developed protocols, with WS-Fed being the more modern of the two. Unfortunately, WS-Trust was designed to support username and password only…..cannot accept MFA or adaptive authentication. We have plugged that hole (username and password only support) with adaptive authentication for O365. Our adaptive auth capabilities around WS-Trust are limited and not the full stack of risk analysis you’re familiar with. But we can add the following adaptive risk checks to enhance authentication protection beyond just a password: The Blocking feature allows you to white/blacklist based on: IP Application type (example: only allow outlook) User agent (which is the OS+Browser type) Threat Service – check IP address against threat Dbs
- Just like Push-to-Accept pretty much describes what you need to do to authenticate, Link-to-Accept allows users to complete two-factor authentication by simply tapping a link in an email or SMS message Link-to-Accept is a great upgrade in usability for customers already using one-time passcodes via SMS or email Link-to-Accept adds a new email template customizer to the IdP Admin for easy branding of customers’ emails Phone Number Fraud Prevention ensures protection at the device level (NIST conforming) Makes authentication as easy as Push-to-Accept, simply push the link provided 2FA method that doesn’t require user to install an application on a smart phone (BYOD…any internet enabled device) Customize the look of Link-to-Accept emails without coding Reduces the mental load of remembering a one-time passcode from one screen and typing it into another Removes the anxiety of watching the time-based passcode timer tick away
- Our next new two-factor authentication method is YubiKey. YubiKey is a hardware authentication device made by Yubico. It plugs into the USB port of a computer and can now be configured to be used as a single factor, replacing UN/PW or as 2FA/MFA Method…..obviously one cannot use the YubiKey as both single and second factor (org must choose how they want to use) YubiKey provides a company controlled and assigned device to employees for 2FA/MFA method Becoming popular – Facebook, Google, and Salesforce use for all of their employees YubiKey devices are easy to use and only require employees to insert and touch Appeal to organizations that don’t want to or can’t allow use of personal phone to obtain a passcode Easy to set-up/configure
- Formerly known as Device Fingerprint or Digital Fingerprint (aka DFP) Now measuring new browser components Deprecated inactive browser components Calibrated default settings to more accurately recognize devices More accurate measurements of device components = more accurate determination of device Calibrated defaults allow customers to take advantage of the feature out of the box More intuitive UI allows customers and support to more easily update and troubleshoot In this slide, I just want to show you a couple things: 1) we used to look at 14 different settings to perform Device Recognition prior to release 9.1 2) we are now looking at 34 different setting to perform Device Recognition in 9.1, obviously, we can be a lot more accurate by looking at 20 additional settings. Lastly, I want to call attention to how easy it is to change device recognition settings. One simply needs to click “OFF”, “LOW”, “HIGH”. Off means don't look at that setting. Low and High are simply ways to weight particular settings. Low = less important; High = more important. For example, screen resolution is a low while installed language is high. This simply means looking at language is more important than screen resolution to that particular customer.
- The new Admin API features allows customers to make integration calls to IdP configuration settings With this new feature, Administrators can create, update, and maintain IdP realms without opening the IdP user interface. Gives our customers the ability to maintain IdP from legacy or centralized change management or other control systems. Easily configure IdP realms without having to manually create and update realms in the IdP Admin Console (easier to centrally update) Scale effectively and integrate the maintenance and configuration of IdP into customer’s change management policies and procedures
- Enhances ‘incorrect password lockout’ feature to better prevent brute force attacks and unnecessary lockout of user at directory level Existing feature has a few flaws: Hacker can lock a user out simply by knowing their username and entering incorrect passwords In default configuration, lockout is session based - a hacker only has to refresh the page in order to keep trying passwords in a brute force attack So here is what happens… an attacker wants to cause problems and inconvenience say the CEO of a particular company. By simply guessing passwords incorrectly, the attacker can lock out the CEO’s account, causing disruption to that CEO’s day. To make matters worse, an attack only has to refresh the page in order to continue. So what have we done…? We’ve made the following enhancements: Now allows more freedom to configure a realm to throttle and block a user Select max number of password attempts – no longer enter infinite number of passwords trying to guess the correct one Select time period for those attempts – Attackers/Users have a certain time period to enter passwords (example could be 5 minutes) Select lock out option (is it a certain time period vs full directory lock out)
- Lets now turn our attention to Cloud Access. As a reminder, Cloud Access is our IDaaS or cloud-based adaptive access control platform Robert the floor is yours…
- Enhancements to Cloud Access so far in 2017 come in the form of… RADIUS Support Improved Directory Integration Cloud Access for iOS Country Change (Adaptive Rule) VPN Geo-Whitelist Hybrid & Basic Email-based Password Reset Let take a deeper look at each….
- With this RADIUS support, Cloud Access can provide multi-factor and adaptive authentication for a wide variety of VPN and other products. VPN often a starting point for MFA mandates and stronger access controls. But you may want to replace legacy MFA for your VPN looking for easier management, better user experience, and/or improved security. Orgs need a solution that can be deployed quickly and easily, with a minimum of planning and infrastructure change. Unlike any other competing product (including Duo, Microsoft, Okta or OneLogin), SecureAuth Cloud Access RADIUS: Deploys in minutes with a simple, Cloud-based configuration UI Provides multi-factor and adaptive authentication for Cisco, Palo Alto, Citrix, and any other VPN product which provides the end user’s IP address Provides incredible flexibility, allowing customized workflows and adaptive policies on a per-client basis
- SecureAuth Cloud Access for IOS is a mobile application that puts the Cloud Access SSO portal into your pocket, making it easy for users to log in to their applications. The primary problem the mobile app solves is access to applications that are authenticated using vaulted passwords; normally this requires use of the Cloud Access browser plugin, but mobile browsers do not support plugins of this nature. Users can use the app either to log directly into applications using an embedded browser, or to copy passwords they need to paste to log into other mobile apps, where previously they would have to manually enter passwords viewed in the web-based SSO portal.
- The Country Change adaptive rule is related to Geo-Velocity and Dynamic Geo-Fencing; like those rules, it is based on tracking a user’s previous location and comparing it their current location. If a user is connecting from a different country than their last known location, this new rule will trigger. Creating authentication policy always involves a balance between usability (how often end users are prompted) and security. Geo-Velocity helps minimize the number of 2nd factor prompts that travelling users experience, but is only effective if a user logs in quite frequently; after 18 hours of inactivity, it becomes ineffective Geo-Fence, essentially a customizable virtual geographic boundary, is more secure than Geo-Velocity, but can be burdensome for frequent travelers who travel in and out of a fenced area and continually get prompted for an MFA step. This new Country Change adaptive rule fills a gap between Geo-Velocity & Geo-Fence; it is more secure than Geo-Velocity for users who don’t log in frequently, but is less burdensome for most frequent travelers than Geo-Fence.
- VPN Geo-Whitelist allows an organization’s administrator to tell the system about the IP addresses that VPN users appear to come from. This changes how Geo-Velocity, Geo-Fencing and Country Change rules work in order to minimize unneeded Multi-Factor Authentication prompts. When a user connects to a VPN, their IP address changes, often to a location that is physically distant from them, even though they have not physically moved. This can cause “false positive” triggers in various Geo-based rules, resulting in additional Multi-Factor Authentication prompts for legitimate users. Users connecting and disconnecting from the VPN will no longer be prompted for Multi-Factor Authentication unnecessarily.
- Thank you for taking the time to understand major enhancements in SecureAuth IdP 9.1. and SecureAuth Cloud Access As we transition into our Q&A session, I remind you to submit your questions via the panel on the bottom right hand side of your console. While we wait for some questions to populate, I’ll put back up the slide showing all the ways to get solution level information from SecureAuth…(click to next slide)
- Manage Your Communications Select your email preferences to receive relevant product, marketing, and/or company information Service Status & Alerts Sign-up to receive the most up-to-date information related service status or security alerts Support Tickets Option to submit ticket online, or you can always call support at 1-866-859-1526 (including if you want anything we show today) Support Policies Understand support ticket severity levels and expected response times, Mission Critical Support option, and how and what to expect when opening a support ticket, and more Documentation Explore our documentation from Release Notes to Integration Guides to Administration Guides and our extensive Knowledge Base, find it all here Training Learn more about SecureAuth University and how you can become more fluid using SecureAuth products and services. From free videos, to instructor led courses, to certification programs and more, getting trained starts under our “Support” tab Downloads Get latest versions of products, applications, tools, and hot fixes Value-Added Modules Offerings to simplify and/or expand your solution from our SecureAuth Tailoring Services (e.g. SAML-enabling .Net or Java apps or Using proximity cards in an authentication workflow)