An Introduction to RSA Authentication Manager Express

Presentation Transcript


  1. An Introduction to RSA Authentication Manager Express Helmut Wahrmann helmut.wahrmann@rsa.com

  2. Agenda • Authentication Landscape • Solution Details • Business Value • Opportunity • DEMO

  3. Authentication Market by the Numbers • Millions of SSL VPN users in 2012 [1] • Percent of companies still using passwords for remote access authentication [2] • Most commonly used password [3] • Sources: [1] Gartner Specialized SSL VPN Equipment, 2008; [2] Forrester Enterprise And SMB Security Survey, North America And Europe, Q3 2008; [3] http://igigi.baywords.com/rockyou-com-passwords-list/

  4. Threats and Demands are Increasing • External attacks • Careless users writing down passwords • Costly audit requirements / increasing regulations • Requirements for more collaborative tools • Ever-changing business requirements

  5. Fraudsters See An Opportunity • Assumption of less sophisticated IT Security • Traditionally, SMB has less adoption of strong authentication • Small and Mid-Sized Organizations are at risk (chart axes: IT Budget, Organization Size)

  6. IT Staff Feels the Pressure • End User Productivity • The Environment: • Constantly changing threat landscape • Supporting multiple groups of users and initiatives • Budget and headcount are always a consideration • Security is considered a “burden” • Users cannot experience downtime • Management Has Demands: • The push for mobility and collaborative tools means potentially exposing identities and Intellectual Property (IP) outside of the organization

  7. What We’ve Heard: Secure Access for Mobility and Collaboration (Before Scenario → Required Capabilities) • “Lack of confidence about who is remotely accessing information” → Proven authentication technology • “Users struggle with cumbersome security mechanisms” → Convenient and user-friendly solution • “Diverse end-user base results in varying requirements” → Choice of authentication methods on a single platform • “Security Solutions are Complex and Expensive” → Easy to deploy and manage solution that integrates seamlessly • “Meeting and proving compliance is complex and time consuming” → Fast to implement solution that can be proven to meet compliance requirements • SOLUTION: Cost-effective strong authentication that is stronger than a password, but easy to use for IT staff and end-users

  8. Agenda • Authentication Landscape • Solution Details • Business Value • Opportunity • DEMO

  9. AMX: Multi-factor authentication with zero footprint • Risk-Based Authentication • On-Demand Authentication • And Easy to Manage Appliance Platform

  10. SMS Included in Solution • Delivers a One-Time Password (OTP) via SMS or email • Based on the RSA SecurID algorithm • Compatible with any mobile phone from any carrier • No software to deploy or tokens to manage • Provides multi-factor authentication: • Factor #1 – PIN • Factor #2 – Mobile device or e-mail account

  11. SMS – supported options • Clickatell Plug-In • HTTP Plug-In • HTTP | HTTPS | XML over HTTP • supports proxy (plain and authenticated) • Certified gateways: https://gallery.emc.com/tags?tags=rsa_SMS_Services&taggableTypes=DOCUMENT, currently (April 2011): • physical solutions w/possibility to connect GSM modem: MultiModem iSMS, Talariax sendQuick Alert Plus, LogixMobile swiftSMS • services: KPN SMS Gateway, Syniverse Mobile Enterprise Services

  12. The RSA Risk Engine • Proven, sophisticated risk engine • Protecting 350 million identities worldwide • Most common use – Online Banking • Uses dozens of characteristics to calculate the assurance level of user authentication • Self learning so it adapts to your users over time

  13. Risk Based Authentication: The Hidden Intelligence Behind RSA Authentication Manager Express • Optimized for the enterprise organization

  14. Risk-Based Authentication: Multi-factor authentication without deploying tokens • Strengthens traditional password authentication by silently applying risk-based analytics • Is the user authenticating from a known device? • Does the user’s behavior match known characteristics? • “Risky” authentication attempts require additional validation • Security Questions • On-Demand Authentication • Diagram labels: 1st Factor: Something you KNOW; 2nd Factor: Something you HAVE; 3rd Factor: Something you DO; Step-Up: Something you KNOW or HAVE

  15. Example End-user Scenario – Before • Access SSL VPN webpage • Enter Username and Password • Access is granted • RISK: User could be fraudulent, using a stolen password

  16. Example End-user Scenario – After • Access SSL VPN page • Redirected to the Secure Logon page • Enter Username and Password • Authentication characteristics are sent to the risk engine for score calculation • Typical behavior from registered machine: user is authenticated (Authentication Successful) OR Unusual behavior from unregistered machine: challenge presented (On-demand Authentication or Security Questions), successful completion of challenge results in authentication complete (Authentication Successful)

  17. RSA Authentication Manager Express: Details • Scalability: Up to 2,500 users • Integrations: • SSL VPNs • Outlook Web Access • Web portals • Citrix thin clients • Authentication Methods: • Risk-based Authentication • SMS • Platform: Appliance with Linux operating system • Replication: 2nd Appliance provides replication

  18. AMX Integration: Which Products Does AMX Support? • A third-party product already supports RBA if either of the following is true: • It is a certified “RSA Secured” solution for Authentication Manager Express • Examples: Juniper SA, Cisco ASA, Checkpoint NGX, Citrix Access Gateway, Citrix XenApp, etc. • See rsasecured.com for an up-to-date list of supported applications • It is compatible with the RSA Authentication Agent for Web for SecurID • Web applications built on IIS or Apache web servers • Examples: Outlook Web Access, SharePoint, etc. • A third-party product should be compatible with RBA if all of the following are true: • It is a certified “RSA Secured” solution for SecurID • Integration uses the native SecurID APIs (RADIUS implementations are NOT supported) • The user interface is entirely browser-based and does NOT require any installed client components • Note: AMX supports On-Demand Authentication for any product that already offers ODA for Authentication Manager 7.1 (except RADIUS).

  19. AMX Integration: How do I get RBA support added to a compatible third-party product? • Visit rsasecured.com to see if a certified solution already exists • Verify that the product is compatible with RBA (see previous slide) • Contact Partner Engineering to request support for this product • Qualification will be prioritized based on customer demand, available resources, and willingness of the prospective partner to collaborate • Develop a custom RBA integration • Integration template and validation tool available on AMX supplemental DVD and on SecurCare Online • XML-based template does not require advanced programming skills and is intended to be consumable by customers and partners without PS development

  20. Agenda • Authentication Landscape • Solution Details • Business Value • Opportunity • DEMO

  21. Use Cases • Employee (SSL VPN): Remote employees connecting to the network over an SSL VPN • Partner (Web Portal): Partners accessing a Microsoft IIS web portal that provides access to a deal registration site • Vendor (Citrix): Vendors utilizing an order management system presented over Citrix XenApp

  22. RSA Authentication Manager Express Ensures Compliance Strengthens Critical Infrastructure Keeps Users Productive Accelerates Time to Value • Goes beyond password-only to deliver true multi-factor authentication • Seamlessly deploy to SSL VPN, web portals and Citrix thin clients • Minimal changes to IT environment • No changes to password policy! • Reduces deployment time and costs • Integrates with leading vendors • Nothing to deploy to users • Users keep existing username/password • Choice of different authentication methods • Silent enrollment • Invisible security • Gives high level of assurance to every user authentication • Verify and report that each user and application is protected to pass an audit

  23. RSA Authentication: Three Platforms • RSA Authentication Manager Express: Target Market: Small and mid-size organizations, fewer than 2,500 users; Use Case: Protection of SSL VPNs and web applications (Users: Employees, partners, clients); Value Proposition: Convenient for end-users and IT staff, lower TCO • RSA Authentication Manager: Target Market: Enterprise with more than 1,000 users; Use Case: Protection of any application, portal or network infrastructure (Users: Employees, partners, customers); Value Proposition: Enterprise class features and scalability, authenticator form factor options • RSA Adaptive Authentication: Target Market: Enterprise - Consumer Applications, more than 10,000 users; Use Case: Protection of web applications (Users: typically customers or clients); Value Proposition: Scalable, convenient, cost-effective; available on-prem or hosted • Maximum Flexibility and Optimization

  24. Target market is adjacent to existing AM and Adaptive Authentication markets * In a future release, Authentication Manager w/RBA will be positioned as the On-Premise solution for all Enterprise use cases

  25. Differentiating AMX from RSA Authentication Manager

  26. Licensing, Configuration and Pricing • Platform: Version 1.0 is offered on a Hardware Appliance only (same h/w as the SecurID Appliance 130) • Licensing: Single SKU perpetual licensing per user includes software and all authentication features • Pricing: Volume based pricing tiers (similar to RSA Authentication Manager) • Appliance bundles are available • Maintenance: • Annual software maintenance is 21% of license fee • 3-year AHR is included with the h/w appliance • Years 4 and 5 optional and additional • Configuration: • Supports up to 1 replica • Can be deployed in multiple ways for different user bases: • RBA + ODA or Security Questions step-up • On-demand Authentication only

  27. Agenda • Authentication Landscape • Solution Details • Business Value • Opportunity • DEMO

  28. What Makes Us Better: Key Unique Differentiators • Self-Learning Risk Engine • Dozens of risk indicators • Proven: 250 million users protected with RSA risk-engine • “Tell me about how your current authentication solution adapts based on the authentication attempt?” • Risk-based authentication and ODA (SMS) on a plug-and-play appliance platform • Unique combination of a risk-engine with On-demand and Security Questions simplified for mid-market organizations • Fastest path to two-factor authentication • Convenient to install, manage and deploy to users • Seamless migration from passwords to strong authentication • “Describe to me how your current IT staff could manage an alternative technology?”

  29. Non-Unique Comparative Differentiators • Out-of-the-box integration with 3rd party devices • Juniper, Citrix, Cisco and CheckPoint SSL VPNs • Reduces deployment costs and resources • “Tell me about what would happen if a security solution did not integrate into your existing environment or a system in the future?” • Low acquisition and operating costs (TCO) • Single-SKU perpetual license is reasonably priced when compared to competitive offerings • “Tell me about how you would make the decision between a less secure solution and AMX at comparable price points?”

  30. Non-Unique Comparative Differentiators • Works anytime, anywhere • Strong authentication from any device, anywhere, anytime with nothing to carry, manage, or install • Accessibility drives productivity, user compliance and collaboration • “What would happen if senior executives could not access corporate resources because the authentication solution didn’t work?”

  31. Our Weaknesses • Acquisition cost is higher than single-point solutions • Express is more expensive than SMS-only competitors (Ex. SMS Passcode, SecurEnvoy, Etc.) • Customers looking for the cheapest option may choose point-solution vendor • “Tell me about why you want to sacrifice security, reliability and convenience just to save a little money?”

  32. Key Point #1: Drive Incremental Authentication Revenue w/AMX • Net New customers represent the ideal opportunity for AMX

  33. Target Market • Customer profile: • Mid-market company (< 2,500 employees) currently using passwords for authentication • Has not adopted strong authentication because existing market options were too expensive or inconvenient for the use case • Strong authentication use cases: • Employees accessing an SSL VPN and/or OWA without the use of tokens • Partners and customers accessing collaborative portals • Employee access to Citrix XenApp virtual desktops • Customer requirements • Lower TCO than hardware and software One Time Password Authenticators • Footprint-less solution for employees, partners or customers • Protection of web-based solutions only

  34. Customer Challenges • Related Before Scenarios that Compel Action • Purchase or deployment of an SSL VPN in need of authentication • Development of a new business plan to launch an online portal for partners, customers or employees • Emergence of new or renewed government/industry regulations • Awareness of emerging threats • Incidents of breach, loss, or fraud • Appearance of a new security officer/executive

  35. Agenda • Authentication Landscape • Solution Details • Business Value • Opportunity • DEMO

  36. Demo Environment

  37. Setup user for OnDemand Authentication

  38. Scenario 1: Pure OnDemand Authentication (no RBA)

  39. On-Demand Flow: How it works in AM7.1 SP3+ and AMX 1.0 • Step 1: User types in their Username and PIN. Note: many agents will still say "passcode". Users need to be educated on this if using On-Demand authenticators • Step 2: The username and PIN are sent to Authentication Manager • Step 3: The server sends a Next Token Code API call to the agent and the user is presented with the Next Token Code dialog. Users need to be educated on this functionality • Step 4: Authentication Manager generates a next token code and sends this via SMS (or email) to the end user • Step 5: User enters the SMS (or email) OTP as Next Tokencode and logs in • Diagram labels: Internet, Secure HTTPS, SMS Gateway Provider, Telecom Network, SMS

  40. On Demand Authentication, Step 1: Enter username and PIN • Note: • User needs to enter his PIN in "Password" field • Actual password is never used • This is the behavior seen in Authentication Manager 7.1 SP3 and above

  41. On Demand Authentication, Step 2: AMX asks for Next Tokencode

  42. On Demand Authentication, Step 3: OnDemand Tokencode is sent • User gets OnDemand Tokencode via SMS or email • Then he enters the received tokencode as "Next Tokencode" and logs in.

  43. Scenario 2: Risk Based Authentication with ODA as step-up authentication method

  44. Risk Based Authentication, Step 1: Login • When using RBA, login page is redirected to AMX, but... • ...the username and password are still in use!

  45. Risk Based Authentication, Step 2: User is not trusted – step-up authentication

  46. Risk Based Authentication, Step 3: Remembering device (optional) • Identity was confirmed by step-up authentication (here: ODA) • User’s device can be stored as known device, so the next time user logs in from the same device, the assurance level will be higher • This question is optional – policy can be set to remember all recent devices transparent to user

  47. Risk Based Authentication: Step-Up Authentication in the logs • During the 1st login user’s device was unknown • This resulted in Assurance Level VERY LOW, which triggered the policy to do additional authentication • User authenticated successfully using OnDemand, so his identity was confirmed

  48. Risk Based Authentication, 2nd time login: Known User Behaviour and Device Statistics • User logs in from the same computer, using username and password again. • This time his computer and behaviour match the information stored by Risk Engine • AMX accepts user’s login without requiring additional confirmation • RBA is fully transparent to the user
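
The step-up sequence from slides 43 to 48, with the out-of-band code delivery from slides 39 to 42, modelled as an added Python example; it is not RSA code and not part of the original deck. Assumptions: a single known-device check stands in for the risk engine, a random 8-digit code stands in for the SecurID-based tokencode, and the class name, threshold and 300-second lifetime are hypothetical.

```python
import hashlib, hmac, secrets

# Illustrative model, not RSA's implementation. Assumptions: one signal
# (known device) replaces the risk engine; a random 8-digit code replaces
# the SecurID-based on-demand tokencode; the 300 s lifetime is arbitrary.
LEVELS = ["VERY LOW", "LOW", "MEDIUM", "HIGH"]

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class StepUpDemo:
    def __init__(self, min_level="MEDIUM", otp_ttl=300):
        self.users = {}      # username -> (salt, password hash)
        self.devices = {}    # username -> remembered device ids
        self.pending = {}    # username -> (code, expiry, device id)
        self.outbox = []     # stand-in for the SMS / e-mail gateway
        self.min_level, self.otp_ttl = min_level, otp_ttl

    def enroll(self, user, password):
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, _hash(password, salt))
        self.devices[user] = set()

    def assurance(self, user, device):
        return "HIGH" if device in self.devices[user] else "VERY LOW"

    def login(self, user, password, device, now):
        salt, stored = self.users.get(user, (b"", b""))
        if not stored or not hmac.compare_digest(stored, _hash(password, salt)):
            return "DENIED"
        level = self.assurance(user, device)
        if LEVELS.index(level) >= LEVELS.index(self.min_level):
            return "GRANTED"                      # known device: no challenge
        code = f"{secrets.randbelow(10**8):08d}"
        self.pending[user] = (code, now + self.otp_ttl, device)
        self.outbox.append((user, code))          # delivered out of band
        return "STEP_UP"

    def step_up(self, user, code, now, remember=True):
        # pop() makes the code single-use: any attempt, right or wrong, burns it.
        sent, expiry, device = self.pending.pop(user, (None, 0, None))
        if sent is None or now > expiry or not hmac.compare_digest(sent, code):
            return False
        if remember:                              # optional "remember device"
            self.devices[user].add(device)
        return True
```

A stolen password alone yields only `STEP_UP` from an unremembered device, which is the difference between the "Before" and "After" scenarios on slides 15 and 16.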
