Authentication Solutions Buyer's Guide
A guide for assessing technology options for Symantec's portfolio of solutions
Who should read this paper
Individuals who would like more details regarding strong authentication
methods available today to secure access to corporate networks and
enterprise or customer applications. Learn how your environment will
dictate which method is right for you.
Executive Summary
Authentication is the most visible security control for applications used by enterprises and their customers. It controls access and plays a
crucial role for enforcing security policy.
Frequently, authentication requires just a simple user ID and password, which makes it a weak, exploitable target for criminals. Your
challenge is to use a stronger, cost-effective authentication solution that is easy to use.
Capture the benefits of strong authentication
• Simple passwords are not enough protection
• Stronger access security uses multifactor authentication such as risk-triggered challenges, one-time passwords, or digital certificates
• Symantec’s strong authentication portfolio lets you mix and match the right solution for your requirements
A range of strong authentication technology from Symantec helps you overcome the
vulnerabilities associated with simple passwords by augmenting them with additional
authentication factors such as user device identifiers, risk-based challenges, one-time
passwords, or digital certificates. This approach raises the bar for would-be attackers because
even if they steal a user’s name and simple password, it’s still not enough to get in. Choosing the
best solution depends on your IT environment, your particular application or mix of applications,
related business requirements that may require stronger security, and cost or usability
considerations. Symantec solutions provide scalable, manageable, and cost-effective strong
authentication for meeting requirements to protect your enterprise applications.
Why You Need Strong Authentication
Reliance on simple, easy-to-guess passwords is inadequate for securing your critical applications and data. For example, of 400,000 accounts
compromised in a recent attack on a large Internet portal, the most common passwords were the actual word “password” and the numeric
string 123456.[1] Hackers exploit weak passwords with automated attacks that try combinations of letters and numbers until the right one is
found. Other hackers exploit social engineering with email or phone calls to trick unsophisticated users into divulging their password by
pretending to be a trusted company employee such as a technical support specialist.
Research shows that weak access security is a leading cause of data breaches – contributing to 82 percent of compromised records.[2] In large
organizations, use of stolen credentials is the biggest cause of breaches and compromised records (Verizon Report, p. 26). For incidents like
these, the use of a strong authentication solution can prevent the breach and compromise of sensitive data.
Office computer users and remote workers need strong authentication to protect access to sensitive information in their organizations'
servers and applications. Many government agencies such as the U.S. Department of Defense, or departments within government or
commercial financial institutions, require strong authentication to log on to office computers on their networks because of the highly
valuable and sensitive nature of these data. Strong authentication is also required or under consideration by some data protection
regulations for private industry such as PCI DSS for retail, FFIEC for financial services, and HIPAA/HITECH for healthcare.
Your business partners and customers are also well aware of security breaches and expect you to protect their data when used by your IT
systems. Your use of strong authentication will help to gain their trust. It will also prevent breaches caused by risky use of technology by
business partners and consumers. For example, business and consumer access to applications via mobile devices is rapidly growing. The use
of weak credentials for accessing sensitive business applications such as online shopping and banking can result in a breach.
1- http://www.businessinsider.com/most-popular-hacked-yahoo-passwords-2012-7
2- Verizon Business 2012 Data Breach Investigation Report (p. 25)
Assessing Options for Authentication
As you acknowledge the need for stronger access security, the quest to specify a solution for your environment begins by asking: which
authentication technology is the right one? The answer depends upon requirements determined by your applications and IT environment.
Authentication starts with “something you know,” which is a user ID and password. Passwords will have varying degrees of strength. Weak
passwords create vulnerabilities that facilitate hacking attacks such as guessing, brute force dictionary cracking, or man-in-the-middle
interception. While your organization can strengthen a simple password against guessing and dictionary attacks by enforcing rules about
their characteristics and lifespan, this often backfires because users will often take the risky step of writing them down in an insecure
location when they feel the rules make things too complex. And the rules won’t stop social engineering, capture, or interception attacks.
Two factors of proof make stronger authentication
A mandatory requirement for strong authentication is the best defense. Strong authentication
requires each person attempting access to present a second factor, which is “something you
have,” in addition to a password. Even if an unauthorized person obtained your password, they
could not gain access without the second factor. The strongest authentication systems use
technologies called one-time passwords (OTP) or digital certificates to completely remove the
vulnerabilities of password guessing or a man-in-the-middle attack. A use case with less
stringent security requirements can use a variant called risk-based authentication.
Risk-based Authentication
Risk-based authentication has recently gained acceptance as a reasonably good form of protecting logon security. One attraction is lower
cost: risk-based authentication does not require the use of tokens, smartcards, or biometrics. It’s a simpler type of multifactor
authentication that can significantly reduce costs associated with deployment to a large user population. It also eliminates associated
burdens that may negatively affect the usability of traditional solutions. Risk-based authentication works by establishing a baseline for
normal user behavior when logging on to a system, such as recording what device and/or location they normally use for access. With
risk-based authentication, when the logon behavior is normal, a simple password may be deemed acceptable. But when a logon is
attempted from an unknown device or from an unusual location, the user is challenged to enter an additional code, which is emailed to
them or sent to them via SMS text message. Risk-based authentication is included with Symantec™ Validation and Identity Protection (VIP).
Risk-based Authentication
Pros:
• Tokenless – no special application software or hardware required for users
• Lower cost for a large user base
• Easier for unsophisticated users
Cons:
• Optimal for web applications, but might not work with others
• Requires small, but necessary changes to server-based code of each web application
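The logon decision described above, as an added example that is not Symantec VIP's code: each user carries a baseline of the devices and locations they normally log on from; a matching logon accepts the password alone, and anything else triggers a single-use out-of-band code that, once entered correctly, adds the new device and location to the baseline. The user, device and location values are constructed for the demonstration.

```python
"""Risk-based step-up logon decision (added example, not Symantec's code)."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Optional, Set


@dataclass
class Baseline:
    """What 'normal' looks like for one user: constructed device/location ids."""
    devices: Set[str] = field(default_factory=set)
    locations: Set[str] = field(default_factory=set)
    pending_code: Optional[str] = None  # out-of-band code awaiting entry


def assess_logon(baseline: Baseline, device_id: str, location: str) -> str:
    """'allow' when both device and location match the baseline, else 'challenge'.
    An empty baseline (a user's first logon) is therefore always challenged."""
    if device_id in baseline.devices and location in baseline.locations:
        return "allow"
    return "challenge"


def issue_challenge(baseline: Baseline, send: Callable[[str], None]) -> None:
    """Generate a fresh 6-digit code and hand it to the SMS/email delivery hook.
    `send` is a hypothetical delivery callback supplied by the caller."""
    code = f"{secrets.randbelow(10 ** 6):06d}"
    baseline.pending_code = code
    send(code)


def complete_challenge(baseline: Baseline, entered: str,
                       device_id: str, location: str) -> bool:
    """Check the entered code exactly once; on success, learn the device/location."""
    expected = baseline.pending_code
    baseline.pending_code = None  # single use, whether or not it matched
    if expected is None or not hmac.compare_digest(expected, entered):
        return False
    baseline.devices.add(device_id)
    baseline.locations.add(location)
    return True


if __name__ == "__main__":
    user = Baseline(devices={"laptop-1"}, locations={"US-CA"})
    print(assess_logon(user, "laptop-1", "US-CA"))  # allow
    print(assess_logon(user, "phone-7", "US-CA"))   # challenge
```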
One-time Password Authentication
One-time-password (OTP) technology is a form of two-factor authentication (2FA). It’s often used for authenticating VPN and partner-facing
web portals. OTP may also serve well for some custom applications. As mentioned, OTP solutions augment traditional user names and
passwords with various choices for “something you have.” With OTP, a user PC, smartphone, or special hardware token may all serve as the
second factor during logon. With an OTP system, when a user enters the logon ID and password (the “first factor”), the system also requires
the user to enter a unique one-time code or password generated by software on their hardware token device, PC, or smartphone. One-time
password technology is also included in Symantec VIP.
One-time Password Based Authentication
Pros:
• Proven and time-tested security method
• No application changes required; is supported “out-of-box” by many applications and networking hardware via a standard protocol called RADIUS
• Available from a wide variety of suppliers and resellers
Cons:
• Its most secure mode requires a token, which can make it more costly than risk-based authentication (Note: Symantec VIP software tokens are free)
How to Choose the Right Kind of Strong Authentication
The Best Value
• Symantec VIP is cloud-based Software as a Service (SaaS). This lowers your cost and provides flexibility for remote access and other use cases.
• Symantec VIP provides more value: risk-based authentication and one-time password authentication in a single subscription.
If you need strong authentication for VPN, web, or cloud applications, you should consider a 2FA
solution that provides either risk-based or OTP authentication. The best 2FA solutions are both
easy to implement and easy to use—which is what makes them good choices for basic
requirements.
The implementation of risk-based versus OTP technology is a matter of business need and
customer preferences. For example, many organizations choose risk-based authentication for
consumer-facing applications because it will keep the cost down when there are many thousands
of users. One-time password is typically considered the best option for very high security
requirements.
Some 2FA solutions are difficult to implement and use, which discourages their use and defeats the purpose. Symantec VIP solves usability
challenges by supporting a wide variety of authentication options for end users, and also makes management easier for IT departments by
supporting industry standards such as RADIUS, and enterprise directories such as Microsoft Active Directory®. A self-service portal further
enhances the end-user experience and reduces the burden on IT. A standards-based, cloud-delivered solution such as Symantec VIP Service,
which includes both risk-based and OTP technology, will bring your organization more flexibility at a lower cost than alternatives requiring an
on-premise proprietary solution.
Strong Authentication with Digital Certificates
PKI Made Easy
• Symantec™ Managed PKI simplifies the complexity of using digital certificates. As a managed service, the infrastructure is ready to go. All you do is activate the account.
• Managed PKI automates client-side configuration of applications and makes the user experience transparent.
• Our solution saves you money because you don’t have to manage the systems. We do it for you.
Some application use-cases require a specific strong, 2FA technology called digital certificates.
Examples are user-specific authentication to Wi-Fi access points or network switches, encrypted
email, document signing for Adobe Certified Document Service or Microsoft Office, or device
authentication in mobile “Bring Your Own Device” (BYOD) initiatives.[3] All of these require using
digital certificates to take advantage of the most secure capabilities.
When an environment also includes VPN, web, or cloud applications, many organizations choose
to use digital certificates for these applications as well in order to integrate strong authentication
under one solution. All such applications must be certificate-enabled, which means some
applications might not include support for this type of strong authentication.
Digital certificates provide strong authentication through a cryptography method called Public
Key Encryption. To manage digital certificates properly requires a Public Key Infrastructure (PKI) such as Symantec Managed PKI.
The Symantec Managed PKI solution, like Symantec VIP Service, is also a cloud-based offering. This makes it much easier to deploy and
manage than on-premise PKI solutions such as Microsoft PKI software, and it handles more complex deployments than a 2FA solution.
Certificate-based Authentication
Pros:
• Enables strong authentication for applications requiring this mechanism
• Also supports most other applications, so you can boost efficiency and save money by using digital certificates for all strong authentication requirements
Cons:
• Requires a PKI system for managing the certificate lifecycle, so there is more complexity
• Requires client-side configuration of applications to use a certificate
3- For more examples, see our white paper, Why Digital Certificates are Essential for Managing Mobile Devices, http://www.symantec.com/content/en/us/enterprise/white_papers/b-why-certs-mobile-devices-wp-21259170-en.us.pdf
Symantec Strong Authentication Solutions
Symantec solutions’ features and capabilities will provide your enterprise with strong, scalable, and manageable authentication for
protecting online identities and interactions between consumers, business partners, and employees.
Symantec™ Validation and ID Protection (VIP) Service
A cloud-based service for preventing unauthorized access to sensitive networks and applications.
Case Study: First Tech Federal Credit Union
The Problem: The national credit union wanted to differentiate its services by offering highly secure options for online banking—without adding IT overhead.
Solution Used: Symantec Validation and ID Protection (VIP) Service with VIP Access for Mobile.
Results: First Tech has established a name for itself in offering convenient strong authentication for its customers. It achieved 100% reliability of delivery
Symantec VIP will replace your simple password security with strong, robust security for access
to your enterprise networks and applications, and prevent unauthorized access by malicious
attackers. Users have the same experience as before, but with the added security of a second
factor for authentication. Deployment is simple with an existing infrastructure and usually can be
pre-configured by an administrator.
Key Features
Cloud-based infrastructure – Secure, reliable, and scalable service delivers authentication
without requiring dedicated on-premise server hardware. Certified annually by third parties.
Multiple two-factor credential options – Deploy OTP credentials in a variety of hardware,
software, or mobile form factors.
Free mobile device credentials – Support for more than 900 mobile devices including Android™,
iOS®, Windows® Phone 7, J2ME®, and BREW.
Tokenless risk-based authentication – Leverage device and behavior profiling to implement
strong authentication and block risky logon attempts without the requirement of a hardware
credential.
Out-of-band authentication support – Authenticate users via SMS messages or voice-enabled
phone calls when elevated risk is detected.
(First Tech case study, continued) of one-time passwords for mobile members. The VIP Network also expanded customers’ options for OTP access to multiple First Tech accounts. Finally, the cloud-based solution enabled national deployment without additional IT overhead.[4]
Transaction monitoring support – Evaluate activity related to end-user’s monetary transactions,
including anomalous amount, anomalous destination, transaction velocity anomaly, and high
risk touch points, which allows your organization to challenge the user with an additional factor
of authentication.
Self-service credential provisioning – Deploy strong authentication to consumers without
requiring IT helpdesk or administrator configuration or intervention.
Web-based application integration – Add strong authentication to your application using the
Symantec VIP web services API in your preferred programming language.
Enterprise infrastructure support – Also integrates with popular enterprise VPNs, webmail, SSO applications, and corporate directories to
support internal mobile applications.
Case Study: Triton Systems of Delaware, LLC
The Problem: This leading provider of off-premise automated teller machines in North America needed to support remote key transport while eliminating the cost of having two engineers visit each ATM when master key codes required changing.
Solution Used: Symantec Managed PKI Service
Results: Triton Systems became the first retail ATM manufacturer to market with a remote key transport feature, which increased competitive advantage. Triton’s ATM owners can now save more than $450 in costs for the life of each machine – without compromising security or reliability.[5]
Symantec™ Managed PKI Service
A cloud-based service to power strong authentication, encryption, and digital signing applications.
As your enterprise electronically conducts more transactions and correspondence, there is a
growing need to authenticate users, restrict access to confidential information, and verify
integrity or origination of sensitive documents. Symantec Managed PKI Service, based on Public
Key Infrastructure, will allow your enterprise to provide this level of strong trust-based security.
It can implement multi-purpose credentials; is good for one-to-many applications such as email;
works both online and offline; and supports multiple cryptographic use-cases such as
authentication, encryption, and non-repudiation. With PKI, you can facilitate tighter integration
with your business partners, protect data against internal and external threats, ensure business
continuity, and maintain compliance with government and corporate regulations.
Key Features
Trusted, cloud-based infrastructure – Backed by 24 hours a day, 7 days a week, 365 days a year
monitoring, management, and escalation across the globe with full disaster recovery. Certified
annually by a third-party as part of a SSAE 16/SOC 2 security audit, regular WebTrust audits, and
specialized government audits.
Broad application support – Managed PKI issues X.509 certificates that interoperate with a wide
variety of operating systems, devices, VPN, mail, and web browser software. Providing certificate
profiles for common applications enables strong authentication, email encryption and signing,
and document signing (Adobe PDF signing).
Automated certificate lifecycle management – Automates configuration of common
authentication, encryption, and signing applications across multiple platforms and browsers.
4- http://www.symantec.com/content/en/us/enterprise/customer_successes/b-first_tech_federal_cu_CS.en-us.pdf
5- http://www.symantec.com/content/en/us/enterprise/customer_successes/b-triton_systems_CS.en-us.pdf
Our client software automatically configures a user’s browser, VPN client, mail client, or other application to use Symantec certificates. It
also automates the process of renewing certificates, preventing expired certificates from interrupting business continuity.
Symantec O3™ For Authenticating Cloud Applications
Many organizations are putting applications in the cloud to save money. As an unintended consequence, IT often loses control of access and
end users often take a hit in usability—especially when they are authenticating to multiple cloud applications. The practical pitfall is recalling
different authentication credentials for the various applications. A common response by users is to re-use a single credential for all the
applications. This behavior will weaken your security and magnify the risk of a breach.
Symantec™ O3 enables strong single sign-on across cloud, software-as-a-service (SaaS), and web applications and services. It readily
integrates with existing identity sources such as Active Directory, LDAP, and relational databases. It also federates authentication for the
various cloud/web services, and offers users a simple single-sign-on experience. The solution also maintains a context-based policy engine to
oversee access control.
For more information about Symantec O3, see https://www4.symantec.com/mktginfo/RSA_2012/assets/SymantecO3Datasheet.pdf
Make the Move to Strong Authentication
With Symantec, you can quickly enable the benefits of strong access security in corporate and customer-facing applications. Depending on
application requirements, you will need one of three solutions: risk-based authentication (Symantec VIP), a 2FA solution with one-time
passwords (Symantec VIP), or a digital certificate-based solution (Symantec Managed PKI). To learn more, call your Symantec account
representative or visit our Symantec User Authentication Solutions page at http://www.symantec.com/products-solutions/families/?fid=user-authentication.
Choosing the Right Authentication Method

Application Use Cases            | Symantec VIP: One-Time Passwords | Symantec VIP: Risk-based | Symantec Managed PKI: Digital Certificates
Virtual Private Networks (VPNs)  | √                                | √                        | *
Web/Cloud-based Applications     | √                                | √                        | *
Secure Wireless Access           |                                  |                          | √
Secure Email                     |                                  |                          | √
Document Signing                 |                                  |                          | √
Support for BYOD Initiatives     |                                  |                          | √

* Supported as a secondary use case