Enhance network security with Multi-Factor Authentication for BYOD and guest access
Download as PPTX, PDF6 likes2,802 views
The document discusses enhancing network security through multi-factor authentication (MFA) for BYOD and guest access, highlighting the importance of balancing security with user simplicity. It reviews current MFA trends, including the shift from hardware tokens to mobile and cloud-based solutions, and emphasizes policy-based MFA to improve security practices while reducing breaches. The document also outlines future directions for MFA, focusing on user behavior and contextual authentication to adapt to the evolving security landscape.
Enhance network security with Multi-Factor Authentication for BYOD and guest access
- 1. #ATM16 Enhance Network Security with Multi-Factor Authentication for BYOD and Guest Access Garth Benedict Randy Garcia Michael A. Tarinelli March 31, 2016 @ArubaNetworks |
- 3. 3#ATM16 Mobility Changing the Security Dynamic Distributed and mobile work force Demand for simplicity Security requirements remain Strong authentication Encryption End point protection etc.
- 4. 4#ATM16 Security vs. Simplicity - Customer demand for the “coffeehouse” experience - Industry forced to drive security solutions at every level - Failure to act could result in data breach and identity theft
- 5. 5#ATM16 A Perfect Match - Simplicity and Security – not mutually exclusive - 2FA/MFA Reboot – new and innovative players in the multi-factor authentication space - Enhance MFA with ClearPass Policy Manager - Explore Adaptive Trust - Use policy to provide “defense in depth” overlay to MFA solution
- 6. 6#ATM16 Benefits of Policy Based MFA –Reduce Breaches and save $$$ –Increase credibility among your peers and customers with new and innovative approaches to MFA implementation.
- 8. 8#ATM16 What is 2FA? What is MFA? - Two-factor authentication (2FA) provides a second layer of security to any type of login, requiring extra information or a physical device to log in, in addition to your password - Multi-factor authentication is the same but >2 - Something you have… - E.g. The dreaded token - Something you are… - - e.g. Thumbprint - Something you know - E.g. username and password
- 9. 9#ATM16 Not your grandma’s MFA Current Trends of MFA (Cloud + Mobile) - New companies launching innovative solutions (DUO, Authy, Yubico, etc.) - Leverages mobile device for additional factors - OTP, Click, swipe, proximity, biometric options, USB key, SDKs, etc. Legacy Providers - Hardware tokens from RSA, Safenet, Vasco, McAffee, etc. - Hated by end users and IT departments alike - Move to soft tokens and mobile well underway
- 10. 10#ATM16 New Players vs. Legacy Establishment Cloud + Mobile is the trend Leveraging smart device + App Making huge strides Incumbents still have market share Supported for years on CPPM Pivoting to Cloud + Mobile strategy
- 11. 11#ATM16 Security Concerns - 95 percent of breaches involve the exploitation of stolen credentials. - The misuse of administrative privileges is a primary method for attackers to spread inside a target enterprise - elevation of privileges by guessing or cracking a password for an administrative user - Sharing passwords - Attackers take advantage of network devices becoming less securely configured over time
- 12. 12#ATM16 Wait! Its hard to use! Importance of MFA - Yes. It does introduce an extra step - But, it’s a key element of any “defense in depth” strategy - Innovate with new tools that are more user friendly - Reduce the burden and leverage Policy to force MFA and times and places of your choosing. - Attackers take advantage of network devices becoming less securely configured over time
- 13. 13#ATM16 Where is MFA Headed? 3rd Party Integrations - Many new and existing companies providing services - Cloud and mobile application based - Combination of clicks, gestures, proximity, puzzles and biometric methods - All have their challenges (just as the old tokens did) - SaaS, Guest/BYOD, network admin and network access use cases User Behavior - The biggest barrier to adoption (on both the IT and user side) - Mobile adoption and addiction presents opportunity - Take a broader approach to authorization - Leverage context to trigger mobile based MFA on demand - Leverage Microsoft InTune or MDM for Windows Laptops
- 14. 14 ClearPass and Adaptive Trust Introducing a new approach to MFA
- 15. 15#ATM16 Users that work from anywhere and devices that roam Access privileges and authentication based on user- and device-roles Mobility – The New Fight
- 16. 16#ATM16 HOME OFFICE/ROAD WARRIORS Access on VPNs, mostly open SSIDs Same privileges and authentication as when in the office The Extended Enterprise
- 17. 17#ATM16 ClearPass at a Glance AAA • RADIUS • TACACS Context Based Policy • Directory • Profiling • Location • Application ClearPass Exchange • Modern style RESTful API • Context Rich • Partner Ecosystem Mobility Use Cases • Guest • OnBoard (BYOD, CA) • OnGuard (Posture) Adaptive Trust
- 18. 18#ATM16 Static Perimeter Defense IDS/IPS Firewalls Adaptive Trust Defense Perimeter Defense Auth and Automation Physical Components A/V Security and Policy for each user or group Web gateways Time for a New Defense Model
- 19. 19#ATM16 Benefits of Adaptive Trust Complete End-to-End Protection ClearPass Policies Perimeter Defense MDM/EMM Aruba verified integration workflows✔ ClearPass as policy and context store ✔ Accurate rules enforcement✔ All infrastructure and security components work together ✔
- 20. 20 User and Device Security policy adapts to need Context sharedEmployee access • Thomas • Mac OS 10.9.3 • Marketing • 10.0.1.12 Works with AD, LDAP, ClearPass dB, SQL dB No agents/clients required Adaptive Trust Context Sharing
- 21. 21#ATM16 Using Policy to drive on demand MFA – Based on Time – Once a day or week – If you have not logged on from this device in the past 14 days – If your device was unhealthy in the past 30 days – Based on Posture – If your device posture changes to unhealthy – If any of your other devices posture changes to unhealthy – If a company alert or security check is issued – Based on other Context – User has never logged on from this location – User has failed user authentication 3 times – 3rd Party application or system triggers MFA
- 22. 22 Putting it all together MFA and Policy in Action - Demos
- 23. 23#ATM16 Demo 1 – Place Holder - Explanation and Workflow
- 24. 24#ATM16 Demo 1 – Place Holder - Screen Shots
- 25. 25#ATM16 Demo 2 – Place Holder - Explanation and Workflow
- 26. 26#ATM16 Demo 2 – Place Holder - Screen Shots
- 27. 27#ATM16 Demo 3 – Place Holder - Explanation and Workflow
- 28. 28#ATM16 Demo 3 – Place Holder - Screen Shots
- 29. 29#ATM16 Close Includes slides, color spots speaker remarks
- 30. 30#ATM16 Join Aruba’s Titans of Tomorrow force in the fight against network mayhem. Find out what your IT superpower is. Share your results with friends and receive a free superpower t-shirt. www.arubatitans.com
- 31. Month day, year
Editor's Notes
- #4: The Situation and the Challenge MOBILITY AND THE DEMAND FOR SIMPLICITY ARE HERE TO STAY BUT SECURITY REQUIREMENTS REMAIN
- #5: The Implication – specifically bullet 3 EVERYONE EXPECTS TO BE CONNECRTED AND CONDUCT BUISINESS IN THE SAME WAS WE ARE CONNECTED AND CONDUCT OUR PERSONAL BUSINESS. ANYWHERE ANYTIME. IT SECURITY IS CHALLENED TO TO COME UP WITH INNOVATIVE SOLUTIONS TO MATCH THE NEW WORLD
- #6: THE ARUBA POSTION – THIS IS WHAT WE WANT THE AUDIENCE TO BELIEVE CONSIDER NEW TOOLS THAT HAVE DRIVEN INNOVATION TO LEGACY SECURTY SOLUTIONS (E.G. MFA) MARRY THESE TOOLS WITH CLEARPASS POLICY ENGINE TO MAKE THE SOLUTION MORE ELEGANT. ENFORCE MFA WHEN AND WHERE YOU WANT VIA POLICY
- #7: The Benefit THIS IS WHY OUR POSITION MATTERS. IT WILL HAVE BENEFITS. THIS SLIDE NEEDS WORK OBVIOUSLY Poll audience Assess established customer vs. newbie ratio Benefits MFA could reduce risk thus save money Innovative MFA solutions could elevate credibility among peers and customers
- #8: TRANSITION. BLANK SCREEN. CHECK IN WITH AUDIENCE. GET THEIR ATTENTION BACK ON US. WHAT FOLLOW IS NOT SPECIFIC TO ARUBA. IT’S A BIT OF AN OVERVIEW AND INDUSTRY UPDATE.
- #9: SOMETHING YOU HAVE, SOMETHIG YOU KNOW, SOMETHING YOU ARE
- #10: INDUSTRY SHIFT TOWARDS NEW APPROACHES DRIVEN BY MOBILITY AND PREVALANCE OF SMART DEVICES
- #11: OF COURSE THE ESTABLISHED VENDORS ARE GOING NO WHERE AND HAVE MARKET SHARE. THEY ARE ALSO PIVOTING BUT MOVING SLOWLY. THIS SLOW SHIF HAS ALLOWED NEW INNOVATORS TO GAIN SIGNIFCANT FOOT HOLD
- #12: FROM SANS.ORG: USE MFA FOR ALL ADMIN ACCESS TO PROTECT NETWORK FROM ATTACH. SANS NOTES MANY MFA TECHNIQUES. NOTE: CONSIDER AN FOLLOWUP SLIDE WITH MORE EDUCATION AND TERMINOLOGY Use multi-factor authentication for all administrative access, including domain administrative access. Multi-factor authentication can include a variety of techniques, to include the use of smart cards, certificates, One Time Password (OTP) tokens, biometrics, or other similar authentication methods.
- #13: AS ELEGANT AS THE NEW SOLUTIONS ARE ITS STILL AN UNDENIABLE NEXT STEP SO THE IMPORTANCE OF INNOVATION AND USING POLICY TO LIMIT THE FREQUENCY OF THE NEXT STEP MIGHT BE NICE
- #14: WE’VE ALREADY TALKED ABOUT THE NEW PLAYERS NOW TALK ABOUT THE ELEMENTS – FINGER PRINTS, TAP A BUTTON, SWIPE, SHAKE, ALSO TALK ABOUT AND SHOW EXAMPLES OF WHERE WE SEE THIS TODAY IN THE CONSUMER SPACE. THIS SLIDE NEEDS WORK.
- #15: TRANSITION SLIDE. WE WILL GIVE AN ARUBA CLEARPASS OVERVIEW IN THIS SECTION. ONE SLIDE TO EXPLAIN THE CLEARPASS PLATFORM. WE CAN’T ASSUME WHOLE AUDIENCE KNOWS OUR STUFF. REST OF SLIDES EXPLAIN ADAPATIVE TRUST, CP EXCHANGE AND THIS IS IMPORTANT FOR THE TAKE HOME POINT OF USING POLICY TO ENHANCE MFA
- #16: MOBILITY – USERS ARE EVERYWHERE AND SO IS YOUR SECURITY PERIMITER. Even though wired connections still exist, faster and more reliable wireless and cellular networks have increased a users ability to work from anywhere, at any time. While increasing productivity and user satisfaction, IT must plan for and tackle new security concerns that comes with mobile users and mobile devices as they roam a campus or travel to a remote site. Stress that each location, device type and access method used can pose new challenges. The key is to deploy a solution that leverages identity information for users and devices. If a laptop is connected to wired at a desk, they have to expect that the same user may connect a tablet to the network on another floor or in the next building. IT needs a way to enforce policies that do not put limits on how people actually work today. We’re mobile…
- #17: MANY COMPANIES ARE SHIFTING HOTEL MODEL, WFH ETC. ROAD WARRIOR CULTURE IS GROWING. NEED TO CONSIDER LOCATION AS A KEY ELEMENT OF SECURITY POLICY. The same is true for home offices and when connecting to guest networks. IT should have a common way of authenticating users even when connecting over VPNs. You can mention that ClearPass works when users connect over popular VPN solutions, as well as when using our VIA client or RAPs. While IT can assign the same privileges to users when on the road, they can also alter access too. They may not want to let users get to extremely confidential data while a user is using something other than an IT-issued laptop from a public venue, like a coffee shop or airport terminal. This is also a good time to ask if MDM/EMM is being used or is being considered. This will let IT force the use of pin codes on smart phones and tablets, create secure containers for enterprise data and perform wipes when users are off-net. It ties in well with network access services like those provided by ClearPass. Now lets look at IT concerns.
- #18: EXPLAIN THAT CLEARPASS IS A TRIPLE A PLATFORM. MENTION GUEST, OB, OG IF YOU WANT. FOCUS ON EXCHANGE AND POLICY.
- #19: INTRODUCE ADAPATIVE TRUST CONCEPT. MOST COMPANIES GOING BEST OF BREED. PERIMETER IS WHERE YOUR END USER IS. LEVERAGE CONTEXT AND ENFORCE POLICY. While IT has busily deployed a number of physical and software security mechanisms like Palo Alto, Tipping Point, MobileIron, and others for protecting the perimeter, #GenMobile has completely diluted the notion of a fixed perimeter – it doesn’t exist in a mobile world where users connect and work from anywhere. To head off any risks, many enterprise IT organizations are resorting to extreme measures by adopting a zero-trust approach to security. Unfortunately, zero-trust treats everyone like potential adversaries. What’s needed is a policy solution that leverages user and device data to make smarter decisions based on each user’s mobility needs. ClearPass as the authentication source sits at the heart of this new defense model as each user and device first gets authenticated before being allowed to forward traffic. Because of these first-step we’ve built-in bi-directional APIs and syslog messaging that lets us share and ingest data to either allow devices full connectivity or remove a device from the network Lets look at ClearPass Exchange.
- #20: TALK ABOUT THE MANY PLAYERS (VENDORS) OUT THERE THAT COMPRISE A SECURITY ARCHITECURE AND HOW WE TAP IN AND GLUE IT ALL TOGETHER. Adaptive Trust offers end-to-end protection needed for today’s GenMobile behavior and risks. Make sure to articulate that by leveraging all of your infrastructure you gain the ability to protect your data inside and outside of the perimeter. And as more organizations opt in for best of breed security solutions, ClearPass provides multivendor interoperability for any network and security solution.
- #21: EXPLAIN THE CONTEXT AWARE APPROACH. POLICY ADAPTS BASED ON CONTEXT. In this example, a customer with Palo Alto, Fortinet or Check Point firewalls can create accurate traffic specific policies based on user and device specific attributes. Very granular policies can be created for employees, as well as for guests as ClearPass can be used as an identity store and context server. Differentiated access can be granted per device as the firewalls will know each device that is associated with a specific user.
- #22: BOOM. WE FINALLY START TO PUT IT ALL TOGETHER. WE LEARNED ABOUT THE NEW PLAYERS. WE LEARNED ABOUT THE INNOVATION. WE HAVE OUR CONTEXT ADAPATIVE TRUST FRAME WORK LAID. NOW EXPLAIN HOW YOU CAN USE POLICY TO MAKE DECISIONS ABOUT WHEN AND WHERE TO IMPLEMENT MFA. START TO TEE UP DEMOS.
- #23: DEMO TIME. WORK FLOW DIAGRAMS AND SCREEN SHOTS PENDING.
- #31: Contest Overview - Aruba is running a marketing campaign where we ask “What is your IT superpower?” - Go to arubatitans.com to take a quick quiz to discover your superpower. - Share your results with friends and encourage others to play the game - Once you share, go to the Social and Community Hub, Gracia Commons, 3rd fl to pick up your free superpower shirt. FAQ 1. What do I have to do to get a shirt? Share your IT superpower results with friends and encourage them to play the game. Then come to the Social & Community Hub, 3rd Floor Gracia Commons to pick up your shirt. We just need your name and badge for verification. 2. Where do I get my shirt? Come to the #ATM16 Social & Community hub located at Gracia Commons on the 3rd Floor 3. Do I have to be at the event to get the shirt? Yes. You have to be at #ATM16 to get a shirt. 4. Can I get my colleague a shirt? He/she is in a session right now. Unfortunately not. We encourage your colleague to participate so that they can win a shirt for themselves. 5. Can I bring a shirt home for my colleague? Unfortunately not. You have to be at #ATM16 to get a shirt. 6. You don’t have a shirt in my size, can you ship the right size to me later? Unfortunately not. Please select the best size from our inventory on site.