Enhance your network security by introducing Multi-Factor Authentication (MFA) into new or existing use cases. New threats, risks, and vulnerabilities, as well as evolving business requirements, underscore the need for a strong authentication approach based on simple service delivery, choice, and future-forward scalability. Learn how to create time-, location- and event-driven policies that trigger new MFA workflows. Managed or unmanaged devices can be leveraged using secure MFA solutions from a variety of 3rd-party providers and, when combined with SSO, provide a much simpler and more secure user experience than traditional two-factor authentication methods.
Enhance network security with Multi-Factor Authentication for BYOD and guest access
1. #ATM16
Enhance Network Security with Multi-Factor Authentication for BYOD and Guest Access
Garth Benedict
Randy Garcia
Michael A. Tarinelli
March 31, 2016 @ArubaNetworks
3. Mobility Changing the Security Dynamic
- Distributed and mobile work force
- Demand for simplicity
- Security requirements remain
  - Strong authentication
  - Encryption
  - End point protection, etc.
4. Security vs. Simplicity
- Customer demand for the “coffeehouse” experience
- Industry forced to drive security solutions at every level
- Failure to act could result in data breach and identity theft
5. A Perfect Match
- Simplicity and Security – not mutually exclusive
- 2FA/MFA Reboot – new and innovative players in the multi-factor authentication space
- Enhance MFA with ClearPass Policy Manager
- Explore Adaptive Trust
- Use policy to provide a “defense in depth” overlay to the MFA solution
6. Benefits of Policy Based MFA
- Reduce breaches and save $$$
- Increase credibility among your peers and customers with new and innovative approaches to MFA implementation.
8. What is 2FA? What is MFA?
- Two-factor authentication (2FA) provides a second layer of security to any type of login, requiring extra information or a physical device to log in, in addition to your password
- Multi-factor authentication is the same but with >2 factors
  - Something you have… e.g. the dreaded token
  - Something you are… e.g. thumbprint
  - Something you know… e.g. username and password
9. Not your grandma’s MFA
Current Trends of MFA (Cloud + Mobile)
- New companies launching innovative solutions (Duo, Authy, Yubico, etc.)
- Leverages the mobile device for additional factors
- OTP, click, swipe, proximity, biometric options, USB key, SDKs, etc.
Legacy Providers
- Hardware tokens from RSA, SafeNet, Vasco, McAfee, etc.
- Hated by end users and IT departments alike
- Move to soft tokens and mobile well underway
10. New Players vs. Legacy Establishment
New Players
- Cloud + Mobile is the trend
- Leveraging smart device + App
- Making huge strides
Legacy Establishment
- Incumbents still have market share
- Supported for years on CPPM
- Pivoting to Cloud + Mobile strategy
11. Security Concerns
- 95 percent of breaches involve the exploitation of stolen credentials.
- The misuse of administrative privileges is a primary method for attackers to spread inside a target enterprise
  - Elevation of privileges by guessing or cracking a password for an administrative user
  - Sharing passwords
- Attackers take advantage of network devices becoming less securely configured over time
12. Wait! It’s hard to use!
Importance of MFA
- Yes. It does introduce an extra step
- But it’s a key element of any “defense in depth” strategy
- Innovate with new tools that are more user friendly
- Reduce the burden and leverage policy to force MFA at times and places of your choosing.
13. Where is MFA Headed?
3rd Party Integrations
- Many new and existing companies providing services
- Cloud and mobile application based
- Combination of clicks, gestures, proximity, puzzles and biometric methods
- All have their challenges (just as the old tokens did)
- SaaS, Guest/BYOD, network admin and network access use cases
User Behavior
- The biggest barrier to adoption (on both the IT and user side)
- Mobile adoption and addiction presents an opportunity
- Take a broader approach to authorization
- Leverage context to trigger mobile-based MFA on demand
- Leverage Microsoft Intune or MDM for Windows laptops
15. Mobility – The New Fight
- Users that work from anywhere and devices that roam
- Access privileges and authentication based on user- and device-roles
19. Benefits of Adaptive Trust
Complete End-to-End Protection (ClearPass Policies, Perimeter Defense, MDM/EMM)
✔ Aruba verified integration workflows
✔ ClearPass as policy and context store
✔ Accurate rules enforcement
✔ All infrastructure and security components work together
20. Adaptive Trust Context Sharing
- User and Device: security policy adapts to need
- Context shared – Employee access: Thomas, Mac OS 10.9.3, Marketing, 10.0.1.12
- Works with AD, LDAP, ClearPass dB, SQL dB
- No agents/clients required
21. Using Policy to drive on demand MFA
- Based on Time
  - Once a day or week
  - If you have not logged on from this device in the past 14 days
  - If your device was unhealthy in the past 30 days
- Based on Posture
  - If your device posture changes to unhealthy
  - If the posture of any of your other devices changes to unhealthy
  - If a company alert or security check is issued
- Based on other Context
  - User has never logged on from this location
  - User has failed user authentication 3 times
  - 3rd Party application or system triggers MFA
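To show how the trigger list on this slide becomes an evaluable policy, here is an added Python illustration that is not ClearPass code or part of the deck; the AuthContext fields, the thresholds and the baseline sample values are constructed assumptions, and ClearPass expresses the equivalent rules in its own policy manager.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta
NOW = datetime(2016, 3, 31, 9, 0)  # constructed "current time" for the sample context

@dataclass
class AuthContext:
    """Facts a policy engine sees at login. Defaults form a constructed quiet baseline:
    known device, MFA done two hours ago, healthy posture, familiar location."""
    now: datetime = NOW
    last_mfa: datetime | None = NOW - timedelta(hours=2)             # last completed MFA
    last_login_on_device: datetime | None = NOW - timedelta(days=1)  # None: device never seen
    last_unhealthy: datetime | None = None   # last time this device was found unhealthy
    posture: str = "healthy"                  # current device posture
    previous_posture: str = "healthy"
    other_device_unhealthy: bool = False      # any other device of this user unhealthy now
    security_alert: bool = False              # company alert or security check issued
    location: str = "HQ"
    known_locations: set[str] = field(default_factory=lambda: {"HQ", "Home"})
    failed_auths: int = 0
    external_trigger: bool = False            # a 3rd-party application asked for MFA

MFA_INTERVAL, DEVICE_IDLE_LIMIT = timedelta(days=1), timedelta(days=14)   # "once a day"
UNHEALTHY_LOOKBACK, FAILED_AUTH_LIMIT = timedelta(days=30), 3

def mfa_reasons(ctx: AuthContext) -> list[str]:
    """Return every rule from the slide that fires; an empty list means no step-up."""
    hits = []
    # Based on time
    if ctx.last_mfa is None or ctx.now - ctx.last_mfa >= MFA_INTERVAL:
        hits.append("no MFA completed in the past day")
    if ctx.last_login_on_device is None or ctx.now - ctx.last_login_on_device > DEVICE_IDLE_LIMIT:
        hits.append("device not used in the past 14 days")
    if ctx.last_unhealthy is not None and ctx.now - ctx.last_unhealthy <= UNHEALTHY_LOOKBACK:
        hits.append("device was unhealthy in the past 30 days")
    # Based on posture
    if ctx.posture == "unhealthy" and ctx.previous_posture != "unhealthy":
        hits.append("device posture changed to unhealthy")
    if ctx.other_device_unhealthy:
        hits.append("another device of this user is unhealthy")
    if ctx.security_alert:
        hits.append("company alert or security check issued")
    # Based on other context
    if ctx.location not in ctx.known_locations:
        hits.append("user has never logged on from this location")
    if ctx.failed_auths >= FAILED_AUTH_LIMIT:
        hits.append("user failed authentication 3 times")
    if ctx.external_trigger:
        hits.append("3rd-party system triggered MFA")
    return hits
```

Returning the list of reasons rather than a bare yes/no is what lets the step-up be logged and explained to the user, which the slide's "reduce the burden" point depends on.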
30. Join Aruba’s Titans of Tomorrow force in the fight against network mayhem. Find out what your IT superpower is. Share your results with friends and receive a free superpower t-shirt.
www.arubatitans.com
The Situation and the Challenge
MOBILITY AND THE DEMAND FOR SIMPLICITY ARE HERE TO STAY BUT SECURITY REQUIREMENTS REMAIN
The Implication – specifically bullet 3
EVERYONE EXPECTS TO BE CONNECTED AND CONDUCT BUSINESS IN THE SAME WAY WE ARE CONNECTED AND CONDUCT OUR PERSONAL BUSINESS. ANYWHERE, ANYTIME. IT SECURITY IS CHALLENGED TO COME UP WITH INNOVATIVE SOLUTIONS TO MATCH THE NEW WORLD.
THE ARUBA POSITION – THIS IS WHAT WE WANT THE AUDIENCE TO BELIEVE
CONSIDER NEW TOOLS THAT HAVE DRIVEN INNOVATION TO LEGACY SECURITY SOLUTIONS (E.G. MFA). MARRY THESE TOOLS WITH THE CLEARPASS POLICY ENGINE TO MAKE THE SOLUTION MORE ELEGANT. ENFORCE MFA WHEN AND WHERE YOU WANT VIA POLICY.
The Benefit
THIS IS WHY OUR POSITION MATTERS. IT WILL HAVE BENEFITS. THIS SLIDE NEEDS WORK OBVIOUSLY
Poll audience
Assess established customer vs. newbie ratio
Benefits
MFA could reduce risk thus save money
Innovative MFA solutions could elevate credibility among peers and customers
TRANSITION. BLANK SCREEN. CHECK IN WITH AUDIENCE. GET THEIR ATTENTION BACK ON US. WHAT FOLLOWS IS NOT SPECIFIC TO ARUBA. IT’S A BIT OF AN OVERVIEW AND INDUSTRY UPDATE.
SOMETHING YOU HAVE, SOMETHING YOU KNOW, SOMETHING YOU ARE
INDUSTRY SHIFT TOWARDS NEW APPROACHES DRIVEN BY MOBILITY AND PREVALENCE OF SMART DEVICES
OF COURSE THE ESTABLISHED VENDORS ARE GOING NOWHERE AND HAVE MARKET SHARE. THEY ARE ALSO PIVOTING BUT MOVING SLOWLY. THIS SLOW SHIFT HAS ALLOWED NEW INNOVATORS TO GAIN A SIGNIFICANT FOOTHOLD.
FROM SANS.ORG: USE MFA FOR ALL ADMIN ACCESS TO PROTECT THE NETWORK FROM ATTACK. SANS NOTES MANY MFA TECHNIQUES.
NOTE: CONSIDER A FOLLOW-UP SLIDE WITH MORE EDUCATION AND TERMINOLOGY
Use multi-factor authentication for all administrative access, including domain administrative access. Multi-factor authentication can include a variety of techniques, to include the use of smart cards, certificates, One Time Password (OTP) tokens, biometrics, or other similar authentication methods.
AS ELEGANT AS THE NEW SOLUTIONS ARE, IT’S STILL AN UNDENIABLE EXTRA STEP, SO STRESSING THE IMPORTANCE OF INNOVATION AND OF USING POLICY TO LIMIT THE FREQUENCY OF THAT STEP MIGHT BE NICE.
WE’VE ALREADY TALKED ABOUT THE NEW PLAYERS. NOW TALK ABOUT THE ELEMENTS – FINGERPRINTS, TAP A BUTTON, SWIPE, SHAKE. ALSO TALK ABOUT AND SHOW EXAMPLES OF WHERE WE SEE THIS TODAY IN THE CONSUMER SPACE.
THIS SLIDE NEEDS WORK.
TRANSITION SLIDE. WE WILL GIVE AN ARUBA CLEARPASS OVERVIEW IN THIS SECTION. ONE SLIDE TO EXPLAIN THE CLEARPASS PLATFORM. WE CAN’T ASSUME THE WHOLE AUDIENCE KNOWS OUR STUFF. THE REST OF THE SLIDES EXPLAIN ADAPTIVE TRUST AND CP EXCHANGE, AND THIS IS IMPORTANT FOR THE TAKE-HOME POINT OF USING POLICY TO ENHANCE MFA.
MOBILITY – USERS ARE EVERYWHERE AND SO IS YOUR SECURITY PERIMETER.
Even though wired connections still exist, faster and more reliable wireless and cellular networks have increased a user's ability to work from anywhere, at any time. While this increases productivity and user satisfaction, IT must plan for and tackle the new security concerns that come with mobile users and mobile devices as they roam a campus or travel to a remote site.
Stress that each location, device type and access method used can pose new challenges. The key is to deploy a solution that leverages identity information for users and devices. If a laptop is connected to the wired network at a desk, IT has to expect that the same user may connect a tablet to the network on another floor or in the next building. IT needs a way to enforce policies that do not put limits on how people actually work today. We’re mobile…
MANY COMPANIES ARE SHIFTING HOTEL MODEL, WFH ETC. ROAD WARRIOR CULTURE IS GROWING. NEED TO CONSIDER LOCATION AS A KEY ELEMENT OF SECURITY POLICY.
The same is true for home offices and when connecting to guest networks. IT should have a common way of authenticating users even when connecting over VPNs. You can mention that ClearPass works when users connect over popular VPN solutions, as well as when using our VIA client or RAPs.
While IT can assign the same privileges to users when on the road, they can also alter access too. They may not want to let users get to extremely confidential data while a user is using something other than an IT-issued laptop from a public venue, like a coffee shop or airport terminal.
This is also a good time to ask if MDM/EMM is being used or is being considered. This will let IT force the use of pin codes on smart phones and tablets, create secure containers for enterprise data and perform wipes when users are off-net. It ties in well with network access services like those provided by ClearPass.
Now let’s look at IT concerns.
EXPLAIN THAT CLEARPASS IS A TRIPLE A PLATFORM. MENTION GUEST, OB, OG IF YOU WANT. FOCUS ON EXCHANGE AND POLICY.
INTRODUCE THE ADAPTIVE TRUST CONCEPT. MOST COMPANIES ARE GOING BEST OF BREED. THE PERIMETER IS WHERE YOUR END USER IS. LEVERAGE CONTEXT AND ENFORCE POLICY.
While IT has busily deployed a number of physical and software security mechanisms like Palo Alto, Tipping Point, MobileIron, and others for protecting the perimeter, #GenMobile has completely diluted the notion of a fixed perimeter – it doesn’t exist in a mobile world where users connect and work from anywhere. To head off any risks, many enterprise IT organizations are resorting to extreme measures by adopting a zero-trust approach to security.
Unfortunately, zero-trust treats everyone like potential adversaries. What’s needed is a policy solution that leverages user and device data to make smarter decisions based on each user’s mobility needs.
ClearPass as the authentication source sits at the heart of this new defense model, as each user and device first gets authenticated before being allowed to forward traffic. Because of this first step, we’ve built in bi-directional APIs and syslog messaging that let us share and ingest data to either allow devices full connectivity or remove a device from the network.
Let’s look at ClearPass Exchange.
TALK ABOUT THE MANY PLAYERS (VENDORS) OUT THERE THAT COMPRISE A SECURITY ARCHITECTURE AND HOW WE TAP IN AND GLUE IT ALL TOGETHER.
Adaptive Trust offers end-to-end protection needed for today’s GenMobile behavior and risks. Make sure to articulate that by leveraging all of your infrastructure you gain the ability to protect your data inside and outside of the perimeter. And as more organizations opt in for best of breed security solutions, ClearPass provides multivendor interoperability for any network and security solution.
EXPLAIN THE CONTEXT AWARE APPROACH. POLICY ADAPTS BASED ON CONTEXT.
In this example, a customer with Palo Alto, Fortinet or Check Point firewalls can create accurate traffic specific policies based on user and device specific attributes. Very granular policies can be created for employees, as well as for guests as ClearPass can be used as an identity store and context server. Differentiated access can be granted per device as the firewalls will know each device that is associated with a specific user.
BOOM. WE FINALLY START TO PUT IT ALL TOGETHER. WE LEARNED ABOUT THE NEW PLAYERS. WE LEARNED ABOUT THE INNOVATION. WE HAVE OUR CONTEXT-DRIVEN ADAPTIVE TRUST FRAMEWORK LAID. NOW EXPLAIN HOW YOU CAN USE POLICY TO MAKE DECISIONS ABOUT WHEN AND WHERE TO IMPLEMENT MFA. START TO TEE UP DEMOS.
DEMO TIME. WORK FLOW DIAGRAMS AND SCREEN SHOTS PENDING.
Contest Overview
- Aruba is running a marketing campaign where we ask “What is your IT superpower?”
- Go to arubatitans.com to take a quick quiz to discover your superpower.
- Share your results with friends and encourage others to play the game
- Once you share, go to the Social and Community Hub, Gracia Commons, 3rd fl to pick up your free superpower shirt.
FAQ
1. What do I have to do to get a shirt?
Share your IT superpower results with friends and encourage them to play the game. Then come to the Social & Community Hub, 3rd Floor Gracia Commons to pick up your shirt. We just need your name and badge for verification.
2. Where do I get my shirt?
Come to the #ATM16 Social & Community hub located at Gracia Commons on the 3rd Floor
3. Do I have to be at the event to get the shirt?
Yes. You have to be at #ATM16 to get a shirt.
4. Can I get my colleague a shirt? He/she is in a session right now.
Unfortunately not. We encourage your colleague to participate so that they can win a shirt for themselves.
5. Can I bring a shirt home for my colleague?
Unfortunately not. You have to be at #ATM16 to get a shirt.
6. You don’t have a shirt in my size, can you ship the right size to me later?
Unfortunately not. Please select the best size from our inventory on site.