Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong

Post on 02-Nov-2014

DESCRIPTION

If you're like many IT security professionals, you're on a quest to do a better job of authenticating users in the face of new security and business challenges. Have you gotten caught up in one of five authentication traps, like many of your peers? Full replay of the recording is available online: https://go.duosecurity.com/Forrester_Webinar_Signs_Youre_Doing_Authentication_Wrong.html

In this webinar, you will learn:
* Five signs you're doing authentication wrong
* Forrester research on key trends and generational shifts in the authentication market
* How to assess solution usability, deployability and security
* Will it ever be truly possible to "kill the password?"

Join the following guest speakers as they comment on the virtues of a thoughtfully deployed authentication solution.
* Eve Maler, Forrester Research
* Brian Kelly, Duo Security
* Daniel Frye, CedarCrestone

TRANSCRIPT

1. 5 Signs You're Doing Authentication Wrong. March 25, 2014. #duowebinar

2. 5 Signs You're Doing Authentication Wrong. Agenda: Eve Maler, Forrester Research: 5 Signs You're Doing Authentication Wrong. Brian Kelly, Duo Security: Helping You Get It Right. Daniel Frye, CedarCrestone: Choosing The Appropriate Solution. #duowebinar

3. 5 Signs You're Doing Authentication Wrong. Eve Maler, Principal Analyst, Forrester Research. #duowebinar

4. 5 Signs You're Doing Authentication Wrong: A Listicle About Security And Usability. Eve Maler, Principal Analyst. March 25, 2014

5. You're engaging in security theater

6. Yeah, we really do have a problem. (Slide footer: 2014 Forrester Research, Inc. Reproduction Prohibited)

7. 2 out of 3 top data breach types involve the keys to the kingdom. Source: December 30, 2013, "Market Overview: Employee And Customer Authentication Solutions In 2013, Part 1 Of 2" Forrester report

8. Passwords (and security Qs) have a weak UDS profile. Source: February 24, 2014, "Market Overview: Employee And Customer Authentication Solutions In 2013, Part 2 Of 2" Forrester report. The UDS criteria, by column:
   Usability: Memorywise-Effortless, Scalable-for-Users, Nothing-to-Carry, Physically-Effortless, Easy-to-Learn, Efficient-to-Use, Infrequent-Errors, Easy-Recovery-from-Loss
   Deployability: Accessible, Negligible-Cost-per-User, Server-Compatible, Nothing-to-Provision-to-User, Mature, Multiple-Purposes, Available-Offline
   Security: Resilient-to-Physical-Observation, Resilient-to-Targeted-Impersonation, Resilient-to-Throttled-Guessing, Resilient-to-Unthrottled-Guessing, Resilient-to-Internal-Observation, Resilient-to-Leaks-from-Other-Verifiers, Resilient-to-Phishing, Resilient-to-Theft, No-Trusted-Third-Party, Requiring-Explicit-Consent, Unlinkable

9. Passwords (and security Qs) have a weak UDS profile (same UDS criteria table as slide 8, annotated "!!!"). Source: February 24, 2014, Market Overview Part 2 Of 2 Forrester report

10. But password policy has become a bludgeon. "We conclude that the sites with the most restrictive password policies do not have greater security concerns, they are simply better insulated from the consequences of poor usability. ... Most organizations have security professionals who demand stronger policies, but only some have usability imperatives strong enough to push back. When the voices that advocate for usability are absent or weak, security measures become needlessly restrictive. The watchers must be watched, not merely to ensure that they do not steal or cheat, but also to ensure that they do not decide to make their job a little easier at the cost of great inconvenience to everyone else." Florencio and Herley, "Where do security policies come from?" (2010) [emphasis added]

11. What compensating controls can we use to better effect? Lockout policy. Getting securely random closer to memorable. Risk-based and contextual authentication. Real-time strength checking.

12. You're unifying on a single login experience

13. Weird but true tales. "Since it's hard to type passwords on mobile devices or speak them out loud to customer service reps, we force all passwords to be short and uppercase." "We want to give everyone the identical login experience on every channel. How do we do that?" "We have two-factor auth: users give a password to log in, and if they forget their password, we ask them security questions."

14. Authentication stages and tasks have different needs. Onboarding: new account enrollment, with users and devices potentially never seen before. Login: front-door authentication to access ordinary functions. Step-up: stronger authentication to access higher-value, higher-risk functions. Recovery: password reset and other security profile changes, which may require re-enrollment. Source: December 30, 2013, "Market Overview: Employee And Customer Authentication Solutions In 2013, Part 1 Of 2" Forrester report

15. Think in terms of responsive design for authentication tasks per channel. Pick up risk-based clues from the channel and task wherever possible. Leverage users' smart mobile devices if they have them.

16. Mobile first means IT has less room to maneuver than ever. Business owners want in-app registration and login. Individuals demand user experiences with a clear purpose. Security task flows on mobile devices feel different.

17. Your authentication chain has weak links

18. What's your task/channel matrix? Channels: Web, Mobile web, Mobile app, Phone CSR, Phone IVR. Tasks: Register user, Register device, Routine login, Account recovery, Change email.

19. What's your population and scenario? Axes: benefit in sharing credentials (Baseline, Greater benefit, Large benefit) against degree of freedom to walk away from the relationship (None (captive), Some at cost, A lot). Populations plotted: Regular employee, Contractor, Nonpaying affiliate, Paying affiliate, Bank customer, Privileged employee, Social network user, Retail customer, Service-paying customer, Payout beneficiary, Employee of partner.

20. It's intractably hard to stamp out all passwords. Back-end privileged accounts. API client credentials and access tokens. PINs to unlock MDM-protected devices. Passwords as a required first factor of many third-generation strong authentication solutions.

21. You're pretending your enterprise is unextended

22. The extended enterprise needs Zero Trust authentication. Source: December 30, 2013, "Market Overview: Employee And Customer Authentication Solutions In 2013, Part 1 Of 2" Forrester report

23. Zero Trust and the cloud have affinities. All resources are accessed in a secure manner regardless of location. Access control is on a need-to-know basis and is strictly enforced. Verify and never trust. Inspect and log all traffic. The network is designed from the inside out. Source: November 15, 2012, "No More Chewy Centers: Introducing The Zero Trust Model Of Information Security" Forrester report

24. You annoy real users as much as fraudsters

25. Adding contextual cues can be a great booster shot (same UDS criteria table as slide 8). Source: February 24, 2014, Market Overview Part 2 Of 2 Forrester report

26. Mobile-fueled third-gen solutions can add UDS strength (same UDS criteria table as slide 8). Source: February 24, 2014, Market Overview Part 2 Of 2 Forrester report

27. Leverage adjacent uses for employees and consumers alike. Source: June 12, 2013, "Introducing The Customer Authentication Assessment Framework" Forrester report

28. Thank you. Eve Maler, +1 425 345 6756, emaler@forrester.com, Twitter: @xmlgrrl

29. Helping You Get It Right. Brian Kelly, Sr. Product Marketing Manager, Duo Security. #duowebinar

30. Passwords: the security problem we all share

31. 100% of victims have up-to-date anti-virus software. 94% of breaches are reported by third parties. 416: median number of days advanced attackers are on the network before being detected. 100% of breaches involved stolen credentials (2013). All Breaches Involve Stolen Passwords.

32. Helping You Get Two-Factor Authentication Right: 1. Avoid Security Theatre. 2. Deploy Responsive Two-Factor Authentication. 3. Remove Weak Links In Your Authentication Chain. 4. Embrace Your Extended Enterprise. 5. Don't Annoy Your Users.

33. 1. Avoid Security Theatre. Your employees and users don't want to change their passwords every 90 days. (my.vt.edu, Mar 2014)

34. 1. Avoid Security Theatre. Your employees and users don't want to change their passwords every 90 days. Maintain a reasonable password policy and require two-factor authentication. (xkcd.com/936/)

35. 2. Deploy Responsive Two-Factor Authentication. Your sales team probably doesn't have the same risk profile as your IT administrators.

36. 2. Deploy Responsive Two-Factor Authentication. Your sales team probably doesn't have the same risk profile as your IT administrators. Allow the sales team to self-enroll and leverage Duo's Trusted Device policy.

37. 2. Deploy Responsive Two-Factor Authentication. Your sales team probably doesn't have the same risk profile as your IT administrators. Require admins to use 2FA on every login, not rely on phone callback or SMS OTP, and manually enroll.

38. 3. Remove Weak Links In Your Authentication Chain. Know Your Humans: Enroll, Authenticate, Migrate, Deactivate.

39. 3. Remove Weak Links In Your Authentication Chain. Know Your Humans: Prove Identity. Enroll, Authenticate, Migrate, Deactivate.

40. 3. Remove Weak Links In Your Authentication Chain. Know Your Humans. Enroll: TOFU (self-enrollment), batch, manual, sync. Authenticate, Migrate, Deactivate.

41. 3. Remove Weak Links In Your Authentication Chain. Know Your Humans. Enroll. Authenticate: policy, bypass. Migrate, Deactivate.

42. 3. Remove Weak Links In Your Authentication Chain. Know Your Humans. Enroll, Authenticate. Migrate: change phone, token. Deactivate.

43. 3. Remove Weak Links In Your Authentication Chain. Know Your Humans. Enroll, Authenticate, Migrate, Deactivate.

44. 3. Remove Weak Links In Your Authentication Chain. Remote Access Security Hygiene. Understanding all points of access. Fail safe (open) v. fail secure (close) tradeoffs.

45. 3. Remove Weak Links In Your Authentication Chain. Remote Access Security Hygiene. Added 2FA for SSH access to your UNIX servers? Great! Did you remember to turn off port forwarding and tunneling? Duo UNIX 2FA, sshd_config:
    PermitTunnel no
    AllowTcpForwarding no
    ForceCommand /usr/sbin/login_duo
    duosecurity.com/docs/duounix

46. 3. Remove Weak Links In Your Authentication Chain. Remote Access Security Hygiene. Duo 2FA for Windows RDP locks down remote, interactive sessions. "Run as" and non-interactive logins do not invoke the credential provider. Understand the limitations for local auth. duosecurity.com/docs/rdp-faq

47. 4. Embrace Your Extended Enterprise. Integrate with everything that matters. On-premises: VPN, servers, web apps. Cloud: Google Apps, Office 365, Salesforce, Box, and more (SAML). API: Duo Web and REST.

48. 4. Embrace Your Extended Enterprise. Authenticate users with any device. Duo Push: iOS, Android, BlackBerry, Windows Phone. Offline Passcodes. SMS Passcodes. Phone callback. Tokens: HOTP/TOTP & YubiKey.

49. 4. Embrace Your Extended Enterprise. Manage from anywhere. Cloud-accessible management console. Manage users, devices, integrations and access logs all from the web interface. Admin REST API for automation.

50. 5. Don't Annoy Your Users. Your users are smart. Explain why 2FA is important (and better than archaic password policies). Give them choice. Provide personal security value. Get out of the way. guide.duosecurity.com

51. Thousands Doing It Right, Today. duosecurity.com/success-stories

52. Choosing The Appropriate Solution. Daniel Frye, SVP Corporate Security, CedarCrestone. #duowebinar

53. About CedarCrestone. Formed in 2005 by the merger of Cedar Enterprise Solutions (founded 1981) and Crestone International (founded 1995). Global consulting & managed services company. Supports 2,000+ employees for CedarCrestone & affiliated companies. Headquarters: Atlanta, GA.

54. Business Challenge. Evaluated susceptibility to password phishing via internal pen-testing & social engineering testing. Hundreds of consultants on the road that need VPN access. Needed an application-centric multi-factor solution as an option for managed services clients.

55. Choosing The Appropriate Authentication Solution. Why two-factor authentication vs. other security solutions? Defining authentication solution success: protect critical resources; make it easy on users and staff. Evaluation and competitive bake-off.

56. Decision: Duo Security. Protect critical resources: drop-in integrations for Juniper and more; flexible API for custom integration or enhancement (Duo API). Make it easy on users and staff. Easy To Use: Duo Push, self-enrollment. Easy To Deliver: minimal training, factor choice. Easy To Trust: secure by design.

57. Results. Password-related vulnerabilities mitigated since Duo deployment. Feedback from 3rd party pen-testing team very positive. Feedback from staff who have used other 2FA solutions: "Duo Push is much better." Flexibility of mobile apps, SMS, phone callback, and YubiKey support has proven integral to success...
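Slide 45 makes a point worth automating: once SSH 2FA is enforced through a ForceCommand wrapper such as login_duo, the sshd_config must also close tunneling and TCP forwarding, or a password-only session can still be used as a relay without ever hitting the second factor. The shell audit below is added here as an example (it is not from the webinar or from Duo's documentation); it reads an sshd_config the way sshd does (first occurrence of a keyword wins, keywords are case-insensitive, global settings end at the first Match block) and flags hosts where login_duo is forced but PermitTunnel or AllowTcpForwarding was left open. The two sample configs are constructed; the ForceCommand path /usr/sbin/login_duo is the one shown on the slide.

```shell
#!/bin/sh
# Added audit helper, not from the webinar or from Duo's documentation: checks an
# sshd_config for the three settings slide 45 pairs with login_duo-based SSH 2FA.
# sshd semantics: the FIRST occurrence of a keyword wins, keywords are
# case-insensitive, and global settings end at the first "Match" block.
# "Keyword=value" syntax and Match-block overrides are out of scope here.

# sshd_effective FILE KEYWORD -> effective value, or "(unset)" if absent
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
        tolower($1) == "match"   { exit }          # global section is over
        tolower($1) == key {                       # strip the keyword, keep the value
            sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; found = 1; exit
        }
        END { if (!found) print "(unset)" }
    ' "$1"
}

# check_ssh_2fa_hygiene FILE -> one WEAK line per gap; exit 0 only if all three
# settings are in place. An unset value is flagged too: with 2FA as the control,
# the forwarding/tunnel decision should be written down, not inherited from defaults.
check_ssh_2fa_hygiene() {
    f="$1"; rc=0
    tun=$(sshd_effective "$f" PermitTunnel | tr 'A-Z' 'a-z')
    fwd=$(sshd_effective "$f" AllowTcpForwarding | tr 'A-Z' 'a-z')
    fc=$(sshd_effective "$f" ForceCommand)
    [ "$tun" = "no" ] || { echo "WEAK $f: PermitTunnel is '$tun' (want no)"; rc=1; }
    [ "$fwd" = "no" ] || { echo "WEAK $f: AllowTcpForwarding is '$fwd' (want no)"; rc=1; }
    case "$fc" in
        */login_duo) ;;
        *) echo "WEAK $f: ForceCommand is '$fc' (want /usr/sbin/login_duo)"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK $f: tunnel and forwarding closed, login_duo forced"
    return "$rc"
}

# Constructed sample configs (not from any real host) so the script runs stand-alone.
tmp=$(mktemp -d)
printf '%s\n' 'Port 22' 'AllowTcpForwarding yes' \
    'ForceCommand /usr/sbin/login_duo' > "$tmp/weak_sshd_config"
printf '%s\n' 'Port 22' 'PermitTunnel no' 'AllowTcpForwarding no' \
    'ForceCommand /usr/sbin/login_duo' \
    '# later duplicate is ignored: first occurrence wins' \
    'AllowTcpForwarding yes' > "$tmp/hardened_sshd_config"
check_ssh_2fa_hygiene "$tmp/weak_sshd_config" || echo "exit status $?"
check_ssh_2fa_hygiene "$tmp/hardened_sshd_config" || echo "exit status $?"
rm -r "$tmp"
```

On a real host, run `check_ssh_2fa_hygiene /etc/ssh/sshd_config` (or point it at the output of `sshd -T` saved to a file) and treat a non-zero exit as a finding for the remote-access hygiene review the slides describe.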