forrester and duo security webinar - 5 signs you're doing authentication wrong
DESCRIPTION
If you're like many IT security professionals, you're on a quest to do a better job of authenticating users in the face of new security and business challenges. Have you gotten caught up in one of five authentication traps, like many of your peers? Full replay of the recording is available online: https://go.duosecurity.com/Forrester_Webinar_Signs_Youre_Doing_Authentication_Wrong.html
In this webinar, you will learn:
* Five signs you're doing authentication wrong
* Forrester research on key trends and generational shifts in the authentication market
* How to assess solution usability, deployability and security
* Will it ever be truly possible to "kill the password?"
Join the following guest speakers as they comment on the virtues of a thoughtfully deployed authentication solution.
* Eve Maler, Forrester Research
* Brian Kelly, Duo Security
* Daniel Frye, CedarCrestone
TRANSCRIPT
5 Signs You’re Doing Authentication Wrong
March 25, 2014
#duowebinar
5 Signs You're Doing Authentication Wrong: Eve Maler, Forrester Research
Helping You Get It Right: Brian Kelly, Duo Security
Choosing The Appropriate Solution: Daniel Frye, CedarCrestone
5 Signs You’re Doing Authentication Wrong
Eve Maler, Principal Analyst, Forrester Research
5 Signs You’re Doing Authentication Wrong: A Listicle About Security And Usability
Eve Maler, Principal Analyst, March 25, 2014
You’re engaging in security theater
© 2014 Forrester Research, Inc. Reproduction Prohibited 3
Yeah, we really do have a problem
Source: December 30, 2013, “Market Overview: Employee And Customer Authentication Solutions In 2013, Part 1 Of 2” Forrester report
2 out of 3 top data breach types involve the keys to the kingdom
Passwords (and security Qs) have a weak “UDS profile”
Source: February 24, 2014, “Market Overview: Employee And Customer Authentication Solutions In 2013, Part 2 Of 2” Forrester report
UDS (usability, deployability, security) framework properties:
Usability: Memorywise-Effortless, Scalable-for-Users, Nothing-to-Carry, Physically-Effortless, Easy-to-Learn, Efficient-to-Use, Infrequent-Errors, Easy-Recovery-from-Loss
Deployability: Accessible, Negligible-Cost-per-User, Server-Compatible, Nothing-to-Provision-to-User, Mature, Multiple-Purposes, Available-Offline
Security: Resilient-to-Physical-Observation, Resilient-to-Targeted-Impersonation, Resilient-to-Throttled-Guessing, Resilient-to-Unthrottled-Guessing, Resilient-to-Internal-Observation, Resilient-to-Leaks-from-Other-Verifiers, Resilient-to-Phishing, Resilient-to-Theft, No-Trusted-Third-Party, Requiring-Explicit-Consent, Unlinkable
But password policy has become a bludgeon
We conclude that the sites with the most restrictive password policies do not have greater security concerns, they are simply better insulated from the consequences of poor usability. ... Most organizations have security professionals who demand stronger policies, but only some have usability imperatives strong enough to push back. When the voices that advocate for usability are absent or weak, security measures become needlessly restrictive. The watchers must be watched, not merely to ensure that they do not steal or cheat, but also to ensure that they do not decide to make their job a little easier at the cost of great inconvenience to everyone else. – Florencio and Herley, Where do security policies come from? (2010) [emph added]
What compensating controls can we use to better effect?
› Lockout policy
› Getting “securely random” closer to “memorable”
› Risk-based and contextual authentication
› Real-time strength checking
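The lockout item in this list is usually implemented as a hard account lock, which trades the Resilient-to-Throttled-Guessing property for a control that anyone who knows a username can trigger against its owner. The Python below is an added illustration, not part of the Forrester material: it throttles guessing with a short, escalating delay tracked per account and per source address, so a targeted guess and a spray across many accounts are both slowed without a permanent lock. The class and field names, the three free attempts, the 2-second base delay and the 15-minute cap are assumptions chosen for the example.

```python
"""Escalating-delay throttle for a login endpoint (added example; not from the
webinar, Forrester or Duo). Failures are counted per account and per source
address; past a few free attempts each further failure doubles a delay that is
capped, so guessing is slowed without handing out a denial-of-service lever."""
import time
from dataclasses import dataclass, field


@dataclass
class _Counter:
    failures: int = 0
    blocked_until: float = 0.0   # unix time until which attempts are refused


@dataclass
class LoginThrottle:
    free_attempts: int = 3       # failures tolerated before any delay (assumed)
    base_delay: float = 2.0      # seconds; doubled for each further failure
    max_delay: float = 900.0     # cap so the worst case stays bounded (15 min)
    _accounts: dict = field(default_factory=dict, repr=False)
    _sources: dict = field(default_factory=dict, repr=False)

    def _counters(self, username, source_ip):
        return (self._accounts.setdefault(username, _Counter()),
                self._sources.setdefault(source_ip, _Counter()))

    def check(self, username, source_ip, now=None):
        """Call before comparing the password. Returns (allowed, seconds_to_wait)."""
        now = time.time() if now is None else now
        wait = 0.0
        for c in self._counters(username, source_ip):
            if c.blocked_until > now:
                wait = max(wait, c.blocked_until - now)
        return wait == 0.0, wait

    def record_failure(self, username, source_ip, now=None):
        """Bump both counters; a delay starts once the free attempts are used up."""
        now = time.time() if now is None else now
        for c in self._counters(username, source_ip):
            c.failures += 1
            extra = c.failures - self.free_attempts
            if extra > 0:
                delay = min(self.base_delay * 2 ** (extra - 1), self.max_delay)
                c.blocked_until = now + delay

    def record_success(self, username, source_ip):
        """A correct login clears the account counter only: a source address that
        has been spraying many accounts keeps whatever delay it has earned."""
        self._accounts.pop(username, None)
```

Because the source counter is shared by every account behind one address, a single abusive client behind a corporate NAT can delay its neighbours; the cap on `max_delay` is what keeps that worst case tolerable, and the per-account counter alone would miss low-and-slow spraying that never trips any one account.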
You’re unifying on a single login experience
Weird but true tales
“Since it’s hard to type passwords on mobile devices or speak them out loud to customer service reps, we force all passwords to be short and uppercase.”
“We want to give everyone the identical login experience on every channel. How do we do that?”
“We have two-factor auth: Users give a password to log in, and if they forget their password, we ask them security questions.”
Authentication stages and tasks have different needs
Onboarding: New account enrollment, with users and devices potentially never seen before.
Login: Front-door authentication to access ordinary functions.
Step-up: Stronger authentication to access higher-value, higher-risk functions.
Recovery: Password reset and other security profile changes, which may require re-enrollment.
Source: December 30, 2013, “Market Overview: Employee And Customer Authentication Solutions In 2013, Part 1 Of 2” Forrester report
Think in terms of “responsive design” for authentication tasks per channel
• Pick up risk-based clues from the channel and task wherever possible
• Leverage users’ smart mobile devices if they have them
“Mobile first” means IT has less room to maneuver than ever
› Business owners want in-app registration and login
› Individuals demand user experiences with a clear purpose
› Security task flows on mobile devices feel different
Your authentication chain has weak links
What’s your task/channel matrix?
Channels: Web, Mobile web, Mobile app, Phone CSR, Phone IVR…
Tasks: Register user, Register device, Routine login, Account recovery, Change email…
What’s your population and scenario?
Chart axes: Benefit in sharing credentials (Baseline, Greater benefit, Large benefit) against Degree of freedom to walk away from relationship (None (captive), Some at cost, A lot).
Populations plotted: Regular employee, Contractor, Nonpaying affiliate, Paying affiliate, Bank customer, Privileged employee, Social network user, Retail customer, Service-paying customer, Payout beneficiary, Employee of partner
It’s intractably hard to stamp out all passwords
› Back-end privileged accounts
› API client credentials and access tokens
› PINs to unlock MDM-protected devices
› Passwords as a required first factor of many third-generation strong authentication solutions
You’re pretending your enterprise is unextended
Source: December 30, 2013, “Market Overview: Employee And Customer Authentication Solutions In 2013, Part 1 Of 2” Forrester report
The extended enterprise needs Zero Trust authentication
Source: November 15, 2012, “No More Chewy Centers: Introducing The Zero Trust Model Of Information Security” Forrester report
Zero Trust and the cloud have affinities
› All resources are accessed in a secure manner regardless of location.
› Access control is on a “need-to-know” basis and is strictly enforced.
› Verify and never trust.
› Inspect and log all traffic.
› The network is designed from the inside out.
You annoy real users as much as fraudsters
Source: February 24, 2014, “Market Overview: Employee And Customer Authentication Solutions In 2013, Part 2 Of 2” Forrester report
(UDS framework property table repeated from the earlier slide.)
Adding contextual cues can be a great booster shot
Source: February 24, 2014, “Market Overview: Employee And Customer Authentication Solutions In 2013, Part 2 Of 2” Forrester report
(UDS framework property table repeated from the earlier slide.)
Mobile-fueled third-gen solutions can add UDS strength
Leverage “adjacent uses” for employees and consumers alike
Source: June 12, 2013, “Introducing The Customer Authentication Assessment Framework” Forrester report
Thank you
Eve Maler, +1 425 345 6756, [email protected], Twitter: @xmlgrrl
Helping You Get It Right
Brian Kelly, Sr. Product Marketing Manager, Duo Security
Passwords
The security problem we all share
100% of victims have up-to-date anti-virus software
94% of breaches are reported by third parties
416: median number of days advanced attackers are on the network before being detected
100% of breaches involved stolen credentials (2013)
All Breaches Involve Stolen Passwords
Helping You Get Two-Factor Authentication Right
1. Avoid Security Theatre
2. Deploy Responsive Two-Factor Authentication
3. Remove Weak Links In Your Authentication Chain
4. Embrace Your Extended Enterprise
5. Don’t Annoy Your Users
1. Avoid Security Theatre
‣ Your employees and users don’t want to change their passwords every 90 days
my.vt.edu (Mar 2014)
‣ Maintain a reasonable password policy and require two-factor authentication
xkcd.com/936/
2. Deploy Responsive Two-Factor Authentication
‣ Your sales team probably doesn’t have the same risk profile as your IT administrators
‣ Allow sales team to self-enroll and leverage Duo’s Trusted Device policy
‣ Require admins:
  ‣ to use 2FA on every login
  ‣ not to rely on phone callback or SMS OTP
  ‣ to be manually enrolled
3. Remove Weak Links In Your Authentication Chain
Know Your Humans: Prove Identity
‣ Enroll: TOFU (self-enrollment), batch, manual, sync
‣ Authenticate: policy, bypass
‣ Migrate: change phone, token
‣ Deactivate
3. Remove Weak Links In Your Authentication Chain
Remote Access Security Hygiene
‣ Understanding all points of access
‣ Fail safe (open) vs. fail secure (closed) tradeoffs
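Two of Brian's points, the risk-tiered policy for sales versus admins under "Deploy Responsive Two-Factor Authentication" and the fail-safe versus fail-secure trade-off just above, are easiest to see as one small policy evaluator. The Python below is an added example and is not Duo's policy engine or API: a sales user whose device completed 2FA inside the trust window is not prompted again, an admin must complete a strong second factor on every login and cannot satisfy it with phone callback or SMS, and each tier states what happens when the second-factor service is unreachable. The group names, factor names, the 30-day trust window and the choice that only the lower-risk tier fails open are assumptions made for the example.

```python
"""Risk-tiered second-factor policy with an explicit fail mode (added example,
not Duo's policy engine). Two tiers follow the slide: a sales user whose device
completed 2FA within the trust window is not prompted again, while an admin
must complete a strong second factor on every login and may not use phone
callback or SMS. Each tier also declares what happens when the second-factor
service cannot be reached (fail safe/open versus fail secure/closed)."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Decision(Enum):
    ALLOW = "allow"              # this request needs nothing further
    REQUIRE_2FA = "require_2fa"  # prompt the user for a permitted factor
    DENY = "deny"


# Assumed factor names; "strong" here means not delivered over the phone network.
STRONG_FACTORS = frozenset({"push", "hotp", "totp", "yubikey"})
ALL_FACTORS = STRONG_FACTORS | {"sms", "phone"}


@dataclass(frozen=True)
class Policy:
    require_every_login: bool   # True: device trust never skips the prompt
    trusted_device_days: int    # 0 disables device trust
    allowed_factors: frozenset
    fail_closed: bool           # True: deny if the 2FA service is unreachable


# Assumed group names and thresholds for the example.
POLICIES = {
    "sales": Policy(False, 30, ALL_FACTORS, fail_closed=False),
    "admin": Policy(True, 0, STRONG_FACTORS, fail_closed=True),
}


@dataclass(frozen=True)
class Request:
    group: str
    device_trusted_days_ago: Optional[int]  # None: device never completed 2FA
    completed_factor: Optional[str]         # factor just verified, or None
    service_reachable: bool = True


def evaluate(req: Request) -> Decision:
    """Decide one login request against the group's policy."""
    policy = POLICIES.get(req.group)
    if policy is None:
        return Decision.DENY        # unknown group gets no implicit access
    if not req.service_reachable:
        return Decision.DENY if policy.fail_closed else Decision.ALLOW
    trusted = (
        not policy.require_every_login
        and policy.trusted_device_days > 0
        and req.device_trusted_days_ago is not None
        and req.device_trusted_days_ago < policy.trusted_device_days
    )
    if trusted:
        return Decision.ALLOW
    if req.completed_factor is None:
        return Decision.REQUIRE_2FA
    if req.completed_factor in policy.allowed_factors:
        return Decision.ALLOW
    return Decision.DENY            # e.g. an admin who answered by SMS
```

The fail-open branch is the trade-off the slide names: it keeps the sales team working through an outage at the cost of password-only access for that window, so it belongs only on the tier whose compromise you can live with, and every decision it produces is worth logging as a distinct event so the outage window can be reviewed afterwards.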
3. Remove Weak Links In Your Authentication Chain
Remote Access Security Hygiene
‣ Added 2FA for SSH access to your UNIX servers? Great!
‣ Did you remember to turn off port forwarding and tunneling?
# Duo UNIX 2FA - sshd_config:
PermitTunnel no
AllowTcpForwarding no
ForceCommand /usr/sbin/login_duo
duosecurity.com/docs/duounix
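The three directives on this slide only help if they are the ones sshd actually applies, and sshd_config's rule is that the first value given for a keyword wins, so a hardening line appended below an earlier permissive one is silently ignored. The Python below is an added audit helper, not Duo's tooling: it reads the global section of an sshd_config with that first-wins rule and reports each expected directive as present, missing or overridden. The sample configuration is constructed for the example; on a live host, `sshd -T` prints the effective configuration and is the authoritative check.

```python
"""Audit an sshd_config for the hardening the slide pairs with Duo's login_duo
ForceCommand (added example, not Duo's tooling). Applies sshd's own rule that
the first value given for a keyword wins, so a hardening line appended below an
earlier permissive one is reported as ineffective rather than as present."""
import re

# Directive -> value the slide expects (keywords are case-insensitive in sshd).
EXPECTED = {
    "permittunnel": "no",
    "allowtcpforwarding": "no",
    "forcecommand": "/usr/sbin/login_duo",
}


def effective_global_settings(config_text: str) -> dict:
    """Return {keyword: first value} for the global section, before any Match."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts "Keyword value" as well as "Keyword=value"
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            break   # conditional blocks depend on the connection; stop here
        settings.setdefault(keyword, value)   # first occurrence wins
    return settings


def audit(config_text: str) -> dict:
    """Map each expected directive to 'ok', 'missing' or 'wrong: <value>'."""
    settings = effective_global_settings(config_text)
    report = {}
    for key, want in EXPECTED.items():
        got = settings.get(key)
        if got is None:
            report[key] = "missing"
        elif got.lower() == want.lower():
            report[key] = "ok"
        else:
            report[key] = f"wrong: {got}"
    return report


# Constructed sample: the hardening lines were appended below a permissive one.
SAMPLE_CONFIG = """
# /etc/ssh/sshd_config (constructed sample)
Port 22
AllowTcpForwarding yes
PermitTunnel no
AllowTcpForwarding no
ForceCommand /usr/sbin/login_duo
Match User backup
    AllowTcpForwarding yes
"""

if __name__ == "__main__":
    for key, status in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {status}")
```

The checker stops at the first `Match` block on purpose: directives inside it apply only to matching connections, and whether a given user can still forward ports then depends on which block matches, which is exactly the question `sshd -T -C user=...,addr=...` answers on the host itself.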
3. Remove Weak Links In Your Authentication Chain
Remote Access Security Hygiene
‣ Duo 2FA for Windows RDP locks down remote, interactive sessions
‣ “Run as” & non-interactive logins do not invoke credential provider
‣ Understand limitations for local auth
duosecurity.com/docs/rdp-faq
4. Embrace Your Extended Enterprise
Integrate with everything that matters
‣ On-premises: VPN, servers, web apps
‣ Cloud: Google Apps, Office 365, Salesforce, Box, and more (SAML)
‣ API: Duo Web and REST
4. Embrace Your Extended Enterprise
Authenticate users with any device
‣ Duo Push: iOS, Android, BlackBerry, Windows Phone
‣ Offline Passcodes
‣ SMS Passcodes
‣ Phone callback
‣ Tokens: HOTP/TOTP & YubiKey
4. Embrace Your Extended Enterprise
Manage from anywhere
‣ Cloud-accessible management console
‣ Manage users, devices, integrations and access logs all from web interface
‣ Admin REST API for automation
5. Don’t Annoy Your Users
Your users are smart
‣ Explain why 2FA is important (and better than archaic password policies)
‣ Give them choice
‣ Provide personal security value
‣ Get out of the way
guide.duosecurity.com
Thousands Doing It Right, Today
duosecurity.com/success-stories
Choosing The Appropriate Solution
Daniel Frye, SVP Corporate Security, CedarCrestone
About CedarCrestone
‣ Formed in 2005
‣ Merger of Cedar Enterprise Solutions (founded 1981) and Crestone International (founded 1995)
‣ Global consulting & managed services company
‣ Support 2,000+ employees for CedarCrestone & affiliated companies
Headquarters: Atlanta, GA
Business Challenge
‣ Evaluated susceptibility to password phishing via internal pen-testing & social engineering testing
‣ Hundreds of consultants on the road that need VPN access
‣ Needed application-centric multi-factor solution as an option for managed services clients
Choosing The Appropriate Authentication Solution
‣ Why two-factor authentication vs. other security solutions?
‣ Defining authentication solution success
‣ Protect critical resources
‣ Make it easy on users and staff
‣ Evaluation and competitive bake off
Decision: Duo Security
‣ Protect critical resources
‣ Drop-in integrations for Juniper and more
‣ Flexible API for custom integration or enhancement
‣ Make it easy on users and staff
‣ Easy To Use: Duo Push, self-enrollment
‣ Easy To Deliver: Minimal training, factor choice
‣ Easy To Trust: Secure by design
(Diagram: Duo API)
Results
‣ Password-related vulnerabilities mitigated since Duo deployment
‣ Feedback from 3rd party pen-testing team very positive
‣ Feedback from staff who have used other 2FA solutions: Duo Push is much better
‣ Flexibility of mobile apps, SMS, phone callback, and YubiKey support has proven integral to success
Questions + Answers #duowebinar
Eve Maler, Forrester: [email protected], @xmlgrrl
Brian Kelly, Duo: [email protected], @resetbrian
Daniel Frye, CedarCrestone: [email protected], @CedarCrestone