
KILL THE P@55W0RD
Nick Savvides, Business Manager Information Protection, Pacific

Upload: lester-fitzgerald

Post on 20-Jan-2016


TRANSCRIPT

Page 1: Nick Savvides Business Manager Information Protection, Pacific

KILL THE P@55W0RD

Nick Savvides, Business Manager, Information Protection, Pacific

Page 2

WHAT’S THE VALUE TO YOU?

• A way to start a broader conversation around information protection by addressing a current pain.

• Enables a “solution sale” with infrastructure solutions (VPNs, VDI, SSO, etc.)

• Enables a solution bundle or cross-sell with SAM, MPKI, and DLP

• Offer services as a value add

• Increases the deal sizes

• Reinforces your role as a trusted advisor

Copyright © 2015 Symantec Corporation

Page 3

“Most businesses are on their last data centre… and many are buying their last fully-fledged laptops” *

* Gartner Analyst – Gartner Symposium, Nov 2014

Page 4

Growth in SaaS is “Viral”


Enterprises have an average of 461 cloud apps running in their organisations (nine to ten times IT's estimates). Source: Consumerisation of IT in the Enterprise

Page 5

What did I use as DOB for that site?

Passwords Don’t Internet Scale.

1 Week Of Logins

Page 6

Human Brain vs. Internet Scale

password, 123456, 12345678, abc123, qwerty, monkey, letmein, dragon, 111111, baseball

Source: SplashID Worst Passwords Of 2012
Source: Tard A.K.A. Grumpy Cat

Page 7

How Did We Fix This?

“Minimum 8, 2 Upper Case, 1 Number, 1 Special Character, Change Every 30 Days”

Page 8

Let’s Try One

“Minimum 8, 2 Upper Case, 1 Number, 1 Special Character, Change Every 30 Days”

Password:

Page 9

P@$$w0rD C0mp73x1tY

Humans Defeat Password Complexity

Page 10

I’m Smarter, I Read xkcd

WRONG!

Source: xkcd.com (it’s awesome, check it out)

Page 11

Derivative Passwords

Compound Passwords

Quotes & Lyrics Passwords
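To make the point of slides 7 to 11 concrete, here is an added illustrative check (not code from this deck or from Symantec): the complexity rule quoted on slide 7 implemented beside a dictionary check that undoes the substitutions people use to satisfy it. The word list, the leet table and the function names are constructed for this example.

```python
import itertools
import re

# Constructed stand-in for the "1000 word dictionary" the deck cites on slide 14.
COMMON_WORDS = {"password", "monkey", "letmein", "dragon", "baseball",
                "qwerty", "complexity", "summer", "welcome"}

# Substitutions people use to satisfy "1 number, 1 special character".
# Ambiguous symbols list every reading, so "7" may decode to "t" or "l".
LEET = {"@": "a", "4": "a", "$": "s", "5": "s", "0": "o", "3": "e",
        "1": "il", "!": "il", "|": "il", "7": "tl", "+": "t", "8": "b"}

_EDGE = re.compile(r"^[^A-Za-z]+|[^A-Za-z]+$")


def meets_complexity_policy(pw: str) -> bool:
    """The rule quoted on slide 7: min 8 chars, 2 upper case, 1 number, 1 special."""
    return (len(pw) >= 8
            and sum(c.isupper() for c in pw) >= 2
            and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))


def _decodings(token, limit=256):
    """Plain-text readings of token with leet undone and case folded."""
    choices = [LEET.get(c, c).lower() for c in token]
    for combo in itertools.islice(itertools.product(*choices), limit):
        yield "".join(combo)


def _is_disguised_word(token, words):
    # Try the token as typed and with leading/trailing digits or punctuation
    # removed, so "Password1!" and "!!Dragon" both reduce to their base word.
    forms = {token, _EDGE.sub("", token),
             re.sub(r"[^A-Za-z]+$", "", token), re.sub(r"^[^A-Za-z]+", "", token)}
    return any(base in words for form in forms for base in _decodings(form))


def is_derivative(pw: str, words=COMMON_WORDS) -> bool:
    """True when every space-separated part of pw is a dictionary word in
    disguise: leet ("P@$$w0rD"), suffixes ("Password1!") and the compound
    passwords of slide 11 ("P@$$w0rD C0mp73x1tY")."""
    parts = pw.split()
    return bool(parts) and all(_is_disguised_word(p, words) for p in parts)


def verdict(pw: str) -> str:
    """What a policy checker should report instead of a bare 'OK'."""
    if not meets_complexity_policy(pw):
        return "rejected by complexity policy"
    if is_derivative(pw):
        return "passes policy but is a dictionary word in disguise"
    return "passes policy"


if __name__ == "__main__":
    for pw in ["monkey", "P@$$w0rD", "P@$$w0rD C0mp73x1tY", "Password1!", "xq7!Lm2#vP"]:
        print(f"{pw!r:24} {verdict(pw)}")
```

Note that "C0mp73x1tY" on its own fails the policy (no special character), while the two-word phrase from slide 9 passes it and is still two dictionary words in disguise.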

Page 12

Then There’s The Malware & The Phishing…

Page 13

… AND A STOLEN PASSWORD IS COSTLY
LOSS OF IP, DAMAGE TO BRAND AND CUSTOMER TRUST, FINES AND PENALTIES

Page 14

Passwords are Vulnerable

• 77% of passwords are in a 1000 word dictionary
• Contextual risk: in network vs unmanaged device on public network
• Risky password tricks – like password reuse (26 password-protected accounts and 5 passwords)

Passwords are Costly

• Password resets are the #1 support call – 40% of calls are password related
• $70 estimated average to reset a password – billions of dollars annually
• 62% of organizations see SaaS apps as a better way to support their mobile/remote workers = more passwords and a growing cost

Passwords are Complex

• Credential entry is a huge challenge with mobile devices
• Failed logins and account lockouts are common occurrences

Page 15

EVERY ORGANIZATION NEEDS STRONG AUTHENTICATION
80% OF BREACHES COULD BE ELIMINATED WITH TWO-FACTOR AUTHENTICATION

1. Something you KNOW
2. Something you HAVE
3. Something you ARE

Page 16

… AND NOW SECURING ACCESS DOESN’T HAVE TO BE CUMBERSOME, COMPLEX, OR COSTLY

EMBRACE MOBILITY AND CLOUD WITHOUT INCREASED IT BURDEN
IT should be enabled to support business initiatives that make maximum use of mobility and the cloud without increasing complexity.

SECURE UNIVERSAL ACCESS FROM ANY DEVICE
Users should be able to gain access to the resources they need to do their jobs anytime, anywhere, and from their device of choice.

EASY AND SECURE IS POSSIBLE
Securing access should not translate to “a poor user experience”. IT should not have to choose between an easy and a secure access solution.

Page 17

SYMANTEC MAKES STRONG AUTHENTICATION EASY
VIP ACCESS PUSH | PASSWORDLESS FINGERPRINT AUTHENTICATION | SSO

Ultimate in convenience: Eliminating the password during authentication saves users time and reduces errors.

Superior protection: Keeps users informed of each attempt and gives them the option to deny a sign-in request or accept it using a fingerprint or PIN.

Strong security: An invisible 2048-bit asymmetric key securely and uniquely identifies the device, while a fingerprint securely identifies the user.

Easy integration: Easy SAML integration with any online application through VIP Login; VPNs and remote access with RADIUS.


Page 18

SHOW ME…

Page 19

#1: WE ELIMINATED THE ONE-TIME PASSWORD – ONE PASSWORD FOR ALL CLOUD-BASED APPS!
VIP PUSH AND IDENTITY ACCESS MANAGER

• Single sign-on portal to all cloud-based apps provides access anytime, anywhere WITH ONE PASSWORD
• VIP Access Push adds a second layer of security with one tap – no 6-digit code.
• Identity and context-based policies authorize access to only the apps a user needs to do his/her job
• Easy-to-create connectors allow IT to add additional business-critical apps (including custom apps) with ease

Page 20

#2: WE ELIMINATED ALL PASSWORDS!
VIP BIOMETRICS AND IDENTITY ACCESS MANAGER

• With the use of the biometric sensor on iPhones/iPads and VIP Login on SAM we can eliminate ALL passwords (even the COMPLEX Active Directory password) and still provide 2FA for all cloud-based apps in the app catalog.
• VIP Login can be used with any online application, such as Salesforce, to support passwordless authentication with that specific application (without the use of SAM).

Page 21

#3: WE ELIMINATED THE PASSWORD FOR MOBILE DEVICES
MANAGED PKI DIGITAL CERTIFICATES AND IDENTITY ACCESS MANAGER

• Managed PKI using MDM certificates to transparently authenticate users is highly desirable for mobile initiatives using managed devices (unlocking the device with a fingerprint is recognized as an authentication factor).
• Also useful for BYOD, but a password may be required as the first factor.
• A military-grade, time-tested datacenter provides superior security for both VIP and Managed PKI.

Page 22

IT’S EASY TO DEMO…

Page 23

VALUE PROPOSITION: WHY SHOULD MY CUSTOMERS CARE?
MAKING SECURITY EASY BY REDUCING OR ELIMINATING PASSWORDS MEANS WE:


Reduce their risk of a breach: Users won’t circumvent their security, saving the financial penalties, cost of remediation, loss of IP, and damage to brand or customer trust that a breach results in.

Reduce their cost of support: 30% of calls are password related; Gartner and Forrester estimate an average call costs $70, totaling billions annually.

Address a growing problem: As the number of new cloud apps grows, so will the number of passwords; 62% of organizations see SaaS apps as a better way to support their mobile/remote workers = more IT burden, user dissatisfaction, risk.

Security | Cost | Convenience | Easy

Page 24

HOW DO I START THE CONVERSATION?


Page 25

DISCOVERY QUESTIONS BASED ON TYPE OF BUYER

• STRATEGIC QUESTIONS
– What would be your worst-case scenario in a breach? (risk)
– Do you know how much sensitive data you store in the cloud and how you protect it? (risk, compliance)

• PROBING QUESTIONS
– What do you use to secure remote access to your network & cloud-based apps?
  • Are you using multi-factor authentication or SSO?
– Are you planning any new mobile or cloud initiatives?
  • Perhaps moving applications to the cloud?
  • What is your biggest challenge?
– What is your #1 support call?
  • Are password-related costs an issue?
– Can you envision a scenario where you would like to provide multi-factor authentication for users without using a password?

Page 26

WHAT IF MY CUSTOMER ALREADY HAS A SOLUTION?
PUSH FOR A FREE TRIAL OR PROOF OF CONCEPT

• CUSTOMERS WITH SOLUTIONS
– Do you feel your current solution meets your needs from a cost, IT burden and scalability standpoint, and when looking at future initiatives?
  • Which credentials are you using? Have you considered token-less risk-based authentication? Or implementing a solution that eliminates the password entirely?
  • Are there other authentication needs you haven’t been able to address? Perhaps projects you’d like to undertake to offer online applications, or to open systems to customers or partners, but that were deemed too difficult to implement or cost-prohibitive to protect using your current solution?
  • VIP has new easy authentication options (like Push and passwordless), a lower cost, and is tightly integrated with our SSO solution – can I interest you in a free 60-day trial or proof of concept?

Page 27

RSA SECURID

THREATS
The purchase of Simplified is an unknown, but we can assume it will result in some type of cloud-based service for RSA.

SYMANTEC DIFFERENTIATORS
1. New enhancements (Push & Biometrics) vs no/limited new features
2. Low up-front/token costs, free mobile vs infrastructure/ALL token costs – scaling costs more $$!
3. Low IT burden – cloud-based architecture with self-service options vs customer deployment/management of infrastructure and tokens
4. Secure infrastructure – military-grade infrastructure (seed files stored in the cloud) vs on-premise auth server storing seed files
5. New initiatives: cloud-based architecture optimal for online apps or partner portals
6. Standards supported vs proprietary
7. Tightly integrated with SAM (SSO)

RSA SECURID STRENGTHS
1. First to market, recognized market share leader, 40M users, 30K organizations, strong channel reach
2. Broad authentication offering
3. Integrated with >250 applications
4. Close integration with VPN clients
5. Mature product

Page 28

SAFENET AUTHENTICATION SERVICE

THREATS
Gemalto purchased SafeNet in 2014 and will likely integrate it.
The strength of FIDO is an unknown.

SYMANTEC DIFFERENTIATORS
1. New enhancements (Push & Biometrics) – broadest range of authentication options
2. Quick, easy deployment (not so for SafeNet)
3. Single platform including two-factor and robust risk-based authentication vs only 2FA (limited risk-based – time of day and IP range)
4. Support for complex environments – multiple user directories (Active Directory and Novell eDirectory) vs support for only Active Directory
5. Strong privacy protection (anonymize username with employee ID, etc.) vs the username stored in the cloud
6. Tightly integrated with SAM (SSO)

SAFENET STRENGTHS
1. Recognized market leader by Gartner
2. Great marketing has created the perception of a dominant position in the strong authentication market
3. Backward vertical integration
4. Product alignment to MSPs

Page 29

DUO

THREATS
The strength of FIDO is an unknown.

SYMANTEC DIFFERENTIATORS
1. New enhancements (Push & Biometrics) – broadest range of authentication options
2. Single platform including two-factor and robust risk-based authentication vs only two-factor authentication
3. Strong enterprise focus and install base vs focus on SMB and verticals
4. Flexible – integration with the customer’s LDAP vs requiring the use of Duo’s cloud LDAP, where they store quite a bit of information
5. Secure military-grade infrastructure vs utilizing Amazon Web Services
6. Tightly integrated with SAM (SSO)

DUO STRENGTHS
1. Cloud-based solution
2. Analyst perception strong for a new entrant
3. Strong innovation perception
4. Great user experience and documentation
5. Focused marketing around strong authentication

Page 30


BROADEST RANGE OF AUTHENTICATION OPTIONS
SECURE ACCESS: A SYMANTEC COMPETITIVE ADVANTAGE


VALIDATION AND ID PROTECTION

Standalone OTP Credentials: Hardware Token | Mobile, Desktop Software | Embedded
Out-of-Band: SMS | Voice Call | Email
Tokenless: Device Fingerprint | Registered Computer | Intelligent Authentication
VIP Access Push
Biometric Fingerprint

MANAGED PKI

Certificates: User | Device | Organization | Manufacturer

Page 31

OBJECTION HANDLING

Objection: I can’t have sensitive employee data stored outside my enterprise.
Response: The only end-user information stored by the service is the user’s credential identifier (employee ID, username, etc.).

Objection: VIP passwordless authentication is not as secure as other methods.
Response: When using biometrics, unless the attacker has the user’s fingerprint, access will be denied. Better than a hardware token, biometrics bind the credential to the user.

Objection: One-time passwords can’t protect against man-in-the-browser attacks.
Response: Risk-based authentication provides bumper-to-bumper security. We examine online transactions from login to logout, including monetary transactions, in real time for expected user behavior.

Objection: I can’t migrate my tokens to your service, I’m keeping what I have.
Response: We can run in parallel with your existing solution. This allows you to continue to use your existing tokens for the remainder of their life, while enabling new users with mobile, passwordless, or risk-based authentication.

Objection: My current solution works fine, replacing it isn’t a priority.
Response: Our cloud-based architecture and self-service options mean low costs, the broadest range of authentication options support new initiatives, and you don’t need to rip and replace your current solution.

Page 32

IDaaS Market


• Okta is a pure multi-tenant hosted solution and the clear leader in the market, with advanced features in:
  • User provisioning
  • Extensive application catalog
  • Broad API set for integration with customer workflows
• Microsoft Azure AD entered the market in 5/2014
  • Tight integration with AD and O365
  • First IDaaS provider to offer cloud application discovery to provide visibility into application usage
• OneLogin and Ping Identity are also contenders, with Ping offering both on-premise and hosted deployments and OneLogin offering a directory in the cloud
• CA, IBM and Oracle (not listed) are also key competitors in the space, as they offer separate SSO/Federation solutions and are focused on extending legacy IDM platforms to the cloud
• Other players include Centrify, Covisint and SailPoint

Page 33


SYMANTEC ACCESS MANAGER DIFFERENTIATORS

Federations: SSO with 2FA to both federated and non-federated applications
Identity Sources: Multiple identity sources: AD, LDAP, Oracle, SAML, built-in
Attribute Mapping: Aggregate attributes from different sources to create dynamic policies
Deployment model: Lightweight VM deployed both on-premises and hosted
Architecture: Built-in high availability

Page 34

JAMES BOND STYLE SECURITY

• Physical Security
– Tier 4 data center facility and dual-control personnel required to access sensitive key management and signing functions
– Trusted employee background checks required for access

• Certifications and Compliance
– PCI, SSAE 16/SOC 2 certification
– WebTrust for CA and Federal Government PKI certification
– Internal Symantec InfoSec policies and practices

• Service Management
– Strict change control process for all IT services
– Incident management processes and procedures with regular “fire drill” exercises

• Systems and Security Monitoring
– Dedicated 24x7 Network Operations Center
– External global service monitoring of critical services, daily vulnerability scans
– HIDS and NIDS to monitor systems, applications and network
– SSL and S/MIME for encrypted communications

Page 35

NEXT STEPS

Page 36

SPREAD THE WORD

• YOUR CUSTOMERS DON’T NEED TO CHOOSE BETWEEN EASY AND SECURE ACCESS!
– Eliminating the password with VIP/MPKI and SAM can:
  • Reduce their risk of a breach
  • Reduce their cost of support
  • Address a growing problem
  • … while satisfying user demand for ease of use

• NEXT STEPS
1. Read the Sales Guide: all the material will be on PartnerNet: VIP and Identity Access Manager pages
2. Familiarize yourself with the Eliminating the Password first meeting deck
3. Utilize the recorded demos or your VIP credential to show customers how easy it is.

Page 37

QUESTIONS?


Page 38

THANK YOU!

Copyright © 2015 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.