The CISO s Guide to Deploying True Password-less Security. by Bojan Simic and Ed Amoroso

Transcription

1 The CISO s Guide to Deploying True Password-less Security by Bojan Simic and Ed Amoroso

2 TRUST ANYONE HYPR Deployment Overview for Managers HYPR is designed to eliminate credential stuffing, phishing and password reuse for consumer and employee-facing applications. Unlike authentication methods that rely on centralized passwords stored inside the enterprise, HYPR leverages decentralized authentication to securely store your users credentials on their personal devices. This decentralized approach to password-less security removes the hackers primary target and forces attackers to focus on each device individually - drastically shifting the economics in the enterprise s favor. The HYPR platform is designed to empower true password-less security for large-scale consumer applications, enterprise business use, and integration with existing identity and access management (IAM) infrastructures. An advantage of the platform is a level of interoperability that enables practical transition to a true password-less architecture for a full range of mobile, web, and desktop applications. This white paper provides security and IT managers with a high-level executive overview of the typical deployment process for HYPR. The purpose is to help managers and practitioners better understand the types of activities that will be required to decentralize their authentication process using the HYPR platform for their organization. More detailed descriptions of the actual steps involved in deployment will be provided by the HYPR team to project participants HYPR All Rights Reserved.

3 Two Categories of HYPR Deployment HYPR deployments follow two categories of use cases each with its own set of practical, technical, and administrative concerns. The specifics of these deployment use cases are sufficiently different to warrant management explanation hence, this document. The following sections explain how each case proceeds in the most typical projects. HYPR for Consumer Applications This case involves a line of business, digital identity and fraud teams seeking to reduce customer fraud and account takeover caused by credential stuffing and password reuse. It is generally performed in the context of some digital transformation initiative for business-to-consumer offerings and to meet regulatory comliance requirements such as PSD2 or SCA (Strong Customer Authentication). HYPR for Enterprise Use This case involves enterprise security teams wishing to decentralize their authentication to reduce the risk of compromise such as phishing and advanced persistent threat (APT) exfiltration. It is generally performed to enable true password-less authentication to Windows and MacOS workstations, as well as Single Sign-On, VPN, and VDI login HYPR All Rights Reserved.

4 TRUST ANYONE HYPR Deployment for Consumer Applications Modern digital transformation initiatives are often at the root of the management decision to deploy HYPR for large-scale consumer mobile applications. As service and application providers realize the need to minimize personal credential risk, while also optimizing the user experience with as little friction as possible, the decision to integrate HYPR makes perfect sense, because it directly supports both increased security and an improved end user experience. This initial use case for HYPR deployment involves a business or provider dealing with a large consumer base and wanting decentralized credential support. Retail banks, social media companies, Internet service providers, insurance companies, and on-line vendors are good examples of this category of deployment. In this use case, HYPR enables true password-less authentication for consumer facing mobile and web applications. The result is a phishing-resistant login experience powered by the user s mobile device. IDENTITY MANAGEMENT SYSYEM HYPR FIDO SERVER Password-less Consumer Authentication 1. User Request User Validity Check WEB APPLICATION 3. Authentication Initiation 4. Authentication Challenge HYPR USER FIDO Signed Response 6. Authentication Complete HYPR FIDO AUTHENTICATOR This use case presumes that a trained team of capable developers is present that will understand how to integrate the HYPR software development toolkit (SDK). To ensure success, various cross-functional teams would be involved in the HYPR deployment process. For example, user experience teams, cyber security teams, privacy teams, and software engineering teams will participate in the integration, with direct support from the HYPR team. This team approach allows for meticulous attention to details as the HYPR toolkit is used by these large groups of developers and experts for enabling password-less security HYPR All Rights Reserved

5 Deploy HYPR for Consumer Authentication in 2 Easy Steps Integration of HYPR for consumer mobile applications will generally focus on the following two common integration points: Back-End Infrastructure This includes the applications, systems, and networks that support the decentralized security which characterizes HYPR security. Front-End Mobile Apps These are used by consumers to gain access to the specific set of services being secured. Deployment to these integration points is straightforward because, in contrast to most enterprise teams, the typical organization working to embed HYPR for consumer applications will have experience with software development toolkits (SDKs). They will have no trouble selecting a desired interface such as OATH or Open ID Connect for use with their application, and it is not unusual for total project integration efforts to take less than a full day of work. A recent consumer application project for a Global 2000 Financial Institution, for example, involves integration of HYPR into the company s mobile application experience for Internet-based ecommerce services. In this case, tens of millions of consumers used these on-line services and the overall successful deployment process took only two and a half days of work HYPR All Rights Reserved. 5

6 TRUST ANYONE HYPR Deployment for Enterprise The second use case presumes that an enterprise security or information technology (IT) team wants to integrate HYPR into their local identity and access management (IAM) ecosystem. The decentralization in this case is done to protect employee, contractor, third-party and customer credentials, but the team may not include experienced software developers. This case requires more support and simpler tools for an effective deployment. PASSWORD-LESS WORKSTATION LOGIN 1. Locked Workstation State 2. Initiate Workstation Unlock WORKSTATION 3. Request FIDO Authentication 4. Secret Authorization 5. Secret Verification MOBILE DEVICE 6. Validate Security Context 7. Workstation Unlocked HYPR FIDO SERVER HYPR s goal is for CISO-led teams to have little trouble integrating the decentralized authentication platform into their enterprise in a straightforward manner. The presumption in HYPR usage for enterprise is that simple integration is as important as the functional controls that result from the software integration. This makes sense, because if the HYPR platform cannot be simply deployed, then regardless of the security value, CISO teams will have no reasonable means to move forward. As suggested above, CISO teams rarely include teams of experienced and available software developers. The HYPR team has therefore predefined modules for deployment and integration into existing endpoint, server, and network infrastructure. Tailoring for an enterprise requires only the skills to use administrative tools and to install software, rather than any need to code new applications, middleware, or scripts HYPR All Rights Reserved

7 Deploy HYPR Across the Enterprise in 5 Easy Steps The most typical HYPR enterprise deployment includes the following five steps each of which will require the coordination of security and IT operations teams. It should be noted that most enterprise teams run Windows on their PC endpoints, in coordination with either BYOD or corporate-owned mobiles. Obviously this can vary but we list below the steps that have been the most commonly observed for HYPR customers in this common configuration: Step 1: Endpoint Credential Provider This first step requires that the enterprise team install the HYPR client onto all endpoints. The HYPR client simply changes the existing Credential Provider function on Windows endpoints to use certificate based logon from its default setting to use passwords. This first step is roughly the same for MacOS, but the specific utility is obviously different. The HYPR team will work with the enterprise to utilize whatever endpoint software deployment tool is preferred for this endpoint step. Step 2: Domain Controller Setting This second step involves the enterprise IT teams enabling Certificate Based Logon on the Windows Domain Controller. This setting is disabled by default, but the feature is required for proper client-server interaction with HYPR platform. Administrators simply need to click to enable the feature on the server. Step 3: HYPR Server Deployment The third step in the deployment process involves installation of the HYPR server either on-premise or in the cloud. This step is highly dependent on the local requirements, policies, and constraints for server deployment at the customer s enterprise. In some cases, this requires considerable documentation and assurance, and the HYPR team will assist accordingly. The HYPR server runs as a virtual appliance on the deployed server. Step 4: Enterprise Architecture Each enterprise will have different requirements for architectural support of the new HYPR platform, including the server. Data replication, disaster recovery, hot standby requirements, and other considerations are often important aspects of a HYPR enterprise deployment. Again, the HYPR team will follow local guidance from the enterprise team to ensure that all functional, resilience and assurance requirements are met. Step 5: Mobile App All HYPR deployments require the mobile app, which is used to store user credentials. Obviously, pushing the mobile app to employee and contractor mobile devices will follow the local mobile device management (MDM) and enterprise mobility management (EMM) tools in place. The end-result is that each user has the HYPR mobile app installed on their mobile device that is white-labeled and branded for their organization HYPR All Rights Reserved. 7

8 TRUST ANYONE SUMMARY The most obvious enterprise advantage enabled by the HYPR deployment is that a true password-less architecture emerges and this is both more secure for the organization and more popular with users than the existing password solution. Additional advantages include the ability to create fine-grained user access policies, and to integrate with related identity and access management (IAM) tools such as Okta, ForgeRock, CA Single Sign-On, Ping Federate, and many others. Need More Information? For additional details on HYPR deployment for either consumer or enterprise use, please reach out to getsecured@hypr.com ABOUT HYPR CORP HYPR is the leading provider of True Password-less Security. With millions of users deployed across the Global 2000, HYPR is the first Decentralized Authentication Platform designed to eliminate credential reuse, fraud and phishing for consumers and employees across the enterprise HYPR All Rights Reserved