Passwords Are Dead, Long Live Multi-Factor Authentication
Chris Webber, Security Strategist
Copyright 2015 Centrify Corporation. All Rights Reserved.
Threat Landscape
Typical attack chain: an initial attack on an end user, then use of that foothold to obtain a privileged user's account access, and finally the breach itself.
63% of data breaches involved weak, default or stolen passwords (Verizon 2016 Data Breach Investigations Report).
Attackers target both end users and privileged users.
Threat Landscape
- FBI has lead in probe of 1.2 billion stolen Web credentials
  http://www.reuters.com/article/us-usa-cyberattack-russiaiduskbn0td2yn20151124
- 2 million FB, Twitter, Gmail passwords stolen and posted online
  http://tech.firstpost.com/news-analysis/2-million-fb-twitter-gmail-passwords-stolen-andposted-online-215958.html
- 10 million stolen passwords were just released, here's how to see if yours is one of them
  http://bgr.com/2015/02/12/10-million-passwords-leaked-hack-check/
- Hackers post millions of stolen Gmail passwords on Russian site
  http://www.cbsnews.com/news/russian-hackers-steal-5-million-gmail-passwords/
- Update: LinkedIn Confirms Account Passwords Hacked
  http://www.pcworld.com/article 257045/ 6_5m_linkedin_passwords_posted_online_after_apparent_hack.html
Assume every password has been stolen.
Future of Enterprise IT
Workloads span on-premises, mobile, SaaS and IaaS, with access from anywhere.
De-perimeterization: data is everywhere, and enterprises no longer trust their networks.
Compliance
PCI DSS Requirement 8.3: Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication.
"All administrative access into the cardholder data environment, even from within a company's own network, will need MFA." Troy Leach, PCI Security Standards Council Chief Technology Officer
The Goal
Secure access to apps and infrastructure from any device, for all users.
Resources: cloud (IaaS and PaaS), applications, data center servers, network devices, big data.
Users: end users, partners, privileged IT users, outsourced IT, customers.
The Time to Act Is Now: MFA Everywhere
Password risk has increased from 2014 (the year of the breach) through 2015 (millions more passwords stolen) to today.
Beyond MFA: limit lateral movement, enforce least privilege, log and monitor.
Solution Benefits
Reduce risk step by step, moving up a maturity ladder from DANGER through GOOD, BETTER and GREAT to OPTIMAL.
Reduce Risk Across Hybrid IT
DANGER: too many passwords, too much privilege, basic (password-only) authentication
GOOD: establish identity assurance
BETTER: limit lateral movement
GREAT: enforce least privilege
OPTIMAL: log and monitor
Establish Identity Assurance (GOOD)
Identity Consolidation
One end user, Joan Smith, accumulates a different username on every system: jsmith, joans, js, josmith, joansmith, joan, joan.s, j.smith, smithjoan, smithj. Servers, network devices, apps, SaaS and IaaS each also carry their own privileged accounts. Consolidating these into a single identity per person is the starting point for identity assurance.
MFA Everywhere
- MFA for VPN
- MFA for cloud infrastructure (IaaS)
- MFA for on-prem apps
- MFA for cloud apps
- MFA for server login and privilege elevation
- MFA for shared resources
Context-Aware Policy
Decide based on who is asking, from which device, when, and from where.
Cloud-based Adaptive MFA
Strong authentication without user hassle: use context to decide when a challenge is needed, so users are not prompted on every login.
Context signals:
- Time of day, work hours
- Inside or outside the corporate network
- User role or attributes
- Specific privileged role or command
- Device attributes (type, management status)
- Location
Supported factors:
- Push notification to smartphones and wearables
- Biometrics for mobile
- One-time passcode (OTP) over SMS or email, or from OATH-compliant devices
- Smartcard and derived credentials
- Interactive phone call
- Offline or connected operation
Multi-factor Authentication for Infrastructure
Block cyber attacks:
- MFA for login and privilege elevation
- MFA for remote access
- MFA for shared password checkout
- Control step-up authentication via roles
Architecture (from the slide diagram): the cloud-hosted Centrify Identity Platform performs the multi-factor authentication; a Centrify Cloud Connector in the enterprise data center links it to the jump box and to Server Suite on the servers, which enforce MFA for login and privilege elevation, broker shared account sessions, and write auditing to an audit database.
Multi-factor Authentication for Secure Access
Reduce password risk:
- MFA on a per-app basis
- MFA for IaaS console access
- MFA for VPN
- MFA + SSO = fewer passwords
MFA + SSO for SaaS
Mitigate risk: stop passwords, demand SAML federation from SaaS vendors so the application never holds a user password, and enable BYOD.
MFA + SSO for IaaS
Minimize the attack surface:
- Provide role-based access to the IaaS console
- Lock down the root or billing account and require MFA on access (on AWS, for example, an IAM policy condition on the aws:MultiFactorAuthPresent key can deny API calls from sessions that did not authenticate with MFA)
- Applies to AWS, Google Compute and Azure
MFA + SSO Everywhere, Based on Context
The same login can produce three outcomes depending on context:
- Approved location: single sign-on to business apps
- Unknown location: challenge for MFA
- Blocked location: block access to business apps
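To show how the adaptive-MFA context signals (time of day, network, role, privileged command, device, location) combine into the three outcomes above, here is an added Python example written for this page; it is not Centrify's policy engine. The signal names, the location labels, the privileged roles and the work-hours range are assumptions. The point it demonstrates is ordering: a deny rule is evaluated first and always wins, any single step-up trigger forces a challenge, and only a request with every signal inside policy gets silent single sign-on, so a trusted network can never downgrade a privileged action below MFA.

```python
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "single sign-on, no challenge"
    STEP_UP = "challenge for a second factor"
    DENY = "block access"


@dataclass(frozen=True)
class AccessContext:
    """The signals the deck names: who, which device, when, from where,
    and whether the request is a privileged one. Field set is assumed."""
    user: str
    role: str                     # e.g. "end_user", "admin"
    device_managed: bool          # enrolled / known device
    on_corporate_network: bool
    location: str                 # "approved" | "unknown" | "blocked" (assumed labels)
    requested_hour: int           # local hour of day, 0-23
    privileged_action: bool = False  # privilege elevation or a guarded command


@dataclass
class PolicyResult:
    decision: Decision
    reasons: list = field(default_factory=list)


# Assumed policy data; a real deployment reads these from its identity platform.
WORK_HOURS = range(7, 19)        # 07:00 to 18:59
PRIVILEGED_ROLES = {"admin", "dba"}
BLOCKED_LOCATIONS = {"blocked"}
APPROVED_LOCATIONS = {"approved"}


def evaluate(ctx: AccessContext) -> PolicyResult:
    """Deny overrides step-up, step-up overrides allow. Reasons accumulate
    so the audit trail records why a user was challenged."""
    # 1. Hard blocks first: no amount of other context can rescue these.
    if ctx.location in BLOCKED_LOCATIONS:
        return PolicyResult(Decision.DENY, ["request originates from a blocked location"])

    # 2. Step-up triggers: any one of them is enough to demand MFA.
    reasons = []
    if ctx.privileged_action or ctx.role in PRIVILEGED_ROLES:
        reasons.append("privileged role or action always requires MFA")
    if ctx.location not in APPROVED_LOCATIONS:
        reasons.append("unknown location")
    if not ctx.on_corporate_network:
        reasons.append("outside corporate network")
    if not ctx.device_managed:
        reasons.append("unmanaged device")
    if ctx.requested_hour not in WORK_HOURS:
        reasons.append("outside work hours")
    if reasons:
        return PolicyResult(Decision.STEP_UP, reasons)

    # 3. Every signal inside policy: silent single sign-on.
    return PolicyResult(Decision.ALLOW, ["all context signals within policy"])


if __name__ == "__main__":
    # Constructed requests matching the three outcomes on the slide.
    for ctx in (
        AccessContext("jsmith", "end_user", True, True, "approved", 10),
        AccessContext("jsmith", "end_user", True, False, "unknown", 10),
        AccessContext("jsmith", "end_user", True, False, "blocked", 10),
    ):
        result = evaluate(ctx)
        print(ctx.location, "->", result.decision.name, result.reasons)
```

Keep the deny list and the "privileged always steps up" rule ahead of every convenience rule; the most common policy bug is an allow rule for "on the corporate network" that silently exempts administrators.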
Reduce Risk Across Hybrid IT: Limit Lateral Movement (BETTER)
Mitigate VPN Risk
A VPN connection gives employees, contractors, partners and customers a network path to on-premise apps, and gives employees, contractors and outsourced IT a network path to on-premise infrastructure. Replace it with VPN-less access to the specific app or the specific resource the user needs, so a compromised account or device cannot reach the rest of the network.
Automate App Provisioning
Lifecycle: onboard, create/update, license/authorize, monitor/report, offboard.
- Role-based provisioning
- Mobile app provisioning
- Comprehensive deprovisioning
- SSO / MFA / IWA (Integrated Windows Authentication) / remote access
- Enable mobile
Reduce Risk Across Hybrid IT: Enforce Least Privilege (GREAT)
Implement Comprehensive Privileged Identity Management
Privileged individual accounts: log in as yourself, elevate privilege when needed, and attribute activity to the individual.
Privileged service (shared) accounts: check out the service account password, log in as the shared account, and attribute the account's use to the individual who checked it out.
Core rule: get users to log in as themselves, while maximizing control of shared accounts.
Log & Monitor (OPTIMAL)
Monitor Privileged Sessions
For privileged accounts on servers, network devices and IaaS: record privileged sessions, report on them, and replay them.
Orchestrate with SIEM and Threat Analytics Vendors
- Expose events (including session video) so the existing SOC can use them
- Expose actions for remediation, driven by findings received from threat analytics vendors
- Integrate with existing enterprise tools
Thank You