Enhance Network Security with Multi-Factor Authentication for BYOD and Guest Access
TRANSCRIPT
#ATM16
Garth Benedict, Randy Garcia, Michael A. Tarinelli
May 2, 2023 @ArubaNetworks
Setting the stage
Mobility Changing the Security Dynamic
- Distributed and mobile work force
- Demand for simplicity
- Security requirements remain: strong authentication, encryption, end point protection, etc.
Security vs. Simplicity
- Customer demand for the “coffeehouse” experience
- Industry forced to drive security solutions at every level
- Failure to act could result in data breach and identity theft
A Perfect Match
- Simplicity and Security – not mutually exclusive
- 2FA/MFA Reboot – new and innovative players in the multi-factor authentication space
- Enhance MFA with ClearPass Policy Manager
- Explore Adaptive Trust
  - Use policy to provide “defense in depth” overlay to MFA solution
Benefits of Policy Based MFA
- Reduce breaches and save $$$
- Increase credibility among your peers and customers with new and innovative approaches to MFA implementation.
Multifactor Authentication Overview
What is 2FA? What is MFA?
- Two-factor authentication (2FA) provides a second layer of security to any type of login, requiring extra information or a physical device to log in, in addition to your password
- Multi-factor authentication (MFA) is the same idea with more than two factors
- Something you have, e.g. the dreaded token
- Something you are, e.g. thumbprint
- Something you know, e.g. username and password
Not your grandma’s MFA
Current Trends of MFA (Cloud + Mobile)
- New companies launching innovative solutions (DUO, Authy, Yubico, etc.)
- Leverages mobile device for additional factors
- OTP, click, swipe, proximity, biometric options, USB key, SDKs, etc.
Legacy Providers
- Hardware tokens from RSA, SafeNet, Vasco, McAfee, etc.
- Hated by end users and IT departments alike
- Move to soft tokens and mobile well underway
New Players vs. Legacy Establishment
- Cloud + Mobile is the trend
  - Leveraging smart device + app
  - Making huge strides
- Incumbents still have market share
  - Supported for years on CPPM
  - Pivoting to Cloud + Mobile strategy
Security Concerns
- 95 percent of breaches involve the exploitation of stolen credentials.
- The misuse of administrative privileges is a primary method for attackers to spread inside a target enterprise
- Elevation of privileges by guessing or cracking a password for an administrative user
- Sharing passwords
- Attackers take advantage of network devices becoming less securely configured over time
Wait! It’s hard to use!
Importance of MFA
- Yes. It does introduce an extra step
- But, it’s a key element of any “defense in depth” strategy
- Innovate with new tools that are more user friendly
- Reduce the burden and leverage policy to force MFA at times and places of your choosing.
- Attackers take advantage of network devices becoming less securely configured over time
Where is MFA Headed?
3rd Party Integrations
- Many new and existing companies providing services
- Cloud and mobile application based
- Combination of clicks, gestures, proximity, puzzles and biometric methods
- All have their challenges (just as the old tokens did)
- SaaS, Guest/BYOD, network admin and network access use cases
User Behavior
- The biggest barrier to adoption (on both the IT and user side)
- Mobile adoption and addiction presents opportunity
- Take a broader approach to authorization
- Leverage context to trigger mobile based MFA on demand
- Leverage Microsoft Intune or MDM for Windows laptops
ClearPass and Adaptive Trust
Introducing a new approach to MFA
Mobility – The New Fight
- Users that work from anywhere and devices that roam
- Access privileges and authentication based on user- and device-roles
The Extended Enterprise
HOME OFFICE/ROAD WARRIORS
- Access on VPNs, mostly open SSIDs
- Same privileges and authentication as when in the office
ClearPass at a Glance
- AAA: RADIUS, TACACS
- Directory, Profiling, Location, Application
- Modern style RESTful API, Context Rich, Partner Ecosystem
- Guest, OnBoard (BYOD, CA), OnGuard (Posture)
- Adaptive Trust
Time for a New Defense Model
[Diagram: Static Perimeter Defense versus Adaptive Trust Defense. Labels: IDS/IPS, Firewalls, A/V, Web gateways, Perimeter Defense, Auth and Automation, Physical Components, Security and Policy for each user or group]
Benefits of Adaptive Trust
Complete End-to-End Protection: ClearPass Policies, Perimeter Defense, MDM/EMM
- ✔ Aruba verified integration workflows
- ✔ ClearPass as policy and context store
- ✔ Accurate rules enforcement
- ✔ All infrastructure and security components work together
Adaptive Trust Context Sharing
User and Device
- Security policy adapts to need
- Context shared
- Employee access
  - Thomas
  - Mac OS 10.9.3
  - Marketing
  - 10.0.1.12
- Works with AD, LDAP, ClearPass DB, SQL DB
- No agents/clients required
Using Policy to drive on demand MFA
- Based on Time
  - Once a day or week
  - If you have not logged on from this device in the past 14 days
  - If your device was unhealthy in the past 30 days
- Based on Posture
  - If your device posture changes to unhealthy
  - If any of your other devices posture changes to unhealthy
  - If a company alert or security check is issued
- Based on other Context
  - User has never logged on from this location
  - User has failed user authentication 3 times
  - 3rd Party application or system triggers MFA
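An added sketch (not from the original slides, and not ClearPass configuration) of how the time, posture and context triggers listed on this slide could be evaluated as a single on-demand MFA decision. The `AuthContext` fields and the `mfa_reasons` function are hypothetical names chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class AuthContext:
    # Hypothetical context record; field names are assumptions, not ClearPass attributes.
    now: datetime
    last_mfa: Optional[datetime] = None               # last successful MFA by this user
    device_last_login: Optional[datetime] = None      # None means device never seen
    device_last_unhealthy: Optional[datetime] = None  # None means never unhealthy
    posture_healthy: bool = True
    other_device_unhealthy: bool = False
    security_alert: bool = False
    location: str = ""
    known_locations: frozenset = frozenset()
    failed_auths: int = 0
    third_party_trigger: bool = False

def _stale(ts, now, days):
    """True when ts is missing or older than `days` days."""
    return ts is None or now - ts > timedelta(days=days)

def mfa_reasons(ctx, mfa_interval_days=1):
    """Return every rule that demands MFA; an empty list means no prompt."""
    reasons = []
    # Based on time ("once a day or week" maps to mfa_interval_days = 1 or 7)
    if _stale(ctx.last_mfa, ctx.now, mfa_interval_days):
        reasons.append("time: MFA interval elapsed")
    if _stale(ctx.device_last_login, ctx.now, 14):
        reasons.append("time: no logon from this device in 14 days")
    if not _stale(ctx.device_last_unhealthy, ctx.now, 30):
        reasons.append("time: device unhealthy within 30 days")
    # Based on posture
    if not ctx.posture_healthy:
        reasons.append("posture: device unhealthy")
    if ctx.other_device_unhealthy:
        reasons.append("posture: another device of this user unhealthy")
    if ctx.security_alert:
        reasons.append("posture: company alert or security check issued")
    # Based on other context
    if ctx.location not in ctx.known_locations:
        reasons.append("context: first logon from this location")
    if ctx.failed_auths >= 3:
        reasons.append("context: 3 failed authentications")
    if ctx.third_party_trigger:
        reasons.append("context: third-party trigger")
    return reasons
```

Returning the list of matched rules rather than a bare yes/no lets the decision be logged and audited; a context with no history at all fails closed and prompts for MFA.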
Putting it all together
MFA and Policy in Action - Demos
Demo 1 – Place Holder - Explanation and Workflow
Demo 1 – Place Holder - Screen Shots
Demo 2 – Place Holder - Explanation and Workflow
Demo 2 – Place Holder - Screen Shots
Demo 3 – Place Holder - Explanation and Workflow
Demo 3 – Place Holder - Screen Shots
Close
Includes slides, color spots speaker remarks