Protect Against Security Breaches by Securing Endpoints with Multi-Factor Authentication
DESCRIPTION
In this age of an interconnected global business ecosystem, businesses rely on network connections with partners, suppliers, and others for efficient business processes. You just have to look at the headlines to see that several recent security breaches have compromised these connections as a way into a corporate network. Utilizing CA Advanced Authentication, CenterPoint Energy is making connections more secure through multi-factor authentication and reducing the risk of standard network credentials becoming compromised. For more information on CA Security solutions, please visit: http://bit.ly/10WHYDm
TRANSCRIPT
ca Securecenter
Protect Against Security Breaches by Securing Endpoints with Multi-Factor Authentication
Session Number SCX07S #CAWorld @jamiebass25
Mike Phillips, CenterPoint Energy, Corporate Technology Security Director
Jamie Bass, PwC, Advisory Director
2 © 2014 CA. ALL RIGHTS RESERVED.
Agenda
1. BACKGROUND AND PROBLEM FACED
2. CENTERPOINT’S APPROACH
3. TECHNICAL CHALLENGES
4. DEPLOYMENT PLAN
5. Q & A
BACKGROUND AND PROBLEM FACED
Introduction
CenterPoint Energy is a company with more than 5 million metered customers and a long history of service. CenterPoint Energy is composed of an electric transmission and distribution utility serving the Houston metropolitan area, local natural gas distribution businesses in six states, and a competitive natural gas sales and service business serving customers in the eastern half of the U.S.
We also operate an interstate pipeline operation with two natural gas pipelines in the mid-continent region, and a field services business with natural gas gathering operations, also in the mid-continent region. We're an established company with substantial assets that are managed by experienced people. CenterPoint Energy's vision is to be recognized as America's leading energy delivery company, and we know that reliable energy is not a luxury. It's up to us to keep the lights on and to provide clean natural gas for homes, factories and businesses.
OVERVIEW OF CENTERPOINT ENERGY
Interconnected business ecosystem*
• Businesses are becoming increasingly interconnected with third parties
– External connections and efficient access are a requirement for staying competitive
– Not controlling this access effectively can be detrimental
• An effective security model must be deployed to balance and control this
[Diagram: the organization and its connected suppliers, vendors, partners, other agents, contractors and users]
PERIMETER DEFENSES ARE BECOMING IMPRACTICAL
The threat is real
• Despite following best security practices, an organization is still susceptible to weaknesses from an external party
– There have been recent breaches leveraging smaller, less secure external parties to get into large enterprise environments
– Hackers have a long history of attacking the supply chain for certain industry sectors
• Often vendors will have access to very critical components of the infrastructure
SEVERE IMPACTS FOR DOING THIS INCORRECTLY
The threat is increasing
• Recent reports from the Department of Homeland Security indicate an increased number of security breaches
– We exist in a ‘copy cat world’ where successful attacks are quickly executed on other organizations with similar infrastructure
• Due to the evolving regulatory landscape, organizations are being held accountable
THESE ATTACKS ARE HAPPENING MORE FREQUENTLY
External users pose unique challenges
• Third-party access to the organization poses several security concerns not seen with internal users
– Security capabilities of these external parties will vary
– Monitoring capabilities for items such as user activity outside the corporate network are limited
– Lack of visibility to the actual user behind the connection and the full connection path
• Assessing the security posture of each third party is difficult
UNCONTROLLED ACCESS POINTS
CENTERPOINT’S APPROACH
Improve the external authentication process
• Leverage advanced authentication for external users
– Protect against phishing attacks and more accurately tie access to an actual end user with Multi-Factor Authentication (MFA)
– Risk-based authentication can leverage location, time, etc.
– Provides centralized authentication for improved management and monitoring capabilities
• Find all of the external connections
– Many of these are set up and managed outside of IT
– Some of these may not even be active anymore
THIS IS BOTH A TECHNICAL AND BUSINESS EFFORT
CenterPoint’s path to secure these connections
Standardize
• Define policies and supporting standards for third-party connections
• Leverage leading industry practices and recommended security frameworks
Inventory
• Gather details around existing connections to the network and build an inventory
• Assign business and technical owners to these connections
Assess
• Determine risk level for existing connections
• Identify gaps from policies / standards
Prioritize
• Prioritize connections for integration with MFA
• Consider the risk they pose and the ease of integration
ROADMAP FOR SECURING EXTERNAL CONNECTIONS
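The Inventory, Assess and Prioritize steps above can be sketched in code. This is an added example, not part of the original presentation or of any CA product: the record fields, the sample connections, the 180-day inactivity threshold and the scoring weights are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample inventory; names, fields and weights are illustrative assumptions.
@dataclass
class Connection:
    name: str
    kind: str                # e.g. "vpn", "web", "vdi", "modem"
    business_owner: str      # empty string if nobody has been assigned
    technical_owner: str
    criticality: int         # 1 (low) .. 5 (reaches critical infrastructure)
    last_used: date
    has_mfa: bool
    integration_effort: int  # 1 (easy) .. 5 (hard)

INVENTORY = [
    Connection("hvac-vendor-vpn", "vpn", "Facilities", "NetOps", 4, date(2014, 10, 20), False, 2),
    Connection("billing-partner-portal", "web", "Finance", "", 3, date(2014, 11, 1), False, 1),
    Connection("legacy-dialup-modem", "modem", "", "", 5, date(2013, 2, 14), False, 5),
    Connection("supplier-vdi", "vdi", "Procurement", "Desktop", 2, date(2014, 10, 30), True, 3),
]

def assess(conn, today, stale_days=180):
    """Return the gaps of one connection against the (assumed) connection standard."""
    gaps = []
    if not conn.business_owner or not conn.technical_owner:
        gaps.append("no-owner")
    if (today - conn.last_used).days > stale_days:
        gaps.append("stale")
    if not conn.has_mfa:
        gaps.append("no-mfa")
    return gaps

def prioritize(inventory, today):
    """Split the inventory into inactive connections and an ordered MFA integration queue."""
    inactive, queue = [], []
    for conn in inventory:
        gaps = assess(conn, today)
        if "stale" in gaps:
            inactive.append(conn.name)  # review for removal instead of integrating
        elif "no-mfa" in gaps:
            # Higher criticality and more gaps raise priority; higher effort lowers it.
            score = conn.criticality * 2 + len(gaps) - conn.integration_effort
            queue.append((score, conn.name))
    queue.sort(key=lambda item: (-item[0], item[1]))
    return inactive, [name for _, name in queue]

if __name__ == "__main__":
    print(prioritize(INVENTORY, date(2014, 11, 10)))
```

Connections that already have MFA and no other gap drop out of both lists; an ownerless connection gains priority because the missing owner counts as a second gap.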
Technology can be implemented in a phased approach
• Deploy advanced authentication technology
– Deploy the base infrastructure for CA Strong Authentication
– Migrate external connections to the infrastructure
– Consider internal use-cases
• Expand the capabilities of advanced authentication
– Integrate with CA Single Sign-On to protect web interfaces
– Integrate with CA Risk Authentication for adaptive, context-aware authentication
GET IMMEDIATE VALUE QUICKLY, BUT ALSO PLAN FOR EXTENDED CAPABILITIES IN THE FUTURE
Lessons learned
• Must partner with business and IT stakeholders
– Clearly articulate objectives
– Make it easy to do the right thing
• Developing complete inventory is a stretch goal
– Knowledge of connections distributed
– Chasing a moving target
THE PROBLEM CROSSES BUSINESS AND IT BOUNDARIES
TECHNICAL DEPLOYMENT
Overview of PwC
SECURITY CAPABILITIES WITH BUSINESS UNDERSTANDING
PwC is a global leader in information security and privacy solutions, with a history of deploying CA Security products
Over 1,600 dedicated security practitioners globally
Access to 2 offshore centers in India & China (Service Delivery Centers – SDCs)
Integrated offerings developed over 15+ years
Capabilities to assess, plan, implement, and respond to security incidents
Technology requirements
• Challenges to look for in advanced authentication integration
– Simplify and automate the distribution and management of tokens
– Need to be able to deploy this across broad technical areas of the environment such as modems, web interfaces, Virtual Desktop Infrastructure (VDI), Virtual Private Networks (VPN), etc.
– Effectively leverage and integrate with existing and planned infrastructure (Active Directory, CA Single Sign-On, CA Identity Management, etc.)
• Make management, support, and integration easy
NEED TO CONSIDER THE ARCHITECTURE, INTEGRATION POINTS, AND USABILITY
Product requirements
VPN – Virtual Private Network; UI – User Interface; ISDN – Integrated Services Digital Network;
CONSIDER SECURITY, SCALABILITY, AND USABILITY
Flexible means of One Time Password (OTP) generation and distribution
Authentication for web interfaces as well as network infrastructure components such as VPN, VDI, etc.
Integration with threat and fraud prevention tools
Ease of use, proven scalability, and real customer success
CA Strong Authentication product fit
Flexible options for OTP distribution: text, app, call, etc.
Multiple integration options: web, RADIUS, etc.
IdentityMinder integration to provide user interface for enrolling and managing soft tokens
Integrates with CA Risk Authentication to provide features such as risk profiling, device fingerprinting, etc.
OTP – One Time Password; RADIUS – Remote Authentication Dial In User Service; IDM – Identity Management; UI – User Interface;
HOW CA AUTHMINDER FITS THE ENVIRONMENT
DEPLOYMENT PLAN
Deployment plan
PwC – Pricewaterhouse Coopers; CNP – CenterPoint Energy; UI – User Interface; VDI – Virtual Desktop Infrastructure;
RADIUS – Remote Authentication Dial In User Service;
5 PHASE DEPLOYMENT PLAN FOR CA AUTHMINDER IMPLEMENTATION
Phases: Validate Product; Plan Deployment; Deploy Foundation; Integrate Applications; Expand and Refine
• Perform Proof of Concept with key infrastructure components
• Architect the infrastructure integration
• Identify remote connection platforms for authentication
• Develop integration plan
• Develop plan to manage soft token provisioning
• Deploy base infrastructure per CA / PwC / CenterPoint joint design
• Pilot with a non-critical connection and small user set
• Validate infrastructure sizing and UI / workflows for managing tokens
• Start migrating prioritized connections
• Gradually expand the solution
• Refine the rules to strengthen authentication
Summary
A few words to review
Remember
• You are only as secure as your least secure vendor (none are too small to consider)
• Implementing a second layer of authentication can protect you from things occurring outside of your network
Do
• Be aware of recent breaches and ensure you raise the bar for attackers
• Provide users with flexibility and an easy way to do the right thing
Don’t
• Be convinced that you are secure because your infrastructure has advanced monitoring and protection
• Cripple the business with cumbersome processes they will find a way to circumvent
For More Information
To learn more about Security,
please visit:
http://bit.ly/10WHYDm
For Informational Purposes Only
© 2014 CA. All rights reserved. All trademarks referenced herein belong to their respective companies.
This presentation provided at CA World 2014 is intended for information purposes only and does not form any type of warranty. Some of the specific slides with customer references relate to customer's specific use and experience of CA products and solutions so actual results may vary.
For Customer/Partner content please note:
Customer/Partner content provided in this presentation has not been reviewed for accuracy and is based on information provided by CA Partners and Customers.
Terms of this Presentation