protect against security breaches by securing endpoints with multi-factor authentication

ca Securecenter

Protect Against Security Breaches by Securing Endpoints with Multi-Factor AuthenticationMike Phillips

Session Number SCX07S #CAWorld @jamiebass25

CenterPoint Energy Corporate Technology Security Director

Jamie Bass

PwCAdvisory Director

2 © 2014 CA. ALL RIGHTS RESERVED.

Protect Against Security Breaches by Securing Endpoints with Multi-Factor Authentication

In this age of an interconnected global business ecosystem,

businesses rely on network connections with partners,

suppliers, and others for efficient business processes. You just

have to look at the headlines to see that several recent security

breaches have compromised these connections as a way into a

corporate network. Utilizing CA Advanced Authentication,

CenterPoint Energy is making connections more secure through

multi-factor authentication and reduce the risk of standard

network credentials becoming compromised.

Mike PhillipsCenterPoint Energy

Corporate Technology Security Director

Jamie BassPwC

Advisory Director


Agenda

BACKGROUND AND PROBLEM FACED

CENTERPOINT’S APPROACH

TECHNICAL CHALLENGES

DEPLOYMENT PLAN

Q & A

1

2

3

4

5

BACKGROUND AND PROBLEM FACED


Introduction

CenterPoint Energy is a company with more than 5 million metered customers and

a long history of service. CenterPoint Energy is composed of an electric

transmission and distribution utility serving the Houston metropolitan area, local

natural gas distribution businesses in six states, a competitive natural gas sales and

service business serving customers in the eastern half of the U.S.

We also operate an interstate pipeline operation with two natural gas pipelines in

the mid-continent region, and a field services business with natural gas gathering

operations, also in the mid-continent region. We're an established company with

substantial assets that are managed by experienced people. CenterPoint Energy's

vision is to be recognized as America's leading energy delivery company and We

know that reliable energy is not a luxury. It's up to us to keep the lights on and to

provide clean natural gas for homes, factories and businesses.

OVERVIEW OF CENTERPOINT ENERGY


Interconnected business ecosystem*

Businesses are becoming increasingly interconnected with third-parties– External connections and efficient access

is a requirement for staying competitive

– Not controlling this access effectively can be detrimental

An effective security model must be deployed to balance and control this

Organization

Suppliers

Vendors

Other agents

Partners

PERIMETER DEFENSES ARE BECOMING IMPRACTICAL

Users

Vendor

PartnersSupplier

Users

Partners

Supplier

Users

Vendors

Users

Agents

Vendors

UsersPartners

Agents

Contractors

UsersUsers

UsersUsers


The threat is real

Despite following best security practices, an organization is still susceptible to weaknesses from an external party– There have been recent breaches leveraging smaller, less secure

external parties to get into large enterprise environments

– Hackers have a long history of attacking the supply chain for certain industry sectors

Often vendors will have access to very critical components of the infrastructure

SEVERE IMPACTS FOR DOING THIS INCORRECTLY


The threat is increasing

Recent reports from Department of Homeland Security indicate increased number of security breaches– We exist in a ‘copy cat world’ where

successful attacks are quickly executed on other organizations with similar infrastructure

Due to the evolving regulatory landscape, organizations are being held accountable

THESE ATTACKS ARE HAPPENING MORE FREQUENTLY


External users pose unique challenges

Third-party access to the organization poses several security concerns not seen with internal users– Security capabilities of these external parties will vary

– Monitoring capabilities for items such as user activity outside the corporate network is limited

– Lack of visibility to the actual user behind the connection and the full connection path

Assessing the security posture of each third party is difficult

UNCONTROLLED ACCESS POINTS

CENTERPOINT’S APPROACH


Improve the external authentication process

Leverage advanced authentication for external users– Protect against phishing attacks and more accurately tie access to an

actual end user with Multi-Factor Authentication (MFA)

– Risk based authentication can leverage location, time, etc.

– Provides centralized authentication for improved management and monitoring capabilities

Find all of the external connections– Many of these are setup and managed outside of IT

– Some of these many not even be active anymore

THIS IS BOTH A TECHNICAL AND BUSINESS EFFORT


CenterPoint’s path to secure these connections

Standardize

•Define policies and supporting standards for third-party connections

•Leverage leading industry practices and recommended security frameworks

Inventory

•Gather details around existing connections to the network and build an inventory

•Assign business and technical owners to these connections

Assess

•Determine risk level for existing connections

• Identify gaps from policies / standards

Prioritize

•Prioritize connections for integration with MFA

•Consider the risk they pose and the ease of integration

ROADMAP FOR SECURING EXTERNAL CONNECTIONS


Technology can be implemented in a phased approach

Deploy advanced authentication technology– Deploy the base infrastructure for CA Strong Authentication

– Migrate external connections to the infrastructure

– Consider internal use-cases

Expand the capabilities of advanced authentication– Integrate with CA Single Sign-On to protect web interfaces

– Integrate with CA Risk Authentication for adaptive, context aware authentication

GET IMMEDIATE VALUE QUICKLY, BUT ALSO PLAN FOR EXTENDED CAPABILITIES IN THE FUTURE


Lessons learned

Must partner with business and IT stakeholders– Clearly articulate objectives

– Make it easy to do the right thing

Developing complete inventory is a stretch goal– Knowledge of connections distributed

– Chasing a moving target

THE PROBLEM CROSSES BUSINESS AND IT BOUNDARIES

TECHNICAL DEPLOYMENT


Overview of PwC

SECURITY CAPABILITIES WITH BUSINESS UNDERSTANDING

PwC is a global leader in information security and privacy solutions, with a history of deploying CA Security products

Over 1,600 dedicated security practitioners globally

Access to 2 offshore centers in India & China (Service Delivery Centers – SDCs)

Integrated offerings developed over 15+ years

Capabilities to assess, plan, implement, and respond to security incidents


Technology requirements

Challenges to look for in advanced authentication integration– Simplify and automate the distribution and management of tokens

– Need to be able to deploy this across broad technical areas of the environment such as modems, web interfaces, Virtual Desktop Infrastructure (VDI), Virtual Private Networks (VPN) etc.

– Effectively leverage and integrate with existing and planned infrastructure (Active Directory, CA Single Sign-On, CA Identity Management, etc.)

Make management, support, and integration easy

NEED TO CONSIDER THE ARCHITECTURE, INTEGRATION POINTS, AND USABILITY


Product requirements

VPN – Virtual Private Network; UI – User Interface; ISDN – Integrated Services Digital Network;

CONSIDER SECURITY, SCALABILITY, AND USABILITY

Flexible means of One Time Password (OTP) generation and distribution

Authentication for web interfaces as well as network infrastructure components such as VPN, VDI, etc.

Integration with threat and fraud prevention tools

Ease of use, proven scalability, and real customer success


CA Strong Authentication product fit

Flexible options for OTP distribution: text, app, call, etc.

Multiple integration options: web, RADIUS, etc.

IdentityMinder integration to provide user interface for enrolling and managing soft tokens

Integrates with CA Risk Authentication to provide features such as risk profiling, device fingerprinting, etc.

OTP – One Time Password; RADIUS – Remote Authentication Dial In User Service; IDM – Identity Management; UI – User Interface;

HOW CA AUTHMINDER FITS THE ENVIRONMENT

DEPLOYMENT PLAN


Deployment plan

PwC – Pricewaterhouse Coopers; CNP – CenterPoint Energy; UI – User Interface; VDI – Virtual Desktop Infrastructure;

RADIUS – Remote Authentication Dial In User Service;

5 PHASE DEPLOYMENT PLAN FOR CA AUTHMINDER IMPLEMENTATION

Validate ProductExpand

and RefineIntegrate

ApplicationsPlan

Deployment

• Perform Proof of Concept with key infrastructure components

• Architect the infrastructure integration

• Identify remote connection platforms for authentication

• Develop integration plan

• Develop plan to manage soft token provisioning

• Deploy base infrastructure per CA / PwC / CenterPoint joint design

• Pilot with a non-critical connection and small user set

• Validate infrastructure sizing and UI / workflows for managing tokens

• Start migrating prioritized connections

• Gradually expand the solution

• Refine the rules to strengthen authentication

DeployFoundation


SummaryA few words to review

Remember

You are only as secure as your least secure vendor (none are too small to consider)

Implementing a second layer of authentication can protect you from things occurring outside of your network

Do

Be aware of recent breaches and ensure you raise the bar for attackers

Provide users with flexibility and an easy way to do the right thing

Don’t

Be convinced that you are secure because your infrastructure has advanced monitoring and protection

Cripple the business with cumbersome processes they will find a way to circumvent


For More Information

To learn more about Security,

please visit:

http://bit.ly/10WHYDm

Insert appropriate screenshot and text overlayfrom following “More Info Graphics” slide here;

ensure it links to correct pageSecurity






For Informational Purposes Only

© 2014 CA. All rights reserved. All trademarks referenced herein belong to their respective companies.

This presentation provided at CA World 2014 is intended for information purposes only and does not form any type of warranty. Some of the specific slides with customer references relate to customer's specific use and experience of CA products and solutions so actual results may vary.

For Customer/Partner content please note:

Customer/Partner content provided in this presentation has not been reviewed for accuracy and is based on information provided by CA Partners and Customers.

Terms of this Presentation