
SecureAuth + Core Security

SecureAuth IdP
Matias Szmulewiez – RSM LATAM
Challenges of Digital Transformation
91% of IT
Enterprise managers now
consider IAM as a
key enabler for
digital business
initiatives
*ITProPortal

Customers
POS

Smart Connected
Employees Partners Meter Vehicles
Devices Things
Everyone & Anything can be an Attacker
Identity & Security: More important than ever
VULNERABILITIES IDENTITIES APT ATTACKS

WITH…
All Companies Compromised
Normally Perform Vulnerability
Scans Procedures.

Several IPS/IDP Implemented

AND…
Of breaches involve
attackers using stolen
user credentials.

Of course we need a new approach


SecureAuth + Core Security
A Global Identity Security Automation Company

• > 1500 Clients
• > 400 Employees
• > 50 M Identities Protected
• > 750 M Devices Monitored
• > 75 Patents Issued & Pending

• Serving 18% of F1000


• Used in every branch of the military and over 50 government agencies
• 71 foreign governments
• Over 170 banks and financial institutions, including half of the top 20 banks
• Over 200 healthcare providers and insurance companies
• 49 telecom companies, including the three largest in the world
Our Category Portfolio (Or Product Portfolio)
A Single Platform, Where The Worlds Of Identity / Access Management & Security Meet

Identity-Based Security Automation


The enlightened approach to creating intelligent intersections
between identity and security, with the goal of accelerating
more efficient and effective cybersecurity.

• Penetration Testing
• Adaptive Access Control
• Threat Management
Secure Access
Management
Best Possible Security

Employees Partners Customers

1. Adaptive Authentication
2. Multi-Factor Authentication
3. Continuous Authentication
4. Flexible Workflows
5. Data Visualization & Sharing
Best Possible Security
Including Best Possible User Experience too!

Pre-Authentication
Many of SecureAuth’s risk checks happen pre-authentication, which prevent unwanted
attempts before login is even possible.

Authentication Attempt
When a user tries to log in, the solution evaluates the risk of that attempt based
on the set of factors you choose.

LOW RISK
If the risk is low, they will be approved without the
user even being aware that the risk checks took place.

MEDIUM RISK
If the risk is too high, the user will be prompted
for an additional method of authentication.

HIGH RISK
If the user poses high risk, based on factors you choose, they can be
blocked entirely or redirected to a honey pot for further investigation.

Multi-Layered Risk Analysis
• Pre-Authentication checks

Multi-Factor Authentication
• Set up to Secure

Single Sign-On
• Removing log-in across systems

User Self-Service
• Interaction without a Help Desk call

Most authentication attempts will be legitimate and access, seamless. For those who pose a risk,
however, the platform will deny access outright or require additional authentication.

Adaptive Authentication
Multi-Layered Risk Analysis & Defense

• Device Recognition: Ensures the device being used is known and recognizable
• Geo-Fencing: Treat access requests coming from within and outside a customer-defined geographic barrier differently
• Threat Service: Analyzes IP addresses of incoming access requests for known bad IPs and malicious behavior
• Phone Number Fraud Prevention: Block access requests from ported phones, carriers, and phone types (e.g. Mobile, Landline, VoIP, etc.)
• Directory Lookup: Compares identity profiles with standard practices to thwart fake profiles from being used
• Behavioral Biometrics: Thwarts attacks by using user keystrokes and mouse movements for a unique behavioral signature
• Geo-Location: Compares a user's login location against known locations for employees, partners and customers
• Identity Governance: Identify users with high-risk access rights and adapt authentication to protect this vulnerability
• Geo-Velocity: Keeps an eye out for access requests spanning different locations that aren't physically possible
• User & Entity Behavior Analytics: Treat access requests differently when the user behavior strays from the normal
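
The Geo-Velocity check described above, sketched as an added example (not SecureAuth code, and not from the original slides): it flags consecutive logins whose implied travel speed is not physically possible. The speed thresholds, the 50 km noise floor, the function names and the sample logins are all assumptions constructed for illustration.

```python
import math
from datetime import datetime

EARTH_RADIUS_KM = 6371.0
NOISE_FLOOR_KM = 50.0   # assumed: ignore moves smaller than geo-IP error
STEP_UP_KMH = 500.0     # assumed: faster than ground travel, ask for MFA
DENY_KMH = 1000.0       # assumed: faster than an airliner, not physically possible

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))

def geo_velocity_decision(prev, cur):
    """prev and cur are (iso_timestamp, lat, lon); returns allow, step_up or deny."""
    dist = haversine_km(prev[1], prev[2], cur[1], cur[2])
    if dist < NOISE_FLOOR_KM:
        return "allow"
    hours = (datetime.fromisoformat(cur[0])
             - datetime.fromisoformat(prev[0])).total_seconds() / 3600
    if hours <= 0:              # same instant or out of order, yet far apart
        return "deny"
    speed = dist / hours
    if speed >= DENY_KMH:
        return "deny"
    return "step_up" if speed >= STEP_UP_KMH else "allow"

def evaluate_logins(events):
    """events: (user, iso_timestamp, lat, lon) in arrival order."""
    baseline, decisions = {}, []
    for user, ts, lat, lon in events:
        decision = "allow"
        if user in baseline:
            decision = geo_velocity_decision(baseline[user], (ts, lat, lon))
        # Only an allowed login moves the baseline, so a denied attempt from
        # far away cannot make the real user's next login look impossible.
        if decision == "allow":
            baseline[user] = (ts, lat, lon)
        decisions.append((user, ts, decision))
    return decisions

# Constructed sample logins (coordinates approximate city centres).
SAMPLE_LOGINS = [
    ("alice", "2024-01-10T09:00:00", -34.60, -58.38),  # Buenos Aires
    ("alice", "2024-01-10T09:20:00", -34.62, -58.44),  # same city
    ("alice", "2024-01-10T10:00:00", 40.42, -3.70),    # Madrid, 40 min later
    ("alice", "2024-01-10T10:05:00", -34.60, -58.38),  # Buenos Aires again
    ("bob", "2024-01-10T08:00:00", -23.55, -46.63),    # Sao Paulo
    ("bob", "2024-01-10T10:30:00", -34.60, -58.38),    # Buenos Aires, 2.5 h later
]
```

In this sketch a step-up result also leaves the baseline unchanged; a deployment would move it once the additional authentication succeeds.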

Multi-Factor Authentication
Set up to Secure
The Power to Go Password-less
The power and flexibility of allowing you to choose authentication
by factor type and situation gives you the power to break out of old
school authentication and get beyond the password once and for all

More Methods for Authentication
Including 25+ multi-factor options give you maximum choice and
control, while making sure security stays invisible or minimal to users.

Automatic Workflows with Ease
Step up (or even step down) security based on infinitely
customizable yet highly intuitive workflows based on users and groups.

Pain-free Integration
Standards-based approach ensures you are able to tie into
what you already have and make everything stronger and better.

Any MFA
• SMS OTP
• Telephony OTP
• Email OTP
• Static PIN
• Push-to-Accept
• KBA/KBQ
• X.509 Native
• X.509 Java
• Common Access Card
• Push Notification
• Device Fingerprinting
• …and more
Over 25 different methods

Benefits…

Improved Protection
Multi-factor authentication with unlimited,
customizable adaptive workflows ensure maximum security.

Improved User Experience
Unparalleled protection that
doesn’t get in the way of user experience

Reduced Costs
Pain-free implementation and intuitive
customization of adaptive workflows reduce on-going costs

Single Sign-On (SSO)


One Password, Infinite Access
To 800+ Apps

Built from the Identity Up
The leader in Adaptive Authentication is the only company that does
not force a compromise between security and user experience – we
ensure the best of both in a way no other SSO vendor can match.

Any, Any Any
We allow any device, with any identity type to authenticate to any
identity store using any VPN to access any application – unparalleled
choice and flexibility. With so many platforms and devices in your
environment today, SecureAuth IdP is virtually resource agnostic.

Easy to Install and Manage
All functions and features of SecureAuth IdP are exceptionally easy
to manage because it is all accomplished from the same console.
Administrators can effortlessly navigate through an already-coded
GUI where preferences are made through drop-downs and wizards.

Complete Control That Adapts to You
Settings – by specific users, groups, apps, or devices – can be enabled,
edited, or removed for any facet quickly without third-party assistance.
Use all, some or none by situation and at your discretion – you’re in control.

Benefits…

Speed to Business Impact
Easily and rapidly integrate with existing infrastructure because of
our large library of supported technologies and pervasive use of standards.

Improved User Experience
Sign in once and access every connected app or system; comprehensive
solution that does not get in the way of unparalleled user experience.

Reduced Costs
Seamless, standards-based integrations, simplified administration
and accelerated provisioning/de-provisioning reduce on-going
support costs and lower total cost of ownership (TCO).

Handle Revocations Without All The Headaches


SecureAuth IdP SSO makes revoking access for users and devices
hassle-free as well. If an employee leaves the company or if a device is
compromised, administrators can quickly and comprehensively disable
access with just one action.

User Self-Service
Increase Productivity, Decrease the IT Burden

Critical Self-Service Functionality
SA’s User Self-Service solution enables users to address common issues
all by themselves – password resets, account unlocking, self-enrollment
(device and tokens), provisioning, profile updates and more.

Rapid Implementation
SecureAuth’s User Self-Service functionality deploys in a matter of hours.

Integrated Component of a Comprehensive Id Solution
Unlike most other multi-factor authentication or SSO providers, SA IdP
offers User Self-Service as a fully integrated offering inside our single
Adaptive Access Control product.

Benefits…

Reduce Friction and User Frustration
Increase satisfaction and good will by enabling users
instead of forcing them to call the Help Desk.

Reduce Help Desk Costs and Volume
Use self-service to radically decrease the number of calls to the
Help Desk and dramatically reduce the average per incident cost.

Increase Support Productivity
Get more out of valuable Support resources by keeping them
focused on real problems instead of dealing with trivial requests.

Instantaneous Revocation
Administrators can easily and instantly revoke a user or a device,
ensuring that they remain in control.

Evolution to Identity Security Automation


PASSWORD
• ~40% of resources
• Easily bypassed
• Poor UX
• No cost to deploy
• Expensive to maintain (PW reset calls)

MULTI-FACTOR AUTHENTICATION
• ~60% of resources
• Increasingly bypassed
• Poor UX
• Cost to deploy
• Expensive to maintain (PW reset calls + MFA enrollment & problems)

BASIC ADAPTIVE AUTHENTICATION
• ~5% of resources
• Difficult to bypass
• Great UX
• Cost to deploy
• 5 additional layers of risk/threat protection
• Easy to maintain with self-service tools

ENHANCED ADAPTIVE AUTHENTICATION
• ~1% of resources
• Very difficult to bypass
• Great UX
• Cost to deploy
• More additional layers of risk/threat protection
• Easy to maintain with self-service tools

AUTOMATED ACTIONS
Step Up, Step Down, Redirect, Block, Reset PW, Suspend Access, Remove Acct
Adaptive Authentication

Scenarios compared: Normal Day, Travel Day, Lost/New Laptop, Stolen Credentials, Stolen Laptop

Risk layers evaluated in each scenario:
• Device Recognition
• Directory Lookup
• Geo-Location
• Geo-Fencing
• Geo-Velocity
• Threat Service
• Phone Number Fraud Prevention
• Identity Governance: Medium in all five scenarios
• User & Entity Behavior Analytics: Low on a Normal Day, High in the other four scenarios

Possible outcomes for each scenario: Allow, MFA Step, Deny, Redirect
Securing Access from Any to Any
Any Any Any Any
Any VPN ID Store Any MFA
Device ID Type Application

Tablets & User Logon ID SMS OTP


Smartphones SA web SSO token Telephony OTP
3rd Party Web token Email OTP
SAML Static PIN
NTLM/Kerberos Push-to-Accept
Lightweight Virtual
X509 Cert Directory KBA/KBQ
CAC LDAP
Desktops & X.509 Native
AD_LDS
Laptops PIV X.509 Java
Smartcard WS-Trust
Common Access Card
Form Post Push Notification WS-Fed
Facebook Device Fingerprinting Form-based
LinkedIn …and more
Mobile
Google ODBC Over 25 different
Windows Live Web Services methods Web Token
The New Adaptive

What’s the Difference? 2FA Old Adaptive New Adaptive

Better than password alone

Difficult to hack

Low impact to user experience

Flexible workflows for all identity types

Self-service to reduce IT burden

Multiple risk analysis layers

Easily protect VPN, cloud, on-prem, mobile, and homegrown applications

Post-authentication monitoring (protection from insider threats)

Deploys in hours/days

Easily augments/integrates with existing investments

Renders compromised credentials useless

Centralized access control policies

Provide data on suspicious activity to SIEMs to reduce detection time & accelerate remediation

Single sign-on, multi-factor, & adaptive authentication, self-service in one product


Identity Security Automation
A Single Platform, Where The Worlds Of Identity / Access Management & Security Meet

SECURE (Per User / Month)
Essential Security and Identity Management To Achieve Compliance Needs
• Reduce Password Fatigue
• Enable Single Sign-on for Key Applications
• Apply Credential Security To Groups / Targets
• Two-Factor Authentication (25+ Methods)
• VPN Support (including Radius)
• Reduce Helpdesk Costs

PROTECT (Per User / Month)
Frictionless User Experience & Strong Security with Adaptive Access Control
• User Enablement & Security Controls via Adaptive Access Control
• Drive Strong Authentication Adoption
• Apply Credential Security to Entire Organization
• Securely Eliminate Password Fatigue

PREVENT (Per User / Month)
Stop the Misuse of Credentials with Security Risk Analytics & Surgical Response Actions
• Prevent the Misuse of Credentials with Security Risk Analytics:
• High Risk Accounts: Privileged | Sensitive | SoD
• High Risk Devices: Exploitable | Infected
• High Risk Authentications: Anomalous | Malicious Source | 3rd Party User Risk Score | Phone # Fraud
Identity Security Automation

SECURE (Per User / Month)
• Includes for 5 Apps:
• Single Sign-on (SAML)
• Multi-factor Authentication (25+ Methods)
• Mobile MFA Options (TOTP – Authenticate)
• Desktop MFA Option (TOTP – Passcode)
• Self-service Password Reset
• IdP Radius Server
• Audit & Logging

PROTECT (Per User / Month)
• Includes Secure Package Plus
• Adaptive Authentication Risk Layers
• Device Recognition
• Threat Service (Tor Anonymous Proxy)
• Directory Lookup
• Geo-Location
• Geo-Velocity
• Geo-Fencing
• MFA at the Endpoint (Login for Windows/Mac)
• Advanced Mobile MFA Options
• Symbol-To-Accept
• Link-To-Accept
• Push-To-Accept
• Single Sign-on (All Standard Federation Protocols)
• Connected Security Alliance Integrations
• Unlimited Apps

PREVENT (Per User / Month)
• Includes Protect Package Plus
• Security Risk Analytics For Adaptive Authentication
• High Risk Account – Privileged*
• High Risk Accounts – Sensitive*
• High Risk Accounts – SoD*
• High Risk Devices – Exploitable*
• High Risk Devices – Infected*
• High Risk Authentication – Anomalous*
• High Risk Authentication – Malicious Source
• High Risk Authentication – Phone # Fraud
• High Risk Authentication – 3rd Party User Risk Score
• Unlimited Apps
*Items in development or on Roadmap
Millions of Users Trust SecureAuth
BANKING & COMMUNICATIONS
HEALTHCARE GOVERNMENT HIGH TECH TRANSPORT EDUCATION RETAIL
SECURITIES MEDIA & SERVICES
THANK YOU
© 2018 by SecureAuth
All rights reserved
Increasing Trust Without Passwords

[Figure: Level of Trust/Confidence in Authentication, across Single Factor Authentication, Two Factor Authentication and Passwordless Authentication. Factors shown in the stacks: Knowledge (password), Knowledge (KBA), Hardware (OTP, TOTP, push-to-accept), Biometric (Fingerprint, face, iris), Risk Analysis (multiple layers).]
Unique DNA – Security AND Business Enablement

Thinking Like an Attacker Identity Enabling The Business



SecureAuth Threat Service


Combining Threat Intelligence & Threat Information for Best-in-Class Security

[Diagram labels]
Attacker: Cyber Crime, Hacktivism, Advanced Persistent Threat (APT)
Checks: Device Recognition, Directory Lookup, Geo-Location, Geo-Fencing, Geo-Velocity, Threat Service, Phone# Fraud Prevention, User&Entity Behavior Analytics, Identity Governance
Threat Service inputs: Threat Intelligence, Threat Information, Anonymous Proxy, Black/White Lists
Outcomes: Allow Access, Require MFA, Redirect, Deny Access

A Component of SecureAuth Adaptive Authentication