The Remote Access Revolution: Practical Solutions for the Enterprise

Presentation transcript:

The Remote Access Revolution: Practical Solutions for the Enterprise
Dean Ocampo, CISSP, Check Point Software, Manager, Web Security Product Marketing
Steve Neville, Entrust, Inc., Sr. Manager, Identity Products & Solutions
April 5, 2006

Agenda
- The Realities of Remote Access Today
- Check Point: A Comprehensive Solution for Remote Access
- Changes in the Strong Authentication Market
- Entrust IdentityGuard: A Practical Revolution in Action
- Customer Case Study
- Conclusion & Questions

The Rise of Work Anywhere
2005 Statistics*
- 45.1M teleworkers
- 26.1M work remotely 1+ day/week
- Average of 3.4 locations
Drivers**
- Recruiting incentive: 2nd only to salary
- Rising gas prices
Speaker notes: Next, let's look at some usage stats for remote access. In a US survey of consumers, the Dieringer Group attempted to assess the usage of remote access in the US population. Their stats show that about 45.1M workers in the US work from home at least once a month, and about 26M of these work at home at least once a week. The chart on the right shows the growth of remote access over the last few years, reflecting the general economy and increased employment over that period. As the economy and employment improve, many companies are looking at teleworking as a recruiting incentive; it came in second only to salary among the major factors workers consider when evaluating a job. And do I need to say anything about the price of gas? One of the most interesting stats out of this report is that these remote access users reach the network from many different locations, averaging 3.4 different places from which they access the network when they telework. The American Interactive Consumer Survey is the premier U.S. survey comparing consumer use of the Internet with traditional marketing channels for purchase decision making and purchasing.
* American Interactive Consumer Survey, Dieringer Group
** Robert Half International

The Rise of Work Anywhere
Remote access user types (following the Gartner Group categorization): Extranet Partners, Day Extenders, Part-time Teleworkers, Road Warriors, Full-Time Teleworkers, Branch Offices (Large)
Where remote users connect from*:
- 45.1M @ Home
- 24.3M @ Client/Customer
- 20.6M @ Car
- 16.3M @ Vacation
- 15.1M @ Outside
- 7.8M @ Train/Plane
Speaker notes: In fact, of these 45.1M users, 24M access from a client or customer site. (Read through the stats, e.g. on vacation.) This starts to get to an interesting question: with all the remote access products we now have in our portfolio, which product do we offer to a customer, and when? In reality, the answer depends on how our customer needs to use it. What you see here is a breakdown of the major categories of remote access user types you would see in the distributed business, essentially following the categorization that the Gartner Group uses. When you look at your customer's needs from this perspective, you can start seeing how they intend to use remote access and get a feel for what their priorities will be. This is a tool we will revisit in a few minutes.
* American Interactive Consumer Survey, Dieringer Group

Work Anywhere: Endpoint Diversity
User groups, what they access, and from where:
- Day Extenders: email, basic applications; home computer
- Teleworkers: email, applications; company computer
- Mobile workers: email, basic applications; company computer or public computer
- Intranet: email, applications, files
- Extranet: portal, extranet access; partner computers
Business goals:
- Add more remote users beyond the current 20 percent (less technical employees, partners)
- Reduce remote access support costs: browser based, no client maintenance, less end user complexity
- Additional access options: access from home PC, corporate PC, Internet kiosk
[Note: This slide is optional and may be omitted. Use for customers who are not familiar with SSL VPN.]
Speaker notes: SSL VPNs are a new way to enable remote access and have emerged as the result of several business trends. First, browsers have become ubiquitously deployed, and almost all of them support SSL encryption. Second, people who use the Web today use SSL on a regular basis for paying bills or ordering online. Third, most applications in an organization have moved away from a client/server model to a Web-based model. Given this scenario, SSL VPN gateways have emerged as a way to marry these three trends: they enable secure remote access through browsers over SSL and grant those users access to internal applications. Thus SSL VPN enables anywhere-based access, using the browser as a client secured through SSL. This has resulted in two main advantages: 1) there is no software to install for remote access, and 2) a Web-based interface that is friendly and familiar even for nontechnical users. Both of these result in reduced helpdesk calls, whether for software issues or user interface issues. But best of all, SSL VPNs are enabling new business trends. First, statistically speaking, typically about 20 percent of an organization's employees have some type of remote access. With the increased reliance on online and networked applications, most organizations would like to grow the proportion of their employees with remote access beyond the core 20 percent, even beyond 50 percent.
SSL VPN is a great way to do that: as you grow the pool of remote access users, you start running across less-technical users, for whom an easy-to-use Web-based interface is a great fit. In addition, SSL VPN enables a new class of users: Day Extenders. A Day Extender is an employee who will check her email or do some work for maybe an extra hour from home, or another hour on the weekend, thus extending her day. The browser-based capability of SSL VPN is a great way to enable Day Extenders in an organization, driving increased productivity without extra cost.

Anywhere Challenges: Security
- With IPSec you knew who was coming in
- With SSL VPN you don't (usually)
- Firewall, antivirus + "Spyware is no longer just an annoying pest swarming home PCs; rather, it has evolved into a serious enterprise security threat." (IDC Worldwide Spyware 2004-2008 Forecast and Analysis, Nov. 2004)
- IPSec endpoints: company-owned PC; partner PC covered by an access agreement
- SSL VPN endpoints: company-owned PC, employee home PC, partner PC, public Internet kiosk (completely unmanaged/unsecured)
Speaker notes: The tremendous advantage of SSL VPN is that the corporation can now be accessed from anywhere, but that is also the most significant challenge for IT organizations. Let's take the IPSec model as an example. IPSec is the current "gold standard" for remote access and is used by many organizations. There are several inherent security advantages to IPSec:
- As there is software to install, you generally knew which endpoint PCs had the software (corporate-owned PCs, for example).
- Most good IPSec clients come with security controls included with the software and thus provide good security. For example, the Check Point SecureClient enables a personal firewall, as well as configuration checking in the client.
- For third-party PCs, because software had to be installed, you had the opportunity to negotiate and require an access agreement that could help mitigate risks through policy.
In summary, IPSec gave you a good, controllable access model with good security controls. With SSL VPN there is a new variable, the Everywhere Endpoint. Given that the anywhere browser is the access client, your model now has a nearly infinite number of variations on where a user could enter your network, including:
- Corporate-owned PC
- Employee PC with security software
- Employee PC shared with the family, with little security
- Friends' PCs
- Business center PCs
- Public Internet kiosk
Endpoints now run the full gamut from secure to totally unsecured PCs.

Regulations Governing Information
Regulations shown: HIPAA, Basel II, EU Directive, PCI/CISP, FISMA, California SB, GLBA, Sarbanes-Oxley, EU 8th Directive
Categories: Safeguarding Sensitive Information; Risk Management; Internal Controls & Governance
Speaker notes: While some regulations have grown in houses of government, others in agencies or industry associations, they all share some common objectives: all are oriented, in one way or another, toward ensuring the integrity, accuracy and confidentiality of information and the security of supporting systems, infrastructure and processes. In general, regulations can be categorized according to three motivations: risk management, safeguarding of information, and strengthening internal controls. Regulations come at this from different angles and include IT and non-IT components. IT components include the management and protection of information and infrastructure, and tools for enabling or facilitating the non-IT-specific tasks. IT activities play a critical role in compliance: whereas IT activities account for about 20% of the total number of compliance-related tasks, 80% of the time involved in compliance is spent on IT-related tasks (IDC). IDC quote: "Through the utilization of good IT control architecture, strong policies, and a technology solution capable of managing, maintaining, and reporting on the status of enterprise compliance, enterprises could significantly reduce the number of man-days required for supporting the compliance system."
80% of the time involved in compliance is spent on IT-related tasks (IDC).

Key Regulation Commonalities and Check Point Solutions
Requirement: Check Point Solutions
- Access management: Site-to-Site IPSec VPNs, Remote Access IPSec VPNs, Remote Access SSL VPNs (VPN-1, Edge, Connectra)
- Transmission security: IPSec, SSL, TLS, DES, 3DES, L2TP, etc.
- Authentication: User/Pass + OPSEC partners for strong authentication
- Policy management: Unified Security Architecture (SmartCenter)
- Malicious software protection: Integrated Intrusion Prevention and End Point Security (Integrity, Application Intelligence, Web Intelligence)
- Intrusion detection and blocking: Integrated Intrusion Prevention (Application Intelligence, Web Intelligence)
- Security auditing: Cross-Product Reporting & Monitoring (Eventia Reporter)
- Incident handling: Cross-Product Event Correlation (Eventia Analyzer)
Speaker notes: Access management is the integral starting point of all regulations. It refers to the ability to limit, control and manage the authorization (permission) and access of stakeholders (employees, partners and other external parties) to the corporate network, resources and data. Access management is so central that without it a company is practically guaranteeing noncompliance with existing regulations. Different regulations describe access control specifications differently, but each contains the core principles: policies, procedures and technologies for protecting access to vital corporate resources, use of authorization, and effective monitoring of authorization privileges and of access attempts.
Authentication: it is not enough to assign and limit access to different resources and data. It is crucial to ensure that the person or entity gaining access is who they say they are. Without authentication, hackers and intruders can exploit this limitation. When you look at some of the key regulations like SOX, HIPAA and GLBA, there are common requirements among them revolving around providing reasonable and appropriate access controls. As it pertains to endpoint security, Check Point Integrity can be used as a solid endpoint solution to help address access control requirements.
Integrity offers desktop/laptop protection against malware while providing extensive policy enforcement controls and management tools that can be easily leveraged to ensure and demonstrate robust access controls across the key regulations. Ask your customer: do you want to make sure that hacker tools like spyware, keystroke loggers and Trojan horses can't be used to steal sensitive or valuable information about your company's financials, customer records and other key information? Integrity ensures policy compliance and provides encryption and digital certificate authentication for data transmission. These features will help you provide the endpoint security controls necessary to protect and preserve the integrity of data and maintain a level of privacy for your customers, which is a requirement of the regulations. Integrity's application control and Program Advisor service stop spyware, keystroke loggers and other hacker tools preemptively, safeguarding sensitive and valuable enterprise information, which can be leveraged to ensure compliance with HIPAA, SOX and GLBA. Integrity provides the protection at the desktop and mitigates the risk of major data loss caused by hackers, worms, spyware and other threats that evade reactive, signature-based products. Question your customers on their endpoint security strategy and sell Integrity to provide the protection against malware and fulfill their compliance needs.

Check Point Secure Remote Access Solutions
Management layer: SmartCenter, SmartDefense Service, Eventia Reporter, Eventia Analyzer
User types, from fixed to most mobile: Branch Offices (Large), Full-Time Teleworkers, Road Warriors, Part-time Teleworkers, Day Extenders, Extranet Partners
Products:
- VPN-1 Edge: Site-to-Site IPSec VPN
- Integrity SecureClient: Remote Access IPSec VPN
- Connectra Web Portal (Clientless) and SSL Network Extender: Remote Access SSL VPN
Speaker notes: In the end, we can now present our customers with a comprehensive suite of solutions unified under a single security architecture. The customer can focus on their business needs and select the product that matches their needs best. As we move down the distributed business, the need progressively changes from fixed connectivity for intranet VPN and branch offices, down to the highly variable and mobile day extender and partner users. For each of these needs, Check Point has a solution: Edge, which can connect branches and some remote workers; Integrity SecureClient (ISC) for teleworkers, with integrated endpoint security to protect company-owned PCs; and SSL Network Extender and Connectra, which are great for some teleworkers, day extenders and partners. All of this falls under the Unified Security Architecture (USA), which presents the network as a single entity: SmartCenter management, the SmartDefense service to update the infrastructure, Eventia Reporter to check its health, and Eventia Analyzer to keep a vigilant eye on the network.

Strong Authentication & Entrust IdentityGuard: A Practical Revolution in Action

The need for stronger authentication...
- Who is accessing the customer database, sales forecasts, HR records, etc.?
- Pressure to make more information available to employees anywhere, anytime
- Need to balance access with corporate and regulatory compliance (PCI, SOX, HIPAA, etc.)

Legislation Example: Payment Card Industry (PCI) Data Security Standard
- Formerly Visa CISP
- Applies to anyone who deals with cardholder data
- Audit requirements and financial penalties for non-compliance
- First Data Corp. reports 85 percent of affected companies have yet to meet PCI standard requirements

Implement Strong Access Control Measures

Traditional Candidate Technologies
[Chart: technologies plotted by Authentication Strength against Purchase & Deployment Investment: Passwords, Inert Tokens, Tokens, Smartcards, Biometrics, Digital Certificates. IT Security Extensibility ranges from Authentication Only to Authentication, Encryption, Digital Signatures (Digital Certificates).]

The Authentication Challenge: One Size Does Not Fit All
Enterprise authentication requires a range of capabilities.
[Chart: Increasing Authentication Strength against Increasing Requirement for Security, by transaction type: Desktop Login, Onsite Web, Remote Access (Avg. User), Remote Access (Executives, Sensitive Data).]

Addressing the Authentication Challenge: Entrust IdentityGuard
Entrust delivers:
- Multi-factor strong authentication platform
- Flexible, risk-based solution
- Easy to use and support
- Inexpensive to deploy
[Chart: Authentication Strength against Purchase & Deployment Cost for Passwords, Digital Certificates, Tokens, Smartcards, Biometrics (traditional options) and Entrust IdentityGuard.]

Range of Risk-Based Strong Authentication
- Policy-based authentication allowing a single authentication layer to meet multiple business requirements
- Per transaction, per user, per application, per LOB...
Authenticators:
- Out-of-Band: one-time passcode to mobile device or phone
- Machine Auth: authorized set of workstations
- Grid Auth: grid location challenge and response
- Knowledge Auth: challenge/response questions
- Scratch Pad Auth: one-time password list
- More coming soon!
Speaker notes: Provide a range of risk-based authentication options:
- Range of transparent and two-factor authentication methods
- Allow for cost and risk matching of the authenticator to the customer type (retail banking, retail brokerage, small business)
- Allow for use across channels
Authenticate when required (and only when required):
- Allow authentication for a given transaction risk
- Don't punish customers for multiple transactions
Key point: a range that can be deployed independently or in conjunction with one another.
Grid Authentication: Authentication grids themselves can be readily deployed on simple plastic cards or in conjunction with existing statements or ATM or credit cards. This puts the authentication capability in the hands of users through the same distribution channels that exist today. In addition, day-to-day use is eased by the simple form factor, which makes the grid easy to carry, allowing it to be kept in the user's wallet or purse where it is readily accessible. In terms of the authentication itself, the row/column look-up format is largely intuitive, drawing on user experience with games such as bingo or battleship as well as the use of maps. In fact, independent usability testing has shown 94% unaided authentication success across a broad range of user ages and backgrounds.
Machine Authentication: While leveraging the computer being used to conduct the online session, this method of authentication does not require deployment of software or hardware. Instead, by transparently capturing a fingerprint of that hardware, it can be compared against the computers used in future web sessions, all transparently to the user. Further, registering new computers is easily achieved by leveraging one of the other Entrust IdentityGuard strong authentication methods. For example, to register a new computer, a user could answer selected challenge questions from the knowledge-based authentication method.
Knowledge Authentication: Without the need to deploy any physical authenticator to the user, knowledge-based authentication provides an easy-to-use method of strong authentication, as it draws on information the user knows. Enrolment is a one-time process in which the shared secrets to be used in questions are captured; from that point, users need only answer these questions. Techniques such as allowing users to choose the questions and ensuring answers are not punctuation- or case-sensitive help to ensure successful completion.
Scratch Pad Authentication: This method involves generating lists of one-time passcodes that are printed on plain paper or in a scratch pad format. Each passcode is used once only, at transaction time. This method is (in general) deployed primarily in central Europe today through home-grown applications, enabling organizations to leverage a commercial product like Entrust IdentityGuard not only to support a familiar authentication method, but also to have an authentication platform in place to extend to new options.
Out-of-Band: Like device authentication, this method leverages hardware that is already in the hands of the end user. Whether it is a mobile or fixed phone, a personal digital assistant or an email account on a computer, this method allows the user to securely receive out-of-band one-time passwords in a convenient way. Out-of-band authentication layered on top of, for example, machine authentication can help address concerns about man-in-the-middle attacks.
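The grid and scratch pad methods above are both "something you have" authenticators built from ordinary characters rather than cryptographic tokens, so the server-side rules matter: a fresh random cell challenge every attempt, single use of each challenge, constant-time comparison, and a lockout counter. The example below is added here and is not Entrust's code; the card layout (rows A-E, columns 1-10, three cells per challenge), the lockout threshold and the scratch pad format are constructed assumptions.

```python
import hmac
import secrets
import string

ROWS = "ABCDE"          # constructed card layout: lettered rows, numbered columns
COLUMNS = 10
ALPHABET = string.ascii_uppercase + string.digits
CHALLENGE_CELLS = 3     # coordinates asked for per login (assumption)
MAX_FAILURES = 5        # lock the authenticator after this many wrong answers (assumption)


def generate_grid(rng=None):
    """Fill a fresh card: one random character per cell, keyed by a coordinate such as 'B7'."""
    rng = rng or secrets.SystemRandom()
    return {f"{row}{col}": rng.choice(ALPHABET)
            for row in ROWS for col in range(1, COLUMNS + 1)}


class GridAuthenticator:
    """Server-side state for one user's grid card."""

    def __init__(self, grid, rng=None):
        self._grid = grid
        self._rng = rng or secrets.SystemRandom()
        self._pending = None      # coordinates of the outstanding challenge, if any
        self.failures = 0
        self.locked = False

    def issue_challenge(self):
        """Pick distinct cells at random. A new challenge on every attempt means a
        shoulder-surfed or keylogged answer is not reusable for the next login."""
        self._pending = self._rng.sample(sorted(self._grid), CHALLENGE_CELLS)
        return list(self._pending)

    def verify(self, response):
        """Compare the user's characters with the challenged cells; the challenge is single use."""
        if self.locked or self._pending is None:
            return False
        expected = "".join(self._grid[cell] for cell in self._pending)
        self._pending = None      # consumed whether or not the answer was right
        ok = hmac.compare_digest(expected.encode(), response.strip().upper().encode())
        if ok:
            self.failures = 0
        else:
            self.failures += 1
            self.locked = self.failures >= MAX_FAILURES
        return ok


class ScratchPad:
    """Printed list of one-time passcodes; each code is valid exactly once, in any order."""

    def __init__(self, codes):
        self._remaining = set(codes)

    @classmethod
    def generate(cls, count=10, length=8, rng=None):
        rng = rng or secrets.SystemRandom()
        codes = set()
        while len(codes) < count:          # loop until `count` distinct codes exist
            codes.add("".join(rng.choice(string.digits) for _ in range(length)))
        return cls(codes)

    def codes_left(self):
        return len(self._remaining)

    def verify(self, code):
        """Consume the code if it is still unused; every candidate is compared in constant time."""
        submitted = code.strip().encode()
        match = None
        for candidate in self._remaining:
            if hmac.compare_digest(candidate.encode(), submitted):
                match = candidate
        if match is None:
            return False
        self._remaining.remove(match)
        return True
```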

Extensible Across the Enterprise
- Microsoft Windows desktops (login: AnyUser / ******)
- Remote Access: IP-SEC & SSL VPN, RAS, Citrix
- Extranet (including Microsoft Outlook Web Access)

Entrust IdentityGuard: Platform Summary
- Multi-factor authentication platform: range of authenticators, based on FIPS-validated cryptography, stand-alone or layered
- Easy to use and support: easy-to-use options, no software or hardware to deploy
- Inexpensive to deploy: a fraction of the cost of traditional options
- Seamless integration with leading remote access vendors
http://www.entrust.com/cost-meter/

Check Point & Entrust IdentityGuard Certified Integration
[Diagram: IP-SEC User and SSL User connect over the Internet to Check Point VPN-1 NGX and Check Point Connectra NGX respectively; both gateways authenticate over Radius to Entrust IdentityGuard acting as a standard Radius server, backed by an LDAP / Active Directory or database repository.]

Customer Case Study: Large US Financial Service Provider
Customer challenge:
- Required a cost-effective option for strong authentication to replace expensive RSA tokens
- Absolute requirement for rapid integration with the current Check Point VPN-1 for remote access
- Need to fit within the existing and new network topology
Solution:
- Certified integration of Entrust IdentityGuard with Check Point VPN-1
- Leveraging the grid authentication option

Customer Case Study: Large US Financial Service Provider
Key customer success criteria:
- Certified integration (OPSEC certified, Entrust Ready)
- Initial & ongoing cost: a fraction of the cost of RSA tokens, allowing for initial full replacement and a plan to expand to many new users, still at a lower TCO!
- Ease of integration: configuration-only integration via Radius (Microsoft IAS)
[Diagram: IP-SEC User, Internet, Check Point VPN-1 NGX, Radius, Microsoft IAS, Radius, MS Active Directory.]
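Both integration diagrams above rely on RADIUS as the glue between the VPN gateway and the authentication server, so it is worth seeing what that protocol actually protects. The following example is added here and is not Check Point's, Entrust's or Microsoft's code: it builds an RFC 2865 Access-Request with the User-Password hidden under the shared secret, lets a simulated RADIUS server (a stand-in for IAS or IdentityGuard) recover and check the password, and has the gateway verify the Response Authenticator before trusting an Access-Accept. The shared secret, user store and Request Authenticator values are constructed.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER = struct.Struct("!BBH")   # Code, Identifier, Length; the 16-byte Authenticator follows


def _xor_stream(data, secret, request_auth, chain_on_output):
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous ciphertext
    block); the first block is keyed by the Request Authenticator."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, key))
        out += result
        prev = result if chain_on_output else block   # ciphertext is the chaining value
    return out


def hide_password(password, secret, request_auth):
    padded = password + b"\x00" * (-len(password) % 16)
    return _xor_stream(padded, secret, request_auth, chain_on_output=True)


def reveal_password(hidden, secret, request_auth):
    return _xor_stream(hidden, secret, request_auth, chain_on_output=False).rstrip(b"\x00")


def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def build_packet(code, ident, authenticator, attrs_bytes):
    return HEADER.pack(code, ident, HEADER.size + 16 + len(attrs_bytes)) + authenticator + attrs_bytes


def response_authenticator(code, ident, length, request_auth, attrs_bytes, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(HEADER.pack(code, ident, length) + request_auth + attrs_bytes + secret).digest()


def build_access_request(username, password, secret, ident=1, request_auth=None):
    """Gateway side. The Request Authenticator must be fresh and unpredictable per request,
    because it keys the password hiding and binds the reply to this request."""
    ra = request_auth or os.urandom(16)
    attrs = encode_attrs([(ATTR_USER_NAME, username.encode()),
                          (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, ra))])
    return build_packet(ACCESS_REQUEST, ident, ra, attrs)


def radius_server(request, secret, users):
    """Simulated server: recover the PAP password, check the user store, reply Accept/Reject."""
    code, ident, length = HEADER.unpack(request[:4])
    if code != ACCESS_REQUEST or length > len(request):
        raise ValueError("not a well-formed Access-Request")
    ra = request[4:20]
    attrs = decode_attrs(request[20:length])
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, ra)
    ok = user in users and hmac.compare_digest(users[user].encode(), password)
    resp_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    auth = response_authenticator(resp_code, ident, 20, ra, b"", secret)
    return build_packet(resp_code, ident, auth, b"")


def gateway_accepts(response, request, secret):
    """Gateway side: trust the verdict only if the Response Authenticator proves the reply
    came from a holder of the shared secret and belongs to our request."""
    code, ident, length = HEADER.unpack(response[:4])
    if ident != request[1] or length > len(response):
        return False
    expected = response_authenticator(code, ident, length, request[4:20], response[20:length], secret)
    return hmac.compare_digest(expected, response[4:20]) and code == ACCESS_ACCEPT
```

Note what is not protected: only the password is hidden and only the reply is authenticated, both with MD5 and the shared secret, so the gateway-to-server leg belongs on a trusted management network or inside an IPsec tunnel.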

Why Entrust & Check Point? We are security specialists...
- Check Point: 100% of the Fortune 100
- Check Point: 98% of the Fortune 500
- Check Point: ~100,000 customers
- Entrust: #12 of 600+ security software companies
- Entrust: industry pioneer and leader, with 500 employees and 90 patents
- Entrust: best-in-class service and support, and integration with leading technology vendors

Check Point & Entrust: A Remote Access Revolution
Combined solution delivers:
- Integrated security for diverse, anywhere access
- Strong VPN and authentication partnership
- Easy-to-use and easy-to-support multi-factor authentication
- Inexpensive to deploy

Thank You!
The Remote Access Revolution: Practical Solutions for the Enterprise
Dean Ocampo, CISSP, Check Point Software, Manager, Web Security Product Marketing
Steve Neville, Entrust, Inc., Sr. Manager, Identity Products & Solutions
April 5, 2006