Johns Hopkins MFA & Risk Analysis Presented by: Etan Weintraub & Patrick Ostendarp


Background
- First foray into MFA (2009) – system administrators only
  - Solution had to support Windows & Linux
  - Investigated a few vendors; went with Aladdin (now Safenet)
  - Dual-role tokens
- Used the PKI environment for the smartcard component – Windows
  - Created secondary accounts for system access; accounts configured in AD for ‘Smart card is required for interactive logon’
- Used RADIUS connections for OTP verification – Linux

Background – Deployment
- Standard token deployment
  - Started with internal IT
  - Expanded to additional admins
  - Eventually made mandatory for all system administrators in central IT
- Normal feedback
  - Admins did not like relying on the token
  - Plenty of ‘what-if’ scenarios
- Currently have 300+ admins with tokens

Background – Issues
- We allowed admins to create their own secondary accounts
  - Major mistake
  - No centralized management, reporting, monitoring, etc.
- Issues with certain *nix flavors connecting to RADIUS
- Standard token issues
  - Broken
  - Lost

Next up – MFA for Users
- Johns Hopkins uses CA SiteMinder as its primary WebSSO platform
  - Don’t worry – we have a large Shibboleth deployment too
- Investigated two primary solutions
  - CA Riskminder / Authminder
  - SecureAuth
- Focused more on the risk analysis aspects of the solution than on second-factor authentication options
- The use case driving the need was VPN protection

MFA for Users – Take 2
- Decided to purchase the Authminder / Riskminder solution
  - Ended up scrapping the product due to multiple incompatibility issues not found in the proof of concept
- Used lessons learned from the project to develop an in-house risk-based analysis solution called Enterprise Step-up Authentication (ESA)
  - We’ll get into more detail in a minute
- First MFA options
  - SMS OTP
  - Safenet OTP
  - Secret questions and answers

ESA – Risk Analysis
- On the login page
  - Browser/device fingerprint built and passed along to the risk analysis engine
- After successful ID/PW verification, check:
  - Tables with user / device / IP blocked / untrusted / allowed
  - User / device velocity checks (how many attempts in an hour)
  - Geolocation (current IP vs. last IP), via freegeoip.net
  - Device / user profile matching (have we seen this pair before?): exact match versus close match

ESA – Levels of Protection
- Standard
  - 90% of our WebSSO sites
  - Risk-only checks; no MFA unless high risk is determined
- Step-up
  - Require step-up authentication if new device / user combination
  - Save information for 60 days
- Always Step-up
  - Primarily for IT admin sites
  - Require step-up even if the device / user combination is found
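The checks on the previous slide and the three protection levels on this one fit together as one decision made after the password check succeeds. The engine below is an added example written to show that flow, not Johns Hopkins' ESA code: the velocity limit, the 500 km geolocation jump, the "three attributes agree" close-match rule, treating a close match as a known device, and the IP-to-coordinates table are all assumptions (the slides name freegeoip.net as the real lookup), and the fingerprints and addresses in the usage are constructed.

```python
"""Risk-based step-up engine modelled on the ESA checks and protection levels above.
Added example, not Johns Hopkins' ESA code. Thresholds, the close-match rule and the
geolocation table are assumptions; a real deployment would resolve IPs through a
geolocation service (the slides name freegeoip.net)."""
import hashlib
import math
from collections import defaultdict, deque
from dataclasses import dataclass, field

DAY = 86400
PAIR_TTL = 60 * DAY        # slides: remembered user/device pairs are kept for 60 days
VELOCITY_WINDOW = 3600     # slides: attempts per hour
VELOCITY_LIMIT = 5         # assumed threshold
GEO_JUMP_KM = 500          # assumed: last-IP vs current-IP distance that counts as high risk
CLOSE_MATCH_MIN = 3        # assumed: fingerprint attributes that must agree for a "close match"

STANDARD, STEP_UP, ALWAYS_STEP_UP = "standard", "step-up", "always-step-up"

# Constructed IP -> (lat, lon) table standing in for the geolocation lookup.
GEO = {
    "162.129.1.10": (39.30, -76.61),   # assumed Baltimore address
    "81.2.69.142": (51.51, -0.13),     # assumed London address
    "10.0.0.5": (39.30, -76.61),
}

@dataclass
class Attempt:
    user: str
    ip: str
    fingerprint: dict   # browser/device attributes collected on the login page
    ts: float

@dataclass
class Decision:
    action: str                          # "allow", "step_up" or "deny"
    reasons: list = field(default_factory=list)

def device_id(fp):
    """Exact-match identifier: hash of the canonicalised fingerprint."""
    canon = "|".join(f"{k}={fp[k]}" for k in sorted(fp))
    return hashlib.sha256(canon.encode()).hexdigest()[:16]

def haversine_km(a, b):
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * math.asin(math.sqrt(h))

class RiskEngine:
    def __init__(self):
        self.blocked_users, self.blocked_ips, self.blocked_devices = set(), set(), set()
        self.attempts = defaultdict(deque)   # velocity: key -> timestamps in the last hour
        self.last_ip = {}                    # user -> IP of the last successful login
        self.known = defaultdict(dict)       # user -> {device_id: (fingerprint, last seen)}

    def _velocity(self, key, ts):
        q = self.attempts[key]
        q.append(ts)
        while q and ts - q[0] > VELOCITY_WINDOW:
            q.popleft()
        return len(q)

    def _match(self, user, fp, ts):
        """'exact' if this device was seen within PAIR_TTL, 'close' if enough attributes agree, else None."""
        did, best = device_id(fp), None
        for known_id, (known_fp, seen) in list(self.known[user].items()):
            if ts - seen > PAIR_TTL:            # expired pair: forget it
                del self.known[user][known_id]
                continue
            if known_id == did:
                return "exact"
            if sum(1 for k in fp if known_fp.get(k) == fp[k]) >= CLOSE_MATCH_MIN:
                best = "close"
        return best

    def evaluate(self, a, level):
        """Run after ID/password verification succeeded; returns the action the SSO layer should take."""
        did = device_id(a.fingerprint)
        if a.user in self.blocked_users or a.ip in self.blocked_ips or did in self.blocked_devices:
            return Decision("deny", ["blocked"])
        d = Decision("allow")
        if max(self._velocity(("user", a.user), a.ts), self._velocity(("dev", did), a.ts)) > VELOCITY_LIMIT:
            d.reasons.append("velocity")
        last, cur = GEO.get(self.last_ip.get(a.user)), GEO.get(a.ip)
        if last and cur and haversine_km(last, cur) > GEO_JUMP_KM:
            d.reasons.append("geo-jump")
        match = self._match(a.user, a.fingerprint, a.ts)
        if match is None:
            d.reasons.append("new-device")
        high_risk = "velocity" in d.reasons or "geo-jump" in d.reasons
        # Standard: step up only on high risk. Step-up: also on an unseen user/device pair
        # (a close match is treated as seen, an assumption). Always step-up: every time.
        if level == ALWAYS_STEP_UP or high_risk or (level == STEP_UP and match is None):
            d.action = "step_up"
        return d

    def record_success(self, a):
        """Call once the login (and any step-up) completed: refresh the user/device pair and last IP."""
        self.known[a.user][device_id(a.fingerprint)] = (dict(a.fingerprint), a.ts)
        self.last_ip[a.user] = a.ip
```

Two points worth noting when wiring this into a WebSSO agent: the blocked tables are consulted before any risk scoring so a blocked entry is never "stepped up" into access, and `record_success` must only be called after the second factor has been completed, otherwise a step-up that the user abandons would still refresh the 60-day pair.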

MFA for Users – What’s Next?
- Production beta of TOTP using Google Authenticator
  - Many users have short-code SMS blocked
  - Out of the country / no cell coverage / etc.
- Expanding the RADIUS offering to support TOTP
  - Allow system admins to use Google Authenticator instead of the Safenet token
- Adding a web service component to ESA
  - Allow for a check of the client after authentication
- Improving self-service
  - Creating a myIT page for users and system admins to manage information about their IT profile
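Google Authenticator generates RFC 6238 TOTP codes (HMAC-SHA1 HOTP from RFC 4226 over a 30-second counter), so the server side that ESA or a RADIUS backend needs is small. The verifier below is an added example of that server side, written for this page and not the Johns Hopkins implementation; it uses only the standard library, accepts one step of clock skew either side (the window size is an assumption), and rejects a code once it has been accepted so a captured code cannot be replayed inside the window. The secret in the usage is the RFC 6238 test key, not a real one.

```python
"""RFC 6238 TOTP verifier with a +/-1 step window and replay rejection, the scheme
Google Authenticator implements. Added example, not Johns Hopkins code."""
import base64
import hashlib
import hmac
import struct
import time

STEP = 30      # Google Authenticator default time step
DIGITS = 6
WINDOW = 1     # assumed: accept the previous and next step to absorb clock skew

def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(key: bytes, t: float, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(key, int(t) // step, digits)

def decode_secret(b32: str) -> bytes:
    """Authenticator secrets are shown as unpadded base32, often grouped with spaces."""
    s = b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))

class TotpVerifier:
    """Per-user verifier; last_counter must be persisted per user in a real deployment."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1   # highest counter already accepted, for replay rejection

    def verify(self, code: str, now: float = None) -> bool:
        code = code.strip()
        if not (code.isascii() and code.isdigit() and len(code) == DIGITS):
            return False
        now = time.time() if now is None else now
        counter = int(now) // STEP
        for c in range(counter - WINDOW, counter + WINDOW + 1):
            # Only counters newer than the last accepted one are eligible: a code that was
            # already used (or an older window slot) is rejected even though it still matches.
            if c > self.last_counter and hmac.compare_digest(hotp(self.key, c), code):
                self.last_counter = c
                return True
        return False

if __name__ == "__main__":
    key = decode_secret("gezd gnbv gy3t qojq gezd gnbv gy3t qojq")   # RFC 6238 test key
    v = TotpVerifier(key)
    print(totp(key, 59), v.verify(totp(key, 59), now=59), v.verify(totp(key, 59), now=59))
```

Because the last accepted counter is what blocks replay, it has to live in the same store as the user's secret (per user, not per verifier process); with several RADIUS or web nodes answering for the same user, a node-local counter gives an attacker a second node to replay against.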

Demonstration