Single Sign-On And Multi-Factor Authentication


Daria Alavidze, Principal Consultant, 2019

On-prem applications example

SaaS application example

SSO MFA vendors (Okta)

Vendor: Okta

Overview: Superior identity product, better suited to support cloud-app-heavy as well as adaptive use cases. Well-respected in the IDaaS arena. The feature list includes security policies that support MDM and geolocation and the ability to integrate multiple sources of identity data, all packaged in a solution that is relatively easy to use. Does not require an on-prem gateway for SSO to cloud apps. 6000 pre-built integrations.

Pros: Ease of deployment and administration. Intelligent access policies, contextual access management, robust platform for directory services, Okta Integration Network, Okta SSO, Okta Lifecycle Management.

Cons: Limited reporting and monitoring functionality. Limited out-of-the-box on-prem integrations. Requires additional components for on-prem integrations (Okta RADIUS agent). Integration costs for 3rd-party and on-prem apps.

Products:
- Okta Universal Directory: a cloud-based directory service that can serve as a single source of truth for IT organizations; it serves as an integration point to multiple ADs and other on-premises directory services.
- Okta SSO: makes managing and securing the extended enterprise simpler for IT and eliminates the password proliferation that plagues users.
- Okta Access Gateway: secure access to on-prem apps and protect your hybrid cloud without changing how your apps work today.
- Okta Advanced Server: IT can extend the same access control to the server layer, bringing secure access management to the full breadth of on-premises and cloud resources IT needs to manage.
- Okta Adaptive MFA.
- Okta Lifecycle Management: automate all lifecycles with any business process for external and internal users.

Okta MFA for VPN

SSO MFA vendors (Duo)

Vendor: Duo

Overview: Duo positions itself as a very strong MFA vendor, not an IDaaS provider. Duo leads in some advanced features and on-prem integrations: it supports out-of-the-box integrations to many on-prem apps like OWA and VPNs, and has native solutions for MFA into Linux and Windows servers and SSH sessions. Duo is a feature-rich MFA solution that competes directly with Okta's Adaptive MFA.

Pros: Easy self-enrollment process. Coverage for all types of devices, continuous monitoring of all trusted endpoints. User-based policies (geolocation, IP range, etc.), device-based policies, group-based policies. Integrates with external IdPs (including Okta, Shibboleth and Azure). Because Duo can put MFA on anything, you'll be more likely to be compliant with NIST and GDPR.

Cons: Duo requires on-prem components for SSO to cloud apps. Duo is not an IdP or IDaaS. Almost all integrations require manual configuration.

Products:
- Duo Access Gateway (SAML/SSO): an IdP that verifies authentication requests against an on-premises or cloud identity database (MS AD, OpenLDAP, SAML IdP, OpenID Connect).
- Duo Auth Proxy (RADIUS/LDAP): allows application integration with the Duo cloud to enable 2FA for apps that support RADIUS or LDAP.
- Duo Network Gateway (Web/SSH): detects user and device context for internal HTTP/S and SSH apps.

Duo Product Architecture (diagram): a user on an access device reaches cloud apps through the Duo Access Gateway [SAML/SSO]; web and SSH apps through the Duo Network Gateway; VPN, virtual desktop, etc. through the Duo Auth Proxy [RADIUS/LDAP], which performs primary authentication against AD, Azure AD, LDAP, etc.; and Duo-integrated services (Azure AD, RDP, SSH, Windows, app, API, etc.) directly. The second factor is confirmed on the user's MFA device. The Duo Cloud provides management, device visibility, user policy and device policy checks. Diagram © 2019 Cisco and/or affiliates; confidential information, property of Duo Security, Inc.

Duo MFA for VPN

SSO MFA vendors (Microsoft Azure)

Vendor: Microsoft Azure AD

Overview: Microsoft's Azure AD offers tight integration with Windows Server Active Directory and Office 365. Azure AD also offers the lowest entry-level pricing for handling multi-factor authentication, and offers advanced toolsets for managing identities and the cloud apps used by your organization.

Pros: Best-in-class integration with Windows Server Active Directory. Tight integration with Microsoft's array of cloud services. Identity Protection allows for security policies based on big data and machine learning. Conditional Access.

Cons: Limited security policies compared to SSO-specific products. Some competitors have better integration with third-party directories and SaaS platforms. Advanced reporting capabilities are only available in Premium pricing tiers. Limited second-factor choices, and it does not provide its own soft token.

Multi-Factor Authentication comes as part of the following offerings:
- Azure Active Directory Premium or Microsoft 365 Business: full-featured use of Azure Multi-Factor Authentication, using Conditional Access policies to require multi-factor authentication.
- Azure AD Free or standalone Office 365 licenses: use pre-created Conditional Access baseline protection policies to require multi-factor authentication for your users and administrators.
- Azure Active Directory Global Administrators: a subset of Azure Multi-Factor Authentication capabilities is available as a means to protect global administrator accounts.

Azure MFA for VPN

SSO MFA vendors (RSA SecurID)

Vendor: RSA SecurID

Overview: Strong MFA solution. Very strong on-prem story. Supports the widest variety of factors. Full self-service portal. Hybrid architecture, risk-based authentication. 400 integrations documented.

Pros: Assurance Levels, Policies, and Applications. Levels of authentication (Low, Medium and High). Machine learning algorithms, combining several contextual factors, to assess user risk based on anomaly detection.

Cons: RSA requires on-prem components for SSO to cloud apps. RSA is not an IdP or IDaaS. Almost all integrations require manual configuration.

RSA architecture

Factors supported

What authentication methods are supported?

Okta:
- Okta Verify
- Voice Call Authentication
- U2F Security Key (FIDO)
- Windows Hello
- Duo
- On-Prem MFA
- Email authentication
- Custom TOTP authentication
- SMS Authentication
- Google Authenticator
- WebAuthn (FIDO2)
- YubiKey
- Symantec VIP
- Security question
- IdP
(Reference link as transcribed, truncated: t/Topics/Security/MFA.htm)

Duo:
- U2F tokens
- Phone Callback
- Mobile passcodes (HOTP, TOTP)
- Duo Push
- Biometrics
- SMS passcodes
- Bypass codes
- Hardware tokens

RSA SecurID:
- Mobile OTP
- Phone Callback
- RSA Push
- Wearables (smartwatch)
- Biometrics
- Face ID
- Proximity
- SMS
- FIDO keys
- Hardware token
- Software token

Microsoft Azure AD:
- Password
- Security questions
- Email address
- Microsoft Authenticator app
- OATH hardware token
- SMS
- Voice call
- App passwords

Mobile applications

Does the product support authentication apps for iOS/Android devices (Google Authenticator? Proprietary app?) Are other devices supported (Apple Watch, Android Wear)?

Okta: Okta Mobility Management (OMM). For the proprietary app:
- iOS 7.1 or higher
- Android 4.0 or higher
- Apple Watch is supported
- Google Authenticator
(Reference as transcribed: Okta-Mobility-Management-OMM Knowledge Hub)

Duo: Duo Mobile works on every device, including smartwatches. Use your Apple Watch to receive login requests on your wrist, and authenticate on your iPhone, iPad or Apple Watch. Duo Mobile for iOS also supports Touch ID, an additional layer of security to verify your users' identities. Duo Mobile works with Apple iOS, Google Android, Palm, Windows Phone 7, Windows Mobile 8.1 and 10, and J2ME/Symbian. Download Duo Mobile for iPhone or Duo Mobile for Android; they both support Duo Push, passcodes and third-party TOTP accounts.

RSA SecurID: The RSA SecurID Authenticate App can serve as the one authenticator for all of your authentication needs. It supports push notification, mobile OTP and biometrics, and provides secure access to both cloud-based and on-premises applications from all major mobile platforms, including iOS, Android and Windows Phone.

Microsoft Authenticator: The Microsoft Authenticator app provides an additional level of security to your Azure AD work or school account or your Microsoft account. The Microsoft Authenticator app is available for Android, iOS, and Windows Phone.

Contextual access management

Can different authentication methods be applied based on criteria such as role, application, location, or other criteria? If so, does this functionality cost extra? If it does, how much extra?

Okta: Identity Provider Routing Rules. Identity Provider (IdP) routing rules enable you to direct end users to identity providers based on the user's location, device, email domain, attributes, or the app they are attempting to access. (This feature is also known as IdP Discovery, because these routing rules allow Okta to discover which identity provider to use based on this context.) !!! There are limitations. (Reference link as transcribed, truncated: tent/Topics/Security/Identity Provider Discovery.htm)

Duo: Adaptive Authentication & Policy Enforcement. Set policies to grant or block access attempts by identity or device and based on contextual factors such as user location, network address ranges, biometrics, device security and more. Requires Duo Access License. https://duo.com/product/adaptive-authentication-and-policy-enforcement

RSA SecurID: Seamless Identity Assurance. Uses machine learning algorithms, combining several contextual factors, to assess user risk based on anomaly detection. Risk Level is calculated based on Context (Network, Location, Behavior, Country, Agent, Browser), User (Admin, Executive, Employee) and Resource (Classified, Public, I.P. Data).

Microsoft Azure AD: Yes. Microsoft highly recommends that administrators enable users to select more than the minimum required number of authentication methods, in case they do not have access to one. Profiles can be created based on user groups and job roles.

Supported applications

(Original table columns: Okta, Duo, RSA SecurID, Microsoft Azure AD. Cell values are listed in the order they appear in the transcription.)
- Institution-hosted: YES (using an agent)
- VPNs: YES, YES, YES
- RDP: YES (using an agent), YES, YES, YES, YES, YES, YES, YES
- SSH: YES, YES, YES, YES
- Banner SSO: YES
- Linux PAM: NO, YES, YES, YES
- Privileged access management systems (CyberArk, Thycotic Secret Server): Okta: "Cyberark and Thycotic are ..." (sentence cut off in the transcription); Duo: CyberArk, Thycotic; RSA: CyberArk; YES. Reference links as transcribed (truncated): https://duo.com/docs/cyber..., https://duo.com/docs/thyco..., https://community.rsa.com/community/products/securid/blog/2018/11/08/privileged-access-the-poster-child-..., https://community.rsa.com/docs/DOC-104894, https://www.okta.com/reso..., .okta.com/part..., apps/cyberark-saml..., apps/?keywords thycotic&page 204
- VDI (VMware, Citrix): (no values transcribed)
