The Remote Access Revolution: Practical Solutions for the Enterprise
Dean Ocampo, CISSP, Check Point Software
Manager, Web Security Product Marketing
Steve Neville, Entrust, Inc.
Sr. Manager, Identity Products & Solutions
April 5, 2006

Agenda
• The Realities of Remote Access Today
• Check Point: A Comprehensive Solution for Remote Access
• Changes in the Strong Authentication Market
• Entrust IdentityGuard—A Practical Revolution in Action
• Customer Case Study
• Conclusion & Questions

© Copyright Entrust, Inc. 2005

The Rise of Work Anywhere
• 2005 Statistics*
– 45.1M Teleworkers
– 26.1M 1+ day/week
– Average 3.4 locations
• Drivers**
– Recruiting Incentive – 2nd only to salary
– Rising Gas $$
* American Interactive Consumer Survey, Dieringer Group
** Robert Half International

The Rise of Work Anywhere
[Diagram: Large Offices; Branch Offices; Full-Time Teleworker; Road Warriors; Part-time Teleworkers; Day Extenders; Extranet Partners]
• 45.1M @ Home
• 24.3M @ Client/Customer
• 20.6M @ Car
• 16.3M @ Vacation
• 15.1M @ Outside
• 7.8M @ Train/Plane
* American Interactive Consumer Survey, Dieringer Group

Work Anywhere Endpoint Diversity
• Add more remote users beyond current 20 percent
– Less technical employees
– Partners
• Reduce remote access support costs
– Browser based; no client maintenance
– Less end user complexity
• Additional access options
– Access from home PC, corporate PC, Internet kiosk
• Day Extenders: Email; Basic applications; Home computer
• Teleworkers: Email; Applications; Company computer
• Mobile workers: Email; Basic applications; Company computer or public computer
• Extranet access: Partner computers
• Intranet: Email; Applications; Files
• Extranet: Portal; Applications; Files

Anywhere Challenges
Security
• With IPSec you knew who was coming in
[Diagram: Company-owned PC; Partner PC; Firewall, antivirus +; Access Agreement]
• With SSL VPN you don’t (usually)
[Diagram: Company-owned PC; Employee home PC; Partner PC; Public Internet kiosk; Completely unmanaged/unsecured]
“Spyware is no longer just an annoying pest swarming home PCs; rather, it has evolved into a serious enterprise security threat.”
– IDC Worldwide Spyware 2004-2008 Forecast and Analysis (Nov. 2004)

Regulations Governing Information Risk Management
Regulations shown: Basel II; HIPAA; EU Directive; PCI/CISP; FISMA; California SB; GLBA; Sarbanes-Oxley; EU 8th Directive
Categories shown: Safeguarding Sensitive Information; Internal Controls & Governance
• 80% of time involved in compliance is spent on IT-related tasks (IDC)

Key Regulation Commonalities and Check Point Solutions
Requirement: Check Point Solutions
• Access management: Site-to-Site IPSec VPNs, Remote Access IPSec VPNs, Remote Access SSL VPNs (VPN-1, Edge, Connectra)
• Transmission security: IPSec, SSL, TLS, DES, 3DES, L2TP, etc.
• Authentication: User/Pass + OPSEC partners for strong Authentication
• Policy management: Unified Security Architecture (SmartCenter)
• Malicious software protection: Integrated Intrusion Prevention and End Point Security (Integrity, Application Intelligence, Web Intelligence)
• Intrusion detection and blocking: Integrated Intrusion Prevention (Application Intelligence, Web Intelligence)
• Security Auditing: Cross-Product Reporting & Monitoring (Eventia Reporter)
• Incident handling: Cross-Product Event Correlation (Eventia Analyzer)

Check Point Secure Remote Access Solutions
[Diagram labels, in page order: SmartDefense Service; SmartCenter; Large Offices; VPN-1; Site-to-Site IPSec VPN; Branch Offices; Edge; VPN-1; Full-Time Teleworker; Remote Access; Road Warriors; Integrity SecureClient; IPSec VPN; SSL Network Extender; Part-time Teleworkers; Remote Access; Connectra Web Portal (Clientless); Day Extenders; SSL VPN; Connectra; Extranet Partners; Eventia Reporter; Eventia Analyzer]

Strong Authentication & Entrust IdentityGuard
A Practical Revolution in Action

The need for stronger authentication…
• Customer database
• Sales forecasts
• HR records
• Etc…
• Pressure to make more information available to employees anywhere, anytime
• Need to balance access with corporate and regulatory compliance (PCI, SOX, HIPAA, etc…)

Legislation Example: Payment Card Industry (PCI) Data Security Standard
• Payment Card Industry (PCI) Data Security Standard
• Formerly Visa CISP
• Applies to anyone who deals with cardholder data
• Audit requirements and financial penalties for non-compliance
First Data Corp. reports 85 percent of affected companies have yet to meet PCI standard requirements …
Implement Strong Access Control Measures

Traditional Candidate Technologies
[Chart: axes Purchase & Deployment Investment and Authentication Strength; plotted: Biometrics, Smartcards, Tokens, Digital Certificates, Inert Tokens, Passwords; IT Security Extensibility: Authentication Only; Authentication, Encryption, Digital Signatures]

The Authentication Challenge – One Size Does Not Fit All
[Chart: axes Increasing Req. For Security and Transaction Type; plotted: Remote Access (Executives, Sensitive Data); Remote Access (Avg. User); Desktop Login Onsite Web]
Enterprise authentication requires a range of capabilities

Addressing the Authentication Challenge: Entrust IdentityGuard
[Chart: axes Purchase & Deployment Cost $ and Authentication Strength; plotted: Biometrics, Smartcards, Tokens, Digital Certificates, Passwords]
Entrust delivers:
• Multi-factor strong authentication platform
• Flexible, risk-based solution
• Easy to use and support
• Inexpensive to deploy

Range of Risk-Based Strong Authentication
• Policy-based authentication allowing single authentication layer to meet multiple business requirements
– Per transaction, per user, per application, per LOB…
• Machine Auth: Authorized set of workstations
• Grid Auth: Grid location challenge and response
• Out-of-Band: One-time-passcode to mobile device or phone
• Knowledge Auth: Challenge / response questions
• Scratch Pad Auth: One-time password list

Extensible Across the Enterprise
• Remote Access: IP-SEC & SSL VPN, RAS, Citrix
• Microsoft Windows Desktops (including Microsoft Outlook Web Access)
• Extranet

Entrust IdentityGuard: Platform Summary
• Multi-factor authentication platform
– Range of authenticators
– Based on FIPS-validated cryptography
– Stand-alone or layered
• Easy to use and support
– Easy to use options
– No software or hardware to deploy
• Inexpensive to deploy
– Fraction of the cost of traditional options
– Seamless integration with leading remote access vendors
http://www.entrust.com/cost-meter/

Check Point & Entrust IdentityGuard Certified Integration
[Diagram labels, in page order: Check Point VPN-1 NGX; IP-SEC User; Radius; Internet; Standard Radius Server; SSL User; Check Point Connectra NGX; Repository; LDAP / Active Directory; Database]

Customer Case Study: Large US Financial Service Provider
Customer Challenge:
• Required cost-effective option for strong authentication to replace expensive RSA tokens
• Absolute requirement for rapid integration with current Check Point VPN-1 for remote access
• Need to fit within existing and new network topology
Solution:
• Certified integration of Entrust IdentityGuard with Check Point VPN-1
• Leveraging grid authentication option

Customer Case Study: Large US Financial Service Provider
Key Customer Success Criteria:
• Certified integration (OPSEC certified, Entrust Ready)
• Initial & ongoing cost—fraction of the cost of RSA tokens, allowing for initial full replacement and plan to expand to many new users, still at a lower TCO!
• Ease of integration—configuration only integration via Radius (Microsoft IAS)
[Diagram labels, in page order: Check Point VPN-1 NGX; Microsoft IAS; Internet; IP-SEC User; MS Active Directory]

Why Entrust & Check Point?
We are Security Specialists…
• Check Point: 100% of the Fortune 100
• Check Point: 98% of the Fortune 500
• Check Point: ~100,000 Customers
• Entrust: #12 of 600+ security software companies
• Entrust: Industry pioneer and leader, with 500 employees and 90 patents
• Entrust: Best in class service and support, and integration with leading technology vendors

Check Point & Entrust: A Remote Access Revolution
Combined solution delivers:
• Integrated security for diverse, anywhere access
• Strong VPN and Authentication Partnership
• Easy to use and support multi-factor authentication
• Inexpensive to deploy
[Chart: axes Purchase & Deployment Cost $ and Authentication Strength; plotted under "Traditional": Biometrics, Smartcards, One-Time-Password Tokens, Passwords]

Thank You!