
Case Study: Implementing CA Strong Authentication in 30 days

Steve Garippo

Security

Societe Generale

Director, Client Services

SCT10S

@stevegarippo

#CAWorld

© 2015 CA. ALL RIGHTS RESERVED. @CAWORLD #CAWORLD

© 2015 CA. All rights reserved. All trademarks referenced herein belong to their respective companies.

Terms of this Presentation

For Informational Purposes Only

The content provided in this CA World 2015 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA.


Abstract

By leveraging 90 percent standard out-of-box functionality and coordinating their efforts with supplemental support from CA Services, we deployed multifactor authentication to protect their clients’ online identities and assets in 30 days.

Steve Garippo

Societe Generale

Director, Client Services


Agenda

1. Where we came from
2. Where we are now
3. What we did
4. Post implementation considerations
5. Summary & take aways
6. Recommended sessions and demos


Company Overview

Business
– SG Americas Securities, LLC is a Futures Commission Merchant that services institutional traders including OEM manufacturers, food production companies, middle-market suppliers, fund managers, and Introducing Brokers.
– We have membership in numerous exchanges globally.

Ownership
– SG Americas Securities, LLC is wholly owned by Societe Generale, one of the largest European financial services groups.


The Past…2011

– We were using a single-factor credential to authenticate users: user ID/password.
– We are in highly regulated markets and recognized the need for enhanced security.
– After market research and product comparisons, we narrowed our selection to:
  – CA Technologies
  – RSA Security


The Selection…

We knew RSA
– We used SecurID tokens for remote access (VPN) for internal users.
– But we did not want to burden our users with hardware-based tokens.

We selected CA Technologies because
– CA Auth ID was transparent to end users
– No change in user login experience
– Risk analysis was included in the authentication process
– The device being used was fingerprinted and analyzed
– Multiple options to increase authentication if a login seemed risky
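The selection criteria above describe the shape of a risk-based authentication flow: the first factor is checked, the device fingerprint and other signals feed a risk score, and only a risky login is stepped up (the deck later settles on security questions as the step-up method). The following toy decision engine is an added illustration of that flow written for this page; it is not CA Auth ID or CA Advanced Authentication code, and the signals, weights, thresholds and the sample user are constructed assumptions. It shows the part a vendor product hides: how a score turns into allow / step-up / deny, how a security-question answer is stored and compared, and how a device becomes trusted after a successful step-up.

```python
"""Toy risk-based step-up authentication engine (constructed example, not vendor code)."""
import hashlib
import hmac
import secrets
import unicodedata
from dataclasses import dataclass


@dataclass
class LoginAttempt:
    user_id: str
    password_ok: bool            # result of the first factor, decided elsewhere
    device_fingerprint: str      # opaque hash of browser/device traits
    country: str                 # derived from the source address
    failed_attempts_last_hour: int


@dataclass
class UserProfile:
    user_id: str
    enrolled_devices: set[str]   # fingerprints seen and confirmed for this user
    usual_countries: set[str]
    question: str                # security question captured at enrollment
    answer_hash: bytes           # PBKDF2 of the normalized answer, never the answer itself
    answer_salt: bytes


# Assumed weights and thresholds; a real deployment tunes these from its own data.
WEIGHT_UNKNOWN_DEVICE = 40
WEIGHT_UNUSUAL_COUNTRY = 30
WEIGHT_FAILURE_BURST = 30
STEP_UP_THRESHOLD = 30
DENY_THRESHOLD = 80


def _normalize(answer: str) -> str:
    """Make 'Main  Street' and 'main street' compare equal; case and spacing are not secrets."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Slow, salted hash so a leaked profile table does not reveal answers."""
    return hashlib.pbkdf2_hmac("sha256", _normalize(answer).encode(), salt, 100_000)


def enroll(user_id: str, device_fingerprint: str, country: str,
           question: str, answer: str) -> UserProfile:
    """Initial enrollment: first device and location become the baseline."""
    salt = secrets.token_bytes(16)
    return UserProfile(user_id, {device_fingerprint}, {country},
                       question, hash_answer(answer, salt), salt)


def risk_score(attempt: LoginAttempt, profile: UserProfile) -> tuple[int, list[str]]:
    """Additive score with the reasons, so an operator can see why a login was stepped up."""
    score, reasons = 0, []
    if attempt.device_fingerprint not in profile.enrolled_devices:
        score += WEIGHT_UNKNOWN_DEVICE
        reasons.append("unknown device")
    if attempt.country not in profile.usual_countries:
        score += WEIGHT_UNUSUAL_COUNTRY
        reasons.append("unusual country")
    if attempt.failed_attempts_last_hour >= 3:
        score += WEIGHT_FAILURE_BURST
        reasons.append("recent failure burst")
    return score, reasons


def decide(attempt: LoginAttempt, profile: UserProfile) -> tuple[str, list[str]]:
    """Return one of 'allow', 'step_up', 'deny' plus the contributing reasons."""
    if not attempt.password_ok:
        return "deny", ["first factor failed"]   # risk scoring never rescues a bad password
    score, reasons = risk_score(attempt, profile)
    if score >= DENY_THRESHOLD:
        return "deny", reasons
    if score >= STEP_UP_THRESHOLD:
        return "step_up", reasons
    return "allow", reasons


def verify_step_up(profile: UserProfile, answer: str, device_fingerprint: str) -> bool:
    """Check the security-question answer in constant time; trust the device on success."""
    ok = hmac.compare_digest(hash_answer(answer, profile.answer_salt), profile.answer_hash)
    if ok:
        profile.enrolled_devices.add(device_fingerprint)
    return ok


if __name__ == "__main__":
    user = enroll("trader01", "fp-laptop", "US", "First employer?", "Acme Corp")
    print(decide(LoginAttempt("trader01", True, "fp-laptop", "US", 0), user))   # allow
    print(decide(LoginAttempt("trader01", True, "fp-phone", "US", 0), user))    # step_up
    print(verify_step_up(user, "acme  corp", "fp-phone"))                       # True
    print(decide(LoginAttempt("trader01", True, "fp-phone", "US", 0), user))    # allow now
```

The password check stays a hard gate in front of the risk engine: scoring decides how much additional assurance a correct password needs, never whether a wrong one is acceptable. Returning the reasons alongside the decision is what makes the step-up rate explainable and auditable later.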


The Deployment…

We had two options to deploy the solution
– On-premise, or
– In the cloud.

For expediency, we chose to deploy in the cloud (CA AOK).

In terms of integration, we needed a plugin to Oracle Access Manager; CA Services developed this for us.
– This was challenging as we were straddling a 32-bit and 64-bit environment, but the CA resource had it working in a week.


The Architecture…

[Diagram: Customer's Workstation → WebSphere Portal → Oracle Access Manager → Plugin → CA AOK (CA Auth ID); Active Directory]

“In the first year, we had an issue with a physical switch in the CA network, but with AOK cloud High Availability and Disaster Recovery, we never noticed an outage.”


Where we are now…

Business
– Our web-facing customer portal was due for an upgrade in technologies and UI experience.

Technology Upgrade
– Rewrote application using TC Server
– Switched to Oracle database (from SQL Server)
– Migrated off Oracle Access Manager to CAS
– AOK subscription about to expire…what to do?


Our relook at Multi-Factor Authentication…

The CA AOK service was very stable but had a few drawbacks
– Did not use its own multi-factor authentication for admins
– Dependency on CA Cloud Operations to make changes
– Cost and time to make changes

When comparing pros and cons, we decided to stay with the CA Advanced Authentication solution, but bring it on-premise.


The New Architecture…

[Diagram: Customer's Workstation → TC Server → CAS → Plugin → CA Advanced Authentication (CA Auth ID); Active Directory]

“Users and their credentials remained unchanged. We launched the new on-premise CA Advanced Authentication in 30 days. This implementation does not [affect] customer service in any way.”


The Migration from Cloud to On-Premise…

Options
– We do it all by ourselves
– We engage CA Services to do the entire implementation
– Joint project

We opted to do a joint project because we wanted to
– Leverage our own technical expertise with the solution
– Use CA expertise where critical (CAS integration, architecture review)

This option turned out to be a perfect fit for us.


What we did…

[Timeline, Mon–Fri over four weeks: Week 1 – Design & Install]

Week 1: Activities Performed
– Defined plan and reviewed timing with CA Services
– Downloaded software and set up test environment
– Ran scripts to set up solution database on Oracle (Oracle database was set up ahead of time)


What we did…

[Timeline, Mon–Fri over four weeks: Week 1 – Design & Install; Week 2 – Configuration]

Week 2: Activities Performed
– Senior architect from CA came onsite
– Configured the AA Flow Manager (here we made compromises and used out-of-the-box (OOTB) rather than custom flows for quicker time to value (TTV))
– Configured Security Question capture as part of the enrollment process
– No IVR or SMS in the first release


What we did…

[Timeline, Mon–Fri over four weeks: Week 1 – Design & Install; Week 2 – Configuration; Week 3]

Week 3: Activities Performed
– Fine-tuned the Flow Manager with our own CSS and pages
– Integrated solution with CAS (using CA Services); CA had a team working on this adapter since week 1
– Integrated solution with Active Directory for initial enrollment


What we did…

[Timeline, Mon–Fri over four weeks: Week 1 – Design & Install; Week 2 – Configuration; Week 3; Week 4]

Week 4: Activities Performed
– Fine-tuned the CSS and CAS integration
– Architected the HA and DR environments
– Fully functional implementation in UAT validation


Post Implementation Considerations

– Bringing CA Advanced Authentication on-premise was a good decision.
– We decided against SMS and IVR, but both can be added as desired in the future.
– We used standard Q&A questions; perhaps allowing customers to enter their own questions would have been more user-friendly.
– We opted to use CAS, but it required custom integration; should consider CA SSO (formerly known as SiteMinder).
– Perhaps user IDs should be email addresses (pros and cons).


Summary…

Take Aways
– Using OOTB processes and features led to quicker TTV, including: Flow Manager; personal assurance images; security questions
– Selecting Q&A over Out-of-Band OTP over SMS/IVR for Step-Up Authentication
– Leveraging CA Services for Design Validation and Key Integrations

Future Considerations
– Improved reporting capabilities
– Implementing federation capabilities


Recommended Sessions

SESSION #  TITLE  DATE/TIME
SCT25T  Preventing Data Breaches with Risk-Aware Session Management  Wed. Nov 18 at 2:00 pm
SCT31T  Knock, Knock…The Internet of Things Wants to Come In  Wed. Nov 18 at 3:45 pm
SCT05S  Roadmap: CA Advanced Authentication and CA SSO  Wed. Nov 18 at 4:30 pm
SCT24T  Mobile Risk Analysis: Take Your Mobile App Security to the Next Level  Thurs. Nov 19 at 1:00 pm
SCT21T  Enable Omnichannel with Security and API Management  Thurs. Nov 19 at 2:00 pm


Must-See Demos

– Protect Against Fraud & Breaches (CA Advanced Auth) – Security Theater
– Engage Customers (CA SSO) – Security Theater
– Innovation – IoT Slot Car (CA AA, APIM) – Security Theater
– Secure Omni-Channel Access (CA AA, APIM, SSO) – Security Theater


Q & A


For More Information

To learn more, please visit:

http://cainc.to/Nv2VOe

CA World ’15