Case Study: Implementing CA Strong Authentication in 30 days
Steve Garippo
Security
Societe Generale
Director, Client Services
SCT10S
@stevegarippo
#CAWorld
2 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
© 2015 CA. All rights reserved. All trademarks referenced herein belong to their respective companies.
Terms of this Presentation
The content provided in this CA World 2015 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA.
For Informational Purposes Only
Abstract
By leveraging 90 percent standard out-of-box functionality and coordinating their efforts with supplemental support from CA Services, we deployed multifactor authentication to protect their clients’ online identities and assets in 30 days.
Agenda
1. WHERE WE CAME FROM
2. WHERE WE ARE NOW
3. WHAT WE DID
4. POST IMPLEMENTATION CONSIDERATIONS
5. SUMMARY & TAKE AWAYS
6. RECOMMENDED SESSIONS AND DEMOS
Company Overview
Business
– SG Americas Securities, LLC is a Futures Commission Merchant that services institutional traders, including OEM manufacturers, food production companies, middle market suppliers, fund managers, and Introducing Brokers.
– We have membership in numerous exchanges globally.
Ownership
– SG Americas Securities, LLC is wholly owned by Societe Generale, one of the largest European financial services groups.
The Past…2011
We were using a single-factor credential to authenticate users: user ID/password
We are in highly regulated markets and recognized the need for enhanced security
After market research and product comparisons, we narrowed our selection to
– CA Technologies
– RSA Security
The Selection…
We knew RSA
– We used SecurID tokens for remote access (VPN) for internal users.
– But we did not want to burden our users with hardware-based tokens.
We selected CA Technologies because
– CA Auth ID was transparent to end users
– No change in user login experience
– Risk analysis was included in the authentication process
– The device being used was fingerprinted and analyzed
– Multiple options to increase authentication if a login seemed risky
The Deployment…
We had two options to deploy the solution
– On-premise, or
– In the cloud.
For expediency, we chose to deploy in the cloud (CA AOK)
In terms of integration, we needed a plugin to Oracle Access Manager; CA Services developed this for us
– This was challenging as we were straddling a 32-bit and 64-bit environment, but the CA resource had it working in a week.
The Architecture…
[Architecture diagram. Components shown: Customers Workstation, WebSphere Portal, Oracle Access Manager, Plugin, CA AOK, Active Directory, CA Auth ID]
“In the first year, we had an issue with a physical switch in the CA network, but with AOK cloud High Availability and Disaster Recovery, we never noticed an outage.”
Where we are now…
Business
– Our web-facing customer portal was due for an upgrade: technologies and UI experience.
Technology Upgrade
– Rewrote application using TC Server
– Switched to Oracle database (from SQL Server)
– Migrated off Oracle Access Manager to CAS
– AOK subscription about to expire…what to do?
Our relook at Multi-Factor Authentication…
The CA AOK service was very stable but had a few drawbacks
– Did not use its own multi-factor authentication for admins
– Dependency on CA Cloud Operations to make changes
– Cost and time to make changes
When comparing pros and cons, we decided to stay with the CA Advanced Authentication solution, but bring it on-premise.
The New Architecture…
[Architecture diagram. Components shown: Customers Workstation, TC Server, CAS, Plugin, CA Advanced Authentication, Active Directory, CA Auth ID]
“Users and their credentials remained unchanged. We launched the new on-premise CA Advanced Authentication in 30 days. This implementation does not customer service in any way.”
The Migration from Cloud to On-Premise…
Options
– We do it all by ourselves
– We engage CA Services to do the entire implementation
– Joint project
We opted to do a joint project because we wanted to
– Leverage our own technical expertise with the solution
– Use CA expertise where critical (CAS integration, architecture review)
This option turned out to be a perfect fit for us.
What we did…
[Timeline chart: Design & Install; Week 1]
Activities Performed
– Defined plan and reviewed timing with CA Services
– Downloaded software and set up test environment
– Ran scripts to set up solution database on Oracle
  Oracle database was set up ahead of time.
What we did…
[Timeline chart: Design & Install, Configuration; Week 1, Week 2]
Activities Performed
– Senior architect from CA came onsite
– Configured the AA Flow Manager
  Here we made compromises and used OOTB (out-of-the-box) rather than custom flows for quicker TTV (time to value)
– Configured Security Question capture as part of the enrollment process
– No IVR or SMS in the first release
What we did…
[Timeline chart: Design & Install, Configuration; Week 1, Week 2, Week 3]
Activities Performed
– Fine-tuned the Flow Manager with our own CSS and pages
– Integrated solution with CAS (using CA Services)
  CA had a team working on this adapter since week 1
– Integrated solution with Active Directory for initial enrollment
What we did…
[Timeline chart: Design & Install, Configuration; Week 1, Week 2, Week 3, Week 4]
Activities Performed
– Fine-tuned the CSS and CAS integration
– Architected the HA and DR environments
– Fully functional implementation in UAT validation
Post Implementation Considerations
Bringing CA Advanced Authentication on-premise was a good decision
We decided against SMS and IVR, but both can be added as desired in the future
We used standard Q&A questions; allowing customers to enter their own questions may have been more user-friendly
We opted to use CAS, but it required custom integration; should consider CA SSO (formerly known as SiteMinder)
Perhaps user IDs should be email addresses (pros and cons)
Summary…
Take Aways
– Using OOTB processes and features led to quicker TTV, including: Flow Manager; personal assurance images; security questions
– Selecting Q&A rather than out-of-band OTP via SMS/IVR for step-up authentication
– Leveraging CA Services for design validation and key integrations
Future Considerations
– Improved reporting capabilities
– Implementing federation capabilities
Recommended Sessions
SESSION # | TITLE | DATE/TIME
SCT25T | Preventing Data Breaches with Risk-Aware Session Management | Wed. Nov 18 at 2:00 pm
SCT31T | Knock, Knock…The Internet of Things Wants to Come In | Wed. Nov 18 at 3:45 pm
SCT05S | Roadmap: CA Advanced Authentication and CA SSO | Wed. Nov 18 at 4:30 pm
SCT24T | Mobile Risk Analysis: Take Your Mobile App Security to the Next Level | Thurs. Nov 19 at 1:00 pm
SCT21T | Enable Omnichannel with Security and API Management | Thurs. Nov 19 at 2:00 pm
Must-See Demos
– Protect Against Fraud & Breaches: CA Advanced Auth (Security Theater)
– Engage Customers: CA SSO (Security Theater)
– Innovation – IoT Slot Car: CA AA, APIM (Security Theater)
– Secure Omni-Channel Access: CA AA, APIM, SSO (Security Theater)
For More Information
To learn more, please visit:
http://cainc.to/Nv2VOe
CA World ’15