Can one security solution protect two very different people?
Picture two people. David heads up IT Security at PennyTech, a large insurance organisation. The other, an insurance broker named Andrea, works for the same firm. In their daily lives they experience different challenges. They have different goals, different needs, and from a security perspective, totally different levels of access at PennyTech.
Andrea is a go-getter, constantly busy and a bit forgetful. She’s always in touch with customers and friends with her trusty iPhone welded to her hand. For work, she needs rapid and continuous access to Salesforce, email, calendar and the firm’s various internal web-based ordering systems.
David’s a classic 9-to-5 executive. He is in constant meetings, many of them spent educating colleagues about, and justifying the budget for, IT Security. Overseeing IT budgets, audits and security, David needs instant visibility into how and where his users are accessing PennyTech’s sensitive information. He is currently overseeing an internal audit, so he must manage several contractors, all of them combing through the company IT systems. Recently there were areas where David could not provide them with the reports they requested on Salesforce access in Andrea’s division. David is also challenged by the business itself, which is asking for more powerful apps that make the business more efficient while using less costly infrastructure. David is considering moving internal apps into the cloud and getting rid of his perimeter, except for the most sensitive assets.
These two folks’ daily lives could not be more different. Andrea clearly needs more access and mobility. David needs to address Andrea’s needs, but with serious caution. Andrea’s only encounter with security is the authentication token she carries around. She’d rather have one on her phone. David must balance her desire for easy access with security and compliance needs.
Firms like RSA Security sell solutions that balance the need for compliance, easy access and protecting core internal assets. RSA Authentication Manager, for example, is a token-based solution. The solution also includes a “risk engine” which allows web applications to be protected without tokens. For most organisations with a clearly defined perimeter (such as a VPN or secure gateway), SecurID has been great for both David and Andrea. Software-based tokens can be sent out automatically to smartphones too, and David is considering a pilot for Andrea’s group.
Organisations choose RSA’s Authentication Manager for elevated access to internal assets, closing off the perimeter and being able to prove it (say, for David’s pesky auditors). The platform allows organisations to choose between a variety of token types (hardware fobs, software on mobile or even SMS or risk-based alone). This diversity of choice has seen the solution succeed for more than 25 years in the security industry! Think of Gerald, an external auditor who needs to access PennyTech’s IT systems temporarily. David doesn’t want to give him a token permanently, so the SMS option works great here.
Yet protecting cloud applications is a challenge. Andrea needs more and more apps, and needs them fast. David is hampered here, as SecurID and other token solutions haven’t traditionally translated naturally to cloud applications. Meanwhile, security remains a priority for critical insurance and customer information.
RSA has answered this challenge with a product called RSA Via Access. RSA Via Access is a new cloud-hosted access solution that provides a centralised portal in which users sign into their cloud applications. This is coupled with an authentication app on the user’s phone, which prompts them for various types of authentication to prove their identity, according to a PennyTech-defined policy.
In this example, Andrea could sign into Salesforce with her fingerprint (using Apple’s Touch ID technology). In David’s world, cloud apps are now centralised. This enhances visibility and reporting, and also provides a clearly defined path for access and security for everyone.
The best part about RSA Via Access is how it can use an existing RSA SecurID (Authentication Manager) deployment. Since RSA Via Access has a token built into it, traditional SecurID-protected assets can use that. It’s a two-way street, however: RSA Via Access could also use David’s existing software tokens as an option when protecting cloud apps like Salesforce.
With Via tokens used on-premises and SecurID tokens in the cloud, or a mixture of the native Via Access authentication methods such as fingerprints, the path is clear. David protects his investment in tokens while enabling a smooth transition to the cloud for users like Andrea.
In summary, with RSA Authentication Manager, strong authentication happens inside the organisation. With RSA Via Access, it happens everywhere. It’s a world where the Davids, the Andreas and even those pesky auditors are all happy.