Maximize your Symantec VIP investment with Centrify
Many organizations are using Symantec VIP to provide MFA (multi-factor authentication) services for identity assurance, but often their use cases are narrow in scope. For example, MFA may only be used at VPN login or for a specific application login. I want to demonstrate how organizations can maximize their investment in Symantec VIP to provide MFA Everywhere by combining it with the Centrify Identity Platform. This includes MFA for web applications, server login, workstation login, privilege elevation, password checkout, and more. The key is to use the Centrify Identity Platform as the policy engine that drives MFA when needed. This empowers organizations to use a single source of policy to drive MFA Everywhere and take advantage of having a single platform to provide identity assurance for single sign-on, enterprise mobility management, and privileged identity management. Not only does this maximize the investment in their existing MFA solution (Symantec in this example), but it also allows them to leverage centralized administration, reporting, and risk-based analytics to drive logical access across the enterprise.
In our example below, we will leverage Symantec VIP to provide MFA to a web-based application. Additionally, I wrote an article a while back that explains how you can extend Symantec VIP to provide MFA in conjunction with Centrify Infrastructure Services (formerly known as Centrify Server Suite) at server login and privilege elevation. This solution allows you to centralize non-Windows identities in Active Directory and use Symantec VIP to provide identity assurance for specific server-related tasks.
Let us take a look at the high-level overview of what this looks like for the end user. If you would like to skip ahead to the setup, go to part II of this blog here.
When an Active Directory user logs into the Centrify end user portal, the user is challenged with Symantec VIP as shown below:
The first authentication method asks the user to provide the access code from their VIP token:
The second authentication validates the user's LDAP directory password. We're using Microsoft Active Directory in our example. Once both steps are completed, the user is taken to the user portal page.
The order of authentication (i.e. challenging for the LDAP password second) can be controlled by policy. Challenging for the one-time passcode from the Symantec VIP token first prevents an attacker from locking out the end user's Active Directory account: possession of the Symantec VIP token is proven before the user is allowed to enter an Active Directory password, so failed password guesses from someone without the token never reach the directory's lockout counter. It is a handy policy to have for an internet-facing web application.
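To make the lockout argument concrete, here is a small added model of the two factor orderings. It is example code written for this post, not Centrify or Symantec code, and the VIP check, the account, the lockout threshold of 5 and the sample credentials are all constructed stand-ins, not the real VIP or Active Directory APIs.

```python
"""Added example: why challenging for the VIP one-time passcode before the
Active Directory password protects the AD account from lockout.

All classes here are constructed stand-ins for this illustration; they are
not the Symantec VIP or Active Directory APIs.
"""
from dataclasses import dataclass
import hmac


@dataclass
class ADAccount:
    """Stand-in for an AD account with a failed-logon lockout policy."""
    username: str
    password: str
    lockout_threshold: int = 5   # constructed value, not a real domain policy
    failed_attempts: int = 0
    locked: bool = False

    def check_password(self, candidate: str) -> bool:
        """Count failures the way a directory would and lock at the threshold."""
        if self.locked:
            return False
        if hmac.compare_digest(self.password, candidate):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= self.lockout_threshold:
            self.locked = True
        return False


@dataclass
class VIPToken:
    """Stand-in for the Symantec VIP verification step (constructed)."""
    current_code: str

    def verify(self, candidate: str) -> bool:
        return hmac.compare_digest(self.current_code, candidate)


@dataclass
class Policy:
    otp_first: bool   # True = challenge for the VIP code before the AD password


def login(policy: Policy, account: ADAccount, token: VIPToken,
          otp_input: str, password_input: str) -> str:
    """Run the two factors in the order the policy dictates.

    Returns "success", "otp_rejected" or "password_rejected".
    """
    if policy.otp_first:
        if not token.verify(otp_input):
            return "otp_rejected"        # AD is never consulted
        if not account.check_password(password_input):
            return "password_rejected"
        return "success"
    # Password-first ordering: every attempt hits the directory's counter.
    if not account.check_password(password_input):
        return "password_rejected"
    if not token.verify(otp_input):
        return "otp_rejected"
    return "success"


def simulate_guessing(policy: Policy, attempts: int = 10) -> ADAccount:
    """Model someone with neither the token nor the password making repeated
    attempts, and return the account so the lockout state can be inspected."""
    account = ADAccount("alice", "correct horse battery staple")   # constructed
    token = VIPToken("493027")                                      # constructed
    for i in range(attempts):
        login(policy, account, token,
              otp_input="000000", password_input=f"guess{i}")
    return account


if __name__ == "__main__":
    for otp_first in (True, False):
        acct = simulate_guessing(Policy(otp_first=otp_first))
        print(f"otp_first={otp_first}: failed_attempts={acct.failed_attempts}, "
              f"locked={acct.locked}")
```

With the OTP-first policy the account's failure counter stays at zero after ten bad attempts, while the password-first ordering locks the account once the threshold is hit; the legitimate user with the token still authenticates normally in either ordering.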
This is just one example of how an organization can leverage a Centrify policy while facilitating MFA with an MFA provider of their choice. Taking this further, organizations can configure adaptive authentication rules and take advantage of the Centrify machine learning analytics engine to dynamically decide when a user's access is risky before challenging for MFA.
The benefits of this approach are that the organization can leverage an enterprise-wide access policy engine and make context-based decisions on when to authenticate with Symantec VIP for MFA. Additionally, this enables an organization to adopt Centrify without having to rip and replace their existing MFA provider and re-issue MFA tokens to all end users. This approach will maximize your investment for any MFA provider that can integrate with third-party solutions using standards like RADIUS and SAML federation.
For more information on how to integrate the Centrify and Symantec solutions to provide this functionality, please see the How-To articles in this series:
Part II - Configuring Symantec VIP
Part III - Configuring Centrify