Leverage your Symantec VIP investment with Centrify
Many organizations already use Symantec VIP to provide MFA authentication assurance to control access to web applications and/or network systems. I wrote an article a while back that explains how you can extend Symantec VIP to provide MFA in conjunction with Centrify Infrastructure Services at server login and privilege elevation. This allows you to centralize non windows identities to Active Directory and use VIP to authenticate users for specific server related tasks.
Now I want to show you how organizations can extend Symantec VIP to provide MFA to web applications and infrastructure resources that use the Centrify Identity Platform as their policy engine. This allows organizations to use Centrify for single sign on, enterprise mobility management, and privileged identity management but also leverage their investment in Symantec VIP to provide MFA when logging on to the Centrify portal or checking out a privileged account.
For example, for an AD user logging into the Centrify end user portal, he/she would be challenged with Symantec VIP as shown below:
The first authentication method is going to ask the user to provide the access code on his/her VIP token:
The second authentication will validate the user's Active Directory, Centrify Directory, or LDAP directory password. Once completed, the user will be taken to the user portal page.
The authentication profile leverages the Centrify policy to authenticate the user with her VIP token first, then prompt for her AD password. This prevents an attacker from locking out the end user's Active Directory account by ensuring that the user has possession of VIP token before allowing the user to enter her AD password.
This shows one example of how an organization can leverage a Centrify policy while still making use of Symantec VIP for MFA. Taking this further, organizations can use Centrify to configure specific rules for when they want to MFA a user with Symantec VIP, and/or the organization can use the Centrify analytics engine to make a user behavioral risk decision based on machine learning to decide when to MFA the user with Symantec VIP.
The benefits of this approach are that the organization can leverage a very powerful access policy engine throughout the enterprise and make context based decisions on whether to authenticate with Symantec VIP for MFA. Additionally, this enables an organization to make use of Centrify without having to rip and replace their existing Symantec VIP solution and re-issue MFA tokens to all end users.
To see more information on how to integrate the two Centrify and Symantec solutions to provide this functionality, please see the How-To article in this series (coming soon).
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.