Michael Johnson - PodTech
This is Michael Johnson and welcome to another of the Podcasts for F5 Networks series. Today, we're going to be talking about Unified Secure Access and is it the way of the future? We have a couple of guests on today. Ken Salchow, who is the Technical Marketing Manager for Core Products for F5 Networks and also Abby Guha, who is the Product Marketing Manager for RSA's Authentication Technologies, a division of EMC. Welcome both of you to the Podcast.
Ken Salchow - F5 Networks
Thank you.
Abby Guha - RSA Authentication Technology
Thank you.
Michael Johnson - PodTech
We're going to start with you Ken to explain exactly what Unified Secure Access means and how is it different from Network Access Control which we talked about before in previous Podcasts?
Ken Salchow - F5 Networks
Okay, so Unified Secure Access is actually part of F5's Unified Access and Application Delivery Methodology. So, it's kind of a whole approach to how to secure and deliver applications to users. So, in today's world there are two big things that are driving information technology. The first is Data Center Consolidation which is being driven by compliance mandates and cost saving initiatives, and the second is the increasing mobility of the average worker. Many of them are in the office, on the road or working from home at any given moment on any given day. Now, these two drivers are making people realize that it's not viable anymore to have Remote Access Policies and Local Access Policies. It just presents too many possibilities for mistakes to be made and it's simply too inefficient and costly. So, Unified Access is all about removing that artificial boundary between what a local user is and what a remote user is and applying the exact same access policy to both groups. An access policy that can dynamically adapt to where the user is and it can be applied universally. So, this is well different from Network Access Control or Generic NAC because NAC is really only relevant for local access where organizations actually own the switches and routers that you plug into. In that scenario, it's a really great addition to security but it still leaves out the remote user because when you're a remote user you're plugging into switches and routers that are either owned by you at your home or by the local coffee shop that you are accessing the Internet from. So, with NAC you still end up with two different policies for remote users versus local users and two different ways to handle that access. And so that doesn't really solve the top level problem.
Michael Johnson - PodTech
Okay, now you've established that for remote users a secure access to the network is pretty important but why did customers need Unified Access? What's the need for that?
Ken Salchow - F5 Networks
Right, so I already mentioned the first one which is, what defines a remote user versus a local user. For my job I'm actually remote most of the time, I work from my home office. However, every month I'm in corporate and I'm plugged into the local network. So, how do we define what a remote user is and a local user and shouldn't we have different security policies based on those two different things? But shouldn't we have them in a unified manner, a policy that actually understands whether I'm local or remote and changes the policy allows me to access the network in one way? Secondly, a lot of organizations are realizing that the same security they apply to remote users like Encrypting Technologies, so using a VPN to access the corporate network. It's just as important as on the LAN as it is in the WAN. So, if you're trying to do compliance or you're trying to ensure that private data stays private, if it across in clear text on the Local Area Network, there is a good chance that people who aren't supposed to be seeing it, could still see it. So, why don't we use the same kind of technologies that we use across the public infrastructure across the Internet, what if we use those internally as well to encrypt that data. So, the same thing applies, why aren't we using the same access policies, why aren't we applying the same security for the internal users as the external users? And that's even a bigger question because most of us have known for a long time that most security incidents are actually perpetrated by employees, they're internal people not Internet users. And so it really seems silly to have extra security on the outside when they're coming across the Internet and less security on the inside when they're internal users when the internal users are the ones that are more dangerous.
Michael Johnson - PodTech
So, how to sustain with compliance, we've got a lot of government regulations out there around data security, we've got Sarbanes-Oxley, HIPAA, Senate Bill 1386 and more, how does this relate to compliance issues?
Ken Salchow - F5 Networks
Well, yeah, compliance is really driving IT today, isn't it? And mandates and regulations seem to continue to grow and mount every day. So, really when it comes down to compliance, the biggest thing that people really have to do is prove that they are compliant. So, you don't go through a checklist, you could say, we did this, we did that, we did the other thing but unless you have some assurance that you can actually implement those policies that they are actually being used, you really can't prove that you're compliant and you're still going to have problems. So, it's a lot simpler to show that you are applying the same policy, the same compliance template to every user if you only have one policy to apply to all users regardless of whether they're remote or they're local. If you have two of them, now you have to coordinate logs and you have to bring data together from different sources and frankly, it's a little bit too complex, errors are going to be made and you're going to miss something. So, really Unified Access is really an attempt to make it easier to actually comply to some of these mandates.
Michael Johnson - PodTech
That falls right into talking about authentication, which is kind of the underlying, the subtext or what you've been talking about this whole time, that ability to really identify that user beyond the reasonable doubt that seems like a real key factor for Unified Access. Can you talk about that a little bit?
Ken Salchow - F5 Networks
Well, yeah I mean you hit it right on the head, Unified Access is all well and good, having a great policy that you're sure of, that does exactly what you wanted to do, can adapt dynamically to where the user's coming from or what type of device they're doing or what kind of information they're trying to access, all of this stuff is really great. But, it all falls apart if you can't even figure out who the user is. If you have no assurance that person on the other end of that connection is really the person they are, then you might as well just pack up and go home, there's no point even having all this other stuff.
Michael Johnson - PodTech
Well, let's talk a little bit further about authentication with Abby Guha again, she is the Product Marketing Manager for RSA's Authentication Technologies, it's a division of EMC. Abby can you try them and here, we've been talking about authentications, passwords are obviously the most common authentication mechanism that's used. Now, aside from mighty policies that require them to be sort of either complex or changed on a regular basis, how does RSA prefers strengthening that factor, that part of Unified Access?
Abby Guha - RSA Authentication Technology
Sure, Michael. Just following from what Ken mentioned earlier, one of the key elements that ultimately supports the overall success of Unified Access strategy is really being able to verify the identity of the user and being able to determine with a pretty high level of confidence, the trustworthiness of the identity credential that the user is presenting. And this is generally difficult to do when the key user authentication mechanism involves passwords, even those passwords that are more complex and are changed regularly based on some of these policies on the back end. And we've found that passwords are just generally not socially engineered to support security best practices mainly because it's difficult to follow security best practices when password management involves Post-it notes, writing down key passwords in Word or Excel files, in previous slides, I've been guilty of doing that myself and also the scenario where passwords are very easily shared and you've got multiple end users sort of sharing this one password to get into some critical information and applications. So, RSA's approach to strengthening Unified Access is to enable organizations to determine with a pretty high level of assurance that the user is in fact who they claim to be and also to ensure that the user is the same user across a variety of applications, and this is basically done through Strong Authentication or Two-Factor Authentication where a user provides two pieces of information to identify themselves as opposed to just one in the case of simple password. So, these two things would be something they know, for example, a PIN number that they would know and something they have such as an authenticator, also often referred to as tokens and these tokens generate a new code every 60 seconds, which we refer to as a one-time password.
And so, the user with a combination of these two pieces of information, the PIN and this ever changing code that only that user would uniquely have, through those two pieces of information, it's a much more thorough and rigorous authentication process while keeping the user experience very simple.
Michael Johnson - PodTech
Well, let's expand a little bit more about Authentication Systems. You are mentioning sort of Two-Factor Authentication Systems. Key Fob tokens are probably the most common of those. How do you see Two-Factor Authentication changing?
Abby Guha - RSA Authentication Technology
Some examples of where we see Strong Authentication going and Two-Factor in particular include, for example, the growth of software authenticators. So, it is a software version of hardware authenticators that we are already familiar with or there you have key fob tokens that you have mentioned earlier. And these software authenticators are basically deployment of strong two-factor authentication as a software implementation and offer the same convenience and security that these hardware authenticators do, but now instead of someone carrying two devices around, for example, the key fob and a mobile device that they may be using. Now, you can just load an authenticator in a software format right on to a mobile device. So, you can run strong authentication right off of your PDA or off of your mobile phone. So, that's one area where we are seeing a lot of interest and organizations are definitely starting to appreciate the benefits from the user perspective and maybe just carrying one strong authentication device. What we are also seeing is that there is an increase in demand for multi-function authenticators such as, USB Authenticator or token, and not only can this sort of connected token generate a new code every 60 seconds but can also store Windows user names and passwords and digital certificates on the device. So, all the end user would have to do is, come in, connect the authenticator to their machine or to their PC's USB Port and then the user's identity credentials are pulled right off of the authenticator, and so their first factor might be they key in a PIN number and then their digital certificate is just sucked right out of the USB Authenticator and those are the two pieces of information that the user provides.
Michael Johnson - PodTech
Okay so, we've established that Unified Access security is greatly improved by some of these two-factor authentications but what other benefits would a company have by deploying say, RSA's technology in conjunction with its Unified Access plan?
Abby Guha - RSA Authentication Technology
Strong Authentication is a key way to ensure the integrity of the end user's identity and then subsequently strengthen the Unified Access approach that a company is adopting. And RSA also offers other technologies that help organizations bring in security best practices to protect their employees' or key stakeholders' online identities and other things just digital assets or intellectual property, and ultimately the goal is to round out their Unified Access plan. I'd alluded to digital certificates earlier and Digital Certificates Solutions are certainly a great way to support this effort within the Unified Access context by associating a user or a device with a digital certificate. So, RSA's Digital Certificates Solutions can really support an organization's effort to round out their Unified Access plan because with digital certificates you can associate a user or a device with the digital certificate and this just further enhances the level of trust between business transactions.
Michael Johnson - PodTech
So, we still have on the line Ken Salchow from F5 Networks. Ken, do you want to wrap this up and have any closing comments that you'd like to establish here?
Ken Salchow - F5 Networks
Yeah, thanks. Really, I just wanted to put in that what RSA provides for this whole Unified Access approach is really important and that's why we're so excited to partner with RSA on this. Their strong security solutions allow us to really identify who those users are, which really enables the whole Unified Access approach and some of the other things that Abby mentioned, things like digital certificates, also allow us to do some fun and interesting things as far as changing the type of security we apply based on whether the user's on a corporate asset or their home computer. So, RSA's technology really allows us to really explore the horizons of what Unified Access really means to us. So, we're really excited about that.
Michael Johnson - PodTech
That was Ken Salchow, Technical Marketing Manager for Core Products at F5 Networks. We were also joined today by Abby Guha, Product Marketing Manager of Authentication Technologies for RSA, a division of EMC. To find out more about Unified Access, check out F5's website at www.f5.com/unifiedaccess. I'm Michael Johnson.
Copyright ©2006 PodTech.net. All rights reserved.