Compromised and stolen credentials remain the main threat to corporate data. Remote access via VPN is the most vulnerable method of access, due to compromised employee credentials. The need for flexible and extremely easy to implement two factor authentication (“2FA”) has become crucial for organizations of all sizes. Another weak link in remote access, beyond user authentication, is generated by connecting to organizational insecure and vulnerable end-points. It is not uncommon that when accessing the network using a VPN through a personal device, any vulnerability existing on that device can quickly become a security hole in the entire network’s protection. To address the heavy challenges of securing remote access, organizations should look for solutions that are cost-effective and provide a cohesive approach for all aspects of access security: compromised credentials, lost or stolen devices and access from insecure endpoints.
Meet Portnox CLEAR – cloud-based access control for VPN
Portnox CLEAR is a Security Software-as-a-Service (SaaS) cloud platform that delivers continuous, on/off-premises risk monitoring and access control to all organizational endpoints. It assigns each connecting device a risk score (similar to a credit score), dynamically assesses the threat they may pose to your network and enforces access control actions in real time. Portnox CLEAR can be used in many flexible ways to authenticate user remote access by VPN providing a unique combination of access control by authentication (Active Directory or Open LDAP), strong factor validation and end-point cyber risk assessment (“risk-based access”).
Portnox CLEAR™ Unique Two-Factor-Authentication Solutions
As part of its entire cloud-based NAC offering, Portnox CLEAR offers a unique approach to 2FA for VPN. 2FA is a method of computer access control in which access is granted only if two separate pieces of evidence are presented to the authentication mechanism – typically, knowledge (something the user knows, such as his username and password), and possession (something the user has, such as a security token).
Conventional 2FA solutions, however, completely ignore the device that is requesting remote access. Portnox CLEAR, on the other hand, can offer device authentication via its device enrollment mechanism. Devices that install the Portnox AgentP application and have been enrolled in the organization are uniquely recognized and are, therefore, continuously monitored and tracked.
The two elements in Portnox’s unique 2FA solution are the typical knowledge (user credentials) coupled with a unique possession (the enrolled device), ensuring that security is offered on two levels: authentication of the user himself and authentication of the device. Stealing a user’s credentials is useless if the device requesting access is not enrolled; and stealing an enrolled device is of no use if the credentials are not available.
Portnox device authentication is offered in two formats: One-Time-Password (OTF) 2FA and Portnox AgentP 2FA.
In this solution, the AgentP application on the enrolled device acts as a soft token by implementing the HMAC-Based OTP algorithm. It generates an OTP upon demand and, together with the user’s username and password, the app allows that specific device access to the organization’s remote network.
As Portnox knows which AgentP generated the OTP, the supplied OTP is the method of authenticating the device; while the supplied credentials are the method for authenticating the user.
Portnox AgentP 2FA
In this solution, a call back mechanism is utilized, relying on the fact that each deployment of AgentP on a device is uniquely recognized. When a user tries to log in by VPN with his credentials, CLEAR calls back the specific AgentP on the device requesting access, to verify that the device is the one it claims to be.
Because Portnox knows that the requesting device is an enrolled device, callback is the method for authenticating the device; while the supplied credentials are the method for authenticating the user.
Portnox CLEAR end-point risk assessment and access policy
Portnox CLEAR offers pervasive and context-aware risk assessment for VPN clients to address attempts by unsecured, vulnerable devices to access the corporate network:
- Real-time pervasive monitoring of any device, mobile and laptop, on and off the corporate network
- Monitoring changes in hundreds of parameters, analyzing security posture and known-vulnerabilities of end-points
- Analyzing and correlating to multiple context attributes
- Taking historical observations into account
- Calculating cyber risk score and making access decisions based on this score
CLEAR customers have flexible, granular control of risk assessments and risk actions thought CLEAR Access Policies. Access Policy allows organizations to define the exact level of acceptable risk and compliance standards for end-point devices that are acceptable in their enterprise.
This blog was written by Portnox.
Portnox is the manufacturer of Next generation Network Access Control (NAC), that can assist you in protecting your network including your VPN.Portnox CLEAR offers many other capabilities for real-time access control and risk assessment as part of its entire SaaS offering, which is fully subscription based and does not require deployment of any on-premise software or appliances. With its Fall-2016 release, Portnox CLEAR demonstrates again its leadership and unparalleled innovation as already recognized by the latest award from Frost and Sullivan.