Who should read this paper:
IT, security managers, and executives who use legacy on-premise two factor authentication solutions and are considering a switch to another provider’s solution for two-factor authentication should read this document. This solution brief offers advice about gauging the security of a new solution, understanding the ease of deployment and management, choosing the right strategy for migration, and measuring the total cost effectiveness of a new solution.
A Symantec Advisory Guide: Migrating to Symantec™ Validation and ID Protection Service
SOLUTION BRIEF: MIGRATING TO SYMANTEC™ VIP
Introduction
Your organization can’t afford to gamble with the security of its sensitive data. A major responsibility for your organization is to guarantee
protection of confidential business and customer data, whether stored or transmitted within your enterprise, or used in collaboration with
remote workers, customers, suppliers, business partners, and any other authorized destination of the extended enterprise.
As enterprise environments continue to evolve, IT organizations will need the ability to deliver strong authentication across an increasingly
diverse array of use cases and user populations. Unfortunately, organizations’ legacy on-premise authentication solutions fail to provide
either the flexibility or the cost-effectiveness to deliver this protection. For those organizations, Symantec™ Validation and ID Protection
Service (VIP) offers a broad and flexible strong authentication solution to address their authentication needs, both now and in the future.
This Symantec advisory guide is for IT managers, security managers, and executives who are considering replacing a legacy on-premise
two-factor authentication solution. It provides you with three reasons why your organization can migrate with confidence to Symantec VIP.
Foremost, Symantec is a global leader in security and its strong authentication service will protect your sensitive data from unauthorized
access. Symantec’s cloud-based solution is far easier to deploy and manage, which eliminates a big burden on your security staff and users.
Finally, Symantec is more cost effective. Based on a three-year total cost of ownership study between Symantec VIP and RSA SecurID® with
5,000 credentials, Symantec costs 33 percent less than the RSA on-premise solution. Symantec’s one-time purchase and deployment costs
are just 8 percent of those projected for the RSA on-premise solution.[1] Similar savings are realized when migrating from other on-premise
solutions. Details and related migration issues are covered below.
Symantec authentication is secure
Symantec is a leading provider of strong authentication
• Symantec is one of the top 5 vendors of strong authentication in the world,[2] with over 400,000 clients worldwide
• Over 18 million Symantec VIP credentials under management
• Over 30 million validations per month
• Leveraged by over 1,200 enterprises
Symantec is a global leader in providing security, storage, and systems management solutions to
help consumers and organizations secure and manage their information-driven world. Symantec
VIP is a cloud-based strong authentication service that enables enterprises to secure online
access and transactions, help achieve compliance, and reduce fraud risk. It combines two of the
three factors: something a user knows (such as a user name and password), something a user is
(such as a fingerprint), or something he or she possesses (such as a unique six-digit security
code that changes every 30 seconds and is generated by a card, token, or mobile phone).
Alternatively, it can authenticate through token-less risk-based authentication.
1. "Two-Factor Authentication: A Total Cost of Ownership Viewpoint," white paper, Symantec, July 2015.
2. IDC, August 2014: Worldwide Identity and Access Management 2013 Vendor Shares.
Migrating to Symantec™ Validation and ID Protection Service
A Symantec Advisory Guide
1
Designed and operated for strong security
• Track record – For 18 years, Symantec has protected critical Internet infrastructure from attack including DNS root servers and security
root keys.
• Key generation and storage – Symantec VIP keys are generated with a hardware security module, and are encrypted in an Oracle®
database with AES.
• Physical security – Symantec VIP cloud operations are housed in a Tier 4 data center facility – physically and logically separated
from Symantec's corporate network; dual-control personnel are required to access sensitive key management and signing functions.
Trusted employee background checks are required for secure access.
• Certifications and compliance – PCI DSS (payment card industry data security standard), SSAE 16/SOC 2, WebTrust™ for Certificate
Authority, and federal government PKI.
• Service management – Strict change control processes are used for all IT services. Incident management processes and procedures are
applied including regular "fire drill" exercises.
• Systems and security monitoring – Symantec has a dedicated 24 hours a day, seven days a week network operations center; external
global monitoring of critical services; daily vulnerability scans; host-based and network-based intrusion detection systems for monitoring
systems, applications and network; and SSL and S/MIME for encrypted communications.
Safer as token seed records are kept private
The security of two-factor authentication is dependent on a shared secret, called a seed, that is embedded in each token and deployed to a
server responsible for providing applications with validation services. This seed controls the generation of new one-time passwords (OTP),
and any exposure of this shared secret to a third party would allow that third party to masquerade as an authorized user.
Implementing a legacy on-premise two-factor authentication solution requires communicating token seeds to the administrator: at
deployment, an administrator must manually download the token's seed record and associate it with the on-premise validation server.
Exposure of this shared secret creates an additional risk. Symantec VIP handles these steps automatically, so the token seed is not made
available to the administrator and doesn't exist outside of either the token or the Symantec VIP infrastructure. These are significant reasons
why Symantec VIP is more secure than legacy on-premise approaches to delivering two-factor authentication.
Symantec is easier to deploy and manage
The two key concerns most customers have when migrating from a legacy authentication solution are minimizing capital expenditure and
disruption in end-user productivity. This section focuses on the latter. Symantec has developed two technical migration strategies that may
be adapted to your organization’s architecture and security requirements. Typically, migration will occur over a period of time as legacy
tokens expire, or in waves of users by geographic location or business function. Other situations will require a rapid migration for the entire
enterprise. In most cases, migration from a legacy solution to Symantec VIP may require a period of time where both the legacy solution and
Symantec VIP operate in parallel.
Spectrum of open credential options
The essence of cost and complexity in a two-factor authentication system hinges on token devices and software – both for their acquisition
and deployment, and for subsequent management. Proprietary tokens associated with some legacy authentication solutions are, like so
many sole-source products, more expensive to acquire. Spikes in demand (such as the current wholesale replacement of millions of tokens)
may also trigger delays in the supply chain.
Symantec VIP offers several options for credentials including a token-less risk-based authentication option, mobile credentials, and a variety
of hardware tokens. Symantec VIP tokens are based on an open standard, following the Reference Architecture published by the Initiative for
Open Authentication (OATH). By using open Symantec VIP tokens, your enterprise will receive these benefits:
• Reduced deployment costs by simplifying component integration, allowing validation to occur as a network utility
• Reduced deployment costs by enabling sharing or re-use of authentication devices with multiple websites or applications
• Avoiding vendor lock-in to credential devices
• Broader choice of suppliers of credentials for flexible, best-in-class solution deployment
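The OATH one-time-password scheme this brief describes (a shared seed embedded in the token and held by the validation server, a six-digit code that changes every 30 seconds) is shown here as an added example; it is not code from this brief or from Symantec VIP. It implements RFC 4226 HOTP and RFC 6238 TOTP and a server-side check that tolerates one step of clock drift and refuses replayed counters; the seed is the RFC 4226 test-vector key, embedded as a constructed sample, whereas a production seed is provisioned inside the token and the validation service and never exported. Because token and server run the identical computation, anyone who obtains the seed record computes the same codes, which is exactly the exposure the seed-handling section above is concerned with.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Constructed sample seed: the 20-byte ASCII test-vector key from RFC 4226.
# In a real deployment the seed lives only inside the token and the
# validation service; it is never handed to an administrator.
SAMPLE_SEED = b"12345678901234567890"

STEP_SECONDS = 30   # the brief's "changes every 30 seconds"
DIGITS = 6          # the brief's "six-digit security code"


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step.

    This is what the card, hardware token or mobile app computes.  The
    validation server runs the very same function with the very same seed,
    which is why the seed must stay private to those two parties.
    """
    return hotp(seed, unix_time // step, digits)


def verify_totp(seed: bytes, candidate: str, unix_time: int, last_counter: int = -1,
                window: int = 1, step: int = STEP_SECONDS, digits: int = DIGITS) -> Optional[int]:
    """Validation-server check.  Returns the matching counter, or None on failure.

    Accepts the current time step plus or minus `window` steps to tolerate clock
    drift, and refuses any counter at or below `last_counter`, so a code captured
    in transit cannot be replayed inside the drift window.  The caller persists
    the returned counter as the user's new last_counter.
    """
    if len(candidate) != digits or not candidate.isdigit():
        return None
    current = unix_time // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(seed, counter, digits), candidate):
            return counter
    return None


if __name__ == "__main__":
    now = 59  # fixed timestamp (an RFC 6238 test time) so the run is reproducible
    code = totp(SAMPLE_SEED, now)                                        # token side
    print("token shows", code)                                           # 287082
    print("server accepts, counter", verify_totp(SAMPLE_SEED, code, now))          # 1
    print("replay after counter 1 ->", verify_totp(SAMPLE_SEED, code, now, 1))     # None
```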
[Figure: Symantec VIP credential options]
How Symantec VIP deployment is easier
Faster setup
Symantec VIP uses either a registered smartphone or your existing enterprise directory for the user’s first factor (device or password). This
capability simplifies end-user onboarding, training, and administrative overhead. Unlike legacy on-premise authentication approaches,
Symantec VIP does not require a dedicated server to integrate with your enterprise applications. Instead, Symantec VIP uses a lightweight
and completely stateless gateway that can run as an additional process on an existing server platform.
Easier to deploy credentials
Symantec VIP's integrated platform lets you deploy multiple tokens or select the authentication method depending on user and application
requirements. Symantec VIP offers a variety of options including a token-less risk-based option that uses device ID and behavior analytics to
authenticate legitimate users without changing their logon experience. In addition, VIP offers a free, downloadable mobile credential that
supports more than 900 mobile devices. This allows end users to use their mobile device to receive the second factor (one-time password),
and eliminates the need to mail physical tokens to these users. For an even simpler option, VIP Access Push can be used on the mobile
device to authenticate with one tap to verify the request, eliminating the 6-digit code. Finally, the ultimate in convenience uses biometrics
to authenticate with just a fingerprint, eliminating not only the 6-digit code but also the password for online applications.
Lowers administrative burden
With Symantec VIP, the enterprise administrator no longer needs to import token seed records for each batch of tokens, or distribute
software token seeds to end users. An out-of-box self-service portal allows end users to activate their tokens without requiring IT
administrative assistance.
Two strategies for migration
To illustrate the migration process and deployment options, the following sections present how an organization would effect a seamless and
simple migration from an existing RSA SecurID installation. However, this migration process could be applied to any legacy on-premise
two-factor authentication solution.
The immediate outcome of migration is parallel two-factor authentication systems; these keep legacy tokens in operation until they’re retired
while enabling Symantec VIP credentials to smoothly take their place. Two migration strategies will get you there in different ways. Option A
preserves the same user experience, so nobody will notice a change for secure access. Option A requires extra administrative work to achieve
user transparency. Option B requires the new Symantec VIP user to use a different virtual private network (VPN) profile, but eases the
administrative burden of migration. The options are briefly explained below; for technical and administrative details, see our white paper,
“Migrating to Symantec VIP: Technical Migration Strategy.”
Option A: No change to user experience; more administration
[Figure: Option A, RADIUS enabled in the legacy authentication server: a single RADIUS-enabled VPN server and a legacy authentication server with RADIUS enabled]
Option A uses the credential migration feature of the VIP Enterprise Gateway. Symantec VIP requires Remote Authentication Dial-In User
Service (RADIUS) support to implement this feature. The migration feature allows the enterprise to gradually move users and their tokens
from legacy tokens to Symantec VIP without users noticing any system changes or imposing new procedures for authentication.
To implement Option A, your team will need to configure the legacy authentication server to enable RADIUS support. That server becomes a
delegation server. Authentication requests without a Symantec VIP credential are routed to the delegation server for validation. With this
scenario, your enterprise will not have to deploy an additional VPN profile or entry point – nor will users have to learn any new procedures for
access. However, this deployment option does require you to have RADIUS enabled on your legacy on-premise authentication server; if you
don't wish to undertake modifications to your server's configuration, see Option B below for an alternative deployment option.
Option B: Minor change to user experience; less administration
[Figure: Option B, extra VPN profile added to the enterprise VPN gateway: a single RADIUS-enabled VPN server, the legacy authentication server unchanged, and a second VPN profile added to the existing enterprise VPN gateway]
Option B does not require RADIUS support for the legacy on-premise authentication server. However, your organization will need to configure
an additional VPN profile for the VPN gateway for use with Symantec VIP credentials. End users with legacy credentials will continue using
the existing VPN profile until they transition to Symantec VIP credentials. When the migration is completed, you will decommission the
original VPN profile.
With this option, users with new Symantec VIP credentials will need to be told or trained to use the new profile. Depending on the circumstances, some
individuals might experience initial disruption in gaining secure remote access. The advantage of Option B is your team will not need to
reconfigure the legacy authentication server to enable RADIUS. Some organizations may thus view Option B as beneficial, for it enables the
technical team to focus on implementing the new authentication solution instead of devoting additional effort to maintaining the old
technology.
Symantec is more cost effective
Total cost of ownership (TCO) for two-factor authentication must account for all the costs associated with planning, procuring, deploying, and
owning the solution. Symantec has created a TCO study comparing the Symantec VIP Service with an RSA SecurID on-premise
authentication solution for a deployment of 5,000 one-time password credentials deployed to secure remote access to corporate resources
over a 3 year period.[3]
3. Symantec, “Two-Factor Authentication: A Total Cost of Ownership Viewpoint” (2015).
TCO study calculations and assumptions
The model below assumes that an organization deploys 5,000 credentials to its users (1,250 hardware and 3,750 software), 25% of whom
are remote and require shipping. Of the hardware tokens deployed, 10% will require replacement annually. List prices are used
for software license fees, infrastructure, and hardware and software token costs, and current rates for staffing. It assumes the same unit cost for
shipping to remote users for both Symantec and RSA hardware tokens, regardless of whether it is
the initial purchase, replacement, or renewal. It also assumes that the unit cost at the time of
initial purchase for hardware and software tokens is the same as at the time of replacement
(and renewal for RSA).
Symantec assumptions
• Enterprise deploys Symantec™ VIP Access for Mobile for 75% of end users, absolving it of the need to staff up for credential
distribution for those users. Mobile credentials are the most popular option.
• Two servers per site (for redundancy and failover) and one disaster-recovery server co-located (VIP Enterprise Gateway is lightweight
and stateless, requiring a less costly server)
• One full-time-equivalent (FTE) project manager, but administrator costs lower by 30%
• 10% of issued tokens are lost or broken annually
RSA assumptions
• Enterprise deploys mobile phone software tokens for 75% of end users (seed file management still required)
• Two servers per site (for redundancy and failover) and one disaster-recovery server co-located (more costly servers required to
guarantee performance of proprietary database engine)
• One full-time-equivalent (FTE) project manager and one full-time administrator
• 10% of issued tokens are lost or broken annually
• Hardware and software tokens are renewed once during the 3 year period
• 20% of software license fees as recurring software maintenance fee
Conclusions of the TCO study
Symantec VIP delivers a TCO 33 percent lower than the RSA SecurID on-premise approach. The key number for migration is up-front
first year costs for licensing, hardware tokens, infrastructure, deployment, and management. Based on the above scenario, Symantec
VIP one-time costs are about 8 percent of the legacy on-premise approach. Organizations should expect to experience similar savings when
migrating from other on-premise solutions.
Migrating to Symantec provides greater value
• Strong two-factor authentication from the global leader in security
• Significantly lower costs, especially for hardware tokens and staffing
• Free, easy-to-use software credentials and token-less option provide significant cost savings
• Single, integrated platform supports changing authentication requirements and layered security, using risk-based authentication,
for multiple devices depending on user and application types
• Flexible models enable you to create a customized solution for your business—OTP, token-less, or passwordless options
• Leverage existing technology investments (directory, database, single-sign-on servers, etc.)
• Fully scalable
• Open versus proprietary—more credential choices and no vendor lock-in
• Continuous innovation in devices, both in cost and functionality (secure storage, endpoint security, etc.)
• Out-of-the-box self-service portal allows end-user activation and management of tokens
• Cost-effective tokens—no token renewal fees and no shelf decay
Other Symantec solutions for protecting your data
Security
• Security Management
• Endpoint Security
• Messaging Security
• Web Security
Information Risk & Compliance
• IT Compliance
• Discovery & Retention Management
• Data Loss Prevention
Infrastructure Operations
• Endpoint Management
• IT Service Management
• Endpoint Virtualization
Business Continuity
• Disaster Recovery
• High Availability
• Virtualization Management
• Green IT
http://www.symantec.com/business/products/categories.jsp
Next steps
Symantec VIP provides your organization with three compelling reasons for making the switch
from your legacy on-premise authentication solution. Symantec VIP not only protects your
sensitive data, it's also far easier to deploy and manage than legacy solutions, thus reducing the
burden on your security staff and users. Finally, Symantec VIP is more cost effective. With these,
your organization can migrate in confidence to Symantec two-factor authentication.
Free Trial
As a next step, we invite you to a free 60-day trial of Symantec VIP. During the trial, you will experience how easy two-factor authentication is
to deploy as a cloud-based service, and how convenient mobile credentials are for end users. Your trial includes:
• A free Symantec VIP account for 60 days
• Unlimited, free credentials for VIP Access for Mobile
• Deployment of the VIP Enterprise Gateway to provide simple integration between Symantec VIP and your VPN, or other RADIUS-enabled
application
• Shared authentication across multiple applications and websites such as eBay, PayPal, E*TRADE, and other VIP Network Members
Ask your Symantec sales representative for more information about the free trial or visit go.symantec.com/viptrial.