A Symantec Advisory Guide

Migrating to Symantec™ Validation and ID Protection Service

SOLUTION BRIEF: MIGRATING TO SYMANTEC™ VIP

Who should read this paper

IT, security managers, and executives who use legacy on-premise two-factor authentication solutions and are considering a switch to another provider’s solution for two-factor authentication should read this document. This solution brief offers advice about gauging the security of a new solution, understanding the ease of deployment and management, choosing the right strategy for migration, and measuring the total cost effectiveness of a new solution.


Content

Introduction
Symantec authentication is secure
  Designed and operated for strong security
  Safer as token seed records are kept private
Symantec is easier to deploy and manage
  Faster setup
  Easier to deploy credentials
  Lowers administrative burden
Symantec is more cost effective
Next steps
  Free Trial


Introduction

Your organization can’t afford to gamble with the security of its sensitive data. A major responsibility for your organization is to guarantee protection of confidential business and customer data, whether stored or transmitted within your enterprise, or used in collaboration with remote workers, customers, suppliers, business partners, and any other authorized destination of the extended enterprise.

As enterprise environments continue to evolve, IT organizations will need the ability to deliver strong authentication across an increasingly diverse array of use cases and user populations. Unfortunately, organizations’ legacy on-premise authentication solutions fail to provide either the flexibility or the cost-effectiveness to deliver this protection. For those organizations, Symantec™ Validation and ID Protection Service (VIP) offers a broad and flexible strong authentication solution to address their authentication needs, both now and in the future.

This Symantec advisory guide is for IT managers, security managers, and executives who are considering replacing a legacy on-premise two-factor authentication solution. It provides you with three reasons why your organization can migrate with confidence to Symantec VIP. Foremost, Symantec is a global leader in security and its strong authentication service will protect your sensitive data from unauthorized access. Symantec’s cloud-based solution is far easier to deploy and manage, which eliminates a big burden on your security staff and users. Finally, Symantec is more cost effective. Based on a three-year total cost of ownership study between Symantec VIP and RSA SecurID® with 5,000 credentials, Symantec costs 33 percent less than the RSA on-premise solution, and Symantec’s one-time purchase and deployment costs are just 8 percent of those projected for the RSA solution[1]. Similar savings are realized when migrating from other on-premise solutions. Details and related migration issues are covered below.

Symantec authentication is secure

Symantec is a leading provider of strong authentication

• Symantec is one of the top 5 vendors of strong authentication in the world[2], with over 400,000 clients worldwide
• Over 18 million Symantec VIP credentials under management
• Over 30 million validations per month
• Leveraged by over 1,200 enterprises

Symantec is a global leader in providing security, storage, and systems management solutions to help consumers and organizations secure and manage their information-driven world. Symantec VIP is a cloud-based strong authentication service that enables enterprises to secure online access and transactions, help achieve compliance, and reduce fraud risk. It combines two of the three authentication factors: something a user knows (such as a user name and password), something a user is (such as a fingerprint), or something he or she possesses (such as a unique six-digit security code that changes every 30 seconds and is generated by a card, token, or mobile phone). Alternatively, it can authenticate users through token-less risk-based authentication.

[Figure: Symantec VIP]

1- Symantec, “Two-Factor Authentication: A Total Cost of Ownership Viewpoint” white paper, July 2015.
2- IDC, Worldwide Identity and Access Management 2013 Vendor Shares, August 2014.

Designed and operated for strong security

• Track record – For 18 years, Symantec has protected critical Internet infrastructure from attack, including DNS root servers and security root keys.
• Key generation and storage – Symantec VIP keys are generated with a hardware security module, and are encrypted in an Oracle® database with AES.
• Physical security – Symantec VIP cloud operations are housed in a Tier 4 data center facility, physically and logically separated from Symantec's corporate network; dual-control personnel are required to access sensitive key management and signing functions. Trusted employee background checks are required for secure access.
• Certifications and compliance – PCI DSS (Payment Card Industry Data Security Standard), SSAE 16/SOC 2, WebTrust™ for Certificate Authority, and federal government PKI.
• Service management – Strict change control processes are used for all IT services. Incident management processes and procedures are applied, including regular "fire drill" exercises.
• Systems and security monitoring – Symantec has a dedicated 24 hours a day, seven days a week network operations center; external global monitoring of critical services; daily vulnerability scans; host-based and network-based intrusion detection systems for monitoring systems, applications, and network; and SSL and S/MIME for encrypted communications.

Safer as token seed records are kept private

The security of two-factor authentication depends on a shared secret, called a seed, that is embedded in each token and deployed to a server responsible for providing applications with validation services. This seed controls the generation of each one-time password (OTP), and any exposure of this shared secret to a third party would allow that third party to masquerade as an authorized user.

Implementations of legacy on-premise two-factor authentication solutions require communication of token seeds to the administrator: at deployment, an administrator must manually download and associate each token's seed record within the on-premise validation server. Exposure of this shared secret to the administrator creates an additional risk. Symantec VIP handles these steps automatically, so the token seed is not made available to the administrator and doesn't exist outside of either the token or the Symantec VIP infrastructure. These are significant reasons why Symantec VIP is more secure than legacy on-premise approaches to delivering two-factor authentication.

Symantec is easier to deploy and manage

The two key concerns most customers have when migrating from a legacy authentication solution are minimizing capital expenditure and minimizing disruption to end-user productivity. This section focuses on the latter. Symantec has developed two technical migration strategies that may be adapted to your organization’s architecture and security requirements. Typically, migration will occur over a period of time as legacy tokens expire, or in waves of users by geographic location or business function. Other situations will require a rapid migration for the entire enterprise. In most cases, migration from a legacy solution to Symantec VIP may require a period during which both the legacy solution and Symantec VIP operate in parallel.

Spectrum of open credential options

The essence of cost and complexity in a two-factor authentication system hinges on token devices and software – both for their acquisition and deployment, and for subsequent management. Proprietary tokens associated with some legacy authentication solutions are, like so many sole-source products, more expensive to acquire. Spikes in demand (such as the current wholesale replacement of millions of tokens) may also trigger delays in the supply chain.

Symantec VIP offers several options for credentials, including a token-less risk-based authentication option, mobile credentials, and a variety of hardware tokens. Symantec VIP tokens are based on an open standard, following the Reference Architecture published by the Initiative for Open Authentication (OATH). By using open Symantec VIP tokens, your enterprise will receive these benefits:

• Reduced deployment costs by simplifying component integration, allowing validation to occur as a network utility
• Reduced deployment costs by enabling sharing or re-use of authentication devices with multiple websites or applications
• Avoiding vendor lock-in to credential devices
• Broader choice of suppliers of credentials for flexible, best-in-class solution deployment
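The seed argument in "Safer as token seed records are kept private" and the OATH reference architecture mentioned here both come down to one algorithm, so here it is worked through. This is an added example, not code from the Symantec guide or from the VIP service: a from-scratch implementation of OATH HOTP (RFC 4226) and TOTP (RFC 6238), the validation-server check that accepts a code within a small clock-drift window, and a function showing that whoever holds the seed computes exactly the code the genuine token would. SEED is the RFC test-vector secret, used as constructed sample input.

```python
import hashlib
import hmac
import struct
import time

# Added example, not code from the Symantec guide or the VIP service.
# OATH HOTP (RFC 4226) and TOTP (RFC 6238): the algorithms behind
# OATH-based OTP tokens. SEED is the RFC test-vector secret, used here as
# constructed sample input; a production seed is a random token-specific value.
SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, then the dynamic
    truncation of RFC 4226 section 5.3, reduced to `digits` decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP whose counter is the number of `step`-second periods elapsed."""
    return hotp(seed, unix_time // step, digits)


def verify_totp(seed: bytes, code: str, unix_time: int, step: int = 30, window: int = 1) -> bool:
    """Validation-server check: accept the code for the current period and
    `window` periods on either side (clock drift), comparing in constant time."""
    current = unix_time // step
    return any(hmac.compare_digest(hotp(seed, current + drift), code)
               for drift in range(-window, window + 1))


def attacker_with_seed_can_authenticate(leaked_seed: bytes, unix_time: int) -> bool:
    """Why the seed must stay private: a party holding it computes the same
    code the genuine token would, and the server has no way to tell them apart."""
    forged = totp(leaked_seed, unix_time)
    return verify_totp(leaked_seed, forged, unix_time)


if __name__ == "__main__":
    now = int(time.time())
    print("code the token shows now:", totp(SEED, now))
    print("code from a leaked seed accepted:", attacker_with_seed_can_authenticate(SEED, now))
```

Run it to print the current code for the sample seed. The point for migration planning: a seed record sitting in an administrator's download folder or an import file is the entire second factor, which is why the number of places a seed is handled matters as much as the token hardware itself.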

[Figure: Symantec VIP credential options]

How Symantec VIP deployment is easier

Faster setup

Symantec VIP uses either a registered smartphone or your existing enterprise directory for the user’s first factor (device or password). This capability simplifies end-user onboarding, training, and administrative overhead. Unlike legacy on-premise authentication approaches, Symantec VIP does not require a dedicated server to integrate with your enterprise applications. Instead, Symantec VIP uses a lightweight and completely stateless gateway that can run as an additional process on an existing server platform.

Easier to deploy credentials

Symantec VIP's integrated platform lets you deploy multiple tokens or select the authentication method depending on user and application requirements. Symantec VIP offers a variety of options, including a token-less risk-based option that uses device ID and behavior analytics to authenticate legitimate users without changing their logon experience. In addition, VIP offers a free, downloadable mobile credential that supports more than 900 mobile devices. This allows end users to use their mobile device to receive the second factor (one-time password), and eliminates the need to mail physical tokens to these users. For an even simpler option, VIP Access Push can be used on the mobile device to authenticate with one tap to verify the request, eliminating the 6-digit code. Finally, the ultimate in convenience uses biometrics to authenticate with just a fingerprint, eliminating not only the 6-digit code but also the password for online applications.

Lowers administrative burden

With Symantec VIP, the enterprise administrator no longer needs to import token seed records for each batch of tokens, or distribute software token seeds to end users. An out-of-box self-service portal allows end users to activate their tokens without requiring IT administrative assistance.

Two strategies for migration

To illustrate the migration process and deployment options, the following sections present how an organization would effect a seamless and simple migration from an existing RSA SecurID installation. However, this migration process could be applied to any legacy on-premise two-factor authentication solution.

The immediate outcome of migration is parallel two-factor authentication systems; these keep legacy tokens in operation until they’re retired while enabling Symantec VIP credentials to smoothly take their place. Two migration strategies will get you there in different ways. Option A preserves the same user experience, so nobody will notice a change for secure access, but it requires extra administrative work to achieve that user transparency. Option B requires the new Symantec VIP user to use a different virtual private network (VPN) profile, but eases the administrative burden of migration. The options are briefly explained below; for technical and administrative details, see our white paper, “Migrating to Symantec VIP: Technical Migration Strategy.”

Option A: No change to user experience; more administration

[Figure: Option A, RADIUS enabled in legacy authentication server. Single VPN server with RADIUS enabled; legacy authentication server with RADIUS enabled]

Option A uses the credential migration feature of the VIP Enterprise Gateway. Symantec VIP requires Remote Authentication Dial-In User Service (RADIUS) support to implement this feature. The migration feature allows the enterprise to gradually move users and their tokens from legacy tokens to Symantec VIP without users noticing any system changes or imposing new procedures for authentication.

To implement Option A, your team will need to configure the legacy authentication server to enable RADIUS support. That server becomes a delegation server. Authentication requests from users who do not yet have a Symantec VIP credential are routed to the delegation server for validation. With this scenario, your enterprise will not have to deploy an additional VPN profile or entry point – nor will users have to learn any new procedures for access. However, this deployment option does require you to have RADIUS enabled on your legacy on-premise authentication server; if you don't wish to undertake modifications to your server's configuration, see Option B below for an alternative deployment option.
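As an added illustration of the Option A routing, and not the VIP Enterprise Gateway's own code: a minimal RFC 2865 Access-Request encoder and parser, including the MD5-chained User-Password hiding, plus the gateway decision that validates users who already hold a VIP credential and forwards everyone else to the delegation server under that server's own shared secret. The shared secrets, user names and the VIP_ENROLLED lookup are constructed for the example; how the real gateway determines whether a user holds a VIP credential is not described in this guide.

```python
import hashlib
import os
import struct

# Added illustration, not the VIP Enterprise Gateway's code: RFC 2865
# Access-Request encoding/parsing plus the Option A routing decision.
# Secrets, user names and the VIP_ENROLLED lookup are constructed here.

ACCESS_REQUEST = 1       # RADIUS Code for Access-Request
ATTR_USER_NAME = 1       # attribute types from RFC 2865 section 5
ATTR_USER_PASSWORD = 2
HEADER_LEN = 20          # code, identifier, length, 16-byte authenticator

# Constructed: users who already hold a Symantec VIP credential.
VIP_ENROLLED = {"alice"}
LEGACY_SERVER = "legacy-delegation-server"


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad with NULs to a multiple of 16 bytes, then
    c_i = p_i XOR MD5(secret + c_{i-1}), with c_0 = Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_user_password; the receiver strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(identifier: int, username: str, password: str, secret: bytes) -> bytes:
    """Header (code, identifier, length, authenticator) followed by
    type/length/value attributes for User-Name and User-Password."""
    authenticator = os.urandom(16)
    values = [(ATTR_USER_NAME, username.encode()),
              (ATTR_USER_PASSWORD, hide_user_password(password.encode(), secret, authenticator))]
    attrs = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in values)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    return header + authenticator + attrs


def parse_access_request(packet: bytes, secret: bytes) -> dict:
    """Validate framing, walk the attribute list, recover the password."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    authenticator = packet[4:HEADER_LEN]
    attrs, pos = {}, HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:   # length 0 or 1 would loop forever
            raise ValueError("bad attribute length")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    if ATTR_USER_NAME not in attrs or ATTR_USER_PASSWORD not in attrs:
        raise ValueError("User-Name and User-Password are required here")
    return {
        "identifier": identifier,
        "username": attrs[ATTR_USER_NAME].decode(),
        "password": reveal_user_password(attrs[ATTR_USER_PASSWORD], secret, authenticator).decode(),
    }


def route_request(packet: bytes, gateway_secret: bytes) -> tuple:
    """Option A decision: a user who holds a VIP credential is validated by
    VIP; anyone not yet migrated is delegated to the legacy RADIUS server."""
    req = parse_access_request(packet, gateway_secret)
    target = "vip" if req["username"] in VIP_ENROLLED else LEGACY_SERVER
    return req["username"], target


def forward_to_delegation(req: dict, delegation_secret: bytes) -> bytes:
    """Each RADIUS hop has its own shared secret and Request Authenticator,
    so the gateway re-encodes the request rather than relaying the bytes."""
    return build_access_request(req["identifier"], req["username"], req["password"], delegation_secret)


if __name__ == "__main__":
    gw_secret, legacy_secret = b"vpn-to-gateway-secret", b"gateway-to-legacy-secret"
    for user in ("alice", "bob"):
        pkt = build_access_request(1, user, "correct horse battery", gw_secret)
        name, target = route_request(pkt, gw_secret)
        print(f"{name}: validate via {target}")
        if target == LEGACY_SERVER:
            fwd = forward_to_delegation(parse_access_request(pkt, gw_secret), legacy_secret)
            print("  forwarded password intact:", parse_access_request(fwd, legacy_secret)["password"])
```

Two practitioner checks fall out of this. Each RADIUS hop (VPN gateway to VIP Enterprise Gateway, gateway to delegation server) has its own shared secret, so the forwarded request has to be re-encoded rather than relayed byte for byte, and both secrets need to be configured before the delegation path is tested. And the User-Password hiding is a chain of MD5 outputs keyed by the shared secret, not authenticated encryption, so the link to the delegation server still belongs on a trusted network segment.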

Option B: Minor change to user experience; less administration

[Figure: Option B. Single VPN server with RADIUS enabled; legacy authentication server with no change; second VPN profile added to existing enterprise VPN gateway]

Option B does not require RADIUS support for the legacy on-premise authentication server. However, your organization will need to configure an additional VPN profile on the VPN gateway for use with Symantec VIP credentials. End users with legacy credentials will continue using the existing VPN profile until they transition to Symantec VIP credentials. When the migration is completed, you will decommission the original VPN profile.

With this option, users with new Symantec VIP credentials will need to be told or trained to use the new profile. Depending on the circumstances, some individuals might experience initial disruption in gaining secure remote access. The advantage of Option B is that your team will not need to reconfigure the legacy authentication server to enable RADIUS. Some organizations may thus view Option B as beneficial, for it enables the technical team to focus on implementing the new authentication solution instead of devoting additional effort to maintaining the old technology.

[Figure: Option B, extra VPN profile added to enterprise VPN gateway]

Symantec is more cost effective

Total cost of ownership (TCO) for two-factor authentication must account for all the costs associated with planning, procuring, deploying, and owning the solution. Symantec has created a TCO study comparing the Symantec VIP Service with an RSA SecurID on-premise authentication solution for a deployment of 5,000 one-time password credentials deployed to secure remote access to corporate resources over a 3 year period[3].

3- Symantec, “Two-Factor Authentication: A Total Cost of Ownership Viewpoint” (2015).

TCO study calculations and assumptions

The model below assumes that an organization deploys 5,000 credentials to its users (1,250 hardware and 3,750 software), 25% of whom are remote and require shipping. Of the hardware tokens deployed, 10% will require replacement annually. List prices are used for software license fees, infrastructure, and hardware and software token costs, and current rates for staffing. It assumes the same unit cost for shipping to remote users for both Symantec and RSA hardware tokens, regardless of whether it is the initial purchase, replacement, or renewal. It also assumes that the unit cost at the time of initial purchase for hardware and software tokens is the same as at the time of replacement (and renewal for RSA).

Symantec assumptions

• Enterprise deploys Symantec™ VIP Access for Mobile for 75% of end users, absolving it of the need to staff up for credential distribution for those users. Mobile credentials are the most popular option.
• Two servers per site (for redundancy and failover) and one disaster-recovery server co-located (VIP Enterprise Gateway is lightweight and stateless, requiring a less costly server)
• One full-time-equivalent (FTE) project manager, but administrator costs lower by 30%
• 10% of issued tokens are lost or broken annually

RSA assumptions

• Enterprise deploys mobile phone software tokens for 75% of end users (seed file management is still required)
• Two servers per site (for redundancy and failover) and one disaster-recovery server co-located (more costly servers required to guarantee performance of proprietary database engine)
• One full-time-equivalent (FTE) project manager and one full-time administrator
• 10% of issued tokens are lost or broken annually
• Hardware and software tokens are renewed once during the 3 year period
• 20% of software license fees as recurring software maintenance fee

Conclusions of the TCO study

Symantec VIP delivers a TCO 33 percent lower than the RSA SecurID on-premise approach. The key number for migration is up-front first year costs for licensing, hardware tokens, infrastructure, deployment, and management. Based on the above scenario, Symantec VIP one-time costs are about 8 percent of the legacy on-premise approach. Organizations should expect to experience similar savings when migrating from other on-premise solutions.

Migrating to Symantec provides greater value

• Strong two-factor authentication from the global leader in security
• Significantly lower costs, especially for hardware tokens and staffing
• Free, easy-to-use software credentials and token-less option provide significant cost savings
• Single, integrated platform supports changing authentication requirements and layered security, using risk-based authentication, for multiple devices depending on user and application types
• Flexible models enable you to create a customized solution for your business—OTP, token-less, or passwordless options
• Leverage existing technology investments (directory, database, single-sign-on servers, etc.)
• Fully scalable
• Open versus proprietary—more credential choices and no vendor lock-in
• Continuous innovation in devices, both in cost and functionality (secure storage, endpoint security, etc.)
• Out-of-the-box self-service portal allows end-user activation and management of tokens
• Cost-effective tokens—no token renewal fees and no shelf decay

Other Symantec solutions for protecting your data

Security
• Security Management
• Endpoint Security
• Messaging Security
• Web Security

Information Risk & Compliance
• IT Compliance
• Discovery & Retention Management
• Data Loss Prevention

Infrastructure Operations
• Endpoint Management
• IT Service Management
• Endpoint Virtualization

Business Continuity
• Disaster Recovery
• High Availability
• Virtualization Management
• Green IT

http://www.symantec.com/business/products/categories.jsp

Next steps

Symantec VIP provides your organization with three compelling reasons for making the switch from your legacy on-premise authentication solution. Symantec VIP not only protects your sensitive data, it's also far easier to deploy and manage than legacy solutions, thus reducing the burden on your security staff and users. Finally, Symantec VIP is more cost effective. With these, your organization can migrate in confidence to Symantec two-factor authentication.

Free Trial

As a next step, we invite you to a free 60-day trial of Symantec VIP. During the trial, you will experience how easy two-factor authentication is to deploy as a cloud-based service, and how convenient mobile credentials are for end users. Your trial includes:

• A free Symantec VIP account for 60 days
• Unlimited, free credentials for VIP Access for Mobile
• Deployment of the VIP Enterprise Gateway to provide simple integration between Symantec VIP and your VPN, or other RADIUS-enabled application
• Shared authentication across multiple applications and websites such as eBay, PayPal, E*TRADE, and other VIP Network Members

Ask your Symantec sales representative for more information about the free trial or visit go.symantec.com/viptrial.

About Symantec

Symantec Corporation (NASDAQ: SYMC) is an information protection expert that helps people, businesses and governments seeking the freedom to unlock the opportunities technology brings – anytime, anywhere. Founded in April 1982, Symantec, a Fortune 500 company, operating one of the largest global data-intelligence networks, has provided leading security, backup and availability solutions for where vital information is stored, accessed and shared. The company's more than 19,000 employees reside in more than 50 countries. Ninety-nine percent of Fortune 500 companies are Symantec customers. In fiscal 2015, it recorded revenues of $6.5 billion. To learn more go to www.symantec.com or connect with Symantec at: go.symantec.com/socialmedia.

For specific country offices and contact numbers, please visit our website.

Symantec World Headquarters
350 Ellis St.
Mountain View, CA 94043 USA
+1 (650) 527 8000
1 (800) 721 3934
www.symantec.com

Copyright © 2015 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. 7/2015 21202588-3