Symantec VIP’s Strong Cloud Authentication: Review

Symantec’s VIP employs strong multifactor authentication ideologies to bring security to the cloud and beyond

Symantec, through its Validation and ID Protection Service (VIP), is looking to give access control back to administrators at a time when data breaches, hack attempts, stolen data and system attacks are seemingly becoming everyday events.

While the results and damages caused by breaches can vary, there is a common thread behind any type of data compromise – a security failure. Those security failures come in all shapes and sizes, though most start with a failure to adequately control access to a system.

With VIP, Symantec is giving administrators a tool that brings multifaceted authentication back to systems, regardless of whether they are accessed remotely, via the cloud or internally.

VIP is a new take on an old security practice, where a user is expected to have something they know (such as an account name and password combo), as well as something they possess (smartkey, token, keycard). That security ideology has been around for a while, dating back to physical security where someone needed a key to enter a building and then had to check in with a guard.

As a concept, multifactor authentication seems ideal. However, in practice, the process has been a challenge in the IT realm, basically because it is normally complex to administer, expensive to deploy and difficult for end users to adopt. Symantec is looking to cure those pain points with VIP, which brings simplicity and “airtight” security to multifactor authentication.

A closer look at VIP

Symantec on its Website offers the following description for VIP:

“Symantec Validation and ID Protection Service (VIP) delivers cloud-based strong authentication that combines something you know (e.g. a username and password) with something you have (a credential such as a card, token, or mobile phone). VIP helps to protect networks, applications, and data against unauthorised access as part of a comprehensive information protection programme.”

The company’s description hits on two critical points: multifactor authentication and protection from unauthorised access. Those two points tend to be the cornerstone of effective security in a cloud-connected network.

VIP offers a variety of installation scenarios, which are dictated by the current security posture of the network and applications, as well as what virtual private network (VPN) and connectivity technologies are in place. While the mechanics may differ, the overall concept remains the same – offer an access challenge that is not easily forged or subverted – and that is exactly where VIP comes into play.

VIP is broken down into four modules: VIP Access for Mobile, VIP Self-Service, VIP Manager, and the VIP Enterprise Gateway. Those modules are fully integrated and offer secure access for each of their respective security postures.

Getting started with VIP is rather straightforward, thanks to Symantec’s subscription-based model, where the primary authentication mechanism takes place in the cloud as a hosted service. In a nutshell, the way it works is that you sign up for Symantec’s cloud-based authentication service, which works as an intermediary security mechanism between the endpoint and the target system, while adding a security token as the third element of a multifactor security credential.

It is an elegant approach, which eliminates much of the integration challenges found in other multifactor security products. VIP avoids most of those integration challenges by using a Web API to integrate with the network security (such as LDAP and VPN) methodology.

Simple setup

Setup is straightforward. All I had to do was visit the VIP Manager Website and set up credentials for each user who was going to access the network using a token-based log-in. Tokens are available in several different fashions, but software tokens that work with a smartphone or other device may be the most desirable for the majority of businesses. With a “soft token,” an application is installed on the smartphone or portable device, which generates a synchronised code that is used in conjunction with a user name/password challenge.

Think of it this way: A user wants to access an application on the corporate network using the VIP methodology. The user will log on to an access portal, which will ask for the user name and password, as well as a third piece of information, which is a security token, referred to as a security code (or even a one-time password). That code is randomly generated and is sent to the user’s smartphone (or other device) and is valid only for a few minutes.

The user enters that code with his or her traditional authentication elements (user name and password), and the information is validated by the hosted service, which is integrated into the corporate Remote Authentication Dial In User Service (Radius), Lightweight Directory Access Protocol (LDAP) or VPN server. If everything checks out, the user is granted access.

Although it sounds like there are a lot of moving parts involved in the system, it is surprisingly easy to implement. Symantec has provided straightforward configuration wizards, which makes setup a snap, and detailed online documentation and context-sensitive help further make things easy. Symantec also provides automated tools that help users install the token generator application on their smartphones, including support for Apple’s iPhone and iPad via Apple’s App Store.

In other words, Symantec makes things very easy for both administrators and end users, without compromising security. I tested VIP with several devices, including a BlackBerry from Research In Motion, an iPhone, an iPad and a notebook computer, and I experienced no difficulties. I found the client software intuitive and the system easy to manage as a whole.

Guidance through confusion

I encountered some challenges when I integrated the service into my Microsoft Windows 2008R2 Server (64-bit), which was using Active Directory as a primary security mechanism. Here, there was some confusion on how to configure the various security components. However, referring to the deployment guide smoothed out the path to a successful integration.

When deploying VIP, it is important to understand the network infrastructure that you already have in place and how incorporating VIP’s technology will impact the configuration. In most cases, you will need to deploy a Radius server or modify your VPN settings, or make changes to your directory (LDAP) services. However, the included deployment guide offers multiple scenarios, tips and detailed instructions that make the installation straightforward for a networking pro.

Perhaps, the biggest challenge associated with VIP is the plethora of choices available. VIP integrates with a multitude of servers, directories and VPNs, while supporting a vast array of endpoint devices, including Android devices, iPhones, tablets, dedicated key fobs, secureID cards and traditional PCs.

From the end-user perspective, using VIP is quite simple. The only additional chore the end user may have to perform is the installation of the credential software, which is a simple application that generates the temporary security code needed for authentication. That application can be pushed down to the device, delivered via email or, in the case of an Apple product, installed from the App Store. Optionally, the service can be configured to deliver a security code via SMS to a cell phone.

Regardless of the authentication service selected, end users will find VIP easy to use, which promises to provide additional benefits, such as fewer calls to the help desk for password help and a more secure posture for accessing critical information while working remotely.

Conclusions

Symantec’s VIP offers several advantages to organisations looking to improve their security and meet compliance needs. First, no major capital investment is needed to deploy VIP, simply because it is a service that works with most of the technologies already in hand, such as Windows Servers, smartphones, etc.

That goes hand in hand with how easy the service is to deploy, at least compared with traditional hardware-based multifactor authentication systems. For a simple network, deployment can usually be accomplished in a few hours, further helping to reduce costs. What’s more, the system is easy to manage, administer and use, which further reduces operational costs.

All things considered, Symantec VIP proves to be the easiest way to bring multifactor authentication to most any network or cloud service. The integration options are extensive as is the support for existing hardware, while logging and reporting round out the offering, making it a good fit for those driven by compliance needs and enhanced security.

What’s more, the service enhances mobility and brings security to sites that were once difficult to secure, making it a good fit for those looking to use tablets or other devices from satellite offices, without having to invest in on-premises-based security hardware.