An Elegant Approach
It is an elegant approach, which eliminates many of the integration
challenges found in other multifactor security solutions. VIP avoids most of
those challenges by using a Web API to integrate with the existing network
security infrastructure (LDAP, VPN, etc.).
Setup is straightforward. All I had to
do was visit the VIP Manager Website and set up credentials for each user who
was going to access the network using a token-based log-in. Tokens are
available in several forms, but software tokens that work with a
smartphone or other device may be the most desirable for the majority of
businesses. With a "soft token," an application is installed on the
smartphone or portable device, which generates a synchronized code that is used
in conjunction with a user name/password challenge.
Think of it this way: A user wants to
access an application on the corporate network using the VIP methodology. The
user will log on to an access portal, which will ask for the user name and
password, as well as a third piece of information, which is a security token,
referred to as a security code (or even a one-time password). That code is
randomly generated and is sent to the user's smartphone (or other device) and
is valid only for a few minutes. The user enters that code with his or her
traditional authentication elements (user name and password), and the
information is validated by the hosted service, which is integrated into the
corporate Remote Authentication Dial In User Service (RADIUS), Lightweight
Directory Access Protocol (LDAP) or VPN server. If everything checks out, the
user is granted access.
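
The code check in the log-in flow above, sketched as an added example (not Symantec's code and not from the original article). It assumes the "synchronized code" is an OATH TOTP-style value (RFC 6238, HMAC-SHA1, 30-second step), which the article does not state for VIP; `code_at`, `CodeValidator` and `password_ok` are hypothetical names, with `password_ok` standing in for the result of the existing LDAP/RADIUS password check.

```python
import hashlib
import hmac
import struct

STEP = 30      # seconds each code stays current (assumed value)
DIGITS = 6     # code length (assumed value)
SECRET = b"12345678901234567890"   # constructed: the RFC 6238 test secret


def code_at(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """Code the token shows for one time-step counter (RFC 4226 truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation offset
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class CodeValidator:
    """Validation side: per-user shared secret plus the last accepted step."""

    def __init__(self, secrets: dict, window: int = 1):
        self.secrets = secrets
        self.window = window         # steps of clock drift accepted either side
        self.last_step = {}          # user -> highest time step already accepted

    def verify(self, user: str, password_ok: bool, code: str, now: float) -> str:
        secret = self.secrets.get(user)
        if secret is None or not password_ok:
            return "denied"          # same answer for unknown user or bad password
        current = int(now) // STEP
        for step in range(current - self.window, current + self.window + 1):
            expected = code_at(secret, step).encode()
            if hmac.compare_digest(expected, code.encode()):
                if step <= self.last_step.get(user, -1):
                    return "replayed"    # this step or a later one was already used
                self.last_step[user] = step
                return "granted"
        return "denied"              # wrong code, or outside the validity window


if __name__ == "__main__":
    validator = CodeValidator({"alice": SECRET})
    t = 1111111109                   # constructed timestamp from the RFC test vectors
    shown = code_at(SECRET, t // STEP)
    print(shown, validator.verify("alice", True, shown, t))
    print(shown, validator.verify("alice", True, shown, t))
```

The second call with the same code is refused, which is what makes the value a one-time password rather than a short-lived shared secret.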
Although it sounds like there are a lot
of moving parts involved in the system, it is surprisingly easy to implement.
Symantec has provided straightforward configuration wizards, which make setup
a snap, and detailed online documentation and context-sensitive help further
make things easy. Symantec also provides automated tools that help users
install the token generator application on their smartphones, including support
for Apple's iPhone and iPad via Apple's App Store.
In other words, Symantec makes things
very easy for both administrators and end users, without compromising security.
I tested VIP with several devices, including a BlackBerry from Research In
Motion, an iPhone, an iPad and a notebook computer, and I experienced no difficulties.
I found the client software intuitive and the system easy to manage as a whole.
I encountered some challenges when I
integrated the service into my Microsoft Windows 2008R2 Server (64-bit), which
was using Active Directory as a primary security mechanism. Here, there was
some confusion on how to configure the various security components. However,
referring to the deployment guide smoothed out the path to a successful
integration.
When deploying VIP, it is important to
understand the network infrastructure that you already have in place and how
incorporating VIP's technology will impact the configuration. In most cases,
you will need to deploy a RADIUS server or modify your VPN settings, or make
changes to your directory (LDAP) services. However, the included deployment
guide offers multiple scenarios, tips and detailed instructions that make the
installation straightforward for a networking pro.
Perhaps the biggest challenge
associated with VIP is the plethora of choices available. VIP integrates with a
multitude of servers, directories and VPNs, while supporting a vast array of
endpoint devices, including Android devices, iPhones, tablets, dedicated key
fobs, secureID cards and traditional PCs.
From the end-user perspective, using
VIP is quite simple. The only additional chore the end user may have to perform
is the installation of the credential software, which is a simple application
that generates the temporary security code needed for authentication. That
application can be pushed down to the device, delivered via email or, in the
case of an Apple product, installed from the App Store. Optionally, the service
can be configured to deliver a security code via SMS to a cell phone.
Regardless of the authentication
service selected, end users will find VIP easy to use, which promises to
provide additional benefits, such as fewer calls to the help desk for password
help and a more secure posture for accessing critical information while working
remotely.
Conclusions
Symantec's VIP offers several advantages
to organizations looking to improve their security and meet compliance needs.
First, no major capital investment is needed to deploy VIP, simply because it
is a service that works with most of the technologies already in hand, such as
Windows Servers, smartphones, etc.
That goes hand in hand with how easy
the service is to deploy, at least compared with traditional hardware-based
multifactor authentication systems. For a simple network, deployment can
usually be accomplished in a few hours, further helping to reduce costs. What's
more, the system is easy to manage, administer and use, which further reduces
operational costs.
All things considered, Symantec VIP
proves to be the easiest way to bring multifactor authentication to most any
network or cloud service. The integration options are extensive, as is the
support for existing hardware, while logging and reporting round out the
offering, making it a good fit for those driven by compliance needs and
enhanced security.
What's more, the service enhances
mobility and brings security to sites that were once difficult to secure,
making it a good fit for those looking to use tablets or other devices from
satellite offices, without having to invest in on-premises-based security
hardware.









