Protect Legacy Apps and IoT From Credential Abuse With RSA and Palo Alto Networks

Nov 29, 2017
4 minutes

Implementing multi-factor authentication across an entire organization can be an odyssey. During this odyssey, legacy apps and IoT are like mythological sea monsters because they often steer authentication projects off course or even sink them altogether.

Legacy apps and IoT disrupt authentication projects because they rarely support standards-based authentication protocols. Therefore, if organizations want to protect legacy apps and IoT devices from credential-based attacks, they either need to update these resources or block access to them altogether.

Updating legacy apps to support multi-factor authentication can be a costly and time-consuming process. App developers must learn the application’s architecture to ensure that their new authentication methods will not break the application’s functionality. If organizations have dozens or even hundreds of legacy apps, updating all of them to support multi-factor authentication can be a Herculean task. Updating IoT devices is often impossible because organizations rarely develop them internally or have the ability to update IoT software. In some circumstances, organizations cannot even change the default passwords of IoT devices.

RSA and Palo Alto Networks Team Up to Protect Legacy Apps and IoT

RSA and Palo Alto Networks have collaborated to simplify the deployment and management of multi-factor authentication by enforcing it at the network level. Now, joint customers can protect legacy apps and IoT – as well as mainframe servers, networking equipment, custom apps, SCADA systems and much more – from credential abuse, without needing to manually update these resources.

Our next-generation firewall integrates with RSA SecurID Access to enforce multi-factor authentication before granting access to applications and systems. The next-generation firewall acts as an authentication gateway for web or thick-client applications, interfacing with RSA SecurID Access to validate credentials.

Because the next-generation firewall provides policy-based enforcement at the network level, organizations do not need to update their existing applications and systems to support multi-factor authentication.

By provisioning multi-factor authentication with RSA and Palo Alto Networks, organizations can prevent credential abuse, such as an attacker using stolen credentials to access sensitive resources. Even if the attacker manages to compromise an endpoint, multi-factor authentication can confine the attacker to the compromised endpoint. If the attacker attempts to move laterally with stolen credentials, multiple login failures can alert security staff to the intrusion and ensure the attacker is booted out of the network.

Extending Protection to Isolated Networks

Organizations often segment sensitive networks from the internet to address security and compliance requirements. However, if these organizations use a cloud-based identity management service, they cannot easily deploy multi-factor authentication to isolated networks because applications in the isolated networks cannot connect to the identity management service to verify credentials.

If organizations use a Palo Alto Networks next-generation firewall to segment isolated networks from separate, internet-connected networks, then they can extend RSA SecurID Access modern multi-factor authentication methods to isolated networks using the joint offering.

If users attempt to access protected applications in the isolated network, either from a “jump server” in the internet-connected network or from a host in the isolated network, the next-generation firewall can enforce multi-factor authentication before granting access. Since the next-generation firewall proxies all authentication requests, it can connect to the RSA SecurID Access authentication service to verify credentials before allowing users to access protected applications.*

Live Demonstration at Gartner IAM Summit 2017

RSA is demonstrating the Palo Alto Networks and RSA integration at Gartner Identity and Access Management (IAM) Summit 2017 in Las Vegas, Nevada, this week. Visit RSA booth 501 to check out the integration in action.

To learn more about the partnership, read the RSA and Palo Alto Networks Partner Brief or view the announcement “RSA Expands Its Technology Ecosystem to Transform Authentication.”


* Note that the firewall must be deployed in-line between users and protected applications to prevent users from circumventing access controls.

Subscribe to the Newsletter!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.