One Identity Safeguard for Privileged Sessions 6.0 LTS - Starling Two-Factor Authentication- Tutorial

One Identity Safeguard for Privileged Sessions:

One Identity Safeguard for Privileged Sessions (SPS) controls privileged access to remote IT systems, records activities in searchable, movie-like audit trails, and prevents malicious actions. SPS is a quickly deployable enterprise device, completely independent from clients and servers — integrating seamlessly into existing networks. It captures the activity data necessary for user profiling and enables full user session drill down for forensic investigations.

SPS acts as a central authentication gateway, enforcing strong authentication before users access sensitive IT assets. SPS can integrate with remote user directories to resolve the group memberships of users who access nonpublic information. Credentials for accessing information systems can be retrieved transparently from SPS's local Credential Store or a third-party password management system. This method protects the confidentiality of passwords as users can never access them. When used together with Starling 2FA (or another Multi-Factor Authentication (MFA) provider), SPS directs all connections to the authentication tool, and upon successful authentication, it permits the user to access the information system.

Integrating Starling 2FA with SPS:

SPS can interact with your Starling 2FA account and can automatically request strong Multi-Factor Authentication for your privileged users who are accessing the servers and services protected by SPS. When used together with Starling 2FA, SPS prompts the user for a second factor authentication, and upon successful authentication, it permits the user to access the information system.

The integration adds an additional security layer to the gateway authentication performed on SPS. If the Starling 2FA App is installed on the user's device (smartphone, notebook, smartwatch, and so on), the user can generate a One-Time Password (OTP) using the device. This will be used for the authentication to the One Identity platform. The one-time password is changed after 60 seconds.

Meet compliance requirements

ISO 27001, ISO 27018, SOC 2, and other regulations and industry standards include authentication-related requirements, (for example, Multi-Factor Authentication (MFA) for accessing production systems, and the logging of all administrative sessions). In addition to other requirements, using SPS and Starling 2FA helps you comply with the following requirements:

• PCI DSS 8.3: Secure all individual non-console administrative access and all remote access to the cardholder data environment (CDE) using MFA.

• PART 500.12 Multi-Factor Authentication: Covered entities are required to apply MFA for:

  • Each individual accessing the covered entity’s internal systems.

  • Authorized access to database servers that allow access to nonpublic information.

  • Third parties accessing nonpublic information.

• NIST 800-53 IA-2, Identification and Authentication, network access to privileged accounts: The information system implements MFA for network access to privileged accounts.

In :

• A valid Starling 2FA subscription that permits multi-factor authentication.

• Your users must be enrolled in Starling 2FA and their access must be activated. To create a new user account, log on to Starling, navigate to the Users tab and click Add.

• The users must install the Starling 2FA Mobile app.

• To configure Starling 2FA Authentication in your product, you have to provide the Subscription Key that is available on the Starling 2FA Dashboard. To do this, log on to your Starling account. Navigate to Dashboardand click Subscription Key.

In SPS:

• A One Identity Safeguard for Privileged Sessions appliance (virtual or physical), at least version 5 F11.

• A copy of the SPS Starling 2FA Multi-Factor Authentication plugin. This plugin is an Authentication and Authorization (AA) plugin customized to work with the Starling 2FA multi-factor authentication service.

• SPS must be able to access the .

  The connection also requires the API Key.

• Depending on the method you use to authenticate your users, your users might need Internet access on their cellphones.

• SPS supports AA plugins in the RDP, SSH, and Telnet protocols.

• In RDP, using an AA plugin together with Network Level Authentication in a Connection Policy has the same limitations as using Network Level Authentication without domain membership. For details, see "Network Level Authentication without domain membership" in the Administration Guide.

• In RDP, using an AA plugin requires TLS-encrypted RDP connections. For details, see "Enabling TLS-encryption for RDP connections" in the Administration Guide.

Availability and support of the plugin

The SPS Starling 2FA Multi-Factor Authentication plugin is available for download as-is, free of charge to every SPS customer from the Starling Two-Factor Authentication plugin for Safeguard for Privileged Sessions page. In case you need any customizations or additional features, contact our Support Team.