This document describes how you can use the services of One Identity Starling 2FA to authenticate the sessions of your privileged users with One Identity Safeguard for Privileged Sessions (Safeguard for Privileged Sessions).
One Identity Safeguard for Privileged Sessions (Safeguard for Privileged Sessions) controls privileged access to remote IT systems, records activities in searchable, movie-like audit trails, and prevents malicious actions. Safeguard for Privileged Sessions is a quickly deployable enterprise device, completely independent from clients and servers — integrating seamlessly into existing networks. It captures the activity data necessary for user profiling and enables full user session drill down for forensic investigations.
Safeguard for Privileged Sessions acts as a central authentication gateway, enforcing strong authentication before users access sensitive IT assets. Safeguard for Privileged Sessions can integrate with remote user directories to resolve the group memberships of users who access nonpublic information. Credentials for accessing information systems can be retrieved transparently from Safeguard for Privileged Sessions's local credential store or a third-party password management system. This method protects the confidentiality of passwords as users can never access them. When used together with Starling (or another multi-factor authentication provider), Safeguard for Privileged Sessions directs all connections to the authentication tool, and upon successful authentication, it permits the user to access the information system.
Safeguard for Privileged Sessions can interact with your Starling account and can automatically request strong multi-factor authentication for your privileged users who are accessing the servers and services protected by PSM. When used together with One Identity Starling 2FA, Safeguard for Privileged Sessions prompts the user for a second factor authentication, and upon successful authentication, it permits the user to access the information system.
The integration adds an additional security layer to the gateway authentication performed on Safeguard for Privileged Sessions. If the Starling 2FA App is installed on the user's device (smartphone, tablet, and so on), the user can generate a one-time password on the device. This will be used for the authentication to the One Identity platform. This way, the device turns into a two-factor authentication token for the user. The one-time password is changed after a few seconds.
ISO 27001, ISO 27018, SOC 2, and other regulations and industry standards include authentication-related requirements, for example, multi-factor authentication (MFA) for accessing production systems, and the logging of all administrative sessions. In addition to other requirements, using Safeguard for Privileged Sessions and Starling helps you comply with the following requirements:
PCI DSS 8.3: Secure all individual non-console administrative access and all remote access to the cardholder data environment (CDE) using multi-factor authentication.
PART 500.12 Multi-Factor Authentication: Covered entities are required to apply multi-factor authentication for:
Each individual accessing the covered entity’s internal systems.
Authorized access to database servers that allow access to nonpublic information.
Third parties accessing nonpublic information.
NIST 800-53 IA-2, Identification and Authentication, network access to privileged accounts: The information system implements multi-factor authentication for network access to privileged accounts.
Figure 1: How Safeguard for Privileged Sessions and Starling 2FA work together
A user attempts to log in to a protected server.
Safeguard for Privileged Sessions receives the connection request and authenticates the user. Safeguard for Privileged Sessions can authenticate the user to a number of external user directories, for example, LDAP, Microsoft Active Directory, or RADIUS. This authentication is the first factor.
If gateway authentication is successful, Safeguard for Privileged Sessions connects the Starling service to check which authentication methods are available for the user. Then Safeguard for Privileged Sessions requests the second authentication factor from the user.
For OTP-like authentication methods, Safeguard for Privileged Sessions requests the one-time password (OTP) from the user, and sends it to the Starling service for verification.
For the Starling push notification method, Safeguard for Privileged Sessions asks the Starling service to check if the user successfully authenticated on the Starling service.
If multi-factor authentication is successful, the user can start working, while Safeguard for Privileged Sessions records the user's activities. (Optionally, Safeguard for Privileged Sessions can retrieve credentials from a local or external credential store or password vault, and perform authentication on the server with credentials that are not known to the user.)
In order to successfully connect Safeguard for Privileged Sessions with Starling, you need the following components.
A valid Starling subscription that permits multi-factor authentication.
Your users must be enrolled in Starling and their access must be activated. To create a new user account, log on to Starling, navigate to the Users tab and click Add.
The users must install the Starling mobile app.
To configure Starling 2FA Authentication in your product, you have to provide the Subscription Key that is available on the Starling 2FA Dashboard. To do this, log on to your Starling account. Navigate to Dashboardand click Subscription Key.
A One Identity Safeguard for Privileged Sessions appliance (virtual or physical), at least version 5 F1.
A copy of the Safeguard for Privileged Sessions Starling plugin. This plugin is an Authentication and Authorization (AA) plugin customized to work with the Starling multi-factor authentication service.
Safeguard for Privileged Sessions must be able to access the Internet (at least the API services). Since Starling is a cloud-based service provider, Safeguard for Privileged Sessions must be able to access its web services to authorize the user.
The connection also requires the API Key.
Depending on the method you use to authenticate your users, your users might need Internet access on their cellphones.
Safeguard for Privileged Sessions supports Authentication and Authorization plugins in the RDP, SSH, and Telnet protocols.
In RDP, using an AA plugin together with Network Level Authentication in a Connection Policy has the same limitations as using Network Level Authentication without domain membership. For details, see "Network Level Authentication without domain membership" in the Administration Guide.
In RDP, using an AA plugin requires TLS-encrypted RDP connections. For details, see "Enabling TLS-encryption for RDP connections" in the Administration Guide.
The Safeguard for Privileged Sessions Starling plugin is available as-is, free of charge to every Safeguard for Privileged Sessions customer from the Plugin Page. In case you need any customizations or additional features, contact firstname.lastname@example.org.
You can use the plugin on Safeguard for Privileged Sessions 5 F5 and later. If you need to use the plugin on Safeguard for Privileged Sessions 5 LTS, contact email@example.com.
To find out more about Safeguard for Privileged Sessions, visit the One Identity page.
For a detailed tutorial about how to connect your Starling account with Safeguard for Privileged Sessions, see Starling Multi-Factor Authentication - Tutorial.