15 years after Presidential Savings Bank opened their online bank for customers and we are still being forced to use single factor authentication schemes that just don’t protect us.  Recently you might have read about the £675000 depleted from unsuspecting customers bank accounts as a result of Malware on their systems, what’s important to note is that a large percentage of these computers were fully patched with up to date Anti-Virus.

So, how can the SecureAuth® Identity Enforcement Platform squash these types of exploits?  Bilateral authentication, why just authenticate the Portal you’re logging into, that’s only half of the equation when dealing with online banking and online stock accounts.  SecureAuth® can enroll, register and validate remote computers, it is the only tokenless, non-phishable authentication solution for web authentication that strongly authenticates the end-user and the web server, in an easily deployable manner.

If you’d like to learn more about SecureAuth and how we can make your life easier please reach out, we’d love to speak with you.

I am now involved in a lot of dialogue where enterprises are being asked to implement 2-Factor authentication for existing applications.   Given that many of these systems have been around for years, let alone decades – with legacy infrastructures like Siebel, SAP, PeopleSoft, Oracle, etc – the idea of just retrofitting a 2-Factor authentication system into these architectures, is downright daunting.

Let me introduce SecureAuth for F5 Big-IP authentication, to solve this dilemma.

Take you typical IT infrastructure, oversimplified, of course.  (See image #1)

SecureAuth Solves Integration 2-Factor Authentication – at “The Edge”

Image #1: Typical IT infrastructure, serving up web and file servers to external users.

Now if we want to integrated multi-factor authentication, we usually insert the authentication in either (1) of (2) places:

1. The VPN
2. The Web Server directly.

The VPN has the advantage of being a single point of contact for the external users and can provide SSO and authorization capabilities to both web and non-web content.   Thus SecureAuth sells a lot of 2-Factor authentication at this domain.

But the disadvantage has been the cost of VPN licenses – which are usually conducted on a concurrent basis.   And thus, if an enterprise is looking at a B2B or B2C deployment of the content, then the cost has been prohibitive.

The current solutions for this  – is to conduct the 2-factor authentication directly at the web tier.   This has the advantage of not including additional licenses to conduct the 2^nd factor authentication.

This is great but then their has been 2-disadvantages here:

1)       Many security team members do not want authentication to occur at the web level

2)      Many legacy web applications are extremely difficult to integrate into, to provide a seamless 2-Factor experience.

Now being a web-guy, I can blog about these above (2) points for pages – but I will stand by my assertion that both of those are both prevalent viewpoints – with legitimate, real-world empirical evidence to back both statements.

So what is the answer?

How does an enterprise meet the ever growing 2-Factor authentication requirements on very important and very expensively developed web applications?

Look at  image #2 – for an enticing solution to the problem.

SecureAuth Solves Integration 2-Factor Authentication – at “The Edge”

Image #2: SecureAuth can integrate with the F5 Big-IP Traffic Manager, “at the Edge” and apply a security-compliant authentication

The SecureAuth solution, with its unique design of a built-in web server, is capable of being redirected from the F5 Big-IP traffic manger, if the user does not have a valid BigIP session ticket.   SecureAuth unique design allows SecureAuth to:

• Register the user w/ a 2-Factor Credential
• Validate the credential if necessary

SecureAuth uniquely is capable of conducting both the credential registration (X.509 v3 or other) and validating the 2^nd factor as well.   The 2^nd Factor can be:

• X.509 v3 Certificates
• SMS Text Messages
• Telephony Messages
• E-Mail OTP
• PIN OTP
• KBA
• Help Desk

It’s an amazingly flexible and easy to integrate solution.  And its solves the issues that enterprises are struggling with – 2-Factor authentication to their high value and high volume applications.

—
Archived Webinar:   SecureAuth and F5 – 2 Factor at the Edge

—

Garret Grajek, CTO of SecureAuth Corporation

SecureAuth unveiled its world-unique “Identity Enforcement Platform” at the Cloud Identity Summit in Keystone, Colorado yesterday.

First of all, hats off to Ping Identity for putting on a great forum for discussion.   And yes, it’s called the Cloud Identity Summit – but if you have any interest in:

• Federating Authentication
• Conducting host and|or SaaS SSO
• Provisioning Users
• Providing collaborative authorization
• Understanding the standards  and how they tie together (SAML, OAOTH, SPML, OpenID, WS-*)

This forum is worth it’s weight in gold.   The heavy hitters like Eric Sachs from Google and Vittorio Bertocci from Microsoft (Azure|WIF) were present.

Which is why the forum was such a perfect place for SecureAuth to dialogue its “Identity Enforcement Platform” – the only solution at the show that was able to:

• Pull the identity from the enterprise datastore (AD, LDAP, SQL, etc)
• Conduct either:
  • Secure Desktop SSO (Intranet)
  • Secure 2-Factor Authentication (Extranet)
• Pass the identity on to:
  • Hosted Web Apps (Microsoft, IBM, J2EE)
  • VPNs
  • SaaS applications  (SalesForce, Google Apps, Postini, etc)
• And provide:
  • SSO between resources
  • Policy based group authorization

SecureAuth – Identity Enforcement Platform

Figure #1: SecureAuth is an “Identity Enforcement Platform”, leveraging identities from the enterprise and enforce to 1) Internal Applications, 2) VPNs and 3) Cloud applications.

It really was fun.   Many people at the show knew SecureAuth as a multi-factor authentication solution – but where unaware of SecureAuth’s other capabilities.  (Which had existed since 2008, but was just a matter of messaging.)

Fun stuff.    And a great place to dialogue the solution.

SecureAuth’s, CTO,  Tom Stewart (photo #1, photo #2), presented to the entire audience at lunch – and, really knocked it out of the park.   Great preso (check out some of his fun images) and great reception to the message.  (Booth was deep for 2 hours after his great lunch overview)

Figure #2 – Tom Stewart details SecureAuth’s “Identity Enforcement Platform” to the              Cloud Identity Summit 2010 audience

All the best – and look forward to any direct conversations!

–
Garret Grajek, CTO of SecureAuth  Corporation

Was asked to do a webinar the other day on SecureAuth’s (the company and product) perspective on SaaS.

It was a good exercise.

It forced me to think why SecureAuth starting using SaaS, as part of the product since 2005.   That’s right, we at Secureauth not only believe in SaaS as something that SecureAuth can protect (Google, Salesforce, Azure, Postini) but has been an integral part of our product since 2005.

SecureAuth believe in SaaS, because:

• SaaS saves infrastructure support for:
  • Personnel
  • Network Infrastructure
  • Application Infrastructure

The SecureAuth model, is to enable secure SaaS deployments by connecting a SecureAuth authentication appiance on-premise and connecting to an enterprise’s native data store.   From there SecureAuth is able to utilize the native identities (for B2E, B2B and B2E) and enforce these identities for both on-premise web sites and SaaS applications.   (See Figure #1)

Figure #1 – SecureAuth is installed on-premise to conduct a secure 2-Factor SSO authentication to SaaS applications.

The SecureAuth architecture gives (4) distinct advantages to the SaaS utilizing enterprise:

1.   Utilizes On-Premise User Store

2.   Conducts On-Premise Authentication

3.   Enables Enterprise Integration (SSO)

4.   Facilitates Logging/Auditing

The benefits of these (4) aspects are as follows:

1.   On-Premise User Store:

• Single ID/Password
• No user credential syncing
• No user credential migraion

2.   On-Premise Authentication

• Enable enterprise to configure authentication per SaaS resource
• Can adjust to relevant guidelines  (FFIEC, HIPAA, NCUA, PCI DSS, etc)
• Not tied to SaaS vendor supported authentication solutions

3.  Enterprise Integration

• SSO into both SaaS and on-premise web applications
• Can also authenticate VPN solutions
• Desktop, internal SSO available as well

4.    Logging/Auditing

• SaaS authentication is audible with SecureAuth
• Tracks which users authenticated to which SaaS application and when
• Can be integrated to syslog, SIEM equipment

For these  (4) reasons, SecureAuth is the “right” way to do SaaS.  It enables an enterprise to securely deploy multiple SaaS based applications and integrate them into an enterprise infrastructure.

–
Garret Grajek, CTO of SecureAuth  Corporation

SecureAuth strong authentication platform enables SSO across SaaS, Web and VPN resources

—
Webinar:  SecureAuth – Cloud SSO in-a-snap, July 15th

—

Enterprises struggle with creating a common authentication experience across their disparate SaaS, Web and VPN resources.   This is mainly the fault of the authentication solutions – which up to now, where unable to abstract themselves from the application.    Most 2-factor authentication solutions require an enterprise to integrate cumbersome APIs.  (See figure #1, below)

Traditional Methods for Authentication Require Multiple Solutions

Figure #1 – Current Authentication Infrastructure, multiple data stores, multiple authentication types

SecureAuth is different.

SecureAuth is a stand-alone authentication appliance that integrates with both SaaS and web applications without APIs and extensive coding.   SecureAuth creates an SSO experience for end users by abstracting the authentication from the resource .   These resources can be a secure corporate network, a Microsoft, IBM, J2EE or a cloud applications such as Google Apps and Salesforce.com.    SecureAuth is a secure web application itself, secure sessions may be kept active for a specified time period, allowing  for strongly authenticated users to access multiple resources at once using a single secure session.

In addition, SecureAuth abstracts user data from an enterprise’ existing user datastore, multiple applications can be securely accessed with a single log-on, using common credentials.  SecureAuth is architected differently than typical authentication solutions. 

Specifically, SecureAuth is capable of passing more than a binary “go/no go” response to the protected resource.   User group data can be securely passed for authorization and provisioning purposes.

SecureAuth Solves Cross Resource (SaaS, Web, VPN) SSO Authentication

Figure #2 – SecureAuth allows a user (1) to obtain SSO to disparate resources.   These include VPNs (2), Microsoft ASP.NET applications (3), Oracle Applications (4), IBM WebSphere and other web applications (5), as well as SaaS applications including Google Apps (6)  and SalesForce.com(7)  and other SaaS applications (8).   All of these policies can be configured at the SecureAuth authentication appliance (9).   The user information can all be derived from a single user store  (AD,LDAP, SQL, etc) (10).

SecureAuth was designed to leverage a single, pre-existing datastore (AD, LDAP, SQL, etc)  of user information.  There is no synchronization of a proprietary database.  Instead, SecureAuth grants secure, 2 factor authentication based on data accessed real-time from the directory of record.  The enterprise administrator owns the user data and remains in full control of access to all resources.  End users have the ability to access any application which they have rights to from any client platform which is allowed under the enterprise’ security policy.
 
SecureAuth is configurable to allow for strong authentication into various types of applications.  By enabling multiple instances via a simple administrator’s interface, SecureAuth will pass several types of  authentication tokens, depending on the application.  Other solutions by contrast require applications to be modified to accept authentication or federation schemes.  SecureAuth uses standard authentication tokens to keep integration trivial by comparison.  

The end result:  access to any application, within the enterprise, or out in the cloud, is controlled by the enterprise and is protected by the strongest 2 factor authentication available.

–
Webinar:  SecureAuth – 2-Factor SSO Across Web and SaaS applications, July 15th
–
Garret Grajek, CTO of MultiFactor Corporation

SecureAuth has the unique ability to not only secure Google Apps, but also provide secure AD-based authentication into Postini Services. This provides the enterprise the advantage of:

• Secure Postini Access
• SSO from Google E-mail

Quick question:   How do you (or your users) access your spam filter?  I asked around the office and most just shrugged with that, “Nice question, Security boy – but I have a day job to attend to.”

Exactly – workers have day jobs and can be bothered with:

• Multiple log-ons
• Multiple URLs
• Multiple Authentication mechanism

SecureAuth provides the users the ability to:

• Use their AD credentials to log in  Postini
• Use the authentication from Google to log in to Postini
• Allow enterprises to use their portal page for the SSO links  (See figure #1)

Figure #1: SecureAuth enables enterprises to provide secure SSO between 1) Google E-mail and  2) Postini applications.

Once the user has executed a SecureAuth authentication to any resource, be it Google Apps, SalesForce, .NET, WebSphere or any other secureAuth resource, the user can then click an enteprise-hosted Postini link and obtained the Postini resource (See link #2)

Figure #2: Users, via SecureAuth are allowes secure SSO to Postini.

If that isn’t enough, SecureAuth allows the enterprise to create a whole set of different policies for the Positini admins.   Once again, the credentials are set off enterprise active directory.   SecureAuth allows the enterprise to configure the strength of authentication (for both users and admins) to include:

• X.509 v3 Certificates, SMS, Telephone, E-Mail, PIN, KBA and help desk

Once the admin is authenticated by SecureAuth the admin user is redirected to Postini with full admin access (see figure #3).

Figure #3 – SecureAuth can conduct a 2-Factor, SSO authentication for Postini admins based on the active directory (or other directory) based at the enterprise.

–
Webinar: Securing Google Apps with SecureAuth, June 10th
–
Garret Grajek, CTO of MultiFactor Corporation

Webinar: Securing Google Apps with SecureAuth,  June 10th

—

After some extensive travel that did me everywhere from Google’s office in London, an Identity conference in Munich and the finally the Google I|O Show in San Francisco – something became obviously clear to me:

Enterprises should federate their applications, not their identities.

At the identity conference there were the standard hand-wringing conversations about the “trust” around letting a 3rd party own the identities.  And then there was the conversations around how to take those identities and leverage them to the relevant resources, both internal and external. Of course, what trumped all ideas/theories – was how to meet regulatory acceptance – when, the fact is, you as the enterprise, don’t actually own the identity.

Well, I have a simple answer:    Don’t.

Seriously.

• Don’t federate your identities
• Don’t push your identities to someone else
• Don’t “trust” someone else to host your identities
• Don’t synch your identities to some one else

So what’s the solution, then?

Federate your applications, not your identities.

That simple.  To then enteprise, this means:

• Keep the identities under your control
• No Authentication credential synching
• Don’t break auditor compliance
• Retain identity/authentication/logging control

The solution to this dilema, is SecureAuth – the only federation solution that installs as 2-Factor authentication appliance and provides:

• Integration from your Directory
• Federates the identity to SaaS applications like Google Apps and SalesForce

To then enteprise, this means:

• No Password Synching
• Local Authentication
• Local Logging
• Federated SSO to SaaS applications like Google and SalesForce

And the identities?

You already have the identities!  It’s your Active Directory!  Or your LDAP, or your MS-SQL, or your Oracle database. Why would you migrate those users?   To do so is expensive, fraught with complexities and, also, breaks most regulatory guidances.

SecureAuth Enables Enterprises to Federate Applications

Figure #1: SecureAuth allows Enterprises to retain identities and federate their applications

Please contact us, and well begin to solve end-user problems together.

———
And join us for a MultiFactor/Cloud Sherpas: “Secure Google Apps- AD-to-Google SSO”, Webinar, on June 10th, 2pm EDT.

Garret Grajek, CTO of MultiFactor Corporation

Enterprises know that they should be looking at Google for their applications. (E-Mail, WebSites, Docs, etc).

But the issues has been:

• How to do this and not impact users?
• How to leverage existing user information/accounts?

The solution to this dilema, is SecureAuth – the only solution that installs as an appliance and provides:

• Integration from your Active Directory
• SSO into Google

To then enteprise, this means:

• Seamless User Migration
• No Password Synching
• No Account Synching
• No dual account management

and…

• SSO into hosted web applications and Google Apps
• 2-Factor Authentication to hosted and SaaS Apps
• 2-Factor Password Reset
• 2-Factor User Management
• 2-Factor Help Desk Management

The enterprise can actually enjoy a simple, user authentication, provisioning and recovation of users via the SecureAuth/Google Solution than they can with a home grown system.

But this is only part of the advanatage.   Unhappy users can kill even the best of IT projects. This is where the SecureAuth solution shines.

SecureAuth is the only solution, capable of providing this unique, 2-prong solution to Google connectivity.

• Internal Users:     Simple, “Desktop-to-Google” SSO

• External Users:    Secure, 2-Factor, authentication

It is this dual authentication abilty that is unique to the SecureAuth solution.  Only SecureAuth has the ability to construct a different authentication experience, based on the internet location of the user.   It it important to note – that this solution is not only attractive to users – but infinitely mores secure than contrasting username/password solutions. (See Figure #1 – SecureAuth, Secure SSO Authentication)

Figure #1 – SecureAuth provides both simple “Desktop-to-Google” SSO for internal users, and secure 2-Factor SSO Authentication for external users.

Please contact us, and well begin to solve end-user problems together.

———
And join us for a MultiFactor/Grove Group: “Secure SSO – Desktop-to-Web-to-Cloud”, Webinar, on April 22nd, 10am PDT.

Garret Grajek, CTO of MultiFactor Corporation

One important question:
Q:  Do end users really care where the application is being deployed?
A:   Hardly.

So why should the end user have a “New” experience just because IT decided to save some sheckles on moving the application to an off-site hosting site. They shouldn’t. They don’t . And they don’t have to.

This is the beauty of the SecureAuth breakthrough.

Desktop -> Web -> Cloud SSO

When we as IT people say “SSO” to and end-user, the end-user thinks they just need to log in “once” and never again. Too many cloud vendors play the “shell game” and say, “oh we mean SSO means you just use the same directory – but you still have to log in again”.

SecureAuth is able to provide true SSO: “Desktop->Web->Cloud” SSO.

Really?
Really.

The SecureAuth solution:

• Can obtain the user’s identity from the desktop login
• Check appropriate security policies
• Provide a SSO experience, directly into hosted applications
  • SharePoint / OWA
  • ASP.NET
  • WebSphere
  • Other Web Apps
• And…
• Provide SSO experience, directly into SaaS based applications:
  • Google Apps
    • Google Sites
    • Google Docs
    • Google E-mail
  • Salesforce CRM
    • Salesforce CRM
    • Force.com
  • Other federated sites
    • SAML 1.1, SAML 2.0, OpenID

Most importantly, leveraging the current data store and doing it in a way where there is:

• No credential synching
• No password synching

 Image #1 - Secureauth provides “Desktop -> Web -> Cloud” SSO.

Fun stuff.  Let’s talk and do what, well, we are supposed to do in IT:
Solve end users problems.

Please contact us, and well begin to solve end-user problems together.

———
And join us for a MultiFactor/Grove Group:  “Secure SSO – Desktop-to-Web-to-Cloud”, Webinar, on April 22nd, 10am PDT.

Garret Grajek, CTO of MultiFactor Corporation