Chris

Ever wonder how large corporations secure access to Cloud and SaaS apps? While cloud applications will save you a lot of money, you won’t see many large organizations keen on storing Active Directory passwords in every cloud application they want to use.

So what’s the secret?  It’s something called federation.

Federation basically means you can use cloud services like Google Apps for business and edu, Salesforce.com, Egnyte, Box.com, AON Hewitt, Oracle Business Intelligence, Concur, Kenexa, Aetna, ADP and more while not storing your passwords in their service. This is no black magic (though it might seem like it at first); it is done with standards like SAML 1.1, SAML 2.0, WS-Federation, LTPA and more.

It’s simple, provided you have something called an Identity Provider (IdP). There are many types of IdP products out there, ranging from freebies like ADFS (effectively need 8+ ADFS servers and a couple of pairs of load balancers, hire a few consultants for 6 months to get it working) or Shibboleth (better know your vim) to the very expensive ones (Ping, Simplified, Onelogin).

Since you are probably looking for an IdP, you should start checking off the features.

  1. SAML (Cloud apps) (included)
  2. WS-Federation (SharePoint & OWA) (included)
  3. OpenID (included)
  4. OAuth (included)
  5. LTPA (included)
  6. FBA (included)
  7. External Password Reset (Go ahead and get a phone call with a one time code) (included)
  8. Mobile OTP (iOS & Android) (included)
  9. Heuristics based two-factor authentication (included)
  10. Certificate based two-factor authentication (included)
  11. CAC/PIV based two-factor authentication (included)
  12. Domain Single Sign On (included)
  13. Geographical ACLs (included)
  14. Radius (included)
  15. User Account Self-Service (included)
  16. Secure Portal (included)
  17. Deploys in 1/10th the time of ADFS (yes)
  18. Easy to administer (yes)
  19. Developed in the USA (yes)
  20. YOU can control everything about the product as it can be deployed inside of your infrastructure  (included)

The main difference that you’ll see with SecureAuth is we have made it easy for you to control access to your VPNs, SaaS apps, internal apps and mobile apps with SSO or two-factor authentication with one product. Our enterprise customers are tired of point solutions that only deal with a part of the problem.

Take a peek at how we integrate with native mobile apps (Customer video of how this works), Office 365 (video) or Google Apps (video).

Want to know more?  Contact us at sales@secureauth.com or follow this link http://www.secureauth.com/company/contact-us/ and scroll to the bottom where you can fill out  a contact form.


Categories: Blog

Author:

When I was employed at a major gaming company I was charged with finding a better multi-factor solution to replace our aging RSA instance. After thinking about this I put together a list of requirements to evaluate all of the vendors that seemed to smell blood in the water and began to circle my initiative.

Requirement 1

Multiple User Stores

The solution must integrate with multiple user stores easily.

It’s simple: we were replacing RSA because it was too complicated to maintain and extremely difficult to mix and match user stores. We had an Active Directory environment with multiple domains and multiple forests. This made the evaluation of any vendor very difficult. We required one solution to handle this with one management interface. One interface is the important fact. We did not want to get into a situation where we would have to maintain separate instances of the solution.

 

Requirement 2

Out of band delivery

The solution must handle out-of-band passcode delivery.

In March 2011 RSA was hacked. The hack happened because of the antiquated time-based algorithm that was employed. Since my company was close to a very large DoD contractor (which was exposed by this hack), it was important that our solution would defend against this type of hack. Since our intellectual property was our product, we needed to be faster than the hackers in deploying the solution.

Requirement 3

Simple flexible Licensing

Licensing must be simple, direct, and flexible.

The dream of most IT managers when evaluating a new solution is that the licensing model does not require a PhD to understand. I wanted to make sure that maintenance and support were included with the user licensing pricing. Purchasing the current solution required us to order in bulk numbers through a VAR to keep a discount. This bulk ordering meant that we were sometimes paying for tokens that were not used for months at a time.

Requirement 4

No Replication or Duplication

No replication, duplication, or externally facing user store.

Since Sony’s very public PlayStation Network hack, my company was very keen to not fall into the same trap. We wanted to ensure that our Active Directory was kept internal. The new solution would not require us to replicate, duplicate, or make the Active Directory exposed to the internet. The goal behind this was to reduce our additional points of audit, and utilize our existing policies and procedures within Active Directory.

Requirement 5

No Application installation

NO end user Application Installation!

The solution must be easy for the end users and require NO application installation. We did not want to limit our end users’ mobility and choice of device. The best solution would be one that can easily integrate with ANY device. Our end users require the freedom of choice, while our security team required strict regulatory compliance. A very difficult balance to find in a solution, but one that we required.

Why we went with SecureAuth

1. The solution must integrate with multiple user stores easily.

Answer: SecureAuth allowed us to connect all of our domains and forests within one instance of the solution. We could even add our customers’ and external developers’ user store, which was a SQL database.

2. The solution must be able to handle out-of-band passcode delivery.

Answer: SecureAuth allows the end user to choose from a list of administratively assigned 2-factor options. This meant we could enforce an out-of-band SMS and Voice OTP for more sensitive services, while still using email, KBA, and contacting the Help Desk for other services.

3. Licensing must be simple, direct, and flexible.

Answer: SecureAuth gave us a User Cost with a Yearly true-up, and an appliance cost. This covers the maintenance, support, and SMS/Voice charges. I was able to give my director these two numbers. We were then able to parse them with ease for our presentation to the CIO.

4. No replication, duplication, or externally facing user store.

Answer: SecureAuth stores all of the identity information within the user store. This meant that SecureAuth made our AD the sole source of identity for all of our users! No administration or help desk was required to ensure this happened. SecureAuth’s self-service portal allowed the end users to enter their information with ease.

5. NO end user Application Installation!

Answer: SecureAuth works with ANY device that has a modern web browser. It secures the identity and the device in multiple ways. Heuristics, certificate delivery, and encrypted tokens are just a few ways SecureAuth is able to work with ANY device securely. We could not afford to support every new operating system and ensure that our solution would have an application ready at the time our users began purchasing the new devices. SecureAuth allowed us to securely identify our end users’ devices no matter what they were.

In the end, I fell in love with the SecureAuth product. After 20+ years of working for IT Fortune 100 enterprises I resigned from the TPS reports.

Please contact us for more information!

Bradd Schick is a Sr. Sales Engineer of SecureAuth. SecureAuth is a single appliance solution that delivers configurable 2-Factor and SSO authentication for Mobile, Web, VPN and SaaS based solutions.


Author:

Chris

From Wikipedia

Heuristic (pron.:/hjʉˈrɪstɨk/; or /hyoo-ris-tik/; Greek: “Εὑρίσκω”, “find” or “discover”) refers to experience-based techniques for problem solving, learning, and discovery.

…heuristic is a technique designed for solving a problem more quickly when classic methods are too slow, or for finding an approximate solution when classic methods fail to find any exact solution…

Let’s talk about classic methods of strong authentication for a minute. Ever since my mother got her first ATM Card in remote Wasilla, AK I’ve been interested in strong authentication. We all knew the older guys who carried around SecurID tokens in the 90s, and our friends to the north are more than familiar with CRYPTOCards.

Remember when Biometrics were the rage? How long did we, as geeks, spend enrolling fingerprints into the computer only to tell the first person we did a demo for to ‘wait, let me try it one more time’?

SecureAuth ushered in a different take on strong authentication: we made it transparent to the end user. It’s an amazing thing to have a PCI/HIPAA compliant method of strong authentication that doesn’t get in the way of the end user.

Well now the amazing development team at SecureAuth has created a Heuristics engine inside of SecureAuth IdP.  That’s right, there’s something you might or might not know about what you’re using to browse this very page right now.  Your browser has a totally unique fingerprint that we can see from the server side.

What we do is allow your user to validate their identity in a manner with which you’re comfortable (answer a question, enter a PIN, get a phone call, etc…) and after that’s been done we take a fingerprint of their browser and store it.

When that user connects to the resource again, we simply compare the fingerprint. If it matches, they are off to the races; if an admin has revoked it or if the fingerprint doesn’t match, we simply re-validate the user.

You can choose the weight of client variables

SecureAuth’s 1-Touch revocation included of course!

So there you have it, you can now provide strong authentication without any client side components, no phone calls, no tokens, just smiles on your users’ faces.

Want to know more?  Contact us at sales@secureauth.com or follow this link http://www.secureauth.com/company/contact-us/ and scroll to the bottom where you can fill out  a contact form.
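The compare-or-re-validate flow described in this post, sketched as an added example; it is not SecureAuth's code, and the attribute names, weights, threshold and sample values are all assumptions made up for illustration.

```python
"""Weighted browser-fingerprint check: allow on match, re-validate otherwise."""
from typing import NamedTuple, Optional

# Assumed client variables and weights (an administrator would tune these).
WEIGHTS = {
    "user_agent": 15,
    "accept_language": 10,
    "timezone_offset": 10,
    "screen": 15,
    "fonts": 25,
    "plugins": 25,
}
THRESHOLD = 70.0  # assumed minimum score (percent) to skip re-validation


class Decision(NamedTuple):
    action: str   # "allow" or "revalidate"
    reason: str   # "match", "mismatch", "revoked" or "not_enrolled"
    score: float


def _similarity(old, new) -> float:
    """Exact match for scalars, Jaccard overlap for list-valued variables."""
    if old is None or new is None:
        return 0.0  # a missing variable never counts as a match
    if isinstance(old, (list, tuple, set, frozenset)):
        if not isinstance(new, (list, tuple, set, frozenset)):
            return 0.0
        a, b = set(old), set(new)
        return 1.0 if not a and not b else len(a & b) / len(a | b)
    return 1.0 if old == new else 0.0


def score(stored: dict, presented: dict) -> float:
    """Percentage of the total weight that still matches the stored print."""
    total = sum(WEIGHTS.values())
    matched = sum(w * _similarity(stored.get(k), presented.get(k))
                  for k, w in WEIGHTS.items())
    return round(100.0 * matched / total, 2)


def evaluate(record: Optional[dict], presented: dict) -> Decision:
    """record is what was stored after the user last validated, or None."""
    if record is None:
        return Decision("revalidate", "not_enrolled", 0.0)
    if record.get("revoked"):  # admin revocation wins over any match
        return Decision("revalidate", "revoked", 0.0)
    s = score(record["attributes"], presented)
    if s >= THRESHOLD:
        return Decision("allow", "match", s)
    return Decision("revalidate", "mismatch", s)


# Constructed sample data (not captured from real clients).
ENROLLED = {
    "user_agent": "Mozilla/5.0 (Windows NT 6.1) Firefox/20.0",
    "accept_language": "en-US,en;q=0.5",
    "timezone_offset": 480,
    "screen": "1920x1080x24",
    "fonts": ["Arial", "Calibri", "Consolas", "Verdana"],
    "plugins": ["Flash 11.7", "Java 7", "QuickTime"],
}
# Same machine after a browser update: only the user agent changed.
AFTER_UPDATE = dict(ENROLLED, user_agent="Mozilla/5.0 (Windows NT 6.1) Firefox/21.0")
# A different machine in the same locale.
OTHER_DEVICE = {
    "user_agent": "Mozilla/5.0 (Macintosh) Safari/536.28",
    "accept_language": "en-US,en;q=0.5",
    "timezone_offset": 480,
    "screen": "1366x768x24",
    "fonts": ["Arial", "Helvetica", "Times", "Verdana"],
    "plugins": [],
}

if __name__ == "__main__":
    record = {"attributes": ENROLLED, "revoked": False}
    for name, seen in [("after update", AFTER_UPDATE), ("other device", OTHER_DEVICE)]:
        print(name, evaluate(record, seen))
    print("revoked", evaluate({"attributes": ENROLLED, "revoked": True}, ENROLLED))
```

Every variable here is reported by the client, so a matching score is evidence of a returning browser rather than proof of it; the weights and threshold decide how much drift is tolerated before the user is re-validated.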


Author:

Chris

We’ve read the blogs about how the addition of two-factor authentication wouldn’t have prevented the AP Twitter attack.  It’s amazing that even here in 2013 most simply think of two-factor authentication as just another thing a user enters on screen.  Just a few more digits for you to input after your password or something.

Here at SecureAuth we created a mechanism that not only validates the end user (every run of the mill two-factor system does this) but also validates something called the SSL termination point (something no other two-factor system does).

What is the SSL Termination point?  To put it simply it’s the resource you’re trying to authenticate to.

When a user authenticates to a resource like Google Apps, Oracle Business Intelligence, Office 365, Egnyte, F5 or Juniper VPNs and even OWA or SharePoint they will be redirected to SecureAuth for authentication (target redirect is amazing). This means that SecureAuth is what a user has to authenticate to in order to gain access to the application.

So your SecureAuth appliance is the SSL Termination point.  Cool, but is it anything more than a phrase?

Yes, after we’ve authenticated the user’s 2nd factor we force the client to identify the web resource it’s trying to authenticate against. If the server’s SSL certificate matches what an administrator says the SSL Termination point should be then bingo, the user gets access.

If not, we tell the user there’s a mismatch. Simple? Yes it is. What we’ve done is take the user out of the equation. Users can be phished; web servers that are looking at public keys of server certificates? Not so much…

Want to know more? Contact us at sales@secureauth.com or follow this link http://www.secureauth.com/company/contact-us/ and scroll to the bottom where you can fill out a contact form.


Author:

Garret

The latest cloud hack was LivingSocial.   According to PCMag.com:

Cyber-attackers recently breached LivingSocial’s systems and illegally accessed customer information for more than 50 million users, LivingSocial said. Users need to change their passwords immediately.

All Clouds are NOT created equally

What this hack shows (and the others – see image #1 below) is that all clouds are NOT created equally. Enterprises need the cloud because of the flexibility, scalability and functionality the cloud brings. Unfortunately, there are NO standards on how the passwords are stored, how the passwords are encrypted and how password access is controlled.

Account        # of Users      Date              Details of Incident
LivingSocial   50M             April, 2013       Names, E-mail, Birthdate, Passwords
Evernote       50M             March, 2013       Names, E-mail, Addresses, Passwords
LinkedIn       6.5M            June, 2012        Passwords linked to web
Twitter        250,000         February, 2013    WhiteHouse account hacked April, 2013
Facebook       Not Disclosed   February, 2013    Targeted by Eastern European hackers
Apple          Not Disclosed   February, 2013    Targeted by Eastern European hackers
ZenDesk        Not Disclosed   February, 2013    Affected Twitter, Pinterest and Tumblr accounts

Image #1:   Hackers, many of them organized and well funded, are targeting the service providers for identity information.

What’s The Objective?   Identity Information

The objective of these attacks is often the password information. What’s important to note is that the hacked service provider, e.g. Facebook or Twitter, is often NOT the “target” attack site. The hackers know that most users tend to:

      • Re-use their IDs
      • Re-use their Passwords

 

The ultimate score is to pull 50M IDs and passwords from a LivingSocial or Evernote site. (See Image #2)

Image #2:   In insecure enterprise environments, users are allowed to keep their passwords in EACH of the service providers – allowing hackers to attack the weak cloud sites to obtain identity information.

What is an Enterprise to do?   (To Stop the Cloud Hacks)

An enterprise should retain the identity information in a secure locale – and then SSO from this locale.

Q:   Why do the hackers attack the big (ID) vaults?

A:   Because that is where the identities are!

 

So given that some enterprises are NOT securing the identities that well, and given that these service providers are being probed by the hackers for the explicit purpose of finding the weak security systems,

and that the flexibility and scalability of the cloud is FAR TOO GREAT to pass up – what is the enterprise to do? Especially those enterprises who have to meet security guidelines like PCI DSS, FFIEC, HIPAA/HITECH, etc.

These enterprises NEED to become identity providers – and secure their OWN identity data. (Please see image #3)

Image #3: SecureAuth IdP provides enterprise secure identity management and single password functionality for multiple resources – all secured by the holding enterprise.

SecureAuth IdP – Meets the Cloud Identity Problems – For the Enterprise

SecureAuth IdP addresses all of the key problems enterprises are facing with cloud identities, including:

      • Centralized Identity Control

        • Single User Store
        • Single Password
      • SSO to All Enterprise Resources

        • Cloud Apps
        • Web Apps
        • Network Apps
        • Mobile Apps
      • Configurable Authentication

        • UserID / Password
        • UserID / Password +  2-Factor
        • SMS, Telephony, X.509, USB Key, NFC Prox Card, E-mail OTP,  Static PIN, Help Desk, Kerberos and Others
      • Logging and Accounting

        • Built-in Report Server
        • Or send authN/AuthZ events to your log server
      • Mobile Support

        • Native Mobile App SSO
        • 2-Factor to mobile Apps
        • SSO from enterprise directory
        • X.509 delivery to mobile

 

The “LivingSocial” attack should never happen to your ENTERPRISE. Contact SecureAuth and we’ll help ensure it does not.

Please contact us for more information!

Garret Grajek is CTO and a co-founder of SecureAuth. SecureAuth is a single appliance solution that delivers configurable 2-Factor and SSO authentication for Mobile, Web, VPN and SaaS based solutions.


Author:

Garret

As an IT Security company, SecureAuth encourages all activities to increase internet security. And the recent announcement of the Microsoft 2-Factor Authentication for Microsoft accounts is a step in the right direction.

What Microsoft 2-Factor Verification Brings:  User Control

This is the basis of the Microsoft offering: delivering optional added security (see image #1) to the host of Microsoft accounts. These accounts include: Windows PC, Xbox, Outlook.com, SkyDrive, Skype, Office and others.

 Image #1:   Microsoft has added 2-Factor authentication to its user accounts

What Microsoft 2-Factor Verification Lacks:  Enterprise Control

What the offering lacks is functionality for the  enterprise to determine and ENFORCE the authentication per user and user groups.   This administrative control is imperative to the enterprise.  Enterprises need to be able to FORCE their users to utilize specific types of authentication, for the purpose of meeting explicit regulatory guidelines, such as PCI DSS, NCUA, FFIEC, HIPAA/HITECH, etc.

These regulations stipulate specific enterprise policies that the enterprise is required to enforce around identity authentication, these include:

  • Retention, storage, access of user credentials
  • Explicit mandates on required authentication mechanisms  (SMS, Telephony, X.509, token, etc)
  • Enforcement of specific groups (authorization controls)
  • Logging of user authentication  (Who, What, Where, When of authentication)

 

In addition, Microsoft 2-Factor validation does not pretend to be an SSO mechanism between resources, certainly not the non-Microsoft resources that an enterprise may deploy.

SecureAuth IdP delivers:  Enterprise Control and User SSO

Where the Microsoft 2-Factor comes up short, namely Enterprise Control and User SSO, SecureAuth IdP meets the demand.

Enterprise Control

This is one of the major reasons for SecureAuth’s 500+ happy customers. Enterprises utilize SecureAuth IdP to enforce their security policies, including:

  • Type of Authentication:
    • SMS, Telephony, X.509, NFC Proxy, USB Key, E-mail OTP, PIN, Help Desk, KBA, AD SSO, OATH token
  • Workflow:
    • Authentication can vary on location, previous actions including prior log-ons
  • Authorization:
    • Based on enterprise controlled groups and policies
  • Logging:
    • Full reporting and auditing abilities of all authentications

 

The reason for this is the manner in which SecureAuth IdP operates. It enforces authentication on all the resources it secures – centralizing the authentication under enterprise control. (See image #2)

 Image #2:   SecureAuth IdP allows the enterprise to secure its resources, Microsoft and others – and enforce configurable authentication

User SSO

 

SecureAuth provides another great benefit to the enterprise – user SSO between disparate resources:

  • Web  (Sharepoint, ASP.NET, WebLogic, Oracle, J2EE)
  • Network (Citrix, Cisco, F5, Juniper)
  • SaaS  (Office 365, Google, Salesforce, Workday, Concur, ADP, etc)
  • Mobile (Windows, Android, iOS)

Enterprises can not only provide secure 2-Factor to their customers – but ease of use, via SSO. (See Image #3)

Image #3:   SecureAuth provides user SSO to Web, Network, SaaS and Mobile resources.

Please contact us for more information!

Garret Grajek is CTO and a co-founder of SecureAuth. SecureAuth is a single appliance solution that delivers configurable 2-Factor and SSO authentication for Mobile, Web, VPN and SaaS based solutions.


Author:

Chris

A common question for us here at SecureAuth is “Hey is SecureAuth FedRAMP certified?”.

The short answer is that since we can put our appliance in your infrastructure there is no need for SecureAuth IdP to achieve FedRAMP certification.  Why is this solution so popular in the Federal market?

Because we enable agencies to easily enable Single Sign On AND multiple modes of two-factor authentication for Cloud/SaaS applications, mobile applications, enterprise applications and even your VPNs.

Boil it down and what you’ll  find is we have the only application that allows for:

  • SSO from internal computers
  • Two-factor authentication from a kiosk
  • Two-factor authentication using a CAC/PIV card
  • Two-factor authentication using our patented process
  • Mobile two-factor authentication

All with 1 single URL, from an appliance that you control and manage, not something that you share with a bunch of other customers.

Give us a call and we will be glad to walk you through how easy it can be to manage access to your internal and external applications!

To learn more about SecureAuth IdP you can download this whitepaper, listen to this webinar or you can just contact us. We will tell you more.

Author:

Identity Provider (see Image #1) integration can be complex. No provider is trouble free, so what you need is a provider who responds to your individual enterprise needs.

Image #1: SecureAuth IdP provides SSO and 2-Factor to all your enterprise resources including: Web Apps, Network Devices, Cloud Apps and Mobile Apps.

Enterprises Need a Responsive Partner for IdM Projects

When you run into an issue, what is needed is a company that will respond quickly.

SecureAuth Is that Company!

Working with a prospective customer today, we ran into an issue. I reported the issue in the morning; by early afternoon the problem was identified, a manual resolution was provided, and it will be addressed in the very next release.

What this tells our prospect is that we are a company that will listen when someone tells us we have an issue. SecureAuth Sales, Sales Engineering, Support and Engineering teams will react to resolve that issue, quickly and efficiently.

To learn more about SecureAuth IdP you can download this whitepaper, listen to this webinar or you can just contact us. We will tell you more.

All the best!


Paul Brady is a Sr. Sales Engineer of SecureAuth. SecureAuth is a single appliance solution that delivers configurable 2-Factor and SSO authentication for Mobile, Web, VPN and SaaS based solutions.

Chris

“SecureAuth’s admin console is Web-based and perhaps the least attractive of all the products we tested”

Yea, they were talking about SecureAuth IdP…  You know what they say, it’s not about how tough it is to knock you down but how many times you get back up.

So we went and got a makeover!

Before:

Image #1: This is the GUI during the time of the Network World test.

Now, SecureAuth IdP, v.6.6.1:

Image #2: And this is us now, SecureAuth GUI updated in 6.6.1 – released 04/05/2013

Our pages are now dynamic, fresh and minty! We really do appreciate the feedback, Mr. David Strom, and we’re looking forward to a rematch.

Chris Hayes is Chief Solutions Architect for SecureAuth. SecureAuth is a consolidated solution that delivers configurable 2-Factor and SSO authentication for Mobile, Web, VPN and SaaS resources.


Author:

Garret

There’s been a lot of writing about OAUTH 2.0 – especially around mobile SSO and mobile security.

Some vendors are touting that support of OAUTH 2.0 gives them the WHOLE mobile SSO story. This is contradicted by stories of people, including a founding member of OAUTH, leaving the standard body (RE: Eran Hammer, OAUTH 2.0 and the Road to Hell). Eran goes as far as to say that OAUTH 2.0 was hijacked by the consultant and other developers to “provide a whole new frontier to sell consulting services and integration solutions.”

As with most things IT – the truth for IT people just trying to implement SSO and 2-Factor  to native mobile apps, is somewhere in between.

OAUTH 2.0 Defines Token Passing – But Not Much Else

The real gripe against OAUTH is that it is written so nebulously that it lacks the specifics to ensure interchangeability and is inherently insecure because of lack of digital token signing and other security mechanisms such as session timeout. (See image #1)

Image #1:   Lack of Security and Interchangeability have left some founding members of OAUTH dissatisfied with  the protocol.   (Credit: Eran Hammer-Lahav)

 So where can I go to get the full Mobile SSO Story?  SecureAuth IdP

For real IT people – with a job to do – protocol bashing becomes annoying. The job is to get the job done. And in this case the job is to utilize a protocol for the sake of identity passing (and 2-Factor when necessary) to mobile apps.

This is where SecureAuth IdP comes in.

SecureAuth IdP can utilize OAUTH – but more importantly has the necessary features that extend OAUTH 2.0 and create a practical solution for mobile SSO and mobile security that the world is seeking.  (See image #2)


Image #2:   SecureAuth IdP for Mobile completes the OAUTH 2.0 Mobility SSO Story.

Learn more from  the SecureAuth Video…

SecureAuth IdP for Mobile – Mobile SSO and 2-Factor

 

Or please contact us for more information!

Garret Grajek is CTO and a co-founder of SecureAuth. SecureAuth is a single appliance solution that delivers configurable 2-Factor and SSO authentication for Mobile, Web, VPN and SaaS based solutions.


Author:
