Giving access to remote users has become a pressing issue since, more than ever, companies are having their employees work from home or on the road with mobile devices. Today users have the ability to open up an iPad and show a presentation to people on the fly. That is why enterprises have to secure these mobile devices, but they have found that it isn’t easy to do for one, let alone to deploy 17,000 Google email accounts to mobile users. This has become even more of an issue since 2011 showed us that many organizations that don’t use bilateral authentication were being breached.

Image #1: Enterprises are wrestling with (2) types of Remote Access: (1) to the enterprise and (2) to the cloud. SecureAuth helps with both.
SecureAuth secures your remote users through your directory and gives them secure access to your gateway, web, cloud and mobile environment. Then SecureAuth logs the event in a syslog or text log. SecureAuth wanted to make the process as seamless to the user as possible but also wanted to utilize the strength of X.509v3 certificates to reduce the risk of unauthorized access, phishing and password attacks. In addition, it allows your remote users to meet audit compliance like PCI, HIPAA, FFIEC, NCUA, CJIS.
With a number of organizations going to Google Apps, every day thousands of companies go with Google. SecureAuth developed auto-profile provisioning for iOS devices, allowing SecureAuth to verify a user through AD, put a randomized password in the correct Google Domain and at the same time store it in your iOS ActiveSync profile. This allows the user to securely sync his Google email to his iOS device.
If you have remote users that are using mobile devices that are not secure, call today. We can have you up and running by the end of next week, so take advantage of our free proof of concept before it is too late.
–
Thurs, Feb 23rd 10am PST

Had a great week last week – talking Google and SecureAuth from San Francisco to Houston to Atlanta to Ft Lauderdale.
The bottom line question is:
If Google Apps is such a complete package, why do I need SecureAuth?
Well – let me help..
I created a Google/SecureAuth Matrix to help understand when SecureAuth is needed.
And…
Since it’s a blog – put it in easy question/answer form:
Q: I need 2-Factor authentication but why do I need SecureAuth, Google offers 2-Factor, right?
A: Google’s 2-Factor allows users to opt in or opt out. It is a GREAT feature for users deployed in environments where the company doesn’t offer SecureAuth – but the user wants security. But this should NOT be confused with ENTERPRISES who have to meet security compliance measures (PCI DSS, FFIEC, NCUA, HIPAA/HITECH, etc) authentication regulations.
These (and other) authentication regulations require a NON-OPTIONAL 2-Factor authentication – e.g. a system that FORCES the user to conduct 2-Factor. SecureAuth is this solution for Google.
Q: So if I want to use Google Apps for resources/apps that have to meet compliance standards – I should use SecureAuth?
A: Yes – SecureAuth meets all the authentication regulations (PCI DSS, NCUA, FFIEC, SOX, GLB, etc). It’s one of the primary reasons enterprises deploy SecureAuth – to take advantage of the wonderful applications that Google offers – and still meet the regulatory compliance measures.
Not just for authentication but for:
- User Lifecycle Management
- Data Store Management
- Authentication Flexibility
- Logging
Q: I love Google Apps, it’s so amazing with all its growing functionality – but I don’t want to issue my users a new ID – can SecureAuth help?
A: Exactly. This is exactly the point of the SecureAuth solution. (See diagram.) SecureAuth utilizes the existing datastore – and thus the user does NOT have to know/remember their new Google ID.

Image #1: SecureAuth utilizes the existing enterprise directory (AD and other) for both internal SSO and external 2F authentication.
Q: OK – but do these users now have a new password?
A: NO! No new password is needed!
This is the whole point of the SecureAuth architecture – the user only has to remember their EXISTING userID/password (most often, but not restricted to, Active Directory) – and NOT learn/remember the Google ID/password.
Q: OK – so if I can use my existing Active Directory – can’t I just use the AD domain logon ID – and not have my users log in again, at the browser?
A: Yes. SecureAuth is uniquely architected to utilize the EXISTING domain logon – if the user has logged into the enterprise domain – the user does NOT need to log in again. SecureAuth picks up the user and logs the user directly into Google. (With no prompt.)
Q: Does that mean I have to put something on my AD Domain Controller? My AD admin has already told me – that he finds those solutions kludgy and will possibly break my audits?
A: SecureAuth for Google is uniquely designed to PLACE nothing on the AD. No components, no modifications. It’s the only solution, cloud or appliance based, that the AD admins approve of for AD IWA SSO. (That’s what the “desktop SSO feature” is called – Active Directory IWA [Integrated Windows Authentication])
Q: Ok – so you got my internal users covered – what about external – what are my authentication options?
A: Great question. That’s where SecureAuth excels. Not only can it ENFORCE a User/ID Password (for AD or other) – but it also can enforce a 2-Factor authentication, based on the security requirements of YOUR enterprise.
SecureAuth is what Gartner refers to as a V.A.S. (Versatile Authentication Service). SecureAuth authentication comes standard – with these authentication mechanisms – BUILT IN:
- SMS OTP
- Telephony OTP
- E-Mail OTP
- Knowledge Based Authentication (KBA/KBQ)
- Static PIN
- X.509
- CAC Cards
- YubiKey
- Password
Q: Yes – but I need 2-Factor, but more importantly, I can’t have a high friction experience for my users – like an SMS call every time.
A: SecureAuth is a revolutionary multi-technology that does NOT require users to understand how to conduct a 2-Factor authentication. (SecureAuth User Authentication Experience).
The paradigm of authentication is:
- It must be secure
- It must be seamless to the user
SecureAuth does this through browser based walk-thru authentication, and advanced PATENTED crypto-authentication.
The 2-Factor is:
- Non-Phishable
- Resists DNS attacks
- And…
- Seamless to the users
Q: You haven’t said anything about SSO to other apps?
A: You haven’t asked.
Q: I have other SaaS (Concur, Salesforce) Apps – can SecureAuth help?
A: Yes – SecureAuth for Google provides TRUE web SSO between multiple SaaS apps – the user does NOT need to log on again. And can conduct, first – an internal authentication – or an external authentication.

Image #2: SecureAuth provides SSO into Google and other SaaS applications, in addition…
Q: I have on-premise Web Apps (ASP.NET, IBM WebSphere, Oracle WebLogic) I would like SSO into – can SecureAuth help?
A: Yes – SecureAuth provides TRUE web SSO between Google and on-premise web applications. In a secure manner that doesn’t require extra proxy components.

Image #3: SecureAuth also provides SSO into the legacy on-premise applications for Google deployments.
Q: OK – SaaS SSO and Web SSO – do I have to build my own portal?
A: No – that’s the coolest thing about SecureAuth 6.2 – it has a portal built in for both Web and SaaS SSO.
It is the only SSO appliance that has built in:
- Web/SaaS Portal
- SAML Support (1.1, 2.0)
- OpenID Support
- OAuth Support
- Microsoft FBA Support
- SharePoint Support
- IBM LTPA Support
- WebService Authentication Support
- And:
- 2-Factor Authentication
- Password Reset
- User Self-Management
- Help Desk Support

Image #4: SecureAuth has a built-in SaaS/Web SSO portal for Google and other apps.
Q: What about mobile – does SecureAuth do anything for my mobile users?
A: Yes – SecureAuth solves the (2) hardest problems for mobile users:
SecureAuth is able to provision the mobile user with:
- Google ID
- Google Domain
- Google Password
Without the user or the enterprise knowing the Google ID or password. It’s a really amazing solution that Google is recommending to their customers.

Image #5: SecureAuth provisions the iOS device with the user’s Google ID and Password and at the same time provisions the ID/Password at Google – for a painless helpdesk free iOS provisioning process to Google.
–
It’s really a very powerful story – SecureAuth Google – and we highly recommend you contact us to learn more.
—
Garret Grajek is CTO and a co-founder of SecureAuth. SecureAuth is a single appliance solution that delivers configurable 2-Factor and SSO authentication for Web, VPN and SaaS based solutions.
Thank you to all of our customers and partners for making 2011 another record year for SecureAuth Corporation. We added over 100 of the biggest names in business and government to our customer list last year and Q1 is already busier than ever. Stay tuned for major product announcements in a few weeks at the RSA show that will broaden our Cloud and Mobile platform even more.
For details visit:
SecureAuth Closes 2011: Fourth Consecutive Year of Record Growth
It was an honor to be invited and present, in person, for the newly anointed #1 Google Authorized Reseller in the world – Cloud Sherpas.
Image #1 – The assembled Cloud Sherpas team for their 2012 Sales kick-off.
Cloud Sherpas is the enterprise Google reseller – and now a worldwide reseller, with expansion across the U.S. and Asia Pacific through aggressive acquisitions. Cloud Sherpas is truly poised to be the major player in Google integrations, across the globe.
And that’s why Cloud Sherpas became an early partner of SecureAuth – for the purpose of integrating and deploying security minded and enterprise level customers.
SecureAuth is that solution – and the right solution for enterprises that are trying to INTEGRATE Google into their current enterprise. Whether that means:
- Integration with their current Data Store (AD)
- Integration with their current Apps (.NET, SharePoint, WebLogic, etc)
- Integration with their other SaaS apps (Salesforce, Concur, Workday, etc)
- Integration with their mobile devices
On the last point – SecureAuth was able to impress the extended team (above) with SecureAuth’s world-unique integration into Apple iOS devices for Google. SecureAuth can provision a user to utilize Google Apps:
- Without the user knowing their Google Domain Name
- Without the user knowing their Google ID
- Without the user knowing their Google password
And the enterprise does not need to know the Google password of the user as well. It’s an amazing integration that has impressed both Cloud Sherpas and Google. (See YouTube video).
Image #2: SecureAuth showed its amazing new Apple iOS Google provisioning product at the event.
But back to our friends at Cloud Sherpas.
It’s been an amazing ride for the founders of Cloud Sherpas, Michael Cohn, Eran Gil and David Hoff. (See Eran and David below.) All of us at SecureAuth tip our hats to their amazing work, passion for accomplishment and vision. Here’s to 2012.
Image #3: Cloud Sherpas founders: Eran Gil and David Hoff. (Michael Cohn not in picture.)
—
Nothing but big high fives to the SecureAuth extended team. This time the victory is auto-profile provisioning to Apple iOS devices (iPhone, iPads) for Google e-mail accounts. Just have to give shout outs to our Director of Network Products, Mark Lambiase and Director of Mobile Products, Allen Quach and lead programmer Will Liu - just amazing work.
What is auto-profile provisioning for iOS-to-Google?
It’s SecureAuth’s ability to create an Apple iOS e-mail profile on an iPhone/iPad – without the user having to know how. It’s that simple.
Help desks across the world are being crushed by calls on how to get their iPhone/iPads configured for e-mail – especially those (wisely) switching over to Google mail. The question is:
Q: How do I instruct my users on their new Google ID and Password, and then configure this into their Apple iPhone or iPad devices?
A: You don’t.
Or more succinctly – you deploy SecureAuth and have SecureAuth do it automatically for your users. (See image #1)

Image #1: SecureAuth walks the user through an iOS profile provisioning allowing the user to obtain Google E-mail to his iOS device(s). Workflow: (1) User directs Apple iOS browser to SecureAuth and SecureAuth validates user off enterprise directory. (2) SecureAuth pushes a random password to both the iOS ActiveSync Profile and to the proper Google Domain, which enables (3) the user to seamlessly sync his e-mail, via Google ActiveSync.
Bottom Line:
SecureAuth provides a secure, easy to implement and low-friction mechanism for provisioning Apple iOS devices to Google domains.
The advantage is that SecureAuth removes “user error” and support cost associated with a correct set-up of an Apple iOS device.
All the user does is open the browser on an iOS device to SecureAuth, and authenticate at a web page, to connect to their Google mail. (See image #2)

Image #2: SecureAuth can seamlessly provision an Apple iOS mobile profile for Google Apps users.
Workflow:
- iPad/iPhone User Opens iOS Browser
- User enters SecureAuth “iOS Profile Enrollment” URL in the browser
- User enters (enterprise) Directory ID and (optional) password and (optional) SecureAuth 2nd Factor (SMS, Telephony, etc)
Then, automatically, without user interaction:
- Password is provisioned to iOS device
- Password is synched to Google data store
- iOS e-mail client is now syncing (via ActiveSync) to Google!
Advantages:
- User never needs to know “new” Google Password; just needs to know enterprise ID (e.g. existing Active Directory ID)
- Enterprise never has to know “new Google Password”
- Enterprise never involved in iOS password provision
- Can limit iOS provisioning to existing enterprise groups
- Can limit number of iOS devices provisioned per user
SecureAuth – Auto iOS Profile Enrollment for Google Accounts
—
As we are into the 2nd week of the year and most employees are back from their holiday vacations, IT groups are planning and/or prioritizing this year’s projects. It amazes me over the years working in IT how some IT shops just do not understand security. I’ve seen desktop groups lock the images down where the users are unable to do their jobs without difficulties, but the locked down images do not stop the bad guys. I’ve seen IT shops that think IT Security is just about paper policies and processes. You know who you are, you paper tigers.
I’ve always had the philosophy that IT Security done right should enable the users. Sure there are concepts such as the policy of least privilege. However, even with the policy of least privilege the users are given the rights they need to do their job, not hinder their job.
One of the sayings I hate hearing most is that IT is just a support cost. It always comes from the poor managers that do not understand the business of IT. We’ve all dealt with them, and we all wonder what are they doing working in IT. The main purpose for the business of IT is to make the company more efficient. Technology is a wonderful thing, and a great work-field to be in.
Technology enables the work force to be more mobile. Security technologies such as SSL VPNs allow customers to securely connect back to the corporate data repositories from anywhere and from most devices. With the demands from a larger mobile workforce we have seen cloud computing become more prevalent in the enterprises. Cloud computing enables businesses to be more efficient by reducing the over demanding work loads that are constantly being placed on IT Operations groups. It also helps enable the users to be more mobile.
However, with these enabling technologies have come new risks. Not risks from the technologies themselves but with just plain lazy IT shops. The well designed SaaS apps support federation standards such as SAML, OpenID, OAuth, etc… Federation standards are great at enabling IT shops to manage access to the Cloud/SaaS applications with their existing user data stores. Federation standards allow the users to not have the need to remember multiple user names & passwords. But, this is where the laziness comes in. Federation by itself is not secure. IT shops have set up these wonderful enabling technologies with just user names & passwords as a single factor of authentication. I can go on and on about how bad and ineffective user names and passwords alone are. Instead of hearing it from me, let me quote one of the most successful businessmen of all time.
“Passwords are the weak link,” was said by Bill Gates in his RSA 2006 Keynote address. Not enough for you? Then how about this one? “There is no doubt that over time, people are going to rely less and less on passwords. People use the same password on different systems, they write them down and they just don’t meet the challenge for anything you really want to secure.” That was a statement by Bill Gates back in 2004 for his RSA speech. Another great statement made by Bill Gates at the Microsoft IT Forum Copenhagen, Denmark in 2004 was, “A major problem for identity systems is the weakness of passwords. Unfortunately, with the type of critical information (protected by) these systems, we aren’t going to be able to rely on passwords.”
One of my colleagues, here at SecureAuth, would always say last year when we traveled together and came across someone smoking, “It’s 2011. Who still smokes?” Well it is 2012. Who just uses user names and passwords alone? But there are gotchas with some of the multifactor authentication solutions. Some of the solutions are financially expensive. Some haven’t changed their solution since 1997. Most of them are cumbersome to administrate and maintain with their high administrative overhead. Most of the solutions are susceptible to phishing and man-in-the-middle attacks. Most of these solutions are a burden to the users.
This is where SecureAuth comes in. SecureAuth allows you to securely enable your users’ access to Cloud/SaaS and VPN applications with a cost efficient, easy to use, quick to deploy, and easy to administrate and manage solution. SecureAuth’s bilateral authentication solution enforces the identity of the user while not being susceptible to the phishing and MITM attacks. When IT Security is done correctly, it enables the users while still protecting the most critical IT asset which is the data.
Check out our upcoming January 19th Webinar 2-Factor SAML – Why SAML is not enough! to see how to securely enable your users’ access to Cloud/SaaS applications, or contact one of our Sales teams.
Speaking about how wonderful and enabling technology is, this blog was written and published from 36,000′ up in the air. Millions of users are enabled by SecureAuth to access their corporate data securely. Are yours?
Can’t Sleep?
What are some of the things you think about when you can’t sleep? After successfully negotiating my 3 year old daughter back to sleep at some ungodly hour, my brain started turning. A tiny drop of adrenaline later and I was back to a question that I asked a few of my colleagues earlier in the day.
What is another way to describe federated id’s? One engineer explained it as the solvent for authentication. Another colleague simply put, it’s single sign-on to SaaS applications. And yet another described it as a trusted handshake (SAML, OpenID, OAUTH) between federated resources. So how does SecureAuth play a role in this concept?

Image #1 – SecureAuth takes the “Scary” out of Federation.
SecureAuth’s STS (secure token service) is a mechanism that parties agree on to pass identities between a resource (android, iPhone, Windows, Mac, Linux) and the intended end point (Salesforce, Google, Concur, SuccessFactors). SecureAuth provides a single sign-on via SAML, AND it also ensures higher security in the form of 2-factor authentication. So if you can’t sleep and worry about a security breach, utilize SecureAuth’s identity enforcement platform, and toss those sleeping pills.
Webinar: 2-Factor SAML. Why SAML, alone, is NOT Enough. (Jan 19th, 10am PST)
For the first time a popular smartphone operating system other than BlackBerry has been approved for DOD use! Looks like Apple’s iOS is still only approved for Pilot programs because of the GPS tracking and inability to load 3rd party applications.
While you’re here please check out the first and only 2-Factor solution for the Android platform HERE!

SecureAuth and Android Demo and Security Explanation
SAML by itself – is wonderful.
But:
SAML (by itself) != Security
Let me clarify this position:

Figure #1: SAML by itself, will not solve all sign-on and security issues.
By NO MEANS should the reader take this article as a “slight” against SAML. Absolutely not.
SAML is a bold and necessary means in the establishment of trust-worthy and security-compliant identities across the internet. SAML is the only widely accepted standard, deployed by major players such as Google, Salesforce, Concur, SuccessFactors, etc – that is cryptographically signed.
But – it’s just a PART of the identity/federation equation.
This is where SecureAuth comes in.
SAML is a mechanism to PASS a trust identity – once the identity is established. It’s a 1-time, cryptographically signed XML packet. The information in the packet – is only as good as the authentication that is utilized to establish the identity.
SecureAuth becomes the secure authentication mechanism for the SAML assertion (See image #2).

Image #2: SecureAuth, a member of the OASIS standards consortium for SAML, creates the SAML artifact for the service providers, including cloud resources to consume.
As stated above, SecureAuth can create the SAML assertion for the service provider(s) to consume – regardless if these are on-premise web applications, network gateways/vpns and/or Cloud applications.
In addition SecureAuth conducts:
- Secure Active Directory SSO
- External 2-Factor Authentication
- Web Sessioning SSO between web and SaaS apps
- Identity translation of the (on-premise) directory ID to SAML ID
- Logging of SAML based Authentication
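The point made above, that the information in a SAML assertion is only as good as the authentication used to establish the identity, can also be checked on the consuming side. The following is an added example, not SecureAuth's code: a hypothetical service-provider check that rejects an already signature-verified assertion when its `AuthnContextClassRef` reports password-only authentication or its `AuthnInstant` is too old; the accepted-class list, the 15-minute limit and the sample assertions are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

# Authentication context classes this hypothetical service provider accepts.
# Which classes count as strong enough is a local policy decision (assumption).
ACCEPTED_CONTEXTS = {
    AC + "X509",
    AC + "SmartcardPKI",
    AC + "MobileTwoFactorContract",
    AC + "TimeSyncToken",
}
MAX_AUTHN_AGE = timedelta(minutes=15)  # assumed freshness limit


def check_authn_strength(assertion_xml, now):
    """Return (accepted, reason) for an assertion whose XML signature has
    ALREADY been verified. Production code would also parse with a hardened
    XML library and check issuer, audience and validity conditions."""
    root = ET.fromstring(assertion_xml)
    stmt = root.find("saml:AuthnStatement", NS)
    if stmt is None:
        return False, "no AuthnStatement: nothing says how the user authenticated"
    ref = stmt.find("saml:AuthnContext/saml:AuthnContextClassRef", NS)
    ctx = (ref.text or "").strip() if ref is not None else ""
    if not ctx:
        return False, "no AuthnContextClassRef"
    if ctx not in ACCEPTED_CONTEXTS:
        return False, "weak authentication context: " + ctx
    try:
        when = datetime.strptime(stmt.get("AuthnInstant", ""), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return False, "missing or unparsable AuthnInstant"
    when = when.replace(tzinfo=timezone.utc)
    if when > now or now - when > MAX_AUTHN_AGE:
        return False, "authentication too old or in the future"
    return True, ctx


def sample_assertion(ctx_class, authn_instant):
    """Constructed, unsigned sample assertion for the demo below."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_constructed" Version="2.0" IssueInstant="%s">'
        "<saml:Issuer>https://idp.example.test</saml:Issuer>"
        "<saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>"
        '<saml:AuthnStatement AuthnInstant="%s"><saml:AuthnContext>'
        "<saml:AuthnContextClassRef>%s</saml:AuthnContextClassRef>"
        "</saml:AuthnContext></saml:AuthnStatement></saml:Assertion>"
    ) % (authn_instant, authn_instant, ctx_class)


if __name__ == "__main__":
    now = datetime(2012, 1, 19, 18, 5, 0, tzinfo=timezone.utc)
    cases = [
        (AC + "PasswordProtectedTransport", "2012-01-19T18:00:00Z"),
        (AC + "X509", "2012-01-19T18:00:00Z"),
        (AC + "X509", "2012-01-19T17:00:00Z"),
    ]
    for ctx_class, instant in cases:
        print(check_authn_strength(sample_assertion(ctx_class, instant), now))
```
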
Learn more – by contacting us at SecureAuth – or join us Jan 19th on a webinar on this topic:
Webinar: 2-Factor SAML. Why SAML, alone, is NOT Enough.
—
Let me start by stating the obvious around here, I am not a technologist. But, my role as a salesperson depends on understanding the marketplace. And right now, it is fairly clear that many companies are migrating to the Cloud. How are they successfully doing this? Via SAML (Security Assertion Markup Language) – the go-to protocol for B2B applications.
Don’t take my word for it, come listen to our team who are ahead of the curve, the brains behind SecureAuth’s ability to provide safe and secure access utilizing SAML 2-factor authentication. Join us by visiting our webinar Jan. 19th.
Happy Holiday!