SecureAuth Blog

SecureAuth – The Complete STS

Written on March 13, 2011 at 9:06 pm, by Garret

Why should I, an IT director/admin, care if SecureAuth is a “complete STS” – when I don’t even know what an STS is?

Understood! But the truth of the matter is, you are already performing the functions of an STS without a tool that’s designed to behave as one.

What is an STS? And Why Should I Care?

STS stands for “Secure Token Service”. It’s usually defined in the SaaS (Software as a Service) space as a tool that passes an identity from the enterprise to an application, in a format that the application understands. But the concept is not restricted to SaaS – if you are deploying multiple apps to disparate user groups and roles, you are already doing the job of an STS today – albeit with baling wire and duct tape. (See Figure #1)

Figure #1 - Current STS solutions are a kludge of duct tape and baling wire. (E.g., the cloud came before we figured out how to securely authenticate to it!)

But hold on one second! Identity acceptance and role differentiation are the job of the applications – that’s their job, right?

I mean – security folks only care what goes on at the perimeter and at the L2/L3 layer… right? That may have held in 1996, when the only means to set up a secure application was through a set of firewalls, VPNs, IDS, etc.

Now applications reside wherever it makes practical and economic sense.

That could be internally based apps, hosted cloud apps and 3rd party apps like Google Apps, Postini, SalesForce, Success Factors, Concur and Oracle On-Demand.

The question then becomes: how do you secure access to all these amazingly powerful apps?

(Uhm, putting a traditional router at Google and then tying a RADIUS authentication back to your enterprise is not only impractical – it will get you laughed at.)

So what was invented to solve this dilemma?

Federation. The concept of authenticating the user at your premises (AD, etc.) and then passing a federation “token” out to the application. (Google does a great job of explaining this here.)

Where does this leave you, the IT enterprise?

Well, first of all, your current perimeter defense mechanisms (VPNs, firewalls, IDS) are all useless in this configuration.

What is needed is a system solution that:

  • Is capable of accepting an authentication redirect from an application resource
  • Includes 2-Factor in the workflow (for PCI, FFIEC, NCUA, HIPAA, etc.)
  • Maps the identity to a local user store (AD, etc.)
  • Dialogues back to the application (Secure Web Token)
  • Logs the event
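The five requirements above, carried through as one working flow. This is an added illustration, not SecureAuth’s code: the user store, the OTP secret, the registered application and the signing key are all constructed inline (a real deployment would read from AD/LDAP, deliver the second factor by SMS, telephony or X.509, and keep the signing key in an HSM or vault). The token format (base64 claims plus an HMAC) is a stand-in for whatever web token the target application accepts; the point is that the token is signed, bound to one audience, and short-lived, and that every decision is logged.

```python
"""Minimal Security Token Service flow: accept an authentication redirect,
check two factors against a local user store, mint a signed token for the
relying application, and log the event. Added example; all data is constructed."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed local user store standing in for AD. Passwords are held as
# salted PBKDF2 hashes, never in the clear.
def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

_SALT = b"constructed-salt"
USER_STORE = {
    "alice": {
        "pw_hash": _pbkdf2("correct horse battery", _SALT),
        "otp_secret": b"constructed-otp-secret",  # shared with the user's OTP app
        "roles": ["finance", "expense-approver"],
    },
}
# Relying applications the STS will assert to, keyed by the audience name
# carried in the redirect. Unknown audiences are refused outright.
REGISTERED_APPS = {"expense-app": "https://expense.example.invalid/acs"}
SIGNING_KEY = b"constructed-signing-key-rotate-me"   # hypothetical; vault/HSM in practice
TOKEN_TTL_SECONDS = 300
EVENT_LOG: list = []                                 # stands in for the enterprise log collector


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _otp_for_step(secret: bytes, step: int) -> str:
    """6-digit code for one 30-second time step (RFC 4226 dynamic truncation)."""
    digest = hmac.new(secret, step.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


def current_otp(username: str, now: float) -> str:
    """What the user's OTP app displays at time `now` (used to drive the flow)."""
    return _otp_for_step(USER_STORE[username]["otp_secret"], int(now // 30))


def mint_token(subject: str, roles: list, audience: str, now: float) -> str:
    """Signed, audience-bound, expiring token: b64(claims) '.' b64(HMAC-SHA256)."""
    claims = json.dumps({"sub": subject, "roles": roles, "aud": audience,
                         "iat": int(now), "exp": int(now) + TOKEN_TTL_SECONDS},
                        separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, claims, hashlib.sha256).digest()
    return f"{_b64(claims)}.{_b64(sig)}"


def verify_token(token: str, audience: str, now: float) -> Optional[dict]:
    """The relying application's side: reject bad signature, wrong audience or expiry."""
    try:
        claims_b64, sig_b64 = token.split(".")
        claims_raw, sig = _unb64(claims_b64), _unb64(sig_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SIGNING_KEY, claims_raw, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(claims_raw)
    if claims.get("aud") != audience or claims.get("exp", 0) <= now:
        return None
    return claims


def handle_redirect(app_id: str, username: str, password: str, otp: str,
                    now: Optional[float] = None) -> dict:
    """Steps 1-5: accept redirect, 2-factor, map identity, return token, log."""
    now = time.time() if now is None else now
    event = {"ts": int(now), "app": app_id, "user": username, "result": "denied"}

    def deny(reason: str) -> dict:
        event["reason"] = reason
        EVENT_LOG.append(event)              # step 5 applies to failures too
        return {"ok": False, "reason": reason}

    if app_id not in REGISTERED_APPS:        # step 1: only known relying parties
        return deny("unknown_app")
    record = USER_STORE.get(username)        # step 3: map identity to the local store
    if record is None or not hmac.compare_digest(record["pw_hash"], _pbkdf2(password, _SALT)):
        return deny("bad_password")
    step = int(now // 30)                    # step 2: second factor, one step of clock drift allowed
    if not any(hmac.compare_digest(otp, _otp_for_step(record["otp_secret"], s))
               for s in (step - 1, step, step + 1)):
        return deny("bad_otp")
    token = mint_token(username, record["roles"], app_id, now)   # step 4: dialogue back
    event["result"] = "issued"
    EVENT_LOG.append(event)                  # step 5: log the successful issuance
    return {"ok": True, "redirect_to": REGISTERED_APPS[app_id], "token": token}
```

The application never sees the password or the OTP; it receives only the token, and `verify_token` shows the checks it must perform before trusting the asserted roles. Denied attempts are logged with their reason, which is what the enterprise log collector needs to spot password spraying or OTP guessing against the STS.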

What is that Called?

What I just detailed above is what an STS should do. Now there are a lot of tool kits on the market that talk about HOW you can BUILD an STS with their components.

But there is NO other product on the market that delivers:

  • An appliancized web server
  • Conducts the web redirects from the SaaS, VPNs and Web resources, without APIs
  • Provides full enterprise IdM functionality (to AD and others)
  • Manages the users (create, modify, 2-Factor password reset, help desk admin)
  • Conducts a configurable 2-Factor auth (SMS, telephony, X.509, KBA, PIN, help desk)
  • Asserts the identity to the relevant resource (VPN, Web, SaaS)
  • Logs the event

SecureAuth is the “Complete STS” for Web, VPN and SaaS

Figure #2: SecureAuth (1) functions as a 2-Factor STS for the enterprise, pulling the identities from the local user store, AD (2), and then asserts the identities to local Web (3), VPN (4) and SaaS (5) resources. Most importantly, SecureAuth conducts the authentication locally and logs to the enterprise logging resource collector (6).

That’s really all that is required. Sounds simple (I’m being facetious). To build this yourself from scratch would take hundreds of man-hours.

Or you can call SecureAuth.  In less than a day, we can set this up for you.

Please contact us @SecureAuth and we’ll solve your STS, SSO, Access and Authentication issues.

Garret Grajek is CTO and a founder of SecureAuth. SecureAuth is a single appliance solution to enterprise Identity, Access and Authentication issues.
