1. Authentication

2. Authorization

3. Auditing

Problems with standard AAA (RADIUS) authentication:

• No flexibility in workflow
• Restricts enterprise to out-dated authentication methods (SecurID, tokens, etc.)

• No way to pass identity to SaaS / PaaS providers
• SaaS providers do NOT support RADIUS  (Seem image #2)

The 4th “A” – Identity “Assertion”

1. Authentication
2. Authorization
3. Auditing
4. Assertion (Identity Assertion)

What is needed:

1.  A flexible Authentication solution

• That Supports multiple authentication methods
• Whatever auth method enterprise chooses

2.  That “Asserts” the identity…

• Securely
• Repeatably
• Without APIs

Please come by the SecureAuth booth @ the RSA Conference – Moscone Center, Booth #217 – or contact us – and we’ll map a solution to your requirements.

IT admins face the explosion of apps, specifically cloud apps (like Google, Salesforce, Concur, Workday, SuccessFactors) – and need a way to manage these products.

And by manage – i mean:

• Conduct Authentication
• Allow Single-Sign-On (web user experience)
• Utilize a single account (enterprise data store)
• Log the authentication

Image #1: SecureAuth centrally manages authentication and identities for users – including 2-Factor, SSO, federation and logging.

Centralized Management

SecureAuth is the revolutionary all-purpose tool for the enterprise that centralizing the functionality for several key IT domains:

• Access Control for Network Access
• Access Control for Web Access
• Access Control for Cloud Apps
• 2-Factor AuthenticationWeb/SaaS Portal
• Identity Management of Enterprise UsersLogging of authentication

SecureAuth is able to become this centralized management tool – because of its powerful multi-tenanted architecture that allows it to create 100 distinct policies to manage the various enterprise resources.

Access Control for Web Access:

Admins can consolidate the access controls of their web resources – in a single platform, SEcureAuth.   Web resources can include J2EE, .NET, Microsoft Sharepoint, IBM WebLogic, Oracle WebSphere and other platforms – all which can be collated into a single authentication portal.

Images #2: SecureAuth centrally authenticates on-premise Web Applications.

Access Control for Network Access:

Admins can centralize authentication access control for their various network VPN and gateway devices in a single, consolidated tool – creating different for access policies for different users  utilizing similar or differentiating authentication mechanisms all supported from the same SecureAuth platform.

Images #3: SecureAuth centrally authenticates on-premise VPN/Gateway devices.

Access Control for Cloud Apps:

SecureAuth can also collate an ever growing number of SaaS solutions solutions and provide access to enterprise users coming from the intranet and extranet.   SecureAuth can provide centralized access control to these apps, including managing the authentication, the workflow and the logging.    The key to the secureAuth solution is that it utilize on-premise IDs  (Active Directory) for acces to these cloud Apps.

Image #4: SecureAuth centrally authenticates and provides SSO for Cloud Applications.

2-Factor Authentication

SecureAuth centrally allows enterprise to control 2-Factor authentication to the VPN, WEb, Cloud Apps.     A unique SecuerAUth realm can be created for each resource, with a differentiating authenticaiton policiy.   SecureAuth authentication can be configured to utilize SMS, Telephony, E-Mail, KBA/KBQ, Help Desk, Password and X.509v3 Certificates.

Image #5: SecureAuth is a VASP  (a “Variable Authentication Service Platform”).  SecureAuth supports X.509, SMS, Telephony, E-mail OTP, KBA/KBQ (Knowledge-Based-Questions), Static PIN, Yubikey and Password.

Web/SaaS Portal:

The enterprise portal can be hosted on the SecureAuth solution.   All access controls, including 2-Factor are built into the portal.  In addition, the web single-sign-on between the on-premise web applications and SaaS applications is all constructed and managed throught the SecureAuth administration tool.   SecureAuth can also integrate this web/SaaS sso to pre-existing portals.

Image #6: SecureAuth is a revolutionary 2-Factor, portal – built-in with full authentication and SSO between internally and external apps.   Fully compatible for all devices.

Identity Management for Enterprise Users:

SecureAuth is able to provide centralized identity managment tools for both internal  and external users.   In addition, these tools can be delegated to both users and enterprise admins – according to pre-existing user groups.   These tools include:

• Identity Provisioning
• Profile Enrollment (1st time use)
• 2-Factor password Reset
• User Profile Management
• 2-Factor Password Reset
• Administration Management of User Accounts

All of these policies are accessible from user internally and external located – but enforcement of the policies can all be sent to one of more centralized datastores.

Image #7: SecureAuth has built-in identity Management:  User Profile On-Boarding, 2-Factor Password Reset, User Self-Management and Help Desk User Management.

Logging of Authentication:

SecureAuth provides the enterprise a centralized facility to log all access to SecureAuth protected resources – regardless if the resources are VPN, Web or Cloud resources.    SecureAuth can send the “who, what, where and when” of logging in the format the enterprise requires – both text and syslog format.  SecureAuth can send the syslog files to an on-premise SIEM (Syslog Information Event Management) server – or an office premise SIEM.   Secureauth also supports a GUI interface to cloud SIEM, Loggly.

Image #8: SecureAuth provides full logging of all authentication – be it VPN, Web or SaaS.

Come Feb 27th to March 2nd, thousands of us – including myself, will be at the Moscone Center in scenic San Francisco for the RSA Conference, 2012.    (SecureAuth will be front row in the exhibit center, Booth #217.)

The job of many of you – at this event – is to:

• Map the requirements your company has around:
  • Identity Management
  • Access Management
  • Cloud Apps Access Control
  • Web Apps Access Control
  • VPN Access Control
  • 2-Factor Authentication
  • Mobile, BYOD Support
• To the Vendors at the event

Well…

You can either:

• Fill your shopping cart  (See Industry Competitive Matrix)
• Or “Check Out” with SecureAuth

Image #1: SecureAuth is a multi-functional, multi-tenanted authentication solution that combines the functionalities that previously required the “cobbling” of products from multiple vendors.

The breakdown of the functionalites is very revealing.   (See image #2, below).   Traditional vendors simply provide horizontal solutions that require enterprises to combine the functionalities together for a full soluiton.   It is these integrations which tend to tend to run up cost and create security weaknesses in the architecture.   Because SecureAuth is a single solution, cost is lower – and the security posture in augmented.

Image #2: SecureAuth combines the functionality required for Web, VPN, Cloud and Mobile Security into a single platform.  (Click for full-size image)

Please come by the Secureauth booth @ the RSA Moscone Center, Booth #217 - or contact us – and we’ll map a solution to your requirements.

—
Garret Grajek is CTO and a  co-founder of SecureAuth.    SecureAuth is a single appliance solution that delivers configurable 2-Factor  and SSO authentication for Web, VPN and SaaS based solutions.

But, one downside to using any application in the cloud is the fact that without something like SecureAuth in place, your corporate policies concerning password age & complexity literally fly out the window.

So, let me tell you what an above average user is guilty of.

NEVER changing my Google Apps password.  That’s right, since I’ve been with SecureAuth I’ve never once changed my Google Apps password…  Not only that but when I came on board, do you think I made a complex password that’s totally unique?  nope…  It’s so similar to my mail password it’s ridiculous.

Why would someone who’s very technical do this?  Because I’m busy, you probably are too.  If you’re one of the few people that utilize a password safe you’ve probably tried more than 2 different products and spent well over 40 hours fiddling with it during your use, it might be time well spent but that’s only if you actually have the time.

Think to yourself, how many times have you changed your password to your personal email account?  I’m betting just about never unless you had a scare of some sort.  We’re busy people and by nature we won’t make a change to something like a password unless we’re forced to.  Now, the list of companies that have had their Google corporate email exposed to the world becausesomeone was able to guess the password is very very long.  Why worry about being next?  Give us a call and we’ll show you how to shore up your security to SaaS applications.

BRB, changing my Google Apps password!

So, how can you ensure your CEO won’t have his email exposed to everyone in the world because he fell prey to the Man in the Middle?  it’s actually very simple when you use SecureAuth.  We’ve understood the need for not just 2-Factor authentication but also protection against Man in the Middle attacks from the onset.  We’ve done the work to ensure you can easily decide exactly which webserver you want to trust.

Figure 1. SecureAuth allows you to easily trust 1 SSL point

So there you have it, we all know it’s dangerous out there and events like this just prove it.

Keep in mind that SecureAuth is not only the first product that allows for 2-Factor location based authentication to internal and SaaS applications but we were the first and still the only product that allows for this level of granular control of what your end users will validate against.

Take a minute to contact our sales department for a demonstration of this functionality.  Sales@gosecureauth.com

SecureAuth and Support of BYOD (Including Amazon Kindle demo)

Enterprises are both:

• Encouraging users to use their own devices (For Cost Cutting)
• Being demanded to support End User devices (For Ease-of-use, Convenience)

The Concept of enterprises:

• Supplying all client side devices
• Locking down all client side devices

Well – is fantasy.

End user are able to access the internet, not just from the millions of Apple iOS devices - but  from everything from bubble-wrap Android Phones bought at Walmart (See Image #1),  Amazon Kindle devices for $175 (See image #2) – even including the Nintendo Wii gaming devices  (See Image #3).

Image #1: Android Smart Phones, with full app and browser ability can now be purchase in buble waps at Walmart.

Image #2: Amazon Kindle Fire, at a whopping $199 – are legitimate wifi-enabled, browser based device  – ready for corporate work – when protected by SecureAuth.

Image #3: Even the wonderful Nintendo Wii, is a legitimate member of the internet – and can be protected by SecureAuth.

If It’s Impossible to control the EXPLOSION of Client Devices – what is IT to do?

Control Access to your resources.    The laws/regualations around IT have not changed – just becasue their are browsers on bubble-wrap devices and gaming tools.

All the same rules/guidances are in tact – Enterprises must still follow the 3 A’s of IT Security:

• Authentication
• Authorization
• Audit

It does not matter – if the user came from a Apple Air or a Android HTC or Lenovo laptop.  The enterprise must still show:

• Which user accessed the resource?
• What authentication mechanism was utilized?
• Why the user was allowed the priviledged  (Authorization)?
• When the user was given access?

The world has changed – And change is Good!

But we need to have the tools to manage/collaborate with the change.   Not only has their been a (wonderful) explosion of client devices – their has also been an explosion of enterprise resources.

It’s NOT enough to put up a gateway around the perimeter!!

The modern IT environment requires access at the following (3) accss points:

1. Enterprise-Hosted Applications
2. Gateway/VPNs
3. Cloud-Based Resources

This is the modern IT world – users need to be able to get to these resources – with whatever device they choose to use.

Image #4: SecureAuth becomes the authentication mechanisms that validates the user identity, regardless of device – and then provides access to the corporate resource.

Don’t Authenticate the Device – Authenticate the User!

This is the SecureAuth mantra!   You are being asked by the regulations (PCI DSS, NCUA, FFIEC, HIPAA/HITECH, CJIS) to identify the user and then allow access.   This is EXACTLY what SecureAuth is capable of doing.

SecureAuth uses flexible authentication mechanisms, mixed, matched – any way you choose, to allow access:

• From Any Device
• To Your Web, Gateway and Cloud Resources

SecureAuth supported authentication mechanisms include:

• SMS
• Telephony
• X.509
• E-mail OTP
• KBA/KBQ
• Help Desk
• Password

All based on your enterprise-held identities – meeting all compliance criterias.  It’s a new world – and the new world is good.    Happy Wii’ing!

And contact us – to learn how to protect your corporate resources – in BYOD wordl.

—
Garret Grajek is CTO and a  co-founder of SecureAuth.    SecureAuth is a single appliance solution that delivers configurable 2-Factor  and SSO authentication for Web, VPN and SaaS based solutions.

SecureAuth and Support of BYOD (Including Amazon Kindle demo)

Remote Users

Giving access to remote users has become a pressing issue since more than ever companies are having their employees work from home or on the road with mobile devices. Today users have the ability to open up a IPad and show a presentation to people on the fly. That is why Enterprises have to secure these mobile devices but have found that it isn’t easy to do one never the less to deploy17,000 Google email accounts to mobile users.  This has become an even more of an issue since 2011 showed us that many organizations that don’t use bilateral authentication were being breached.

Image #1: Enterprises are wrestling with (2) types of Remote Acesss:  (1) to the enterprise and (2) to the cloud.   SecureAuth helps with both.

SecureAuth secures your remote users through your directory and gives them secure access to your gateway, web, cloud and mobile environment. Then SecureAuth logs the event in a syslog or text. SecureAuth wanted to make the process as seamless to the user as possible but also wanted to utilize the strength of X.509v3 certificates to reduce the risk of unauthorized access, phishing and password attacks. In addition allows your remote users to meet audit compliance like PCI, HIPPA, FFIEC, NCUA, CJIS.

With a number of organizations going to Google Apps, everyday thousands of companies go with Google. SecureAuth developed auto-profile provisioning for IOS devices allowing SecureAuth to verify a user though AD put a randomized password in the correct Google Domain at the same time store it in your IOS AcitiveSync profile. This allows the user to securely sync his Google email to his IOS device.

If you have remote users that are using mobile devices that are not secure, call today. We can have you up and running by the end of next week so take advantage of or free proof of concept before it is to late.

SecureAuth Webinar:  Google Devices – iOS Provisioning

Had a great week last week – talking Google and SecureAuth from San Francisco to Houston to Atlanta to Ft Lauderdale.

The bottom line question is:

If Google Apps is such a complete package, why do I need SecureAuth?

Well – let me help..

I created a Google/SecureAuth Matrix to help understand when SecureAuth is needed.

And…

Since it’s a blog – put it in easy question/answer form:

Q:    I need 2-Factor authentication but why do I need SecureAuth, Google offers 2-Factor, right?

A: Google’s 2-Factor allows user’s to opt-in, opt-out.   It is a GREAT feature for users deployed in environments where the company doesn’t offer SecureAuth – but the user wants security.   But this should NOT be confused with ENTERPRISES who have to meet security compliance measures (PCI DSS, FFIEC, NCUA,  HIPAA/HITECH, etc) authentication regulations.

These (and other) authentication regulations require a NON-OPTIONAL 2-Factor authentication – e.g. a system that FORCES the user to conduct 2-Factor.   SecureAuth is this solution for Google.

Q:    So if I want to use Google Apps for resources/apps that have to meet compliance standards – I should use SecureAuth?

A: Yes –   SecureAuth meets all the authentication regulations  (PCI DSS, NCUA, FFIEC, SOX, GLB, etc).    It’s one of the primary reasons enterprise deploy SecureAuth – to take advantage of the wonderful applications that Google offers – and still meet the regulatory compliance measure.

Not just for authentication but for:

• User Lifecycle Management
• Data Store Management
• Authentication Flexibility
• Logging

Q:  I love Google Apps, its so amazing with all its growing functionality – but i don’t want to issue my users a new ID – can SecureAuth help?

A: Exactly.   This is exactly the point of the SecureAuth solution. (See diagram.) SecureAuth utilizes existing the existing datastore – and thus the user does NOT have know/remember their, new, Google ID.

Image #1: SecureAuth utilizes the existing enterprise directory (AD and other) for both internal SSO and external 2F authentication.

Q:    OK – but do these users now have a new password?

A:   NO!  No new password is needed!

This is the whole point of the SecureAuth architecture – the user only has to remember their EXISTING userID/password  (most often, but not restricted, to Active Directory)- and NOT learn/remember the Google ID/password.

Q:   OK – so if I can use my existing Active Directory – can’t I just use the AD domain logon ID – and not have my users log in again, at the browser?

A: Yes.   SecureAuth is uniquely architected to utilize the EXISTING domain logon – if the user has logged into the enterprise domain – the user does NOT need to log in again.   SecureAuth picks up the user and logs the user directly into Google.   (With no prompt.)

Q:   Does that mean I have to put something on my AD Domain Controller?  My AD admin has already told me – that he finds those solutions kludgy and will possibly break my audits?

A: SecureAuth for Google is uniquely designed to PLACE nothing on the AD.   No components, no modifications.     It’s the only solution cloud or appliance based that the AD admins approve of of AD IWA SSO.  (That’s what the “desktop SSO feature” is called – Active Directory IWA [Intergrated Windows Authentication])

Q:   Ok – so you got my internal users covered – what about external – what are my authentication options?

A: Great question.   That’s where SecureAuth excels.   Not only can it ENFORCE a User/ID Password (for AD or other) – but it also can enforce a 2-Factor authetnication, based on the secutrity requirements of YOUR enterprise.

SecureAuth is what Gartner refers to as a V.A.S.   (Versatile Authentication Service).   SecureAuth authentication comes standard – with these authentication mechanism – BUILT IN:

• SMS OTP
• Telephony OTP
• E-Mail OTP
• Knowledge Based Authentication (KBA/KBQ)
• Static PIN
• X.509
• CAC Cards
• YubiKey
• Password

Q:   Yes – but i need 2-Factor,  but more importantly, I can’t have a high friction experience for my users – like a SMS call every time.

A: SecureAuth is a revolutionary multi-technology that does NOT require users to understand how to conduct a 2-Factor authentication. (SecureAuth User Authentication Experience).

The paradigm of authentication is:

• It must be secure
• It must be seamless to the user

SecureAuth does this through browser based walk-thru authentication, and advanced PATENTED crypto-authentication.

The 2-Factor is:

• Non-Phishable
• Resist DNS attacks
• And…
• Seamless to the users

Q:      You haven’t said anything about SSO to other apps?

A:    You haven’t asked.

Q:   I have other SaaS (Concur, Salesforce) Apps – can SecureAuth help?

A:  Yes – SecureAuth for Google provides TRUE web SSO between multiple SaaS apps – the user does NOT need to log on again.   And can conduct, first – an internal authentication – or an external authentication.

Image #2: SecureAuth provides SSO into Google and other SaaS applications, in addition…

Q:   I have on-premise Web Apps (ASP.NET, IBM WebSphere, Oracle WebLogic – I would like SSO into – can SecureAuth help?

A:  Yes – SecureAuth provides TRUE web SSO between Google and on-premise web applications.  In a secure manner that doesn’t require extra proxy components.

Image #3: SecureAuth also provides SSO into the legacy on-premise applications for Google deployments.

Q:    OK – SaaS SSO and Web SSO – do I have to build my own portal?

A: No – that’s the coolest thing about SecureAuth 6.2 – it has a portal built in for both Web and SaaS SSO.

It is the only SSO appliance that has built in:

• Web/SaaS Portal
• SAML Support  (1.1, 2.0)
• OpenID Support
• OAUTH Support
• Microsoft FBA Suport
• Sharepoint Support
• IBM LTPA Support
• WebService Authenticaiton Support
• And:
  • 2-Factor Authentication
  • Password Reset
  • User Self-Management
  • Help Desk Support

Image #4: SecureAuth has a built-in SaaS/Web SSO portal for Google and other apps.

Q:    What about mobile – does SecureAuth do anything for my mobile users?

A: Yes – SecureAuth solves the (2) hardest problems for mobile users:

• Deployment
• Security

Secureauth is able to provision the mobile user with:

• Google ID
• Google Domain
• Google Password

Without the user or the enterprise knowing the Google ID or password.   It’s a really amazing solution that Google is recommending to their customers.

Image #5: SecureAuth provision the iOS device with the user’s Google ID and Password and at the same time provisions the ID/Password at Google – for a painless helpdesk free iOS provisioning process to Google.

–

It’s really a very powerful story – SecureAuth Google – and we highly recommend you contact us to learn more.

—

Garret Grajek is CTO and a co-founder of SecureAuth. SecureAuth is a single appliance solution that delivers configurable 2-Factor and SSO authentication for Web, VPN and SaaS based solutions.

For details visit:
   SecureAuth Closes 2011: Fourth Consecutive Year of Record Growth

Image #1 – The assembled Cloud Sherpas team for their 2012 Sale kick-off.

Cloud Sherpas is the enterprise Google reseller – and now a worldwide reseller.  With expansion across the U.S. and Asia Pacific through aggressive acquisitions.    Cloud Sherpas is truly poised to be the major player in Google integrations, across the globe.

And that’s why Cloud Sherpas became and early partner of SecureAuth – for the purpose of integrating and deploying security minded and enterprise level customer.

SecureAuth is that solution – and the right solution for enterprises that are trying to INTEGRATE google into their current enterprise.   Whether that means:

• Integration with their current Data Store (AD
• Integration with their current Apps  (.NET, ShaprePoint, WebLogic, etc)
• Integration with their other SaaS apps  (Salesforce, Concur, Workday, etc)
• Integration with their mobile devices

On the last point – SecureAuth was able to impress the extended team (above) with SecureAuth world-unique integration into Apple iOS devices for Google. SecureAuth can provision a user to utilize Google Apps:

• Without the user knowing their Google Domain Name
• Without the user knowing their Google ID
• Without the user knowing thier Google password

And the enterprise does not need ot know the Google password of the user as well.   It’s an amazing integration that has impressed both Cloud Sherpas and Google.   (See YouTube video).

Image #2: SecureAuth showed it’s amazing new Apple iOS Google provisioning product at the event.

But back to our freinds at Cloud Sherpas.

It’s been amazing ride for the founders of Cloud Sherpas,  Michael Cohn, Eran Gil and David Hoff.   (See Eran and David below.) All of us at SecureAuth tip our hats to their amazing work, passion for accomplishment and vision.   Here’s to 2012.

Image #3: Cloud Sherpas founders:  Eran Gil and David Hoff.   (Michael Cohn not in picture.)

—
Garret Grajek is CTO and a co-founder of SecureAuth.   SecureAuth is a single appliance solution that delivers configurable 2-Factor and SSO authentication for Web, VPN and SaaS based solutions.