Customers utilizing SecureAuth® Identity Enforcement Platform are already mitigating this risk from outside attackers for their ASP.NET applications.  Customers who have integrated their ASP.NET applications with SecureAuth® Identity Enforcement Platform are thwarting attackers who wish to utilize this attack by forcing strong bilateral authentication that authenticates both the user and the server before communication is allowed to the ASP.NET application.  Because the attackers are unable to communicate to the customer’s ASP.NET applications, such as Microsoft SharePoint 2010, the risk of this vulnerability has been mitigated from the unauthorized users.

In fact, SecureAuth is the only “Authentication Provider” that provides strong authentication for Microsoft SharePoint 2010 that is token-less, non-phishable, authenticates both the user and the server , easy to deploy, and does not require any agent, proxy, or VPN to be installed.

Contact us to find out about what people are calling the “Game Changer” when it comes to a strong authentication and true identity enforcement that is also a 2-Factor, Web Single-Sign-On, and Identity Management solution that is low cost and easy to deploy.

SecureAuth believes in a defense-in-depth strategy and recommends that you patch this vulnerability once a patch is released.

More information about this vulnerability and work around can be found at:

Microsoft Security Advisory (2416728)

Scott Guthrie’s Blogs: Important: ASP.NET Security Vulnerability and Frequently Asked Questions about the ASP.NET Security Vulerability

Microsoft SharePoint Team Blog

CVE-2010-3332

RSA and VeriSign Partner on Cloud-Based OTP Service

http://www.rsa.com/press_release.aspx?id=10462

This is an interesting response to MultiFactor Corporation’s cloud solution.   Having RSA and VeriSign try to tweak and then reposition what many view as cumbersome, old, expensive technology as “cloud-based” is validation of SecureAuth and our vision.  However, the problem is that their joint solution delivers primarily on buzz words while keeping the hassles and challenges that users want to be free from.  SecureAuth was designed from its inception on modern web architecture to provide its customers true browser-based, strong, secure access without the cost and burden of special hardware or client software.   

According to the headline on the joint press release, the new arrangement “allows channel partners to offer users managed, shared authentication to access multiple Websites”.   It appears that you will need every user to own and carry an RSA SecurID token to access VeriSign VIP which then can be configured by their partners to let you into other “participating” websites.   What’s left out are enterprise applications and networks (VPNs).  Additionally, users still need to type in little numbers from a plastic token or fat mobile phone application every time they log-in.  

Quote from the release:  “The alliance of two powerhouses with the integration of RSA SecurID technology into VIP will strengthen their combined market leadership and work to increase the collective clout of both VeriSign and RSA”.   We hope to keep our customers happy with an innovative product and good service, rather than wielding clout.   Sounds like they want to keep customers locked into a lucrative, albeit dying, OTP cash cow business for both of them. 

If you are truly interested in a two factor authentication and identity solution that has been designed to meet enterprise cloud security needs, please allow MultiFactor to show you what our customers know:  There is a better alternative to RSA SecurID and VeriSign.  Of course, we also can offer the same, singular solution for secure websites, web applications, enterprise applications, identity management systems, IPSec VPNs and SSL VPNs.

In the next post we’ll explore how these dinosaurs are responding with their own SecurID token alternatives.   RSA calls it the “RSA Decision Tree”.  For those willing to give up more security and flexibility, they’ll go a bit easier on the price. 

Good article in IBD http://tiny.cc/Cloud246 back in June I came across discussing the growth of cloud computing from a business perspective.  Cloud security seems to be one of the few concerns restraining the rapid adoption.  We see ourselves as an enabler which mitigates security while retaining the promise of low cost and flexibility of cloud computing.  

 Quote from Investor’s Business Daily, June 9, 2009:

“Cloud computing’s growth is outpacing the industry overall. Global revenue from cloud services is expected to jump 21% this year to $56.3 billion from $46.4 billion, says market-tracker Gartner. It sees sales of more than $150 billion in 2013.

These (business) efforts highlight the growing acceptance of cloud computing, even as executives concede concerns remain.

There are downsides, perhaps led by technical issues in integrating cloud computing with an existing network. Some critics also question reliability and whether users lose some control over security.”

That last sentence is the key to MultiFactor’s SecureAuth value proposition.  SecureAuth automatically enforces identity policy already built into an enterprise’s existng directory.  The administrator retains total control over access to cloud applications while securing those cloud applications from unauthorized access.