Thursday, July 28, 2016

RSA SecurID Access

Last week, RSA announced the release of RSA SecurID Access. RSA SecurID Access starts with the RSA SecurID solution at its heart and combines it with the features of the old RSA VIA Access.

By the way, the whole VIA Access product line is now rebranded under SecurID Access.

The plus point is the Multifactor Authentication (MFA) service, which protects cloud and SaaS applications with a variety of mobile-optimized authentication methods, including push notifications, biometrics and FIDO, coupled with Identity Assurance.

Identity Assurance is similar to the commonly known Adaptive Risk Authentication, except that Identity Assurance currently is not able to track the history of users' profiles.

The engineer who demonstrated it to me was expecting me to respond with a "Wow! This is innovative!".

But ... I saw something like this a few years ago - Salesforce + ForgeRock = Salesforce Identity Connect, and ForgeRock Releases Breakthrough Identity Bridge for Cloud Service Providers.

Architecturally, this is nothing new to me.


Thursday, July 14, 2016

Authentication - MFA and Risk AuthN

I came across an article on Multi-factor Authentication: Best Practices for Securing the Modern Digital Enterprise from Ping Identity Office of the CTO.

There is this nice diagram illustrating the various authentication mechanisms.

1. Something you know (for example, a password or a PIN). 
2. Something you have (for example, a mobile phone or a token). 
3. Something you are (for example, a fingerprint or other biometric data).

Generally, combining multiple authentication factors results in a higher Level of Assurance (LoA) that the individual attempting to authenticate is actually the individual in question, because even if one of the factors has been compromised, the chances of the other factor also being compromised are low. That reasoning only holds when the factors are genuinely independent: a password and an SMS one-time code both handled on the same compromised phone are not two independent factors.
Authentication mechanisms can also be distinguished by whether they use the same channel through which the user accesses the application, or a separate channel that is dedicated to authentication.

In the market today, there is yet another type of authentication which is picking up traction - Risk Authentication.

I have this nice diagram from CA Risk Authentication data sheet.

CA Risk Authentication can detect suspicious activity for consumer and enterprise online services without burdening users. This multi-channel risk assessment solution transparently detects and prevents fraud before losses occur.

This usually works together with MFA solutions for Step-Up Authentication: the risk engine scores each login (new device, unusual location, impossible travel, recent failures, and so on), low-risk logins pass with the first factor only, and logins above a risk threshold are challenged with an additional factor before access is granted.
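The following is an added example (not code from Ping Identity, CA or the original post) of the MFA plus risk-based step-up flow described above: a small risk engine that scores a login attempt from a few signals and maps the score to allow, step-up (demand a second factor) or deny. The signal weights, thresholds, the 900 km/h "impossible travel" speed and the sample user history are all assumptions chosen for illustration.

```python
"""
Risk-based step-up authentication: a minimal risk engine (added example,
not from any vendor). Weights, thresholds and sample data are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt
from typing import List, Optional, Set, Tuple

ALLOW, STEP_UP, DENY = "allow", "step_up", "deny"


@dataclass
class LoginAttempt:
    user: str
    device_id: str
    country: str
    lat: float
    lon: float
    at: datetime


@dataclass
class UserHistory:
    known_devices: Set[str] = field(default_factory=set)
    known_countries: Set[str] = field(default_factory=set)
    last_login: Optional[LoginAttempt] = None
    recent_failures: int = 0


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two points (mean Earth radius 6371 km)."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def risk_signals(attempt: LoginAttempt, history: UserHistory) -> List[Tuple[str, int]]:
    """Return the (signal_name, weight) pairs that fired for this attempt.
    Weights are illustrative assumptions, not a vendor's scoring model."""
    signals = []
    if attempt.device_id not in history.known_devices:
        signals.append(("unknown_device", 30))
    if attempt.country not in history.known_countries:
        signals.append(("new_country", 25))
    if history.recent_failures >= 3:
        signals.append(("recent_failures", 20))
    prev = history.last_login
    if prev is not None:
        hours = (attempt.at - prev.at).total_seconds() / 3600.0
        km = haversine_km(prev.lat, prev.lon, attempt.lat, attempt.lon)
        # "Impossible travel": moved more than 50 km faster than ~900 km/h
        # (roughly a commercial flight) since the previous login.
        if km > 50 and (hours <= 0 or km / hours > 900):
            signals.append(("impossible_travel", 50))
    return signals


def decide(attempt: LoginAttempt, history: UserHistory,
           step_up_at: int = 30, deny_at: int = 70) -> Tuple[str, int, List[Tuple[str, int]]]:
    """Map the risk score to a decision: low risk passes transparently on the
    first factor, medium risk triggers a second factor, high risk is refused."""
    signals = risk_signals(attempt, history)
    score = sum(weight for _, weight in signals)
    if score >= deny_at:
        return DENY, score, signals
    if score >= step_up_at:
        return STEP_UP, score, signals
    return ALLOW, score, signals


# Constructed sample history: one user, one known laptop, always from Singapore.
T0 = datetime(2016, 7, 14, 9, 0)
ALICE = UserHistory(
    known_devices={"laptop-7f3a"},
    known_countries={"SG"},
    last_login=LoginAttempt("alice", "laptop-7f3a", "SG", 1.35, 103.82, T0),
)


def demo() -> dict:
    """Three constructed attempts: a routine login, the same user on a new
    phone in the same city, and a login from London 45 minutes later."""
    routine = LoginAttempt("alice", "laptop-7f3a", "SG", 1.35, 103.82, T0 + timedelta(hours=8))
    new_phone = LoginAttempt("alice", "phone-0c11", "SG", 1.30, 103.85, T0 + timedelta(hours=9))
    attacker = LoginAttempt("alice", "unknown-ff", "GB", 51.50, -0.12, T0 + timedelta(minutes=45))
    return {name: decide(a, ALICE)[0]
            for name, a in (("routine", routine), ("new_phone", new_phone), ("attacker", attacker))}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The routine login scores 0 and passes silently; the new phone trips only the unknown-device signal and is pushed to a second factor; the London attempt combines an unknown device, a new country and impossible travel and is refused outright. In a real deployment the step-up branch is where the MFA product's push notification or OTP challenge is invoked, and the known-device and known-country sets are updated only after that challenge succeeds.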

Technicalities aside, what is the business case for using MFA and Risk Authentication?

Compliance regulations and industry guidelines are increasing their emphasis on stronger authentication to protect data. Organizations do not want to deploy overbearing authentication systems that require repetitive user interaction, because of the negative effect on user experience, which impacts both the adoption of online services and customer loyalty.
The overall challenge is to detect and block fraudulent activity before losses occur, with minimal impact to users.


Monday, July 4, 2016

Data Access Governance

Walking the ground helps to keep me abreast of the latest "wants" from customers, especially the ministries. There seems to be a need for Data Access Governance (DAG), in particular for unstructured data.


In most ministries these days, there are a lot of Microsoft SharePoint deployments, and file sharing mostly uses Microsoft technology. Yet there is a serious gap in knowing who has what access to which files and documents.

Currently, RSA, SailPoint and Dell One Identity have DAG features in their Governance offering.


Friday, July 1, 2016

Quick look at SSO through the ages

I found this article a few days back... An interesting map of the road I have travelled so far... :)

Let’s take a quick look at SSO through the ages.
  • It started with password synchronization, but that soon became too cumbersome, too labor-intensive, and required too much integration to be a true "enterprise" solution. 
  • Next we had the concept of enterprise SSO where all credentials were stored and the appropriate fields were automatically filled in when login was required. But ESSO doesn’t leverage more modern SSO concepts and is still difficult to implement and manage. 
  • Finally we arrived at “true” SSO for Windows with the advent of Active Directory (AD), where a single account and a single credential provides universal access without any synchronization or form-filling. The problem is it only works for Microsoft stuff or things that you can get to play nice with AD, leaving many critical systems out in the cold. 
  • Today we have the concept of federation, which is “true” SSO for web applications, but only if those applications talk the right standards, leaving lots of legacy web applications and all thick client apps out of the equation.

Never-ending story if there is no common standard. By the way, there won't be any common standard in an ideal world. Contradicting? Yes, my take.