The Business Forum



Simplifying & Protecting Access to Web-based Applications

Contributed by TriCipher, Inc.


Introduction

Software-as-a-Service (SaaS) and myOneLogin

Businesses of all sizes are adopting web-based, hosted applications provided by Software-as-a-Service (SaaS) vendors such as Salesforce.com, WebEx and Google. By using SaaS, businesses benefit from consistent and predictable costs, rapid deployment, and reduced management costs.  But using SaaS introduces data theft and privacy concerns. Users connect over the Internet to vital business applications; the theft of usernames and passwords puts business data at risk. Recently, widely-publicized phishing attacks against Salesforce.com customers illustrated the potential problem. As SaaS deployments increase, so will the phishing attacks targeting them.

For compliance purposes, businesses need to demonstrate the policies protecting access to vital applications. Yet users frustrated with managing multiple password policies may inadvertently defeat security measures and put business data at risk. Strong authentication and application credential management solutions help, but deploying these systems is a major undertaking that erodes the cost/simplicity benefits of SaaS adoption. myOneLogin™ addresses the essential challenge of enhancing security and compliance while simplifying password complexity. A hosted service, myOneLogin combines strong authentication with a single login to multiple web-based applications. Business users connect to the myOneLogin portal using strong authentication, and from there can connect to multiple web-based applications and the enterprise SSL VPN, all with a single, secure login.

Why use myOneLogin?

As a hosted service, myOneLogin reduces the cost of security and compliance, while offering rapid deployment and simplified management.

The business benefits from:

■ Reduced risk exposure to business data and applications due to insecure, shared or phished passwords

■ Better management of user accounts and subscriptions using a centralized, online interface

■ Cost-effective security, deployed as a service with no up-front investment

■ Simplified demonstration of password enforcement for regulatory compliance

■ Reduced help desk time supporting different password policies and forgotten passwords

■ Enhanced license management for SaaS applications; eliminate lost or unused licenses

The business user benefits from:

■ Reduced privacy concerns using strong authentication security

■ Simplicity of a single account and password, rather than managing, changing and remembering distinct passwords for different accounts.

Software-as-a-service providers can also benefit from the myOneLogin service by offering subscribers secure single login to their applications. By meeting strong security and privacy requirements, SaaS providers can increase the adoption of their services.

[Figure: How myOneLogin works] 1. Business grants applications access to the user. 2. User makes a secure connection to myOneLogin and selects application from the list. 3. myOneLogin logs user into applications.

myOneLogin Service Overview

The myOneLogin service provides a strong authentication and single sign-on infrastructure that addresses online security risks and provides the convenience of a single, secure login. The strong authentication uses multi-part credential and flexible factor technologies from TriCipher™, experts in strong authentication technologies. myOneLogin supports different levels of authentication strength. Businesses can choose the level that best meets their needs, balancing security, cost, risk, and ease of use.

Basic

Two-factor authentication with encrypted browser cookies and mutual authentication. This level offers protection from phishing and password theft.

Intermediate

Two-factor authentication with certificates and mutual authentication. Certificates are more secure than cookies, as they cannot be copied from the machine. This level offers protection from phishing, password theft and man-in-the-middle attacks.

High

The highest level of protection with mutual SSL. The underlying technology is the TriCipher Armored Credential System (TACS), which offers a variety of multi-factor authentication options. (See the TriCipher Authentication Ladder, below.) TACS supports high-volume financial services applications with strong security needs and demanding customers.

The TriCipher technology supporting myOneLogin integrates a range of authentication factors, including passwords, browser cookies/certificates, PCs, portable devices, tokens, smart cards and biometrics, for a complete strong authentication system. All strong credentials provided by myOneLogin support full roaming capabilities; users can be given the appropriate levels of freedom to accomplish a desired security policy.  Using myOneLogin, business users can confidently and securely access their SaaS applications from any computer.

myOneLogin Service Details

The myOneLogin hosted service employs the TriCipher Authentication Gateway (TAG), which powers the service portal where users strongly authenticate their credentials and then log in to SaaS providers. The service is hosted in a SAS 70-compliant data center.

The TriCipher Authentication Gateway (TAG) acts as a services layer for web applications. Using patent-pending technology, it manages the authentication for every level of the TriCipher Authentication Ladder to provide a unified authentication service.

The TAG manages the entire authentication process and verifies the credentials of each user.

The myOneLogin system architecture is designed to enable easy deployment for external SaaS applications as well as internal, web-based applications and enterprise SSL VPNs. The service distinguishes between two categories of SaaS applications, depending on the supported authentication technologies:

■ SaaS providers such as Google, SalesForce.com and WebEx work with federation standards or provide APIs to support single sign-on and authentication with their services. We will refer to these applications as Federated Access applications.

■ Other applications only authenticate with username and password and have not embraced open standards. We will refer to these applications as Legacy Access applications.

myOneLogin supports both types of applications. For federated access applications, it uses the federation standard (such as SAML) or provided API to authenticate the user with the application. For legacy access applications, it uses the userID and password, which are stored and managed securely in the myOneLogin servers.

Regardless of which type of application you are using, myOneLogin elevates the security and reduces the complexity of managing web-based application access by:

■ Providing strong authentication for business users

■ Eliminating the need for business users to set, remember or use application passwords directly

■ Providing the simplicity of a single login for all business applications

Supported Federated Access applications

myOneLogin currently supports the following Federated Access applications:

■ Google Apps

■ SalesForce.com

■ WebEx

The service can easily integrate with other third-party SaaS providers that use federation standards like SAML.

Supported Legacy Access applications

myOneLogin can support any web-based application that uses standard, forms-based authentication (user ID and password). We can provide a current list of legacy access applications that have been pre-certified, and can easily support new applications based on customer needs.

For these applications, myOneLogin uses a password escrow approach. The service maintains the passwords according to password policies. Business users do not even need to know the individual accounts and passwords, reducing the risk of password theft or loss.

How It Works

Before users can access their SaaS applications using myOneLogin, the administrator performs a one-time configuration, defining the applications that the business users can access.

For example, assume a business wants to provide access to Salesforce.com and WebEx (Federated Access) and to the internal HR portal (Legacy Access). In the myOneLogin management portal, the administrator enters the mapped, federated userIDs for WebEx and Salesforce, and the individual credentials for the HR portal.

In many cases the administrator can provide fixed, shared accounts. The credentials for the shared account are never exposed to the business user, who connects to the application by clicking a button from the myOneLogin portal. myOneLogin sends the credentials in the background. This prevents users from walking out with valuable credentials when they change jobs or employers.

The first time any new user connects to the service, myOneLogin provides the user a strong two-factor credential. A one-time activation key is sent to their corporate email (as provided by the administrator) or delivered via another mechanism, such as phone or SMS. When the business user provides the activation key, the myOneLogin service sends the strong authentication credential. (Note that this activation process only happens the first time the business user connects to myOneLogin, unlike IP-based authentication that makes mobile users authenticate each time they connect from a new location.)

Once users connect to myOneLogin, they are presented a portal page displaying the SaaS services that they can now access with a single click.

■ If they are connecting to Federated Access applications such as Salesforce.com or WebEx, they gain access using an API or a federation standard like Security Assertion Markup Language (SAML).

■ If they are connecting to a Legacy Access application like the HR portal, myOneLogin sends the credentials to the backend service and the user is signed on.

Example: Connecting to WebEx with myOneLogin

When an authenticated user clicks the WebEx button, myOneLogin initiates the connection to the WebEx application.

1. The user signs on to the myOneLogin service using a strong two-factor credential.

2. The user is shown a list of web-based applications like WebEx. The user clicks on the WebEx button to get access to WebEx.

3. The myOneLogin.com service generates a SAML response that contains the authenticated user’s username. In accordance with the SAML 1.1 specification, this response is digitally signed by the myOneLogin service with its private key, so that it can be verified with the corresponding public key.

4. The myOneLogin service encodes the SAML response and returns that information to the user’s browser. The myOneLogin service then redirects the user’s browser to do a SAML POST to the WebEx SAML consumer URL for that particular customer. This SAML POST includes JavaScript on the page so that the SAML is automatically submitted to WebEx.

5. WebEx’s SAML Consumer URL verifies the SAML response using the myOneLogin service’s public key. If the response is successfully verified, the user gets access to the WebEx application and logs in.
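Steps 3 to 5 as an added worked example in Go, not code from TriCipher, WebEx or the myOneLogin service: an Ed25519 signature over a small JSON assertion stands in for the SAML 1.1 XML signature, the consumer URL and expiry fields are assumed, and the consumer side shows why the signature check must come before the username is trusted.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Assertion stands in for the SAML response of step 3 (constructed model: JSON in
// place of SAML XML): who was authenticated, by whom, for which consumer URL, until when.
type Assertion struct {
	Subject      string    `json:"subject"`
	Issuer       string    `json:"issuer"`
	Recipient    string    `json:"recipient"`
	NotOnOrAfter time.Time `json:"not_on_or_after"`
}

var b64 = base64.RawURLEncoding
// Issue is the IdP side (step 3): sign with the service's PRIVATE key and encode
// "assertion.signature" for the browser to auto-POST (step 4).
func Issue(priv ed25519.PrivateKey, a Assertion) string {
	body, _ := json.Marshal(a) // cannot fail for this struct
	return b64.EncodeToString(body) + "." + b64.EncodeToString(ed25519.Sign(priv, body))
}

// Consume is the SP side (step 5); checks run in order and the first failure wins:
// decode, verify with the issuer's PUBLIC key, parse, check consumer URL and expiry.
// Only a fully valid response yields a username, so only then is a session created.
func Consume(pub ed25519.PublicKey, consumerURL string, now time.Time, msg string) (string, error) {
	b64Body, b64Sig, ok := strings.Cut(msg, ".")
	body, err1 := b64.DecodeString(b64Body)
	sig, err2 := b64.DecodeString(b64Sig)
	var a Assertion
	switch {
	case !ok || err1 != nil || err2 != nil:
		return "", errors.New("malformed response")
	case !ed25519.Verify(pub, body, sig):
		return "", errors.New("signature invalid: not issued by the trusted IdP")
	case json.Unmarshal(body, &a) != nil:
		return "", errors.New("unparseable assertion")
	case a.Recipient != consumerURL:
		return "", errors.New("assertion not intended for this consumer URL")
	case !now.Before(a.NotOnOrAfter):
		return "", errors.New("assertion expired")
	}
	return a.Subject, nil
}
```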

Administering myOneLogin

The myOneLogin service gives businesses a centralized user management screen for adding and revoking users and user rights to SaaS applications. Administrators log in securely to myOneLogin using strong authentication before they can perform administrative tasks.

■ Typical user management activities include adding, modifying, deleting, disabling, resetting users and adding mapped user credentials for SaaS applications.

■ Typical application management activities include adding or removing SaaS applications and adding/removing users from SaaS applications.

Reporting

The myOneLogin service provides a dashboard for reporting user access to SaaS applications. Application usage reports help businesses track application usage and simplify license management.

Logging

myOneLogin provides each customer with an individual audit and compliance report that can be downloaded periodically. Tamperproof audit logs aid compliance efforts.

Operations

The underlying TriCipher technology, managed by TriCipher, is a high-performance, highly secure technology in a redundant, scalable implementation.

Summary

myOneLogin helps businesses leverage the full benefits of SaaS applications by protecting access to applications while reducing the cost and complexity of managing multiple accounts and passwords for business users. The myOneLogin login cannot be phished or stolen, as it depends on strong, two-factor authentication. And business users do not need to worry about forgetting, misplacing, or resetting the passwords to the applications they rely on for everyday activities. myOneLogin manages and maintains all passwords, securely and transparently.

The myOneLogin service relies on powerful, proven authentication technologies from TriCipher. As a hosted service, myOneLogin provides all of the convenience and reduced cost of ownership of the SaaS applications it supports. Businesses can extend the myOneLogin service to protect access to internal web-based applications and enterprise SSL VPNs as well.


Author's website: http://www.myonelogin.com/

© Copyright The Business Forum Institute 1982 - 2011  All rights reserved.