Businesses of all sizes are adopting web-based, hosted applications provided by Software-as-a-Service (SaaS) vendors such as Salesforce.com, WebEx and Google. By using SaaS, businesses benefit from consistent and predictable costs, rapid deployment, and reduced management costs.  But using SaaS introduces data theft and privacy concerns. Users connect over the Internet to vital business applications; the theft of usernames and passwords puts business data at risk. Recently, widely-publicized phishing attacks against Salesforce.com customers illustrated the potential problem. As SaaS deployments increase, so will the phishing attacks targeting them.

For compliance purposes, businesses need to demonstrate the policies protecting access to vital applications. Yet users frustrated with managing multiple password policies may inadvertently defeat security measures and put business data at risk. Strong authentication and application credential management solutions help, but deploying these systems is a major undertaking that erodes the cost/simplicity benefits of SaaS adoption. myOneLogin� addresses the essential challenge of enhancing security and compliance while simplifying password complexity. A hosted service, myOneLogin combines strong authentication with a single login to multiple web-based applications. Business users connect to the myOneLogin portal using strong authentication, and from there can connect to multiple web-based applications and the enterprise SSL VPN, all with a single, secure login.

As a hosted service, myOneLogin reduces the cost of security and compliance, while offering rapid deployment and simplified management.

■ Reduced risk exposure to business data and applications due to insecure, shared or phished passwords

■ Better management of user accounts and subscriptions using a centralized, online interface

■ Cost-effective security, deployed as a service with no up-front investment

■ Simplified demonstration of password enforcement for regulatory compliance

■ Reduced help desk time supporting different password policies and forgotten passwords

■ Enhanced license management for SaaS applications; eliminate lost or unused licenses

■ Reduced privacy concerns using strong authentication security

■ Simplicity of a single account and password, rather than managing, changing and remembering distinct passwords for different accounts.

Software-as-a-service providers can also benefit from the myOneLogin service by offering subscribers secure single login to their applications. By meeting strong security and privacy requirements, SaaS providers can increase the adoption of their services.

1. Business grants applications access to the user.

2. User makes a secure connection to myOneLogin

and selects application from the list.

3. myOneLogin logs user into applications.

The myOneLogin service provides a strong authentication and single sign-on infrastructure that addresses online security risks and provides the convenience of a single, secure login. The strong authentication uses multi-part credential and flexible factor technologies from TriCipher�, experts in strong authentication technologies. myOneLogin supports different levels of authentication strength. Businesses can choose the level that best meets their needs, balancing security, cost, risk, and ease of use.

Basic

Two-factor authentication with encrypted browser cookies and mutual authentication. This level offers protection from phishing and password theft.

Intermediate

Two-factor authentication with certificates and mutual authentication. Certificates are more secure than cookies, as they cannot be copied from the machine. This level offers protection from phishing, password theft and man-in-the-middle attacks.

High

The highest level of protection with mutual SSL. The underlying technology is the TriCipher Armored Credential System (TACS), which offers a variety of multi-factor authentication options. (See the TriCipher Authentication Ladder, below.) TACS supports high-volume financial services applications with strong security needs and demanding customers.

The TriCipher technology supporting myOneLogin integrates a range of authentication factors, including passwords, browser cookies/certificates, PCs, portable devices, tokens, smart cards and biometrics, for a complete strong authentication system. All strong credentials provided by myOneLogin support full roaming capabilities; users can be given the appropriate levels of freedom to accomplish a desired security policy.  Using myOneLogin, business users can confidently and securely access their SaaS applications from any computer.

■ SaaS providers such as Google, SalesForce.com and WebEx work with federation standards or provide APIs to support single sign-on and authentication with their services.

myOneLogin currently supports the following Federated Access applications:

■ Google Apps

■ SalesForce.com

■ WebEx

The service can easily integrate with other third-party SaaS providers that use federation standards like SAML.

myOneLogin can support any web-based application that uses standard, forms-based authentication (user ID and password). We can provide a current list of legacy access applications that have been pre-certified, and can easily support new applications based on customer needs.

For these applications, myOneLogin uses a password escrow approach. The service maintains the passwords according to password policies. Business users do not even need to know the individual accounts and passwords, reducing the risk of password theft or loss.

Before users can access their SaaS applications using myOneLogin, the administrator performs a one-time configuration, defining the applications that the business users can access.

For example, assume a business wants to provide access to Salesforce.com and WebEx (Federated Access) and to the internal HR portal (Legacy Access). The administrator updates the mapped, federated userIDs for WebEx and Salesforce to the myOneLogin management portal, and the individual credentials for the HR portal.

In many cases the administrator can provide fixed, shared accounts. The credentials for the shared account are never exposed to the business user, who connects to the application by clicking a button from the myOneLogin portal. myOneLogin sends the credentials in the background. This prevents users from walking out with valuable credentials when they change jobs or employers.

The first time any new user connects to the service, myOneLogin provides the user a strong 2-factor credential. A one-time activation key is sent to their corporate email (as provided by the administrator) or delivered via another mechanism, such as phone or SMS. When the business user provides the authentication key, the myOneLogin service sends the strong authentication credential. (Note that this authentication process only happens the first time the business user connects to myOneLogin, unlike IP-based authentication that makes mobile users authenticate each time they connect from a new location.)

Once users connect to myOneLogin, they are presented a portal page, displaying the SaaS service that they can now access with a single click.

■ If they are connecting to Federated Access applications such as Salesforce.com or WebEx, they gain access using an API or a federation standard like Security Assertion Markup Language (SAML).

■ If they are connecting to a Legacy Access application like the HR portal, myOneLogin sends the credentials to the backend service and the user is signed on.

When an authenticated users clicks the WebEx button, myOneLogin initiates the connection to the WebEx application.

1. The user signs on to the myOneLogin service using a strong two-factor credential.

2. The user is shown a list of web-based applications like WebEx. The user clicks on the WebEx button to get access to WebEx.

3. The myOneLogin.com service generates a SAML response that contains the authenticated user�s username. In accordance with the SAML 1.1 specification, this response is digitally signed with the myOneLogin service�s public and private keys.

4. The myOneLogin service encodes the SAML response and returns that information to the user�s browser. The myOneLogin service then redirects the user�s browser to do a SAML POST to the WebEx SAML consumer URL for that particular customer. This SAML POST includes JavaScript on the page so that the SAML is automatically submitted to WebEx.

5. WebEx�s SAML Consumer URL verifies the SAML response using the myOneLogin service�s public key. If the response is successfully verified, the user gets access to the WebEx application and logs in.

The myOneLogin service gives businesses a centralized user management screen for adding and revoking users and user rights to SaaS applications. Administrators login securely using strong authentication to myOneLogin before they can perform administrative tasks.

■ Typical user management activities include adding, modifying, deleting, disabling, resetting users and adding mapped user credentials for SaaS applications.

■ Typical application management activities include adding or removing SaaS applications and adding/removing users from SaaS applications.

The myOneLogin service provides a dashboard for reporting user access to SaaS applications. Application usage reports help businesses track application usage and simplify license management.

myOneLogin provides each customer with an individual audit and compliance report that can be downloaded periodically. Tamperproof audit logs aid compliance efforts.

The underlying TriCipher technology, managed by TriCipher, is a high-performance, highly secure technology in a redundant, scalable implementation.

Disclaimer

The Business Forum, its Officers, partners, and all other
parties with which it deals, or is associated with, accept
absolutely no responsibility whatsoever, nor any liability,
for what is published on this web site.    Please refer to: