Wednesday, April 2, 2008

Outsource the application. Keep the identities and (strong) authentication

Thomas C Stewart

New interest has been generated lately concerning Software-as-a-Service (SaaS) and federation of identities. SaaS appears (again) to be finally coming of age, as does identity federation. It seems that as both the market for SaaS and the market for identity federation reach a new level of maturity, so too does the associated technology. Better SaaS offerings are driving a need for federation, while federation technology itself and identity standards (SAML 2.0, WCF, WS-Security, OpenID, etc.) are enabling SaaS to actually function well in real environments.

So now there exists great software that can be trusted to run well and to integrate both with other applications and with legacy systems, and a great system to manage access based on identity. If that identity is not established in a strong manner in the first place, however, we’ll not just be letting the fox into the henhouse, but letting him have the run of it. Fortunately, both technologies together now enable the enterprise to deploy a “trust” mechanism for both the initial identity establishment (authentication) and its on-going utilization (sessioning).

This evolution gives new depth to the question: “how does one outsource an application without compromising security?” (and “how would the outsourcing of software affect an enterprise’s regulatory posture?” if the applications involve financial or health care data). One facet of the answer is that application security must start with good authentication. Authentication 2.0 is all about getting to common standards. Federation models, namely SAML 2.0, WCF and OpenID 2.0, have made it possible for enterprises to retain ownership and control of the identities and their respective authentication while still having the application itself hosted elsewhere.

This is the model being used in enterprises that deploy SAML 2.0 systems, and it is promoted by identity federation and single sign-on (SSO) operations such as Ping Identity, Imprivata, and Passlogix, to name a few. There has been renewed focus on federation as a business model, best evidenced by recent M&A activity. I am naturally enthused because as federation comes of age, so too must good, usable two-factor authentication. As CFO of a pure-play authentication company, I am feeling like we are somewhere at the crossroads of lucky and good...

Here is how it can work:

The identities are retained at the enterprise, where they can be monitored and audited to meet regulatory compliance. The authentication, in this model, is also actually hosted by and at the enterprise. This is an important new scenario, afforded to deploying enterprises by the adoption of technologies such as SAML 2.0 and of authentication technologies that actually support this model (like MultiFactor SecureAuth).

Enterprises get the best of both worlds: they retain the original identities and get to select and deploy an authentication technology that actually meets the specific regulatory measures of their industry (SecureAuth meets the standards for PCI, FFIEC and HIPAA). Lastly, the applications themselves can be hosted by a trusted application provider. The SaaS vendor should be selected not only for its services, high availability and reliability, but also for its ability to accept a federated authentication assertion.
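The model above has two halves: the enterprise-hosted identity provider (IdP) authenticates the user and issues a signed assertion, and the hosted application (the service provider, SP) accepts a login only after checking that assertion. The following is an added example, not code from the original post, from MultiFactor or from SecureAuth, and it is not a SAML implementation: it models the assertion as signed JSON, uses an HMAC shared by IdP and SP as a stand-in for the XML signature a real SAML 2.0 assertion carries, and all URLs, key material, subject names and timestamps are constructed. The authentication-context class URIs are the real SAML 2.0 identifiers. What it shows is the set of checks the SP must perform for the enterprise to keep control of who logs in: signature, trusted issuer, audience, validity window, strength of the authentication the IdP performed, and one-time use.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed identifiers for the two parties: the enterprise-hosted IdP and
# the SaaS application acting as SP. Both URLs are assumptions for this example.
IDP_ISSUER = "https://idp.enterprise.example/saml"
SP_AUDIENCE = "https://app.saas-vendor.example/sp"

# Stand-in for the IdP's signing key. Real SAML 2.0 assertions carry an XML
# Signature that the SP verifies against the IdP's published certificate; a
# shared HMAC key is used here so the example runs on the standard library.
IDP_SIGNING_KEY = b"constructed-demo-key-not-for-production"

# SAML 2.0 authentication-context classes. The SP accepts only the strong
# (second-factor) ones below; a password-only login does not qualify.
X509_CONTEXT = "urn:oasis:names:tc:SAML:2.0:ac:classes:X509"
PASSWORD_CONTEXT = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
STRONG_CONTEXTS = {
    X509_CONTEXT,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(subject, authn_context, now, lifetime=300,
                    issuer=IDP_ISSUER, audience=SP_AUDIENCE, key=IDP_SIGNING_KEY):
    """IdP side (enterprise). The user has already authenticated locally; the
    credential never leaves the enterprise, only this signed statement does."""
    claims = {
        "id": secrets.token_hex(8),          # unique ID so the SP can detect replay
        "issuer": issuer,
        "subject": subject,
        "audience": audience,                # the one SP this assertion is for
        "not_before": now,
        "not_on_or_after": now + lifetime,   # short validity window
        "authn_context": authn_context,      # how the IdP authenticated the user
    }
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return _b64url(body) + "." + _b64url(sig)


def validate_assertion(token, now, trusted_issuers, audience, seen_ids,
                       key=IDP_SIGNING_KEY, required_contexts=STRONG_CONTEXTS):
    """SP side (SaaS vendor). Returns (accepted, reason-or-subject). `seen_ids`
    is the SP's replay cache of assertion IDs it has already honoured."""
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = _b64url_decode(body_b64), _b64url_decode(sig_b64)
    except ValueError:
        return False, "malformed"
    # 1. Signature first: nothing in an unverified body can be trusted.
    if not hmac.compare_digest(sig, hmac.new(key, body, hashlib.sha256).digest()):
        return False, "bad signature"
    claims = json.loads(body)
    # 2. Only the enterprise's own IdP may assert identities for this tenant.
    if claims["issuer"] not in trusted_issuers:
        return False, "untrusted issuer"
    # 3. Audience restriction: an assertion minted for another SP is not ours.
    if claims["audience"] != audience:
        return False, "wrong audience"
    # 4. Validity window: a stale assertion is rejected even if well signed.
    if not (claims["not_before"] <= now < claims["not_on_or_after"]):
        return False, "expired or not yet valid"
    # 5. Policy: this application requires strong authentication at the IdP.
    if claims["authn_context"] not in required_contexts:
        return False, "authentication not strong enough"
    # 6. One-time use: the same assertion must not log the user in twice.
    if claims["id"] in seen_ids:
        return False, "replayed"
    seen_ids.add(claims["id"])
    return True, claims["subject"]


def demo():
    """Run the cases an SP integration should be tested against."""
    now = 1_207_137_600  # constructed timestamp (seconds)
    trusted, seen, results = {IDP_ISSUER}, set(), {}
    good = issue_assertion("alice@enterprise.example", X509_CONTEXT, now)
    results["valid"] = validate_assertion(good, now, trusted, SP_AUDIENCE, seen)
    results["replay"] = validate_assertion(good, now, trusted, SP_AUDIENCE, seen)
    results["expired"] = validate_assertion(good, now + 600, trusted, SP_AUDIENCE, set())
    weak = issue_assertion("bob@enterprise.example", PASSWORD_CONTEXT, now)
    results["password_only"] = validate_assertion(weak, now, trusted, SP_AUDIENCE, set())
    other = issue_assertion("alice@enterprise.example", X509_CONTEXT, now,
                            audience="https://other-app.example/sp")
    results["wrong_audience"] = validate_assertion(other, now, trusted, SP_AUDIENCE, set())
    unsigned = issue_assertion("carol@enterprise.example", X509_CONTEXT, now, key=b"other-key")
    results["wrong_key"] = validate_assertion(unsigned, now, trusted, SP_AUDIENCE, set())
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:15s} -> {outcome}")
```

The order of the checks matters: the signature is verified before any claim is read, so the issuer, audience and timestamps are only consulted once they are known to come from the enterprise IdP. The authentication-context check is what ties the SaaS login back to the post's point about strong authentication: the vendor never sees the second factor, but it can refuse assertions that were not produced with one.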

Copyright 2008. MultiFactor Corporation. All Rights Reserved.