Information Security

Defending the digital infrastructure



SaaS Offering Handles SSO

TechFocus: New Password Hell?

Proliferation of software-as-a-service offerings spawns new issues.

The software-as-a-service (SaaS) model pervades business, reducing management headaches and cutting infrastructure and maintenance costs. It's so pervasive that authenticating to multiple Web-based applications raises its own issues, as users and admins struggle with multiple passwords to Internet applications and security problems like password cracking, phishing and man-in-the-middle attacks.

One possible solution is yet another SaaS offering, this one from TriCipher, which launched TACS (TriCipher Armored Credential System) a couple of years ago to provide strong, easy-to-deploy authentication for environments serving thousands of users. Its myOneLogin service leverages TACS' scalability to provide secure authentication and single sign-on (SSO) for multiple Web apps.

WebEx is among the SaaS providers supported out-of-the-box (Salesforce.com and Google Apps are among the headline business apps, and TriCipher recently added consumer applications including Amazon, Yahoo, PayPal and eBay), but any application with an API can be plugged in. Once app integration--say, an online car rental or travel service--is done for one customer, myOneLogin will support it for all.

"In the past, WebEx was more of a data conduit for real-time meetings, not a data store per se, but as we expand our collaboration portfolio, and launch WebEx Connect, the WebEx platform will evolve into a rich repository for data and applications, shared across users from multiple companies. Once you go into that realm, it's extremely useful to layer security," says Bharath Rangarajan, director of product management at WebEx.

The heart of the service is the TACS appliance (see Information Security review, January 2006). One part of the authentication is stored on the TACS appliance, the other with the user.

TriCipher offers three levels of security. Basic utilizes browser cookies, and Intermediate uses certificates. High is based on TriCipher's Identity Protection Tool, in which myOneLogin prompts the user for strong authentication, including tokens, smart cards and biometrics.

Companies can enroll users through batch file uploads or, for larger organizations that require dynamic provisioning and deprovisioning and the policy controls that directory services provide, through Active Directory integration.

"We see a market opportunity for improved security and convenience for users of SaaS applications," says Jon Brody, TriCipher VP. "We deliver better authentication but don't focus the conversation on it. We get a tremendous roll of the eyes when we ask about managing multiple IDs and passwords. Customers buy us for convenience but get security."

"Solutions such as myOneLogin enable people to get in and get on with business," says WebEx's Rangarajan. "We view ease of administration and usability as critical not only by customers but our own partners as well."
