User Authentication for Software-as-a-Service (SaaS) Applications White Paper

Transcription

1 User Authentication for Software-as-a-Service (SaaS) Applications White Paper User Authentication for Software-as-a-Service (SaaS) Applications White Paper Page 1 of 16

2 DISCLAIMER Disclaimer of Warranties and Limitations of Liabilities The product is provided on an 'as is' basis, without any other warranties, or conditions, express or implied, including but not limited to warranties of merchantable quality, merchantability of fitness for a particular purpose, or those arising by law, statute, usage of trade or course of dealing. The entire risk as to the results and performance of the product is assumed by you. Neither we nor our dealers or suppliers shall have any liability to you or any other person or entity for any indirect, incidental, special or consequential damages whatsoever, including but not limited to loss of revenue or profit, lost or damaged data of other commercial or economic loss, even if we have been advised of the possibility of such damages or they are foreseeable; or for claims by a third party. Our maximum aggregate liability to you, and that of our dealers and suppliers shall not exceed the amount paid by you for the Product. The limitations in this section shall apply whether or not the alleged breach or default is a breach of a fundamental condition or term, or a fundamental breach. Some states/countries do not allow the exclusion or limitation or liability for consequential or incidental damages so the above limitation may not apply to you. Copyright No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of VASCO Data Security Inc. Trademarks DIGIPASS & VACMAN are registered trademarks of VASCO Data Security. All other trademarks or trade names are the property of their respective owners. VASCO reserves the right to make changes to specifications at any time and without notice. The information furnished by VASCO in this document is believed to be accurate and reliable. However, VASCO may not be held liable for its use, nor for infringement of patents or other rights of third parties resulting from its use. User Authentication for Software-as-a-Service (SaaS) Applications White Paper Page 2 of 16

3 CONTENTS 1. Overview Objective Intended Audience The Market How did we get here? Customer Authentication: Security Background Market factors Attacks and Defenses VASCO Delivery Platforms (Channel) Solutions Conclusion User Authentication for Software-as-a-Service (SaaS) Applications White Paper Page 3 of 16

4 1. OVERVIEW 1.1 OBJECTIVE The objective of this white paper is to help educate the reader on the critical components in which authentication solutions are applied within Business to Business (B2B) applications. B2B applications, or more commonly referred to as Software-as-a-Service (SaaS) providers, are one of the fastest growing markets in which authentication is being deployed. The authentication for SaaS applications and its users contain a number of aspects that are unique and worth discussing from both a security and business perspective. 1.2 INTENDED AUDIENCE This paper is written for decision makers who use a SaaS application or are responsible for building and supporting a SaaS application. The ideal reader is looking to better understand how authentication and security will affect his/her users experience. 1.3 THE MARKET Today s SaaS providers encompass a complete spectrum of applications including: Real estate Pharmaceuticals Legal & intellectual property Engineering CRM & ERP e-learning & education Healthcare Enterprise Content Management User Authentication for Software-as-a-Service (SaaS) Applications White Paper Page 4 of 16

5 In addition, the authentication of hosted systems is not singularly limited to providers of the application itself. Certainly, this is a critical component to address, but the market can be broken into three key segments: SaaS Providers SaaS providers are organizations who provide an application or service over an online channel. SaaS providers are focused on insuring that their application, data, and functions they provide to their customers, are safe and secure. SaaS users SaaS users are customers of outsourced software who access critical applications and data over an online channel. SaaS users must be confident that the provider s critical applications and data they access are safe. Operational Portals Operational portals are web applications that are built by an organization to provide access to internal systems or processes to external users. Operational portals must insure that the applications, data, and functions they provide are secure and the users who access their systems are properly authenticated. Each segment represents unique challenges and opportunities. A particular challenge that has emerged over the last few years is that of deploying effective and efficient security. One aspect of security that has become critical to the success of online applications is that of authentication. Authentication can be best defined as The process of determining whether someone [or something] is, in fact, who [or what] it is declared to be. Essentially, we must insure the person who is accessing our application is who they say they are! In the physical world, this is quite easy to do. We can validate a passport or a driver s license and once a person has been authenticated - we can usually recognize them quite easily in the future. User Authentication for Software-as-a-Service (SaaS) Applications White Paper Page 5 of 16

6 However, when dealing in the online world, it is not so easy to establish this connection. Providers and vendors have both come up with a number of different methods and techniques to perform a virtual authentication. Most readers will recognize some or all of the various types of authentication which can be broken down into three areas: 1) Single-factor authentication: Commonly known as username and password, Single-factor authentication includes something you know which is an ID and/or password). Single factor authentication is ideal for low risk applications where cost is a major factor and the security of compromised passwords is not a high priority. 2) Two-factor authentication: Two-factor authentication includes something you know (a password) and something you have (phone, token, card). Two-factor authentication is ideal to secure applications where the total cost of ownership (TCO) is the primary cost factor and the info users are accessing is of a sensitive nature. This can include personal information, patent information, health records etc. 3) Three-factor authentication: Three factors of authentication include something you know (a password), something you have, and something you are (biometric). Three-factor authentication is ideal to secure physical access to sensitive locations or the most sensitive information. Cost is a small concern. Any application that is accessed over a remote channel will require some form of user authentication. In this short paper, we will attempt to align the business drivers in making the decision to determine the role authentication will have on the security of these users. User Authentication for Software-as-a-Service (SaaS) Applications White Paper Page 6 of 16

7 1.4 HOW DID WE GET HERE? There have been a number of converging factors that have driven the need for stronger authentication within SaaS applications. Many of these factors have happened over the past few years and continue to evolve today. Such variables include an increase in regulation, the advancement of more decentralized computing (i.e. Cloud computing), and the emergence of mobile devices and platforms. In addition, companies who provide online applications are driven to provide systems and applications that are more robust and available from any place and at any time to satisfy today s demanding users. These combined factors have opened new opportunities and new risks. In fact, we can look over the past few years and the stages that have led to today, to help determine the role authentication will have in the future: 1. The financial market successfully extends applications to the Internet. e-banking for both commercial and retail customers improves efficiency and convenience to both users and the bank and today s consumers and businesses are now dependant on ebanking. ebanking becomes the first customer interfacing application to reach widespread adoption. 2. Remote employee access becomes generally accepted. The mobile workforce is introduced and employees gain access to applications, databases, and sensitive information over virtual private networks (VPN) and web applications. The authenticity of the user becomes suspect and two-factor authentication is introduced to secure access to systems and networks. 3. Organizations move to more decentralized operations and a virtual working model. Off shore development, home offices, and international operations all combine to drive more distributed computing, applications, and access from anywhere and at any time. SaaS is introduced to reduce capital expenditures, improve productivity, and work effectively in a mobile world. 4. An increase in regulatory focus for fraud and security impacts financial institutions and businesses. Secure access and protection of sensitive information becomes a requirement. Mandates under FFIEC, PCI, HIPAA, SOX, and others, drive decision makers to secure sensitive information and user access. 5. Fraud and evolving attacks begin to undermine the trust in the system. The combination of the (a) inherent insecurity of the Internet and remote access; (b) the proliferation of the [cheap] PC, and (c) broadband access give online fraud a platform to attack users. User Authentication for Software-as-a-Service (SaaS) Applications White Paper Page 7 of 16

8 6. High Tech and Low Tech attacks evolve into an industry. Phishing attacks become common. Viruses, Trojans, and key loggers increase and education is ineffective to combat these attacks. Today s decision makers must now weigh security, regulation, and the need to extend applications and improve functionality as they plan for the future. And for organizations that provide a customer interfacing application, the authentication and security of their users becomes critical to the short and long term viability of the organization. The remainder of this paper will illustrate the basic philosophy of securing customers, the fraud attacks and defenses used to combat them, and the different client platforms and channels which are used to gain secure access. User Authentication for Software-as-a-Service (SaaS) Applications White Paper Page 8 of 16

9 2. CUSTOMER AUTHENTICATION: SECURITY BACKGROUND First, it is best understood that securing customers is very different from securing internal employees. Whereas internal employees are a captive and controlled audience that can be forced and/or required to use a specific security mechanism, customers are fickle and have the right to choose which services or products they use. Therefore, adding security to any service will have an impact on the customer. This is a fact that must always be considered when choosing, educating, and deploying a security solution to end-users. VASCO is a security company first - focused on authentication but will have to strike a balance between security and user acceptance. To use a simple analogy, VASCO believes that using strong locks properly is critical to the success of the application. As an authentication provider, VASCO simply harnesses and listens to market information to build solutions to secure tomorrows users. In doing so, VASCO has built products under a family concept which means all solutions (past, present, and future), methods (passive or active security), and platforms are interoperable with one another to insure the constant balance of cost, security, and user acceptance is met. 2.2 MARKET FACTORS With fraud on the rise worldwide and with the natural progression to offer more goods and services online security will become even more important in the future. Either decision makers and/or application owners will improve the level of security for their users or the applications they provide, will be limited. Essentially, it can be concluded that something will need to give. Trends and technology come and go but in the end, a company will need to secure users of its services properly or it risks losing customers. To do so, authentication must be looked at as a philosophy and not as a product. It is not for one entity to say this is good authentication and this is poor. In fact, it is up to the decision maker that best understands his/her customer base to determine the level of authentication required today what they expect the level of authentication to look like a year from now and where they expect it to go in the future. Only with an understanding of this long view, can VASCO truly offer [good] advice on how a user should be secured. The long view must answer the following questions: 1. Who are the company s customers today what are they able to access what is the risk? 2. What services are planned to offer to them tomorrow? User Authentication for Software-as-a-Service (SaaS) Applications White Paper Page 9 of 16

10 3. What are the risks? From fraud? Disgruntled employees? 4. Will regulation impact the company or the application? 5. Can the company implement a solution today that will help protect the user tomorrow? 6. How are the users educated today? How will this happen tomorrow? The authentication we choose to implement from these answers is then based on a compromise between three points of a triangle (1) the level of security (2) total cost of ownership (TCO) and (3) user acceptance. As way of example, static passwords have a low TCO and high user acceptance, but they have very low security. Biometric devices have very high security but they are expensive and may have severe user acceptance issues. Hardware authenticators (tokens) have high security, but there is an expense associated with their implementation. As a company looks to make decisions that impact its customers, it must take both the triangle and the long view into consideration. In fact, the decision a bank makes and the product the bank implements is not the end solution it is merely another step. 2.3 ATTACKS AND DEFENSES The use of username and password schemes to authenticate users has become increasingly risky. Although many SaaS and web applications utilize standard username and password schemes, these schemes are based on static information and are insecure by nature. Username and passwords are easy to guess, crack, hack, and steal. Often, passwords are reusable over other applications and over a long period of time. Dynamic information is much more secure than static information. Dynamic information is much more difficult to hack or steal and if stolen, it is only good for a period of time. Dynamic information drastically reduces the risk of someone gaining access to information that they are not allowed to access. The combination of dynamic information with a physical device further increases the level of security as a fraudster must have the physical device and know a password to gain access. This is the fundamental premise behind strong, two- factor authentication. Something you know (password) + something you have (device) + dynamic information = strong authentication. User Authentication for Software-as-a-Service (SaaS) Applications White Paper Page 10 of 16

11 The fraud market has begun to shift over the past year and the threats of attacks have shifted from simple password/social attacks based on phishing and pharming - to actual account theft from various social, technical, and low tech fraud. Password attacks can be fairly simple to defend against and by deploying dynamic passwords, educating customers, and verifying the host application, we can do a good job in mitigating our risks. Dynamic passwords or one-time passwords are a fantastic defense against phishing, pharming, and Trojan Horses. Validation of the use of one-time passwords can be seen with phishing attacks on Salesforce.com users and their recommendation to use one-time password technologies. For SaaS organizations that are looking to promote access and/or transfer of information, transaction thefts, or man-in-the-middle-attacks (MITM), have added an element of sophistication onto the fraudster s attack. It is no longer acceptable to insure that only the user and the site he accesses is protected SaaS organizations must now begin to look in how to secure any transaction or transfer of information. Providing and verifying the signature of a transaction becomes more important today but the approach that you take is even more important when considering the long view as cited earlier. In fact, today we are still dealing with social attacks (phishing, pharming) and derivatives of these attacks User Authentication for Software-as-a-Service (SaaS) Applications White Paper Page 11 of 16

12 (real-time phishing). When discussing MITM attacks, we are essentially talking about tomorrow s issue. User Authentication for Software-as-a-Service (SaaS) Applications White Paper Page 12 of 16

13 This further illustrates the point that what is decided today, has a big impact on tomorrow. VASCO s solution for MITM is to combine two-factor authentication with an electronic signature (esignature). Essentially, an electronic signature takes pieces of information specific to the transaction (e.g. account information from both parties and the dollar amount) and generates a unique value based on these factors. This value is used to validate the transaction. If a third party changes the information (e.g. changes the account information) the unique value will not match and the fraudulent transaction can be avoided. The act of generating and verifying an esignature can be as active or passive as the user requires and can used within pharmaceutical, legal, educational, and business applications that transfer and update information over an online channel. As a conclusion, VASCO provides a complete portfolio of channels to deliver dynamic passwords used to replace static passwords. This is typically done when users need to access sensitive information through a remote channel like a phone or web application. VASCO also secures transactions by taking multiple fields of a transaction and creating a unique signature on the transaction. The verification of this signature insures the transaction is not compromised. User Authentication for Software-as-a-Service (SaaS) Applications White Paper Page 13 of 16

14 3. VASCO DELIVERY PLATFORMS (CHANNEL) VASCO s defenses against the various attacks can be delivered in a variety of different ways. Certainly, the majority of VASCO s customers implement authentication devices to protect their users, but this should not be confused with a limitation. In fact, VASCO s dynamic password, host authentication, and e-signature functionality can all be delivered over almost any platform that is required by a customer. Customers have deployed this technology using faxes, Blackberry, telephone, VRU, mobile phones, SMS, smart cards, software, hardware, etc. There are over 50 different channels that VASCO supports and more are added every day. There are over seven versions of software solutions and several solutions for blind and visually impaired users. When VASCO discusses authentication with clients the delivery platform or channel should be the last piece to consider. Only after understanding the philosophy, the attacks, and defenses, you wish to use, should the mechanism used to implement your approach be discussed. The delivery platform used will have an impact on the security triangle - but it does not necessarily impact the long view. This point is the most crucial as the delivery platform for today is chosen. If the factors as written earlier can be accepted, the discussions on the strengths and weaknesses of the platform you are looking to select can be done with a clearer conscience. This is the point that is most commonly misunderstood. The platform that is delivered is the easy part understanding why a particular platform is chosen, is difficult. A complete list of different platforms can be accessed at SOLUTIONS There are a number of passive and active actions that can be implemented to defend and protect users from online fraud. Many stand up to the rigors of outside regulations and internal policies but the most proven solution in the market has been in use for over a decade and still continues to evolve today. Time-based one-time passwords and electronic signatures have proven to strike the balance between security, user acceptance, and cost more than any other solution. Time-based one-time passwords (OTP), are dynamic passwords that change consistently - making them very difficult to hack or steal. OTP s use three things in order to calculate a secure password: Time A unique secret User Authentication for Software-as-a-Service (SaaS) Applications White Paper Page 14 of 16

15 A secure algorithm When a user wishes to initiate an authentication, he will access his dynamic password via the channel provided. As discussed earlier, the channel can be a mobile device, hardware token, software, or other form factor. The user simply provides a password to access the secure DIGIPASS credential and the device will generate a unique one-time password based on the current time and unique secret of the owner. The password is only good for a specific period of time which makes it far more difficult to hack. Moreover, because the user is required to know a password and have a DIGIPASS, the security is based on twofactors of authentication. As an additional layer of security, electronic signatures can be used to sign a transaction. E- signature is a method used to insure a transaction is not altered or changed without the user s acknowledgement. E-signatures can be used to augment the one-time password to provide a secure solution to combat against phishing, Trojans, and man-in-the-middle attacks. It is based on the same fundamentals as one-time passwords and will use various pieces of information specific to the transaction in order to sign the transaction. This can include specific fields critical to the transfer of information (medical information, personal data, product ID numbers, etc.) If any information is altered during the transition, the client signature will not match the server signature and the transaction will be invalid. First, the user is authenticated using a DIGIPASS credential and dynamic password insuring that someone hasn t compromised the account. Secondly, the user can authenticate the transaction insuring someone hasn t hijacked the session and altered the transaction. Finally, the complete solution is supported by one back-end system. There is no need to purchase separate server solutions to support various users or channels deployed to the client. Integrating client authentication from one scalable back-end infrastructure provides ample security for today s applications and allows for tomorrow s emerging markets and customers. VASCO s approach to build all systems under this family concept has been proven and can be linked to different generations of applications and users. Customers that have started with a simple hardware authenticator (token) can move to a mobile credential or PKI certificate in the future with limited impact on the back-end system. This fact reduces management, help desk, investment in infrastructure and the overall cost of the security system making it possible to invest more into the application provided to the customer. User Authentication for Software-as-a-Service (SaaS) Applications White Paper Page 15 of 16

16 4. CONCLUSION The markets are undergoing drastic change. Increased functionality, distributed computing, fraud, and regulation are all motivating SaaS providers and users of SaaS applications to consider the implications of strong authentication. The acceleration of mobile technology and smart phones will continue to drive the need for authentication security in the future. VASCO has a proven history of securing millions of users over the last ten years and with its DIGIPASS product family, customers can authenticate and sign transactions with software, mobile authentication, hardware devices or any combination. The DIGIPASS solution remains the world s most recognized, reliable, and secure credential used today. To support DIGIPASS, VASCO provides two unique server platforms: 1. VACMAN Controller is a flexible, scalable, and secure API. VACMAN Controller is ideal for e-banking and e-commerce applications, or SaaS providers who wish to embed authentication within their application. With unlimited scalability and rich functionality, VACMAN Controller has become the standard tool for supporting large scale authentication deployments. 2. IDENTIKEY is a flexible, robust, and secure authentication server. IDENTIKEY provides robust authentication support ideal for organizations looking to secure their Business-to-Business applications, internal portals, and access to remote systems. IDENTIKEY supports hardware, software, and mobile authentication. The complete VASCO solution range is designed to strike the balance between security, user acceptance, and Total Cost of Ownership (TCO). As SaaS providers and users of SaaS applications begin to consider the impact of authentication it is important to consider the points that are discussed in this paper. SaaS applications represent what s next to the online channel. Driven by mobile technology, a global economy, and regulation, the security of cloud computing remains dependant on the authenticity of the users who access the system and actions they make over the internet and mobile channel. VASCO remains steadfast in securing today s applications and what is to come tomorrow. User Authentication for Software-as-a-Service (SaaS) Applications White Paper Page 16 of 16