How Soffid protects your passwords

Soffid ESSO, like any other enterprise single sign-on product, needs to store passwords in a form that can be replayed to applications. This requirement means that passwords have to be stored either in clear text or with a reversible encryption algorithm, which makes them vulnerable to insider attacks.

To limit the risk of an insider attack, however unlikely, Soffid uses a mechanism that protects system passwords while still letting the enterprise single sign-on module obtain the password value when it is required. To do this, Soffid creates an RSA key pair for each synchronization server. The private key is stored locally on that server, and the public key is stored in the database.

Once the keys are in place, every process that needs to encrypt a password must do so once for each synchronization server public key. With two synchronization servers, as in the accompanying image, every password Soffid sets for a user is stored twice: the first copy is encrypted with the first server's RSA public key and the second copy with the second server's RSA public key.

This mechanism guarantees that only a synchronization server can decrypt a password, and only the copy that was encrypted with its own public key. A copy of the database on its own yields nothing but ciphertext.

By default, private keys are stored on the file system and protected by a secret word. Backups of these private keys, and of the configuration file that contains the secret word, should be kept on different devices from the Soffid database backup, so that no single backup contains both the ciphertext and the means to decrypt it.

For the highest level of protection, an HSM can be used. Provided the HSM exposes a PKCS#11 interface, the synchronization server will use it to perform decryption with the private key stored on the HSM, so the key material does not have to sit on the server's file system at all. This gives the strongest assurance of password confidentiality.
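The scheme above, worked through in Go as an added example that is not Soffid's own code. An in-memory Registry stands in for the Soffid database, RSA-OAEP with SHA-256 is assumed as the encryption mode (the page does not say which RSA padding Soffid uses), and the account name is used as the OAEP label, which is also an assumption made here. The example shows the part the text leaves implicit: a server cannot open the copy that was encrypted for a different server, and a password is refused if no server public key has been published yet.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SyncServer stands in for one synchronization server (illustrative model, not
// Soffid's code). The private key never leaves the struct; only the public half
// is handed to the Registry.
type SyncServer struct {
	Name string
	priv *rsa.PrivateKey
}

// NewSyncServer generates the per-server RSA key pair.
func NewSyncServer(name string, bits int) (*SyncServer, error) {
	k, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return &SyncServer{Name: name, priv: k}, nil
}

// PublicKey is the half that gets published to the database.
func (s *SyncServer) PublicKey() *rsa.PublicKey { return &s.priv.PublicKey }

// Decrypt opens one ciphertext with this server's private key. It fails with an
// OAEP decryption error if the copy was produced for another server's key.
func (s *SyncServer) Decrypt(ct []byte, account string) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, s.priv, ct, []byte(account))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// Registry is an in-memory stand-in for the database: the published public keys
// and, per account, one ciphertext per synchronization server.
type Registry struct {
	pubs   map[string]*rsa.PublicKey
	stored map[string]map[string][]byte // account -> server name -> ciphertext
}

func NewRegistry() *Registry {
	return &Registry{pubs: map[string]*rsa.PublicKey{}, stored: map[string]map[string][]byte{}}
}

func (r *Registry) RegisterPublicKey(server string, pub *rsa.PublicKey) { r.pubs[server] = pub }

// SetPassword encrypts the password once per registered public key, so the
// database holds N ciphertexts and no plaintext. The account name is used as
// the OAEP label (an assumption in this example) so a ciphertext cannot be
// silently moved from one account to another.
func (r *Registry) SetPassword(account, password string) error {
	if len(r.pubs) == 0 {
		return errors.New("refusing to store a password: no synchronization server public keys registered")
	}
	copies := make(map[string][]byte, len(r.pubs))
	for server, pub := range r.pubs {
		ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(password), []byte(account))
		if err != nil {
			return fmt.Errorf("encrypting for %s: %w", server, err)
		}
		copies[server] = ct
	}
	r.stored[account] = copies
	return nil
}

// Ciphertext returns the copy stored for one server.
func (r *Registry) Ciphertext(account, server string) ([]byte, bool) {
	ct, ok := r.stored[account][server]
	return ct, ok
}

// CopyCount reports how many encrypted copies exist for an account.
func (r *Registry) CopyCount(account string) int { return len(r.stored[account]) }

// Recover is what a synchronization server does when ESSO needs the value:
// fetch its own copy from the database and decrypt it locally.
func (s *SyncServer) Recover(r *Registry, account string) (string, error) {
	ct, ok := r.Ciphertext(account, s.Name)
	if !ok {
		return "", fmt.Errorf("no copy of %q password encrypted for server %s", account, s.Name)
	}
	return s.Decrypt(ct, account)
}

func main() {
	a, _ := NewSyncServer("sync-1", 2048)
	b, _ := NewSyncServer("sync-2", 2048)
	reg := NewRegistry()
	reg.RegisterPublicKey(a.Name, a.PublicKey())
	reg.RegisterPublicKey(b.Name, b.PublicKey())
	if err := reg.SetPassword("alice", "correct horse battery staple"); err != nil {
		panic(err)
	}
	fmt.Println("copies stored for alice:", reg.CopyCount("alice"))
	for _, s := range []*SyncServer{a, b} {
		pw, err := s.Recover(reg, "alice")
		fmt.Printf("%s recovers its own copy: %q err=%v\n", s.Name, pw, err)
	}
	ctA, _ := reg.Ciphertext("alice", a.Name)
	_, err := b.Decrypt(ctA, "alice")
	fmt.Println("sync-2 opening sync-1's copy fails:", err != nil)
}
```

In the HSM deployment the page describes, the `rsa.DecryptOAEP` call inside `Decrypt` is the operation that would be delegated to the device through PKCS#11; the model above keeps the private key in process memory only for brevity. Note also that adding a third synchronization server after passwords have been stored does not retroactively give it access: a copy for its key exists only for passwords set after its public key was published.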

How to remove unnecessary password dialogs

Password stress is a common problem in companies of every size. The advent of cloud applications has increased the number of user names and passwords that an average user has to manage.
Soffid provides a complete single sign-on mechanism that gets rid of authentication dialogs in an easy, efficient and secure fashion.

Password synchronization

Soffid IAM is able to synchronize user passwords, so that users can use the same password for every application, or for a subset of them, even though the user name may differ between applications. This dramatically reduces the number of password-related incidents. In addition, Soffid provides two complementary products that stop users from wasting time entering user names and passwords, increasing their productivity.

Enterprise Single Sign On (ESSO)

The ESSO module is installed on desktop devices running Microsoft Windows or Ubuntu Linux. It enters the passwords each application needs on behalf of the user. To enable this, the administrator configures dialog detection patterns and credential injection rules. When an application asks for a password, Soffid immediately fills in the user name and password for the user. Only when the user has been granted more than one account on an application does Soffid ESSO ask the user to select which account to use.

Web Single Sign On (WSSO)

The WSSO module is installed on the network as an additional web server, acting as a bridge between users and the actual applications. It uses the same technology as ESSO to inject user names and passwords into web applications. Because nothing has to be installed on the user's device, it is suitable for smartphones, tablets and any other device on which ESSO cannot be installed. As a live sample of this technology, the Soffid developer area grants access to four independent applications: Soffid WSSO is connected to PHPBB, Drupal, Jira and Confluence, allowing anyone to register, or to use a federated identity from Google, Facebook or Yahoo, and then access any of them seamlessly. When the user closes the session, it is closed on all four applications at once.

#SecurityNews: “Five Important Lessons from Recent Data Breaches”

This slideshow features five important lessons learned and key takeaways from recent data breaches for businesses that want to protect themselves from similar disasters, as identified by Mark McCurley, senior information security advisor of IDentity Theft 911, a leading provider of personal-touch identity management solutions, identity theft recovery services, breach services and data risk management solutions for businesses.

Complete article by ItBusinessEdge

#SecurityNews: “Risk changes in the cloud”

Companies are no longer tolerant of security-and-compliance teams telling them they cannot go to the cloud. The benefits of cloud technologies are too many to ignore in a business strategy: commodity pricing, flexible scaling, low staff needs, and (for SAAS) a rent-to-own model.

Risk teams must learn how to adapt to the cloud environment, which means changing how they measure and respond to risk in cloud situations. Risk leaders who refuse to make this change are likely to find themselves irrelevant in their organization, suffering not only career immobility but also standing on the sidelines as they watch their company take on increasing risk with little or no care for mitigation.

Complete article by Isaca

#SecurityNews: “The Insider Threat from a Credentials-Based Attack”

Stolen account credentials played a part in the recent Target Corporation payment card data breach. With approximately 40 million customers’ credit and debit card information exposed, stolen credentials from a third party vendor highlighted the weak security that often surrounds internal passwords.

A recent report from Clearswift in fact found that 58% of all data security threats come from the extended enterprise (employees, ex-employees and trusted partners).

Reaction to this news included Dr Anton Chuvakin, research director for Gartner Inc. He said that enterprises are bound to encounter attacks using legitimate stolen credentials, regardless of the proactive security measures put in place to ensure credentials are safe.

Complete article by IsDecisions