May 11
In a recent post we discussed the debated topic of BYOD: the freedom to use your preferred device to get things done, set against the loss of control IT administrators suffer over the trust level of the devices that connect.

There is, however, another related discussion causing quite some eInk to be spilled: MDM or Mobile Device Management.

According to Wikipedia, MDM is all about software to secure, monitor, manage and support mobile devices deployed across mobile operators, service providers and enterprises.

One important aspect of an MDM strategy is controlled access to corporate data and applications, because devices with a low level of trustworthiness can represent a risk and a threat to enterprise security.

Stonesoft SSL VPN, part of the A2Cloud solution, supports the ability to identify connecting devices.

And once you know which device a given user or group of users prefers (BYOD), you can use that information to restrict, allow or deny access to specific resources in a dynamic and flexible fashion.

Customers are enamored of this feature for the customization it offers, because the concept of a device in SSL VPN is not only physical.
A device can be identified by its OS, by the browser used to access the SSL VPN, by the URL requested and by numerous other parameters.

This gives IT and Security Administrators back the control they need to support BYOD and MDM strategies with a proper, agile level of security.


May 03

Stonesoft SSL VPN 1.5.100: BYOD at your service

Cloud Computing, SSL VPN
BYOD.
An acronym, a promise, a new IT paradigm empowered by the Cloud Computing wave.
BYOD stands for Bring Your Own Device.
And it means you should have the freedom to use the most convenient client device to get things done.
Things like accessing corporate data and applications.
In your private, public or hybrid cloud.

But BYOD also brings an issue, and quite a big one: IT loses control over how trustworthy the client device you choose to get things done actually is.
From a security perspective, this is a relevant concern.
The upcoming version of Stonesoft SSL VPN, part of the A2Cloud solution, makes BYOD a viable path.



Mar 31

RSA: To Token or Not To Token

Authentication, Cloud Computing, SSL VPN

By now, you have likely seen the news regarding the breach at RSA and the possibility of a long-term compromise of its SecurID authentication tokens. While the exact cause of the attack is still being determined, one thing is certain: companies need to re-evaluate the security of remote access to their networks.

Not surprisingly, we have received numerous inquiries from customers about our approach to securing remote access.
Additions to the StoneGate SSL VPN remote access solution are already in development, and we have expedited the release of our new authentication server to offer customers multiple authentication methods for securing remote access to critical data and applications across the network.

The new StoneGate Authentication Solution combines SSL VPN and authentication server capabilities with other deployed authentication methods that can be pushed to any remote device. Our multi-factor authentication replaces archaic, awkward and unusable hardware tokens with ergonomic software tokens that are easy to implement and manage, or even a one-time password (OTP) sent via text message to any mobile phone.

Highlights of the StoneGate Authentication Solution include:

  • Secure remote access to any application, including cloud-hosted ones
  • Complete integration of multiple authentication methods, including StoneGate MobileID and SMS-based authentication
  • Easy access to detailed user and log data, to monitor access in real time and proactively spot security concerns across the network
  • Availability of geo-location information and reporting, to increase awareness of remote access trends and threats
  • Complete incident management capabilities, from identification and resolution to mass deployment of updates, all from a single management console.

Are you reviewing your current strategy for remote access security? Should you be?
If so, the StoneGate Authentication Solution is an alternative to traditional, token-based solutions that is more cost-effective, less complex and, most importantly, more secure.


Jan 25

…or, in other words: how secure should your access to the cloud be?

It really does not matter whether the cloud is private or public: as stated multiple times, the authentication process is the key and the main enabler for cloud computing to happen.

And it seems that now the call for action is rapidly growing.

Stonesoft offers the state-of-the-art StoneGate SSL VPN to secure access to the cloud, with powerful yet flexible and easy-to-use authentication methods that grant the maximum level of security when you access your data in the cloud.

Please note that often the need is not for a brand new, shiny authentication method, since combining powerful existing ones can also be an efficient solution… or what do you think?

Please let us know your opinion with comments…


Jan 04

First post of this new 2011, together with my best wishes for a happy new year.

In a recent post I illustrated how to configure StoneGate SSL VPN to perform ticket-based Single-Sign-On to SalesForce.com.

The interesting benefit of the solution is keeping secure authentication at home while granting secure, authenticated access to the SalesForce application in the cloud.

The solution described in that post, although powerful and secure, lacks a little in usability, because the user must first log in to the StoneGate SSL VPN application portal, click the SalesForce application icon and, voilà, he's in.

This post details how to use Device Definition in StoneGate SSL VPN to greatly improve overall usability, reaching a quicker and smoother result while keeping security at the maximum level.

Device Definition allows the detection of a specific type of connecting device based on patterns identified in the HTTP request, such as User-Agent, OS, URL requested, path, etc.
We can therefore define a device type in Manage System > Device Definition based on the URL requested, as shown below:

This will ensure that requests for https://salesforce.mydomain.tld are treated differently from others, according to the configuration in Manage Resource Access > Global Resource Settings > Client Access.

We will configure the Device Definition to point to a specific page for authentication and, once authentication is successful, straight to SalesForce with ticket-based Single-Sign-On.

We can retrieve the needed links (Authentication Page and Welcome/Application Page) by looking at the default login menu on the StoneGate SSL VPN Access Point and "building" the application link as described below.

Open the StoneGate SSL VPN Access Point page, move the mouse over the authentication method and copy its link to retrieve the authentication page link you are interested in (in the example, StoneGate Password).

As for the application link, supposing that your Web Resource for accessing SalesForce with Ticket-SSO is called MySalesForce, the direct link to the application will be:

https://sslvpn.mydomain.tld/https/MySalesForce

To define the Client Access parameters for the Device Definition, we just need to strip the host part from the URLs above. We will therefore have:

Authentication link (Default Page): /wa/auth?authmech=StoneGate%20Password

Application link (Welcome Page): /https/MySalesForce

We can finally configure the Device Definition Client Access in Manage Resource Access > Global Resource Settings > Client Access - Add Device Settings… as shown below:

Click Add to finalize the configuration.

The last thing to do is to add a DNS A or CNAME record so that salesforce.mydomain.tld resolves to the StoneGate SSL VPN system and requests for this URL are routed correctly. Since the browser will now open an HTTPS connection to that name, the certificate presented by the SSL VPN must also be valid for salesforce.mydomain.tld (or users will get a certificate warning on every access).

The resulting behaviour is that StoneGate SSL VPN intercepts the URL and, because of the Device Definition configuration, first directs the user to the configured authentication page; once authentication is performed it allows straight access to SalesForce using ticket-based Single-Sign-On.
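To make the matching and redirect logic of the procedure above concrete, here is an added example that models it (this is illustrative code, not StoneGate's implementation): an ordered list of device definitions with host, User-Agent and path patterns, a Default Page for unauthenticated users and a Welcome Page for authenticated ones. The class names, the request dictionary, the fallback values and the extra iPhone definition are assumptions; the SalesForce definition uses the links built in this post.

```python
"""Added example (not StoneGate code): a model of the Device Definition /
Client Access flow used in this post.  Requests are matched against an
ordered list of device definitions (Host, User-Agent and path patterns);
the first match decides the Default Page (authentication) for unauthenticated
users and the Welcome Page (application) for authenticated ones.  The class
names, the request dictionary and the iPhone definition are assumptions."""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import quote


@dataclass(frozen=True)
class DeviceDefinition:
    name: str
    default_page: str            # Client Access "Default Page" (authentication link)
    welcome_page: str            # Client Access "Welcome Page" (application link)
    host: Optional[str] = None   # regex, matched in full against the Host header
    agent: Optional[str] = None  # regex, searched in the User-Agent header
    path: Optional[str] = None   # regex, matched in full against the request path


def auth_link(authmech: str) -> str:
    """Build the authentication page link as the Access Point menu exposes it,
    e.g. 'StoneGate Password' -> '/wa/auth?authmech=StoneGate%20Password'."""
    return "/wa/auth?authmech=" + quote(authmech, safe="")


def matches(device: DeviceDefinition, request: dict) -> bool:
    """True when every pattern set on the definition matches the request.
    Host patterns are anchored (fullmatch) so that a definition for
    salesforce.mydomain.tld does not also match salesforce.mydomain.tld.evil.example."""
    host = request.get("host", "").split(":")[0].lower()   # drop any :port
    if device.host and not re.fullmatch(device.host, host, re.IGNORECASE):
        return False
    if device.agent and not re.search(device.agent, request.get("user_agent", "")):
        return False
    if device.path and not re.fullmatch(device.path, request.get("path", "")):
        return False
    return True


# Ordered like the Client Access table: the first matching definition wins.
DEVICES = [
    # The definition built in this post: match on the requested URL's host.
    DeviceDefinition("SalesForce SSO", auth_link("StoneGate Password"),
                     "/https/MySalesForce", host=r"salesforce\.mydomain\.tld"),
    # A second, assumed definition showing that a "device" can also be a
    # browser/OS signature rather than a hostname.
    DeviceDefinition("iPhone", auth_link("StoneGate Password"), "/mobile",
                     agent=r"\biPhone\b"),
]
# Global Resource Settings used when no definition matches (assumed values).
DEFAULT = DeviceDefinition("default", "/wa/auth", "/")


def select_device(request: dict) -> DeviceDefinition:
    return next((d for d in DEVICES if matches(d, request)), DEFAULT)


def route(request: dict, authenticated: bool) -> str:
    """Path the SSL VPN sends the browser to for this request."""
    device = select_device(request)
    return device.welcome_page if authenticated else device.default_page


if __name__ == "__main__":
    # Constructed request: the user typed https://salesforce.mydomain.tld/
    req = {"host": "salesforce.mydomain.tld", "path": "/", "user_agent": "Mozilla/5.0"}
    print(select_device(req).name, route(req, False), route(req, True))
```

Two details worth carrying over to the real configuration: the host pattern is anchored, so a lookalike name that merely starts with salesforce.mydomain.tld does not inherit the SalesForce client-access settings, and the authmech value is URL-encoded exactly as the Access Point menu shows it (the space becomes %20).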

Secured Access to the Cloud, keeping Authentication at Home ;)


Nov 26

StoneGate SSL VPN is a perfect solution for granting secure access to the cloud.

One of the preferred authentication methods, used standalone or in conjunction with others to strengthen the authentication process, is authentication based on digital certificates.

This movie shows the various powerful and flexible options offered by StoneGate SSL VPN to implement an excellent level of secure authentication with digital certificates when accessing applications in the cloud.

Secure Access to the Cloud! Simplified!


Oct 22

Recent discussions about Cloud Computing and the security standards it should guarantee, and about the psychological barriers that are slowing down adoption (although less than in the past), focus attention on a fundamental aspect: security of the access.

The countless advantages of a data center "in the cloud" are well described in the streams of ink and… eInk spilled about it.
However, too often the angle is to illustrate flexibility, low impact on the maintenance process, ad hoc performance and ubiquitous access, forgetting a key aspect when talking about access to sensitive data and applications.

Hence the question: if a CIO accepts moving corporate IT into the cloud, trusting the SLA and the security standards of the service provider, which part of the process should be "bomb-proof"?

The answer is too often neglected: access! Or, better, the security level and strength of the access process!

Authentication systems considered "state of the art", such as OTP sent via text message, have recently been questioned because man-in-the-middle style attacks can relay the freshly received code and defeat the whole set of security measures.
How should you react to the growing threats and strengthen the overall process?

The answer is contained in an historical quote: Divide and Conquer.

Divide means combining authentication and identity validation systems (each with a good intrinsic strength) into a barrier that protects access, a barrier almost impossible to penetrate unless valid credentials for every system are provided.

StoneGate SSL VPN is an Identity and Access Management (IAM) system featuring over 25 different authentication methods, both native and interoperating with existing backend systems in the enterprise. Completed by security posture validation and trace removal at the end of the session, the solution gives secure, authenticated access to the applications available to a given user in a given context.

The interesting possibility is the ability to combine multiple instances of the same or different authentication methods, so that the strength of the overall authentication process grows with every method added: an attacker must defeat each of them in turn.
For example, let’s consider four authentication methods:

  • One time password delivered via SMS
  • One time password generated with StoneGate MobileID
  • Certificate authentication with client certificate protected by passphrase
  • Native Active Directory authentication.

Each of these methods has a good security level (password variability, number of authentication factors, difficulty of extracting the protected information).

The security level is maximized if the IAM system allows the four authentication methods to be combined, since the overall strength and the number of factors add up.

Therefore access to a particularly important application or to especially sensitive data could be protected by a very strong authentication scheme, such as:

  • type in a username and fixed password; an OTP is then sent to your phone via text message
  • present a valid passphrase-protected digital certificate, stored on a smartcard or token
  • insert an OTP generated with the free MobileID client software, installed on a device different from the one you are using to access
  • type in your Active Directory username and password

By combining this process with security context validation (such as antivirus state and a check of the serial numbers of client hardware components) it is possible to reach a very high strength in the authentication and access process, enabling access to the cloud with security levels accepted by the most demanding customer, without sacrificing (too much) the usability of the process itself. One caveat: stacking factors does not by itself defeat a real-time relaying man-in-the-middle, which simply forwards every credential the user types; of the methods listed above, only the client certificate, verified in the TLS handshake, binds the authentication to the connection itself, which is a good reason to keep it in the chain.
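The chained scheme and the posture check described above, as an added example that is not Stonesoft's code: a resource is protected by an ordered list of methods, the client's security context is validated first, and access is granted only if every method succeeds. The user record, secrets, posture fields and resource names are constructed for the example; both OTP methods are modelled with RFC 4226 HOTP (the SMS one using the RFC's test-vector secret), and the certificate check is reduced to a fingerprint comparison.

```python
"""Added example (not Stonesoft code): a model of the "divide and conquer"
chain described in this post.  Each resource is protected by an ordered list
of authentication methods; access is granted only when the client's security
posture is acceptable and every method in the list succeeds.  The user record,
secrets, posture fields and resource names are constructed for the example;
the certificate check is reduced to a fingerprint comparison."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation.  Used here for both the SMS OTP and the MobileID OTP."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user() -> dict:
    """Constructed per-user record as the authentication server would hold it."""
    salt = b"example-salt"
    return {
        "name": "alice",
        "salt": salt,
        "pw": pw_hash("correct horse", salt),
        "sms_secret": b"12345678901234567890",        # RFC 4226 test-vector secret
        "sms_counter": 0,
        "mobileid_secret": b"mobileid-secret-on-other-device",
        "mobileid_counter": 0,
        "cert_fingerprint": "3f" * 32,               # SHA-256 of the enrolled client cert (constructed)
    }


# Which methods, in order, protect each (assumed) resource.
POLICY = {
    "payroll":  ["password", "sms_otp", "certificate", "mobileid_otp"],
    "intranet": ["password"],
}


def check_password(user: dict, presented: dict) -> bool:
    return hmac.compare_digest(user["pw"], pw_hash(presented.get("password", ""), user["salt"]))


def check_hotp(user: dict, presented: dict, secret_key: str, counter_key: str,
               field: str, window: int = 3) -> bool:
    """Accept a code within a small look-ahead window, then move the counter
    past it so the same OTP can never be replayed."""
    code = presented.get(field, "")
    for c in range(user[counter_key], user[counter_key] + window):
        if hmac.compare_digest(hotp(user[secret_key], c).encode(), code.encode()):
            user[counter_key] = c + 1
            return True
    return False


def check_certificate(user: dict, presented: dict) -> bool:
    return hmac.compare_digest(user["cert_fingerprint"].encode(),
                               presented.get("cert_fingerprint", "").encode())


CHECKS = {
    "password": check_password,
    "sms_otp": lambda u, p: check_hotp(u, p, "sms_secret", "sms_counter", "sms_otp"),
    "mobileid_otp": lambda u, p: check_hotp(u, p, "mobileid_secret", "mobileid_counter", "mobileid_otp"),
    "certificate": check_certificate,
}


def posture_ok(posture: dict) -> bool:
    """Security context validation from the post: antivirus state and known hardware."""
    return posture.get("antivirus_up_to_date") is True and posture.get("hw_serial_known") is True


def authenticate(user: dict, resource: str, presented: dict, posture: dict):
    """Return (granted, failed_step).  Every method in the policy must pass;
    the chain stops at the first failure so no later factor is evaluated."""
    if not posture_ok(posture):
        return False, "posture"
    for method in POLICY[resource]:
        if not CHECKS[method](user, presented):
            return False, method
    return True, None
```

The failed step is returned here so the behaviour is visible; in a real deployment the user should only see a generic failure, with the detail going to the server log, otherwise the chain tells an attacker which factor they still need. Note also that a consumed OTP stays consumed even if a later factor fails, which is the correct behaviour: a code that was seen on the wire must never be accepted again.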

Cloud Computing. Secured!


Feb 26

Enabling Cloud Computing

SSL VPN

Cloud Computing is one of the most frequent buzzwords heard these days. You may think it is the next big thing, as it seems to be recognized as the new paradigm for the IT of any kind of organization: from small to large, from the private to the public sector, private and stock-listed companies alike.

However, Cloud Computing is not hassle-free, and you can waste a lot of time speculating about privacy, data protection, security and possible misuses.

Wikipedia defines Cloud Computing as "a paradigm shift whereby details are abstracted from the users who no longer need knowledge of, expertise in, or control over the technology infrastructure in the cloud that supports them. It typically involves the provision of dynamically scalable and often virtualized resources as a service over the Internet."

Cloud computing is the "phrase du jour" and, as usual, concepts and definitions change according to who is talking. "Cloud", like the Internet, and "computing" are the only terms that do not change, although every time you combine them things become fuzzier and fuzzier.

There is one single good reason that motivates me to write this article: no matter how big the fence is, there must be a way out and a way in. And that is where SSL VPN technology comes into play.



Dec 28

Text my access to the cloud

SSL VPN

Cloud computing is cool, sexy and maybe here to stay.

But as recently stated by Bruce Schneier, it is a matter of trust.

And trust does not involve only the service provider: it also concerns the connecting user and, naturally, the strength of authenticated and validated access.

Hence SSL VPN technologies have a key role, and StoneGate SSL VPN is a very interesting solution to look at from this perspective.

Authentication is genetically part of our solution thanks to support for advanced and sophisticated techniques such as MobileID, federation, OATH and numerous other technologies.

An easy one to implement, already documented some time ago, is StoneGate SMS.

