05.5.2016 - The Way to a Hacker’s Heart: Insecure Passwords

People use “bad” passwords — no, these passwords aren’t swear words — for two reasons: They’re easy to come up with and easy to remember. Bad, or weak, passwords are passwords hackers find hilariously simple to crack. Examples of laughingstock passwords are: ...

04.20.2016 - More Reliability and Security for Your Enterprise

Optimal IdM has been providing innovative and quality identity management solutions and services since 2005. With The OptimalCloud, we are able to offer our clients a comprehensive cloud federation and single sign-on solution that is way ahead of the competition. Not only can The OptimalCloud be completely customized to meet the unique needs of our clients, but it is available at an affordable flat monthly fee instead of a pricey per user, per month cost. Most importantly, The OptimalCloud offers a higher level of security than other solutions, with its dedicated private cloud and custom synchronization options. If that isn’t enough, Optimal IdM has recently achieved its SSAE 16, SOC 2, Type I compliance certification ensuring its clients an even higher level of reliability and security for their identity data. ...

04.7.2016 - Get Out of the Authentication Business Part 2

In last week’s blog post, “Get Out of the Authentication Business (Part 1)”, we discussed how managing the authentication process, including protocols, trusts, certificates, assertions, encryption and signing, is a tedious and time-consuming process. Not only that, but there is an ongoing and growing cost to continue to maintain the infrastructure of a federation service. You are a cloud application vendor and, I am sure, an expert in your space, the same way we are experts in authentication and federation services. Read below to find out why The OptimalCloud is the best solution for your cloud federation and authentication needs. ...

03.31.2016 - Get Out of the Authentication Business Part 1

More and more vendors are taking what they classically sold as an on-premises solution and delivering their applications via the cloud. While this makes a lot of sense both for the vendors and for their customers, it does introduce a problem with authenticating users. With the on-premises solutions, they likely used Windows Integrated Authentication for web applications to seamlessly log the customer’s users into their web application, or they simply authenticated users against the customer’s on-premises Active Directory. ...

01.27.2016 - Why You Need TOTP

Static Passwords Alone Are a Thing of the Past. Gone are the days where a username and password alone are secure enough for an organization’s sensitive data. Static passwords can easily be cracked or stolen, leaving your sensitive information vulnerable to hackers or unauthorized users. The worst part is that you don’t even know a password has been compromised until it’s too late. Vulnerabilities can even create headaches for managers, as weak authentication can leave users unaccountable for their actions. Another issue with static passwords is, let’s be honest, that it’s hard to remember all the different passwords you have for all of the different accounts you need to access. Forgotten passwords create not only a hassle for you, but also a lot of extra time wasted by your helpdesk or IT department that should be spent on more important issues. ...

01.18.2016 - Kerberos, The Three Headed Dog of Identity

The Kerberos authentication protocol is one of the most widely used protocols in today’s enterprise networks. Yet there is still a lot of confusion about it. The main goal of Kerberos is to enable application authentication without the need to transmit user passwords. Kerberos is another name for the three-headed hound that guarded Hades in Greek mythology. Most of us in the US know the mythical beast by the name Cerberus. The mythological Kerberos was the offspring of Echidna and Typhon and was captured by Heracles as one of his twelve labors. The protocol Kerberos was the offspring of MIT’s Project Athena and was captured by Microsoft in Windows 2000. Microsoft operating systems have supported Kerberos ever since, but the relationship has often been a rocky one (but that’s a story for another time). What does all this have to do with identity, federation, and directories? ...

01.5.2016 - It’s So Meta (data)

One of the key enabling technologies in Federation is Metadata. In the early days of SAML (yes there was a SAML 1.0) one of the more difficult aspects of setting up a federation relationship was exchanging signing certificates and unique identifiers. This often involved emailing public certificates and URNs back and forth, and in some cases, multiple times. In SAML 2 the problem got even worse because in addition to the sign on endpoints from SAML 1.0, there were now sign off endpoints to consider as well as more bindings. ...

12.17.2015 - LDAP Migrations Made Easy – Part 2

In LDAP Migrations Made Easy – Part 1, we discussed several common migration challenges dealing with schema, paging and Directory System Agents (DSAs) that can easily be avoided by using a Virtual Identity Server. In this post we will cover several other challenges involving Directory Information Trees (DITs), Access Control Lists (ACLs) and password migration, and how to overcome them, with the end result being an efficient, seamless and secure migration. ...

12.10.2015 - That Synching Feeling I Get From Cloud SSO

Single Sign-On is all the rage these days. Organizations are looking to ease the hassles and expenses related to user passwords. Single sign-on (SSO) is a user authentication process that permits a user to enter one name and password in order to access multiple applications. This can help reduce the number of calls to a help desk for access issues, thereby reducing the operating cost for the organization. The latest market trend is to take this a step further and leverage external companies for SSO. By using products that offer SSO as software as a service (SaaS), an organization can greatly reduce the expense related to the management of these integrations. However, when an organization moves its SSO infrastructure into “the cloud”, there are new risks to be considered. ...

12.2.2015 - Bridging the OAuth2/SAML2 Divide, Part 2

In Bridging the OAuth2/SAML2 Divide, Part 1, we talked about how an identity broker can be used to bring OAuth2 and OpenID Connect into a SAML2 federated environment. We talked about how Optimal Federation and Identity Services (OFIS) can be used as a federation proxy to bridge OAuth2 and OpenID Connect to a SAML2 identity provider without requiring user identity information to be synced to the cloud. Let’s dive deeper into this and look at some of the important details. First, unless you only have one identity provider, you will need a means of determining where the user needs to go for authentication. For the passive side of OAuth2 and OpenID Connect that is pretty straightforward. When the user is first redirected to the identity broker for authentication, he is prompted to select the identity provider to be proxied to. Once the user selects the identity provider, he is forwarded to that identity provider for authentication. This is referred to as Home Realm Discovery (HRD). ...
