Navigating a New World
By Samuel Greengard | Posted 2010-10-12
Modernizing Authentication — What It Takes to Transform Secure Access
Web 2.0 ratchets up capabilities and opportunities, but the open and interactive nature of the technology also creates risks. Security is the foundation of any successful Web 2.0 initiative.
To be sure, navigating security in today’s Web 2.0 world is no simple task. There’s no single approach or one-size-fits-all solution that addresses the tangle of challenges that enterprises face. As a result, it’s essential for organizations to develop a holistic strategy and deploy the right security tools and policies. Minimizing the risk of a breach is paramount. As Accenture’s Phelps puts it: “Web 2.0 creates enormous opportunities that businesses cannot overlook, but it also requires more sophisticated security, as it has dramatically expanded a variety of threats and risks.”
Developing a strategy for coping with Web 2.0 risks is essential. One area that organizations must address is data protection. Says Phelps: “Today’s highly interconnected environment dramatically expands the avenues for data leakage, which is attractive for those looking to exploit systems.”
The heart of the problem is that the line between work and personal life has blurred. When employees participate in social networking sites, they may not realize that they are posting sensitive corporate information. “They might not stop to think about what they’re posting,” Phelps notes. “Moreover, if one member of the group lacks an appropriate privacy setting, the information could be viewed by others.”
A Secure Cloud Environment
Protecting data is a core concern at Huntington National Bank, headquartered in Columbus, Ohio. The regional financial institution, which operates more than 600 branches and 1,300 ATMs in six Midwest states, stores an ever-growing volume of data in the cloud. A primary initiative has centered on using Salesforce.com in a secure cloud environment.
“In the past, we had different departments using different CRM tools, and it was difficult to manage and share data across silos,” recalls Mark Edson, infrastructure manager of Enterprise Desktop and Directory Services. This scattershot approach presented both business and security challenges. “When customers call and [the issue] involves multiple departments, we need to forward the data associated with that customer quickly and securely. In addition, we must adhere to regulatory requirements.”
One of Huntington Bank’s primary concerns was to avoid sharing passwords with the hosted service provider. So, Edson set out to build a system with single sign-on authentication that did not require employees to log in at the hosted site. That meant building a sandbox and designing the logins so that there “wasn’t another set of credentials for associates to remember,” he explains.
Huntington Bank turned to Novell’s Access Manager and relies on Security Assertion Markup Language (SAML) 2.0 to exchange authentication and authorization assertions between security domains. Within three months, the bank had the solution in place.
Today, users log in to Huntington’s internal Web page, and the system pre-authenticates them for the cloud. Access Manager, backed by the bank’s LDAP (Lightweight Directory Access Protocol) directory, generates a SAML assertion carrying a random identifier of 132 bits or more, signs it with the bank’s private key and sends it to Salesforce.com. Salesforce.com checks the signature against the corresponding public key it holds and admits the employee; the private key itself never leaves the bank.
Designing the system required the bank’s IT department to write a new driver linking Huntington’s HR system and directory services with Salesforce.com. “At no point does the authentication data get sent to the cloud,” Edson adds. “The cloud provider never sees the password and does not have it on file.”
Consequently, Salesforce.com has no way to access the bank’s credentials or directory data. What’s more, the system accommodates real-time provisioning, deprovisioning, departmental moves and name changes: when an employee’s record is updated in the HR system, the change automatically flows into the LDAP directory and Access Manager.
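The exchange described above, as an added illustration in Go that is not Huntington’s, Novell’s or Salesforce’s own code: an identity provider (the bank) issues a short-lived assertion with a random ID and signs it, and a service provider (the cloud CRM) that holds only the IdP’s public key rejects assertions that are tampered with, addressed to another party, outside their validity window or replayed. The entity IDs, the 136-bit ID length and the five-minute validity window are assumptions, and the assertion is hashed as a delimited string rather than canonicalized XML, so the block models the SP-side checks rather than the XML-DSig wire format.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Assertion carries the SAML 2.0 <Assertion> fields an SP must validate. Real
// deployments sign XML (XML-DSig); here the fields are hashed as a delimited string.
type Assertion struct {
	ID           string // random, at least 128 bits; used to detect replay
	Issuer       string // identity provider (IdP) entity ID
	Subject      string // directory identifier of the employee, never the password
	Audience     string // entity ID of the SP the assertion is meant for
	NotBefore    time.Time
	NotOnOrAfter time.Time
}

var (
	ErrBadSignature  = errors.New("assertion signature does not verify")
	ErrWrongAudience = errors.New("assertion is addressed to a different SP")
	ErrExpired       = errors.New("assertion is outside its validity window")
	ErrReplay        = errors.New("assertion ID already consumed")
)

func (a Assertion) digest() []byte {
	h := sha256.Sum256([]byte(fmt.Sprintf("%s|%s|%s|%s|%d|%d", a.ID, a.Issuer,
		a.Subject, a.Audience, a.NotBefore.Unix(), a.NotOnOrAfter.Unix())))
	return h[:]
}

// NewAssertionID draws 136 random bits (SAML requires at least 128); "_" keeps it a valid XML ID.
func NewAssertionID() (string, error) {
	b := make([]byte, 17)
	_, err := rand.Read(b)
	return "_" + hex.EncodeToString(b), err
}

// IdP is the bank-side issuer; its private key never leaves it.
type IdP struct {
	EntityID string
	key      *rsa.PrivateKey
}

func NewIdP(entityID string) (*IdP, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	return &IdP{EntityID: entityID, key: k}, err
}

func (i *IdP) PublicKey() *rsa.PublicKey { return &i.key.PublicKey }

// Issue runs after the user has authenticated against the internal directory and
// returns a short-lived assertion plus its RSA-SHA256 signature (hypothetical 5-minute window).
func (i *IdP) Issue(subject, audience string, now time.Time) (Assertion, []byte, error) {
	id, err := NewAssertionID()
	if err != nil {
		return Assertion{}, nil, err
	}
	a := Assertion{ID: id, Issuer: i.EntityID, Subject: subject, Audience: audience,
		NotBefore: now.Add(-time.Minute), NotOnOrAfter: now.Add(5 * time.Minute)}
	sig, err := rsa.SignPKCS1v15(rand.Reader, i.key, crypto.SHA256, a.digest())
	return a, sig, err
}

// SP is the cloud provider: it holds one trusted IdP public key (which identifies the
// issuer) and remembers the assertion IDs it has already accepted.
type SP struct {
	EntityID  string
	IssuerKey *rsa.PublicKey
	seen      map[string]time.Time
}

func NewSP(entityID string, key *rsa.PublicKey) *SP {
	return &SP{EntityID: entityID, IssuerKey: key, seen: map[string]time.Time{}}
}

// Consume runs the SP-side checks; the signature is verified first so no unauthenticated field is acted on.
func (s *SP) Consume(a Assertion, sig []byte, now time.Time) error {
	if rsa.VerifyPKCS1v15(s.IssuerKey, crypto.SHA256, a.digest(), sig) != nil {
		return ErrBadSignature
	}
	if a.Audience != s.EntityID {
		return ErrWrongAudience
	}
	if now.Before(a.NotBefore) || !now.Before(a.NotOnOrAfter) {
		return ErrExpired
	}
	if _, dup := s.seen[a.ID]; dup {
		return ErrReplay
	}
	s.seen[a.ID] = a.NotOnOrAfter // a real SP evicts entries once NotOnOrAfter passes
	return nil
}
```

Nothing the SP receives contains a password: it sees a subject identifier, a validity window and a signature it can check with the public key alone, which is the property Edson describes. The replay cache is what makes the random assertion ID worth generating; without it a captured assertion could be presented again inside its validity window.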
“We are very conscious of our fiduciary duty to protect customer data,” Edson says. “We don’t want to miss the opportunity of Web 2.0, but we also know that we have to make the environment as secure as possible.”