Google Apps & myOneLogin in Vermont schools

June 3rd, 2010

For all of the success of Google Apps for Education, its adoption is not always met with completely open arms. Even for those districts or schools that are using Google Apps, the process of moving everything to Google Apps often requires overcoming concerns about the privacy of student data.

The Bennington-Rutland Supervisory Union in Vermont, which provides leadership and support for nine different school districts, is a case in point. BRSU has embraced technology in education, and cloud computing in general. The district was an early adopter of Google Apps for Education.

Nonetheless, access security concerns remained. And as the district implemented additional SaaS applications to support its teachers and staff, they had to address those concerns.

Dan French, the superintendent of BRSU, has found that using myOneLogin Secure Single Sign-On for its teachers and staff alleviates these concerns. myOneLogin provides strong authentication that is easy to deploy, with a single sign-on to all of the schools’ web applications, including Google Apps.

Adding myOneLogin, with its strong authentication capabilities, was key to encouraging the broader use of Google Apps and other cloud applications.  Says French, “With myOneLogin, I feel better about access security for sensitive data in Google Apps. I can be more aggressive about encouraging the further use of Google Apps now that access is locked down with myOneLogin.”

You can read about their deployment on the Google Apps Marketplace at http://solutionsmarketplace.blogspot.com/2010/05/tricipher-and-bennington-rutland.html

Account sharing lands Goldman Sachs in court

May 14th, 2010

Here’s another perspective on the legal liability issues of web application access and account sharing.  The providers of a market intelligence database are suing Goldman Sachs for allegedly stealing intellectual property from its database, through inappropriate sharing of account credentials.

You can read more about the case on Dark Reading: http://www.darkreading.com/database_security/security/attacks/showArticle.jhtml?articleID=224701564

Account sharing is a fact of life at many large businesses that subscribe to a limited number of seats for a paid online service.  With this access protected only by knowledge of an account and password, it is very easy for employees to share access with others either inside or outside the company.

From the service provider perspective, putting proprietary intellectual property behind only a user name and password is tantamount to inviting its dissemination. Service providers need to put their paid intellectual property behind stronger authentication practices or deploy secure federation with enterprise customers.

From the corporate perspective, the account sharing activities of employees can land your company in legal trouble. With no access controls in place for its paid online accounts, a business cannot ensure that its own policies are enforced and followed. Enterprises need to gain control of online access using online identity and access management tools like myOneLogin. Integrating web application access with enterprise directories reduces the risks of account sharing.

Teaching kids about password security

March 4th, 2010

It used to be so simple – you talked to your children about the big items like sex or drinking. The talks weren’t easy, but at least the topics were predictable.

Now parents have to talk to their kids about a whole raft of new issues – including what’s appropriate to post on Twitter or Facebook, and not sharing passwords with friends.

St. Michael’s RC school in the UK uses myOneLogin to protect access to its Google Apps accounts with strong authentication.  You can find the story at http://www.myonelogin.com/Downloads/St_Michaels_Story.pdf.  As a parent, one of the things I love about the story is this: as a by-product of moving to Google Apps for students and staff alike, St. Michael’s is teaching the kids about protecting access to their accounts.

Everyone uses strong authentication at St. Michael’s. The students use a basic second factor to access their Google Apps accounts – knowledge-based questions. But the staff uses stronger second factors, including VeriSign VIP Access for Mobile, which generates temporary one-time passwords on smart phones.  The VIP support has the ‘cool’ factor, as it uses smart phones to generate “secret codes” that self-destruct in only seconds.

Damien Kelly, Head of e-Learning at the school, says that he shows the kids the one-time password from his phone when he logs in, because he knows it will expire in a few moments. A simple login becomes a teaching moment and he’s emphasizing, time and again, the importance of protecting access to online accounts. That’s an education that can serve the students well in the future.

myOneLogin SignatureBook: Digital signatures made easy

March 1st, 2010

Copying, gathering signatures, shipping, filing – the signature process is the ‘last mile’ of putting many business processes online. For businesses with strict and well-defined approval processes, moving to digital signatures can both save money and accelerate business.

We’ve just announced that we’re offering the TriCipher digital signature solution as an on-demand service in the myOneLogin family. We’re pretty excited about this, as it makes it even easier for businesses to move to digital signatures, with no software to deploy and manage in-house. (We still offer the on-premise version for businesses that want everything happening in their own networks.)

Find out more about the service or watch videos of how it works from http://www.myonelogin.com/signaturebook.html.

Catch TriCipher at RSA March 1-5

February 24th, 2010

The RSA conference is coming up next week – and everyone’s busy planning the sessions they want to attend.

There’s so much going on at RSA, you need a strategy.  If you’re going, we hope you put TriCipher on your list. There are a couple ways to connect with us at RSA:

  • Look for one of us wearing a t-shirt with user IDs and passwords on the front
  • Set up a one-on-one needs analysis by sending an email to Rory.Quick@TriCipher.com.

Have a cup of joe on us

Sometimes you need a caffeine boost during these conferences. That’s why we’re giving away Starbucks cards to anyone who contacts us at the RSA conference.  Just look for one of our representatives in our password-based t-shirts.  Yep, we’ll get you excited about identity services one way or another!

If you’re going, see you in San Francisco!

Phishing on the rise, says APWG Report

January 22nd, 2010

Phishing is alive and thriving, according to the recently released report from the Anti-Phishing Working Group (APWG). Unique phishing attacks reported to APWG reached an all-time high in Q3 of 2009 – up 10% from the previous record. (Q4 data is not yet available.)

You can find the report at http://www.antiphishing.org/reports/apwg_report_Q3_2009.pdf

Are people getting smart about phishing? Yes, but the attacks seem to be getting smarter, and more targeted.  More than half of the reported attacks targeted the financial services industry, with the payment services industry next in line with 26%.

It’s no time to be complacent. Protect your accounts with strong authentication, which foils phishing attacks.

(Disclosure: TriCipher is a corporate sponsor of APWG, but did not contribute to the report.)

2010: SaaS, Google Apps continue rapid uptake

December 30th, 2009

It’s the time of the year to make predictions and top 10 lists for the coming year. So, we’re going to make an easy one – SaaS will continue to gain widespread adoption from business of all sizes. And Google Apps in particular will continue to make headway – although we suspect that a bevy of innovative competitors will make themselves known as well.

We’re not really sticking our necks out here. Gartner put Cloud Computing at the top of its ‘Top 10 Strategic Technologies for 2010’ list. Everyone is calling for 2010 to be the year of SaaS and cloud computing – except for those who particularly enjoy being naysayers.

In talking to customers, we are finding that one major obstacle in the road to SaaS is the concern about security.  In general, we think that companies like Google and Salesforce can probably do a better job securing and protecting their data than the average organization. They have resources to apply to the problem, and their businesses depend on their ability to secure customer data.

So most of the security concerns are probably overstated. However, access security is something that falls outside of the SaaS solution, and is in general the weakest point. 2009 saw several password-based attacks. Twitter was the target of several high-profile attacks – most recently, someone apparently exploited poor password procedures for the service hosting Twitter’s DNS to redirect users to a malicious site. Ouch.

So, if 2010 is the year SaaS becomes mainstream, it must also be the year that businesses everywhere get serious about protecting SaaS access with strong authentication. We hope that’s true – that this year we start shutting down the password-based attacks against businesses and everyone can feel a little more secure using SaaS applications to run their businesses.

Happy New Year to all.

Passwords on sticky notes – federal employees are only human

December 10th, 2009

You thought the Salahi gate-crashing incident was bad? It’s certainly not the only case of breaches in federal government security.

The CDW-G 2009 Federal Cybersecurity Report published recently revealed a high occurrence of cybersecurity incidents in federal government. The one that caught our eye was this:

44% of Federal IT professionals have seen an employee post a password in a public place (for example, on a sticky note in their office) in the last 12 months. (You can read the full report at http://webobjects.cdw.com/webobjects/media/pdf/Newsroom/2009-CDWG-Federal-Cybersecurity-Report-1109.pdf)

We’d guess that this is the result of password policies that mandate that employees set strong passwords, and reset them often. These policies can actually end up eroding security if they make it too difficult for people to go about their daily work.

How many of us could really handle creating unique passwords that include at least one uppercase character, one non-alphanumeric character, are more than nine characters – and then changing them every two weeks?

People are delightfully predictable – and that’s what attackers count on. If it’s hard to set up and remember those passwords, we either have to improve our memories or make them easy to retrieve. Guess which one most of us will pick? I put my money on the sticky note! Federal government employees aren’t any different than most of us in that respect.

You can read a discussion of the report and its findings in Government Technology at http://www.govtech.com/pcio/articles/734387?id=734387&full=1&story_pg=1.

Building out the SaaS support and management ecosystem

December 2nd, 2009

Yesterday Conformity and TriCipher announced the integration of myOneLogin with the Conformity SaaS management solution.

Combining Conformity’s SaaS management and automated provisioning with myOneLogin Secure Single Sign-on creates a compelling solution for businesses that rely on SaaS.

But the story highlights something even bigger—the expanding ecosystem of solutions that help businesses manage SaaS with the same levels of security, control and governance that they had with internal applications.

SaaS has come of age in the business world, and a new ecosystem is developing around it to help businesses manage and integrate SaaS into their operations. TriCipher and Conformity are both part of that growing ecosystem, and by combining forces we strengthen and expand the options available to companies relying on SaaS applications.

Are social networks eroding business security?

November 13th, 2009

As businesses grapple with how to handle social media, they are also asking questions about security. Are social networking sites like Facebook and Twitter actually eroding security for business applications?

In and of themselves, social networking sites typically are pretty secure. But they are inherently more susceptible to phishing attacks than other types of sites. This is due to the layer of trust built into social networks.  If you get a direct message that seems to be from a trusted friend, you are more likely to believe it and click on its link than if it is from a Nigerian prince.  That’s just human nature.

However, the question remains whether social networks affect security beyond their own applications. The answer is a qualified yes – not because they are inherently insecure but because they help attackers exploit a major weakness in our standard operating procedures today: sharing passwords between accounts.

Faced with dozens of accounts and passwords to remember, we tend to use the same ones across many accounts. That’s the reason that attackers are targeting Twitter and Facebook accounts.

Says Suzanne Choney in the MSNBC article on the topic, “It’s not so much that a crook wants to read why you’ve written on Twitter, or start posting your tweets. Rather, criminals are looking to see if your account information is the same for other accounts, including those for banks, where the reward for such phishing is more lucrative.”

So the fault lies not with social networks themselves, but with the plethora of accounts that we’re asking people to remember (and perhaps the limitations of human memory and patience).   That’s why secure single sign-on is increasingly a business necessity.

Like it or not, your business users today are on social networks. According to the Forrester Report “The Broad Reach of Social Technologies”, half of US adults online participate in social networks like Facebook. Yep, your business users are there already. So don’t make them share credentials with the web accounts they use for your business – give them secure single sign-on instead.


myOneLogin: Supporting business on the web with web SSO, strong authentication, and federation as a service.
COPYRIGHT ©2010 TRICIPHER. ALL RIGHTS RESERVED.