Posts Tagged ‘strong authentication’

Google Apps & myOneLogin in Vermont schools

Thursday, June 3rd, 2010

For all of the success of Google Apps for Education, its adoption is not always met with completely open arms. Even for those districts or schools that are using Google Apps, the process of moving everything to Google Apps often requires overcoming concerns about the privacy of student data.

The Bennington-Rutland Supervisory Union in Vermont, which provides leadership and support for nine different school districts, is a case in point. BRSU has embraced technology in education, and cloud computing in general. The district was an early adopter of Google Apps for Education.

Nonetheless, access security concerns remained. And as the district implemented additional SaaS applications to support its teachers and staff, they had to address those concerns.

Dan French, the superintendent of BRSU, has found that using myOneLogin Secure Single Sign-On for its teachers and staff alleviates these concerns. myOneLogin provides strong authentication that is easy to deploy, with a single sign-on to all of the schools’ web applications, including Google Apps.

Adding myOneLogin, with its strong authentication capabilities, was key to encouraging the broader use of Google Apps and other cloud applications.  Says French, “With myOneLogin, I feel better about access security for sensitive data in Google Apps. I can be more aggressive about encouraging the further use of Google Apps now that access is locked down with myOneLogin.”

You can read about their deployment on the Google Apps Marketplace at http://solutionsmarketplace.blogspot.com/2010/05/tricipher-and-bennington-rutland.html

Account sharing lands Goldman Sachs in court

Friday, May 14th, 2010

Here’s another perspective on the legal liability issues of web application access and account sharing.  The providers of a market intelligence database are suing Goldman Sachs for allegedly stealing intellectual property from its database, through inappropriate sharing of account credentials.

You can read more about the case on Dark Reading: http://www.darkreading.com/database_security/security/attacks/showArticle.jhtml?articleID=224701564

Account sharing is a fact of life at many large businesses that subscribe to a limited number of seats for a paid online service.  With this access protected only by knowledge of an account and password, it is very easy for employees to share access with others either inside or outside the company.

From the service provider perspective, putting proprietary intellectual property behind only a user name and password is tantamount to inviting its dissemination. Service providers need to put their paid intellectual property behind stronger authentication practices or deploy secure federation with enterprise customers.

From the corporate perspective, the account-sharing activities of employees can land your company in legal trouble. With no access controls in place for its paid online accounts, a business cannot ensure that its own policies are enforced and followed. Enterprises need to gain control of online access using online identity and access management tools like myOneLogin. Integrating web application access with enterprise directories reduces the risks of account sharing.

Teaching kids about password security

Thursday, March 4th, 2010

It used to be so simple – you talked to your children about the big items like sex or drinking. The talks weren’t easy, but at least the topics were predictable.

Now parents have to talk to their kids about a whole raft of new issues – including what’s appropriate to post on Twitter or Facebook, and not sharing passwords with friends.

St. Michael’s RC school in the UK uses myOneLogin to protect access to its Google Apps accounts with strong authentication.  You can find the story at http://www.myonelogin.com/Downloads/St_Michaels_Story.pdf.  As a parent, one of the things I love about the story is this: as a by-product of moving to Google Apps for students and staff alike, St. Michael’s is teaching the kids about protecting access to their accounts.

Everyone uses strong authentication at St. Michael’s. The students use a basic second factor to access their Google Apps accounts – knowledge-based questions. But the staff uses stronger second factors, including VeriSign VIP Access for Mobile, which generates temporary one-time passwords on smart phones.  The VIP support has the ‘cool’ factor, as it uses smart phones to generate “secret codes” that self-destruct in only seconds.

Damien Kelly, Head of e-Learning at the school, says that he shows the kids the one-time password from his phone when he logs in, because he knows it will expire in a few moments. A simple login becomes a teaching moment, and he’s emphasizing, time and again, the importance of protecting access to online accounts. That’s an education that can serve the students well in the future.
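As an added illustration of why a displayed code is safe to show for a moment and useless shortly after, here is the standard time-based one-time password scheme of RFC 6238 with a server-side check that accepts a code only within a short window of time steps. This is example code written for this page, not code from the original post and not VeriSign VIP’s own token algorithm; the secret, times and step size are constructed test values.

```python
import hashlib
import hmac
import struct
import time

# RFC 6238 TOTP over RFC 4226 HOTP. A 30-second step is the common default;
# the code shown on a phone is only meaningful for the current step.
STEP_SECONDS = 30
DIGITS = 6

# Constructed demo seed. A real token's seed is provisioned per user and
# stored server-side; it is never hard-coded like this.
DEMO_SECRET = b"constructed-demo-seed-not-real"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float, step: int = STEP_SECONDS) -> str:
    """TOTP is HOTP with the counter set to the number of steps since the epoch."""
    return hotp(secret, int(at) // step)


def verify_totp(secret: bytes, code: str, at: float,
                step: int = STEP_SECONDS, window: int = 1) -> bool:
    """Server-side check: accept the current step plus or minus `window` steps
    to tolerate clock skew, compare in constant time, reject anything older."""
    counter = int(at) // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), code):
            return True
    return False


if __name__ == "__main__":
    now = time.time()
    code = totp(DEMO_SECRET, now)
    print("code now:", code, "valid now:", verify_totp(DEMO_SECRET, code, now))
    # Two minutes later the same code falls outside the window and is rejected.
    print("valid two minutes later:", verify_totp(DEMO_SECRET, code, now + 120))
```

The values in the test below are the published RFC 4226 / RFC 6238 SHA-1 test vectors (seed "12345678901234567890"), so the implementation can be checked against the standard rather than against itself.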

Phishing on the rise, says APWG Report

Friday, January 22nd, 2010

Phishing is alive and thriving, according to the recently released report from the Anti Phishing Working Group (APWG). Unique phishing attacks reported to APWG reached an all time high in Q3 of 2009 – up 10% from the previous record. (Q4 data is not yet available.)

You can find the report at http://www.antiphishing.org/reports/apwg_report_Q3_2009.pdf

Are people getting smart about phishing? Yes, but the attacks seem to be getting smarter, and more targeted.  More than half of the reported attacks targeted the financial services industry, with the payment services industry next in line with 26%.

It’s no time to be complacent. Protect your accounts with strong authentication, which foils phishing attacks.

(Disclosure: TriCipher is a corporate sponsor of APWG, but did not contribute to the report.)

2010: SaaS, Google Apps continue rapid uptake

Wednesday, December 30th, 2009

It’s the time of the year to make predictions and top 10 lists for the coming year. So, we’re going to make an easy one – SaaS will continue to gain widespread adoption from business of all sizes. And Google Apps in particular will continue to make headway – although we suspect that a bevy of innovative competitors will make themselves known as well.

We’re not really sticking our necks out here.  Gartner put Cloud Computing at the top of its ‘Top 10 Strategic Technologies for 2010‘ list. Everyone is calling for 2010 to be the year of SaaS and cloud computing – except for those who particularly enjoy being naysayers.

In talking to customers, we are finding that one major obstacle in the road to SaaS is the concern about security.  In general, we think that companies like Google and Salesforce can probably do a better job securing and protecting their data than the average organization. They have resources to apply to the problem, and their businesses depend on their ability to secure customer data.

So most of the security concerns are probably overstated. However, access security is something that falls outside of the SaaS solution, and is in general the weakest point. 2009 saw several password-based attacks. Twitter was the target of several high-profile attacks – most recently, someone apparently exploited poor password procedures for the service hosting Twitter’s DNS to redirect users to a malicious site. Ouch.

So, if 2010 is the year SaaS becomes mainstream, it must also be the year that businesses everywhere get serious about protecting SaaS access with strong authentication. We hope that’s true – that this year we start shutting down the password-based attacks against businesses and everyone can feel a little more secure using SaaS applications to run their businesses.

Happy New Year to all.

Google Apps and its expanding enterprise ecosystem

Friday, October 16th, 2009

If you needed further evidence that Google Apps is getting good traction in the enterprise, you can find it in the growing ecosystem of enterprise applications targeting Google Apps.

Network World’s recent article, 10 Google Apps Add-Ons for the Enterprise, highlights a few of the growing list of applications that enterprises are using with Google Apps – with myOneLogin heading up the list.

In addition to the strong authentication provided by myOneLogin, the applications covered in this article tackle business-specific tasks like e-discovery, business process workflows, and enterprise content management.

As the ecosystem around SaaS applications like Google Apps continues to grow, the reasons not to adopt SaaS for business applications will dwindle.

Hotmail passwords leaked – and now the larger threat begins

Monday, October 5th, 2009

Last week, attackers apparently posted over 10,000 Microsoft Windows Live Hotmail passwords on a developers’ website. Neowin.net broke the story at http://www.neowin.net/news/main/09/10/05/thousands-of-hotmail-passwords-leaked-online

Microsoft has confirmed the story and indicates that it is not the result of a breach on their part—presumably, users were victims of phishing attacks.

You might think the threat is contained – the passwords have been pulled off the site, and Hotmail users simply change their passwords. All better, right?

No – this breach can have ongoing, insidious effects for individuals and businesses alike. Malicious individuals with access to those accounts can exploit opportunities for theft and damage through shared passwords and insecure password reset processes.

Shared passwords.  Everybody does it – we pick a few passwords and use them across many different accounts. Anyone with access to those Hotmail passwords has a pretty good chance at breaking into other accounts owned by those individuals – perhaps even Salesforce or Google Apps accounts hosting their employers’ data.

Password resets. For too many applications, if you control the email address associated with the application, you control the password reset. Even if attackers cannot guess the password for an app, they can reset it to one of their choosing. And if applications send passwords in the clear in email, attackers don’t even have to reset—they can browse through old emails for passwords.

So what should you do? If you’re a Hotmail user, reset your Hotmail password and the passwords for any other accounts that shared the same password.  And if you’re a business, use a service like myOneLogin, with strong authentication, to insulate your business from the potential effects of password breaches like this.

What we learn from the botnet

Friday, May 15th, 2009

Researchers at the University of California Santa Barbara managed to infiltrate a botnet and observe its operations for 10 days. The published report is available at www.cs.ucsb.edu/~seclab/projects/torpig/torpig.pdf

The botnet’s apparent objective was obtaining financial information. The researchers observed that the virus used not only passive password monitoring but also active phishing to try to elicit specific financial credential information from its victims.

And it was successful:
• The botnet stole almost 300,000 login credentials during the observation period.
• More specifically, it obtained 8310 accounts at 410 financial institutions.
• 28% of the victims reused credentials between different sites.

The UCSB researchers learned quite a bit about how malicious botnets work. But the rest of us can take away valuable lessons as well.

First, we like to think we’re immune, but we’re not. The victims ranged from students to the CEO of a tech company. One proudly claimed that an antivirus program had cleaned his computer. Clearly antivirus programs don’t work all the time. Roughly 20% of the victims were connecting from publicly-accessible systems.

The biggest lesson is this: business and financial web applications need strong authentication – a second authentication factor in addition to an account and password. It’s simply getting too easy for attackers to discover our passwords and gain access to valuable information in web applications.

Single Sign-on iframe for SharePoint

Monday, April 20th, 2009

One of our customers asked about embedding myOneLogin in an iFrame in Sharepoint, and we thought others might be interested in the answer.

You can embed myOneLogin within an iFrame in SharePoint or any application where you have access to application code. Your iFrame will reference your myOneLogin URL – i.e. https://YOUR-COMPANY.myonelogin.com/…1.0/POST/login. Note that you still need to perform strong authentication in that iFrame to myOneLogin, after which you land in the myOneLogin dashboard in the iFrame. Alternately, you can send the user to your own SharePoint page using the instructions on our developer site (https://www.myonelogin.com/developer/docs_toolkit.html). If you want the user to go to another SharePoint page (/ssodashboard.aspx) after myOneLogin strong authentication, then the iFrame myOneLogin URL will be https://YOUR-COMPANY.myonelogin.com/…dashboard.aspx

On this or any other SharePoint page you can display your own links for the SSO applications. (Simply take the shortcuts for the myOneLogin application icons and show them on any of your SharePoint pages; see the example below.)

If you want to show Expedia or another SSO application on any of your SharePoint pages, simply show an icon or a link and use the myOneLogin application URL as the value of the link’s “href” attribute. For example, if you had Expedia, you can use the following as the “href” value: https://YOUR-COMPANY.myonelogin.com/…h?name=Expedia

If you want to put your own branding and page content outside the iFrame, we can send you a style sheet for that so that the content within the iFrame is “plain” HTML.

If you have questions, or creative ideas about embedding myOneLogin, let us know.

Phishing affects your brand

Monday, April 20th, 2009

I just read the article “Phishers get more wily as cybercrime grows” by Diane Bartz for Reuters, profiling the new and creative ways that phishing attacks are escalating. Apparently the newest variant is ‘smishing’, which is phishing by SMS text messages. See http://tech.yahoo.com/news/nm/20090417/tc_nm/us_cybercrime_1.

The article quotes Michael Barrett, Chief Information Security Officer at Paypal, saying that phishing “was impacting their view of the safety of the Internet and that it was indirectly damaging our brand.”

Paypal is a company that gets it – that phishing is most definitely their problem. They’ve taken aggressive tactics to block spam emails purporting to come from Paypal.

At TriCipher, we’ve been on the phishing crusade for a while now. We think that one of the best ways online businesses can protect their brands from phishing is by adding strong authentication to access their sites. And we’ve got an easy way for web developers to implement strong authentication without software, using web services calls to our service. See http://www.myonelogin.com/strong_authentication.html for more information.

myOneLogin: Supporting business on the web with web SSO, strong authentication, and federation as a service.
COPYRIGHT ©2010 TRICIPHER. ALL RIGHTS RESERVED.