RSA announced Monday that its SecurID two-factor authentication hardware and software can now integrate with Microsoft Windows Active Directory Federation Services (ADFS) 2.0. Come December, the two-factor authentication system will also work with Citrix Receiver, a universal client that allows virtual applications and data to be delivered to any type of device.
Integrating EMC-owned RSA's SecurID with Microsoft's ADFS will give users of cloud applications built on Office 365--including Microsoft Exchange services--and Microsoft Azure more secure, two-factor authentication. That includes centralized user authentication and authorization capabilities, as well as single sign-on and strong authentication for a range of corporate networks and cloud services.
"The integration with Microsoft Active Directory Federation Services [gives] secure access to things like Office 365 and cloud and Web applications," said Sam Curry, CTO of the identity and data protection group at RSA, in an interview. "Active Directory has become in many ways the de facto directory in most organizations and ADFS gives you the ability to take that up to the cloud level." Likewise, the integration with Azure means that SecurID can provide Microsoft's infrastructure-as-a-platform service with a layer of trusted authentication.
In short, the move will allow businesses to take their existing directory information and use it to verify identities and access levels for cloud applications. "Active Directory is usually the directory of choice--it's the definitive source of who's an employee," said Curry. "We help to verify that the person is the person they really claim they are."
So-called federated identity--storing user identities and access levels in multiple locations, but with the ability to call on them collectively as a service, for example to validate access to a cloud-based application--isn't a new concept. But federated identity isn't yet in wide use. "We've been talking about identities and federation--they're not new ideas--but we've been waiting for them to arrive everywhere," said Curry. "My analogy is hybrid cars. It's not that everyone hasn't heard of them, but achieving ubiquity with them, that would be a big deal."
One big upside of the ADFS and SecurID integration, he said, will be that going forward, Azure developers will be able to build applications that easily call SecurID authentication as a service. "Because this is all open and extensible, you can program to it. SAML, WS-Federation, they'll be able to consume identities from ADFS."
RSA said the integration is available, for no extra fee, for all SecurID users. "Frankly, if a customer buys into RSA, they buy our products for strong authentication, and so they can be certain it's going to work with everything they want it to work with. And we think that the new wave of technologies from Microsoft and Citrix is what people will want to integrate with."
In terms of Citrix Receiver, RSA said that adding SecurID authentication will provide measurably better security for users of the virtual application delivery environment. With Citrix Receiver, "unfortunately, most people are using things like usernames and passwords, which can be broken fairly easily," said Curry. "In the old world, you actually had to steal someone's machine, which was pretty difficult. With client/server computing, you had to fake having their machine. But in the new world, you just have to fake out their session."
A study released last week by Ponemon Institute points to the cloud security issues that many businesses still face. Notably, the survey of about 1,000 people found that only 35% of IT personnel and 42% of compliance officers think that their cloud infrastructure services are properly secured. Respondents reported using the following types of cloud infrastructure: Amazon EC2 (49%), Windows Azure (47%), Google App Engine (45%), RackSpace (38%), GoGrid (30%), and Terremark (28%).
In other RSA security news, last month the company released a set of software development kits (SDKs) to give mobile application developers tools for integrating their applications with SecurID, as well as RSA's Adaptive Authentication products.
Interestingly, developers can use the RSA SecurID mobile SDK to have their applications call strong authentication, but in the background. That is, they can require users to enter their username and password, but also have their application call--automatically, without the user having to intervene or even know it's happening--a SecurID software token running on the mobile device. RSA said that the functionality has already been put to use in Citrix Receiver, Juniper JUNOS Pulse, and VMware View technology.