CA cloud service measures security risk, keeps out riff-raff

CA cloud determines level of authentication needed to access corporate apps

CA Technologies today announced its cloud-authentication service now features advanced controls to let customers more effectively control who gets into corporate applications.

The CA Advanced Authentication Cloud Service offers risk-based scoring that ties the strength of the authentication needed to the specific application the user wants to access after initial logon. For instance, a simple password might be deemed sufficient for some applications such as e-mail, while stronger two-factor authentication might be required when trying to access more sensitive information, such as a payroll application.

"When you hit a URL, it will check how you authenticated against a risk core," says Lina Liberti, vice president of marketing at CA, about the software-as-a-service. The initial way that the user gained access to some corporate resources via the service may be deemed not fully sufficient to gain access to other resources and the user may be prompted to provide a stronger type of authentication.

The service is based on the Arcot technology that CA acquired late last year, which has now been integrated into CA's SiteMinder Web authentication product and service. Previously, the Arcot technology working in conjunction with SiteMinder would only offer a "yes" or "no" guidance on authentication by the user, not a risk score related to all the activities the user wants to do after online authentication.

In addition, CA announced its cloud authentication service now supports what's called "tagless" device identification, which allows the service to uniquely identify a device -- whether it's a PC, a smartphone or anything else -- via a fingerprinting method based on collected device data. The tagless method does not depend on cookies or agents.

"It's basically taking a snapshot of the machine, like a machine DNA," says Liberti, saying the technique CA has developed works on "anything that has a chip on it." The underlying idea is that the user is associated with the device and that identification information can be registered and used as part of the risk-based scoring approach. In addition, CA says it has developed apps for mobile smartphones that allow them to be used for one-time passwords based on the CA Arcot OTP technology.
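
The per-URL check and device registration described above can be sketched as follows; this is an added example, not CA's or Arcot's code. The strength ranking, the policy table, the rule that an unregistered device raises the requirement by one level, and the device attributes are all assumptions made for illustration.

```python
import hashlib

# Assumed strength ranking of authentication methods (not CA's scale).
STRENGTH = {"password": 1, "otp": 2}
# Constructed policy: URL prefix -> minimum strength the application demands.
POLICY = {"/mail": 1, "/payroll": 2}
MAX_STRENGTH = max(STRENGTH.values())


def device_fingerprint(attrs):
    """Derive a device ID from collected attributes, with no cookie or agent.
    Simplification: an exact hash, so any attribute change yields a new ID."""
    canonical = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canonical.encode()).hexdigest()


def required_strength(url, device_known):
    """Strength needed for this URL, raised one level on an unregistered device."""
    matches = [p for p in POLICY if url == p or url.startswith(p + "/")]
    # Unlisted URLs fail closed to the strongest requirement.
    base = POLICY[max(matches, key=len)] if matches else MAX_STRENGTH
    return min(base + (0 if device_known else 1), MAX_STRENGTH)


def decide(url, user, methods, device_attrs, registry):
    """Return 'allow', or 'step-up' when the session's logon is too weak."""
    known = device_fingerprint(device_attrs) in registry.get(user, set())
    have = max((STRENGTH[m] for m in methods), default=0)
    return "allow" if have >= required_strength(url, known) else "step-up"


# Constructed sample data: one registered laptop, one unregistered phone.
LAPTOP = {"ua": "Mozilla/5.0", "screen": "1440x900", "tz": "UTC-5", "fonts": "212"}
PHONE = {"ua": "Mobile Safari", "screen": "320x480", "tz": "UTC-5", "fonts": "40"}
REGISTRY = {"alice": {device_fingerprint(LAPTOP)}}

if __name__ == "__main__":
    for url, methods, dev in [("/mail/inbox", {"password"}, LAPTOP),
                              ("/payroll/slip", {"password"}, LAPTOP),
                              ("/payroll/slip", {"password", "otp"}, LAPTOP),
                              ("/mail/inbox", {"password"}, PHONE)]:
        print(url, sorted(methods), decide(url, "alice", methods, dev, REGISTRY))
```

A production fingerprint would tolerate small attribute drift instead of requiring an exact hash match, and the step-up prompt would record the stronger method in the session so later requests pass the same check.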
