One of the biggest concerns to come out of our cybersecurity prediction series was topic of application security.  Rife with poor security practices, plenty of mal-intent actors out there and plain old insufficient architecture, it is pretty clear just how widespread this actually is.  Then you add in the amount of talent, tools and the expenditure it takes to deal with a problem like this and the problem should start to look really bad.  Web apps are everywhere and while there’s a number of new products out there built to take these challenges on, things are still developing.  One company, Authentic8, is a new data security startup from the guys who started Postini.  They’ve conceived a new way to protect businesses with highly sensitive data in these very situations by “recasting the browser”.  Authentic8 founders Scott Petry and Ramesh Rajagopal were available for a briefing introducing the product, and we later spoke with a customer of theirs, Thomas Main president at IPS.

Let’s frame the problem and answers a little bit better.  For many, the tools of the trade on their workstations is heavily dependent on the browser.  Today, the browser is often the portal for a number of web-based apps and that makes these apps a pretty significant target.  The kinds of things that can happen at the browser level are several – there’s an attack vector based on security flaws in the browser itself that can be attacked, there are man-in-the-middle attacks, phishing attacks and so on.

Authentic8 is changing all of that by moving the goalposts.  The service removes the browser from the picture completely so that threats that come from this browser-app vector are no longer the threat that they once were.  The result is a dramatic improvement in security status.  Users connect to apps that are centrally provisioned and connect to virtual browser sessions so that all web code is kept off the device.  All data transmission is encrypted by default and that on its own makes it a solid upgrade in most environments.  Malicious code and browser-based security attempts hit Authentic8’s servers and leaves the client systems alone.  The product is early on, but they’ve rolled out Mac, Windows and iPad agents that can be deployed in minutes to hours.  They’ve seen big uptake in financial services, healthcare and other markets that are security-conscious.

Case in point – International Process Solutions

Intro

Manufacturers in regulated industries such as pharmaceutical and bio-tech need to provide documentation, test results and maintenance records as part of their ongoing regulatory compliance processes.   International Process Solutions (IPS) provides instrumentation, calibration and process-control services to these manufacturing facilities, helping them support FDA audits, to report on the status of their operations, and to comply with the FDA’s Good Manufacturing Practices.   IPS collects customer data and synthesizes it with their own proprietary content in order to keep these manufacturers current.

What problem were you trying to solve?

Sharing this sensitive data has been a delicate issue for IPS.  The reports that IPS generates include both customer-specific data and IPS proprietary test and validation procedures.   In order to maintain control and confidentiality of the data, IPS processes had been optimized around hard-copy data exchange.  IPS wasn’t able to deliver an on-demand model while maintaining access restrictions and revision management.  In a world defined by web-based apps, user controlled passwords, and BYOD, IPS decided that holistic security and control was un-realistic for them to deliver.

When IPS learned about Authentic8, IPS recognized it as a way to publish its data securely.  Now, IPS gives its customers access to their data and our procedure documentation through Authentic8, which allows IPS to maintain control of its data, even if IPS can’t control the device they’re using.  In short, Authentic8 lets IPS protect its data, even on devices they don’t control.

How did the deployment work?

There were three aspects of the deployment process

1 – Making sure IPS web apps functioned within Authentic8

2 – Locking IPS apps to only accept connections from Authentic8

3 – Setting up policies to control access to the data

IPS tested its web apps using Authentic8 and found compatibility testing to be a non-event.  Authentic8 is based on the latest Firefox build, and IPS apps are straightforward web front-ends to the database.  There were no issues using the app from PCs, Macs or iPads.

IPS needed to block any connection from a browser other than Authentic8, so Authentic8 provided IPS with a range of IP addresses for their servers, and IPS whitelisted those in its firewall and blocked connections from any other IP.

Since Authentic performs a robust validation of users and machines, IPS benefits from their multi-factor authentication and just accept the incoming sessions.  It freed the IPS team from developing network-level and app-level security controls.

Once everything was locked down, IPS needed to set up user policies to restrict their access to just their data.  Authentic8 lets IPS define policies on a per-user or per-group basis.  IPS is able to control which machines they can access from, and whether they can download or just view their reports.  This has given IPS much better control over its data – nothing downloaded or cached on untrusted machines.

What is life like after deployment?

Rolling out Authentic8 to users has been straightforward.  IPS customers have a better experience with IPS, accessing their data on-demand rather than through hard copy exchange.  IPS has benefited as well.  Obviously its printing and distribution costs are lower, but it also gained increased control over its data.  IPS can set policies limiting data access and data download, giving it server-side control of data that might be sensitive.  The reporting data in to the Authentic8 Admin Console gives IPS visibility into who is accessing its apps, from what machines, and what kind of activity they’re performing.

With this pedigree of having sold off Postini to Google in 2007 for $625 million, success appears to be in the cards again.  The founders of Authentic8 have introduced a service that seems somewhat familiar; offloading the burden of this security threat as they had once done with email spam and virus, and protecting a largely unmanaged threat in the enterprise today.

photo credit: marsmet545 via photopin cc