Member Article

Authentication must be an integral part of applications

Through the strategic partnership with Norwegian Promon, VASCO’s new President and Chief Operating Officer Scott Clements has put his mark on this security specialist soon after taking office. Promon provides Runtime Application Self-Protection (RASP) technology which allows safe operation to be fully integrated into mobile apps. “I think that’s the future,” Clements said in an interview at VASCO’s headquarters in Wemmel, near Brussels. “Only then will ‘trust’ become an integral part of an application.” Hence Clements would like VASCO to not profile itself so much as ‘the authentication company’, but more importantly as ‘the trust company’.

Considerations For many people active in the world of IT security, VASCO Data Security is still the company that became great thanks to hardware tokens. In the Netherlands, Rabobank is one of its clients, but the list of international customers is much longer and reaches as far as Japan and the United States. In fact, more than half of the world’s top 100 banks rely on VASCO security solutions. Clements is the first to suggest that while such a strength in hardware solutions is nice, it could also be a handicap. As a former Strategy Officer, he was responsible for defining the company’s strategy and this item was - naturally - one of his major concerns.

Clements added: “The position of VASCO is actually quite interesting. We have always had a clear focus on authentication for the banking sector. We also have, of course, clients in healthcare and other industries. But we can especially be of service through the knowledge we have gained in the financial sector with processing large numbers of (privacy) sensitive transactions. That is an excellent basis for further growth.”

Software authentication However, Clements, who lives in Zurich, sees the fame that the company had with hardware tokens, as an advantage. He considers the hardware to be a shell in which authentication oriented software is running. In recent years, the company has also made this technology available to clients in the form of software, like products such as DIGIPASS for Apps.

“In my view, VASCO is therefore not so much moving from hardware-based security solutions to software-based technology. What I think is much more important, is the way we help clients to increasingly integrate authentication into the actual application code. The question is: do we want to apply authentication in providing a user access to an application or a mobile app? Or do we want security - call it: IAM - to be an integral part of an app? Any business or government will have to answer this individually. But what is important for us, is that we are able to offer all these solutions.”

Runtime Application Self-Protection Participation in Promon is, therefore, an important step for VASCO. “Promon provides RASP technology,” says Clements. “It is used by the app to protect itself. It incorporates security into the core of the app, which naturally offers serious advantages over older security models. Those usually assume that the app or application is protected by a separate layer or module. The application code itself is purely focused on functionality; security is then added to this, but not integrated. That’s one reason why we see so many security incidents. If a cyber criminal manages to get through the security layer, then he has a free hand and he can have his way with the otherwise unprotected application code. An app that is protected by RASP technology can be used in any environment, even an unsafe one. Think of public Wi-Fi networks at airports and the like. Because the application code itself is protected, even if one manages to get access to the app, you still cannot abuse the functionality.”

APIs Fully integrating IAM technology into the application code is one of the most promising solutions that Clements identifies for the current problems in the field of IT security. However, there are also other occasions where the app builder or an internal IT department has little or no knowledge of RASP. Or rather prefers to leave the good management of authentication in the hands of an expert. In such cases Clements foresees the emergence of authentication focused APIs (Application Programming Interface). “The same technology that we use for our hardware-based IAM solutions and for RASP applications, can also be made available to customers as a service.”

eSignLive Clements, however, does point out that it is still very early for these types of solutions. “Our R&D people are looking into this very actively, but APIs are still offering quite a few other challenges, all related to ‘trust’. One of which is, for example, documenting APIs. When one uses an API for something as crucial as authentication, one wants to be very sure that the chosen API actually does perform what is claimed by the developer. In other words, can I, as a developer, trust a particular API? How do we realise this ‘mutual reliance’? Through certification? Through documentation? The reputation of the API provider? This will lead to the formation of ‘trust ecosystems’ by parties working together a long time. That is one of the reasons why I find the long relationship of VASCO with banks, so important - even if it is based on hardware tokens: you trust each other.” Incidentally, through its acquisition of Silanis, VASCO now offers eSignLive. This is a cloud solution for electronic signatures. eSignLive is also available as an API.

Authentication as a Feature For Clements, it is certain that authentication will increasingly become a feature of apps and applications in the near future. “That makes the market for entertainment and gaming very interesting for us as well. The business model of these types of applications is often based on in-game purchases.

However, anyone who is on his phone on the train playing a game and who wants to make such a purchase, is by definition in an unsafe environment. Our technology is ideally suited to ensure that purchases in such environments can still be done in a safe and - quite importantly - flexible way.“

Clements expects considerable growth for VASCO over the coming years: “We are able to apply our technology and experience very well in a number of new market segments, but at the same time we want to grow in the segment of software authentication solutions. This growth will continue in the coming years. This will be based on both organic growth and growth through acquisitions. VASCO is financially very healthy and has more than sufficient cash in the bank to perform well-chosen acquisitions. That is exactly why I previously called our current situation so interesting; we are in an excellent position with hardware, we have R&D facilities in Bordeaux and Cambridge, among other places, where we are working on very interesting technology and we are expanding our position as a trust-supplier step by step.”

This was posted in Bdaily's Members' News section by Pete Jackson .