""With that session being secure, the next thing is you have to answer the question 'Who is this user?',"" says De Leon. ""Is this user who they say they are?"" This step in the process is the authentication, allowing Cygnifi users to access applications with a single sign-on. But Cygnifi also provides services through third parties and their portals and needed to make sure that some users did not need to re-authenticate during their sessions. With the Saecos engine the users identity is automatically re-authenticated at each application for security throughout the session. ""If a user signs onto a bank's portal, then they click through to the Cygnifi service and there's a behind-the-scenes authentication of that person to Cygnifi so they don't have to log in again,"" says DeAddio.
The next component necessary to the security of Cygnifi's site and services was an authorization product. "After the user is authenticated, the next step is to say what this user can do," says De Leon. For authorization, Cygnifi uses Saecos' Authorization Facility to define what services and functions a user can perform. But once again, Cygnifi often private-labels its services to other financial institutions, which, in turn, offer those services through their own sites and portals. In this case, the authorization function becomes a sort of administration function for the institutions to define which users can do what. "You end up with this network of connections between the end user and the final company, so how do you authenticate and authorize along that network of connections?" asks De Leon. "Saecos supports what we call multi-tiered e-relationships."
At this point, the administration function or the authentication and authorization of end users is performed through Cygnifi, but Saecos is in the process of developing a delegated administration module. "The Cygnifi administrator should not be administrating users of other firms, an administrator at that site should be doing that. So the module will delegate those pieces of administration to the appropriate level," says De Leon. As DeAddio puts it, "The institutions would like to administer and set up and take down and configure users themselves without having to get Cygnifi in the loop." The administration module will also allow Cygnifi to scale its products and services even more in the future. "This way we don't have to build up a huge client services division here to manage lots of engagements," notes DeAddio. He expects that the administration module will be rolled into the production environment and available for use in June or July. Additionally, Saecos is developing a security monitoring infrastructure piece for Cygnifi.
Saecos is also continuing to act as a "security mentor" for Cygnifi, reviewing and monitoring its security. Recently, Cygnifi developed what it is calling a "keep alive" mechanism to keep different windows alive while users are using the Cygnifi services. "A customer has asked us for this, so while they're using the Cygnifi service in one Internet window, they want to make sure that their session doesn't expire in another window because it needs to look like one playground for the user," explains DeAddio. "If one part expires and the other doesn't, the site starts to look inconsistent." In this case, Cygnifi designed the mechanism and sent it to Saecos for a security review and for any opinions or suggestions to improve the mechanism before Cygnifi incorporates the component. DeAddio re-emphasizes the importance of security for an ASP offering such as Cygnifi and describes the security measures it has undertaken as not only defensive, but as a "selling tool" for the risk management solutions provider. "We feel it's one of the things that sets us vastly apart from any of our competitors in the ASP space," he adds. "This is one of our selling points, we take security extremely seriously and the bar we set for ourselves is above any industry standard that has been defined."