CyberSafe Limited: Delivering Enterprise-Class Secure Single Sign-On and User Authentication

CIO VendorTim Alsop, CEO
At the 2012 SAP SAPPHIRE NOW and ASUG Conference in Orlando, Tim Alsop, CEO of CyberSafe, embarked on an innovative marketing ploy to capture the attention of the many SAP customers and partners attending the event. He made custom room keys for conference hotels, showing CyberSafe’s logo and listing their products’ key benefits. Alsop’s intention was to highlight the importance of a “single” key to enter the guests’ room and link this to the need to have a “single” set of credentials for authentication and single sign-on. This was an interesting way to associate the need for a single credential with CyberSafe, whenever a guest used their room key.

The company was originally known as CyberSafe Corporation, founded in 1991 as a global security software vendor providing Kerberos-based single signon. Then, in 2001, the software assets of the company were acquired through a UK management-team buyout. Alsop’s drive and vision has provided firm direction since then. “After the buyout, we quickly found that our products were being purchased by many SAP customers who wanted to integrate their SAP application user authentication with Microsoft Active Directory. Therefore we decided to focus on this market,” says Alsop, whose exceptional IT and software development expertise steered him to explore the marketing and business side of CyberSafe, which led to the decision to focus on the SAP customer market, bringing about a major differentiation for the company.

“We were the first company to offer a commercial Kerberos-based security product,” says Alsop. The Kerberos protocol is popular for securing multi-tier application architectures, especially when components of the application reside on different operating systems. It was introduced into the Windows operating system by Microsoft in 2001 and since then it has become even more strategic and widely adopted. Alsop continues by saying, “Our TrustBroker products use our own Kerberos libraries, and our background and experience with this protocol allow us to make full use of its many features in our products. The products can leverage over two decades of Kerberos and Microsoft Active Directory expertise for authentication and key management, lowering costs and delivering exceptional return on investment.

A Single Credential for Every SAP User

When it comes to SAP applications, CyberSafe allows the users to authenticate using their Microsoft Active Directory credentials, recognizing that users within most companies already have such credentials as they are used to logon to the company network, email, intranet, and other business applications. The desire of most companies is for each user to have only a single credential to remember and this is usually their Active Directory credential. “We are allowing users to carry on using their Active Directory credentials when they logon to the SAP applications, and this can be done in two ways—either they log into their workstation or device using.

"The TrustBroker products typically cost 40 percent less than similar products from other vendors

Active Directory credentials then when they logon to an SAP application they won’t see any sign-on screen, popularly known as ‘Single Sign-On’ (SSO); or they can be prompted for Active Directory credentials during every SAP application logon, or only for certain applications, and we refer to this as ‘Multiple Sign-On’ (MSO),” says Alsop.

With SSO, a user can log on once, without being prompted to log on again when they enter the applications. SSO arrives with various benefits including significant cost savings, since the user spends less time waiting for the help desk to reset passwords, and higher user productivity, since the user spends less time getting frustrated trying to remember the correct credentials.

The need for SSO with SAP applications is greater, when compared to other applications, since each SAP system normally requires the user to enter a different username and password and often there are many SAP systems being used by an end user with each requiring different credentials. Also, some SAP systems have multiple clients, so a user might have an identity in more than one client within the same system, with each having a different password. Consequently the number of credentials each user has to remember can be significant enough to cause a lot of frustration and have very high cost implications.

However, as Alsop pointed out, “Sometimes the CIO or CSO may be concerned about SSO because users’ of critical business applications can logon to their workstation and if they then leave it unattended, someone else may logon to the applications assuming their identity. This is particularly important for users of SAP HR or Finance applications, with the potential damages being far greater than for less critical applications. This is where the CyberSafe TrustBroker multiple sign-on (MSO) feature is specifically designed to help, as users still only need a single credential and all of the benefits of SSO are still achieved, but if the user leaves their workstation unattended then another user will not be able to log onto the SAP applications.” The CyberSafe strategy is to offer flexibility and innovation in all products, and their experience in the industry has shown that SSO doesn’t meet the needs of every user or company. “The MSO feature can also be used on shared or kiosk workstations, be enabled only for certain users, applications or workstations, but it can also be applied to everybody if a customer prefers every user to use the same method of logon,” says Alsop.

Cost Management and Increasing User Productivity

The complexity and criticality of modern business applications demands that the applications have multiple layers of security in order to protect authenticated business data from imminent vulnerabilities, so it cannot be accessed by people that shouldn’t have access. Specifically, for enterprises using SAP applications, the business critical data is stored in a database and therefore on servers in the company’s data center or in a private cloud. Clearly, this data needs to be protected.

If users have access to a large number of SAP systems and applications, they will normally have many credentials to remember. The difficulty of managing multiple credentials often means that users resort to writing them down, so there is potential for one user to find the redentials of another.
“If the users only have one credential to remember, it will be a stronger redential, won’t need to be written down, and will be much harder for somebody else to discover. The security of the company’s business data will be improved if each user has a single unique identity and a single credential. We have found that the need to reduce the number of credentials a user has to remember is already widely recognized by businesses and is of major concern; that’s where our TrustBroker products help. Some companies think that it will be expensive, time consuming and complex to implement such products, but often this is not the case,” says Alsop.

“Some organizations we talk to do not have proper records to identify how many help desk calls have been made by users having password issues. Often we are told that when a company checks their help desk system they are surprised to find a high percentage of incidents are related to passwords, often more than 50 percent,” notes Alsop. “We help companies significantly reduce their costs by decreasing the number of calls to the help desk every time a password needs to be reset,” he adds.Alsop continues, “There are other cost savings, as it is not just about the help desk. The users’ productivity also has a price. Initial time wasted trying to remember their password; followed by more time waiting for the help desk to acknowledge and then to reset it; frustration causes loss of concentration and they’ll take longer to complete their tasks. All this time has a cost.”

A pharmaceutical company having around 100,000 SAP users, decided to measure the cost taking all this into consideration. They used help desk call logs, and also surveyed about 40,000 of the end users. They found that in a month, each user averaged 48 minutes being effected by password related issues. When considering the employee cost per hour, they realized that this productivity loss had a significant associated cost. They achieved a very quick ROI by spending about 3 months deploying the CyberSafe TrustBroker products globally, which has almost eliminated this cost.

CyberSafe in the SAP Community With over a decade of experience in working with SAP security and SSO, Alsop enjoys lending a knowledgeable hand to people facing issues in this particular field. “I often find t hat when I talk to SAP customers about their security and authentication needs, if CyberSafe TrustBroker products are not suited to their needs, or only partially suited, I can recommend other vendors’ products or technology that I am familiar with,” says Alsop.

Being an active participant in multiple SAP related community forums and events, the company is seen as a being knowledgeable in the area of SAP user authentication and SSO.

Strategic Authentication Technology for the Future

The TrustBroker products include support for electronic signature re-authentication, enabling organizations to implement SSO or MSO and to utilize electronic signatures for FDA 21 CFR Part 11 (or similar) compliance initiatives. Alsop suggests, “In the future, compliance or security policy will drive the need for more business applications to support re-authentication, perhaps combined with electronic signatures, or simply to ensure that the user who logged on is the same user who is accessing the application.” When asked whether passwords were sufficient, Alsop replied, “There is growing awareness that stronger methods of authentication are needed, and there is a need to offer multiple methods of authentication and still allow the user to have a single unique identity (managed in an Active Directory domain). The users need to be able to authenticate according to the application needs, using different methods, such as password, biometrics, token devices, or smart cards.”

A Strong Business Model for Now and the Future

CyberSafe adopts a strong business model where there is no need to pay for professional services consultants. “When prospective customers or partners ask us what professional services we provide; we say none and then address their surprise by explaining that our products are specifically designed so they are easy to install and configure. If help is required, there is no additional cost, as the customer only needs to pay for the perpetual software licenses with annual maintenance and support,” quips Alsop. He then continues to explain; “Every customer gets the help they need when they evaluate the products, and guidance on best practices when they are planning deployment. This approach reduces the total cost of ownership for the customer.”

Although CyberSafe doesn’t offer or need to offer professional services to help customers with their products, sometimes an integrator, reseller or consultant partners with CyberSafe to provide complementary services to the customer. T his works well, since the customer gets the help they need (which might be SAP Basis Consultancy, project management, or other services) as well as being able quickly to realize the benefits of the TrustBroker products. The partner also finds that there is no conflict of interest when working with CyberSafe, since CyberSafe doesn’t offer competing professional services to the end customer.

"When prospective customers or partners ask us what professional services we provide; we say none and then address their surprise by explaining that our products are specifically designed so they are easy to install and configure

Today, CyberSafe sells its off-the-shelf security software to a wide range of verticals including banking, retail, hospitals, life sciences, high tech, manufacturing, and many more. “I estimate that a very small number of existing SAP customers within each vertical (maybe as low as 2-3 percent?) have already implemented SSO or similar technologies, leaving a huge potential market as more companies decide that the time is right for them to benefit. We find it is always best to introduce SSO or MSO before users get to suffer the consequences of not having products like ours in place. This is why we work a lot with systems integrators and consultants who are helping SAP customers with their implementations, but we also work with the SAP customer directly when an integrator or consultant is not involved. We are open to doing business in any way that works, as long as the end customer is happy and able to benefit from our products,” says Alsop.

Looking ahead, CyberSafe is committed to remain the SAP customers’ first choice for SAP SSO and MSO, and will continue to enhance their products to support more user authentication methods, devices and applications. They will continue finding ways to make the technology easier for their customers, and making their products even more configurable and flexible without making them complex.



Tim Alsop, CEO

CyberSafe is the original commercial provider of Kerberos-based security solutions, with over two decades of experience.The TrustBroker® products utilize existing Active Directory infrastructure to offer user authentication, encryption, and secure single sign-on (SSO) for SAP business applications

Whitepapers of CyberSafe