The Risks

It is quite a leap of faith for a company to trust a 3rd party like Pseudo-Nym to help manage their employees’ access to SaaS services. SaaS vendors provide critical and time-sensitive services, so having a 3rd party involved in any way is a concern. The 3rd party could pretend to be an employee and access critical SaaS providers. The 3rd party could have a service outage at a critical moment, or could go out of business.

While all of this is true, Pseudo-Nym Managed Credentials significantly decrease existing risks with SaaS services and do not introduce new risks.

Impersonating Subscribers

First, Pseudo-Nym cannot in any way pretend to be a corporate Subscriber of our service or enable anyone else to impersonate a Subscriber.

That is because Subscribers of our service, who are employees of our corporate clients, create, control and protect their own encryption keys. Those encryption keys are created in the technical environment of the Subscriber and are always within their control. While part of the encryption key is shared with Pseudo-Nym – that allows us to provide a management service – Pseudo-Nym does not have the entire key. The Subscriber and Corporate Client keep part of the key exclusively in their control. As a result, Pseudo-Nym cannot copy or duplicate the encryption keys of our Subscribers and we cannot impersonate our Subscribers.

In fact, theoretically, no one can impersonate a Subscriber. Fundamentally, Pseudo-Nym Managed Credentials are 2048-bit encryption keys. Those encryption keys are unique – no two keys are the same. No matter how many keys Pseudo-Nym manages, every key is unique. Pseudo-Nym does not have the unique encryption key or the information necessary to impersonate any single employee of any firm that uses our service.

Service Outage

Pseudo-Nym provides two services: key registration, so we can manage your credentials, and credential validation, so SaaS providers know the current status of a credential before allowing access.

Key registration is typically not time-sensitive. While obtaining a credential is important, it does not typically require immediate action. If a service outage occurred while a credential was being obtained, a delay of a few hours or even a day is not expected to be a significant problem.

Of course, validating the credential at logon is extremely time-sensitive. When a user accesses a SaaS provider with a Pseudo-Nym Managed Credential, the SaaS vendor is obligated to validate the credential before allowing access. If our service is unavailable, the SaaS vendor will not be able to confirm the credential's validity. At that moment, there are several options. First of all, it's important to note that the end user has already been identified and authenticated using their Pseudo-Nym Managed Credential. That takes place within the web browser and web server without any involvement of Pseudo-Nym. After a successful logon, the validity check is an extra step to confirm the status of the credential.

After the Pseudo-Nym Managed Credential has been accepted, and if the validation process is unavailable, the SaaS vendor has a few choices. They can deny access until service is restored. This would obviously limit their liability for inappropriate access, at the cost of some customer dissatisfaction, but it is an option. They could allow access and accept the risk that the credential is stolen and being used by an unknown third party. This would be at the discretion of the SaaS vendor based on the services they provide. Lastly, the SaaS vendor could require their legacy authentication technologies as a replacement for the validation service. An email to a corporate address or a text to a phone should confirm the employee is still employed by their firm.
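
The three outage choices described above, sketched from the SaaS vendor's side as an added example (this is not Pseudo-Nym's code or API). The names decide_access, OutagePolicy, ValidationUnavailable, validate and legacy_confirm are hypothetical; the point shown is that the outage policy applies only when the validation service cannot be reached, never when it answers that a credential is not valid.

```python
import logging
from enum import Enum

log = logging.getLogger("credential-validation")


class OutagePolicy(Enum):
    DENY = "deny"      # refuse access until validation is restored
    ALLOW = "allow"    # accept the risk that the credential is stolen
    LEGACY = "legacy"  # fall back to e-mail or text confirmation


class ValidationUnavailable(Exception):
    """Raised by the (hypothetical) validation client on timeout or error."""


def decide_access(credential_id, validate, policy, legacy_confirm=None):
    """Return (allowed, reason) for a user who has already authenticated.

    validate(credential_id) returns True (valid) or False (not valid), or
    raises ValidationUnavailable. legacy_confirm(credential_id) returns bool.
    Both callables are assumptions supplied by the SaaS vendor.
    """
    try:
        if validate(credential_id):
            return True, "validated"
        # A definitive negative answer is never overridden by outage policy.
        return False, "credential-not-valid"
    except ValidationUnavailable as exc:
        # Record every degraded-mode decision so it can be reviewed later.
        log.warning("validation unavailable for %s: %s (policy=%s)",
                    credential_id, exc, policy.value)

    if policy is OutagePolicy.ALLOW:
        return True, "allowed-unvalidated"
    if policy is OutagePolicy.LEGACY and legacy_confirm is not None:
        ok = legacy_confirm(credential_id)
        return ok, ("legacy-confirmed" if ok else "legacy-failed")
    # DENY, or LEGACY configured without a fallback check: fail closed.
    return False, "denied-validation-unavailable"
```
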

While there is some risk associated with the Pseudo-Nym Management Service, the benefits associated with our service clearly outweigh those manageable risks.