
Patented Technologies

Bitglass products are protected by one or more of U.S. Patent Nos. 10,868,811, 10,855,671, 10,757,090, 10,389,735, 10,122,714, 9,769,148, 9,553,867, 9,552,492, and 9,047,480. Of these, US Patents 10,757,090 and 10,855,671 are fundamental to access control and proxy integration between the CASB, the Identity Provider (IdP) and applications, in SAML proxy, ACS proxy and IdP+CASB modes. These patents date back to 2013 and were granted in 2020. During the intervening period, these technologies were adopted by all CASBs as the gold standard for real-time proxy deployments.

Prior to adopting these technologies, other CASB vendors deployed in phishing mode: user login credentials were entered into a proxy rather than into the IdP, thereby seriously degrading security. For example, see our blog posts "How to patent a phishing attack," "The next major data breach is…" and "First gen CASB goes phishing again." These methods are now identified and blocked as phishing by leading browsers for popular applications that use a native IdP.

The table below summarizes access control technologies patented by Bitglass.

Integration Mode          | Direct Access to Application   | Agentless Reverse Proxy Access to Application
--------------------------|--------------------------------|---------------------------------------------
SAML Proxy Mode           | Patented Bitglass Technology   | Patented Bitglass Technology
ACS Proxy Mode            | -                              | Patented Bitglass Technology
Integrated IdP+CASB Mode  | -                              | Patented Bitglass Technology

The following sections offer details on the patented technologies.


SAML Proxy Mode

In SAML Proxy mode, the CASB is configured as the Identity Provider for the application, and your actual IdP (e.g. Ping, Okta, ADFS, etc.) is configured as the Identity Provider to the CASB. Bitglass supports this mode. Because every authentication response passes back through the CASB, the CASB sees both successful and failed authentications, and can therefore provide better anomaly detection (UEBA) and Denial of Service protection. Any SAML IdP can be configured in SAML proxy mode.

The traffic flow diagram for SAML Proxy (relay) mode is as below.

Traffic flow for SAML Relay

SAML Proxy Option 1: Direct access to application: covered by Claim 1 of US Patent 10,757,090.

1. A method for improving secure access to application programs, comprising: receiving, by a proxy server, a single-sign-on request from a device for access to an application program, the device directed by an application server to a cloud network location of the proxy server, the proxy server configured to authenticate computer security validation requests for the application program; directing, by the proxy server, the device to an identity provider by sending the device a network location of the identity provider, the identity provider configured to authenticate computer security validation requests for the proxy server, the device communicates directly with the identity provider using the network location of the identity provider, the identity provider redirects the device to the cloud network location of the proxy server with a single-sign-on validation after validation of the single-sign-on request; receiving, at the proxy server, the single-sign-on validation from the device; creating, by the proxy server, a valid identification assertion; directing, by the proxy server, the device to the application server by sending the device a network location of the application server and the valid identification assertion, the device communicates directly with the application server using the network location of the application server and the valid identification assertion, the device thereafter communicates directly with the application server for subsequent accesses to the application program.
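To make the redirect chain in Claim 1 concrete, here is an added example (not Bitglass code and not from either patent) that models SAML Proxy mode with direct access to the application: the device is sent from the application to the CASB proxy, from the proxy to the real IdP, back to the proxy with the IdP's validation, and finally to the application carrying an assertion the proxy minted in its own name. The application trusts only the proxy's key, the IdP trusts only the proxy as its service provider, and the proxy records every outcome, which is the property the text above relies on for UEBA and DoS protection. Signatures are HMAC stand-ins for XML-DSig, and the users, hostnames and keys are constructed.

```python
import hashlib
import hmac
import secrets
from collections import Counter
from dataclasses import dataclass


def sign(key: bytes, msg: str) -> str:
    """HMAC stand-in for the XML signature on a SAML assertion."""
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()


@dataclass
class Redirect:
    """One hop the device is told to make: where to go and what to carry."""
    to: str
    payload: dict


class IdentityProvider:
    """The customer's real IdP (Ping, Okta, ADFS, ...). Its only SP is the CASB."""

    def __init__(self, users: dict, proxy_acs: str):
        self.key = secrets.token_bytes(32)
        self.users = users            # constructed username -> password map
        self.proxy_acs = proxy_acs    # where validated (or failed) logins return

    def login(self, user: str, password: str, request_id: str) -> Redirect:
        if self.users.get(user) != password:
            # A failure is still sent back through the proxy, so the CASB sees it.
            return Redirect(self.proxy_acs, {"req": request_id, "status": "fail", "user": user})
        body = f"{request_id}|{user}|issuer=idp"
        return Redirect(self.proxy_acs, {"req": request_id, "status": "ok", "user": user,
                                         "assertion": body, "sig": sign(self.key, body)})


class CasbProxy:
    """Acts as IdP toward the application and as SP toward the real IdP."""

    def __init__(self, idp: IdentityProvider, app_acs: str):
        self.key = secrets.token_bytes(32)   # the only key the application trusts
        self.idp = idp
        self.app_acs = app_acs
        self.pending: dict[str, str] = {}            # request id -> application id
        self.events: list[tuple[str, str]] = []      # (user, "ok" | "fail") audit trail

    def sso_request(self, app_id: str) -> Redirect:
        req = secrets.token_hex(8)
        self.pending[req] = app_id
        return Redirect("idp", {"req": req})   # device talks to the IdP directly

    def idp_response(self, p: dict) -> Redirect:
        app_id = self.pending.pop(p["req"])
        self.events.append((p["user"], p["status"]))   # both outcomes are logged
        if p["status"] != "ok" or not hmac.compare_digest(
                p["sig"], sign(self.idp.key, p["assertion"])):
            return Redirect("denied", {"user": p["user"]})
        # Mint a fresh assertion under the proxy's own issuer name for the app.
        body = f"{app_id}|{p['user']}|issuer=casb"
        return Redirect(self.app_acs, {"user": p["user"], "assertion": body,
                                       "sig": sign(self.key, body)})


class Application:
    """Cloud application configured with the CASB proxy as its Identity Provider."""

    def __init__(self, app_id: str, proxy: CasbProxy):
        self.app_id, self.proxy = app_id, proxy

    def acs(self, p: dict) -> str:
        expected = f"{self.app_id}|{p['user']}|issuer=casb"
        if p["assertion"] == expected and hmac.compare_digest(
                p["sig"], sign(self.proxy.key, expected)):
            return f"session:{p['user']}"   # device now talks to the app directly
        return "rejected"


def login_flow(app, proxy, idp, user, password):
    """Drive the device through the hops; returns (hop list, final result)."""
    hops = ["app"]                      # the app sends the device to the proxy
    r = proxy.sso_request(app.app_id)
    hops.append("casb")
    while True:
        hops.append(r.to)
        if r.to == "idp":
            r = idp.login(user, password, r.payload["req"])
        elif r.to == "casb":
            r = proxy.idp_response(r.payload)
        elif r.to == "app":
            return hops, app.acs(r.payload)
        else:
            return hops, "denied"


def build():
    idp = IdentityProvider({"alice": "correct horse"}, proxy_acs="casb")
    proxy = CasbProxy(idp, app_acs="app")
    return Application("crm", proxy), proxy, idp


def failed_logins(proxy) -> Counter:
    """Per-user failure counts, the raw material for anomaly or DoS detection."""
    return Counter(u for u, s in proxy.events if s == "fail")


if __name__ == "__main__":
    app, proxy, idp = build()
    print(login_flow(app, proxy, idp, "alice", "correct horse"))
    print(login_flow(app, proxy, idp, "alice", "wrong"))
    print(failed_logins(proxy))
```

Two details carry the security point: the assertion the application accepts is issued by the proxy, not relayed from the IdP, and the failed attempt reaches `proxy.events` because the IdP returns it to the proxy's ACS rather than to the application.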

SAML Proxy Option 2: Access to application via reverse proxy: covered by Claim 7 of US Patent 10,855,671.

1. A method for improving secure access to cloud-based application programs, comprising: receiving, by an identity provider, a single-sign-on request from a user device for access to a cloud-based application program, the user device sends a request for access to the cloud-based application program to an application server and receives the cloud network location of the identity provider from the application server, the identity provider configured to authenticate computer security validation requests for the application program; validating, by the identity provider, the single-sign-on request; in response to validating the single-sign-on request, directing, by the identity provider, the user device to a cloud network location of an application proxy server with a valid identification assertion, the user device thereafter communicates with the application program via a URL rewritten to go through the application proxy server, the URL originally addressed to the application program, the application proxy server not co-located with the application server.
7. The method as recited in claim 1, wherein the identity provider relays the single-sign-on request to a second identity provider for validation.
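The reverse-proxy claim above (and the same Claim 1 cited again under ACS Proxy and Integrated IdP+CASB below) turns on the device reaching the application "via a URL rewritten to go through the application proxy server". This added example, which is not Bitglass code and not from the patent, shows one way an agentless reverse proxy keeps the session on itself: it maps each proxied application hostname to a subdomain of the proxy, rewrites application links in response bodies, and maps inbound proxy hostnames back to the upstream application. The proxy domain and application hostnames are constructed.

```python
import re
from urllib.parse import urlsplit, urlunsplit

PROXY_SUFFIX = "proxy.example"                       # constructed proxy domain
PROXIED_APPS = {"crm.example.com", "files.example.com", "my-app.example.com"}


def encode_host(app_host: str) -> str:
    """crm.example.com -> crm-example-com.proxy.example (hyphens doubled so it decodes)."""
    label = app_host.replace("-", "--").replace(".", "-")
    return f"{label}.{PROXY_SUFFIX}"


def decode_host(proxy_host: str) -> str:
    """Inverse of encode_host: '--' is a literal hyphen, a single '-' is a dot."""
    suffix = "." + PROXY_SUFFIX
    if not proxy_host.endswith(suffix):
        raise ValueError("not a proxy hostname")
    label = proxy_host[: -len(suffix)]
    return re.sub(r"--|-", lambda m: "-" if m.group() == "--" else ".", label)


def to_proxy(url: str) -> str:
    """Rewrite a link so the browser's next request lands on the proxy.
    Links to hosts the proxy does not front are left alone."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or parts.hostname not in PROXIED_APPS:
        return url
    return urlunsplit(("https", encode_host(parts.hostname), parts.path,
                       parts.query, parts.fragment))


_LINK = re.compile(r"https?://[^\s\"'<>]+")


def rewrite_body(body: str) -> str:
    """Rewrite every absolute application URL in an HTML/JSON response body."""
    return _LINK.sub(lambda m: to_proxy(m.group()), body)


def upstream_request(proxy_host: str, path: str) -> str:
    """Map an inbound request on the proxy back to the real application URL.
    A hostname the proxy does not front is refused rather than forwarded,
    so the proxy cannot be used as an open relay."""
    app_host = decode_host(proxy_host)
    if app_host not in PROXIED_APPS:
        raise ValueError(f"{app_host} is not a proxied application")
    return f"https://{app_host}{path}"


if __name__ == "__main__":
    # Constructed response body: one proxied link, one third-party link.
    html = '<a href="https://crm.example.com/deals?id=7">Deals</a> ' \
           '<a href="https://cdn.example.net/lib.js">lib</a>'
    print(rewrite_body(html))
    print(upstream_request("crm-example-com.proxy.example", "/deals?id=7"))
```

The hostname encoding matters more than it looks: a single proxy certificate covering `*.proxy.example` can terminate TLS for every application, and because decoding is unambiguous the proxy never has to guess which upstream a request belongs to.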


ACS Proxy Mode

In ACS Proxy mode, your actual IdP (e.g. Ping, Okta, ADFS, etc.) is configured as the Identity Provider to the application, and the CASB is configured as an ACS proxy to the IdP per the SAML standard. Only some IdPs support an ACS proxy and can be configured in this manner, e.g. Ping, Okta, OneLogin. Furthermore, in ACS Proxy mode the CASB may not see failed authentication attempts, and therefore cannot effectively detect anomalies or deliver Denial of Service protection.

The traffic flow diagram for ACS Proxy mode is as below.

Traffic flow for ACS Proxy

ACS Proxy Option 2: Access to application via reverse proxy: covered by Claim 1 of US Patent 10,855,671.

1. A method for improving secure access to cloud-based application programs, comprising: receiving, by an identity provider, a single-sign-on request from a user device for access to a cloud-based application program, the user device sends a request for access to the cloud-based application program to an application server and receives the cloud network location of the identity provider from the application server, the identity provider configured to authenticate computer security validation requests for the application program; validating, by the identity provider, the single-sign-on request; in response to validating the single-sign-on request, directing, by the identity provider, the user device to a cloud network location of an application proxy server with a valid identification assertion, the user device thereafter communicates with the application program via a URL rewritten to go through the application proxy server, the URL originally addressed to the application program, the application proxy server not co-located with the application server.



Integrated IdP + CASB

In this mode, the IdP and the CASB are integrated into a single component. The Bitglass CASB supports this mode, which is a simplified version of SAML Proxy mode with the hop between the CASB and a separate IdP removed.

The traffic flow diagram for Integrated IdP+CASB mode is as below.

Traffic flow for IdP+CASB

IdP+CASB Option 2: Access to application via reverse proxy: covered by Claim 1 of US Patent 10,855,671.

1. A method for improving secure access to cloud-based application programs, comprising: receiving, by an identity provider, a single-sign-on request from a user device for access to a cloud-based application program, the user device sends a request for access to the cloud-based application program to an application server and receives the cloud network location of the identity provider from the application server, the identity provider configured to authenticate computer security validation requests for the application program; validating, by the identity provider, the single-sign-on request; in response to validating the single-sign-on request, directing, by the identity provider, the user device to a cloud network location of an application proxy server with a valid identification assertion, the user device thereafter communicates with the application program via a URL rewritten to go through the application proxy server, the URL originally addressed to the application program, the application proxy server not co-located with the application server.