CAP enhances Software as a Service – Password protection

This white paper is one of a series, outlining how CAP is being used to enhance a Software as a Service application.

Keywords:

Cloud, SaaS, Passwords, CDN

The context:

A large retailer outsources its e-commerce application to a third-party provider. The relationship has existed for a long time; however, the retailer grew increasingly frustrated with the cost and time involved in enacting any change to the user experience, and with the lack of certain features. Adding to the frustration was the fact that every request was completely at the mercy of the third-party provider.

The solution:

CAP was installed in the Amazon cloud between the end users and the third-party provider to help overcome some of these problems. By taking advantage of the CAP Agent’s built-in adaptive static content caching and ability to act inline in real time with minimum performance impact, the retailer resumed control of their brand and reputation.

Deployment diagram:

Why CAP:

No other product on the market offers a CDN-like capability that also enhances and enriches content on the fly at massive scale while addressing urgent security shortcomings. The retailer needs this capability to retain some measure of control over third-party software it is otherwise unable to change.

The story:

Shortly before Christmas, social media lit up with indignation when a user posted that the retailer was storing passwords in clear text. This was immediately identified as a major reputational risk and gained the attention of the CEO. An urgent fix was required, but the third-party provider was unable to provide a timeline for a fix and also enacted a software freeze over the holidays.

At the core of the problem was a password recovery option, which would simply send back the original password in an email.

Using CAP, a plan was quickly hatched to resolve the issue:

When a user logs into the system, CAP takes control of the login process and generates a SHA hash of the password. CAP makes a first login attempt using a subset of that hash (8 specific characters). If that attempt fails, it makes a second attempt with the password the user actually keyed.

Should the user’s original keyed password work, CAP performs an automatic, behind-the-scenes password change to the hashed version.

At this stage, the user’s original password is now fully protected.

If the user initiates a password recovery process, the stored hash will now be returned as the password. The user can use this stored hash, but again will automatically have a password change triggered on first login.
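The login flow described above, modelled end to end as an added example (this is not CAP code and not the retailer's or the provider's code). The third-party application is represented by a constructed in-memory backend that stores passwords in clear text and returns them verbatim on recovery, which is the exposure the story describes. Assumptions not stated on the page: the hash is SHA-256 and the "8 specific characters" are the first 8 hex characters of its digest; the account name and password are constructed sample values.

```python
import hashlib
import hmac


def derive_password(keyed: str) -> str:
    """Map the keyed password to the 8-character subset of its SHA hash.

    Assumption (not specified on the page): SHA-256 hex digest, first 8 chars.
    """
    return hashlib.sha256(keyed.encode("utf-8")).hexdigest()[:8]


class ClearTextBackend:
    """Constructed stand-in for the third-party e-commerce application.

    It keeps passwords in clear text and hands the stored value back on
    password recovery, exactly the behaviour the story complains about.
    """

    def __init__(self, accounts):
        self.accounts = dict(accounts)
        self.change_log = []  # (user, new_password) for every change made via the proxy

    def login(self, user: str, password: str) -> bool:
        stored = self.accounts.get(user)
        if stored is None:
            return False
        # constant-time comparison on bytes so non-ASCII passwords are accepted too
        return hmac.compare_digest(stored.encode("utf-8"), password.encode("utf-8"))

    def change_password(self, user: str, old: str, new: str) -> bool:
        if not self.login(user, old):
            return False
        self.accounts[user] = new
        self.change_log.append((user, new))
        return True

    def recover_password(self, user: str) -> str:
        # what the recovery e-mail would contain: the stored value, verbatim
        return self.accounts[user]


def cap_login(backend: ClearTextBackend, user: str, keyed: str) -> str:
    """The inline login step: hashed attempt first, keyed attempt second.

    Returns "hashed" when the account is already migrated, "migrated" when the
    keyed password worked and the account was switched to the derived value,
    and "failed" when neither attempt succeeds.
    """
    derived = derive_password(keyed)
    if backend.login(user, derived):
        return "hashed"
    if backend.login(user, keyed):
        # first successful login with the original password: rotate it away
        backend.change_password(user, keyed, derived)
        return "migrated"
    return "failed"


def walk_through():
    """Replay the story on a constructed account and return each outcome."""
    backend = ClearTextBackend({"alice": "winter2023"})  # constructed sample
    outcomes = []
    outcomes.append(cap_login(backend, "alice", "winter2023"))  # migrated
    outcomes.append(cap_login(backend, "alice", "winter2023"))  # hashed
    outcomes.append(cap_login(backend, "alice", "wrong-guess"))  # failed
    # Recovery now returns the derived value, not the original password.
    recovered = backend.recover_password("alice")
    # Logging in with the recovered value triggers another rotation.
    outcomes.append(cap_login(backend, "alice", recovered))  # migrated
    return backend, outcomes


if __name__ == "__main__":
    backend, outcomes = walk_through()
    print(outcomes)
    print("stored now:", backend.accounts["alice"])
```

Two properties of the design are visible in the run: the original keyed password never remains at the provider after the user's next login, and the recovery e-mail returns a value that is itself rotated on first use. A practitioner should also keep in mind that 8 hex characters carry 32 bits, so the derived value shields the user's original password (which may be reused elsewhere) rather than acting as a strong credential on its own, which is consistent with the page presenting this as an interim measure pending the provider's own fix.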

The limitations:

This approach involves a gradual change of passwords for all active users. Changing the remaining non-active passwords still required intervention from the third-party provider.

Business benefits:

This change was implemented with CAP, tested and deployed live in less than two days, restoring calm on social media and even applause for the responsiveness of the retailer. This turned a major reputational risk into a social media success.

Rules blocks used:

SHA Hash

Http Invocation
