Startup Bitkoo is releasing as a commercial product an identity-management technology that was developed and deployed by The Walt Disney Co. and that, Bitkoo says, provides cutting-edge authentication/authorization and auditing/compliance capabilities.
Bitkoo, however, isn’t just taking over commercial development of the technology that Disney calls Keystone. The startup’s founder invented Keystone before leaving Disney.
Doron Grinstein, CEO of Bitkoo, brainstormed the idea and wrote the software for Keystone, which Disney has been using for nearly three years to protect access to many of its critical applications, such as the central reservation system at Walt Disney World in Orlando.
The Burton Group analyst firm last year called Keystone “cutting edge” and featured a Disney presentation on Keystone at its annual Catalyst conference. The firm said Keystone’s ability to move authorization responsibilities away from applications “is one of the goals we have had as an industry for a number of years.”
Now the application, which handles nearly 10 million authorization requests per year at Disney, is available to the public.
Keystone provides a centralized engine that eliminates the need for authorization mechanisms to be built into applications. Applications and Web services written with tools such as Java, .Net, Delphi and COM need only a single line of code to turn their authorization duties over to Keystone.
Keystone’s access controls can be dialed down not only to secure individual applications but also to secure access to specific buttons, text boxes and functions within an application, as well as variables such as what times, from what IP address and under what conditions a user can access an application. In addition, auditing capabilities help organizations manage compliance requirements.
Disney, which is known for the quality of its homegrown technology, said late last year it was looking for someone to take Keystone commercial.
“I went to Disney and said the best place for Keystone is with its creator,” said Grinstein.
That vision includes adding to Keystone 3.0, a new technology he has filed a patent for called “authlets.”
The authlet is a digitally signed piece of authorization data that can be as simple as where the user is located.
The authlets support what Grinstein calls federated authorization, a scenario where authlet information is temporarily stored on a client application or on a Web server via a Keystone client that runs on Apache or Microsoft’s Internet Information Server.
The client temporarily holds the authlets, and when their data is needed to confirm access rights to an application or to parts of that application, the authlet serves it up without the client having to traverse the network.
“This is much faster than going back to the network to see if something is allowed or disallowed,” says Grinstein.
The Keystone server generates an identity assertion, a series of authlets each containing one aspect of the user’s total access information. Keystone digitally signs each authlet and passes the entire assertion to the Keystone client agent.
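The signed-authlet flow just described, together with the contextual controls mentioned earlier (time of day, source IP address, access to individual buttons within an application), can be modelled in a few dozen lines. The Python below is an added illustration written for this article, not Bitkoo or Keystone code: the field names, the HMAC-based signature, the eight-hour lifetime and the sample permissions are all assumptions. It shows a server issuing an assertion as a list of individually signed authlets, and a client agent that verifies each signature, discards expired or tampered entries, and then answers authorization questions from its cache without a network round trip.

```python
import hashlib
import hmac
import ipaddress
import json
import time

# Constructed demo key (assumption). With an HMAC, anyone holding the key can
# also mint authlets, so a real design would sign with a private key on the
# server and verify with the matching public key on the client.
SERVER_KEY = b"constructed-demo-signing-key"
AUTHLET_TTL = 8 * 3600  # constructed lifetime: one working shift


def sign(payload: dict, key: bytes = SERVER_KEY) -> str:
    # Canonical JSON so the signature covers exactly one byte form of the payload.
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def issue_authlet(user: str, aspect: str, value, now: int, key: bytes = SERVER_KEY) -> dict:
    """One signed authlet: a single aspect of the user's access information."""
    payload = {"user": user, "aspect": aspect, "value": value,
               "iat": now, "exp": now + AUTHLET_TTL}
    return {"payload": payload, "sig": sign(payload, key)}


def issue_assertion(user: str, now: int, key: bytes = SERVER_KEY) -> list:
    """Server side: an identity assertion is a series of authlets (constructed values)."""
    return [
        issue_authlet(user, "permissions",
                      ["reservations:view", "reservations:refund_button"], now, key),
        issue_authlet(user, "hours", {"start": 6, "end": 20}, now, key),  # UTC hours
        issue_authlet(user, "networks", ["10.0.0.0/8"], now, key),
    ]


class ClientAgent:
    """Client-side agent: verifies and caches authlets, then decides locally."""

    def __init__(self, key: bytes = SERVER_KEY):
        self.key = key
        self.cache = {}  # (user, aspect) -> (value, exp)

    def load(self, assertion: list, now: int) -> int:
        """Cache only authlets that verify and are unexpired; return how many."""
        accepted = 0
        for authlet in assertion:
            payload, sig = authlet["payload"], authlet["sig"]
            if not hmac.compare_digest(sign(payload, self.key), sig):
                continue  # tampered or forged: never cache it
            if payload["exp"] <= now:
                continue  # stale data must not grant access
            self.cache[(payload["user"], payload["aspect"])] = (payload["value"], payload["exp"])
            accepted += 1
        return accepted

    def _aspect(self, user: str, aspect: str, now: int):
        entry = self.cache.get((user, aspect))
        if entry is None or entry[1] <= now:
            return None  # missing, or expired since it was cached
        return entry[0]

    def is_allowed(self, user: str, permission: str, now: int, client_ip: str) -> bool:
        """Local decision from cached authlets; no call back to the server."""
        perms = self._aspect(user, "permissions", now)
        hours = self._aspect(user, "hours", now)
        nets = self._aspect(user, "networks", now)
        if perms is None or hours is None or nets is None:
            return False  # fail closed when any aspect is missing
        if permission not in perms:
            return False
        if not hours["start"] <= time.gmtime(now).tm_hour < hours["end"]:
            return False
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(net) for net in nets)


NOW = 1_699_971_200  # constructed timestamp: 2023-11-14 14:13:20 UTC


def demo() -> dict:
    """Run the flow end to end and return each decision for inspection."""
    agent = ClientAgent()
    results = {"accepted": agent.load(issue_assertion("alice", NOW), NOW)}
    results["refund_in_office"] = agent.is_allowed(
        "alice", "reservations:refund_button", NOW, "10.1.2.3")
    results["missing_permission"] = agent.is_allowed(
        "alice", "reservations:delete", NOW, "10.1.2.3")
    results["outside_network"] = agent.is_allowed(
        "alice", "reservations:view", NOW, "203.0.113.5")
    results["after_hours"] = agent.is_allowed(
        "alice", "reservations:view", NOW + 7 * 3600, "10.1.2.3")  # 21:13 UTC
    # A client that edits a cached authlet gains nothing: the signature no
    # longer matches, the authlet is dropped, and the agent fails closed.
    tampered = issue_assertion("mallory", NOW)
    tampered[0]["payload"]["value"].append("reservations:delete")
    other = ClientAgent()
    results["tampered_accepted"] = other.load(tampered, NOW)
    results["tampered_delete"] = other.is_allowed(
        "mallory", "reservations:delete", NOW, "10.1.2.3")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The shared HMAC secret keeps the example self-contained; because anyone holding that key could also mint authlets, a deployed design would sign with a private key the client never sees and verify with the public key. The agent fails closed whenever any aspect is missing or expired, which is what makes silently dropping a tampered authlet safe rather than merely cosmetic.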
Keystone passes authentication duties, which validate the user’s identity, through its gateway to existing back-end systems, including Active Directory, LDAP-based directories and CA’s SiteMinder Web access management platform.
A centralized console provides a graphical interface for setting and administering user-access policies, and the database logs every authentication and authorization for future auditing and reporting chores. Besides authorization and authentication services, Keystone has other modules, including reporting, provisioning, administration, audit logging and audit reporting.
Keystone is available as an appliance, a virtual machine guest installation, shrink-wrapped software for Windows Server 2003 and a hosted service.