| Functionality | Typical Banking | Blacksands SCaaS |
|---|---|---|
| Network Access | Exposed. Online banking applications operate in the "trust but verify" paradigm: they accept connections from the entire world and attempt to filter out bad entities, performing authentication and authorization on their own network. | Invisible. SCaaS uses dynamic point-to-point encrypted connections and inverts "trust but verify": it externally authenticates, authorizes and routes connections, identifying users and devices before any connection to the customer is made, and only then establishing a point-to-point encrypted connection. |
| Authentication | Singular. Server-to-client authentication: the server presents a certificate to verify its identity, while identification of the client is left to the application layer (a typical secure website). | Mutual TLS authentication: both the client and the server present certificates to securely identify themselves before a secure connection is negotiated. |
| 2FA | Ad hoc solutions. Online banking implements an ad hoc solution such as reCAPTCHA or text-message verification. This requires integration and is a significant point of customer friction, since it adds cumbersome steps. | 2FA is built into the SCaaS solution and requires no integration. Because the certificate counts as "something you have" and lives locally in the OS, it causes far less customer friction. The password is the second factor. |
| Authorization | Ad hoc. Integration with a solution such as Active Directory is required to provide user access roles. | SCaaS can, but does not require, integration with a solution such as Active Directory. Using its own LDAP and SSO, SCaaS integrates easily with application authorization. |
| Encryption | SSL / TLS | TLS is superior to SSL. SCaaS uses the highest available industry-standard EC ciphers. |
| Device Identification | Secondary checks, using mechanisms such as cookies or browser/device fingerprinting. These are temporary and significantly flawed reactive approaches. | The SCaaS certificate is installed in the OS certificate manager, which is separate from the browser and highly protected by the OS. This unique certificate identifies both the device and the user. |
| Reporting | Online banking has limited visibility into who, what, when and where, because it cannot see beyond the application layer of the OSI model. Banks hire forensics experts to try to gain greater visibility into their networks, but this is a very slow (months) and imprecise process. | SCaaS provides near real-time, granular knowledge and control of each connection: who is connected, what services are connected, when the connections occur, and where each connection originates. |
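The Authentication row contrasts server-only TLS with mutual TLS. The Go program below is an added example; it is not Blacksands code and does not describe how SCaaS is implemented. It builds a throwaway CA, a server certificate and a client certificate in memory, then runs three loopback handshakes: server-only TLS (the server learns nothing about the client), mutual TLS against a client with no certificate (the server refuses it), and mutual TLS against a CA-issued client certificate (the server sees the certificate subject). The CA name, the hostname `bank.example` and the client name `alice-laptop` are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newCert issues a short-lived P-256 certificate. With isCA set it is self-signed;
// otherwise it is signed by parent/parentKey. Names are constructed for the demo.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key // self-signed root
	} else {
		tmpl.DNSNames = []string{cn} // lets the client verify the server's hostname
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// handshake runs one TLS handshake over loopback and reports the client identity
// the server ended up with (empty when no client certificate was presented).
func handshake(serverCfg, clientCfg *tls.Config) (string, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer ln.Close()
	type result struct {
		cn  string
		err error
	}
	done := make(chan result, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			done <- result{err: err}
			return
		}
		defer raw.Close()
		srv := tls.Server(raw, serverCfg)
		if err := srv.Handshake(); err != nil {
			done <- result{err: err} // e.g. the client did not present a certificate
			return
		}
		cn := ""
		if peers := srv.ConnectionState().PeerCertificates; len(peers) > 0 {
			cn = peers[0].Subject.CommonName // already chain-validated against ClientCAs
		}
		done <- result{cn: cn}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	r := <-done // the server's verdict is what matters for access control
	return r.cn, r.err
}

// Outcome records what the server learned about the client in each scenario.
type Outcome struct {
	ServerOnlyPeer  string // identity seen under server-only TLS (none: left to the app layer)
	MutualNoCertErr bool   // true if mTLS refused a client that presented no certificate
	MutualPeer      string // identity seen under mTLS with a CA-issued client certificate
}

func Run() (Outcome, error) {
	var out Outcome
	caCert, caKey, err := newCert("Example Bank Root CA", true, nil, nil)
	if err != nil {
		return out, err
	}
	srvCert, srvKey, err := newCert("bank.example", false, caCert, caKey)
	if err != nil {
		return out, err
	}
	cliCert, cliKey, err := newCert("alice-laptop", false, caCert, caKey)
	if err != nil {
		return out, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	serverID := tls.Certificate{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}
	clientID := tls.Certificate{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey}
	// Server-only TLS: the server proves who it is; the client proves nothing.
	serverOnly := &tls.Config{Certificates: []tls.Certificate{serverID}, MinVersion: tls.VersionTLS12}
	// Mutual TLS: the server also demands a client certificate chaining to its CA.
	mutual := &tls.Config{Certificates: []tls.Certificate{serverID}, ClientCAs: pool,
		ClientAuth: tls.RequireAndVerifyClientCert, MinVersion: tls.VersionTLS12}
	anon := &tls.Config{RootCAs: pool, ServerName: "bank.example", MinVersion: tls.VersionTLS12}
	withCert := &tls.Config{RootCAs: pool, ServerName: "bank.example",
		Certificates: []tls.Certificate{clientID}, MinVersion: tls.VersionTLS12}
	if out.ServerOnlyPeer, err = handshake(serverOnly, anon); err != nil {
		return out, err
	}
	_, err = handshake(mutual, anon)
	out.MutualNoCertErr = err != nil
	if out.MutualPeer, err = handshake(mutual, withCert); err != nil {
		return out, err
	}
	return out, nil
}

func main() {
	out, err := Run()
	if err != nil {
		panic(err)
	}
	fmt.Printf("server-only TLS saw client %q; mTLS rejected anonymous client: %v; mTLS saw %q\n",
		out.ServerOnlyPeer, out.MutualNoCertErr, out.MutualPeer)
}
```

The point the table makes about "who is connected" shows up in `PeerCertificates`: under server-only TLS that list is empty and the application layer has to establish the user's identity itself, whereas with `RequireAndVerifyClientCert` the server only reaches the application with a certificate that already chained to `ClientCAs`, so the subject it reads is an authenticated identity rather than a self-reported one.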