NEXUS The RSA Security Identity Management System



A Technical Vision for Identity and Access Management
WHITE PAPER

The RSA Security Identity Management System, code name NEXUS, is a unified approach by which RSA Security's industry-leading authentication and authorization technologies can be easily implemented and commonly managed. NEXUS encompasses every consideration that must be addressed in a comprehensive enterprise identity and access management solution. Building around the core existing RSA Security identity and access management technologies that are currently in use around the globe, we have identified and mapped a development path to deliver an integrated identity and access management solution.

This white paper is for informational purposes only. RSA Security makes no warranties, expressed or implied, in this document. The information contained in this white paper represents the current view of RSA Security's future plans for this technology. It is possible that those plans could change due to changing market conditions including, among other

TABLE OF CONTENTS

I. EXECUTIVE SUMMARY
II. INTRODUCTION: IDENTITY AND ACCESS MANAGEMENT OVERVIEW
III. BUSINESS REQUIREMENTS
IV. THE VISION
  A. Identity Authority Services
    1. Authentication Methods
    2. Authentication Policies
    3. Credential Management
    4. Authentication and Attribute Assertions
    5. Session Management
  B. Access Authority Services
    1. Authorization Methods
    2. Authorization Assertions
    3. Single Sign-on (SSO)
  C. User Management Services
    1. Centralized User Management
    2. Delegated Administration
    3. Self-service
    4. Workflow
    5. Provisioning
  D. Network & Application Integration Services
    1. Developer Toolkits
    2. Application Programming Interfaces (APIs)
    3. Data Abstraction Layer (DAL)
    4. Web Agents
    5. Non-Web Agents
    6. Web Services
    7. Microsoft .NET
    8. Partner Product Interoperability
  E. Identity Management System Services
    1. Availability, Performance and Scalability
    2. NEXUS Component Security
    3. Operating System Security
    4. Central Configuration
    5. System Monitoring
    6. Logging & Auditing
    7. Reporting
V. CONCLUSION: THE WAY AHEAD
ABOUT RSA SECURITY
APPENDIX: GLOSSARY

I. EXECUTIVE SUMMARY

A significant change in the need for and deployment of e-security technologies in complex enterprise environments is taking place. This new concept, which combines point solutions for authentication and authorization within a single system that enables centralized user management, has been termed identity and access management. As a leading provider of authentication and authorization tools and technologies, RSA Security is uniquely positioned to develop the vision for such a comprehensive system and to make it real. The purpose of this white paper, then, is to describe in some technical detail NEXUS, the RSA Security Identity Management System.

NEXUS encompasses five distinct components: a shared user management system, an identity authority (providing authentication services), an access authority (providing authorization services), network and application integration capabilities, and a common server framework that seamlessly connects the various operations and components of the system as a unified whole.

In summary, NEXUS is a powerful and comprehensive solution for organizations requiring the strongest protection possible for their network resources and confidential business information. The system ensures that users are who they claim to be and that they have efficient access only to those resources for which they have permission. At the same time, NEXUS simplifies administration, contributing to lower cost of ownership, increased revenue from online business and greater control over an organization's e-security capabilities, all the while remaining, where necessary, within compliance.

II. INTRODUCTION: IDENTITY AND ACCESS MANAGEMENT OVERVIEW

Managing digital identities is about intelligently using those identities to achieve business goals such as increasing revenue, improving customer satisfaction and reducing costs. In conducting business online, an organization can only use identities that are trusted. An effective identity and access management solution establishes trust in an organization's online environment. Who users are (authentication) and what users can do (authorization) are tightly coupled and rooted in the ability to manage the full life cycle of a digital identity (user management), from creation and maintenance to termination, as well as to enforce organizational access policies. These components are critical to the success of an organization's identity and access management solution.

Identity and access management will play an extremely critical role in the advancement of e-business as a primary mode of operation. As a result, this technology will transform the way that organizations deploy security. This transformation to identity and access management could revolutionize e-business, allowing organizations to use digital identities to contribute real value to their business.

[Figure: An Overview of Identity & Access Management. Components shown: Network and Application Integration, Authentication, Web Access Management, Provisioning, User Management, Data Storage.]

[Figure: Today's e-business environment (Enterprise A, Enterprise B). Today's identity infrastructure can be difficult to manage for both administrators and users.]

III. BUSINESS REQUIREMENTS

NEXUS is designed to address the following business requirements:

- Cost-effectively manage identities and access rights for a growing number of applications and users
- Seamlessly connect users and applications across business boundaries
- Establish and maintain trust in user identities and perform cost-effective credential life cycle management
- Flexibly define and enforce security policies for varying business requirements, with a single infrastructure to manage them
- Extend the infrastructure beyond users to support web services authentication and authorization requirements

While NEXUS is currently in development, many of its components are in use today and development paths have been mapped for the remainder. In fact, RSA Security today offers a range of industry-leading e-security solutions that are uniquely managed and provide a high degree of interoperability. The vision behind NEXUS, therefore, is a logical and necessary next step in the evolution of these powerful solutions. Having created this award-winning family of solutions, RSA Security is uniquely qualified to develop the integrated framework that offers enterprises unparalleled security and usability.

[Figure: Tomorrow's e-business environment. The identity and access management infrastructure of the future makes it easier to manage identities while simplifying sign-on for users. Elements shown: Application Platform (J2EE), Remote Access VPN.]

Mindful of these factors, we also established a set of guiding principles for the development of this system, including:

- Ensuring interoperability with both J2EE and Microsoft .NET environments
- Providing simple and flexible user and policy management
- Developing a common infrastructure for securing users, applications and transactions

RSA Security has leading discrete e-security solutions today, and the unparalleled experience and expertise needed to combine them tomorrow, providing our customers with a migration path to address critical security needs as they emerge over time.

IV. THE VISION

The components of NEXUS, as they are presented in this white paper, are as follows:

a. Identity authority services
b. Access authority services
c. User management services
d. Network and application integration services
e. NEXUS system services

A. Identity Authority Services

The ability to establish trust in identities begins with authentication. With nearly 20 years' experience in the authentication of people, devices and transactions, RSA Security is positioned as the acknowledged leader in the authentication market. NEXUS is designed to provide a centralized authentication service that offers simplified enrollment and credential management throughout the enterprise. The system supports a range of authentication methods and enables enterprises to provide centralized life cycle management of those credentials over time.

Authentication Methods

Every company has a need to manage multiple authentication methods, based either on the nature of the applications being protected, or on the diversity of the user base and the varied permissions that must be assigned. The NEXUS authentication service provides a standard interface to an extensible set of authentication methods, including RSA SecurID authenticators and smart cards, passwords, RSA Mobile access codes and RSA Keon (X.509) digital certificates.
In addition, the system will support other non-RSA Security authentication alternatives, such as Microsoft Passport, Kerberos and biometrics. NEXUS authenticates some of these methods natively, while others are proxied to an external authentication engine or service.

RSA SecurID software is a leading solution for two-factor authentication and an integral component of NEXUS. RSA SecurID software is used with authenticators ("tokens") and an authentication server, which is the management component of the RSA SecurID solution. Used to verify authentication requests and centrally administer authentication policies for enterprise networks, the authentication server is built upon an enterprise-class, multiprocessor architecture, capable of handling millions of users per server and up to thousands of simultaneous authentications.

NEXUS also provides administrators with extensive configuration options for password management. These include setting minimum and maximum password lengths, requiring the use of at least one non-alphabetic character, the ability to exclude certain characters from passwords as well as certain common passwords, and defining the lifetime of a password. The system also maintains a history of the last n (an administrator-defined number) passwords for each user to prevent password reuse.

In addition, NEXUS generates and stores cryptographic key material. A common mechanism is provided to generate the random numbers from which public/private key pairs are derived. The system also creates and manages two required symmetric keys: the encryption key used to encrypt sensitive data stored in a repository, and the context-signing key used to cryptographically protect the authentication assertions generated by the system.
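The password controls listed above amount to a small policy that the authentication service applies whenever a user sets a new password. The following Python is an added illustration, not RSA Security code: it checks a candidate password against each of those controls (length bounds, the non-alphabetic requirement, excluded characters, a common-password list, the lifetime, and reuse against the last n stored passwords). The policy values, the salted PBKDF2 hashing of the history and the sample passwords are assumptions chosen for the example; the paper does not say how NEXUS stores password history.

```python
"""Password policy check of the kind the paper describes. Added example, not
RSA Security code; policy values, hashing scheme and sample passwords are
assumptions made for illustration."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8
    max_length: int = 64
    require_non_alpha: bool = True          # at least one non-alphabetic character
    excluded_chars: str = " \t"             # characters an administrator has banned
    common_passwords: frozenset = frozenset({"password", "letmein", "123456", "qwerty"})
    lifetime_days: int = 90                 # password must be changed after this
    history_depth: int = 5                  # the administrator-defined "last n"


@dataclass(frozen=True)
class PasswordRecord:
    """One entry of a user's password history: salted hash plus the time it was set."""
    salt: bytes
    digest: bytes
    set_at: datetime


def _digest(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 stands in for whatever the repository actually uses; the
    # iteration count is kept low only so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 20_000)


def record_password(password: str, now: datetime,
                    salt: Optional[bytes] = None) -> PasswordRecord:
    """Hash a newly accepted password for storage in the history."""
    salt = salt if salt is not None else os.urandom(16)
    return PasswordRecord(salt, _digest(password, salt), now)


def check_new_password(policy: PasswordPolicy, candidate: str,
                       history: List[PasswordRecord]) -> List[str]:
    """Return every policy violation for `candidate`; an empty list means it is
    acceptable. `history` is ordered oldest to newest."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append("too short")
    if len(candidate) > policy.max_length:
        problems.append("too long")
    if policy.require_non_alpha and candidate.isalpha():
        problems.append("needs a non-alphabetic character")
    if any(c in policy.excluded_chars for c in candidate):
        problems.append("contains an excluded character")
    if candidate.lower() in policy.common_passwords:
        problems.append("common password")
    # Reuse check against the last n records only; each comparison is constant-time.
    for rec in history[-policy.history_depth:]:
        if hmac.compare_digest(_digest(candidate, rec.salt), rec.digest):
            problems.append(f"reused within last {policy.history_depth} passwords")
            break
    return problems


def is_expired(policy: PasswordPolicy, history: List[PasswordRecord],
               now: datetime) -> bool:
    """True when the current (newest) password has outlived the configured
    lifetime, or when the user has no password at all."""
    if not history:
        return True
    return now - history[-1].set_at > timedelta(days=policy.lifetime_days)
```

Keeping the reuse check on hashes rather than plaintext matters: the history is a list of past secrets, and a breach of the repository must not hand an attacker five previous passwords for every user.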
Such broad support for leading trusted authentication methods can reduce administrative, management and deployment costs by making it easier for enterprises to deploy the multiple authentication credentials that best serve the diverse needs of different users accessing a wide variety of applications and resources in large organizations.

Authentication Policies

Authentication policies describe the requirements placed on a user when authenticating. A policy may be associated with a user, resource, system or any other object where authentication requirements are managed. When a user logs on to a resource, that resource sends an authentication request to an authentication broker on the back end. The broker has access to policy data and user records. Acting essentially as a traffic cop, the authentication broker checks the policy data and sends the logon data either to the back end or to a proxied authentication system, where its validity is checked. Responses are sent back to the application, which either allows the user to proceed or denies the user access.

Method Chaining. Some resources might require more than one authentication method to be successfully employed in order to gain access. This is known as method chaining. Administrators can select which and how many authentication methods are required for a particular resource. When a user attempts to log on, the application processes each method individually and then requests the authentication service to validate the next method in the chain. Furthermore, an administrator could specify that either of two different authentication credentials is acceptable; this is particularly useful when an organization migrates its users from passwords to a stronger form of authentication.

Graded Authentication. In a situation where a resource requires a chain of authentication methods to be successfully employed in order to gain access, it can be useful to assign a relative strength to each method. For example, a digital certificate stored on a smart card may be graded the most secure method, a password the least secure, and an RSA SecurID token might be somewhere in between. Furthermore, different methods can be graded identically. Administrators are able to assign and alter the relative strength of all authentication methods used within the system. The benefit of this capability is that if a user does not have a particular credential (either because it has not yet been provisioned or because in most instances the user would not need it), he or she could substitute a credential with the same grade and still gain access.

Credential Management

Credential is a generic term for any authenticator that establishes identity for controlling access to protected resources and applications, such as a token, digital certificate or password.
Credential management includes control over the full life cycle of credentials (creating, maintaining and terminating), provisioning the credentials to users (typically, each authentication method has its own form of credential provisioning) and verification, whereby the system is always checking to ensure that the right user is using the right credential and that the credential is still valid.

NEXUS provides a centralized framework for assigning and provisioning the credentials that control access to enterprise applications and resources. Rather than creating and issuing individual credentials for each resource, the system supports the ability to use a single credential for all RSA Security and third-party applications on the enterprise network. Therefore, when an employee leaves and his or her credential needs to be revoked, it can be done with a single operation rather than having to delete separate credentials for each resource to which he or she had access.

For a digital certificate, NEXUS performs real-time checks to ensure that the certificate presented to the system in fact belongs to the person who presented it, and that it has not expired or been revoked. Administrators can renew an expired certificate through the same common user interface from which all credential management functions are managed. Credential verification also covers other credentials, such as passwords and RSA SecurID token codes, which must be authenticated before the user is validated.

Authentication and Attribute Assertions

An assertion is a declaration of fact. In NEXUS, web services-based assertions are used as real-time, session-limited credentials that provide federated identity to users as they traverse internal and external web-based resources.
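Method chaining and graded authentication, described under Authentication Policies above, together with the rule just stated that each presented credential must itself verify, can be modelled in a few lines. The Python below is an added example, not RSA Security code. The method names, the grade values, the choice that a substitute must be graded at least as strong as the strongest listed alternative, and the rule that a credential is consumed by at most one link of the chain are assumptions made for the illustration; the paper only says that credentials of the same grade are interchangeable. Per-method verification (native or proxied) is abstracted to a verified/not-verified flag per credential.

```python
"""Method chaining with graded authentication. Added example, not RSA Security
code; the grades, method names and substitution rule are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Relative strength an administrator assigns to each method; higher is stronger.
# Methods with the same grade are interchangeable. Values are assumptions.
GRADES: Dict[str, int] = {
    "password": 1,
    "rsa_mobile_code": 2,
    "securid_token": 2,
    "smartcard_cert": 3,
}


@dataclass(frozen=True)
class Step:
    """One link in a method chain. Any listed alternative satisfies the step
    (the "either of two credentials" migration case). With substitution allowed,
    a credential graded at least as strong as the strongest listed alternative
    satisfies it as well (assumed generalisation of "same grade")."""
    methods: Tuple[str, ...]
    allow_substitute: bool = True

    def required_grade(self, grades: Dict[str, int]) -> int:
        return max(grades[m] for m in self.methods)

    def accepts(self, method: str, grades: Dict[str, int]) -> bool:
        if method in self.methods:
            return True
        return self.allow_substitute and grades[method] >= self.required_grade(grades)


def run_login(chain: List[Step], credentials: Dict[str, bool],
              grades: Dict[str, int] = GRADES) -> Tuple[bool, List[str], Optional[Step]]:
    """Walk the chain one link at a time, as the broker does, consuming each
    credential at most once. `credentials` maps method -> whether that method's
    own check (native or proxied) succeeded. Returns (granted, methods_used,
    first_unsatisfied_step)."""
    remaining = dict(credentials)
    used: List[str] = []
    for step in chain:
        # Prefer a listed alternative; fall back to a same-or-higher grade
        # substitute only when the user presented none of the listed methods.
        # A listed method that failed its own check is not bypassed by a substitute.
        candidates = [m for m in remaining if m in step.methods] or \
                     [m for m in remaining if step.accepts(m, grades)]
        # Spend the weakest acceptable credential so stronger ones stay available
        # for later links in the chain.
        candidates.sort(key=lambda m: grades[m])
        chosen = next((m for m in candidates if remaining[m]), None)
        if chosen is None:
            return False, used, step
        used.append(chosen)
        del remaining[chosen]
    return True, used, None
```

The consume-once rule is the security-relevant detail: without it a single strong credential would silently satisfy every link of a chain, turning a two-factor requirement back into one factor.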
The OASIS standards body defines three kinds of security assertions that can be passed between applications: authentication (who a user is), authorization (what a user can do) and attribute (including role, user group and other identity profile values). When a user authenticates at an application or URI and then tries to log on to a subsequent application or URI, that resource requests proof of authentication. That proof is an assertion. NEXUS uses industry-standard SAML (Security Assertion Markup Language) assertions. A SAML assertion is a message that confirms the user's original successful authentication. With native SAML support and RSA Security's leadership role in developing the Liberty Alliance standard for federated identity, NEXUS possesses exceptional capabilities for providing secure access to trusted identities across a broad range of internal and external resources.

Session Management

A session represents the period of time from a successful user authentication until logout from a web-based resource. A user may access any number of applications or URIs during that time, yet it still counts as a single session. Administrators may choose to set policies around sessions to ensure security and optimize network bandwidth. For example, a session could have a maximum lifetime, say five hours, at the conclusion of which the session would be automatically terminated (although the system could prompt the user to re-authenticate within a certain short window of time in order to extend the session and maintain productivity). Administrators can also set a maximum number of concurrent sessions per user, as well as a maximum period of inactivity before the session is terminated.

NEXUS supports the ability to specify which user properties/attributes should be published to the HTTP headers upon successful authentication. This functionality is available on a per-application or per-resource basis and extends the existing user property functionality by increasing the granularity of when and where user property information is published. This provides enterprises with ease of integration and customization within their environments. By passing the specific properties in the headers, applications can use the information for easier integration and to deliver additional personalization capabilities. The data can also be segregated so that, for example, one application receives a user's Social Security Number while another application receives only his or her job title. An application that consumes these headers should accept them only from the web agent and discard any copy that arrives directly from the client; otherwise a user could supply a job title or identifier of his or her own choosing.

B. Access Authority Services

By defining and enforcing online access policies that map to an enterprise's business policies, access management technology can extend an organization's reach while offering the protection required whenever information is made available on, or transmitted over, the public Internet. RSA Security's web access management solution, RSA ClearTrust technology, is an integral part of NEXUS. With RSA ClearTrust software driving the authorization component of the framework, this solution is able to provide varied levels of authorization, from yes/no access to a URI, file or application all the way down to fine-grained authorization of J2EE resources.

Authorization Methods

The NEXUS solution offers three distinct methods of delivering authorization services, which define and manage the permissions granted to specific users seeking to access web and non-web resources from both internal and external systems. These methods are known as entitlements, Smart Rules (of which there are two kinds: conditional and transactional) and role-based access control (RBAC).

Entitlements. Basic entitlements explicitly allow or deny access to a specific resource. Entitlements can be assigned to individual users or to groups of users. They are fixed, meaning that a given user either does or does not have permission to access a resource under any condition.
For users granted basic entitlements, the system can respond with only two values: allow (the user is authorized) or deny (the user is not authorized).

Conditional Smart Rules. More complex than entitlements, conditional Smart Rules work by defining a user attribute (such as location, role or account balance) and an accompanying value (such as Boston, VP status or higher, or account balance greater than $1,000) and attaching them to a resource or application. For example, a customer with an account balance of $100,000 will be granted access to a Silver Member section of a web site, whereas a customer with an account balance of $10,000 will be denied access to this section. In a situation where both entitlements and Smart Rules are employed, entitlements always take precedence. The system supports three types of conditional Smart Rules, Deny, Allow and Require, and processes them in that order. Require means that multiple conditions apply; once one is satisfied, the system automatically checks the next one in the series. For example, a URI could be associated with these two Smart Rules: Allow if State=CA, Deny if Age<21. By default, the system denies access when policy conflicts occur. Therefore, an 18-year-old user from California will be denied access because of his or her age, and the system will not evaluate the State property because Deny is processed before Allow. On the other hand, a 22-year-old from Oregon will pass the Deny rule, but the system then evaluates the remaining rule before deciding whether or not to grant access. Because the next property, Oregon, does not meet the Allow condition, and the system is set to deny access when policy conflicts occur, access is denied.
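The precedence and ordering just described (entitlements first, then Deny, Allow and Require Smart Rules, with denial whenever nothing resolves) and the transactional form described in the next paragraph (a rule whose comparison value is taken from the request or the user record rather than written as a literal) can be put into one small decision function. The Python below is an added example, not RSA ClearTrust or NEXUS code. The attribute names, the Ref marker used for transactional values, the handling of conflicting group entitlements (deny wins) and the rule that a resource with no Allow or Require rule is denied are assumptions made for the illustration; the paper states the default-deny stance but not these details.

```python
"""Entitlement and Smart Rule evaluation in the order the paper describes.
Added example, not RSA ClearTrust or NEXUS code; attribute names, the Ref
marker and the conflict handling are assumptions."""
import operator
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional, Tuple

OPS = {"=": operator.eq, "!=": operator.ne, "<": operator.lt,
       "<=": operator.le, ">": operator.gt, ">=": operator.ge}


@dataclass(frozen=True)
class Ref:
    """Transactional value: compare against another attribute of the context
    (user record, request parameters, ...) instead of a literal."""
    attribute: str


@dataclass(frozen=True)
class SmartRule:
    kind: str         # "Deny", "Allow" or "Require"
    attribute: str
    op: str
    value: Any        # literal, or Ref(...) for a transactional rule

    def matches(self, ctx: Dict[str, Any]) -> bool:
        if self.attribute not in ctx:
            return False                      # an unknown attribute never satisfies a rule
        target = self.value
        if isinstance(target, Ref):
            if target.attribute not in ctx:
                return False
            target = ctx[target.attribute]
        return OPS[self.op](ctx[self.attribute], target)


@dataclass
class ResourcePolicy:
    # subject -> True (allow) / False (deny); subjects are user ids or "group:<name>"
    entitlements: Dict[str, bool] = field(default_factory=dict)
    rules: List[SmartRule] = field(default_factory=list)


def decide(policy: ResourcePolicy, user: Dict[str, Any],
           request: Optional[Dict[str, Any]] = None) -> Tuple[bool, str]:
    """Return (allowed, reason). Entitlements take precedence over Smart Rules;
    rules are processed Deny, then Allow, then Require; anything unresolved is denied."""
    ctx = {**user, **(request or {})}
    # 1. Explicit entitlements: a user-level entitlement first, then group
    #    entitlements (if groups conflict, deny wins, matching the default-deny stance).
    if user["id"] in policy.entitlements:
        return policy.entitlements[user["id"]], f"entitlement for {user['id']}"
    group_ents = [policy.entitlements[f"group:{g}"] for g in user.get("groups", ())
                  if f"group:{g}" in policy.entitlements]
    if group_ents:
        return all(group_ents), "group entitlement"
    # 2. Deny rules: any match ends the evaluation.
    for r in (r for r in policy.rules if r.kind == "Deny"):
        if r.matches(ctx):
            return False, f"Deny rule: {r.attribute} {r.op} {r.value}"
    # 3. Allow rules: at least one must match when any are defined.
    allows = [r for r in policy.rules if r.kind == "Allow"]
    if allows and not any(r.matches(ctx) for r in allows):
        return False, "no Allow rule matched"
    # 4. Require rules: every one must match.
    requires = [r for r in policy.rules if r.kind == "Require"]
    for r in requires:
        if not r.matches(ctx):
            return False, f"Require rule not met: {r.attribute} {r.op} {r.value}"
    if not allows and not requires:
        return False, "no rule grants access (default deny)"
    return True, "Smart Rules satisfied"
```

Two details are worth checking in any real engine of this shape: a missing attribute must never satisfy a Require rule (treating "unknown" as "passes" is a classic way to leak access to partially provisioned users), and request parameters merged into the context must not be allowed to overwrite attributes that came from the trusted user record.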
Transactional Smart Rules. Transactional authorization involves the ability to fill in the values of an authorization decision with data from a variety of sources: request parameters, external databases, customer code, user attributes, environmental factors, web services requests and so on. The idea is to simplify what could otherwise be a highly complex string of conditions. For example, instead of a rule such as "the requested charge is less than $1,000 if the user has a platinum card, or less than $500 if the user has a gold card, and the expiration date is prior to January 1, 2006", transactional authorization removes the literal values and is expressed instead as "the requested charge is less than the credit limit".

Role-based Access Control (RBAC). Role-based access control (RBAC) grants rights and permissions to roles rather than to individual users. Users acquire the rights and permissions by being assigned to appropriate roles. By grouping users in this way, RBAC can provide significant security management efficiencies. In implementing RBAC, an enterprise must first define all of the roles within the organization and the permissions attached to each role. Each role is a class of users who have similar access rights. Each individual is assigned to one or more roles and receives the rights associated with the assigned roles. The permissions not only allow or deny access to a particular web-based resource or application, but also delineate all of the possible activities the role could undertake once the user has obtained access, such as viewing, creating, editing, signing, releasing, amending, copying and archiving a file.

Administrators can also create hierarchical categories of subclasses within a role. For example, an intern might be a subclass of the general role physician, and a disability nurse case manager might be a subclass of the general role case manager. RBAC enables enterprises to implement inheritance from subclasses to general classes of roles. In this way, if a change is made to the authorizations granted to all subclasses such as intern, attending and consultant, then all related general classes such as physician automatically receive that change as well.

Authorization Assertions

Just like the authentication and attribute assertions discussed earlier, authorization assertions are SAML-based messages. Agents that interface with the authorization system and the web server relay these messages back and forth. The web server, which is closest to the user, is known as the policy enforcement point (PEP). The PEP sends a message to the system, where the policy decision point (PDP) resides, that in effect says: "A user is trying to access a resource; please make a decision to allow or deny access." The PDP then makes the decision by checking the rules it uses to protect the resource against the information passed to it in that request, and returns the result to the PEP as a SAML authorization decision assertion.

Single Sign-on (SSO)

Single sign-on (SSO) is a high-value benefit of most identity and access management solutions. With SSO, users can securely navigate across multiple applications, sites and domains, including partner and affiliate sites, by authenticating only once per session. SSO makes access to web-based resources in multiple domains more efficient and less frustrating for the end user, significantly improving the web experience and user productivity. This is especially beneficial when the user is a customer or a partner.
Equally important, by reducing reliance on multiple user names and passwords, which are hard to remember, SSO eliminates a weak link in your security strategy and reduces support costs related to password administration. Various technologies are employed to accomplish SSO. NEXUS interoperates with multiple forms of security, including SAML tokens, RSA SecurID tokens, passwords, digital certificates, Kerberos and others, to ensure authenticity. This information takes the form of trusted statements, called security assertions, about any user or application that has been assigned a digital identity. Other important emerging standards supported by NEXUS are Liberty Alliance, which provides for federated identities, thereby enabling subsequent applications to trust identities that have been authenticated previously in the same session, and Microsoft .NET Passport. RSA Security has played a leadership role in developing and shaping key standards and protocols for web services, including SAML, Liberty Alliance and WS-Security. RSA Security is working to bridge federated identities between Liberty Alliance and Microsoft .NET to enable seamless interoperability between applications.

C. User Management Services

A key goal of NEXUS is to provide a common look and feel, a shared web interface and common administration capabilities across RSA Security products. The various aspects of common user management and administration are described below.

Centralized User Management

With centralized user management, administrators can add and edit users and groups that are recognized by all installed RSA Security products. NEXUS enables users and user attributes that are common to all RSA Security products (as well as product-specific attributes) to be managed via the common management interface.
The following list, while only a sampling, is an example of the range of user attributes common to all RSA Security products:

- First name and last name
- User identifier
- Address
- Account enabled/disabled
- Start date and end date (for temporary users)
- Access time (time of day and days of the week that the user can authenticate)
- Number of consecutive bad login attempts allowed (before the user is locked out of the system)
- User administrative role (if assigned)

Rather than enter all this information and more for each user and each application, administrators are able to manage and share a single user profile across the full spectrum of installed applications (as well as RSA Security products installed at a later time, if and when an enterprise chooses to expand its identity and access management solution).

Consistent Administration GUI. A consistent, web-based graphical user interface (GUI) that provides a single launching point for all RSA Security applications installed on the system offers platform independence and a zero footprint for the administrative client. The administrative user interface supports extensions that allow multiple installed RSA Security products to automatically share the common GUI.

Delegated Administration

Rather than require a single administrator to control all access functions for a system, RSA Security's delegated administration model enables divisions, departments and other entities to manage users and groups within their domain. An administrative group is a collection of objects (including users, groups, servers, applications and properties) owned by a single administrative domain and managed by a dedicated administrator (who also is part of that group). An organization can create as many administrators as it requires, each of whom can create sub-administrators, as well as a super administrator who can view, add, edit or delete any object in the system, regardless of the administrative group that owns the object. Roles can also be assigned to administrators at different levels in the hierarchy with varying granularity. Providing the ability to delegate administrative tasks is central to a scalable architecture. The delegated administration model allows administrators to manage users and groups from a single location across their authentication and access management infrastructure. Key benefits of this model include reduced administration costs, improved ease of use and increased security.

Self-service

Just as delegated administration provides efficiencies by enabling a network of administrators to manage finite domains within an enterprise's implementation, user self-service helps to reduce some of the burden on administrators and IT staff by empowering users to perform a limited range of tasks by themselves.
Some of these activities include: requesting access to enterprise applications; account creation for RSA Security products such as the RSA SecurID, RSA ClearTrust and RSA Keon solutions; accessing and making changes to their profiles (such as updating an address or phone number); changing their own passwords or RSA SecurID PINs; lost smart card recovery; and accessing online help. Users would not be able to add, view, edit or delete information outside of their own user records, because the system would control and limit their ability to access that information based on their role and the privileges assigned to that role (see Role-based Access Control in the Access Authority Services section).

Workflow

NEXUS also includes an account and credential creation workflow system that reduces administrative costs by automating the credential deployment process, traditionally a time-intensive burden on administrators. Instead of requiring IT staff to contact resource owners and employee managers, the workflow technology distributes the request, either automatically or through designated levels of approval, to securely grant access and ensure fast, cost-effective rollout of authentication credentials. Approval workflow allows approvers to review pending request lists, review pending request detail and approve or deny requests. It also allows administrators to set up configurations for workflow approvals (an approval chain with escalation chains, or automatic approval with no approver) and to set up e-mail templates for communication with end users and approvers. Robust support for escalations, multiple approvers, notifications and more is provided to enable sophisticated workflow that maps to an enterprise's unique business processes.

Provisioning

Provisioning refers to deploying digital identities and access rights based on business policies for employees, business partners and customers across multiple applications and resources.
This must be done accurately and securely at the outset in order to reduce problems down the line. Automatically assigning, maintaining and revoking these identities and rights should be a centralized function. NEXUS includes automated provisioning capabilities for all RSA Security components of the system, including RSA ClearTrust software, RSA SecurID tokens, passwords, RSA Mobile access codes and RSA SecurID Passage smart card solutions. Provisioning is also extended to RSA Keon digital certificate management technology for full life cycle credential management, including issuance, validation and revocation of X.509 credentials. Identities managed within NEXUS can also be provisioned to non-RSA Security applications through RSA Secured partner solutions, such as Thor Technologies' Xellerate secure enterprise provisioning product, which is tightly integrated with NEXUS.

D. Network and Application Integration Services

To be truly comprehensive, NEXUS must integrate the functions of trusted identity and access management with an organization's existing and future enterprise technologies and infrastructure. Enterprises want to leverage and protect their investments in solutions ranging from VPN, CRM and HR application servers to supply chain management systems linked to portals, web servers and other network and back-office systems. NEXUS is designed to effectively integrate heterogeneous enterprise systems with the security technologies that keep them safe.

Developer Toolkits

RSA BSAFE software is embedded in more than one billion products, including web browsers, enterprise software, wireless devices, commerce servers, systems and VPN products. Built to provide implementations of standards such as SSL, S/MIME, WTLS, IPSec, PKCS, WS-Security, XML and SOAP, RSA BSAFE toolkits can save developers time and risk in their development activities, and give them the strong security that comes only from a decade of proven, robust performance. Stringent testing by RSA Security ensures that all RSA BSAFE software implementations are interoperable. NEXUS is built using the RSA BSAFE tools to implement security and industry standards. This permits other standards-based applications to interoperate with NEXUS, allowing enterprises to extend their investment in existing and future IT infrastructure.

Application Programming Interfaces (APIs)

RSA Security has developed a robust set of application programming interfaces (APIs) that enable enterprises to quickly and easily develop custom applications that provide the integrated functionality they need for their heterogeneous environment.
There are currently five sets of API libraries, which leverage popular programming languages and can be written in C, Java and DCOM:
- Administrative APIs, which allow developers to create applications to manage users, resources and entitlements
- Runtime APIs, which can be used to develop applications that communicate directly with the system's authorization servers
- Web server extension APIs, which extend the functionality of web server agents during authentication and authorization processing
- OS-level APIs, for developing custom authentication modules for Windows and UNIX applications
- Pre- and post-processing hook APIs, which enable developers to trigger functions either before or after a specified event

Data Abstraction Layer (DAL)

NEXUS uses industry-standard design patterns to implement access to data stored in a repository. NEXUS is configurable to allow access to data from multiple types of repositories, including directories, relational databases and others, through its data abstraction layer (DAL). Native connections to the data repositories are supported through the use of industry standards such as LDAP and SQL. While RSA Security has a broad range of expertise in developing and unifying the various elements of NEXUS, the company relies exclusively on its large network of RSA Secured technology partners for the data store component of the solution. All user and group information entered in the system is maintained in an LDAP data store or a Java Database Connectivity (JDBC)-compliant database. We leverage our close relationships with trusted third-party providers of directory services and storage products to ensure interoperability with the framework's data storage subsystem, which provides standards-based schema and mapping for LDAP and relational database storage.
By supporting multiple types of data repositories, RSA Security's solution has the flexibility to offer organizations the ability to leverage their existing investment in directory server and database technology.

Web Agents

NEXUS integrates with web servers and web application servers through the use of web agents. Web agents enforce security policies configured into the system by bundling the details of an authentication or information request, taking it to the server on which the relevant policy resides and then delivering the deny or approve response back to the application from which the request was initiated. Common web agents for all security and enterprise applications are provided, so enterprises only have to deploy a single filter on their servers. Enterprises are then able to utilize that infrastructure with whichever RSA Security authentication or authorization tools they need, when they need them. RSA Security web agents are currently being developed for each specific target environment. They utilize standards where appropriate (e.g. J2EE, Microsoft .NET) and take full advantage of the native services offered by the target platform for maximum efficiency and interoperability.

Non-Web Agents

While more and more enterprise systems are now web-based, the predominance of virtual private networks (VPNs) and the need to secure routers, firewalls and operating systems such as Microsoft Windows and UNIX mean that the non-web environment remains a highly critical area for e-security solutions. Furthermore, some enterprises, such as those in the financial industry, may require more proprietary systems, while others prefer to develop their own homegrown enterprise applications. Either way, companies need the same secure-yet-convenient access for their non-web resources as they do for web-based systems, especially in instances where users require remote access. RSA Security's approach to this need will be two-fold: offering OS-level agents for non-web resources and working with RSA Secured partners to develop APIs for third-party products such as VPNs. These solutions will enable users to employ the same credential and password to access multiple non-web resources, what we call a consistent sign-on experience.

Web Services

Web services, which can be defined broadly and simply as application-to-application transactions, are an important aspect of the total solution. The requirements of federated identity, the proliferation of XML-based standards and protocols and the need for interoperable credentials and policies that cross application, division and corporate boundaries are at the heart of NEXUS. Even though web services involve application-driven interactions, as opposed to human-driven ones, trusted application identities are still required. The system secures web services by enabling distributed management of authentication and authorization within a heterogeneous environment. With web services, there are two security-related foci: protecting the application being used as a web service and protecting the web service transactions themselves. There are numerous ways to do this. In the first instance, protecting the application, the framework would deploy RSA Security's leading authorization technology, the RSA ClearTrust solution, which limits resource and application access to properly authenticated and authorized identities that have been granted appropriate rights.
Web services security is supported by RSA ClearTrust software through implementation of the WS-Security standard. To protect the transactions, WS-Security and SAML are used to ensure that Simple Object Access Protocol (SOAP) messages are not tampered with. SOAP is the messaging protocol that allows web service applications to talk to each other. SAML is an XML-based language that enables web services to exchange information relating to authentication and authorization.

Microsoft .NET

RSA Security understands the central role that Microsoft technology plays in most large enterprises. Through extensive agent support and application integration, our solutions interoperate with key Microsoft products including the Windows 2003 operating system, Internet Information Services (IIS) web server and Active Directory. This makes it easy for an enterprise to add RSA Security products to its Microsoft assets as part of a unified enterprise solution for identity and access management. Microsoft's commitment to web services is embodied in the Microsoft .NET product line. Microsoft .NET offers extensive security capabilities that can be leveraged by developers and security vendors to provide enterprises with the levels of trust and assurance that web services demand. Capitalizing on these capabilities, NEXUS enables enterprises to implement unified, scalable identity management solutions that span Microsoft .NET technologies, non-Microsoft web services technologies and traditional infrastructures. RSA Security works closely with Microsoft to ensure interoperability between NEXUS and the new generation of products. That collaboration extends across three of the four major components of the platform: web services, .NET servers and the development environment. For example, NEXUS secures web services by accepting Microsoft Passport authentication statements and serving as a web services authorization engine.
NEXUS will also offer deep integration with Windows .NET servers (including key data servers, connectivity servers and business application servers) and Microsoft web servers and business applications. In addition, RSA Security will offer full developer support so that XML web services applications can leverage the RSA Security solution. Functionality includes support for Visual C# .NET, the WS-Security specification and ASP.NET and J2EE session management interoperability.

Partner Product Interoperability

Partnering and product interoperability are critical to our ability to provide a complete solution. RSA Security has a long and successful history of partnering with industry leaders and innovators. Ours is the most mature, oldest and largest technology partner program of its type. We leverage that partnering expertise with NEXUS to ensure that every need is addressed. Providing these capabilities requires strong partnerships with enterprise vendors and close relationships with customers, both of which are hallmarks of RSA Security. Through the RSA Secured technology partner program, we conduct extensive testing and certification to ensure that third-party systems are interoperable with RSA Security technologies, and we make implementation guides publicly available to enable faster deployment of an enterprise's solution. Aside from the stringent interoperability testing and certification process, a key differentiator of the RSA Secured technology partner program is our contractual insistence on providing mutual customer support. If technical assistance is ever required, enterprises will always have someone to call.

E. Identity Management System Services

NEXUS is built upon a common framework composed of Java-based building blocks that provide much of the tools and functionality needed for a comprehensive and interoperable authentication and authorization system. This common framework eliminates the need to install and manage separate infrastructures for each RSA Security product. Rather, all products tie into and operate from a common set of functions and capabilities. A description of these functions and capabilities follows.

Availability, Performance and Scalability

Clustering and data replication, which ensure availability by eliminating single points of failure, and load-balancing are intended to be handled by the underlying application server. However, NEXUS subsystems can be deployed in a cluster, ensuring NEXUS services are seamlessly and continuously available. NEXUS conforms strictly to the J2EE standards and can be deployed in various commercial application server environments. While clusters are implemented in local area networks (LANs), data replication allows systems geographically distributed across wide area networks (WANs) to be secured and managed by NEXUS.
Local clusters act on distributed, replicated data, providing high availability for mission-critical applications. This system offers high performance and scalability to address the current and future needs of complex, heterogeneous environments.

NEXUS Component Security

Creating a truly secure identity and access management system requires more than just protecting application servers. The communication between the various components must be secure, and sensitive information stored in the file system must also be protected. Inter-component security protects information as it is passed between NEXUS components and RSA Security applications. NEXUS is designed to allow enterprises to configure different inter-component security methods between the various components. These include shared secret (or symmetric) encryption, anonymous SSL and mutually authenticated SSL.

Shared Secret Encryption. Shared secret (or symmetric) encryption is used to protect the sensitive information in the NEXUS single sign-on (SSO) cookie. Shared secret encryption is required if you are using SSO, and it is always enabled, regardless of whether or not SSL is used. The SSO cookie is always encrypted when passed over the network. To ensure that the SSO cookie is only encodable and decodable by trusted NEXUS components, each application server agent and access authority service provider must have a valid key generated by NEXUS. This key must be presented to the NEXUS key server before the client can obtain the current encryption/decryption key for the cookie.

Anonymous SSL. All data exchanged between NEXUS components can also be encrypted using Secure Sockets Layer (SSL) encryption technology. Before transmission over the network, the data is encrypted using anonymous SSL. Anonymous SSL means that neither the client nor the server is required to present a certificate in order to authenticate itself.
The particular SSL modes vary from one component to another, but 128-bit encryption is always used for messages sent across the network.

Authenticated SSL. Communications between NEXUS components can be secured using authenticated SSL. In this mode, each NEXUS component must present its digital certificate when contacting another component, allowing that component to verify the other's identity. To activate SSL communications, the various agents must be configured within the system to use authenticated SSL, and each component must have access to the key store containing both its certificate and the trusted Certificate Authority's (CA) certificate.

Operating System Security

Authentication credentials (passwords, tokens, certificates, etc.) stored in the system must be protected, and file permissions on the NEXUS directory tree should be very tightly controlled. Administrators should only grant access to the few individuals or groups that absolutely need it; otherwise, administrators alone should have access to the configuration files.

User Passwords. Passwords are among the several forms of authentication that NEXUS users may utilize. In order to reduce the likelihood of password theft, all passwords stored in NEXUS data stores are hashed, meaning that they are converted into strings of seemingly random characters. Given a hash, there is no way to retrieve the original human-readable password.

SSO Cookie Security. The SSO cookie can be protected on the client in the following ways:
- NEXUS can be configured to treat the cookie as a session cookie (rather than as a persistent cookie). This way, the cookie is stored in browser memory only, rather than on disk. This helps prevent intruders from retrieving a cookie from a user's computer for later use.
- NEXUS application server agents can be configured to check the source of each incoming cookie. To allow this, the cookie is labeled with the IP address of the machine (where the user's browser is running) for which the cookie was created. Each time the user's cookie is used to request another resource, the agent checks that the request originated at the IP address for which that cookie is valid. This means that only the requesting client machine can use the cookie created for that client.
- NEXUS software can enforce validity periods for cookies. With this feature, each cookie becomes unusable after a determined period of inactivity. For example, this is helpful when a user logs into a NEXUS-protected resource and then leaves his or her computer. By setting a short expiration period, administrators can minimize the window of time during which another person could assume the existing session.
- The cookie has a maximum lifetime that forces a reauthentication when the time threshold is exceeded. Administrators can set the maximum lifetime for a user's session. The time-out settings, both for maximum lifetime and inactivity, are set on a per web server basis.
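The four cookie protections listed above, worked through as an added example that is not RSA Security's code: a validator that binds the cookie to the client IP, enforces an inactivity window and an absolute maximum lifetime, and emits the cookie as a session cookie. NEXUS encrypts the cookie under a key fetched from its key server; this stdlib-only version substitutes an HMAC tag under a constructed shared key (integrity, not confidentiality), and the cookie name and layout are assumptions.

```python
"""Added example, not RSA Security's code: an SSO cookie validator enforcing the
client-side protections described in the paper (client IP binding, inactivity
timeout, maximum lifetime forcing reauthentication, session-only delivery).
NEXUS encrypts the cookie with a key from its key server; here an HMAC tag under
a constructed shared key stands in for that, so this is an assumption, not the
NEXUS cookie format."""
import base64
import binascii
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample key; in NEXUS the agent obtains the current cookie key from the key server.
SHARED_KEY = b"constructed-demo-key-not-a-real-secret"
COOKIE_NAME = "NEXUS_SSO"  # hypothetical cookie name, not taken from the paper


@dataclass(frozen=True)
class CookiePolicy:
    inactivity_timeout: int        # seconds idle after which the cookie becomes unusable
    max_lifetime: int              # seconds since authentication before reauthentication is forced
    check_client_ip: bool = True   # agent compares the request source with the IP stamped in the cookie


def _tag(payload: bytes, key: bytes) -> str:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def _encode(body: dict, key: bytes) -> str:
    payload = json.dumps(body, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _tag(payload, key)


def mint_cookie(user: str, client_ip: str, auth_time: int, key: bytes = SHARED_KEY) -> str:
    """Create the cookie at login, stamped with the client IP, authentication time and last use."""
    return _encode({"user": user, "ip": client_ip, "auth_at": auth_time, "last_seen": auth_time}, key)


def validate_cookie(cookie: str, request_ip: str, now: int, policy: CookiePolicy,
                    key: bytes = SHARED_KEY) -> Tuple[bool, str, Optional[str]]:
    """Check a presented cookie against the policy.

    Returns (accepted, reason, refreshed_cookie). On success the refreshed cookie carries an
    updated last_seen so the inactivity window restarts; auth_at never moves forward, so the
    maximum lifetime still forces a fresh login.
    """
    try:
        b64, tag = cookie.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(b64.encode())
    except (ValueError, binascii.Error):
        return False, "malformed", None
    # Reject anything not minted by a holder of the shared key (tampered or forged cookies).
    if not hmac.compare_digest(_tag(payload, key).encode(), tag.encode()):
        return False, "bad-signature", None
    body = json.loads(payload)
    if policy.check_client_ip and body["ip"] != request_ip:
        return False, "ip-mismatch", None        # only the machine it was created for may use it
    if now - body["auth_at"] > policy.max_lifetime:
        return False, "max-lifetime", None       # threshold exceeded: reauthenticate
    if now - body["last_seen"] > policy.inactivity_timeout:
        return False, "inactive", None           # idle too long: an abandoned session is dead
    return True, "ok", _encode(dict(body, last_seen=now), key)


def set_cookie_header(cookie: str, session_only: bool = True, ssl_only: bool = True) -> str:
    """Build the Set-Cookie header. A session cookie carries no Expires/Max-Age, so the
    browser keeps it in memory rather than on disk; Secure restricts it to SSL connections."""
    attrs = [f"{COOKIE_NAME}={cookie}", "Path=/", "HttpOnly"]
    if ssl_only:
        attrs.append("Secure")
    if not session_only:
        attrs.append("Max-Age=86400")   # persistent cookie: written to disk, retrievable later
    return "; ".join(attrs)


if __name__ == "__main__":
    policy = CookiePolicy(inactivity_timeout=600, max_lifetime=28800)
    c = mint_cookie("alice", "10.0.0.5", auth_time=1000)   # constructed sample login
    print(validate_cookie(c, "10.0.0.5", 1100, policy)[:2])   # (True, 'ok')
    print(validate_cookie(c, "10.0.0.9", 1100, policy)[:2])   # (False, 'ip-mismatch')
    print(validate_cookie(c, "10.0.0.5", 1700, policy)[:2])   # (False, 'inactive')
    print(set_cookie_header(c))
```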
In addition, application servers can also be configured to run with SSL encryption turned on, so that cookies are encrypted (along with all other communications) between the web browser and the application server.

Centralized Configuration

Centralized configuration enables administrators to manage the various components in NEXUS, particularly the web agents and application server agents that contain configuration files, from a single location. Rather than manually editing these files using a text editor, administrators are able to use a centralized utility to easily manage configuration files throughout the system. With NEXUS, configuration information is centrally managed and accessible through the administration GUI and APIs.

System Monitoring

NEXUS provides a standard interface to support monitoring requirements via the Simple Network Management Protocol (SNMP) and can function as an SNMP agent. The SNMP agent runs as a service that responds to requests from third-party SNMP managers and sends SNMP trap notifications to SNMP managers for reporting and notification. The agent provides the following capabilities:
- Accesses runtime information to monitor attributes available on NEXUS
- Accesses NEXUS domain configuration information
- Subscribes to notifications generated by NEXUS for monitoring or logging events
- Supports configurable, log-based, enterprise-specific SNMP trap notifications

In the SNMP management framework, a resource is said to be manageable if SNMP requests can obtain information about the values of its attributes, or can modify the values of such attributes. SNMP management software calls manageable attributes objects and arranges them in a hierarchy of information known as a Management Information Base (MIB). Each object in the MIB has an object identifier (OID), which the manager uses to request the object's value from the agent.
Logging and Auditing

Logging and auditing capabilities enhance an enterprise's security by providing the records required to review and meet security policy and compliance requirements. The NEXUS logging subsystem implements a framework for the centralized creation, storage and life cycle management of logs. Audit logs are used by administrators to maintain records of system activity, and are used to monitor administrative operations, application service fulfillment and significant error conditions. All system events are logged to a central logging repository for secure storage and easy retrieval. The logging repository is configurable and can be one of many formats: a flat file, the Microsoft Windows NT event log or UNIX syslog. In addition, a tamper-proof secure log is kept, in which audit events are signed and time-stamped. Administrators can specify a log file name, set message priority (Informational, Warning, Error or Fatal), select which critical events are to be logged and perform other management and archival actions. Furthermore, administrators can control how events of different priorities are to be logged. For example, events with the priority of Warning or Informational can be logged to a flat file, while events with the priority of Error can be logged to the Windows NT event log or to the administrator's console.

Reporting

As the basis for centralized administration and management of user activity, business rules and security policy, NEXUS has the ability to gather, store and protect a wide range of critical information. The system provides centralized logs across all RSA Security solutions to provide one view of complete identity and access management activity. In addition to these logs, NEXUS provides a set of standard reports to document activity. The logs can also be tied into robust third-party reporting tools already in use by enterprises in order to customize the reports in a familiar manner.

IV. CONCLUSION: THE WAY AHEAD

NEXUS is a unified approach by which RSA Security's industry-leading authentication and authorization technologies can be easily implemented and commonly managed. Providing a complete set of solutions and functionality enables organizations to easily and cost-effectively expand their e-security capabilities as their needs grow, without burdening their network capacities by having to install multiple silo applications. Administration for the full breadth of security technologies purchased is easier to learn and to operationalize, and enterprises have the robust security they need to be more productive, competitive and successful. RSA Security is the only company with the combined experience, expertise and existing technologies needed to conceive, develop and bring to market such an expansive, complete solution in a reasonable time frame.
Our reputation for quality, our history as innovators and our commitment to our customers drive our efforts forward and have resulted in a visionary and revolutionary solution for enterprise e-security: NEXUS, RSA Security's Identity Management System.

ABOUT RSA SECURITY

RSA Security helps organizations protect private information and manage the identities of people and applications accessing and exchanging that information. The solutions in RSA Security's portfolio, including identity & access management, secure mobile & remote access, secure enterprise access, secure transactions and consumer identity protection, are all designed to provide the most seamless e-security experience in the market. RSA Security's strong reputation is built on a history of ingenuity, leadership, proven technologies and more than 15,000 customers around the globe. Together with more than 1,000 technology and integration partners, RSA Security inspires confidence in everyone to experience the power and promise of the Internet. For more information, please visit

APPENDIX: GLOSSARY

Assertion: A SAML-based message that provides a real-time, session-limited credential.
CSF: Common Server Framework; implemented in Java using the J2EE architecture and the BEA WebLogic application server as the container for the J2EE environment.
Credential: Any authentication tool that establishes identity and provides access, such as a password, token, smart card or digital certificate.
Delegated administration: ...providing the ability to delegate administrative tasks is central to an architecture that provides scalability, which is required to support enterprise-class and B2B environments.
Entitlement: A basic permission that always takes precedence over a Smart Rule. (see Smart Rules)
Failover: The automatic substitution of a functionally equivalent system component for a failed one.
Federated identity: An authenticated identity that is accepted at numerous member applications that have agreed to trust identities authenticated by any one member in a single session. (see Liberty Alliance and Microsoft .NET)
J2EE: Java 2 Enterprise Edition (Sun) application server.
LDAP: Lightweight Directory Access Protocol.
Liberty Alliance: A standard that provides a set of extensions to SAML for federated identity and session management.
Microsoft .NET: Microsoft application server platform, which provides a form of federated identity.
OASIS: Organization for the Advancement of Structured Information Standards.
RBAC: Role-Based Access Control; includes principal, permission, role, rule and resource. Instead of assigning basic entitlements to individuals, all users belong to groups; privileges are connected to roles or groups.
SAML: Security Assertion Markup Language.
Smart Rules: Conditional entitlements, which take three forms: Deny, Allow and Require. (see Entitlement)
SOAP: Simple Object Access Protocol; how parties exchange XML documents over HTTP.
SSO: Single sign-on, where a user needs only to log on one time in order to access numerous applications and resources.
WS-Security: Web Services Security.
XML: Extensible Markup Language.

BSAFE, ClearTrust, Keon, RSA, RSA Security, RSA Secured, Smart Rules, SecurID and Confidence Inspired are registered trademarks or trademarks of RSA Security Inc. in the U.S. and/or other countries. All other products and services mentioned herein are the trademarks of their respective owners. All rights reserved. NEXUS WP 0903


More information