NEXUS The RSA Security Identity Management System


NEXUS: The RSA Security Identity Management System
A Technical Vision for Identity and Access Management
WHITE PAPER

The RSA Security Identity Management System, code name NEXUS, is a unified approach by which RSA Security's industry-leading authentication and authorization technologies can be easily implemented and commonly managed. NEXUS encompasses every consideration that must be addressed in a comprehensive enterprise identity and access management solution. Building around the core RSA Security identity and access management technologies that are currently in use around the globe, we have identified and mapped a development path to deliver an integrated identity and access management solution.

This white paper is for informational purposes only. RSA Security makes no warranties, expressed or implied, in this document. The information contained in this white paper represents the current view of RSA Security's future plans for this technology. It is possible that those plans could change due to changing market conditions including, among other

TABLE OF CONTENTS

I. EXECUTIVE SUMMARY
II. INTRODUCTION: IDENTITY AND ACCESS MANAGEMENT OVERVIEW
III. BUSINESS REQUIREMENTS
IV. THE VISION
  A. Identity Authority Services
    1. Authentication Methods
    2. Authentication Policies
    3. Credential Management
    4. Authentication and Attribute Assertions
    5. Session Management
  B. Access Authority Services
    1. Authorization Methods
    2. Authorization Assertions
    3. Single Sign-on (SSO)
  C. User Management Services
    1. Centralized User Management
    2. Delegated Administration
    3. Self-service
    4. Workflow
    5. Provisioning
  D. Network & Application Integration Services
    1. Developer Toolkits
    2. Application Programming Interfaces (APIs)
    3. Data Abstraction Layer (DAL)
    4. Web Agents
    5. Non-Web Agents
    6. Web Services
    7. Microsoft .NET
    8. Partner Product Interoperability
  E. Identity Management System Services
    1. Availability, Performance and Scalability
    2. NEXUS Component Security
    3. Operating System Security
    4. Central Configuration
    5. System Monitoring
    6. Logging & Auditing
    7. Reporting
V. CONCLUSION: THE WAY AHEAD
ABOUT RSA SECURITY
APPENDIX: GLOSSARY

I. EXECUTIVE SUMMARY

A significant change in the need for and deployment of e-security technologies in complex enterprise environments is taking place. Combining point solutions for authentication and authorization within a single system that enables centralized user management, this new concept has been termed identity and access management. As a leading provider of authentication and authorization tools and technologies, RSA Security is uniquely positioned to develop the vision for such a comprehensive system and to make it real. The purpose of this white paper, then, is to describe in some technical detail NEXUS, the RSA Security Identity Management System.

NEXUS encompasses five distinct components: a shared user management system, an identity authority (providing authentication services), an access authority (providing authorization services), network and application integration capabilities, and a common server framework that connects the various operations and components of the system as a unified whole.

In summary, NEXUS is a comprehensive solution for organizations requiring strong protection for their network resources and confidential business information. The system ensures that users are who they claim to be and that they have access only to those resources for which they have permission. At the same time, NEXUS simplifies administration, contributing to lower cost of ownership, increased revenue from online business and greater control over an organization's e-security capabilities, while remaining, where necessary, within compliance.

II. INTRODUCTION: IDENTITY AND ACCESS MANAGEMENT OVERVIEW

Managing digital identities is about intelligently using these identities to achieve business goals such as increasing revenue, improving customer satisfaction and reducing costs. In conducting business online, an organization can only use identities that are trusted.
An effective identity and access management solution establishes trust in an organization's online environment. Who users are (authentication) and what users can do (authorization) are tightly coupled and rooted in the ability to manage the full life cycle of a digital identity (user management), from creation and maintenance to termination, as well as to enforce organizational access policies. These components are critical to the success of an organization's identity and access management solution.

Identity and access management will play a critical role in the advancement of e-business as a primary mode of operation. As a result, this technology will transform the way that organizations deploy security. This transformation could change e-business substantially, allowing organizations to use digital identities to contribute real value to their business.

[Figure: An Overview of Identity & Access Management. Components shown: network and application integration, authentication, web access management, provisioning, user management, data storage.]

[Figure: Today's e-business environment (Enterprise A, Enterprise B). Today's identity infrastructure can be difficult to manage for both administrators and users.]

III. BUSINESS REQUIREMENTS

NEXUS is designed to address the following business requirements:

- Cost-effectively manage identities and access rights for a growing number of applications and users
- Seamlessly connect users and applications across business boundaries
- Establish and maintain trust in user identities and perform cost-effective credential life cycle management
- Flexibly define and enforce security policies for varying business requirements, with a single infrastructure to manage them
- Extend the infrastructure beyond users to support web services authentication and authorization requirements

While NEXUS is currently in development, many of its components are in use today and development paths have been mapped for the remainder. RSA Security today offers a range of industry-leading e-security solutions that are each managed on their own yet already provide a high degree of interoperability. The vision behind NEXUS, therefore, is a logical and necessary next step in the evolution of these solutions. Having created this award-winning family of solutions, RSA Security is well placed to develop the integrated framework that offers enterprises strong security and usability.

[Figure: Tomorrow's e-business environment. The identity and access management infrastructure of the future makes it easier to manage identities while simplifying sign-on for users. Elements shown include an application platform (J2EE) and remote access VPN.]

Mindful of these factors, we also established a set of guiding principles for the development of this system, including:

- Ensuring interoperability with both J2EE and Microsoft .NET environments
- Providing simple and flexible user and policy management
- Developing a common infrastructure for securing users, applications and transactions

RSA Security has leading discrete e-security solutions today, and the experience and expertise needed to combine them tomorrow, providing our customers with a migration path to address critical security needs as they emerge over time.

IV. THE VISION

The components of NEXUS, as they are presented in this white paper, are as follows:

a. Identity authority services
b. Access authority services
c. User management services
d. Network and application integration services
e. NEXUS system services

A. Identity Authority Services

The ability to establish trust in identities begins with authentication. With nearly 20 years' experience in the authentication of people, devices and transactions, RSA Security is positioned as the acknowledged leader in the authentication market. NEXUS is designed to provide a centralized authentication service that offers simplified enrollment and credential management throughout the enterprise. The system supports a range of authentication methods and enables enterprises to provide centralized life cycle management of those credentials over time.

Authentication Methods

Every company needs to manage multiple authentication methods, based either on the nature of the applications being protected, or on the diversity of the user base and the varied permissions that must be assigned. The NEXUS authentication service provides a standard interface to an extensible set of authentication methods, including RSA SecurID authenticators and smart cards, passwords, RSA Mobile access codes and RSA Keon (X.509) digital certificates.
In addition, the system will support other non-RSA Security authentication alternatives, such as Microsoft Passport, Kerberos and biometrics. NEXUS authenticates some of these methods natively, while others are proxied to an external authentication engine or service.

RSA SecurID software is a leading solution for two-factor authentication and an integral component of NEXUS. RSA SecurID software is used with authenticators (tokens) and an authentication server, which is the management component of the RSA SecurID solution. Used to verify authentication requests and centrally administer authentication policies for enterprise networks, the authentication server is built upon an enterprise-class, multiprocessor architecture, capable of handling millions of users per server and thousands of simultaneous authentications.

NEXUS also provides administrators with extensive configuration options for password management. These include setting minimum and maximum password lengths, requiring the use of at least one non-alphabetic character, excluding certain characters and certain common passwords, and defining the lifetime of a password. The system also maintains a history of the last n (an administrator-defined number) passwords for each user to prevent password reuse.

In addition, NEXUS generates and stores cryptographic key material. A common mechanism generates the random numbers from which public/private key pairs are derived. The system also creates and manages two required symmetric keys: the encryption key that is used for encrypting sensitive data stored in a repository, and the context-signing key that is used to cryptographically protect the authentication assertions generated by the system.
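The password rules just described, as an added example that is not RSA Security's code: a policy object holding the administrator's settings (length bounds, a required non-alphabetic character, excluded characters, a common-password list, lifetime and a last-n history) and a checker that reports every rule a candidate breaks. The history is kept as salted PBKDF2 hashes, so the reuse check never needs the old passwords themselves. All policy values, the hash parameters and the function names are assumptions.

```python
# Password policy enforcement with a hashed reuse history.
# Added example, not RSA Security code. The policy values below are assumptions;
# NEXUS exposes the equivalent settings through its administrative interface.
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import List, Optional

PBKDF2_ITERATIONS = 50_000   # assumption; tune to your hardware


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8
    max_length: int = 64
    require_non_alpha: bool = True          # at least one non-alphabetic character
    excluded_chars: str = " \t"             # characters an administrator has excluded
    common_passwords: frozenset = frozenset({"password", "123456", "qwerty", "letmein"})
    lifetime_days: int = 90
    history_size: int = 5                   # the "last n" passwords that may not be reused


@dataclass
class PasswordRecord:
    """Per-user state: only salted hashes are kept, never the passwords."""
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: List[bytes] = field(default_factory=list)   # oldest first
    set_at: float = 0.0                                   # epoch seconds of last change


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def violations(policy: PasswordPolicy, record: PasswordRecord, candidate: str) -> List[str]:
    """Return every policy rule the candidate breaks (empty list means acceptable)."""
    problems = []
    if not policy.min_length <= len(candidate) <= policy.max_length:
        problems.append("length")
    if policy.require_non_alpha and all(c.isalpha() for c in candidate):
        problems.append("no non-alphabetic character")
    if any(c in policy.excluded_chars for c in candidate):
        problems.append("excluded character")
    if candidate.lower() in policy.common_passwords:
        problems.append("common password")
    # Reuse check against the last n hashes; constant-time compare per entry.
    digest = _digest(candidate, record.salt)
    recent = record.history[-policy.history_size:]
    if any(hmac.compare_digest(digest, old) for old in recent):
        problems.append("reused")
    return problems


def set_password(policy: PasswordPolicy, record: PasswordRecord, candidate: str,
                 now: Optional[float] = None) -> None:
    """Apply the policy, then record the new hash and trim the history to n entries."""
    problems = violations(policy, record, candidate)
    if problems:
        raise ValueError("password rejected: " + ", ".join(problems))
    record.history.append(_digest(candidate, record.salt))
    del record.history[:-policy.history_size]
    record.set_at = time.time() if now is None else now


def is_expired(policy: PasswordPolicy, record: PasswordRecord, now: Optional[float] = None) -> bool:
    """True once the password is older than the policy lifetime."""
    now = time.time() if now is None else now
    return now - record.set_at > policy.lifetime_days * 86_400
```

Because the record holds only salted hashes, a reuse check costs one PBKDF2 computation per candidate plus one constant-time comparison per history entry, and a copy of the repository does not reveal the previous passwords.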
Such broad support for leading trusted authentication methods can reduce administrative, management and deployment costs by making it easier for enterprises to deploy the multiple authentication credentials that best serve the diverse needs of different users accessing a wide variety of applications and resources in large organizations.

Authentication Policies

Authentication policies describe the requirements placed on a user when authenticating. A policy may be associated with a user, resource, system or any other object where authentication requirements are managed. When a user logs on to a resource, that resource sends an authentication request to an authentication broker on the back-end. The broker has access to policy data and user records. Acting essentially as a traffic cop, the authentication broker checks the policy data and sends the logon data either to the back-end or to a proxied authentication system, where its validity is checked. Responses are sent back to the application, which either allows the user to proceed or denies the user access.

Method Chaining. Some resources might require more than one authentication method to be successfully employed in order to gain access. This is known as method chaining. Administrators can select which and how many authentication methods are required for a particular resource. When a user attempts to log on, the application processes each method individually and then requests the authentication service to validate the next method in the chain. Furthermore, an administrator could specify that either of two different authentication credentials is acceptable; this is particularly useful when an organization migrates its users from passwords to a stronger form of authentication.

Graded Authentication. In a situation where a resource requires a chain of authentication methods to be successfully deployed in order to gain access, it can be useful to assign a relative strength to each method. For example, a digital certificate stored on a smart card may be graded the most secure method, a password the least secure and an RSA SecurID token might be somewhere in between. Furthermore, different methods can be graded identically. Administrators are able to assign and alter the relative strength of all authentication methods used within the system. The benefit of this capability is that if a user does not have a particular credential (either because it hasn't yet been provisioned or because in most instances the user would not need it) he or she could substitute a credential with the same grade and still gain access.

Credential Management

Credential is a generic term for any authenticator that establishes identity for controlling access to protected resources and applications, such as a token, digital certificate or password.
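The authentication broker, method chaining and graded authentication described above, as an added example (not RSA Security's implementation): a policy is an ordered chain of steps, each step naming the methods acceptable at that point, so a one-element step is a required method and a multi-element step is the "either of" migration case. The broker routes each presented credential to a native verifier or to a stand-in for a proxied engine, and with grading enabled a credential of equal or higher grade may stand in for a missing one (the paper says "same grade"; accepting a stronger one is this example's assumption). Method names, grades, the user records and the verifier functions are all constructed.

```python
# Authentication broker with method chaining and graded authentication.
# Added example, not RSA Security code. Method names, grades, the "proxied"
# SecurID check and the sample user records are constructed for illustration.
from dataclasses import dataclass
from typing import Callable, Dict, List

# Relative strength assigned by an administrator (higher is stronger). Assumed values.
GRADES: Dict[str, int] = {"password": 1, "securid": 2, "smartcard_cert": 3}

# Constructed user store. A real deployment keeps password hashes, token seeds
# and certificate bindings in the repository or the authentication server.
USERS = {
    "alice": {"password": "correct horse battery", "securid": "246810"},
    "bob":   {"password": "hunter2!", "smartcard_cert": "CN=bob,O=Example"},
}


def verify_native(user: str, method: str, credential: str) -> bool:
    """Methods the broker checks against its own records (password, certificate)."""
    stored = USERS.get(user, {}).get(method)
    return stored is not None and stored == credential


def verify_proxied_securid(user: str, method: str, credential: str) -> bool:
    """Stand-in for a call to an external authentication engine (the SecurID server)."""
    return verify_native(user, method, credential)   # simulated locally


# The broker routes each method either to a native check or to a proxy.
VERIFIERS: Dict[str, Callable[[str, str, str], bool]] = {
    "password": verify_native,
    "smartcard_cert": verify_native,
    "securid": verify_proxied_securid,
}


@dataclass
class AuthPolicy:
    """chain: ordered steps; each step lists the methods acceptable at that step.
    A one-element step is a required method, a multi-element step is "either of"."""
    chain: List[List[str]]
    graded: bool = False    # permit substitution by a method of the same or higher grade


def step_accepts(step: List[str], method: str, graded: bool) -> bool:
    if method in step:
        return True
    if graded:
        # Assumption: same-or-higher grade may stand in (the paper states "same grade").
        return GRADES[method] >= min(GRADES[m] for m in step)
    return False


def authenticate(user: str, presented: Dict[str, str], policy: AuthPolicy) -> bool:
    """presented maps method name -> credential supplied by the user.
    Every step of the chain must be satisfied by a distinct, successfully verified method."""
    used = set()
    for step in policy.chain:
        for method, credential in presented.items():
            if method in used or method not in VERIFIERS:
                continue
            if step_accepts(step, method, policy.graded) and VERIFIERS[method](user, method, credential):
                used.add(method)
                break
        else:
            return False     # no presented credential satisfied this step
    return True
```

A two-step chain such as `[["password"], ["securid"]]` is classic two-factor; `[["password", "securid"]]` accepts either during a migration; and `AuthPolicy([["securid"]], graded=True)` lets a user whose token has not been provisioned present a smart-card certificate instead, because it is graded at least as strong. A credential used for one step cannot be counted again for a later step.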
Credential management includes control over the full life cycle of credentials (creating, maintaining and terminating), provisioning the credentials to users (typically, each authentication method has its own form of credential provisioning) and verification, whereby the system continually checks that the right user is using the right credential and that the credential is still valid. NEXUS provides a centralized framework for assigning and provisioning the credentials that control access to enterprise applications and resources. Rather than creating and issuing individual credentials for each resource, the system supports the use of a single credential for all RSA Security and third-party applications on the enterprise network. Therefore, when an employee leaves and his or her credential needs to be revoked, it can be done with a single operation rather than by deleting separate credentials for each resource to which he or she had access.

For a digital certificate, NEXUS performs real-time checks to ensure that the certificate being transmitted through the system in fact belongs to the person who sent it, and that it has not expired or been revoked. Administrators can renew an expired certificate through the same common user interface from which all credential management functions are managed. Credential verification also applies to other credentials, such as passwords and RSA SecurID token codes, which must be authenticated before the user is validated.

Authentication and Attribute Assertions

An assertion is a declaration of fact. In NEXUS, web services-based assertions are used as real-time, session-limited credentials that provide federated identity to users as they traverse internal and external web-based resources.
The OASIS standards body defines three kinds of security assertions that can be passed between applications: authentication (who a user is), authorization (what a user can do) and attribute (including role, user group and other identity profile values). When a user authenticates at an application or URI and then tries to log on to a subsequent application or URI, that resource requests proof of authentication. That proof is an assertion. NEXUS uses industry-standard SAML (Security Assertion Markup Language) assertions. A SAML assertion is a message that confirms the user's original successful authentication. With native SAML support and RSA Security's leadership role in developing the Liberty Alliance standard for federated identity, NEXUS possesses strong capabilities for providing secure access to trusted identities across a broad range of internal and external resources.

Session Management

A session represents the period of time after a successful user authentication until logout from a web-based resource. A user may access any number of applications or URIs during that time, yet it still counts as a single session. Administrators may choose to set policies around sessions to ensure security and optimize network bandwidth. For example, a session could have a maximum lifetime, say five hours, at the conclusion of which the session would be automatically terminated (although the system could prompt the user to re-authenticate within a certain short window of time in order to extend the session and maintain productivity). Administrators can also set a maximum number of concurrent sessions per user, as well as a maximum period of inactivity before the session is terminated.

NEXUS supports the ability to specify which user properties/attributes should be published to the HTTP header upon successful authentication. This functionality is available on a per-application or resource basis and extends the

existing user property functionality by increasing the granularity of when and where user property information is published. This provides enterprises with ease of integration and customization within their environments. By passing the specific properties in the headers, applications can use the information for easier integration and to deliver additional personalization capabilities. The data can also be segregated, for example, so that one application receives a user's Social Security Number, while another application receives only his or her job title. Applications that consume such headers should accept them only from the web agent that sets them: a header the client can supply directly is not proof of identity.

B. Access Authority Services

By defining and enforcing online access policies that map to an enterprise's business policies, access management technology can extend an organization's reach while offering the protection required whenever information is made available on, or transmitted over, the public Internet. RSA Security's web access management solution, RSA ClearTrust technology, is an integral part of NEXUS. With RSA ClearTrust software driving the authorization component of the framework, this solution is able to provide varied levels of authorization, from yes/no access to a URI, file or application, all the way down to fine-grained authorization of J2EE and .NET resources.

Authorization Methods

The NEXUS solution offers three distinct methods of delivering authorization services, which define and manage the permissions granted to specific users seeking to access web and non-web resources from both internal and external systems. These methods are known as entitlements, Smart Rules (of which there are two kinds: conditional and transactional) and role-based access control (RBAC).

Entitlements. Basic entitlements explicitly allow or deny access to a specific resource. Entitlements can be assigned to individual users or to groups of users. They are fixed, meaning that a given user either does or does not have permission to access a resource under any condition.
For users granted basic entitlements, the system can respond with only two values: allow (the user is authorized) or deny (the user is not authorized).

Conditional Smart Rules. More complex than entitlements, conditional Smart Rules work by defining a user attribute (such as location, role or account balance) and an accompanying value (such as Boston, VP status or higher, or account balance greater than $1,000) and attaching them to a resource or application. For example, a customer with an account balance of $100,000 will be granted access to a Silver Member section of a web site, whereas a customer with an account balance of $10,000 will be denied access to this section. In a situation where both entitlements and Smart Rules are employed, entitlements always take precedence. The system supports three types of conditional Smart Rules, Deny, Allow and Require, and processes them in that order. Require means that multiple conditions apply: once one is satisfied, the system automatically checks the next one in the series. By default, the system denies access when policy conflicts occur.

For example, a URI could be associated with these two Smart Rules: Allow if State=CA, Deny if Age<21. An 18-year-old user from California will be denied access because of his or her age; since Deny rules are processed before Allow rules, the State property is never evaluated. A 22-year-old from Oregon passes the Deny rule, but the Allow condition (State=CA) is not met and there is no Require rule that would grant access; because the system denies access when policy conflicts occur, access is denied.

Transactional Smart Rules.
Transactional authorization involves the ability to fill in the values of an authorization decision with data from a variety of sources: request parameters, external databases, customer-written code, user attributes, environmental factors, web services requests and so on. The idea is to simplify what could otherwise be a highly complex string of conditions. For example, instead of a rule such as "the requested charge is less than $1,000 if the user has a platinum card, or less than $500 if the user has a gold card, and the expiration date is prior to January 1, 2006", transactional authorization removes the literal values and is expressed instead as "the requested charge is less than the credit limit".

Role-based Access Control (RBAC). Role-based access control grants rights and permissions to roles rather than to individual users. Users acquire the rights and permissions by being assigned to appropriate roles. By grouping users in this way, RBAC can provide significant security management efficiencies. In implementing RBAC, an enterprise must first define all of the roles within the organization and the permissions attached to each role. Each role is a class of users who have similar access rights. Each individual is assigned to one or more roles and receives the rights associated with the assigned roles. The permissions not only allow or deny access to a particular web-based resource or application, but also delineate all of the possible activities the role could undertake once the user has obtained access, such as viewing, creating, editing, signing, releasing, amending, copying and archiving a file.
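The three authorization methods (entitlements, conditional and transactional Smart Rules, and RBAC) combined in one decision engine, as an added example rather than RSA ClearTrust code. It follows the evaluation order stated above: entitlements first, then Deny, Allow and Require rules, with a default of deny; a transactional rule is simply a rule whose test reads the request as well as the user record. The data model, the `may()` helper that requires both an access decision and a role permission, and the sample resources are assumptions; the sample rules reproduce the State=CA / Age<21 and credit-limit cases from the text.

```python
# Authorization decision engine: entitlements, conditional and transactional
# Smart Rules, and role-based permissions. Added example, not RSA ClearTrust code.
# Rule ordering follows the paper (entitlements first; Deny, Allow, Require; default deny);
# the data model, the separate role check and the sample principals are assumptions.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

ALLOW, DENY = "allow", "deny"


@dataclass
class User:
    name: str
    groups: Set[str] = field(default_factory=set)
    roles: Set[str] = field(default_factory=set)
    attrs: Dict[str, object] = field(default_factory=dict)   # State, Age, credit_limit, ...


@dataclass
class SmartRule:
    kind: str                                   # "deny", "allow" or "require"
    test: Callable[[User, dict], bool]          # conditional rules read only user.attrs;
                                                # transactional rules also read the request


@dataclass
class Resource:
    uri: str
    entitlements: Dict[str, str] = field(default_factory=dict)      # "user:alice" / "group:staff" -> allow|deny
    smart_rules: List[SmartRule] = field(default_factory=list)
    role_permissions: Dict[str, Set[str]] = field(default_factory=dict)  # role -> permitted actions


def _principals(user: User) -> List[str]:
    return [f"user:{user.name}"] + [f"group:{g}" for g in sorted(user.groups)]


def authorize(user: User, resource: Resource, request: dict = None) -> str:
    """Yes/no access decision for a resource: entitlements, then Smart Rules, default deny."""
    request = request or {}
    # 1. Entitlements are fixed and always take precedence over Smart Rules.
    for principal in _principals(user):
        if principal in resource.entitlements:
            return resource.entitlements[principal]
    # 2. Smart Rules, processed as Deny, then Allow, then Require.
    by_kind = {k: [r for r in resource.smart_rules if r.kind == k] for k in ("deny", "allow", "require")}
    if any(r.test(user, request) for r in by_kind["deny"]):
        return DENY
    if any(r.test(user, request) for r in by_kind["allow"]):
        return ALLOW
    if by_kind["require"] and all(r.test(user, request) for r in by_kind["require"]):
        return ALLOW
    # 3. Nothing granted access: policy conflicts resolve to deny.
    return DENY


def permitted_actions(user: User, resource: Resource) -> Set[str]:
    """RBAC: the union of actions granted to every role the user holds on this resource."""
    actions: Set[str] = set()
    for role in user.roles:
        actions |= resource.role_permissions.get(role, set())
    return actions


def may(user: User, resource: Resource, action: str, request: dict = None) -> bool:
    """Full check: the user must both reach the resource and hold a role allowing the action."""
    return authorize(user, resource, request) == ALLOW and action in permitted_actions(user, resource)


# --- Constructed sample policy mirroring the paper's examples ---
AGE_GATE = Resource(
    uri="/members",
    entitlements={"group:banned": DENY},
    smart_rules=[
        SmartRule("deny", lambda u, req: u.attrs.get("Age", 0) < 21),
        SmartRule("allow", lambda u, req: u.attrs.get("State") == "CA"),
    ],
)

# Transactional rule: values come from the request and the user record rather than literals.
CHARGE = Resource(
    uri="/charge",
    smart_rules=[SmartRule("require", lambda u, req: req.get("amount", 0) < u.attrs.get("credit_limit", 0))],
    role_permissions={"customer": {"view", "create"}, "auditor": {"view"}},
)
```

With `AGE_GATE`, an 18-year-old Californian is denied by the Deny rule before the State attribute is looked at, a 22-year-old Oregonian falls through every rule and is denied by default, and a member of the `banned` group is denied by entitlement even though the Allow rule would match. `CHARGE` shows the transactional form: the comparison is written once as request amount versus credit limit, and the role table then decides which actions an admitted user may perform.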

Administrators can also create hierarchical categories of subclasses within a role. For example, an intern might be a subclass of a general role, physician. A disability nurse case manager might be a subclass of a general role, case manager. RBAC enables enterprises to implement inheritance from subclasses to general classes of roles. In this way, if a change is made to the authorizations granted to all subclasses such as intern, attending and consultant, then all related general classes such as physician automatically receive that change as well.

Authorization Assertions

Just like the authentication and attribute assertions discussed earlier, authorization assertions are SAML-based messages. Agents that interface with the authorization system and the web server relay these messages back and forth. The web server, which is closest to the user, is known as the policy enforcement point (PEP). The PEP sends a message to the system, where the policy decision point (PDP) resides, that in effect says: "A user is trying to access a resource, please make a decision to allow or deny access." The PDP then makes the decision by checking the rules it uses to protect the resource against the subject, resource and action passed to it in the SAML authorization request, and returns the result to the PEP as an authorization decision assertion.

Single Sign-on (SSO)

Single sign-on (SSO) is a high-value benefit of most identity and access management solutions. With SSO, users can securely navigate across multiple applications, sites and domains, including partner and affiliate sites, by authenticating only once per session. SSO makes access to web-based resources in multiple domains more efficient and less frustrating for the end user, significantly improving the web experience and user productivity. This is especially beneficial when the user is a customer or a partner.
Equally important, by reducing reliance on multiple user names and passwords, which are hard to remember, SSO eliminates a weak link in your security strategy and reduces support costs related to password administration. Various technologies are employed to accomplish SSO. NEXUS interoperates with multiple forms of security, including SAML tokens, RSA SecurID tokens, passwords, digital certificates, Kerberos and others, to ensure authenticity. This information takes the form of trusted statements, called security assertions, about any user or application that has been assigned a digital identity. Other important emerging standards supported by NEXUS are Liberty Alliance, which provides for federated identities, thereby enabling subsequent applications to trust identities that have been authenticated previously in the same session, and Microsoft .NET Passport. RSA Security has played a leadership role in developing and shaping key standards and protocols for web services, including SAML, Liberty Alliance and WS-Security. RSA Security is working to bridge federated identities between Liberty Alliance and Microsoft .NET to enable seamless interoperability with .NET applications.

C. User Management Services

A key goal of NEXUS is to provide a common look and feel, a shared web interface and common administration capabilities across RSA Security products. The various aspects of common user management and administration are described below.

Centralized User Management

With centralized user management, administrators can add and edit users and groups that are recognized by all installed RSA Security products. NEXUS enables users and user attributes that are common to all RSA Security products (as well as product-specific attributes) to be managed via the common management interface.
The following list, while only a sampling, shows the range of user attributes common to all RSA Security products:

- First name and last name
- User identifier
- E-mail address
- Account enabled/disabled
- Start date and end date (for temporary users)
- Access time (time of day and days of the week that the user can authenticate)
- Number of consecutive bad login attempts allowed (before the user is locked out of the system)
- User administrative role (if assigned)

Rather than enter all this information and more for each user and each application, administrators are able to manage and share a single user profile across the full spectrum of installed applications (as well as RSA Security products installed at a later time, if and when an enterprise chooses to expand its identity and access management solution).

Consistent Administration GUI. A consistent, web-based graphical user interface (GUI) provides a single launching point for all RSA Security applications installed on the system, giving platform independence and zero footprint for the administrative client. The administrative user interface supports extensions that allow multiple installed RSA Security products to automatically share the common GUI.

Delegated Administration

Rather than require a single administrator to control all access functions for a system, RSA Security's delegated administration model enables divisions, departments and other entities to manage users and groups within their own domain. An administrative group is a collection of objects (including users, groups, servers, applications and properties) owned by a single administrative domain and managed by a dedicated administrator (who also is part of that group). An organization can create as many administrators as it requires, each of whom can create sub-administrators, as well as a super administrator who can view, add, edit or delete any object in the system, regardless of the administrative group that owns the object. Roles can also be assigned to administrators at a fine granularity at different levels in the hierarchy. Providing the ability to delegate administrative tasks is central to a scalable architecture. The delegated administration model allows administrators to manage users and groups from a single location across their authentication and access management infrastructure. Key benefits of this model include reduced administration costs, improved ease of use and increased security.

Self-service

Just as delegated administration provides efficiencies by enabling a network of administrators to manage finite domains within an enterprise's implementation, user self-service helps to reduce some of the burdens on administrators and IT staff by empowering users to perform a limited range of tasks by themselves.
Some of these activities include: requesting access to enterprise applications; account creation for RSA Security products such as the RSA SecurID, RSA ClearTrust and RSA Keon solutions; accessing and making changes to their profiles (such as updating an address or phone number); changing their own passwords or RSA SecurID PINs; lost smart card recovery; and accessing online help. Users would not be able to add, view, edit or delete information outside of their own user records, because the system would control and limit their ability to access that information based on their role and the privileges assigned to that role (see Role-based Access Control in the Access Authority Services section).

Workflow

NEXUS also includes an account and credential creation workflow system that reduces administrative costs by automating the credential deployment process, traditionally a time-intensive burden on administrators. Instead of requiring IT staff to contact resource owners and employee managers, the workflow technology distributes the request, either automatically or through designated levels of approval, to securely grant access and ensure fast, cost-effective rollout of authentication credentials. Approval workflow allows approvers to review pending request lists, review pending request detail and approve or deny requests. It also allows administrators to set up configurations for workflow approvals (an approval chain with escalation chains, or automatic approval with no approver) and to set up e-mail templates for communication with end users and approvers. Support for escalations, multiple approvers, notifications and more enables sophisticated workflow that maps to an enterprise's own business processes.

Provisioning

Provisioning refers to deploying digital identities and access rights based on business policies for employees, business partners and customers across multiple applications and resources.
This must be done accurately and securely at the outset in order to reduce problems down the line. Automatically assigning, maintaining and revoking these identities and rights should be a centralized function. NEXUS includes automated provisioning capabilities for all RSA Security components of the system, including RSA ClearTrust software, RSA SecurID tokens, passwords, RSA Mobile access codes and RSA SecurID Passage smart card solutions. Provisioning is also extended to RSA Keon digital certificate management technology for full life cycle credential management, including issuance, validation and revocation of X.509 credentials. Identities managed within NEXUS can also be provisioned to non-RSA Security applications through RSA Secured Partner solutions, such as the Thor Technologies Xellerate secure enterprise provisioning product, which is tightly integrated with NEXUS.

D. Network and Application Integration Services

To be truly comprehensive, NEXUS must integrate the functions of trusted identity and access management with an organization's existing and future enterprise technologies and infrastructure. Enterprises want to leverage and protect their investments in solutions ranging from VPN, CRM and HR application servers to supply chain management systems linked to portals, web

10 servers and other network and back-office systems. NEXUS is designed to effectively integrate heterogeneous enterprise systems with the security technologies that keep them safe. Developer Toolkits RSA BSAFE software is embedded in more than one billion products, including web browsers, enterprise software, wireless devices, commerce servers, systems and VPN products. Built to provide implementations of standards such as SSL, S/MIME, WTLS, IPSec PKCS, WS-Security, XML and SOAP, RSA BSAFE toolkits can save developers time and risk in their development activities, and give them the strong security that comes only from a decade of proven, robust performance. Stringent testing by RSA Security ensures that all RSA BSAFE software implementations are interoperable. NEXUS is built using the RSA BSAFE tools to implement security and industry standards. This permits other standards-based applications to interoperate with NEXUS, allowing enterprises to extend their investment in existing and future IT infrastructure. Application Programming Interfaces RSA Security has developed a robust set of application programming interfaces (APIs) that enable enterprises to quickly and easily develop custom applications that provide the integrated functionality they need for their heterogeneous environment. 
There are currently five sets of API libraries, which leverage popular programming languages and can be written in C, Java and DCOM:
Administrative APIs, which allow developers to create applications to manage users, resources and entitlements
Runtime APIs, which can be used to develop applications that communicate directly with the system's authorization servers
Web server extension APIs, which extend the functionality of web server agents during authentication and authorization processing
OS-level APIs, for developing custom authentication modules for Windows and UNIX applications
Pre- and post-processing hook APIs, which enable developers to trigger functions either before or after a specified event

Data Abstraction Layer (DAL)

NEXUS uses industry-standard design patterns to implement access to data stored in a repository. NEXUS is configurable to allow access to data from multiple types of repositories, including directories, relational databases and others, through its data abstraction layer (DAL). Native connections to the data repositories are supported through the use of industry standards such as LDAP and SQL. While RSA Security has a broad range of expertise in developing and unifying the various elements of NEXUS, the company relies exclusively on its large network of RSA Secured technology partners for the data store component of the solution. All user and group information entered in the system is maintained in an LDAP data store or a Java Database Connectivity (JDBC)-compliant database. We leverage our close relationships with trusted third-party providers of directory services and storage products to ensure interoperability with the framework's data storage subsystem, which provides standards-based schema and mapping for LDAP and relational database storage. By supporting multiple types of data repositories, RSA Security's solution has the flexibility to offer organizations the ability to leverage their existing investment in directory server and database technology.

Web Agents

NEXUS integrates with web servers and web application servers through the use of web agents. Web agents enforce security policies configured into the system by bundling the details of an authentication or information request, taking it to the server on which the relevant policy resides and then delivering the deny or approve response back to the application from which the request was initiated. Common web agents for all security and enterprise applications are provided, so enterprises only have to deploy a single filter on their servers. Enterprises are then able to utilize that infrastructure with whichever RSA Security authentication or authorization tools they need, when they need them. RSA Security web agents are currently being developed for each specific target environment. They utilize standards where appropriate (e.g. J2EE, Microsoft .NET) and take full advantage of the native services offered by the target platform for maximum efficiency and interoperability.

Non-Web Agents

While more and more enterprise systems are now web-based, the predominance of virtual private networks (VPNs) and the need to secure routers, firewalls and operating systems such as Microsoft Windows and UNIX mean that the non-web environment remains a highly critical area for e-security solutions. Furthermore, some enterprises, such as those in the financial industry, may require more proprietary systems, while others prefer to develop their own homegrown enterprise applications. Either way, companies need the same secure-yet-convenient access for their non-web resources as they do for web-based systems, especially in instances where users require remote access. RSA Security's approach to this need will be two-fold: offering OS-level agents for non-web resources, and working with RSA Secured partners to develop APIs for third-party products such as VPNs. These solutions will enable users to employ the same credential and password to access multiple non-web resources, what we call a consistent sign-on experience.

Web Services

Web services, which can be defined broadly and simply as application-to-application transactions, are an important aspect of the total solution. The requirements of federated identity, the proliferation of XML-based standards and protocols and the need for interoperable credentials and policies that cross application, division and corporate boundaries are at the heart of NEXUS. Even though web services involve application-driven interactions, as opposed to human-driven ones, trusted application identities are still required. The system secures web services by enabling distributed management of authentication and authorization within a heterogeneous environment. With web services, there are two security-related foci: protecting the application being used as a web service and protecting the web service transactions themselves. There are numerous ways to do this. In the first instance, protecting the application, the framework would deploy RSA Security's leading authorization technology, the RSA ClearTrust solution, which limits resource and application access to properly authenticated and authorized identities that have been granted appropriate rights.
Web services security is supported by RSA ClearTrust software through implementation of the WS-Security standard. To protect the transactions, WS-Security and SAML are used to ensure that Simple Object Access Protocol (SOAP) messages are not tampered with. SOAP is the messaging protocol that allows web service applications to talk to each other. SAML is an XML-based language that enables web services to exchange information relating to authentication and authorization.

Microsoft .NET

RSA Security understands the central role that Microsoft technology plays in most large enterprises. Through extensive agent support and application integration, our solutions interoperate with key Microsoft products including the Windows 2003 operating system, the Internet Information Services (IIS) web server and Active Directory. This makes it easy for an enterprise to add RSA Security products to its Microsoft assets as part of a unified enterprise solution for identity and access management. Microsoft's commitment to web services is embodied in the Microsoft .NET product line. Microsoft .NET offers extensive security capabilities that can be leveraged by developers and security vendors to provide enterprises with the levels of trust and assurance that web services demand. Capitalizing on these capabilities, NEXUS enables enterprises to implement unified, scalable identity management solutions that span .NET technologies, non-Microsoft web services technologies and traditional infrastructures. RSA Security works closely with Microsoft to ensure interoperability between NEXUS and the new generation of .NET products. That collaboration extends across three of the four major components of the .NET platform: web services, .NET servers and the .NET development environment. For example, NEXUS secures web services by accepting Microsoft Passport authentication statements and serving as a web services authorization engine. NEXUS will also offer deep integration with Windows .NET servers (including key data servers, connectivity servers and business application servers) and Microsoft web servers and business applications. In addition, RSA Security will offer fully integrated .NET developer support so that XML web services and .NET applications can leverage the RSA Security solution. Functionality includes support for Visual C# .NET, the WS-Security specification and ASP.NET and J2EE session management interoperability.

Partner Product Interoperability

Partnering and product interoperability are critical to our ability to provide a complete solution. RSA Security has a long and successful history of partnering with industry leaders and innovators. Ours is the most mature, oldest and largest technology partner program of its type. We leverage that partnering expertise with NEXUS to ensure that every need is addressed. Providing these capabilities requires strong partnerships with enterprise vendors and close relationships with customers, both of which are hallmarks of RSA Security. Through the RSA Secured technology partner program, we conduct extensive testing and certification to ensure that third-party systems are interoperable with RSA Security technologies, and we make implementation guides publicly available to enable faster deployment of an enterprise's solution. Aside from the stringent interoperability testing and certification process, a key differentiator of the RSA Secured technology partner program is our contractual insistence on providing mutual customer support. If technical assistance is ever required, enterprises will always have someone to call.

E. Identity Management System Services

NEXUS is built upon a common framework composed of Java-based building blocks that provide many of the tools and functionality needed for a comprehensive and interoperable authentication and authorization system. This common framework eliminates the need to install and manage separate infrastructures for each RSA Security product. Rather, all products tie into and operate from a common set of functions and capabilities. A description of these functions and capabilities follows.

Availability, Performance and Scalability

Clustering and data replication, which ensure availability by eliminating single points of failure, and load balancing are intended to be handled by the underlying application server. However, NEXUS subsystems can be deployed in a cluster, ensuring that NEXUS services are seamlessly and continuously available. NEXUS conforms strictly to the J2EE standards and can be deployed in various commercial application server environments. While clusters are implemented in local area networks (LANs), data replication allows systems geographically distributed across wide area networks (WANs) to be secured and managed by NEXUS.
Local clusters act on distributed, replicated data, providing high availability for mission-critical applications. This system offers high performance and scalability to address the current and future needs of complex, heterogeneous environments.

NEXUS Component Security

Creating a truly secure identity and access management system requires more than just protecting application servers. The communication between the various components must be secure, and sensitive information stored in the file system must also be protected. Inter-component security protects information as it is passed between NEXUS components and RSA Security applications. NEXUS is designed to allow enterprises to configure different inter-component security methods between the various components. These include shared secret (or symmetric) encryption, anonymous SSL and mutually authenticated SSL.

Shared Secret Encryption. Shared secret (or symmetric) encryption is used to protect the sensitive information in the NEXUS single sign-on (SSO) cookie. Shared secret encryption is required if you are using SSO, and it is always enabled, regardless of whether or not SSL is used. The SSO cookie is always encrypted when passed over the network. To ensure that the SSO cookie can only be encoded and decoded by trusted NEXUS components, each application server agent and access authority service provider must have a valid key generated by NEXUS. This key must be presented to the NEXUS key server before the client can obtain the current encryption/decryption key for the cookie.

Anonymous SSL. All data exchanged between NEXUS components can also be encrypted using Secure Sockets Layer (SSL) encryption technology. Before transmission over the network, the data is encrypted using anonymous SSL. Anonymous SSL means that neither the client nor the server is required to present a certificate in order to authenticate itself. The particular SSL modes vary from one component to another, but 128-bit encryption is always used for messages sent across the network. Because no certificate is presented, anonymous SSL protects the data in transit from eavesdropping but does not let either side verify which component it is talking to; that assurance comes from the authenticated mode described next.

Authenticated SSL. Communications between NEXUS components can be secured using authenticated SSL. In this mode, each NEXUS component must present its digital certificate when contacting another component, allowing that component to verify the other's identity. To activate SSL communications, the various agents must be configured within the system to use authenticated SSL, and each component must have access to the key store containing both its certificate and the trusted Certificate Authority's (CA) certificate.

Operating System Security

Authentication credentials (passwords, tokens, certificates, etc.) stored in the system must be protected, and file permissions on the NEXUS directory tree should be very tightly controlled. Administrators should only grant access to the few individuals or groups that absolutely need it; otherwise, administrators alone should have access to the configuration files.

User Passwords. Passwords are among the several forms of authentication that NEXUS users may utilize. In order to reduce the likelihood of password theft, all passwords stored in NEXUS data stores are hashed, meaning that they are converted into strings of seemingly random characters. Given such a hash, there is no way to retrieve the original human-readable password.

SSO Cookie Security. The SSO cookie can be protected on the client in the following ways:
NEXUS can be configured to treat the cookie as a session cookie (rather than as a persistent cookie). This way, the cookie is stored in browser memory only, rather than on disk. This helps prevent intruders from retrieving a cookie from a user's computer for later use.
NEXUS application server agents can be configured to check the source of each incoming cookie. To allow this, the cookie is labeled with the IP address of the machine (where the user's browser is running) for which the cookie was created. Each time the user's cookie is used to request another resource, the agent will check that the request originated at the IP address for which that cookie is valid. This means that only the requesting client machine can use the cookie created for that client.
NEXUS software can enforce validity periods for cookies. With this feature, each cookie becomes unusable after a determined period of inactivity. For example, this is helpful when a user logs into a NEXUS-protected resource and then leaves his or her computer. By setting a short expiration period, administrators can minimize the window of time during which another person could assume the existing session.
The cookie has a maximum lifetime that forces a reauthentication when the time threshold is exceeded. Administrators can set the maximum lifetime for a user's session.
The time-out settings, both for maximum lifetime and inactivity, are set on a per web server basis.
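The shared-secret protection of the SSO cookie and the client-side checks listed above, as an added Python example that is not code from the paper or from RSA Security: an agent-side validator that binds the cookie to the client IP, enforces an inactivity window and a maximum lifetime, and emits it as a session cookie with no expiry date. The key value, the cookie name NEXUS_SSO, the time-out values, and the use of an HMAC as the integrity check in place of the paper's symmetric encryption are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample key. In the paper, each agent obtains the current cookie key
# from the NEXUS key server after presenting its own NEXUS-generated key.
SHARED_KEY = b"constructed-demo-shared-secret"

# Per-web-server time-out settings (assumed values, in seconds).
INACTIVITY_LIMIT = 15 * 60        # cookie unusable after this much inactivity
MAX_LIFETIME = 8 * 60 * 60        # forces reauthentication when exceeded


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _seal(payload: dict, key: bytes) -> str:
    """Serialise the payload and append an HMAC tag keyed by the shared secret.
    (Stand-in for the paper's shared-secret encryption: integrity, not secrecy.)"""
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def issue_cookie(user: str, client_ip: str, now: float, key: bytes = SHARED_KEY) -> str:
    """Create an SSO cookie labeled with the client IP, issue time and last-activity time."""
    payload = {"sub": user, "ip": client_ip, "iat": int(now), "last": int(now)}
    return _seal(payload, key)


def validate_cookie(cookie: str, request_ip: str, now: float, key: bytes = SHARED_KEY):
    """Agent-side check of an incoming cookie.

    Returns (ok, reason, refreshed_cookie). On success the inactivity window is
    slid forward and a refreshed cookie is returned for the agent to re-issue."""
    try:
        body, tag = cookie.split(".", 1)
    except ValueError:
        return False, "malformed", None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False, "bad_signature", None          # forged, tampered or wrong key
    payload = json.loads(_unb64(body))
    if payload["ip"] != request_ip:
        return False, "ip_mismatch", None            # only the issuing client may use it
    if now - payload["iat"] > MAX_LIFETIME:
        return False, "max_lifetime_exceeded", None  # user must reauthenticate
    if now - payload["last"] > INACTIVITY_LIMIT:
        return False, "inactive_timeout", None       # idle too long
    payload["last"] = int(now)
    return True, "ok", _seal(payload, key)


def session_cookie_header(cookie: str) -> str:
    """Set-Cookie value for a session cookie: no Expires/Max-Age, so the browser keeps
    it in memory only; Secure and HttpOnly limit exposure on the client."""
    return f"NEXUS_SSO={cookie}; Path=/; Secure; HttpOnly"


if __name__ == "__main__":
    t0 = 1_000_000.0
    c = issue_cookie("alice", "10.0.0.5", t0)
    print(validate_cookie(c, "10.0.0.5", t0 + 60)[:2])       # (True, 'ok')
    print(validate_cookie(c, "10.0.0.9", t0 + 60)[:2])       # (False, 'ip_mismatch')
    print(validate_cookie(c, "10.0.0.5", t0 + 3600)[:2])     # (False, 'inactive_timeout')
```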
In addition, application servers can also be configured to run with SSL encryption turned on, so that cookies are encrypted (along with all other communications) between the web browser and the application server.

Centralized Configuration

Centralized configuration enables administrators to manage the various components in NEXUS, particularly the web agents and application server agents that contain configuration files, from a single location. Rather than manually editing these files using a text editor, administrators are able to use a centralized utility to easily manage configuration files throughout the system. With NEXUS, configuration information is centrally managed and accessible through the administration GUI and APIs.

System Monitoring

NEXUS provides a standard interface to support monitoring requirements via the Simple Network Management Protocol (SNMP) and can function as an SNMP agent. The SNMP agent runs as a service that responds to requests from third-party SNMP managers and sends SNMP trap notifications to SNMP managers for reporting and notification. The agent provides the following capabilities:
Accesses runtime information to monitor attributes available on NEXUS
Accesses NEXUS domain configuration information
Subscribes to notifications generated by NEXUS for monitoring or logging events
Supports configurable, log-based, enterprise-specific SNMP trap notifications

In the SNMP management framework, a resource is said to be manageable if SNMP requests can obtain information about the values of its attributes, or can modify the values of such attributes. SNMP management software calls manageable attributes objects and arranges them in a hierarchy of information known as a Management Information Base (MIB). Each object in the MIB has an object identifier (OID), which the manager uses to request the object's value from the agent.

Logging and Auditing

Logging and auditing capabilities enhance an enterprise's security by providing the records required to review and meet security policy and compliance requirements. The NEXUS logging subsystem implements a framework for the centralized creation, storage and life cycle management of logs. Audit logs are used by administrators to maintain records of system activity, and are used to monitor administrative operations, application service fulfillment and significant error conditions. All system events are logged to a central logging repository for secure storage and easy retrieval. The logging repository is configurable and can be one of many formats: a flat file, the Microsoft Windows NT event log or UNIX syslog. In addition, a tamper-proof secure log is kept, in which audit events are signed and time-stamped. Administrators can specify a log file name, set message priority (Informational, Warning, Error or Fatal), select which critical events are to be logged and perform other management and archival actions.
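An added illustration in Python (not code from the paper or from RSA Security) of the two mechanisms this section describes: routing events of different priorities to different destinations, and a signed, time-stamped audit log whose entries are chained so that alteration, reordering or truncation of the record is detectable. The signing key, the sink names and the hash-chaining scheme are assumptions of this example.

```python
import hashlib
import hmac
import json
import time

# The four message priorities named in the paper, in increasing severity.
PRIORITIES = {"Informational": 10, "Warning": 20, "Error": 30, "Fatal": 40}

# Constructed signing key for the tamper-evident audit log (assumed; a real deployment
# would hold this in a protected key store, not in source).
AUDIT_KEY = b"constructed-audit-signing-key"
CHAIN_START = "0" * 64


class LogRouter:
    """Routes each event to the sinks configured for its priority and appends a
    signed, time-stamped entry to a hash-chained audit log."""

    def __init__(self, key: bytes = AUDIT_KEY):
        self.key = key
        self.destinations = {}                                   # priority -> [sink names]
        self.sinks = {"flat_file": [], "nt_event_log": [], "console": []}  # in-memory stand-ins
        self.audit = []                                          # signed audit entries
        self._prev = CHAIN_START                                 # signature of the last entry

    def route(self, priority: str, *sink_names: str) -> None:
        """Administrator setting: e.g. Warning -> flat_file, Error -> nt_event_log + console."""
        if priority not in PRIORITIES:
            raise ValueError(f"unknown priority {priority!r}")
        self.destinations[priority] = list(sink_names)

    def _sign(self, entry: dict) -> str:
        fields = {k: entry[k] for k in ("seq", "ts", "priority", "message", "prev")}
        canon = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self.key, canon, hashlib.sha256).hexdigest()

    def log(self, priority: str, message: str, ts=None) -> dict:
        if priority not in PRIORITIES:
            raise ValueError(f"unknown priority {priority!r}")
        ts = int(time.time()) if ts is None else ts
        line = f"{ts} [{priority}] {message}"
        for sink in self.destinations.get(priority, []):
            self.sinks[sink].append(line)
        # Every event also goes to the audit log, chained to the previous entry's signature.
        entry = {"seq": len(self.audit), "ts": ts, "priority": priority,
                 "message": message, "prev": self._prev}
        entry["sig"] = self._sign(entry)
        self.audit.append(entry)
        self._prev = entry["sig"]
        return entry

    def head(self) -> str:
        """Signature of the newest entry; keep a copy out-of-band to detect truncation."""
        return self._prev

    def verify(self, audit=None, expected_head=None):
        """Check a (possibly exported) audit log. Returns (ok, index_of_first_bad_entry).
        Detects altered, reordered or removed entries; with expected_head it also
        detects entries dropped from the end of the log."""
        audit = self.audit if audit is None else audit
        prev = CHAIN_START
        for i, entry in enumerate(audit):
            if entry["seq"] != i or entry["prev"] != prev:
                return False, i
            if not hmac.compare_digest(entry["sig"], self._sign(entry)):
                return False, i
            prev = entry["sig"]
        if expected_head is not None and prev != expected_head:
            return False, len(audit)
        return True, None


if __name__ == "__main__":
    r = LogRouter()
    r.route("Warning", "flat_file")
    r.route("Error", "nt_event_log", "console")
    r.log("Warning", "SSO cookie rejected: ip_mismatch", ts=1)   # constructed sample event
    r.log("Error", "agent key rejected by key server", ts=2)     # constructed sample event
    print(r.sinks["nt_event_log"], r.verify())
```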
Furthermore, administrators can control how events of different priorities are to be logged. For example, events with the priority of Warning or Informational can be logged to a flat file, while events with the priority of Error can be logged to the Windows NT event log or to the administrator's console.

Reporting

As the basis for centralized administration and management of user activity, business rules and security policy, NEXUS has the ability to gather, store and protect a wide range of critical information. The system provides centralized logs across all RSA Security solutions to provide one view of complete identity and access management activity. In addition to these logs, NEXUS provides a set of standard reports to document activity. The logs can also be tied into robust third-party reporting tools already in use by enterprises in order to customize the reports in a familiar manner.

IV. CONCLUSION: THE WAY AHEAD

NEXUS is a unified approach by which RSA Security's industry-leading authentication and authorization technologies can be easily implemented and commonly managed. Providing a complete set of solutions and functionality enables organizations to easily and cost-effectively expand their e-security capabilities as their needs grow, without burdening their network capacities by having to install multiple silo applications. Administration for the full breadth of security technologies purchased is easier to learn and to operationalize, and enterprises have the robust security they need to be more productive, competitive and successful. RSA Security is the only company with the combined experience, expertise and existing technologies needed to conceive, develop and bring to market such an expansive, complete solution in a reasonable time frame.
Our reputation for quality, our history as innovators and our commitment to our customers drive our efforts forward and have resulted in a visionary and revolutionary solution for enterprise e-security: NEXUS, RSA Security's Identity Management System.

ABOUT RSA SECURITY

RSA Security helps organizations protect private information and manage the identities of people and applications accessing and exchanging that information. RSA Security's solutions, including identity & access management, secure mobile & remote access, secure enterprise access, secure transactions and consumer identity protection, are all designed to provide the most seamless e-security experience in the market. RSA Security's strong reputation is built on a history of ingenuity, leadership, proven technologies and more than 15,000 customers around the globe. Together with more than 1,000 technology and integration partners, RSA Security inspires confidence in everyone to experience the power and promise of the Internet. For more information, please visit

APPENDIX: GLOSSARY

Assertion: A SAML-based message that provides a real-time, session-limited credential.
CSF: Common Server Framework; implemented in Java using J2EE architecture and the BEA WebLogic application server as the container for the J2EE environment.
Credential: Any authentication tool that establishes identity and provides access, such as a password, token, smart card or digital certificate.
Delegated administration: ...providing the ability to delegate administrative tasks is central to an architecture that provides scalability, which is required to support enterprise-class and B2B environments.
Entitlement: A basic permission that always takes precedence over a Smart Rule. (see Smart Rules)
Failover: The automatic substitution of a functionally equivalent system component for a failed one.
Federated identity: An authenticated identity that is accepted at numerous member applications that have agreed to trust identities authenticated by any one member in a single session. (see Liberty Alliance and Microsoft .NET)
J2EE: Java 2 Enterprise Edition (Sun) application server.
LDAP: Lightweight Directory Access Protocol.
Liberty Alliance: A standard that provides a set of extensions to SAML for federated identity and session management.
Microsoft .NET: Microsoft application server platform, which provides a form of federated identity.
OASIS: Organization for the Advancement of Structured Information Standards.
RBAC: Role-Based Access Control; includes principal, permission, role, rule and resource. Instead of assigning basic entitlements to individuals, all users belong to groups; privileges are connected to roles or groups.
SAML: Security Assertions Markup Language.
Smart Rules: Conditional entitlements, which take three forms: Deny, Allow and Require. (see Entitlement)
SOAP: Simple Object Access Protocol; how parties exchange XML documents over HTTP.
SSO: Single sign-on, where a user needs only to log on one time in order to access numerous applications and resources.
WS-Security: Web Services Security.
XML: Extensible Markup Language.
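The Entitlement, RBAC and Smart Rules definitions above, worked as an added Python example that is not code from the paper or from RSA Security: an entitlement held by the user or by one of the user's roles is honoured before any Smart Rule is consulted, and only then are the Deny, Allow and Require forms evaluated against the user's attributes. The evaluation order among the three rule forms, the sample payroll resource and the attribute names are assumptions of this example; the glossary does not state them.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

# A Smart Rule condition is evaluated against the principal's attribute map.
Condition = Callable[[Dict[str, object]], bool]


@dataclass
class SmartRule:
    kind: str               # "Deny", "Allow" or "Require": the three forms in the glossary
    condition: Condition
    name: str = ""


@dataclass
class Resource:
    name: str
    entitlements: Set[str] = field(default_factory=set)   # users or roles granted a basic permission
    smart_rules: List[SmartRule] = field(default_factory=list)


@dataclass
class Principal:
    user: str
    roles: Set[str]                 # RBAC: privileges attach to roles/groups, not individuals
    attributes: Dict[str, object]


def authorize(principal: Principal, resource: Resource) -> Tuple[str, str]:
    """Return (decision, reason) for a principal requesting a resource."""
    # 1. A basic entitlement always takes precedence over a Smart Rule (glossary).
    names = {principal.user} | principal.roles
    granted = names & resource.entitlements
    if granted:
        return "Allow", f"entitlement:{sorted(granted)[0]}"

    # 2. Smart Rules. Assumed order (not stated on the page): any matching Deny rule
    #    denies; every Require rule must hold; any matching Allow rule grants;
    #    otherwise the request is denied by default.
    attrs = principal.attributes
    for rule in resource.smart_rules:
        if rule.kind == "Deny" and rule.condition(attrs):
            return "Deny", f"deny_rule:{rule.name}"
    for rule in resource.smart_rules:
        if rule.kind == "Require" and not rule.condition(attrs):
            return "Deny", f"require_rule_failed:{rule.name}"
    for rule in resource.smart_rules:
        if rule.kind == "Allow" and rule.condition(attrs):
            return "Allow", f"allow_rule:{rule.name}"
    return "Deny", "default"


def build_sample_resource() -> Resource:
    """Constructed sample: a payroll application with one entitlement and three Smart Rules."""
    return Resource(
        name="payroll",
        entitlements={"hr-admins"},
        smart_rules=[
            SmartRule("Deny", lambda a: a.get("employment_status") != "active", "terminated"),
            SmartRule("Require", lambda a: a.get("auth_method") in {"securid", "certificate"},
                      "strong-auth"),
            SmartRule("Allow", lambda a: a.get("department") == "finance", "finance-department"),
        ],
    )


if __name__ == "__main__":
    payroll = build_sample_resource()
    # Entitled role wins even though the Require rule (strong auth) would fail.
    hr = Principal("bob", {"hr-admins"},
                   {"employment_status": "active", "auth_method": "password", "department": "hr"})
    print(authorize(hr, payroll))        # ('Allow', 'entitlement:hr-admins')
    fin = Principal("carol", {"staff"},
                    {"employment_status": "active", "auth_method": "securid", "department": "finance"})
    print(authorize(fin, payroll))       # ('Allow', 'allow_rule:finance-department')
```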

BSAFE, ClearTrust, Keon, RSA, RSA Security, RSA Secured, Smart Rules, SecurID and Confidence Inspired are registered trademarks or trademarks of in the U.S. and/or other countries. All other products and services mentioned herein are the trademarks of their respective owners. All rights reserved. NEXUS WP 0903

More information

CA Performance Center

CA Performance Center CA Performance Center Single Sign-On User Guide 2.4 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation ) is

More information

Introduction to SAML

Introduction to SAML Introduction to THE LEADER IN API AND CLOUD GATEWAY TECHNOLOGY Introduction to Introduction In today s world of rapidly expanding and growing software development; organizations, enterprises and governments

More information

nexus Hybrid Access Gateway

nexus Hybrid Access Gateway Product Sheet nexus Hybrid Access Gateway nexus Hybrid Access Gateway nexus Hybrid Access Gateway uses the inherent simplicity of virtual appliances to create matchless security, even beyond the boundaries

More information

OpenHRE Security Architecture. (DRAFT v0.5)

OpenHRE Security Architecture. (DRAFT v0.5) OpenHRE Security Architecture (DRAFT v0.5) Table of Contents Introduction -----------------------------------------------------------------------------------------------------------------------2 Assumptions----------------------------------------------------------------------------------------------------------------------2

More information

FileCloud Security FAQ

FileCloud Security FAQ is currently used by many large organizations including banks, health care organizations, educational institutions and government agencies. Thousands of organizations rely on File- Cloud for their file

More information

Cisco Application Networking Manager Version 2.0

Cisco Application Networking Manager Version 2.0 Cisco Application Networking Manager Version 2.0 Cisco Application Networking Manager (ANM) software enables centralized configuration, operations, and monitoring of Cisco data center networking equipment

More information

Symantec Enterprise Vault.cloud Overview

Symantec Enterprise Vault.cloud Overview Fact Sheet: Archiving and ediscovery Introduction The data explosion that has burdened corporations and governments across the globe for the past decade has become increasingly expensive and difficult

More information

RSA Authentication Manager 7.1 Basic Exercises

RSA Authentication Manager 7.1 Basic Exercises RSA Authentication Manager 7.1 Basic Exercises Contact Information Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com Trademarks RSA and the RSA logo

More information

Extranet Access Management Web Access Control for New Business Services

Extranet Access Management Web Access Control for New Business Services Extranet Access Management Web Access Control for New Business Services An Evidian White Paper Increase your revenue and the ROI for your Web portals Summary Increase Revenue Secure Web Access Control

More information

CS 356 Lecture 28 Internet Authentication. Spring 2013

CS 356 Lecture 28 Internet Authentication. Spring 2013 CS 356 Lecture 28 Internet Authentication Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists

More information

CA Single Sign-On r12.x (CA SiteMinder) Implementation Proven Professional Exam

CA Single Sign-On r12.x (CA SiteMinder) Implementation Proven Professional Exam CA Single Sign-On r12.x (CA SiteMinder) Implementation Proven Professional Exam (CAT-140) Version 1.4 - PROPRIETARY AND CONFIDENTIAL INFORMATION - These educational materials (hereinafter referred to as

More information

DEPLOYMENT GUIDE Version 1.2. Deploying F5 with Oracle E-Business Suite 12

DEPLOYMENT GUIDE Version 1.2. Deploying F5 with Oracle E-Business Suite 12 DEPLOYMENT GUIDE Version 1.2 Deploying F5 with Oracle E-Business Suite 12 Table of Contents Table of Contents Introducing the BIG-IP LTM Oracle E-Business Suite 12 configuration Prerequisites and configuration

More information

Data Collection and Analysis: Get End-to-End Security with Cisco Connected Analytics for Network Deployment

Data Collection and Analysis: Get End-to-End Security with Cisco Connected Analytics for Network Deployment White Paper Data Collection and Analysis: Get End-to-End Security with Cisco Connected Analytics for Network Deployment Cisco Connected Analytics for Network Deployment (CAND) is Cisco hosted, subscription-based

More information

Cybersecurity and Secure Authentication with SAP Single Sign-On

Cybersecurity and Secure Authentication with SAP Single Sign-On Solution in Detail SAP NetWeaver SAP Single Sign-On Cybersecurity and Secure Authentication with SAP Single Sign-On Table of Contents 3 Quick Facts 4 Remember One Password Only 6 Log In Once to Handle

More information

Leveraging SAML for Federated Single Sign-on:

Leveraging SAML for Federated Single Sign-on: Leveraging SAML for Federated Single Sign-on: Seamless Integration with Web-based Applications whether cloudbased, private, on-premise, or behind a firewall Single Sign-on Layer v.3.2-006 PistolStar, Inc.

More information

Ensuring the security of your mobile business intelligence

Ensuring the security of your mobile business intelligence IBM Software Business Analytics Cognos Business Intelligence Ensuring the security of your mobile business intelligence 2 Ensuring the security of your mobile business intelligence Contents 2 Executive

More information

Securing Physician and Patient Portals for HIPAA Compliance

Securing Physician and Patient Portals for HIPAA Compliance Securing Physician and Patient Portals for HIPAA Compliance HIPAA Summit VIII Session 2.04 1:00 2:00 pm March 8 1 Agenda Identity and Access Management Technology and HIPAA Requirements Bob Tahmaseb, Principal

More information

Open Directory. Apple s standards-based directory and network authentication services architecture. Features

Open Directory. Apple s standards-based directory and network authentication services architecture. Features Open Directory Apple s standards-based directory and network authentication services architecture. Features Scalable LDAP directory server OpenLDAP for providing standards-based access to centralized data

More information

The Primer: Nuts and Bolts of Federated Identity Management

The Primer: Nuts and Bolts of Federated Identity Management The Primer: Nuts and Bolts of Federated Identity Management Executive Overview For any IT department, it is imperative to understand how your organization can securely manage and control users identities.

More information

Protecting Microsoft Internet Information Services Web Servers with ISA Server 2004

Protecting Microsoft Internet Information Services Web Servers with ISA Server 2004 Protecting Microsoft Internet Information Services Web Servers with ISA Server 2004 White Paper Published: June 2004 For the latest information, please see http://www.microsoft.com/isaserver/ Contents

More information

Security Overview Enterprise-Class Secure Mobile File Sharing

Security Overview Enterprise-Class Secure Mobile File Sharing Security Overview Enterprise-Class Secure Mobile File Sharing Accellion, Inc. 1 Overview 3 End to End Security 4 File Sharing Security Features 5 Storage 7 Encryption 8 Audit Trail 9 Accellion Public Cloud

More information

EMC Physical Security Enabled by RSA SecurID Two-Factor Authentication with Verint Nextiva Review and Control Center Clients

EMC Physical Security Enabled by RSA SecurID Two-Factor Authentication with Verint Nextiva Review and Control Center Clients EMC Physical Security Enabled by RSA SecurID Two-Factor Authentication with Verint Nextiva Review and Control Center Clients A Detailed Review EMC Information Infrastructure Solutions Abstract This white

More information

Enterprise Solution for Remote Desktop Services... 2. System Administration... 3. Server Management... 4. Server Management (Continued)...

Enterprise Solution for Remote Desktop Services... 2. System Administration... 3. Server Management... 4. Server Management (Continued)... CONTENTS Enterprise Solution for Remote Desktop Services... 2 System Administration... 3 Server Management... 4 Server Management (Continued)... 5 Application Management... 6 Application Management (Continued)...

More information

Chapter 10. Cloud Security Mechanisms

Chapter 10. Cloud Security Mechanisms Chapter 10. Cloud Security Mechanisms 10.1 Encryption 10.2 Hashing 10.3 Digital Signature 10.4 Public Key Infrastructure (PKI) 10.5 Identity and Access Management (IAM) 10.6 Single Sign-On (SSO) 10.7 Cloud-Based

More information

Case studies in Identity Management for Meeting HIPAA Privacy and Security Requirements

Case studies in Identity Management for Meeting HIPAA Privacy and Security Requirements Case studies in Identity Management for Meeting HIPAA Privacy and Security Requirements Agenda E-business trends in healthcare Challenges in Identity Management The Impact of HIPAA Privacy and Security

More information

W H IT E P A P E R. Salesforce CRM Security Audit Guide

W H IT E P A P E R. Salesforce CRM Security Audit Guide W HITEPAPER Salesforce CRM Security Audit Guide Contents Introduction...1 Background...1 Security and Compliance Related Settings...1 Password Settings... 2 Audit and Recommendation... 2 Session Settings...

More information

RSA Authentication Manager 8.1 Help Desk Administrator s Guide

RSA Authentication Manager 8.1 Help Desk Administrator s Guide RSA Authentication Manager 8.1 Help Desk Administrator s Guide Contact Information Go to the RSA corporate website for regional Customer Support telephone and fax numbers: www.emc.com/domains/rsa/index.htm

More information

Introduction to Directory Services

Introduction to Directory Services Introduction to Directory Services Overview This document explains how AirWatch integrates with your organization's existing directory service such as Active Directory, Lotus Domino and Novell e-directory

More information

FINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE

FINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE Purpose: This procedure identifies what is required to ensure the development of a secure application. Procedure: The five basic areas covered by this document include: Standards for Privacy and Security

More information

RSA Digital Certificate Solution

RSA Digital Certificate Solution RSA Digital Certificate Solution Create and strengthen layered security Trust is a vital component of modern computing, whether it is between users, devices or applications in today s organizations, strong

More information

Global Headquarters: 5 Speen Street Framingham, MA 01701 USA P.508.872.8200 F.508.935.4015 www.idc.com

Global Headquarters: 5 Speen Street Framingham, MA 01701 USA P.508.872.8200 F.508.935.4015 www.idc.com VENDOR PROFILE Passlogix and Enterprise Secure Single Sign-On: A Success Story Sally Hudson IDC OPINION Global Headquarters: 5 Speen Street Framingham, MA 01701 USA P.508.872.8200 F.508.935.4015 www.idc.com

More information

Tableau Server Security. Version 8.0

Tableau Server Security. Version 8.0 Version 8.0 Author: Marc Rueter Senior Director, Strategic Solutions, Tableau Software June 2013 p2 Today s enterprise class systems need to provide robust security in order to meet the varied and dynamic

More information

TFS ApplicationControl White Paper

TFS ApplicationControl White Paper White Paper Transparent, Encrypted Access to Networked Applications TFS Technology www.tfstech.com Table of Contents Overview 3 User Friendliness Saves Time 3 Enhanced Security Saves Worry 3 Software Componenets

More information

Introduction. Connection security

Introduction. Connection security SECURITY AND AUDITABILITY WITH SAGE ERP X3 Introduction An ERP contains usually a huge set of data concerning all the activities of a company or a group a company. As some of them are sensitive information

More information

Meeting the FDA s Requirements for Electronic Records and Electronic Signatures (21 CFR Part 11)

Meeting the FDA s Requirements for Electronic Records and Electronic Signatures (21 CFR Part 11) Meeting the FDA s Requirements for Electronic Records and Electronic Signatures (21 CFR Part 11) Executive Summary...3 Background...4 Internet Growth in the Pharmaceutical Industries...4 The Need for Security...4

More information

Axway Validation Authority Suite

Axway Validation Authority Suite Axway Validation Authority Suite PKI safeguards for secure applications Around the world, banks, healthcare organizations, governments, and defense agencies rely on public key infrastructures (PKIs) to

More information

Okta/Dropbox Active Directory Integration Guide

Okta/Dropbox Active Directory Integration Guide Okta/Dropbox Active Directory Integration Guide Okta Inc. 301 Brannan Street, 3rd Floor San Francisco CA, 94107 info@okta.com 1-888- 722-7871 1 Table of Contents 1 Okta Directory Integration Edition for

More information

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: 10.1.1. Security Note

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: 10.1.1. Security Note BlackBerry Enterprise Service 10 Secure Work Space for ios and Android Version: 10.1.1 Security Note Published: 2013-06-21 SWD-20130621110651069 Contents 1 About this guide...4 2 What is BlackBerry Enterprise

More information

WHITE PAPER. Smart Card Authentication for J2EE Applications Using Vintela SSO for Java (VSJ)

WHITE PAPER. Smart Card Authentication for J2EE Applications Using Vintela SSO for Java (VSJ) WHITE PAPER Smart Card Authentication for J2EE Applications Using Vintela SSO for Java (VSJ) SEPTEMBER 2004 Overview Password-based authentication is weak and smart cards offer a way to address this weakness,

More information

How To Secure Your Data Center From Hackers

How To Secure Your Data Center From Hackers Xerox DocuShare Private Cloud Service Security White Paper Table of Contents Overview 3 Adherence to Proven Security Practices 3 Highly Secure Data Centers 4 Three-Tier Architecture 4 Security Layers Safeguard

More information

AD CS. http://technet.microsoft.com/en-us/library/cc731564.aspx

AD CS. http://technet.microsoft.com/en-us/library/cc731564.aspx AD CS AD CS http://technet.microsoft.com/en-us/library/cc731564.aspx Active Directory Certificate Services (AD CS) is an Identity and Access Control security technology that provides customizable services

More information

TIBCO Spotfire Web Player 6.0. Installation and Configuration Manual

TIBCO Spotfire Web Player 6.0. Installation and Configuration Manual TIBCO Spotfire Web Player 6.0 Installation and Configuration Manual Revision date: 12 November 2013 Important Information SOME TIBCO SOFTWARE EMBEDS OR BUNDLES OTHER TIBCO SOFTWARE. USE OF SUCH EMBEDDED

More information

Novell Access Manager SSL Virtual Private Network

Novell Access Manager SSL Virtual Private Network White Paper www.novell.com Novell Access Manager SSL Virtual Private Network Access Control Policy Enforcement Compliance Assurance 2 Contents Novell SSL VPN... 4 Product Overview... 4 Identity Server...

More information

Oracle Directory Services Integration with Database Enterprise User Security O R A C L E W H I T E P A P E R F E B R U A R Y 2 0 1 5

Oracle Directory Services Integration with Database Enterprise User Security O R A C L E W H I T E P A P E R F E B R U A R Y 2 0 1 5 Oracle Directory Services Integration with Database Enterprise User Security O R A C L E W H I T E P A P E R F E B R U A R Y 2 0 1 5 Disclaimer The following is intended to outline our general product

More information

BlackBerry Enterprise Server for Microsoft Exchange Version: 5.0 Service Pack: 2. Administration Guide

BlackBerry Enterprise Server for Microsoft Exchange Version: 5.0 Service Pack: 2. Administration Guide BlackBerry Enterprise Server for Microsoft Exchange Version: 5.0 Service Pack: 2 Administration Guide Published: 2010-06-16 SWDT487521-1041691-0616023638-001 Contents 1 Overview: BlackBerry Enterprise

More information

API-Security Gateway Dirk Krafzig

API-Security Gateway Dirk Krafzig API-Security Gateway Dirk Krafzig Intro Digital transformation accelerates application integration needs Dramatically increasing number of integration points Speed Security Industrial robustness Increasing

More information

Security Services. Benefits. The CA Advantage. Overview

Security Services. Benefits. The CA Advantage. Overview PRODUCT BRIEF: CA SITEMINDER FEDERATION SECURITY SERVICES CA SiteMinder Federation Security Services CA SITEMINDER FEDERATION SECURITY SERVICES EXTENDS THE WEB SINGLE SIGN-ON EXPERIENCE PROVIDED BY CA

More information

Symantec Managed PKI Service Deployment Options

Symantec Managed PKI Service Deployment Options WHITE PAPER: SYMANTEC MANAGED PKI SERVICE DEPLOYMENT............. OPTIONS........................... Symantec Managed PKI Service Deployment Options Who should read this paper This whitepaper explains

More information

This research note is restricted to the personal use of christine_tolman@byu.edu

This research note is restricted to the personal use of christine_tolman@byu.edu Burton IT1 Research G00234483 Identity Management Published: 9 July 2012 Analyst(s): Ian Glazer, Bob Blakley Identity management (IdM) has become a distinct aggregation of functions for the maintenance

More information

P-Synch by M-Tech Information Technology, Inc. ID-Synch by M-Tech Information Technology, Inc.

P-Synch by M-Tech Information Technology, Inc. ID-Synch by M-Tech Information Technology, Inc. P-Synch by M-Tech Information Technology, Inc. ID-Synch by M-Tech Information Technology, Inc. Product Category: Password Management/Provisioning Validation Date: TBD Product Abstract M-Tech software streamlines

More information

RSA Authentication Manager 7.0 Planning Guide

RSA Authentication Manager 7.0 Planning Guide RSA Authentication Manager 7.0 Planning Guide Contact Information See the RSA corporate web site for regional Customer Support telephone and fax numbers. RSA Security Inc. www.rsa.com Trademarks RSA and

More information

White Paper Cybercom & Axiomatics Joint Identity & Access Management (R)evolution

White Paper Cybercom & Axiomatics Joint Identity & Access Management (R)evolution White Paper Cybercom & Axiomatics Joint Identity & Access Management (R)evolution Federation and Attribute Based Access Control Page 2 Realization of the IAM (R)evolution Executive Summary Many organizations

More information

Oracle Identity Management: Integration with Windows. An Oracle White Paper December. 2004

Oracle Identity Management: Integration with Windows. An Oracle White Paper December. 2004 Oracle Identity Management: Integration with Windows An Oracle White Paper December. 2004 Oracle Identity Management: Integration with Windows Introduction... 3 Goals for Windows Integration... 4 Directory

More information

RSA SecurID Ready Implementation Guide

RSA SecurID Ready Implementation Guide RSA SecurID Ready Implementation Guide Partner Information Last Modified: December 18, 2006 Product Information Partner Name Microsoft Web Site http://www.microsoft.com/isaserver Product Name Internet

More information

Deploying the BIG-IP LTM and APM with Citrix XenApp or XenDesktop

Deploying the BIG-IP LTM and APM with Citrix XenApp or XenDesktop Deployment Guide Deploying the BIG-IP LTM and APM with Citrix XenApp or XenDesktop Welcome to the F5 deployment guide for Citrix VDI applications, including XenApp and XenDesktop with the BIG-IP v11.2

More information

Implementation Guide SAP NetWeaver Identity Management Identity Provider

Implementation Guide SAP NetWeaver Identity Management Identity Provider Implementation Guide SAP NetWeaver Identity Management Identity Provider Target Audience Technology Consultants System Administrators PUBLIC Document version: 1.10 2011-07-18 Document History CAUTION Before

More information

White paper December 2008. Addressing single sign-on inside, outside, and between organizations

White paper December 2008. Addressing single sign-on inside, outside, and between organizations White paper December 2008 Addressing single sign-on inside, outside, and between organizations Page 2 Contents 2 Overview 4 IBM Tivoli Unified Single Sign-On: Comprehensively addressing SSO 5 IBM Tivoli

More information

Middleware- Driven Mobile Applications

Middleware- Driven Mobile Applications Middleware- Driven Mobile Applications A motwin White Paper When Launching New Mobile Services, Middleware Offers the Fastest, Most Flexible Development Path for Sophisticated Apps 1 Executive Summary

More information

PRIVACY, SECURITY AND THE VOLLY SERVICE

PRIVACY, SECURITY AND THE VOLLY SERVICE PRIVACY, SECURITY AND THE VOLLY SERVICE Delight Delivered by EXECUTIVE SUMMARY The Volly secure digital delivery service from Pitney Bowes is a closed, secure, end-to-end system that consolidates and delivers

More information

How can Identity and Access Management help me to improve compliance and drive business performance?

How can Identity and Access Management help me to improve compliance and drive business performance? SOLUTION BRIEF: IDENTITY AND ACCESS MANAGEMENT (IAM) How can Identity and Access Management help me to improve compliance and drive business performance? CA Identity and Access Management automates the

More information

Unlock the Value of Your Microsoft and SAP Software Investments

Unlock the Value of Your Microsoft and SAP Software Investments SAP Technical Brief SAP Gateway Objectives Unlock the Value of Your Microsoft and SAP Software Investments Bridging the integration gap between SAP and Microsoft environments Bridging the integration gap

More information

Integrating VMware Horizon Workspace and VMware Horizon View TECHNICAL WHITE PAPER

Integrating VMware Horizon Workspace and VMware Horizon View TECHNICAL WHITE PAPER Integrating VMware Horizon Workspace and VMware Horizon View TECHNICAL WHITE PAPER Table of Contents Introduction.... 3 Requirements.... 3 Horizon Workspace Components.... 3 SAML 2.0 Standard.... 3 Authentication

More information

The Security Framework 4.1 Programming and Design

The Security Framework 4.1 Programming and Design Tel: (301) 587-3000 Fax: (301) 587-7877 E-mail: info@setecs.com Web: www.setecs.com Security Architecture for Development and Run Time Support of Secure Network Applications Sead Muftic, President/CEO

More information

ipad in Business Security

ipad in Business Security ipad in Business Security Device protection Strong passcodes Passcode expiration Passcode reuse history Maximum failed attempts Over-the-air passcode enforcement Progressive passcode timeout Data security

More information

Rights Management Services

Rights Management Services www.css-security.com 425.216.0720 WHITE PAPER Microsoft Windows (RMS) provides authors and owners the ability to control how they use and distribute their digital content when using rights-enabled applications,

More information

Critical Issues with Lotus Notes and Domino 8.5 Password Authentication, Security and Management

Critical Issues with Lotus Notes and Domino 8.5 Password Authentication, Security and Management Security Comparison Critical Issues with Lotus Notes and Domino 8.5 Password Authentication, Security and Management PistolStar, Inc. PO Box 1226 Amherst, NH 03031 USA Phone: 603.547.1200 Fax: 603.546.2309

More information

Introduction to Endpoint Security

Introduction to Endpoint Security Chapter Introduction to Endpoint Security 1 This chapter provides an overview of Endpoint Security features and concepts. Planning security policies is covered based on enterprise requirements and user

More information

This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections:

This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections: CHAPTER 1 SAML Single Sign-On This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections: Junos Pulse Secure Access

More information

DEPLOYMENT GUIDE Version 1.1. Deploying the BIG-IP LTM v10 with Citrix Presentation Server 4.5

DEPLOYMENT GUIDE Version 1.1. Deploying the BIG-IP LTM v10 with Citrix Presentation Server 4.5 DEPLOYMENT GUIDE Version 1.1 Deploying the BIG-IP LTM v10 with Citrix Presentation Server 4.5 Table of Contents Table of Contents Deploying the BIG-IP system v10 with Citrix Presentation Server Prerequisites

More information

Configuring Security Features of Session Recording

Configuring Security Features of Session Recording Configuring Security Features of Session Recording Summary This article provides information about the security features of Citrix Session Recording and outlines the process of configuring Session Recording

More information

Security solutions Executive brief. Understand the varieties and business value of single sign-on.

Security solutions Executive brief. Understand the varieties and business value of single sign-on. Security solutions Executive brief Understand the varieties and business value of single sign-on. August 2005 2 Contents 2 Executive overview 2 SSO delivers multiple business benefits 3 IBM helps companies

More information

Base One's Rich Client Architecture

Base One's Rich Client Architecture Base One's Rich Client Architecture Base One provides a unique approach for developing Internet-enabled applications, combining both efficiency and ease of programming through its "Rich Client" architecture.

More information

The Primer: Nuts and Bolts of Federated Identity Management

The Primer: Nuts and Bolts of Federated Identity Management The Primer: Nuts and Bolts of Federated Identity Management Overview For any IT department, it is imperative to understand how your organization can securely manage and control users identities. With so

More information

Identity Management in Liferay Overview and Best Practices. Liferay Portal 6.0 EE

Identity Management in Liferay Overview and Best Practices. Liferay Portal 6.0 EE Identity Management in Liferay Overview and Best Practices Liferay Portal 6.0 EE Table of Contents Introduction... 1 IDENTITY MANAGEMENT HYGIENE... 1 Where Liferay Fits In... 2 How Liferay Authentication

More information