Ensuring the Security of Your Company s Data & Identities. a best practices guide

Transcription

1 a best practices guide Ensuring the Security of Your Company s Data & Identities Symplified 1600 Pearl Street, Suite 200» Boulder, CO, 80302»

2 Safe and Secure Identity Management Best Practices The transition to Cloud means that companies often become reliant on security procedures implemented by each 3rd party SaaS provider they employ to keep their corporate data safe. This means that your security and user access could be placed in the hands of multiple cloud vendors, each having varying levels of strength and quality controls. This patchwork of cloud applications can leave your organization open to threats and vulnerabilities. Fortunately, Symplified offers an alternative to this lack of direct control. Symplified offers a complete solution, unifying federated single sign-on, access management, audit reporting, and user provisioning across on-premises, cloud, and mobile applications. No matter who the user is or the device they use to access applications, Symplified delivers the same seamless access experience. Organizations gain a single, secure portal to all of their existing cloud and web applications and services while utilizing their existing identity infrastructure for authentication. Safe, Secure and Flexible Architecture Symplified was architected from the ground up to be flexible, safe, and most importantly secure. A safe communications channel between your users, your identity hub or gateway, and their cloud applications is provided by Symplified via secure communication protocols, cryptography, authentication, and other techniques to ensure your data and access are protected. Symplified routinely scans for possible threats or other issues and promptly notifies its customers whenever preventative action needs to be taken. Physical security is also paramount and Symplified protects its data centers with the latest in physical access technology. FLEXIBLE DEPLOYMENT Symplified s central identity gateway, the Identity Router (IDR), can be delivered using either an on-premises managed virtual appliance or as a hosted cloud service utilizing the Amazon EC2 platform. Both IDR deployment methods afford your business a secure SSO identity gateway. The on-premises option allows your business to maintain the IDR behind your firewall within your existing data center. Choosing the hosted option means that your IDR will be managed by Symplified in the cloud. Both options, however, provide identical security features. User access events, for example, are logged and available for audits, forensics and other compliance requirements. This extensible and flexible architecture is continuously monitored by Symplified s Information Security Team. In order to publish new application connectors and policy rules to the IDR, Symplified maintains a separate yet equally secure Management Console. These two discrete components ensure that there is no one single point of failure that would prevent your users from accessing the resources that they need. The Identity Router (IDR) is the runtime component, a virtual appliance that can be deployed on-premises, at a Service Provider, or on Amazon EC2. The IDR provides co-located policy enforcement and a central decision point that enforces authentication and authorization for all users. The IDR also serves as an audit collection point for all user actions. This is a single-tenant component and is completely controlled by you, our customer. There is no chance for comingling of customer information, and is the most secure architecture for your SSO solution. 2» Ensuring the Security of Your Company s Data and Identities»

3 The Symplified Management Console is a multi-tenant SaaS administration application that provides userfriendly policy configuration to manage all runtime components on the IDR. The Symplified Management Console also acts as a location for continuous monitoring and maintenance for your single-tenant SSO environment. system concept admin user symplified management console <<policy administration point>> >> hosted application >> multi-tenant >> configuration management >> status monitoring employees partners customers subscribers identity router (idr) <<policy enforcement + decision point>> >> runtime component >> single-tenant >> identity provider >> runtime integration CONTINUOUS MONITORING Your business depends on an identity management system that is secure and reliable. This requires consistent internal testing to insure the highest levels of protection. Symplified s Operations Team conducts regular network scans of all its systems, monitoring any vulnerabilities and necessary security patches. We also conduct 3rd-Party Security Assessments on a routine basis to ensure independent reviews of our internal network processes and practices. A summary report of these independent findings is always available to our customers by request. Symplified plans to be fully SSAE16/SOCII compliant in early Note that this audit has already been completed for our data center, where the Symplified Management Console is hosted. The additional 3rd-party assessments completed and available for review include: Application vulnerability threat assessments Network vulnerability threat assessments Select penetration testing and code review Security control framework review and testing Symplified continues to use the following methodologies and standards as best practices in the course of our solution development process: Employment of the Agile Development Methodology Process and Controls are audited against NIST 800 Standards and SOC II auditing DoD Technical Implementation Guide (STIG) hardening guideline 3» Ensuring the Security of Your Company s Data and Identities»

4 During a release publication event, the code repository is digitally signed and the resulting signature is checked on the IDR to ensure code changes are not tampered with in-flight from the originating source. Symplified monitors all IDRs 24/7 no matter where they are deployed for a particular customer. The IDR is also maintained and updated during scheduled maintenance windows, all standard service components of our Identity as a Service (IDaaS) offering. SECURE COMMUNICATIONS Symplified is further protected across every step of the communications process between the Management Console, the IDR and the end users application access. Below you will find a high-level overview of each area of communication and how security is handled in each scenario. TYPE OF COMMUNICATION Symplified Management Console à Identity Router (IDR) IDR à SaaS Application IDR à Local Applications End User à IDR IDR à Simplelink SimpleLink à Userstore Administrator à Symplified Management Console TYPE OF SECURITY APPLIED SSL VPN tunnel, outbound UDP port (1194). Normally over SSL but the SaaS application determines the connection type supported. Normally over SSL. Network controls can be used to ensure application only accepts connections from the IDR to prevent side-door access. Information sent from the user s browser to the IDR is sent over HTTPS. The SSO session cookie contains a cryptographically random string, which contains the session ID. If the session cookie is tampered with the session is invalidated and the user must re-authenticate. SimpleLink is used to access user stores internal to a customer s network only when the IDR is deployed in the cloud. The connection is a SSL VPN tunnel that is initiated as the client to Studio as the server. The type of connection from SimpleLink to the user store is dependent on the security implemented by the user store. If the user store supports LDAPS then SimpleLink will use LDAPS. Access to the Symplified Management Console is protected by user name and password. Optionally, two-factor authentication can be enabled to access the Management Console. This connection is always over HTTPS port » Ensuring the Security of Your Company s Data and Identities»

5 Conclusion Symplified securely unifies federated single sign-on, access management, audit reporting, and user provisioning across any access device be it laptop, tablet or a smartphone. Symplified can be delivered as either an on-premises managed virtual appliance or via a fully-hosted solution available on the massively scalable Amazon Web Services platform. Symplified has been recognized by the Wall Street Journal, CRN, Network World, the RSA conference, and others for its Identity and Access Management innovations. Symplified s Management Team is composed of individuals that have deep roots in the seucrity and access management space. By way of example, Darren Platt (CTO) co-authored the SAML standard that has become one of the most popular federated identity protocols for application communication. THE SYMPLIFIED ADVANTAGE Symplified enables IT organizations to simplify user access to applications, regain visibility and control over usage and meet security and compliance requirements. Symplified provides single-sign-on, identity and access management, directory integration, centralized provisioning, strong authentication, mobile device support and flexible deployment options. Symplified is headquartered in Boulder, Colorado. Visit us at 5» Ensuring the Security of Your Company s Data and Identities»