PortWise Access Management Suite

Transcription

1 Create secure virtual access for your employees, partners and customers from any location and any device. With todays global and homogenous economy, the accuracy and responsiveness of an organization s business processes play a key role in its ability to execute and reach its overall business goals. Many companies realize that they need to increase the efficiency and productivity of their workforce, and in order to do so they need to provide their employees with solutions for more flexible working. However, security considerations often prevent a successful deployment of corporate remote access services. For a successful remote access rollout, the following questions need to be addressed: How do we guarantee the user is who he claims to be? How do we know the connecting device is free from Trojans and other malicious software? Is the connection secure? How do we ensure data and application integrity when the network boundary effectively moves beyond the corporate network premises? PortWise Access Management Unlike most remote access solution vendors, PortWise offers a security solution that effectively addresses all of the issues mentioned above. PortWise provides a six-step process to ensure secure and convenient remote connections without compromising security. These six steps include: Assessment of end-user devices Authentication of user s identity Authorization to access applications Access through an encrypted connection Audit of user activity Abolishment of user data PortWise Access Manager and Authentication Server is an integrated software suite developed to help organizations make 1

2 business applications available for remote users in a secure and convenient manner. The product suite includes a comprehensive security feature set. Application Delivery PortWise utilizes clientless SSL VPN technology enabling access to applications by remote users, without having to install proprietary client software on the user s device. And, PortWise utilizes web browser technology to access corporate data. Hence, PortWise supports every device or handset with a built-in web browser. Applications are made available to the end-user though a userfriendly web portal interface and every data transaction is secured with industry standard SSL encryption. Three different access modes are available: Web Access provides remote access to web applications through an SSL proxy. The PortWise SSL proxy mechanism is based on an advanced link translation engine to ensure support for all web applications. Port Access provides access to non-web applications that run on specific IP ports. Port-based access is handled through an on-demand SSL VPN client based on Java or ActiveX technology. Internet Demilitarized Zone (DMZ) Corporate Network Portwise Access Manager SSL VPN SSO Access Enforcement Secure remote connections Customer Employees Partners WebPasswords PKI Token OTP via SMS OTP Token Soft Token Authentication & Policy Server Web Forms WinLogon SOAP-Ticket SAML2.0 Groupware Web-Applications Terminal Server WebServices File Access Cloud 2

3 The PortWise client is transparently installed on the user s device when needed. Network Access provides access to a specific range of IP ports, servers, or networks. End-point Integrity To ensure that malicious software never gets access to the internal network, the integrity of the end-user devices must be checked to guarantee that they meet the security requirements set forth by the organization. This is a crucial step in providing in-depth security since more threats focus on the end-point rather than the network firewall today. Before a user is allowed access, a device scan can be performed to guarantee that the device complies with the corporate security requirements in terms of anti-virus software, personal firewall configurations, and software upgrades. When the user ends a PortWise session, a cleanup procedure can be performed on the end-point to remove all traces of the session, including cookies, URL history, cached pages, registry entries, and downloaded components. Integrated Strong Authentication Identities can easily be faked or stolen. Static passwords are either passed on to non-trusted parties by unknowing users or by malicious software tools. Any organization providing remote access based on static passwords is vulnerable and most likely unable to withstand intrusion attempts. To guarantee a user s true identity, authentication should be based on multiple factors. A multi-factor authentication model can not easily be compromised as it combines a user password/pin with a personal possession, such as a security token. The integrated authentication service in the PortWise Access Management suite provides a framework for multi-factor user authentication that allows deployment of secure and convenient strong user authentication throughout the whole organization. PortWise authentication mechanisms can also be utilized by 3

4 other access solutions through a standard RADIUS interface. The following authentication mechanisms are available: Mobile Two-Factor Authentication uses a consumer device the user already owns, such as a mobile, PDA, or Blackberry, to generate or receive a unique one-time password. Strong One-Factor Authentication The unique PortWise Web Keypad protects the user and the enterprise from Trojans and spyware. External authentication solutions, such as hard tokens, smartcards, and PKI solutions, can be used by PortWise in addition to the built-in authentication mechanisms. Any OATH HOTP compliant security token can be imported and used for user authentication in PortWise. OATH is an initiative to provide an open architecture for tokenbased user authentication that enables customers to replace existing proprietary security solutions and lower their TCO. Single Sign-On During a session, users normally interact with multiple backend systems and data resources, many of which require additional user logins. To create a secure and user-friendly access environment, PortWise includes Single Sign-On mechanisms to provide transparent login to back-end applications. The user signs in once to the PortWise Authentication Service, and subsequent authentication to back-end applications is then handled by the system, without any user interaction. To extend the concept of Single Sign-On, PortWise includes functionality for identity federation between separate administrative domains. With identity federation, a single identity can be used to access applications and resources from multiple departments or external business partners, ideal for easy information sharing in a B2B environment or in company merger scenarios. Policy Management Integrating all aspects of Identity and Access Management into a single, cohesive and integrated policy delivers significant security, 4

5 scale and auditing benefits to an organization. Leveraging the different core technologies included in the PortWise platform, a granular access control policy can be created that effectively determines what a user should gain access to, at any given time. Access policies can be applied on specific applications, IP/port sets and networks and are evaluated using both real-time and static information, such as: User device Grant access based on device type and end-point integrity. Authentication How did the user authenticate? User s role Who is the user, and what is the user s role in the organization? User roles can be defined in PortWise, or provided by an external user directory through PortWise user directory service integration. Network Create access rules based on the user s MAC address or IP address. Audit & Reporting Whether for corporate governance or regulatory compliance with standards such as ISO1771, Sarbanes-Oxley, or Gramm- Leach-Bliley HIPPA, knowing who did what in the enterprise, and which application was accessed from where, is imperative. PortWise includes a number of features to help compliance officers, and corporate governance teams. Consolidated and Comprehensive Audit PortWise collects indepth information about any identity or access activity in a central repository for easy access. Find out exactly who did what when, where and how. PortWise is fully compliant with Sarbanes-Oxley, Gramm-Leach-Bliley, HIPAA, Basel II, and 21 CFR Part 11, among many others. Graphical Reporting All information in the PortWise audit logs can be shown in many different graphical formats (pie charts, line charts, 3D charts, bar charts, etc.) in both real-time and over a historical period. For further data mining and asset management, PortWise can export audit data to Excel or Crystal Reports. 5

6 Audit Policy Management Comprehensive security feature set is included in the Product Suite End-point Security Identity Federation Single Sign-On SSL VPN Strong Authentication Enterprise Administration PortWise provides a central console for the administration of all features included in the PortWise Access Management suite. Real-time alerts can be defined to provide proactive awareness through and SMS. Support for delegated management allows an organization to create administrator roles with limited privileges to shift administrative rights from one organizational level/department to another. User account management can be partly or completely automated with the PortWise user self-service module to offload the corporate IT administration. With support for multi-domains, an organization can host multiple virtual application portals within one single PortWise system. An organization or service provider can customize the user interface and access policy rule sets for separate user domains and administrate them through a single administration interface. 6