Access Management Analysis of some available solutions

Transcription

1 Access Management Analysis of some available solutions Enterprise Security & Risk Management May 2015 Authors: Yogesh Kumar Sharma, Kinshuk De, Dr. Sundeep Oberoi

2 Access Management - Analysis of some available solutions Introduction The emergence of technologies like cloud, social, mobility, IoT and identity federation have added complex business needs and problem of giving secure, convenient access to users from access management (AM) point of view today. With increase in threat landscape, need to be always connected and requirement to govern and manage access, organizations continue to adopt either custom developed solutions, open source or commercial proprietary solutions based on access management objectives. Managing access to enterprise resources with emphasis on the management of different relationships in a more secure and effective way, remains a top priority for enterprises. Simplification with improved user experience is now a strong undercurrent. Access managers are also focusing on user behavior patterns, contextual information and improved adaptive access decisions. Single-sign-on solutions also continue to provide benefits in terms of cost reductions and reduced workload. Custom Solutions Many organizations resort to bespoke AM development to address specific business needs. This is a good strategy to accommodate particular enterprise preference and expectation vis-à-vis commercial proprietary solutions or open source. These custom solutions are often considered expensive compared to proprietary solutions. However, in many cases, the cost and delay of implementing commercial proprietary solution s and customization requirement adds to the expense. The decision to build a custom solution or not may be based on following considerations: - Cost and benefit: A thorough cost-benefit analysis is essential. - Commercial proprietary solutions usually have a shorter time to deployment. - Scalability: commercial proprietary solutions have standard business processes and reporting. Open Source Solution Open Source AM solution are cost effective, though not free in real terms, promising and available in various formats of licensing and support models. These open source AM solutions are supported by community and have downsides like support issues, frequent releases, lack of documentation, scalability, in-adequate security testing, etc. There are some licensed cool open source AM solutions like OpenIAM, Forgerock OpenAM with whom TCS has some experience and relation, and have been recommended by Analysts. Table below gives a comparison of features of open source AM solutions: Architecture Modular / Services Based Architecture OpenIAM Access Manager Sun OpenSSO Atlassian Crowd Forgerock OpenAM Service based architecture Service Based Architecture Modular architecture Deployment Architecture (Policy Server, Reverse Proxy, Agents Policy Server on JEE server, Reverse Proxy for coarse grained access, SSO and Federation. Fine grained through, Agents for fine grained access, Integration with Development frameworks, XACML 2 support, Rich API Policy Server, Reverse Proxy, Agents for fine grained integration Java-based architecture allows deployment across platforms many Authentication Types of authentication supported Password Auth, Form Auth, SAML Version 2.2 (Certificate, Token, OAuth) Password Certificates, Auth, SAML Auth, Form Password Auth, Form Auth, OpenID Supports 20 authentication methods out of the box along with Social, Contextual, Adaptive auth. 2 (7)

3 Associate authentication strengths Yes No No Yes per resource Pass through authentication Yes Yes Yes Yes Authorization Coarse Grained Yes Yes Yes Yes Fine Grained Yes No No Yes Role Based Access Control Yes Yes Limited Yes Support for XACML 2 Yes NO NO Yes Integration with Developer frameworks Dynamic Access Control (capable of rendering complex decisions based on real time data) Spring Security, JAAS -Microsoft Geneva Planned Yes ( Rules engine is used while enforcing policies) Spring Security Provides client application programming interfaces with Java and C APIs and a RESTful API Yes NO Web Single Sign On Yes Yes Yes Yes Cookie vs Cookie less Cookie less Cookie less Requires Connectors / Custom Code NO NO Yes No Administration UI Web Based UI Web Based UI Web Based UI Web Based UI Federation Yes Yes No Yes Supported standards SAML 2, 1.1, 1.0, WS- SAML 2, 1.1, 1.0, NA SAML, OpenID Federation WS-Federation Connect and OAuth 2.0 Support for Identity Services Yes Yes NA Yes Security Token Service (STS) Yes No NO Yes Delegated Administration Yes (Limited) No (Requires Sun Access Manager) No No Global Session Management ( user session management, session timeouts, single Sign Off Yes Yes Yes Yes Integration with Identity Manager Yes Yes Limited to updating Yes user and password information Auditing and Reporting Yes Yes Limited Yes Integration API Web Services Based Web Agent and C API Java Java Commercial Proprietary Solution Commercial proprietary solutions though involve financial investment, are more stable, secure, rigorously tested and mature. These solutions are widely adopted, deployed and recommended for enterprises. They offer advanced features and functionalities to cater to various security requirements, business needs and operational requirements of enterprises. These solutions are well evaluated by industry and leading Analyst 3 (7)

4 firms. TCS has wide experience in working with leading access management solutions from Computer Associates (CA), IBM, Novell and Oracle. A table comparing and contrasting some of the key features of leading AM solutions are illustrated below: Stability and Deployment Support for Cloud Based Apps. Oracle (OAM) IBM (SAM) CA (SSO) Novell (AM) Easy to deploy and has many functionalities that enable different deployment strategies based on needs. Deployment is best suited on a Linux platform vis a vis Windows because of stability, compatibility, processing power & security Supports cloud based applications and the process for integrating with them is the same as for any normal web based application. Considered to be more stable among all. Little difficult to deploy but once deployed, it is easy to maintain. Custom adapter development is required Stable, easy to deploy. Has a dedicated deployment methodology. Highest deployment of access manager is from CA Single Sign On (earlier called Siteminder). Yes, supported through open standards including SAML, OAuth, OpenID and WS-Federation. Out of the box connectors are available. Stable, scalable and easy to deploy. Software components can be installed on different infrastructures like High availability servers, clusters, failover systems etc. 1). Google apps is supported for both IDM and Access Manager. 2). Office 365 requires additional work for provisioning. Password Management Authentication Schemes. For further advanced Password policy management, integration with Oracle Identity Manager is additionally necessary. Various inbuilt Authentication Schemes that can be used out of the box or you can create your own Authentication scheme that can be applied to the resource when being protected via access manager and mostly configuration based Various authentication methods, such as Form Based, username/ password, RADIUS, token-based authentication, Client side X.509 digital certificates, Kerberos etc available. You can develop and integrate your own authentication scheme as well. Single Sign On Most Comprehensive and Flexible. Mostly Command based configuration Federated SSO Support Federated SSO is supported in access manager Yes, Basic Password Services & Advanced Password Services (APS) available. Wide variety of authentication schemes available as compared to other solutions, including, anonymous, Basic, Basic over SSL, Custom, HTML Forms, Impersonation OAuth, OpenID, RADIUS CHAP/PAP, RADIUS Server, SafeWord, SafeWord and HTML Forms, SecurID, SecurID and HTML Forms, certificate based Windows Authentication Yes. CA Single Sign-On can provide your organization with five separate SSO architectures for your organization to use independently or mix and match to meet your various business needs. Yes, CA Federation provides expanded use of the identity federation and Web services and mostly configuration based Supports a number of authentication methods, such as username/password, RADIUS token-based authentication, X.509 digital certificates, Kerberos, and OpenID. Easy to implement. Mostly GUI based configuration. 4 (7)

5 Reporting and Logging Audit Capability Have various Auditing capabilities with logging to a flat file or a separate database if a schema is included. Authorization There are various Authorization Schemes that can be attached to an Authentication policy. Comprehensive List of out of the box reports available. Different type of users can view different reports by themselves. Customized Reports can be developed, however reporting engine is vast and complex Reasonably Good. Text log files based Audit Trails and Logging. Report Server for Reporting available. CA SSO has Trace Level Logging for Troubleshooting. For advance reporting you would require UARM (CA product). Alternatively, Crystal Reports can be used. CA SSO has detailed Audit Logs for events which can either be stored in DB or Text File. It has a concept of Profiler where we can select the components for Logging & Auditing. Text based log files generated.. The authorization model is based on security policies. Comprehensive reporting and logging functionality available All access through Access Manager can be logged. Policy Management GUI based administration Main Components Platforms Supported Database Supported Strong. Yes, using WAMUI GUI for creating & maintaining Policies containing Rules & Responses. The thick client application admin UI based administration client Combination of Web Strong. Yes, provides based and Commandline WAMUI for GUI based administration administration /configuration, but comprehensive and flexible WebGates and AccessGates Authorization server, Webagent, Policy Server & are Policy Enforcement Policy server, Policy WAMUI Points or PEPs, the Access proxy server, Session Server is the Policy Decision management server, Point or PDP and the Policy WebSEAL Manager is the Policy Management Authority. OAM can be installed only on 64 bit Linux servers, 32 bit is not supported. Support is provided for Oracle Standard and Enterprie edition including RAC. Windows 2003/2008 SE/EE (32/64 bit), Solaris, Red Hat Enterprise Linux 4, 5 (32/64bit), SUSE Linux ES 9,10,11 (32/64 bit), AIX 5.2, 5.3,6.1, HP-UX 11i IBM DB2 Universal Database. Configurable and Customizable Identity server, access gateway, web server, LDAP directory Windows, RHEL & Solaris Windows 2003 (32bit)/2008 (64bit) SE/EE, SUSE Linux Enterprise Server (SLES) 10/11 (32bit/64bit) IBM DB2 UDB, Microsoft SQL Server Including cluster 2,3, Oracle MySQL Enterprise Server, Oracle RDBMS4, Oracle RAC, PostgreSQL Not required 5 (7)

6 Directory Server Supported Oracle Internet Directory 11gR1 ( ), Oracle Virtual Directory 11gR1 ( ), Microsoft Active Directory 2008, Sun Java System Directory Server 6.3, Novell edirectory 8.8, Oracle Directory Server Enterprise Edition (ODSEE) 11gR1 ( ), Oracle Unified Directory 11gR1 ( ), Oracle Unified Directory 11gR2 ( ), OpenLDAP 2.4, IBM Tivoli DS 6.2, IBM Tivoli DS 6.3 1) Microsoft AD 2) Sun Java system Directory 3) IBM Tivoli Directory Server 4) IBM z/os LDAP Server 5) Novell edirectory CA Directory Server, IBM Domino LDAP, IBM Tivoli Directory Server, Microsoft Active Directory (AD)2, Novell edirectory, OpenLDAP, Oracle Directory Server Enterprise Edition 5, Oracle Internet Directory, Oracle Unified Directory (OUD), Oracle Virtual Directory (OVD), Red Hat Directory Server, Siemens DirX, Sun Java System Directory Server EE Novell edirectory, Microsoft Active Directory and Sun One TCS s Assessment Often, an access management solution is required to meet narrow and specialized requirements or unique business needs, or an enterprise has limited budget to fulfill such needs, in that case a building a custom AM solution is the recommended strategy. Based on the available information on open source AM solutions, though, they claim to support many features; the reliability of such features, its support, documentation, scalability is often seen to be a challenge or suspect. Further, the advanced features and functionalities available in proprietary solutions are clearly missing in open source solutions. However, open source AM solutions are recommended for adoption in environments where the level of risk being carried is low, or resources being accessed are non-sensitive or non-critical, or the organization has its own capability in development of open source platforms. OpenIAM here is an obvious choice which comes in both OpenSource and Commercial license model. If a sophisticated, but broad set of features is required and therefore it is believed that the AM solution must be feature rich, mature and have high quality support commercially available, then one of the leading proprietary access management solutions is the way forward. Based on our analysis of four of the leading solutions, we find that CA Single Sign On is easy to deploy in any environment. Have dedicated guide on Architectural Considerations, Capacity Planning & Configuration Considerations. It can provide enterprises with five separate SSO architectures to use independently or mix and match to meet their various business needs. Along with various predefined authentication schemes and API for customization, CA Single Sign On also provides integration plugin support for esso(enterprise Single Sign On). CA Single Sign On has agents which gives enterprises the flexibility to integrate it with various 3 rd party tools such as Apache HTTP Server, Apache Tomcat, Oracle WebLogic, HP Apache, RedHat JBoss EAP, IBM HTTP Server, IBM WebSphere, Lotus Domino, Microsoft IIS, Microsoft SharePoint, Oracle HTTP Server, Red Hat Apache, Sun Java System, ERP systems, Oracle, PeopleSoft, SAP and Siebel. Additionally, CA Single Sign On comes with extensive technical and documentation support. CA Has a dedicated support site with links to various CA Communities as well. CA has constructed extremely useful databases of raised cases and solutions provided which makes it easier to find a solution. On the basis of the available information, Computer Associate s Single Sign On AM solution is scalable, stable, well supported, widely accepted with abundant features and is recommended for deployment. 6 (7)

7