Extranet Access Management Web Access Control for New Business Services

Transcription

1 Extranet Access Management Web Access Control for New Business Services An Evidian White Paper Increase your revenue and the ROI for your Web portals Summary Increase Revenue Secure Web Access Control with SSO

2 2013 Evidian The information contained in this document represents the view of Evidian on the issues discussed at the date of publication. Because Evidian must respond to changing market conditions, it should not be interpreted as a commitment on the part of Evidian, and Evidian cannot guarantee the accuracy of any information presented after the date of publication. This is for informational purposes only. EVIDIAN MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. We acknowledge the rights of the proprietors of trademarks mentioned in this book.

3 Contents Increase Revenue... 4 Protecting and Managing Enterprise Internet Access...6 Increase the return on investment for your web portal by extending it to enterprise applications...7 SAM Web Controls the Accesses to the Insurance Company's Applications...8 Controlling Access Centrally or on the Applications...8 Keeping an Access Control List up to date...8 Simplified Access with Web SSO and a Personalized Welcome Page...8 SAM Web Speeds Up Web Services Implementation...9 Secure Web Access Control with SSO Control and Secure User Access...10 Enforce Access Control for any Applications...10 Control Access to Applications and URLs...10 Dynamic Authorizations...10 Authentication Methods...11 Track all User Activity...11 Encrypt Confidential Data...11 Protect Web Resources Against Attacks...12 Creating User Accounts...12 Using the Enterprise LDAP Directories...12 Account Creation by the User...12 Reinitializing a Primary Password...12 Using Multiple Identities...12 Universal Single Sign-On...12 Improve the User Experience and Security with Single Sign-On...13 Single Sign-On to External Web Sites...13 Personalize the End-user s Web Environment...13 The User Can Opt to Manage Sensitive Passwords Himself...13 Extensible to J2EE, SOA and Web Services Project Accesses...14 Extensible to Non-Web Access and Legacy Applications...14 Instant Security for a Low Cost of Ownership...14 A Non-intrusive Solution for Easy Deployment...14 More Effective Administration...15 Lower Ownership Costs A2 08LT Rev02 3

4 Increase Revenue A large B2B insurance company has found a simple way to increase its revenue, by selling a new service to its existing enterprise customers. The new service allows enterprise customers to delegate contract management and accident declaration inside their organization. With this new service The HR departments can manage the list of attributes of contracts and insured employees directly, through a web application. Employees can fill out their own accident declarations and obtain any type of information they may need about their personal situation. Figure 1. New Service Enterprise customer Super User Declare new employee Modify contract attributes HR Manager User Declare accident Consult personal information Employees For Customer enterprise, this new service Speeds up insurance operations by delegating contract management to the HR department. Lowers the central cost of insurance contract management by delegating accident declaration to the customer enterprise employees, and by implementing an information self-service. The accessed data is critical for the insurance company. Since the data is used to compute invoice and premium reimbursement, it can impact the bottom line of the enterprise. Since the data may contain personal health information, it can engage the insurance company's legal responsibility. 39 A2 08LT Rev02 4

5 At the same time, the security risks are important. The people using the new services are not insurance company employees. The security rules for employee workstation are not managed by the insurance company's security policy. Users can access the service through the "wild, wild web". In a second phase, the insurance company wishes to sustain the investments made within the framework of its web project by extending it to the staff of its own enterprise and to their web applications spread over several organizations. To limit its costs, minimize vulnerabilities and maximize staff efficiency, these new services must be based on the authentication and administration services set up in the first phase of the project. Protecting access to data is a key issue for the business success of this new service. 39 A2 08LT Rev02 5

6 Protecting and Managing Enterprise Internet Access In order to protect its data, the insurance company has implemented a secure web access point with three main functions: A network filter, implementing standard firewall mechanisms An HTML code filter, implementing high-level HTML code analysis to protect it from malicious incoming code User access control, implementing strong authentication and access authorization checks to protect it from malicious users Figure 2. Strong Access Control Point LDAP Enterprise customer Firewall Firewall Access Management HR Manager Super User HTML Code Filter Customers & Contracts User Premium Calculation Employees Secure Access Manager - Web Edition 39 A2 08LT Rev02 6

7 Increase the return on investment for your web portal by extending it to enterprise applications To control its employees' access and protect the data on the web applications spread all over its organizations, this insurance company has introduced modules known as Web agents on each of the target web servers. Figure 2.1. Architecture Web Agents de SAM Web SAM Web Audit Employees Employees SSL Authentication Welcome Page SSO Web Agents SSO MySAP Enterprise Browsers SSL Web Agents WebLogic In the present case, the web agents are installed on the web server of two organizations: Finance and Internal Publications. The web agents of the Finance organization secure the access to MySAP, while the web agents of the Internal Publications organization secure the access to WebLogic. This architecture uses the same authentication and administration server deployed with the Evidian security gateway. The administration server enables you to define and implement an enterprise-specific security policy. However, the employee LDAP base is different from the one used for the partners' accesses. The following security functions are implemented: Authentication of users based on password, and on their profile for direct access to the Finance and Internal Publications URLs Single Sign-On To enable the enterprise to be always more efficient and cooperate more closely with its partners, the solution would allow this architecture to be extended to partner Web Services. This solution would also allow this enterprise to deploy commercially-available or open-source J2EE server applications. 39 A2 08LT Rev02 7

8 SAM Web Controls the Accesses to the Insurance Company's Applications SAM Web is a web security gateway that intercepts every HTML request and verifies the associated user's access rights. Controlling Access Centrally or on the Applications Each time a customer requests a URL, SAM Web checks customer access rights before allowing or if necessary denying the request. The SAM Web access control modules are placed either at the entrance to the most protected area of the information system (gateway mode), or on the server on which the application to be protected is located (Web agent mode). In the first phase of the project, the insurance company uses SAM Web in gateway mode within the DMZ. SAM Web is thus a mandatory gateway to the applications. All application accesses must be authorized. In the second phase, the company deploys web agents on its application servers spread over different organizations. Keeping an Access Control List up to date The insurance company has delegated the role of "user access manager" for enterprise customer employees to the HR managers: it is these HR managers who can declare, modify, and remove the access rights of their employees. The delegated management application is an in-house application that feeds the SAM Web LDAP directory to implement access rules. Simplified Access with Web SSO and a Personalized Welcome Page This SAM Web Single Sign-On feature simplifies access by providing: Primary authentication when the user first connects to SAM Web A welcome page that shows only authorized applications Transparent secondary access to target applications without supplementary user authentication, whatever the authentication method of the primary authentication (OTP or login/password). This function is called Single Sign-On. 39 A2 08LT Rev02 8

9 SAM Web Speeds Up Web Services Implementation The simple and powerful SAM Web architecture is a key factor for secure deployment of new web business services. SAM Web Features Non-intrusive solution and integration with LDAP directories Robust authentication, SSO and URL control Reverse Proxy Architecture or Web Agent Centralized Administration SAM Web Management Console Centralized Audit Implementing new Web Services Accelerate the creation of 24x7 on-line web access Guarantee the security and confidentiality of information Access to information is dynamically implemented according to each user's characteristics. Separate security from web applications and allow the use of customized architecture Add new web servers and applications simply Fewer clicks to revoke job relevant access Track all user and administrator activities 39 A2 08LT Rev02 9

10 Secure Web Access Control with SSO Control and Secure User Access Traditionally, as businesses move online, security enforcement falls to the administrators of each application. As applications are added, the number of administrators and security policies quickly becomes unmanageable. This kind of patchwork approach to security results both in security breaches and end-user frustration. Enforce Access Control for any Applications SAM Web allows you to define and manage what applications and resources users can access. Instead of having each resource manager control security on their servers, SAM Web centralizes access control management of web resources. Through an easy-to-use console, an administrator can control user access dynamically. New employees can be added to the appropriate groups and gain access to multiple applications immediately. With SAM Web, former partners and employees can be deprived of access to company services with a mouse click. With SAM Web, you can enforce a comprehensive security policy across internal as well as external web resources. Control Access to Applications and URLs Dynamic Authorizations The SAM Web URL access control modules can be placed either at a security gateway on a line interruption or on the applications themselves on the same servers. SAM Web allows the implementation of three architecture types: Purely "gateway" architecture in which the access control module is placed at a line interruption on a single gateway Purely "Web agent" architecture in which the access control module is placed on the application servers to be protected Mixed "Web agent"/"gateway" architecture in which, depending on the security policy, network and application architecture and optimization of network flows, the control points may be located either on the line interruption or on servers. URL and application access authorizations can be calculated dynamically using simple "And", "Or", "Not" rules applied to the user attributes available in the LDAP directory. These rules are centrally defined by the administrator then applied by the access control modules. 39 A2 08LT Rev02 10

11 Authentication Methods SAM Web can authenticate users with different methods such as: Classical identifier and password Virtual keyboard for identifier and password. This lets you enter your identifier and password by clicking on a keyboard displayed on the PC s screen. A virtual keyboard improves the protection of the identifier and password against key loggers, without using a strong authentication device. One-time password Smart card with X.509 certificates X.509 certificates (including CRL and OCSP) Kerberos token SAML token (e.g. VPN access) Radius-based authentication Track all User Activity Any proper access management policy requires monitoring. SAM Web tracks all user accesses or access attempts, in order to protect web resources and thus enable security administrators to monitor who has accessed what and when. Manage Securely and Quickly Multiple Web Accesses 1. Separation between the security infrastructure and application deployment. 2. A non-intrusive solution without any developments. 3. Offering high scalability and availability. SAM Web is compatible with log analysis tools such as NetIQ WebTrends. This makes it easier for administrators to review security audit records. Encrypt Confidential Data To guarantee the confidentiality of the data exchanged on the Internet, the partners must open encrypted sessions. As more and more companies now work on line, encrypting each web application is becoming a problem, because not all applications can be encrypted. With SAM Web, all communications with the browser can be encrypted. Customers, employees and partners can dialogue in all confidence within the community of sites managed by SAM Web. 39 A2 08LT Rev02 11

12 Protect Web Resources Against Attacks Creating User Accounts SAM Web helps prevent attacks against web resources exposed on the Internet. The SAM Web gateway hides the real address of web resources. It alters the URL of web applications to prevent hackers from knowing the network topology. SAM Web also acts as a gatekeeper for all web accesses, making it easier to protect against worms or other attacks the web applications that require an access code. SAM Web is consistently integrated into existing user management processes. Using the Enterprise LDAP Directories SAM Web reuses the user definition contained in the enterprise's different LDAP directories. The LDAP directories may be from different suppliers, have different structures and be located on different sites. Account Creation by the User Depending on the existing security policy, a user may be authorized to create a personal account in a predefined LDAP directory, by connecting to SAM Web. The account can then be integrated by an administrator into the company's general access control policy. Reinitializing a Primary Password Using Multiple Identities Universal Single Sign-On When a user forgets his or her primary password, SAM Web offers the user the possibility to reinitialize this primary password using a question/answer form. The user does not need any assistance from the help desk. The password creation policy defined by the enterprise (number of characters, non-use of an already existing password, etc.) is then applied. A user can access several domains using the same name. Each identity is then defined in a different LDAP directory. We then talk in terms of different domains. These different domains may, for instance, correspond to different enterprises, subsidiaries or organizations. SAM Web enables the user to choose his domain during initial authentication. He is then granted the rights associated with the identity of the domain he has chosen. Traditional security solutions impede efficiency and taint the user experience. SAM Web's streamlined approach to security improves user loyalty. By facilitating navigation with single sign-on and improving the user experience with customized content, SAM Web improves user productivity and confidence. 39 A2 08LT Rev02 12

13 Improve the User Experience and Security with Single Sign-On When users are expected to provide a password for each internal and external application, enforcing security infringes on accomplishing business. Managing multiple login information is time-consuming and frustrating. Users find shortcuts such as choosing weak passwords or leaving them in conspicuous places. Password-related help-desk calls make up a significant portion of help-desk costs. Multiple passwords not only impede business by damaging the user experience and productivity, they also lead to security breaches. With SAM Web, customers, partners or employees access internal and external Web resources with one user name and password. After an initial authentication by SAM Web, they can navigate freely among the resources that they are allowed to access. Transparently to the user, SAM Web supplies each application with the appropriate password, in particular by means of forms. Single Sign-On to External Web Sites With the activity of organizations extending beyond the firewall across multiple domains, single sign-on also needs to follow the same path: Intranet portals often allow access to purchasing web sites or subscription services, extranets can cover multiple partner sites. With SAM Web, portal managers can control their web environment by adding and removing resources dynamically. Users can access resources outside of the enterprise without being prompted for another password. SAM Web's Single Sign-On solution improves security, user experience and reduces help desk calls. Personalize the End-user s Web Environment While navigating the Web is notoriously impersonal as users often have irrelevant links on their welcome page, SAM Web customizes the user experience, giving users a feeling of community. With SAM Web, users in certain industries and geographic areas can be provided with personal information and access. Customers and partners access to services can be multi-tiered. This ability to respond to users' needs with SAM Web makes users feel like members of a trusted community by providing seamless navigation between authorized applications. The User Can Opt to Manage Sensitive Passwords Himself Passwords can be managed either by the manager or by the end-user. Group passwords can be transparent to the users. For instance, the manager can grant members of a certain group access to analyst reports without informing them of the company password. Similarly, when employees access their web mail accounts, the portal administrator will not know their password. 39 A2 08LT Rev02 13

14 Extensible to J2EE, SOA and Web Services Project Accesses Thanks to AccessMaster's modular architecture, the SAM J2EE module extends SAM Web functions by offering an integrated SSO solution to J2EE, SOA and Web Services environments. Using a common authentication and administration server, SAM Web and SAM J2EE cooperate to offer users a Single Sign-On both for Web environments and J2EE and Web Services environments. Thanks to SAML technologies, SAM J2EE simply extends the SAM Web access control functions to interconnect portals or Web applications to J2EE servers or to internal and external Web Services. Extensible to Non-Web Access and Legacy Applications Not all applications are web-enabled. Secure Access Manager Standard Edition can address non-web applications; it complements SAM Web to provide a complete and integrated solution for securing and simplifying access to non-web, legacy and clientserver applications. Instant Security for a Low Cost of Ownership With SAM Web, you do not have to sacrifice convenience for security. SAM Web does not require any modification or component on user desktops or target systems. The other solutions in the marketplace today are overcomplicated, requiring months to deploy and consuming precious IT resources. Keep Control of Security 1. Centralized administration: minimize costs of security skills and minimize security administration tasks. 2. Flexible Administration: add or revoke simply new web servers and applications in few clicks. 3. Secure access control to instantly know who has accessed what (central audit). A Non-intrusive Solution for Easy Deployment Thanks to its non-intrusive architecture, SAM Web can be fully deployed in a matter of hours, enabling the extended corporation to change as quickly as the market does. Downloadable from the Web, SAM Web is one piece of software and is standards based. 39 A2 08LT Rev02 14

15 More Effective Administration Lower Ownership Costs SAM Web enables portal or web server managers to seamlessly manage access to any web application without deploying any software, and without reorganizing the directories. There is no need to modify any existing administration processes or applications. SAM Web reuses the existing LDAP user directories to apply a security policy to the enterprise resources. SAM Web enables you to dramatically reduce additional IT costs. No need to redefine or modify user directories. Increases your return on investment for web projects, by facilitating the extension of portal projects to Java and SOA environments. No need to update SAM Web when a protected application is updated. The end result is a full security solution that most simplifies access to end-users, with the least ownership cost. 39 A2 08LT Rev02 15

16 For more information go to