Access Management - Analysis of some available solutions
Enterprise Security & Risk Management, May 2015
Authors: Yogesh Kumar Sharma, Kinshuk De, Dr. Sundeep Oberoi

Introduction

The emergence of technologies like cloud, social, mobility, IoT and identity federation has added complex business needs and, from an access management (AM) point of view, the problem of giving users secure, convenient access. With a growing threat landscape, the need to be always connected, and the requirement to govern and manage access, organizations continue to adopt custom developed, open source or commercial proprietary solutions, depending on their access management objectives. Managing access to enterprise resources, with emphasis on managing the different relationships in a more secure and effective way, remains a top priority for enterprises. Simplification with improved user experience is now a strong undercurrent. Access managers are also focusing on user behavior patterns, contextual information and improved adaptive access decisions. Single sign-on solutions also continue to provide benefits in terms of cost reductions and reduced workload.

Custom Solutions

Many organizations resort to bespoke AM development to address specific business needs. This is a good strategy to accommodate particular enterprise preferences and expectations vis-à-vis commercial proprietary or open source solutions. Custom solutions are often considered expensive compared to proprietary solutions; however, in many cases the cost and delay of implementing a commercial proprietary solution, and its customization requirements, add to the expense. The decision whether to build a custom solution may be based on the following considerations:
- Cost and benefit: a thorough cost-benefit analysis is essential.
- Time to deployment: commercial proprietary solutions usually have a shorter time to deployment.
- Scalability: commercial proprietary solutions have standard business processes and reporting.
Open Source Solutions

Open source AM solutions are cost effective, though not free in real terms, promising, and available in various licensing and support models. These solutions are supported by a community and have downsides such as support issues, frequent releases, lack of documentation, scalability and inadequate security testing. Some licensed open source AM solutions, such as OpenIAM and ForgeRock OpenAM, with which TCS has experience and a relationship, have been recommended by analysts. The table below compares the features of open source AM solutions.

Comparison of open source AM solutions
Columns, in order: OpenIAM Access Manager | Sun OpenSSO | Atlassian Crowd | ForgeRock OpenAM. Where the source gives fewer or more values than columns, they are reproduced in the source's order.

Architecture
- Modular / services based architecture: Service based architecture | Service based architecture | Modular architecture
- Deployment architecture (policy server, reverse proxy, agents): Policy server on a JEE server, reverse proxy for coarse grained access, SSO and federation; fine grained access through agents; integration with development frameworks, XACML 2 support, rich API | Policy server, reverse proxy, agents for fine grained integration | Java-based architecture allows deployment across many platforms

Authentication
- Types of authentication supported: Password auth, form auth, SAML version 2.2 (certificate, token, OAuth) | Password auth, form auth, certificates, SAML auth | Password auth, form auth, OpenID | Supports 20 authentication methods out of the box, along with social, contextual and adaptive auth

(Columns, in order: OpenIAM Access Manager | Sun OpenSSO | Atlassian Crowd | ForgeRock OpenAM)
- Associate authentication strengths per resource: Yes | No | No | Yes
- Pass-through authentication: Yes | Yes | Yes | Yes

Authorization
- Coarse grained: Yes | Yes | Yes | Yes
- Fine grained: Yes | No | No | Yes
- Role based access control: Yes | Yes | Limited | Yes
- Support for XACML 2: Yes | No | No | Yes
- Integration with developer frameworks, and dynamic access control (capable of rendering complex decisions based on real time data), values as listed in the source: Spring Security, JAAS (Microsoft Geneva planned) | Yes (a rules engine is used while enforcing policies) | Spring Security | Provides client application programming interfaces with Java and C APIs and a RESTful API | Yes | No

Web single sign-on
- Web single sign-on: Yes | Yes | Yes | Yes
- Cookie vs cookie-less: Cookie-less | Cookie-less
- Requires connectors / custom code: No | No | Yes | No
- Administration UI: Web based UI | Web based UI | Web based UI | Web based UI

Federation
- Federation: Yes | Yes | No | Yes
- Supported standards: SAML 2, 1.1, 1.0, WS-Federation | SAML 2, 1.1, 1.0, WS-Federation | NA | SAML, OpenID Connect and OAuth 2.0
- Support for identity services: Yes | Yes | NA | Yes
- Security Token Service (STS): Yes | No | No | Yes
- Delegated administration: Yes (limited) | No (requires Sun Access Manager) | No | No
- Global session management (user session management, session timeouts, single sign-off): Yes | Yes | Yes | Yes
- Integration with identity manager: Yes | Yes | Limited to updating user and password information | Yes
- Auditing and reporting: Yes | Yes | Limited | Yes
- Integration API: Web services based | Web agent and C API | Java | Java

Commercial Proprietary Solutions

Commercial proprietary solutions, though they involve financial investment, are more stable, secure, rigorously tested and mature. These solutions are widely adopted, deployed and recommended for enterprises. They offer advanced features and functionalities to cater to the various security, business and operational requirements of enterprises, and they are well evaluated by industry and leading analyst firms. TCS has wide experience in working with leading access management solutions from Computer Associates (CA), IBM, Novell and Oracle. A table comparing and contrasting some of the key features of the leading AM solutions is given below.

Comparison of commercial proprietary AM solutions: Oracle (OAM), IBM (SAM), CA (SSO), Novell (AM)

Stability and deployment
- Oracle (OAM): Easy to deploy, with many functionalities that enable different deployment strategies based on needs. Deployment is best suited to a Linux platform rather than Windows because of stability, compatibility, processing power and security.
- IBM (SAM): Considered to be the most stable of all. A little difficult to deploy, but once deployed it is easy to maintain.
- CA (SSO): Stable and easy to deploy. Has a dedicated deployment methodology. CA Single Sign On (earlier called SiteMinder) has the highest number of access manager deployments.
- Novell (AM): Stable, scalable and easy to deploy. Software components can be installed on different infrastructures such as high availability servers, clusters and failover systems.

Support for cloud based applications
- Oracle (OAM): Supports cloud based applications; the process for integrating with them is the same as for any normal web based application.
- IBM (SAM): Custom adapter development is required.
- CA (SSO): Yes, supported through open standards including SAML, OAuth, OpenID and WS-Federation. Out of the box connectors are available.
- Novell (AM): 1) Google Apps is supported for both IDM and Access Manager. 2) Office 365 requires additional work for provisioning.

Password management
- Oracle (OAM): For more advanced password policy management, integration with Oracle Identity Manager is additionally necessary.

Authentication schemes
- Oracle (OAM): Various inbuilt authentication schemes can be used out of the box, or you can create your own authentication scheme and apply it to the resource being protected via Access Manager; mostly configuration based.
- IBM (SAM): Various authentication methods are available, such as form based, username/password, RADIUS, token-based authentication, client side X.509 digital certificates and Kerberos.
  You can develop and integrate your own authentication scheme as well.
- CA (SSO): A wide variety of authentication schemes is available compared to other solutions, including anonymous, Basic, Basic over SSL, custom, HTML forms, impersonation, OAuth, OpenID, RADIUS CHAP/PAP, RADIUS server, SafeWord, SafeWord and HTML forms, SecurID, SecurID and HTML forms, certificate based and Windows authentication.
- Novell (AM): Supports a number of authentication methods, such as username/password, RADIUS token-based authentication, X.509 digital certificates, Kerberos and OpenID.

Password management (continued)
- CA (SSO): Yes, Basic Password Services and Advanced Password Services (APS) are available.

Single sign-on
- Oracle (OAM): Most comprehensive and flexible. Mostly command based configuration.
- CA (SSO): Yes. CA Single Sign-On can provide your organization with five separate SSO architectures, to be used independently or mixed and matched to meet your various business needs.
- Novell (AM): Easy to implement. Mostly GUI based configuration.

Federated SSO support
- Oracle (OAM): Federated SSO is supported in Access Manager.
- CA (SSO): Yes, CA Federation provides expanded use of identity federation and web services; mostly configuration based.

Reporting and logging, audit capability and authorization
- Oracle (OAM): Has various auditing capabilities, with logging to a flat file or to a separate database if a schema is included. There are various authorization schemes that can be attached to an authentication policy. A comprehensive list of out of the box reports is available, and different types of users can view different reports by themselves. Customized reports can be developed; however, the reporting engine is vast and complex.
- IBM (SAM): Reasonably good. Text log file based audit trails and logging. A report server for reporting is available.
- CA (SSO): CA SSO has trace level logging for troubleshooting. For advanced reporting you would require UARM (a CA product); alternatively, Crystal Reports can be used. CA SSO has detailed audit logs for events, which can be stored either in a database or in a text file. It has the concept of a Profiler, where the components for logging and auditing can be selected.
- Novell (AM): Text based log files are generated. The authorization model is based on security policies. Comprehensive reporting and logging functionality is available; all access through Access Manager can be logged.

Policy management and GUI based administration (values as listed in the source): Strong | Yes, using the WAMUI GUI for creating and maintaining policies containing rules and responses | The thick client application admin UI based administration client | Combination of web based and command line administration/configuration, but comprehensive and flexible | Strong | Yes, provides WAMUI for GUI based administration

Main components
- Oracle (OAM): WebGates and AccessGates are Policy Enforcement Points (PEPs), the Access Server is the Policy Decision Point (PDP) and the Policy Manager is the policy management authority.
- IBM (SAM): Authorization server, policy server, policy proxy server, session management server, WebSEAL.
- CA (SSO): Web agent, Policy Server and WAMUI. Configurable and customizable.
- Novell (AM): Identity server, access gateway, web server, LDAP directory.

Platforms supported
- Oracle (OAM): OAM can be installed only on 64 bit Linux servers; 32 bit is not supported.
- IBM (SAM): Windows 2003/2008 SE/EE (32/64 bit), Solaris, Red Hat Enterprise Linux 4, 5 (32/64 bit), SUSE Linux ES 9, 10, 11 (32/64 bit), AIX 5.2, 5.3, 6.1, HP-UX 11i.
- CA (SSO): Windows, RHEL and Solaris.
- Novell (AM): Windows 2003 (32 bit)/2008 (64 bit) SE/EE, SUSE Linux Enterprise Server (SLES) 10/11 (32 bit/64 bit).

Database supported
- Oracle (OAM): Support is provided for Oracle Standard and Enterprise Edition, including RAC.
- IBM (SAM): IBM DB2 Universal Database.
- CA (SSO): IBM DB2 UDB, Microsoft SQL Server (including cluster), Oracle MySQL Enterprise Server, Oracle RDBMS, Oracle RAC, PostgreSQL.
- Novell (AM): Not required.

Directory server supported
- Oracle (OAM): Oracle Internet Directory 11gR1 (11.1.1.5+), Oracle Virtual Directory 11gR1 (11.1.1.5+), Microsoft Active Directory 2008, Sun Java System Directory Server 6.3, Novell eDirectory 8.8, Oracle Directory Server Enterprise Edition (ODSEE) 11gR1 (11.1.1.5+), Oracle Unified Directory 11gR1 (11.1.1.5), Oracle Unified Directory 11gR2 (11.1.2.0), OpenLDAP 2.4, IBM Tivoli DS 6.2, IBM Tivoli DS 6.3.
- IBM (SAM): 1) Microsoft AD, 2) Sun Java System Directory, 3) IBM Tivoli Directory Server, 4) IBM z/OS LDAP Server, 5) Novell eDirectory.
- CA (SSO): CA Directory Server, IBM Domino LDAP, IBM Tivoli Directory Server, Microsoft Active Directory (AD), Novell eDirectory, OpenLDAP, Oracle Directory Server Enterprise Edition, Oracle Internet Directory, Oracle Unified Directory (OUD), Oracle Virtual Directory (OVD), Red Hat Directory Server, Siemens DirX, Sun Java System Directory Server EE.
- Novell (AM): Novell eDirectory, Microsoft Active Directory and Sun One.

TCS's Assessment

Often an access management solution is required to meet narrow and specialized requirements or unique business needs, or an enterprise has a limited budget to fulfil such needs; in that case, building a custom AM solution is the recommended strategy. Based on the available information on open source AM solutions, although they claim to support many features, the reliability of those features, and their support, documentation and scalability, are often seen to be a challenge or suspect. Further, the advanced features and functionalities available in proprietary solutions are clearly missing in open source solutions. However, open source AM solutions are recommended for adoption in environments where the level of risk being carried is low, where the resources being accessed are non-sensitive or non-critical, or where the organization has its own capability in developing on open source platforms. OpenIAM is an obvious choice here, as it comes in both open source and commercial license models.
If a sophisticated but broad set of features is required, and it is therefore believed that the AM solution must be feature rich, mature and have high quality commercial support available, then one of the leading proprietary access management solutions is the way forward. Based on our analysis of four of the leading solutions, we find that CA Single Sign On is easy to deploy in any environment. It has a dedicated guide on architectural considerations, capacity planning and configuration considerations. It can provide enterprises with five separate SSO architectures to use independently or to mix and match to meet their various business needs. Along with various predefined authentication schemes and an API for customization, CA Single Sign On also provides integration plugin support for eSSO (enterprise single sign-on). CA Single Sign On has agents that give enterprises the flexibility to integrate it with various third party tools such as Apache HTTP Server, Apache Tomcat, Oracle WebLogic, HP Apache, Red Hat JBoss EAP, IBM HTTP Server, IBM WebSphere, Lotus Domino, Microsoft IIS, Microsoft SharePoint, Oracle HTTP Server, Red Hat Apache, Sun Java System, and ERP systems such as Oracle, PeopleSoft, SAP and Siebel. Additionally, CA Single Sign On comes with extensive technical and documentation support. CA has a dedicated support site, https://support.ca.com/irj/portal, with links to various CA communities as well. CA has constructed extremely useful databases of raised cases and the solutions provided, which makes it easier to find a solution. On the basis of the available information, Computer Associates' Single Sign On AM solution is scalable, stable, well supported and widely accepted, with abundant features, and is recommended for deployment.
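To make concrete what the comparison rows on coarse grained authorization, fine grained authorization, role based access control and "associate authentication strengths per resource" refer to, and the PEP/PDP split the paper describes for OAM (WebGates enforce, the Access Server decides), here is an added Python illustration. It is not code from this paper or from any of the compared products; the rule set, users, URLs and the ordering of authentication methods by strength are constructed assumptions for the example, and the PEP stands in for a web agent or gateway.

```python
"""Toy PEP/PDP model of the authorization rows in the comparison tables.

Added illustration; not code from the paper or from any product it compares.
All rules, users, URLs and the strength ordering of authentication methods
are constructed assumptions for the example.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Callable, Dict, List, Optional, Set, Tuple

# Assumed ordering of authentication methods by strength (constructed).
AUTH_LEVELS = {"anonymous": 0, "password": 1, "otp": 2, "certificate": 3}


@dataclass
class Subject:
    """The authenticated (or anonymous) user as the agent sees it."""
    user: str
    roles: Set[str]
    auth_method: str
    attributes: Dict[str, str] = field(default_factory=dict)


@dataclass
class Rule:
    """URL pattern (coarse grained), minimum authentication strength for the
    resource, permitted roles (RBAC), optional attribute check (fine grained)."""
    pattern: str
    min_auth: str
    roles: Set[str] = field(default_factory=set)
    condition: Optional[Callable[[Subject, str], bool]] = None


class PolicyDecisionPoint:
    """Central PDP: the most specific matching rule decides; default deny."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules

    def decide(self, subject: Subject, resource: str) -> Tuple[bool, str]:
        matching = [r for r in self.rules if fnmatch(resource, r.pattern)]
        if not matching:
            return False, "deny: no policy covers resource"
        rule = max(matching, key=lambda r: len(r.pattern))  # longest pattern wins
        # The required strength belongs to the resource, not the user; a weaker
        # session is told which strength it must step up to.
        if AUTH_LEVELS[subject.auth_method] < AUTH_LEVELS[rule.min_auth]:
            return False, f"step-up required: {rule.min_auth}"
        if rule.roles and not (rule.roles & subject.roles):
            return False, "deny: role not permitted"
        if rule.condition is not None and not rule.condition(subject, resource):
            return False, "deny: fine-grained condition failed"
        return True, "permit"


class PolicyEnforcementPoint:
    """Stand-in for a web agent or gateway: asks the PDP, records the outcome."""

    def __init__(self, pdp: PolicyDecisionPoint):
        self.pdp = pdp
        self.audit_log: List[Tuple[str, str, bool, str]] = []

    def handle(self, subject: Subject, resource: str) -> Tuple[bool, str]:
        allowed, reason = self.pdp.decide(subject, resource)
        self.audit_log.append((subject.user, resource, allowed, reason))
        return allowed, reason


def owns_account(subject: Subject, resource: str) -> bool:
    """Fine grained check: /app/accounts/<id>/... only for the owner of <id>."""
    parts = resource.split("/")
    return len(parts) > 3 and parts[3] == subject.attributes.get("account")


# Constructed sample policy, from coarse (URL) to fine (attribute) grained.
RULES = [
    Rule("/public/*", min_auth="anonymous"),
    Rule("/app/*", min_auth="password", roles={"employee"}),
    Rule("/app/admin/*", min_auth="otp", roles={"admin"}),
    Rule("/app/accounts/*", min_auth="password", roles={"employee"},
         condition=owns_account),
]


def demo() -> Dict[str, Tuple[bool, str]]:
    """Send constructed requests through the PEP and return each decision."""
    pep = PolicyEnforcementPoint(PolicyDecisionPoint(RULES))
    alice = Subject("alice", {"employee"}, "password", {"account": "1001"})
    bob_pw = Subject("bob", {"employee", "admin"}, "password")
    bob_otp = Subject("bob", {"employee", "admin"}, "otp")
    guest = Subject("guest", set(), "anonymous")
    return {
        "guest public": pep.handle(guest, "/public/index.html"),
        "guest app": pep.handle(guest, "/app/home"),
        "alice app": pep.handle(alice, "/app/home"),
        "alice admin": pep.handle(alice, "/app/admin/users"),
        "bob admin password": pep.handle(bob_pw, "/app/admin/users"),
        "bob admin otp": pep.handle(bob_otp, "/app/admin/users"),
        "alice own account": pep.handle(alice, "/app/accounts/1001/statement"),
        "alice other account": pep.handle(alice, "/app/accounts/2002/statement"),
        "alice uncovered": pep.handle(alice, "/legacy/report"),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:20} {'ALLOW' if allowed else 'DENY':5} {reason}")
```

The three denial reasons map onto the three table rows: a URL with no covering rule is the coarse grained case, a role mismatch is the RBAC case, and the account-ownership check is the fine grained case that agents alone cannot evaluate. The "step-up required" result is what associating an authentication strength with a resource means in practice: the same user is admitted to /app/admin/* with an OTP session and refused with a password session, and the reason tells the agent which strength to redirect to.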