Pirean Access: One. integration with IBM Security Systems Software




Pirean Access: One Enhancing The Access Management User Experience through integration with IBM Security Systems Software

Welcome to Pirean Insight Guides, our series of regular papers by Pirean's expert team of consultants. In this edition, Senior Security Consultant Rob Macgregor discusses how the synergistic relationship between Access: One and IBM Security Systems Software enables an integrated, efficient and cost-effective approach to Identity and Access Management.

Rob Macgregor, Senior Security Consultant, Pirean Limited

www.pirean.com Copyright 2012 Pirean, all rights reserved. No part of this publication may be reproduced, stored in a retrieval system, used in a spreadsheet, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording or otherwise) without the permission of Pirean. Pirean and the Pirean logo are registered trademarks of Pirean Limited (UK). Registered in England No. 4453109

Introduction

For any secure application, the Identity and Access Management (IAM) process is the first point of contact for an end user, whether it be registration, gaining approval for access or, later, the process of logging in and maintaining their account. To ensure a user's confidence and trust in the services that they are accessing, it is important that the IAM process is simple, reliable and transparent. For example, where the user base is diverse the IAM system should address the individual in their native language, as well as allow effective communication of status, changes, etc. In complex corporate environments it is also important to maintain a uniform design theme, both to ensure consistency throughout the user experience and to reinforce the brand of the service. At the same time, security must remain paramount: the need for a simple user experience must be balanced with a comprehensive method of enforcing strong authentication and authorization policies at all times, to ensure systems are not left open or vulnerable to threats.

Usability: The Hidden Layer

When discussing Identity and Access Management solutions, it is usual to focus purely on aspects of control: what methods of authentication will we require of the user during login? How will we ensure that every user is compliant with our access policies? Clearly control is always at the root of IAM, but achieving control is only part of the picture in any practical solution. Consider the user login process: the login journey itself is only one of the journeys involved. We also need to handle aspects of single sign-on, self-registration, self-service, internationalization, legal terms and conditions acceptance, service bulletins, and so on. With so many different services coming together it's unsurprising that user journeys can often be fragmented and inconsistent, both functionally and within the presentation layer.

The Digital Concierge

If we compare our online services to an apartment block, the access management solution is like a doorman who scrutinizes arrivals and ensures that only tenants gain entry. But today's more service-oriented buildings require a concierge: a first point of contact with the premises who will not only fulfil the doorman's task, but provide other invaluable services (such as providing emergency access, signing for deliveries in your absence, and managing maintenance on your behalf), which in turn helps to underwrite the brand values of the establishment. Much of what the concierge delivers may not be required by each tenant on a day-to-day basis, but it makes a significant contribution to the smooth running of the apartment block and ultimately its reputation. If the duties of the concierge are not well executed, then the tenant's experience and perception of the quality of the building is impacted. As in the concierge analogy, an organization's online services for Access Management (login, step-up authentication, password request etc.) play a substantial part in the user's first impressions of the organization. Given that a key factor for visitor retention and satisfaction with a web site is usability, surely this applies as much to the processes of registration, account management and simply getting through the front door as to the content once your user has made it inside?

Pirean Access: One

Pirean's Access: One, in conjunction with IBM Security Systems Software, improves the presentation of all aspects of the IAM process to the end user: user provisioning, login, self-service and reporting. Its role is primarily as an integrator, tying together a number of other software components. As such, it offers real business benefits by accelerating the time to value of more specialized IAM software and allowing disparate systems to be integrated more easily and consistently.

Unifying The Access Management Experience

Access: One specializes in integrating with a variety of IAM components (user registries, identity and service providers, authentication gateways and authentication devices) through the implementation of application-specific workflows and authentication policies. Flexibility and extensibility are achieved by the use of a plug-in model, whereby access to each of the integrated components is handled by a set of modules that are sequenced into simple workflows in a central administrative console. Using Access: One, organizations are able to bring together the disparate services required to ensure integrity and service during the access and authentication process, and present them along user journeys that are accessible and consistent with the overall brand experience. Figure 1 illustrates a typical 2-factor login workflow, showing how each plug-in is responsible for a specific task (such as requesting and testing a user's ID and password, looking up user details, etc.). The execution and sequencing of the plug-ins is managed by Access: One, which controls progress through the workflow and handles presentation of web pages using the appropriate theme and language. Access: One can be reconfigured dynamically, without interrupting the service, using its administration console. The console also provides a simple reporting dialog for analysis of the audit data records (see Figure 2).

Figure 1 - Access: One Workflow Example. The user's access attempt is intercepted by ISAM; the user provides ID and password on the username/password form (LDAP Authentication verifies uid and password; if retries are exceeded, LDAP Update flags the user as locked out); LDAP Lookup fetches the user's mobile phone number; SMS Passcode Authentication generates the SMS challenge, the user receives the passcode in a text message and enters it into the one-time passcode form; ISAM EAI completes the login and ISAM authorises access to the application.

Figure 2 - Access: One Administration Console (Presentation, Theme and Language Support; Workflow Next-Step Logic; Auditing Service).

Access: One Integration with the IBM IAM Products

As we have discussed, Access: One is designed to orchestrate the dialogues and interactions that a user has with IAM services, during login and other related journeys. IBM Security Systems' portfolio of enterprise IAM software is both highly regarded and widely used throughout the corporate world. Businesses know that by choosing IBM they will get the rich functionality they need to address diverse requirements and challenges as part of an IAM platform. Implementing Access: One simplifies the development and deployment of a centralized Web Access Management (WAM) platform. By reducing risk and complexity, the time to value of implementing centralized Authentication and Authorization, Single Sign-On, Federated Identity Management and Strong Authentication is greatly reduced. Implementing Access: One in conjunction with IBM's Security Systems IAM portfolio provides a turnkey capability for complex IAM deployments without the need for specialist skills or in-house development. IAM projects can often become unduly extended, thanks to the complexities of corporate requirements and the need to integrate with existing systems. Combining the flexibility of Access: One with the power of the IBM software products can help to keep project costs under control and bring a faster return on software investment.

The IBM products that are most commonly integrated with Access: One are:

For login processing, access control and single sign-on: IBM Security Access Manager
For integration of access across distributed organizations: IBM Security Federated Identity Manager and Business Gateway
For management of the user provisioning lifecycle: IBM Security Identity Manager
For deep analysis of security threats: IBM QRadar

Figure 3 illustrates some of the core functions that Access: One can establish with IBM Identity and Access Management software, and the role it plays in each case.

Figure 3 - Access: One Relationships with IBM Security Systems Software. IBM Security Access Manager WebSEAL: external authentication provider and local-response-redirect service. Directories. IBM Security Identity Manager: integration of self-service with user enrolment and authorisation, self-service provisioning, automated access request fulfilment, password management and synchronisation. IBM Security Federated Identity Manager and other identity managers: operation as one side of a service provider/identity provider pair with ISFIM. SAAS applications and OAUTH resource servers: OAUTH client for RESTful web services. IBM QRadar: audit log database adapter (under development).

Access: One and IBM Security Access Manager

IBM Security Access Manager (ISAM) can help organizations to manage growth and complexity, control escalating management costs, and address the difficulties of implementing security policies across a wide range of Web and application resources. ISAM WebSEAL is a secure reverse web proxy, whose job is to enforce authentication and authorization policy on browser access to web applications. It also offers a foundation for single sign-on, by allowing a user to authenticate with one set of credentials and then access a number of target applications via a number of trust mechanisms. WebSEAL provides an enriched Access Management environment by offering a number of authentication methods including Strong Authentication, collecting session-specific information to enrich authentication and authorization decision making, and tailoring the interfaces and workflow based on the device and the user's location. However, for more esoteric requirements it is frequently necessary to extend WebSEAL by use of the External Authentication Interface (EAI), which allows an external application to orchestrate the login process and then pass control back to WebSEAL once the user authentication has succeeded. Access: One provides seamless integration with IBM Security Access Manager through this mechanism. WebSEAL also offers a facility called local response redirect. This causes the user to be directed to an external application whenever WebSEAL would normally present a page of its own. If that application is Access: One, all of the capabilities of the workflows are available to enrich the user experience.

IBM SECURITY ACCESS MANAGER: The IBM Security Access Management Family is a group of security management products which automate sign-on and authentication to enterprise web applications and services and provide entitlement management for fine-grained access enforcement.

Use Scenarios

SMS-based Two-Factor Authentication: The vulnerability of simple username/password login to compromise is well documented, so there is often a requirement to add another factor. Security theory categorizes different identification techniques as the "three somethings": something you know, something you have and something you are. The more varied the factors involved, the stronger the overall process. One "something you have" identification method that is almost universal is the mobile phone, which also happens to contain a device (the SIM) which 100% guarantees uniqueness. Access: One offers a simple method of authentication in which a random 6-digit PIN is generated and sent to the mobile phone number associated with the user who is logging in. To use this in combination with ISAM, we arrange for WebSEAL to pass control to Access: One, either for the whole of the login process, or as a result of a step-up. Figure 1 showed the former scenario. Let's look at the workflow in more detail.

Figure 4 - ISAM External Authentication Provider Scenario. ISAM WebSEAL (Access Enforcer) transfers control to the Access: One Request Router; the Access: One workflow runs LDAP Authentication, LDAP Lookup, SMS Passcode Authentication and ISAM EAI, then transfers back to WebSEAL with a user assertion.

The first step utilizes username and password to establish the ID of the user logging in. Access: One exercises strong control here: only if the user succeeds in providing valid credentials will the workflow proceed. The next step again references LDAP, to look up the mobile phone number of the user. The third step is the second factor: it generates a limited-lifetime random code and sends it to the user's mobile phone in an SMS message. It then presents a form for the user to enter the received code into. If this too is successful, the final step formats headers to pass the user identity and access level back to WebSEAL, so it can verify the user is permitted access and complete the login process.
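As an added example (not Pirean's code), the following Python models the four workflow steps just described together with the lockout branch of Figure 1, with the properties a reviewer would check for in an SMS second factor: a cryptographically random passcode, a bounded lifetime, a bounded number of guesses, single use, and constant-time comparison. The directory, SMS gateway, user records, retry limits and passcode lifetime are constructed stand-ins and assumed values, and the EAI header names are the defaults of WebSEAL's [eai] stanza, which the paper does not itself name.

```python
"""Model of the Access: One two-factor login workflow discussed above. Added example,
not Pirean's code: the LDAP registry, the SMS gateway and the user records are
constructed in-memory stand-ins; retry limits and passcode lifetime are assumed."""
import hmac
import secrets
import time
from dataclasses import dataclass

PASSCODE_TTL_SECONDS = 120   # "limited-lifetime random code" (assumed value)
MAX_PASSWORD_RETRIES = 3     # "Retries Exceeded?" branch of Figure 1 (assumed value)
MAX_PASSCODE_RETRIES = 3     # guesses allowed per SMS code (assumed value)

@dataclass
class UserRecord:
    uid: str
    password: str   # constructed sample; a real registry would hold a password hash
    mobile: str
    locked: bool = False
    failures: int = 0

class Directory:
    """Stand-in for the LDAP registry behind the Authentication/Lookup/Update steps."""
    def __init__(self, users):
        self.users = {u.uid: u for u in users}

    def authenticate(self, uid, password):
        user = self.users.get(uid)
        if user is None or user.locked:
            return False
        if not hmac.compare_digest(user.password, password):
            user.failures += 1
            if user.failures >= MAX_PASSWORD_RETRIES:
                user.locked = True   # LDAP Update: "Flag user as locked out"
            return False
        user.failures = 0
        return True

    def mobile_for(self, uid):
        return self.users[uid].mobile   # LDAP Lookup: fetch the user's mobile number

class SmsGateway:
    """Stand-in for the SMS service; records the messages it would have sent."""
    def __init__(self):
        self.sent = []
    def send(self, number, text):
        self.sent.append((number, text))

@dataclass
class Challenge:
    code: str
    expires_at: float
    attempts: int = 0

class TwoFactorWorkflow:
    def __init__(self, directory, sms, clock=time.time):
        self.directory, self.sms, self.clock = directory, sms, clock
        self.pending = {}   # uid -> outstanding Challenge

    def authenticate_password(self, uid, password):
        """Step 1: only valid credentials let the workflow proceed."""
        return self.directory.authenticate(uid, password)

    def send_passcode(self, uid):
        """Steps 2 and 3: look up the mobile number and send a random 6-digit PIN."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[uid] = Challenge(code, self.clock() + PASSCODE_TTL_SECONDS)
        self.sms.send(self.directory.mobile_for(uid), f"Your login code is {code}")

    def verify_passcode(self, uid, entered):
        """Step 3, passcode form: expired, exhausted and reused codes all fail."""
        challenge = self.pending.get(uid)
        if challenge is None:
            return False
        if self.clock() > challenge.expires_at:
            del self.pending[uid]
            return False
        challenge.attempts += 1
        if not hmac.compare_digest(challenge.code, entered):
            if challenge.attempts >= MAX_PASSCODE_RETRIES:
                del self.pending[uid]   # force a fresh SMS rather than more guesses
            return False
        del self.pending[uid]   # a code is accepted once only
        return True

    def eai_headers(self, uid, auth_level=2):
        """Step 4: the assertion handed back to WebSEAL. Header names are the
        WebSEAL EAI defaults (assumed here; they are configurable in webseald.conf)."""
        return {"am-eai-user-id": uid, "am-eai-auth-level": str(auth_level)}

def run_login(workflow, uid, password, read_passcode):
    """Drives the four steps in order; returns the EAI headers, or None on failure."""
    if not workflow.authenticate_password(uid, password):
        return None
    workflow.send_passcode(uid)
    if not workflow.verify_passcode(uid, read_passcode()):
        return None
    return workflow.eai_headers(uid)
```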

Portcullis Function

Almost every online system needs occasional scheduled downtime for maintenance or upgrade. Rather than ask the user to login only for them to find that the service is unavailable, it is friendlier to present the user with advance notification of outages, and then during the scheduled window completely replace the login process with an information page. Access: One allows this to be enabled dynamically, simply by switching the request mapping on the fly.

Figure 5 - A typical Portcullis page (information page with details of the outage)

Figure 6 shows how the normal request routing can be temporarily overridden, by updating the rules in the console and propagating them to the Access: One login servers. By never returning a user ID, WebSEAL knows that access must not be allowed.

Figure 6 - ISAM Portcullis Scenario. ISAM WebSEAL (Access Enforcer) transfers control to the Access: One Request Router, which routes to a Webpage instead of the normal login workflow (Presentation, Theme and Language Support; Workflow Next-Step Logic; Auditing Service).

Handling a Locked-Out Account

For many organizations, the increasing ubiquity of online services in recent years has been mirrored by a rise in the size and cost of help desk functions. Clearly this is a prime target for cost reduction, so anything that allows a user to rectify a problem themselves, instead of making a call to the helpdesk, is welcome. Consider a very common situation: the user has forgotten his password and, after a few failed attempts, is locked out of his account. The following diagram shows how ISAM and IBM Security Identity Manager (ISIM) could be used to provide a self-service solution, with Access: One facilitating the integration between the two. Figure 8 assumes that WebSEAL is configured to direct the user to Access: One when a locked user error occurs (for example, using local-response-redirect). The workflow triggered uses the ISIM password recovery challenge/response process to authenticate the user. If this is successful it will unlock the account and set a new password. Finally, it returns control to WebSEAL, asserting the ID so the user is immediately logged in.

Figure 7 - Forgotten Password page

Figure 8 - ISAM User Self-Reset Scenario. ISAM WebSEAL (Access Enforcer) raises "Error: User Locked" and passes the user to the Access: One Request Router; the Access: One workflow runs ISIM C/R Authentication and ISIM Change Password against ISIM User Provisioning, then ISAM EAI returns the authenticated user to WebSEAL.

Access: One and IBM Security Federated Identity Manager

IBM Security Federated Identity Manager (ISFIM) is a multi-faceted product that provides web and federated single sign-on (SSO) to end users across multiple applications, using browser-based integration and open standards. It supports a wide range of roles, as identity provider, consumer and a source of identification tokens, using a large number of protocols. Access: One includes federation protocol support as a standard feature for the most common modes of SAML2 (SSO with HTTP redirect and POST). This allows single sign-on to a number of cloud-based SAAS services. In these modes it can also operate as a peer to ISFIM, either in an identity provider or service provider role. However, for more complex types of federation protocol, ISFIM alone will provide the solution. In these cases there is still a role for Access: One, as ISFIM is generally deployed with ISAM, which has the enforcement role, so the EAI and local-response-redirect scenarios described above will be valid.

ISFIM also contains an OAUTH resource authorization service provider. The OAUTH protocol is an extension of the so-called Facebook Model, whereby a client application can ask the user to allow it to access resources on a third-party server, without entering credentials for the resource server into the client. In the ISFIM case, it is handling the Resource Server end of the protocol. Access: One provides an OAUTH client plug-in that handles the client end of the protocol, allowing it to access resources on social network sites, such as Facebook and LinkedIn. This same plug-in can provide access to resources held in an ISFIM-protected resource server.

Use Scenarios

Federated Hub and Spoke: One of the characteristic features of a federated solution is the range of elements and protocols that may be involved. ISFIM is ideally suited to facilitating such solutions, because of the number of standards it supports and the wide range of roles it can play. For example, imagine a scenario where a company is offering services to a number of partners or suppliers, as illustrated in Figure 9. In this case the versatility of ISFIM, combined with the capabilities of Access: One, allows you to easily implement a service provider model for a range of different identity provider types: as a relying party, generating security tokens (such as Kerberos tickets) for consumption by target services, and as a WS-Trust broker for secure web services.

Figure 9 - ISFIM Hub and Spoke Scenario (Liberty Federation IDP via Liberty protocol; SAML 2 protocol; ISFIM Federated Access Services; Kerberos token service; Shared Applications; DataPower XML gateway handling Web Service Requests; WS-Trust IDP).

Access to Application Resources through OAUTH 2

The OAUTH protocol emerged as a method to allow an application (the "client application") to request the user for access to personal account information held by a third-party application (the "resource owner"), such as Facebook. It would be possible to do this by asking the user for login credentials and then relaying them to the resource owner, but this would be contrary to good practice and would leave the user open to a number of attacks. ISFIM provides the OAUTH 2 authorization server component that handles access requests on behalf of the resource owner. The following diagram illustrates a scenario whereby an application can use OAUTH services with Access: One operating as a proxy client on its behalf. Whilst the process looks a little complicated, it is actually quite simple. There are two workflows involved, the first of which handles the interactive process of requesting access to resources, with the second operating asynchronously and allowing the client application to retrieve information from the resource server. The objective of this setup is to allow the client application to make use of OAUTH-derived resources without having to implement OAUTH itself.

Figure 10 - OAUTH Resource Retrieval with ISFIM as the OAUTH Authorization Server. The Client Application redirects to the Access: One Request Router to request authorization; the OAUTH authorization workflow (OAUTH Request Authorization, OAUTH Get Access Token) redirects to the ISFIM OAUTH Authorization Server, is redirected back to get the token, and then redirects back to the client application. Later, a Web Service request from the client application runs the OAUTH Web Service workflow (OAUTH Request Resource) and returns the Web Service response. Supporting services: Presentation, Theme and Language Support; Workflow Next-Step Logic; Auditing Service.

IBM SECURITY FEDERATED IDENTITY MANAGER: IBM Security Federated Identity Manager enables the flow of identity across domains; it does this for Web applications, services connected to an Enterprise Service Bus (ESB), point-to-point Web services and programmatic access to mainframe systems. From a Web application perspective, the Federated Single-Sign-On aspects provide secure, open-standards-based single-sign-on across independent Web domains. Linking of domains is inherent to an SOA, and Federated Identity Manager enables the flow of identity across domains. It can augment the functionality provided by an ESB to allow services to connect to the bus and access other services, without identity-specific code being written into the service implementations. This reduces development time and time to delivery, and helps realize the potential business benefits from the flexibility and responsiveness-to-change aspects of SOA.
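The two workflows of Figure 10, as an added example that is not Pirean's or IBM's code: a proxy client runs the interactive authorization request on behalf of a client application and later retrieves a resource with the token it holds, against in-process stand-ins for the ISFIM authorization server and the resource server. Client ids, secrets, URLs and profile data are constructed sample values; the checks shown (a state value bound to the application session, a single-use authorization code, client authentication at the token exchange) are what lets the application obtain the resource without ever handling the user's credentials, which is the practice the paper warns against.

```python
"""Model of the two OAUTH 2 workflows in Figure 10. Added example, not Pirean's or
IBM's code: ProxyClient plays the Access: One proxy-client role, AuthorizationServer
and ResourceServer are in-process stand-ins for the ISFIM end, and every id, secret,
URL and profile value is a constructed sample."""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

class AuthorizationServer:
    """Issues single-use authorization codes and bearer tokens (ISFIM's role)."""
    def __init__(self, clients, clock=time.time):
        self.clients = clients   # client_id -> (client_secret, registered redirect_uri)
        self.codes, self.tokens, self.clock = {}, {}, clock

    def authorize(self, client_id, redirect_uri, state, consented, resource_owner):
        """The user logs in here (never at the client) and grants or refuses access."""
        if redirect_uri != self.clients[client_id][1]:
            raise ValueError("redirect_uri does not match the client registration")
        if not consented:
            return f"{redirect_uri}?{urlencode({'error': 'access_denied', 'state': state})}"
        code = secrets.token_urlsafe(24)
        self.codes[code] = (client_id, resource_owner, self.clock() + 60)
        return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"

    def token(self, client_id, client_secret, code):
        """Back-channel exchange: a code is redeemed once, by the client it was issued to."""
        registered = self.clients.get(client_id)
        if registered is None or not secrets.compare_digest(registered[0], client_secret):
            raise PermissionError("invalid_client")
        entry = self.codes.pop(code, None)
        if entry is None or entry[0] != client_id or self.clock() > entry[2]:
            raise PermissionError("invalid_grant")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (entry[1], self.clock() + 3600)
        return token

class ResourceServer:
    """Serves the resource owner's profile to holders of a valid bearer token."""
    def __init__(self, auth_server, profiles):
        self.auth_server, self.profiles = auth_server, profiles

    def get_profile(self, bearer_token):
        entry = self.auth_server.tokens.get(bearer_token)
        if entry is None or self.auth_server.clock() > entry[1]:
            raise PermissionError("invalid_token")
        return self.profiles[entry[0]]

class ProxyClient:
    """Access: One's OAUTH client plug-in: runs both workflows for an application
    that never sees the user's credentials or the access token itself."""
    def __init__(self, client_id, client_secret, redirect_uri, auth_server, resource_server):
        self.client_id, self.client_secret, self.redirect_uri = client_id, client_secret, redirect_uri
        self.auth_server, self.resource_server = auth_server, resource_server
        self.pending_states, self.tokens = {}, {}   # both keyed by application session

    def begin_authorization(self, session_id):
        """Workflow 1, 'Redirect to request authorization': state ties the callback to the session."""
        state = secrets.token_urlsafe(16)
        self.pending_states[session_id] = state
        return {"client_id": self.client_id, "redirect_uri": self.redirect_uri, "state": state}

    def complete_authorization(self, session_id, callback_url):
        """Workflow 1, 'Redirect back' then 'Get token': a callback with a foreign state is refused."""
        params = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
        expected = self.pending_states.pop(session_id, None)
        if expected is None or not secrets.compare_digest(expected, params.get("state", "")):
            raise PermissionError("state mismatch: callback is not tied to this session")
        if "error" in params:
            raise PermissionError(params["error"])
        self.tokens[session_id] = self.auth_server.token(
            self.client_id, self.client_secret, params["code"])
        return True

    def fetch_profile(self, session_id):
        """Workflow 2, 'OAUTH Request Resource', run later on a web service request."""
        token = self.tokens.get(session_id)
        if token is None:
            raise PermissionError("no authorization held for this session")
        return self.resource_server.get_profile(token)

def demo():
    """Runs both workflows end to end and returns the profile handed to the application."""
    auth = AuthorizationServer({"access-one": ("client-secret", "https://sso.example/oauth/cb")})
    res = ResourceServer(auth, {"alice": {"name": "Alice", "email": "alice@example.com"}})
    proxy = ProxyClient("access-one", "client-secret", "https://sso.example/oauth/cb", auth, res)
    request = proxy.begin_authorization("sess-1")
    callback = auth.authorize(request["client_id"], request["redirect_uri"],
                              request["state"], True, "alice")
    proxy.complete_authorization("sess-1", callback)
    return proxy.fetch_profile("sess-1")
```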

Access: One and IBM Security Identity Manager

IBM Security Identity Manager (ISIM) provides full lifecycle management of user identities, allowing accounts and entitlements across multiple systems, applications and databases to be managed centrally, based on policy rules and approval cycles. It also forms a base for assessing policy compliance, separation of duties and role profiling. ISIM includes a number of self-service facilities, but as discussed already, it is often a requirement that the self-service journeys are incorporated within other access control flows. Access: One incorporates a comprehensive set of capabilities for integrating with ISIM that allow user registration, self-service, and access request functions to be embedded within the Access: One workflows, and ISIM provisioning processes to be triggered and monitored as a result of authentication actions or errors. One particular area of integration lies around password recovery. The Access: One ISIM plug-in can make use of the ISIM password recovery challenge/response mechanism, so that in addition to being used as intended, it may also be used as a secondary authentication factor for special access requests.

Use Scenarios

Please refer also to the earlier ISAM scenario, which incorporated an ISIM update as part of a self-service process.

Terms and Conditions Page: It is often a legal requirement when a user logs in to an application for the first time, for them to be presented with a disclaimer or terms and conditions page, which they must agree to before continuing. With Access: One, interstitial pages of this type can be easily introduced into a workflow, using the WebPage mentioned previously. However, if the page only needs to be displayed once, a way of tracking which users have accepted it and which have not is required. One approach would be to implement a flag in ISIM, which the Access: One workflow can query before displaying the page and update once the acceptance has been received.

Figure 11 - A Terms and Conditions page added via Access: One

IBM SECURITY IDENTITY MANAGER: Security Identity Manager is an automated, policy-based solution that manages user access across IT environments. Through the use of roles, accounts, and access permissions, it helps automate the creation, modification, and termination of user privileges throughout the entire user lifecycle. It also enhances identity governance with separation of duties, checks user certification and enables group management. Role mining and lifecycle management, provided by the IBM Security Role and Policy Modeler component, help reduce the time and effort to design a role and access structure for the enterprise, and automate the process to validate the access information and role structure with the business owners.

Access: One and IBM QRadar

IBM QRadar is a security analytics application that can track vulnerabilities in real time by cross-referencing activity from a wide range of security components with various threat databases, including IBM's X-Force database. The QRadar adapter for the Access: One audit database will allow authentication, login, and provisioning information (such as password resets and account lockouts) to be included in the data stream under analysis. The well-structured nature of the Access: One audit data will facilitate correlation with information from firewalls, content scanners and intrusion detection systems.

IBM QRADAR: The IBM QRadar Security Intelligence Platform integrates previously disparate functions, including security information and event management (SIEM), risk management, log management, network behavior analytics and security event management, into a total security intelligence solution, making it the most intelligent, integrated and automated security intelligence solution available. QRadar provides users with crucial visibility into what is occurring with their networks, data centers and applications to better protect IT assets and meet regulatory requirements.

IBM'S X-FORCE DATABASE: The IBM X-Force research and development team provides the foundation for a pre-emptive approach to Internet security. The X-Force team is one of the best-known commercial security research groups in the world. This group of security experts researches and evaluates vulnerabilities and security issues, develops assessment and countermeasure technology for IBM products, and educates the public about emerging Internet threats. The IBM X-Force database is the world's most comprehensive threats and vulnerabilities database. It is the result of thousands of hours of research by the X-Force team, and much of the data is used to power the pre-emptive protection delivered by IBM products.

WebTop: simplifying the user access experience

As we have seen, Access: One can play an important role in binding together the functions of the IBM Security Systems IAM portfolio. Although we have focused on the functional aspects of this, presentation is often equally important. Consider the scenario where a new employee joins the organization: this can be a time-consuming part of the user lifecycle, and the new recruit can spend a significant portion of their first days and weeks of employment going through user registration, learning what IT resources they have access to, where to find them, and what further resources they need to ask for. Additionally, getting every new user up and running also places a burden on the IT helpdesk. From a management point of view, expediting this process by directing the new user to a place where they can find the applications they need to use, and link to the processes they need to follow, results in the new employee becoming a productive resource in a significantly shorter period of time.

Access: One's Webtop provides a dynamic desktop view for web-based applications, publishing an end-user workspace customized according to a user's access rights and authentication level, from where they can view and launch the applications which they're authorized to access, as well as request access to new applications or perform common self-service requests (such as password reset requests). Whether accessed via a desktop, laptop or mobile device, the use of Access: One's Webtop ensures that the user experience and security remain exactly the same, regardless of platform. Figure 15 illustrates how Webtop acts as a visual hub, linking up provisioning processes and application access from a single screen.
Since all the linkages can exploit the flexibility of Access: One workflows, Webtop allows a consistent look and feel across mobile and traditional computing devices, with the flexibility to adjust login and security patterns based on device and session criteria.

Figure 12 - Prior to the user logging in, Access: One's Webtop only presents applications that are publicly available

Figure 13 - Upon login, the user is presented with applications they have access to, those that will require further step-up authentication, and applications they can request access to

Figure 14 - Once access has been granted to an application, or the user has logged in using step-up, the application remains available during the session

Figure 15 - Access: One's Webtop acts as a visual hub, linking provisioning processes and application access from a single screen (components shown: Directories; IBM Security Access Manager WebSEAL; IBM Security Identity Manager; Other Identity Managers; IBM Security Federated Identity Manager; SaaS applications)
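Figures 12 to 14 describe a three-state model: before login only public applications are listed; after login each application is either launchable, requires step-up authentication, or can be requested; and once step-up has been completed the application stays available for the rest of the session. The following is an added example written for this page to make that model concrete; it is not Pirean's Webtop implementation. The application attributes (`public`, `required_role`, `required_level`, `requestable`), the numeric authentication-level scale and the sample catalogue are all constructed assumptions.

```python
"""Added example (not Pirean's Webtop implementation): compute which
applications a Webtop-style workspace should show, and in which state, from
the user's entitlements and the session's current authentication level.
The application attributes and the numeric authentication levels are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

ANONYMOUS, PASSWORD, STEP_UP = 0, 1, 2   # assumed authentication-level scale


@dataclass(frozen=True)
class App:
    name: str
    public: bool = False                 # listed before login (Figure 12)
    required_role: Optional[str] = None  # entitlement needed once logged in
    required_level: int = PASSWORD       # authentication level needed to launch
    requestable: bool = True             # may an unentitled user ask for access?


@dataclass
class Session:
    user: Optional[str] = None
    roles: Set[str] = field(default_factory=set)
    auth_level: int = ANONYMOUS

    def login(self, user: str, roles: Set[str]) -> None:
        self.user, self.roles, self.auth_level = user, set(roles), PASSWORD

    def step_up(self, level: int) -> None:
        # Step-up is recorded on the session, so the application stays
        # available for the rest of the session (Figure 14).
        self.auth_level = max(self.auth_level, level)


def classify(app: App, session: Session) -> Optional[str]:
    """Return the state an app should be shown in, or None to hide it."""
    if session.user is None:
        return "available" if app.public else None
    entitled = app.public or app.required_role is None or app.required_role in session.roles
    if not entitled:
        return "requestable" if app.requestable else None
    if session.auth_level >= app.required_level:
        return "available"
    return "step_up_required"


def build_webtop(apps: List[App], session: Session) -> Dict[str, List[str]]:
    """Group the catalogue into the three lists a Webtop screen would render."""
    view: Dict[str, List[str]] = {"available": [], "step_up_required": [], "requestable": []}
    for app in apps:
        state = classify(app, session)
        if state is not None:
            view[state].append(app.name)
    return view


# Constructed application catalogue.
CATALOGUE = [
    App("Company intranet", public=True, required_level=ANONYMOUS),
    App("Expenses", required_role="employee"),
    App("HR self-service", required_role="employee", required_level=STEP_UP),
    App("Payroll admin", required_role="hr", required_level=STEP_UP),
    App("Board papers", required_role="director", required_level=STEP_UP, requestable=False),
]


def demo_journey() -> List[Dict[str, List[str]]]:
    """The three screens of Figures 12-14 for one constructed user."""
    session = Session()
    before_login = build_webtop(CATALOGUE, session)
    session.login("jsmith", {"employee"})
    after_login = build_webtop(CATALOGUE, session)
    session.step_up(STEP_UP)
    after_step_up = build_webtop(CATALOGUE, session)
    return [before_login, after_login, after_step_up]


if __name__ == "__main__":
    for screen in demo_journey():
        print(screen)
```

Two design points are worth noting. Entitlement and authentication level are evaluated separately, so an application the user is entitled to but has not yet authenticated strongly enough for is shown (as requiring step-up) rather than hidden, which is what lets the workspace double as the prompt for step-up. And the step-up result lives on the session object, not on the individual application, so a single step-up unlocks every application at that level for the remainder of the session.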

Summary

In this paper we have shown how Pirean Access: One can add to the value of the IBM Security Systems portfolio by providing a centralized resource from which to speed delivery times and add rich and flexible capabilities. Additionally, it can extend the brand experience to services that are more commonly overlooked, enabling disparate Access Management services (such as implementing access control policy, providing information services, and offering the user help on first access and when they have locked themselves out) to be brought together and presented in a way that is both usable and flexible enough for a satisfying user journey.

To find out how Pirean can enable your enterprise visit www.pirean.com call +44 (0)845 226 0542 or email info@pirean.com Head Office (UK): Pirean Limited, Faretec, Cams Hall Estate, Fareham, Hants. PO16 8UY SWITCHBOARD: +44(0)845 226 0542 FAX: +44(0)845 226 2742 www.pirean.com @pirean www.linkedin.com/company/pirean-ltd

www.pirean.com Copyright 2012 Pirean, all rights reserved. No part of this publication may be reproduced, stored in a retrieval system, used in a spreadsheet, or transmitted in any form or by any means electronic, mechanical, photocopying, recording or otherwise without the permission of Pirean. Pirean, and the Pirean logo are registered trademarks of Pirean Limited (UK). Registered in England No. 4453109