Extranet Access Management Web Access Control for New Business Services




An Evidian White Paper

Increase your revenue and the ROI for your Web portals

Summary:
- Increase Revenue
- Secure Web Access Control with SSO

2013 Evidian The information contained in this document represents the view of Evidian on the issues discussed at the date of publication. Because Evidian must respond to changing market conditions, it should not be interpreted as a commitment on the part of Evidian, and Evidian cannot guarantee the accuracy of any information presented after the date of publication. This is for informational purposes only. EVIDIAN MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. We acknowledge the rights of the proprietors of trademarks mentioned in this book.

Contents

- Increase Revenue (p. 4)
- Protecting and Managing Enterprise Internet Access (p. 6)
- Increase the return on investment for your web portal by extending it to enterprise applications (p. 7)
- SAM Web Controls the Accesses to the Insurance Company's Applications (p. 8)
- Controlling Access Centrally or on the Applications (p. 8)
- Keeping an Access Control List up to date (p. 8)
- Simplified Access with Web SSO and a Personalized Welcome Page (p. 8)
- SAM Web Speeds Up Web Services Implementation (p. 9)
- Secure Web Access Control with SSO (p. 10)
- Control and Secure User Access (p. 10)
- Enforce Access Control for any Applications (p. 10)
- Control Access to Applications and URLs (p. 10)
- Dynamic Authorizations (p. 10)
- Authentication Methods (p. 11)
- Track all User Activity (p. 11)
- Encrypt Confidential Data (p. 11)
- Protect Web Resources Against Attacks (p. 12)
- Creating User Accounts (p. 12)
- Using the Enterprise LDAP Directories (p. 12)
- Account Creation by the User (p. 12)
- Reinitializing a Primary Password (p. 12)
- Using Multiple Identities (p. 12)
- Universal Single Sign-On (p. 12)
- Improve the User Experience and Security with Single Sign-On (p. 13)
- Single Sign-On to External Web Sites (p. 13)
- Personalize the End-user's Web Environment (p. 13)
- The User Can Opt to Manage Sensitive Passwords Himself (p. 13)
- Extensible to J2EE, SOA and Web Services Project Accesses (p. 14)
- Extensible to Non-Web Access and Legacy Applications (p. 14)
- Instant Security for a Low Cost of Ownership (p. 14)
- A Non-intrusive Solution for Easy Deployment (p. 14)
- More Effective Administration (p. 15)
- Lower Ownership Costs (p. 15)

39 A2 08LT Rev02 3

Increase Revenue

A large B2B insurance company has found a simple way to increase its revenue: selling a new service to its existing enterprise customers. The new service allows enterprise customers to delegate contract management and accident declaration inside their own organization. With this new service:

- HR departments can manage the list of attributes of contracts and insured employees directly, through a web application.
- Employees can fill out their own accident declarations and obtain any information they may need about their personal situation.

Figure 1. New Service (roles at the enterprise customer: the HR Manager, as Super User, declares new employees and modifies contract attributes; Employees, as Users, declare accidents and consult their personal information)

For the customer enterprise, this new service:

- Speeds up insurance operations by delegating contract management to the HR department.
- Lowers the central cost of insurance contract management by delegating accident declaration to the customer enterprise's employees, and by implementing an information self-service.

The accessed data is critical for the insurance company. Since the data is used to compute invoices and premium reimbursements, it can affect the bottom line of the enterprise. Since the data may contain personal health information, it can engage the insurance company's legal responsibility.

At the same time, the security risks are significant:

- The people using the new services are not insurance company employees.
- The security rules for their workstations are not managed by the insurance company's security policy.
- Users access the service through the "wild, wild web".

In a second phase, the insurance company wishes to build on the investments made in its web project by extending it to the staff of its own enterprise and to their web applications spread over several organizations. To limit costs, minimize vulnerabilities and maximize staff efficiency, these new services must be based on the authentication and administration services set up in the first phase of the project.

Protecting access to data is a key issue for the business success of this new service.

Protecting and Managing Enterprise Internet Access

In order to protect its data, the insurance company has implemented a secure web access point with three main functions:

- A network filter, implementing standard firewall mechanisms
- An HTML code filter, implementing high-level HTML code analysis to protect against malicious incoming code
- User access control, implementing strong authentication and access authorization checks to protect against malicious users

Figure 2. Strong Access Control Point (enterprise customer users, the HR Manager/Super User and Employees/User, reach the Customers & Contracts and Premium Calculation applications through two firewalls, the HTML Code Filter and Access Management backed by an LDAP directory: Secure Access Manager - Web Edition)

Increase the return on investment for your web portal by extending it to enterprise applications

To control its employees' access and protect the data on the web applications spread all over its organizations, this insurance company has introduced modules known as Web agents on each of the target web servers.

Figure 2.1. Architecture (employees' browsers authenticate over SSL to SAM Web, which serves the Welcome Page and provides SSO; SAM Web Agents in front of MySAP Enterprise and WebLogic enforce access, and SAM Web Audit records activity)

In the present case, the web agents are installed on the web servers of two organizations: Finance and Internal Publications. The web agents of the Finance organization secure access to MySAP, while the web agents of the Internal Publications organization secure access to WebLogic.

This architecture uses the same authentication and administration server deployed with the Evidian security gateway. The administration server enables you to define and implement an enterprise-specific security policy. However, the employee LDAP base is different from the one used for the partners' accesses.

The following security functions are implemented:

- Authentication of users based on password, and on their profile for direct access to the Finance and Internal Publications URLs
- Single Sign-On

To enable the enterprise to become ever more efficient and cooperate more closely with its partners, the solution would allow this architecture to be extended to partner Web Services. It would also allow the enterprise to deploy commercially available or open-source J2EE server applications.

SAM Web Controls the Accesses to the Insurance Company's Applications

SAM Web is a web security gateway that intercepts every HTTP request and verifies the associated user's access rights.

Controlling Access Centrally or on the Applications

Each time a customer requests a URL, SAM Web checks the customer's access rights before allowing or, if necessary, denying the request. The SAM Web access control modules are placed either at the entrance to the most protected area of the information system (gateway mode), or on the server hosting the application to be protected (Web agent mode).

In the first phase of the project, the insurance company uses SAM Web in gateway mode within the DMZ. SAM Web is thus a mandatory gateway to the applications: all application accesses must be authorized. In the second phase, the company deploys web agents on its application servers spread over different organizations.

Keeping an Access Control List up to date

The insurance company has delegated the role of "user access manager" for enterprise customer employees to the HR managers: it is these HR managers who can declare, modify, and remove the access rights of their employees. The delegated management application is an in-house application that feeds the SAM Web LDAP directory to implement access rules.

Simplified Access with Web SSO and a Personalized Welcome Page

The SAM Web Single Sign-On feature simplifies access by providing:

- Primary authentication when the user first connects to SAM Web
- A welcome page that shows only authorized applications
- Transparent secondary access to target applications without supplementary user authentication, whatever the primary authentication method (OTP or login/password). This function is called Single Sign-On.

SAM Web Speeds Up Web Services Implementation

The simple and powerful SAM Web architecture is a key factor for secure deployment of new web business services.

SAM Web Features:
- Non-intrusive solution and integration with LDAP directories
- Robust authentication, SSO and URL control
- Reverse Proxy Architecture or Web Agent
- Centralized Administration: SAM Web Management Console
- Centralized Audit

Implementing new Web Services:
- Accelerate the creation of 24x7 on-line web access
- Guarantee the security and confidentiality of information. Access to information is dynamically implemented according to each user's characteristics.
- Separate security from web applications and allow the use of customized architectures
- Add new web servers and applications simply
- Fewer clicks to revoke job-relevant access
- Track all user and administrator activities

Secure Web Access Control with SSO

Control and Secure User Access

Traditionally, as businesses move online, security enforcement falls to the administrators of each application. As applications are added, the number of administrators and security policies quickly becomes unmanageable. This patchwork approach to security results both in security breaches and in end-user frustration.

Enforce Access Control for any Application

SAM Web allows you to define and manage which applications and resources users can access. Instead of having each resource manager control security on their own servers, SAM Web centralizes access control management of web resources. Through an easy-to-use console, an administrator can control user access dynamically. New employees can be added to the appropriate groups and gain access to multiple applications immediately. With SAM Web, former partners and employees can be deprived of access to company services with a mouse click. With SAM Web, you can enforce a comprehensive security policy across internal as well as external web resources.

Control Access to Applications and URLs

The SAM Web URL access control modules can be placed either at a security gateway sitting in-line on the network path, or on the application servers themselves. SAM Web allows three architecture types:

- A purely "gateway" architecture, in which the access control module is placed in-line on a single gateway
- A purely "Web agent" architecture, in which the access control module is placed on the application servers to be protected
- A mixed "Web agent"/"gateway" architecture in which, depending on the security policy, the network and application architecture and the optimization of network flows, the control points may be located either in-line at the gateway or on the servers.

Dynamic Authorizations

URL and application access authorizations can be calculated dynamically using simple "And", "Or", "Not" rules applied to the user attributes available in the LDAP directory. These rules are centrally defined by the administrator and then applied by the access control modules.
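The rule model described above, as an added example that is not Evidian's code: a small access control module that evaluates "And"/"Or"/"Not" rules over a user's LDAP attributes for each requested URL, denies anything no rule covers, and derives the welcome page of authorized applications from the same policy. Attribute names, URL prefixes and user entries are constructed for illustration.

```python
"""Added example (not Evidian's code): dynamic URL authorizations computed from
And/Or/Not rules over LDAP user attributes, plus the welcome page derived from
them. Attribute names, URLs and users below are constructed for illustration."""
import posixpath
from typing import List, Mapping, Optional, Set

Attrs = Mapping[str, Set[str]]   # LDAP entry: attribute -> set of values

# Rule grammar (nested tuples):
#   ("attr", name, value)  -> true when LDAP attribute `name` holds `value`
#   ("and", r1, r2, ...)   -> every sub-rule true
#   ("or",  r1, r2, ...)   -> at least one sub-rule true
#   ("not", r)             -> sub-rule false
def evaluate(rule: tuple, attrs: Attrs) -> bool:
    op = rule[0]
    if op == "attr":
        _, name, value = rule
        return value in attrs.get(name, set())
    if op == "and":
        return all(evaluate(r, attrs) for r in rule[1:])
    if op == "or":
        return any(evaluate(r, attrs) for r in rule[1:])
    if op == "not":
        return not evaluate(rule[1], attrs)
    raise ValueError(f"unknown rule operator {op!r}")

# Centrally defined policy: protected URL prefix -> rule. A URL that matches
# no prefix is denied, since the gateway is the mandatory access point.
POLICY = {
    "/hr/contracts": ("attr", "role", "hr-manager"),
    "/hr/employees": ("or", ("attr", "role", "hr-manager"),
                            ("attr", "role", "super-user")),
    "/claims/declare": ("and", ("attr", "employeeType", "insured"),
                               ("not", ("attr", "accountStatus", "suspended"))),
    "/selfservice": ("attr", "employeeType", "insured"),
}

def _matching_prefix(path: str) -> Optional[str]:
    """Longest policy prefix covering `path`, matched on whole path segments
    so that '/hr/contractsX' is not treated as '/hr/contracts'."""
    best = None
    for prefix in POLICY:
        if path == prefix or path.startswith(prefix + "/"):
            if best is None or len(prefix) > len(best):
                best = prefix
    return best

def authorize(url: str, attrs: Attrs) -> bool:
    """Decide one request. The query string is ignored and the path is
    normalised first, so '/hr/../claims/declare' is judged as
    '/claims/declare' rather than as an HR URL."""
    path = posixpath.normpath(url.split("?", 1)[0])
    prefix = _matching_prefix(path)
    if prefix is None:
        return False
    return evaluate(POLICY[prefix], attrs)

def welcome_page(attrs: Attrs) -> List[str]:
    """Applications to show on the personalised welcome page: only those
    whose rule the user currently satisfies."""
    return sorted(p for p, rule in POLICY.items() if evaluate(rule, attrs))

# Constructed LDAP entries for the roles in the white paper's scenario.
USERS = {
    "hr.manager": {"role": {"hr-manager"}, "employeeType": {"staff"}},
    "super.user": {"role": {"super-user"}},
    "insured.1": {"employeeType": {"insured"}, "accountStatus": {"active"}},
    "insured.2": {"employeeType": {"insured"}, "accountStatus": {"suspended"}},
}

if __name__ == "__main__":
    for user, attrs in USERS.items():
        print(user, welcome_page(attrs))
```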

Authentication Methods

SAM Web can authenticate users with different methods, such as:

- Classical identifier and password
- Virtual keyboard for identifier and password. This lets you enter your identifier and password by clicking on a keyboard displayed on the PC's screen. A virtual keyboard improves the protection of the identifier and password against key loggers, without using a strong authentication device.
- One-time password
- Smart card with X.509 certificates
- X.509 certificates (including CRL and OCSP)
- Kerberos token
- SAML token (e.g. VPN access)
- Radius-based authentication

Track all User Activity

Any proper access management policy requires monitoring. SAM Web tracks all user accesses and access attempts, in order to protect web resources and enable security administrators to monitor who has accessed what and when. SAM Web is compatible with log analysis tools such as NetIQ WebTrends, which makes it easier for administrators to review security audit records.

Manage Securely and Quickly Multiple Web Accesses:
1. Separation between the security infrastructure and application deployment.
2. A non-intrusive solution without any development.
3. High scalability and availability.

Encrypt Confidential Data

To guarantee the confidentiality of the data exchanged on the Internet, the partners must open encrypted sessions. As more and more companies now work online, encrypting each web application is becoming a problem, because not all applications can be encrypted. With SAM Web, all communications with the browser can be encrypted. Customers, employees and partners can communicate in full confidence within the community of sites managed by SAM Web.

Protect Web Resources Against Attacks

SAM Web helps prevent attacks against web resources exposed on the Internet. The SAM Web gateway hides the real address of web resources: it alters the URLs of web applications to prevent hackers from learning the network topology. SAM Web also acts as a gatekeeper for all web accesses, making it easier to protect web applications that require an access code against worms and other attacks.

Creating User Accounts

SAM Web integrates consistently into existing user management processes.

Using the Enterprise LDAP Directories

SAM Web reuses the user definitions contained in the enterprise's different LDAP directories. The LDAP directories may come from different suppliers, have different structures and be located on different sites.

Account Creation by the User

Depending on the existing security policy, a user may be authorized to create a personal account in a predefined LDAP directory by connecting to SAM Web. The account can then be integrated by an administrator into the company's general access control policy.

Reinitializing a Primary Password

When a user forgets his or her primary password, SAM Web offers the user the possibility to reinitialize this primary password using a question/answer form. The user does not need any assistance from the help desk. The password creation policy defined by the enterprise (number of characters, non-reuse of an existing password, etc.) is then applied.

Using Multiple Identities

A user can access several domains using the same name. Each identity is then defined in a different LDAP directory; these are referred to as different domains. The domains may, for instance, correspond to different enterprises, subsidiaries or organizations. SAM Web enables the user to choose his domain during initial authentication. He is then granted the rights associated with the identity of the domain he has chosen.

Universal Single Sign-On

Traditional security solutions impede efficiency and taint the user experience. SAM Web's streamlined approach to security improves user loyalty. By facilitating navigation with single sign-on and improving the user experience with customized content, SAM Web improves user productivity and confidence.

Improve the User Experience and Security with Single Sign-On

When users are expected to provide a password for each internal and external application, enforcing security gets in the way of doing business. Managing multiple sets of login information is time-consuming and frustrating. Users find shortcuts such as choosing weak passwords or leaving them in conspicuous places. Password-related help-desk calls make up a significant portion of help-desk costs. Multiple passwords not only impede business by damaging the user experience and productivity, they also lead to security breaches.

With SAM Web, customers, partners or employees access internal and external Web resources with one user name and password. After an initial authentication by SAM Web, they can navigate freely among the resources that they are allowed to access. Transparently to the user, SAM Web supplies each application with the appropriate password, in particular by means of forms.

Single Sign-On to External Web Sites

With the activity of organizations extending beyond the firewall across multiple domains, single sign-on needs to follow the same path: intranet portals often allow access to purchasing web sites or subscription services, and extranets can cover multiple partner sites. With SAM Web, portal managers can control their web environment by adding and removing resources dynamically. Users can access resources outside of the enterprise without being prompted for another password. SAM Web's Single Sign-On solution improves security and the user experience, and reduces help desk calls.

Personalize the End-user's Web Environment

While navigating the Web is notoriously impersonal, as users often have irrelevant links on their welcome page, SAM Web customizes the user experience, giving users a feeling of community. With SAM Web, users in certain industries and geographic areas can be provided with personal information and access. Customers' and partners' access to services can be multi-tiered. This ability to respond to users' needs makes users feel like members of a trusted community by providing seamless navigation between authorized applications.

The User Can Opt to Manage Sensitive Passwords Himself

Passwords can be managed either by the manager or by the end-user. Group passwords can be transparent to the users. For instance, the manager can grant members of a certain group access to analyst reports without informing them of the company password. Similarly, when employees access their web mail accounts, the portal administrator will not know their password.

Extensible to J2EE, SOA and Web Services Project Accesses

Thanks to AccessMaster's modular architecture, the SAM J2EE module extends SAM Web functions by offering an integrated SSO solution for J2EE, SOA and Web Services environments. Using a common authentication and administration server, SAM Web and SAM J2EE cooperate to offer users Single Sign-On both to Web environments and to J2EE and Web Services environments. Thanks to SAML technologies, SAM J2EE simply extends the SAM Web access control functions to interconnect portals or Web applications with J2EE servers or with internal and external Web Services.

Extensible to Non-Web Access and Legacy Applications

Not all applications are web-enabled. Secure Access Manager Standard Edition addresses non-web applications; it complements SAM Web to provide a complete and integrated solution for securing and simplifying access to non-web, legacy and client-server applications.

Instant Security for a Low Cost of Ownership

With SAM Web, you do not have to sacrifice convenience for security. SAM Web does not require any modification or component on user desktops or target systems. The other solutions in the marketplace today are overcomplicated, requiring months to deploy and consuming precious IT resources.

Keep Control of Security:
1. Centralized administration: minimize the cost of security skills and the number of security administration tasks.
2. Flexible administration: add or revoke new web servers and applications in a few clicks.
3. Secure access control to know instantly who has accessed what (central audit).

A Non-intrusive Solution for Easy Deployment

Thanks to its non-intrusive architecture, SAM Web can be fully deployed in a matter of hours, enabling the extended corporation to change as quickly as the market does. Downloadable from the Web, SAM Web is a single piece of software and is standards-based.

More Effective Administration

SAM Web enables portal or web server managers to seamlessly manage access to any web application without deploying any software, and without reorganizing the directories. There is no need to modify any existing administration processes or applications. SAM Web reuses the existing LDAP user directories to apply a security policy to the enterprise resources.

Lower Ownership Costs

SAM Web enables you to dramatically reduce additional IT costs:

- No need to redefine or modify user directories.
- Increases your return on investment for web projects by facilitating the extension of portal projects to Java and SOA environments.
- No need to update SAM Web when a protected application is updated.

The end result is a full security solution that offers end-users the simplest access at the lowest ownership cost.

For more information go to www.evidian.com Email: info@evidian.com