a2cloud Solution
for secured authentication and access to cloud

Whitepaper


Combining Modern
Authentication Needs with
Identity and Access Management
Table of Contents

    Introduction                                                              3
    The weakest link of the chain                                             4
    A modern multi-method Authentication Solution                             6
        Cloud interoperability with Federated ID                              8
        Completing the “big picture” with unified management and
        centralized information processing                                    9




2   Whitepaper              Combining Modern Authentication Needs with Identity and Access Management
Recent trends such as cloud computing and virtualization have defined new
challenges for CIOs and CISOs. What was once the definite perimeter of corporate
IT has become a thin, vague boundary, often extending outwards to include partners’
and even service providers’ zones.

A pressing demand exists to precisely outline the separation of duties and privileges,
the visibility of applications to users and the verification of security postures: a need
that goes beyond the mere validation of credentials.



Introduction

Infrastructural technologies have already helped IT managers to connect and interconnect
different physical, virtual and hybrid environments into what is known as the cloud.

Clouds, whether private to a company or publicly offered by a service provider, can be
considered a) autonomous yet b) interoperable computing environments.

Users connect to the cloud(s) using a huge variety of client devices, which immediately
creates the need for universal access on different client platforms, where the only common
denominator is the strength of the authentication process.

Cloud computing is subtly bringing uniformity and standardization to the way that
applications behave and to the way that different cloud environments interoperate with one
another. Naturally, the private and corporate nature of certain clouds mandates access to
legacy applications, which slows down this uniformity of presentation, a common feature of
clouds managed by service providers.

Where standardization is taking hold quite consistently is in the role that a cloud plays in
IT, since users connect to and use clouds mainly for two reasons: verification of
credentials and access to applications.

These usage patterns have created mixed environments where a cloud can play the role of
Identity Provider (IdP, if the purpose is to validate user credentials) or Service Provider
(SP, if the purpose is to give access to applications). SP and IdP roles can coexist in the
same cloud. Interoperability between an IdP and an SP is normally defined as a Federated
Authentication scenario.




Access — The weakest link of the chain

Agility, flexibility and universal access to corporate applications define a situation where
security needs to be granularized and enforced in layers (infrastructure, applications,
connectivity and, above all, access) that together form the big picture.

Access is by far the weakest link of the security chain, since it represents the point of contact
between two clouds (in the case of federated authentication) and between the users and the
data/applications they need to operate with.

In such a situation, the security of the access process is definitely the focus of attention
for security officers and administrators, because compromising the process could
undermine the whole security infrastructure that is in place to protect data against leakage
and applications against misuse.

There is therefore a pressing demand for solutions combining Identity and Access
Management with classic Authentication Systems, featuring contextuality, versatility and
adaptability as built-in features.

The solution CISOs are looking for must offer the highest level of security with minimal
impact on usability. Unified and centralized control and information processing therefore
represent the natural, complete solution.

The solution users want to see is access to a needed application that feels as natural as
possible, using the tools they are keen on using, such as tablets or smartphones, without the
need to carry dedicated devices. As subtly and transparently as possible, they should also go
through a process that verifies and validates the security posture of the client in use and
evaluates contextual information about the connection, such as time, IP address and so forth.

In short, the whole authentication and access process should be ergonomic, because it
should prioritize people’s efficiency in their working environment.




Role: CISO
Expectations:
  - Strong Authentication: a solution with minimized costs and maximized
    manageability and security.
  - Ability to extend trust to the connecting client machine depending on the
    context of the connection.
Challenges:
  - Balancing the need for strong authentication against maintenance costs,
    e.g. with hardware tokens that may break, get lost, expire, etc.
  - Notifying end users of the need for passwords/seeds/PINs in a simple yet
    secure way.
  - Going beyond verification of credentials to verifying contextual security
    postures.

Role: Operative Administrators
Expectations:
  - Real-time situational awareness and understanding of success/failure
    rates when multiple authentication methods are deployed.
  - Ability to analyze all information related to security events, no matter
    if they are related to network, authentication or client security posture.
  - Ability to document everything using the “incident” concept instead of
    storing documentation in multiple different locations.
Challenges:
  - Real-time statistics as well as time-based, automatic reporting.
  - Ability to get detailed information to support troubleshooting.
  - Avoiding the need to manually notify users of profile creation or modified
    authentication information (e.g. when a new seed is generated).

Role: Top Management
Expectations:
  - Gain justification to invest in security; avoid security concerns becoming
    an obstacle to processes/business.
Challenges:
  - Gain clear, consistent information about working/non-working solutions.
  - Avoid investing in complex solutions (often non-integrated and difficult to
    manage).
  - Have in place a security system that can integrate with partners’ systems.

Role: End Users
Expectations:
  - Access to applications and resources in the cloud (private and public)
    without complex authentication processes.
  - Avoid carrying authentication devices.
  - Positive user experience when accessing corporate applications.
Challenges:
  - Transparency of security posture verification.
  - Use devices already used for multiple purposes (e.g. smartphones, tablets,
    mobile phones) for authentication.




A modern multi-method Authentication Solution

Stonesoft offers the StoneGate a2cloud Authentication Solution, a balanced mix of products
and technologies that embody the ideal implementation of modern multi-method strong
authentication and secured access to the cloud.

At the heart of the solution is security of access through interoperability between two key
products of the StoneGate Network Security Architecture: StoneGate Authentication Server
and StoneGate SSL VPN.

StoneGate Authentication Server provides secure remote access to critical data and
applications across a given network with a set of four RADIUS-based servers that implement
different authentication methods.

Different verticals have different security needs, varying sometimes even on a per-application
basis. For example, a bank may need to offer its employees and customers differentiated
access to applications, where the differentiation is based on authentication methods (some
being stronger than others because more factors are involved).

These methods are ergonomic, which means they can be used with mobile devices such as
smartphones that people carry with them at all times. Thus, organizations do not need to
invest in the purchase of additional hardware, tokens or tools, or in training for them.

Applying soft token solutions frees a huge amount of IT resources. Soft tokens are free,
they do not get lost and, if broken, can be replaced immediately. The same applies to security:
replacing unsecured physical devices and hard tokens is expensive and involves considerable
risk.

Take the case of RSA. When hard-coded security was compromised, the only choice left
was to replace all physical devices. While that may be the only reasonable course of action, it
takes time and offers no guarantee against it happening again. That is why software-based
authentication methods represent the only dynamic way to stay updated and secure.

StoneGate Authentication Server is tightly integrated with StoneGate Management Center,
allowing rapid deployment of a centralized backend authentication system and transparent
integration with existing user databases such as MS Active Directory, Novell eDirectory,
OpenLDAP and other LDAPv3-compliant systems.

Typeahead user-linking allows one-click creation of user accounts, and automatic user-linking
can be used to generate user profiles dynamically when users attempt to log in (combined
with efficient SMS- or mail-based notification of user credentials and/or One Time
Passwords).

Overall ease of management extends to disabling user profiles (when an employee leaves the
company) or setting expiry dates on profiles (for consultants or temporary workers).




Both StoneGate Authentication Server users and backend user databases can be easily
browsed in a graphical user interface, minimizing the administrative burden and boosting
efficiency.

Users can also be linked to one or more authentication methods, automatically or manually,
which is very beneficial, as often the problem behind implementing an authentication
solution is the administrative burden of importing/accessing/defining huge numbers of
users.

Take the case of a company needing to deploy internal access to email with password-based
authentication and IPsec mobile VPN for external employees with a stronger authentication
method (e.g. OTP to phone). An ideal solution generates a user profile as soon as the user
tries to authenticate with either of the two methods, enabling both for that user. This
minimizes administrative costs, improves efficiency and shortens the overall solution’s
implementation time.

StoneGate SSL VPN enforces security of access through a combination of local
authentication techniques. It combines the strength and number of factors of each method
with the number of methods.

For example, a user can start the access process by presenting a digital certificate. Once
this has been validated, the user is prompted for a password, and an additional One Time
Password is delivered to his mobile phone via SMS.
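The certificate, password and SMS One Time Password chain described above, as an added example that is not StoneGate code: a step-up session in which each completed method unlocks the applications whose (assumed) policy on number of methods and number of distinct factor classes it satisfies. The certificate check is reduced to an enrolled-fingerprint lookup, the OTP is an RFC 4226 HOTP, SMS delivery is simulated by returning the code, and the user record and policy values are constructed.

```python
"""Step-up access chain: certificate, then password, then SMS One Time Password.

Added example (not StoneGate code). The certificate check is reduced to an
enrolled SHA-256 fingerprint lookup, the OTP is an RFC 4226 HOTP, and SMS
delivery is simulated by returning the code. The user record and the
per-application policy are constructed for the example.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import List, Optional

PASSWORD_SALT = b"constructed-salt"  # a real store uses a random per-user salt

def hash_password(pw: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), PASSWORD_SALT, 100_000)

# Constructed enrolment record; the OTP seed is the RFC 4226 test-vector secret.
USERS = {
    "alice": {
        "cert_fp": hashlib.sha256(b"alice-cert-der-bytes").hexdigest(),
        "pw_hash": hash_password("correct horse"),
        "otp_secret": b"12345678901234567890",
        "otp_counter": 0,
    }
}

# Factor class each method proves; the policy counts methods and distinct classes.
FACTOR_OF = {"certificate": "possession", "password": "knowledge",
             "sms_otp": "possession"}

# Assumed per-application policy: methods completed and distinct factor classes
# required before the application becomes reachable.
APP_POLICY = {
    "webmail": {"min_methods": 1, "min_factors": 1},
    "fileshare": {"min_methods": 2, "min_factors": 2},
    "ssh": {"min_methods": 3, "min_factors": 2},
}

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

@dataclass
class Session:
    user: str
    passed: List[str] = field(default_factory=list)  # methods completed, in order
    pending_otp: Optional[str] = None

def step_certificate(s: Session, cert_der: bytes) -> bool:
    """Step 1: the presented certificate must match the user's enrolled fingerprint."""
    fp = hashlib.sha256(cert_der).hexdigest()
    ok = hmac.compare_digest(fp, USERS[s.user]["cert_fp"])
    if ok:
        s.passed.append("certificate")
    return ok

def step_password(s: Session, pw: str) -> bool:
    """Step 2: only offered once the certificate step has succeeded."""
    if "certificate" not in s.passed:
        return False
    ok = hmac.compare_digest(hash_password(pw), USERS[s.user]["pw_hash"])
    if ok:
        s.passed.append("password")
    return ok

def send_sms_otp(s: Session) -> str:
    """Step 3a: advance the HOTP counter and 'send' the code (returned here)."""
    if "password" not in s.passed:
        raise PermissionError("OTP is only offered after the password step")
    rec = USERS[s.user]
    rec["otp_counter"] += 1
    s.pending_otp = hotp(rec["otp_secret"], rec["otp_counter"])
    return s.pending_otp

def step_sms_otp(s: Session, code: str) -> bool:
    """Step 3b: the code is single use; a replayed code is rejected."""
    if s.pending_otp is None:
        return False
    ok = hmac.compare_digest(code, s.pending_otp)
    s.pending_otp = None
    if ok:
        s.passed.append("sms_otp")
    return ok

def authorized_apps(s: Session) -> List[str]:
    """Applications whose policy the methods completed so far satisfy."""
    methods = set(s.passed)
    factors = {FACTOR_OF[m] for m in methods}
    return [app for app, p in APP_POLICY.items()
            if len(methods) >= p["min_methods"] and len(factors) >= p["min_factors"]]
```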

Once the user is allowed in, access to applications is conveniently available through Single
Sign-On techniques, for both web and legacy applications, including Remote Desktop,
Fileshare Access or SSH/Telnet.

This relieves the user from having to remember multiple passwords or re-type the same
information multiple times. SSO also minimizes errors in accessing applications as well as
the time spent accessing them, improving the overall user experience. Once properly
authenticated and trusted, the user is given smooth access to wherever his level of trust allows.

During a session, a firewall instance can ensure that only wanted traffic is allowed to and from
the client, and a trace removal technique ensures that no important data gets left behind when
the session concludes with logout.

A winning combination

The combination of the two products can be used to achieve maximum security of access
to the cloud through multi-factor and multi-method authentication and verification of the
connecting client’s security posture.
Both StoneGate Authentication Server and StoneGate SSL VPN can be implemented in a
mirrored configuration to ensure resiliency and high availability in the most demanding
environments.




Cloud interoperability with Federated ID

Identity Federation techniques are becoming increasingly popular as Cloud Computing
architectures and scenarios become more important for Service Providers.
The purpose of a federated authentication scenario is to offer agile application deployment
in the service provider’s cloud(s) while leaving authentication to the customer. Losing control
over, and sacrificing the strength of, authentication has been a major obstacle that organizations
experience with cloud-based services, especially when they would like to use multiple cloud
services and applications.

However, Single Sign-On operations and user profiling remain possible thanks to assertions
securely sent from Identity Providers to Service Providers once the user has been
authenticated.

With Identity Federation, the application or service provider may delegate the authentication
process back to the end user. The service provider does not need to maintain and administer
user account information. This helps improve the time-to-market for cloud-based services
and applications, as the app does not need to define user profiles, and nobody needs to be
burdened with importing user profiles.

Additional advantages for end users are being able to authenticate using any method
they prefer, and to access an application in the cloud as easily as they would an application
in the corporate network.

From the CISO’s perspective, the company accesses the cloud application while keeping
authentication safely “at home”. That is, it retains control over the authentication process,
relying on the cloud app service provider just for the operative benefit of having an app in the
cloud: reduced maintenance, immediate and easy upgrades, no local implementation, and
so forth.

The StoneGate a2cloud Solution lets administrators configure the components to act
as an Identity Provider (StoneGate Authentication Server and StoneGate SSL VPN) and
as a Service Provider (StoneGate SSL VPN). Thanks to the open-standard nature of such
interoperability, the counterpart in a federated authentication scenario can be any third-party
solution compatible with the supported standard protocols, such as SAML 2.0 and ADFS.




Completing the “big picture”: Unified management and centralized processing

The ability to centrally process information related to security events is important in ensuring
the ability to drill up and down through the data, moving from meaningful “big pictures” made of
statistical information, geotagged graphs and maps down to logs with precise details about
specific events.

“Situational unawareness” is an all too common state of affairs resulting from dispersed
information, and it can lead to multiple negative scenarios, from inefficient troubleshooting
to longer reaction times, longer time to market and excess vulnerability to advanced attacks
such as AETs.

When negative security events happen, e.g. when a user gets locked out due to multiple
authentication failures or violation of a security policy, it is important to have an alerting
mechanism, complete with escalation and historical data, not just for smooth handling of the
situation but also for regulatory compliance and auditing purposes.

Further negative scenarios include users trying to authenticate by guessing passwords: if the
user gets locked out, an alert is raised to make administrators aware of the violation attempt.
Additionally, as users may have difficulties understanding or adopting a given method,
administrators may decide to disable it or use a less complex method.
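The lockout-and-alert mechanism described above, as an added example that is not StoneGate Management Center code: a pass over constructed authentication-server log lines that locks a user after repeated failures within a window, escalates a second lockout within an hour, and reports per-method failure rates, the statistic that would reveal a method users struggle with. The log format, thresholds and escalation levels are assumptions.

```python
"""Lockout alerting and per-method failure statistics over authentication logs.

Added example (not StoneGate code). The log format below is constructed, and
the policy values (lock after 5 failures within 10 minutes, escalate a second
lockout within an hour) are assumed, not product defaults.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: alice logs in with two methods, bob guesses passwords
# from an external address in two bursts, carol struggles with SMS OTP, and one
# non-authentication line shows that unrelated events are skipped.
LOG = """\
2011-05-10T08:00:01Z auth method=password user=alice src=10.0.0.5 result=success
2011-05-10T08:00:20Z auth method=sms_otp user=alice src=10.0.0.5 result=success
2011-05-10T08:00:25Z sslvpn session user=alice app=fileshare state=open
2011-05-10T08:02:00Z auth method=password user=bob src=198.51.100.7 result=failure
2011-05-10T08:02:10Z auth method=password user=bob src=198.51.100.7 result=failure
2011-05-10T08:02:20Z auth method=password user=bob src=198.51.100.7 result=failure
2011-05-10T08:02:30Z auth method=password user=bob src=198.51.100.7 result=failure
2011-05-10T08:02:40Z auth method=password user=bob src=198.51.100.7 result=failure
2011-05-10T08:05:00Z auth method=sms_otp user=carol src=10.0.0.9 result=failure
2011-05-10T08:20:00Z auth method=sms_otp user=carol src=10.0.0.9 result=failure
2011-05-10T08:30:00Z auth method=password user=bob src=198.51.100.7 result=failure
2011-05-10T08:30:10Z auth method=password user=bob src=198.51.100.7 result=failure
2011-05-10T08:30:20Z auth method=password user=bob src=198.51.100.7 result=failure
2011-05-10T08:30:30Z auth method=password user=bob src=198.51.100.7 result=failure
2011-05-10T08:30:40Z auth method=password user=bob src=198.51.100.7 result=failure
2011-05-10T08:35:00Z auth method=sms_otp user=carol src=10.0.0.9 result=failure
2011-05-10T08:36:00Z auth method=sms_otp user=carol src=10.0.0.9 result=success
"""

LINE_RE = re.compile(
    r"^(\S+) auth method=(\S+) user=(\S+) src=(\S+) result=(success|failure)$")

FAIL_THRESHOLD = 5                    # failures that trigger a lockout
FAIL_WINDOW = timedelta(minutes=10)   # counted within this sliding window
ESCALATE_WINDOW = timedelta(hours=1)  # a second lockout in this span escalates


def parse(log_text):
    """Yields (timestamp, method, user, src, result) for authentication lines only."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an authentication record
        ts, method, user, src, result = m.groups()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), method, user, src, result


def analyze(log_text):
    """Returns (alerts, failure_rate_by_method).

    alerts: one dict per lockout, with the escalation level chosen at that time;
    failure_rate_by_method: failures / attempts per method, rounded to 2 decimals.
    """
    recent = defaultdict(deque)    # user -> timestamps of failures in the window
    lockouts = defaultdict(list)   # user -> historical lockout times
    stats = defaultdict(lambda: {"success": 0, "failure": 0})
    alerts = []
    for ts, method, user, src, result in parse(log_text):
        stats[method][result] += 1
        if result == "success":
            recent[user].clear()   # a successful login resets the failure streak
            continue
        window = recent[user]
        window.append(ts)
        while window and ts - window[0] > FAIL_WINDOW:
            window.popleft()
        if len(window) >= FAIL_THRESHOLD:
            window.clear()
            prior = [t for t in lockouts[user] if ts - t <= ESCALATE_WINDOW]
            level = "security_officer" if prior else "admin"
            lockouts[user].append(ts)
            alerts.append({"time": ts.isoformat(), "user": user, "src": src,
                           "method": method, "level": level})
    rates = {m: round(c["failure"] / (c["success"] + c["failure"]), 2)
             for m, c in stats.items()}
    return alerts, rates
```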

Knowing that such a problem may exist in the first place is possible thanks to the real-time
statistics and graphical reporting of StoneGate Management Center, available as a multiplatform
software solution included in each StoneGate Authentication Server license.

Built on solid architectural foundations, SMC offers unified management capabilities for all
StoneGate Network Security Platform engines, from StoneGate SSL VPN and StoneGate
Firewall/VPN to StoneGate IPS, plus the ability to collect logs from third-party servers and
engines and enhance them with advanced reporting and log analysis capabilities.

The combination of StoneGate Authentication Server, StoneGate SSL VPN and StoneGate
Management Center defines the ideal solution for every modern authentication need, while
simplifying the security of cloud computing environments.




Copyright and Disclaimer
© 2000—2011 Stonesoft Corporation. All rights reserved.
These materials, Stonesoft products, and related documentation are protected by copyright
and other laws, international treaties and conventions. All rights, title and interest in the
materials, Stonesoft products and related documentation shall remain with Stonesoft and
its licensors. All registered or unregistered trademarks in these materials are the sole
property of their respective owners. No part of this document or related Stonesoft products
may be reproduced in any form, or by any means without written authorization of Stonesoft
Corporation.
Stonesoft provides these materials for informational purposes only. They are subject
to change without notice and do not represent a commitment on the part of Stonesoft.
Stonesoft assumes no liability for any errors or inaccuracies that may appear in these
materials or for incompatibility between different hardware components, required BIOS
settings, NIC drivers, or any NIC configuration issues. Use these materials at your own risk.
Stonesoft does not warrant or endorse any third party products described herein.
THESE MATERIALS ARE PROVIDED “AS-IS.” STONESOFT MAKES NO WARRANTIES, EXPRESS
OR IMPLIED, AS TO, THE INFORMATION CONTAINED HEREIN. IN ADDITION, STONESOFT
MAKES NO EXPRESS OR IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A
PARTICULAR PURPOSE OR USE WITH RESPECT THE INFORMATION CONTAINED IN THESE
MATERIALS. IN NO EVENT SHALL STONESOFT BE LIABLE FOR ANY INDIRECT, SPECIAL,
CONSEQUENTIAL OR INCIDENTAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOST
PROFITS OR LOSS OR DAMAGE TO DATA ARISING FROM THE USE OF THESE MATERIALS,
EVEN IF ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH DAMAGES.




Trademarks and Patents
Stonesoft, the Stonesoft logo and StoneGate are all trademarks or registered trademarks of
Stonesoft Corporation. Multi-Link technology, Multi-Link VPN, and the StoneGate clustering
technology, as well as other technologies included in StoneGate, are protected by patents
or pending patent applications in the U.S. and other countries. All other trademarks or
registered trademarks are property of their respective owners.




Stonesoft Corporate
Itälahdenkatu 22 A
FI-00210 Helsinki
Finland
tel. +358 9 476 711
fax. +358 9 476 713 49

Stonesoft Inc.
1050 Crown Pointe Parkway
Suite 900
Atlanta, GA 30338, USA
tel. +1 866 869 4075
fax. +1 770 6681 131

Copyright 2011 Stonesoft Corp. All rights reserved. Registered or unregistered trademarks in this document are property of their respective
owners. The products described in this document are protected by one or more of U.S. patents and European patents: U.S. Patent No.
6,650,621, European Patents No. 1065844, 1289202, and may be protected by other U.S. patents, foreign patents, or pending applications.
Specifications subject to change without notice.

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024The Digital Insurer
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Principled Technologies
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 

Kürzlich hochgeladen (20)

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 

Combining Modern Authentication Needs with Identity and Access Management

  • 1. a2cloud Solution for secured authentication and access to cloud Whitepaper Combining Modern Authentication Needs with Identity and Access Management
  • 2. Table of Content
    Introduction 3
    The weakest link of the chain 4
    A modern multi-method Authentication Solution 6
      Cloud interoperability with Federated ID 8
      Completing the “big picture” with unified management and centralized information processing 9
    2 Whitepaper Combining Modern Authentication Needs with Identity and Access Management
  • 3. Recent trends such as cloud computing and virtualization have defined new challenges for CIOs and CISOs. What was once the definite perimeter for corporate IT has become a thin, vague boundary, often extending outwards to include partners’ and even service providers’ zones.

    A pressing demand exists to precisely outline the separation of duties and privileges, the visibility of applications to users and the verification of security postures: a need that goes beyond the mere validation of credentials.

    Introduction

    Infrastructural technologies have already helped IT managers to connect and interconnect different physical, virtual and hybrid environments into what is known as the cloud.

    Clouds, whether private to a company or publicly offered by a service provider, can be considered a) autonomous yet b) interoperable computing environments.

    Users connect to the cloud(s) using a huge variety of client devices, which immediately creates the need for universal access across different client platforms, where the only common denominator is the strength of the authentication process.

    Cloud computing is subtly bringing uniformity and standardization to the way that applications behave and to the way that different cloud environments interoperate with one another. Naturally, the private and corporate nature of certain clouds mandates access to legacy applications, which slows down this uniformity of presentation, a common feature of clouds managed by service providers.

    Where standardization is taking hold most consistently is in the role that a cloud plays in IT, since users connect to and use clouds mainly for two reasons: verification of credentials and access to applications. These usage patterns have created mixed environments where a cloud can play the role of Identity Provider (IdP, if the purpose is to validate user credentials) or Service Provider (SP, if the purpose is to give access to applications). SP and IdP roles can coexist in the same cloud.

    Interoperability between an IdP and an SP is normally defined as a Federated Authentication scenario.
  • 4. Access — The weakest link of the chain

    Agility, flexibility and universal access to corporate applications define a situation where security needs to be granularized and enforced in layers — infrastructure, applications, connectivity and above all access — forming the big picture. Access is by far the weakest link of the security chain, since it represents the point of contact between two clouds (in the case of federated authentication) and between the users and the data/applications they need to operate with.

    In such a situation, the security of the access process is definitely the focus of attention for security officers and administrators, because compromising the process could undermine the whole security infrastructure put in place to protect data against leakage and applications against misuse.

    There is therefore a pressing demand for solutions combining Identity and Access Management with classic Authentication Systems, featuring contextuality, versatility and adaptability as built-in features. The solution CISOs are looking for must offer the highest level of security with minimal impact on usability. Thus, unified and centralized control and information processing represent the natural, complete solution.

    The solution that users want to see is access to a needed application that feels as natural as possible, using tools they are already keen on using, such as tablets or smartphones, without the need to carry dedicated devices. As subtly and transparently as possible, they should also go through a process that verifies and validates the security posture of the client used and evaluates contextual information from the connection, such as time, IP address and so forth. In short, the whole authentication and access process should be ergonomic: it should prioritize people’s efficiency in their working environment.
  • 5. Role / Expectations / Challenges

    CISO
      Expectations: Strong Authentication — a solution with minimized costs and maximized manageability and security. Ability to extend trust to the connecting client machine depending on the context of the connection. Going beyond verification of credentials to verifying contextual security postures.
      Challenges: Balancing the need for strong authentication against maintenance costs, e.g. with hardware tokens that may break, get lost, expire, etc. Notifying end users of the need for passwords/seeds/PINs in a simple yet secure way.

    Operative Administrators
      Expectations: Real-time situational awareness and understanding of success/failure rates when multiple authentication methods are deployed. Ability to analyze all information related to security events, no matter if they are related to network, authentication or client security posture. Ability to document everything using the “incident” concept instead of storing documentation in multiple different locations.
      Challenges: Real-time statistics as well as time-based, automatic reporting. Ability to get detailed information to support troubleshooting. Avoiding the need to manually notify users of profile creation or modified authentication information (e.g. when a new seed is generated).

    Top Management
      Expectations: Gain justification to invest in security; avoid security concerns becoming an obstacle to processes/business. Avoid investing in complex solutions (often non-integrated and difficult to manage). Have in place a security system that can integrate with partners’ systems.
      Challenges: Gain clear, consistent information about working/non-working solutions.

    End Users
      Expectations: Access to applications and resources in the cloud (private and public) without complex authentication processes. Avoid carrying authentication devices. Positive user experience when accessing corporate applications.
      Challenges: Transparency of security posture verification. Use devices already used for multiple purposes (e.g. smartphones, tablets, mobile phones) for authentication.
  • 6. A modern multi-method Authentication Solution

    Stonesoft offers the StoneGate a2cloud Authentication Solution: a balanced mix of products and technologies that embody the ideal implementation of modern multi-method strong authentication and secured access to the cloud. At the heart of the solution is security of access through interoperability between two key products of the StoneGate Network Security Architecture: StoneGate Authentication Server and StoneGate SSL VPN.

    StoneGate Authentication Server provides secure remote access to critical data and applications across a given network with a set of four RADIUS-based servers that implement different authentication methods. Different verticals have different security needs, varying sometimes even on a per-application basis, e.g. a bank that needs to offer its employees and customers differentiated access to applications. Differentiation could be based on authentication methods (some being stronger than others due to the multiple factors of strength involved).

    These methods are ergonomic, which means they can be used with mobile devices like smartphones that people carry with them at all times. Thus, organizations do not need to invest in the purchase of additional hardware, tokens and/or tools, or in training for them. Applying soft token solutions frees a huge amount of IT resources: soft tokens are free, they do not get lost and, if broken, can be replaced immediately.

    The same applies to security. Changing unsecured physical devices and hard tokens is expensive, with considerable risks involved. Take the case of RSA: when hard-coded security was compromised, the only choice left was to replace all physical devices. While that may be the only reasonable course of action, it takes time and offers no guarantee against it happening again. That is why software-based authentication methods represent the only dynamic way to stay updated and secured.

    StoneGate Authentication Server is tightly integrated with StoneGate Management Center, allowing rapid deployment of a centralized backend authentication system and transparent integration with existing user databases such as MS Active Directory, Novell eDirectory, OpenLDAP and other LDAPv3-compliant systems. Typeahead user-linking allows one-click creation of user accounts, and automatic user-linking can be used to dynamically generate user profiles when users attempt to log in (combined with efficient SMS- or mail-based notification of user credentials and/or One Time Passwords). Overall ease of management extends to disabling user profiles (when an employee leaves the company) or setting expiry dates on profiles (for consultants or temporary workers).
  • 7. Both StoneGate Authentication Server users and backend user databases can be easily browsed in a graphical user interface, minimizing the administrative burden and boosting efficiency. Users can also be linked to one or more authentication methods, automatically or manually, which is very beneficial, as the problem behind implementing an authentication solution is often the administrative burden of importing/accessing/defining huge numbers of users.

    Take the case of a company needing to deploy internal access to email with password-based authentication, and IPsec mobile VPN for external employees with a stronger authentication method (e.g. OTP to phone). An ideal solution generates a user profile as soon as the user tries to authenticate with either of the two methods, enabling both for that user. This minimizes administrative costs, improves efficiency and shortens the overall solution’s implementation time.

    StoneGate SSL VPN enforces security of access through a combination of local authentication techniques. It combines the strength and number of factors of each method with the number of methods. For example, a user can start the access process by presenting a digital certificate. Once this has been validated, the user is prompted for a password, and an additional One Time Password is delivered to his mobile phone via SMS.

    Once the user is allowed in, access to applications is conveniently available through Single Sign-On techniques, for both web and legacy applications, including Remote Desktop, file share access or SSH/Telnet. This relieves the user from needing to remember multiple passwords or re-typing the same information multiple times. SSO also minimizes errors in accessing applications as well as the time spent on accessing them, improving the overall user experience. Once properly authenticated and trusted, the user is given smooth access to wherever his level of trust allows.

    During a session, a firewall instance can guarantee that only wanted traffic is allowed to/from the client, and a trace removal technique ensures that no important data gets left behind once the session concludes with logout.

    A winning combination

    The combination of the two products can be used to achieve maximum security of access to the cloud through multi-factor and multi-method authentication and verification of the connecting client’s security posture. Both StoneGate Authentication Server and StoneGate SSL VPN can be implemented in a mirrored configuration to ensure resiliency and high availability in the most demanding environments.
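The chain described on this page (certificate first, then password, then an SMS-delivered One Time Password), combined with the contextual checks (time, source IP) asked for in the "weakest link" section, as an added Python example. This is illustrative code written for this page, not StoneGate SSL VPN or Authentication Server code. The user record, the 198.51.100.0/24 office network, the work-hours window and the in-memory SMS outbox are all constructed assumptions. The policy counts distinct factor categories rather than methods, which is what makes "certificate plus SMS OTP" (two possession proofs) weaker than "certificate plus password".

```python
"""Multi-method, multi-factor access chain with contextual checks.
Added illustration (not StoneGate code); users, policy and addresses are constructed."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Optional
import hashlib
import hmac
import secrets

# Factor category each method proves. The policy counts *distinct* categories,
# so certificate + SMS OTP (both "possession") is weaker than certificate + password.
FACTOR_OF = {"certificate": "possession", "password": "knowledge", "sms_otp": "possession"}

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

@dataclass
class User:
    name: str
    salt: bytes
    password_hash: bytes
    cert_fingerprint: str              # fingerprint of the enrolled client certificate
    phone: str
    pending_otp: Optional[str] = None  # SHA-256 of an OTP that was sent but not yet used

@dataclass
class Context:                         # connection metadata, evaluated before any credential
    source_ip: str
    at: datetime

@dataclass
class Policy:
    chain: tuple                       # methods are prompted in this order
    min_factor_categories: int
    allowed_networks: tuple
    work_hours: tuple                  # (start, end) as datetime.time

SMS_OUTBOX: list = []                  # stand-in for the SMS gateway so the example runs offline

def send_sms_otp(user: User) -> None:
    code = f"{secrets.randbelow(10**6):06d}"
    user.pending_otp = hashlib.sha256(code.encode()).hexdigest()   # store only a hash
    SMS_OUTBOX.append((user.phone, code))

def verify(method: str, user: User, credential: str) -> bool:
    if method == "certificate":
        return hmac.compare_digest(user.cert_fingerprint, credential)
    if method == "password":
        return hmac.compare_digest(user.password_hash, hash_password(credential, user.salt))
    if method == "sms_otp":
        if user.pending_otp is None:
            return False
        ok = hmac.compare_digest(user.pending_otp, hashlib.sha256(credential.encode()).hexdigest())
        user.pending_otp = None        # an OTP is consumed by its first use, right or wrong
        return ok
    return False

def context_ok(ctx: Context, policy: Policy) -> bool:
    ip = ip_address(ctx.source_ip)
    start, end = policy.work_hours
    return any(ip in ip_network(n) for n in policy.allowed_networks) and start <= ctx.at.time() <= end

def authenticate(user: User, credentials: dict, ctx: Context, policy: Policy) -> dict:
    """Walk the chain in order. Any credential failure returns one generic reason so the
    caller cannot learn which step failed; the OTP is sent only once the earlier steps
    have passed, and the caller must then resubmit with the code."""
    if not context_ok(ctx, policy):
        return {"allowed": False, "reason": "context", "factors": set()}
    proven = set()
    for method in policy.chain:
        if method == "sms_otp" and "sms_otp" not in credentials:
            send_sms_otp(user)
            return {"allowed": False, "reason": "otp_sent", "factors": set()}
        if not verify(method, user, credentials.get(method, "")):
            return {"allowed": False, "reason": "credentials", "factors": set()}
        proven.add(FACTOR_OF[method])
    if len(proven) < policy.min_factor_categories:
        return {"allowed": False, "reason": "insufficient_factors", "factors": proven}
    return {"allowed": True, "reason": "ok", "factors": proven}

# Constructed sample data: one user, a strong chain and a possession-only chain.
SALT = b"constructed-salt"
ALICE = User("alice", SALT, hash_password("correct horse", SALT), "sha256:" + "ab" * 32, "+00 000 000")
STRONG = Policy(("certificate", "password", "sms_otp"), 2, ("198.51.100.0/24",), (time(7, 0), time(20, 0)))
POSSESSION_ONLY = Policy(("certificate", "sms_otp"), 2, ("198.51.100.0/24",), (time(7, 0), time(20, 0)))
OFFICE = Context("198.51.100.17", datetime(2011, 6, 1, 9, 30))
NIGHT = Context("198.51.100.17", datetime(2011, 6, 1, 23, 0))

def run_chain(policy: Policy) -> list:
    """Two rounds: the first submission triggers the OTP, the second carries the code from the SMS."""
    creds = {"certificate": ALICE.cert_fingerprint, "password": "correct horse"}
    first = authenticate(ALICE, creds, OFFICE, policy)
    creds["sms_otp"] = SMS_OUTBOX[-1][1]      # the user reads the code off the phone
    second = authenticate(ALICE, creds, OFFICE, policy)
    return [first["reason"], second["reason"], sorted(second["factors"])]

if __name__ == "__main__":
    print(run_chain(STRONG))            # ['otp_sent', 'ok', ['knowledge', 'possession']]
    print(run_chain(POSSESSION_ONLY))   # ['otp_sent', 'insufficient_factors', ['possession']]
```

Two design points worth noting: the OTP is stored hashed and invalidated on first use, so a guessed or intercepted code cannot be replayed, and every credential failure returns the same reason so the login flow does not reveal which step rejected the attempt.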
  • 8. Cloud interoperability with Federated ID

    Identity Federation techniques are becoming increasingly popular as Cloud Computing architectures and scenarios become more important for Service Providers. The purpose of a federated authentication scenario is to offer agile application deployment in the service provider’s cloud(s) while leaving authentication to the customer.

    Losing control and sacrificing the strength of authentication has been a major obstacle that organizations experience with cloud-based services, especially when they would like to use multiple cloud services and applications. However, Single Sign-On operations and user profiling remain possible thanks to assertions securely sent from Identity Providers to Service Providers once the user has been authenticated.

    With Identity Federation, the application or service provider may delegate the authentication process back to the end user’s organization. The service provider does not need to maintain and administer user account information. This helps improve the time-to-market for cloud-based services and applications, as the app does not need to define user profiles, and nobody needs to be burdened with importing user profiles. Additional advantages for the end users are being able to authenticate using any method they prefer, and to access an application in the cloud as easily as they would an application in the corporate network.

    From the CISO perspective, the company accesses the cloud application while keeping authentication safely “at home”. That is, it retains control over the authentication process, relying on the cloud app service provider just for the operative benefit of having an app in the cloud: reduced maintenance, immediate and easy upgrades, no local implementation, and so forth.

    The StoneGate a2cloud Solution lets administrators configure the components to act as an Identity Provider (StoneGate Authentication Server and StoneGate SSL VPN) and as a Service Provider (StoneGate SSL VPN). Thanks to the open-standard nature of such interoperability, the counterpart in a federated authentication scenario can be any third-party solution compatible with the supported standard protocols, such as SAML 2.0 and ADFS.
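The IdP-to-SP assertion exchange described above, as an added example; this is not Stonesoft's implementation and not wire-compatible SAML 2.0 (which carries XML assertions signed with XML-DSig). It keeps the shape of the exchange and the checks a Service Provider must make before trusting an assertion: trusted issuer, signature, intended audience, validity window and one-time use. The assertion is JSON signed with HMAC over a key the two parties are assumed to have exchanged out of band; entity IDs, the key and the timestamps are constructed.

```python
"""Federated authentication exchange between an Identity Provider and a Service
Provider, simplified. Added illustration, not StoneGate code. SAML 2.0 carries XML
assertions signed with XML-DSig; here the assertion is JSON signed with HMAC over a
key the two parties exchanged out of band (constructed) so the example runs offline.
The checks the SP performs are the ones that matter in the real protocol too."""
import base64
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timedelta, timezone

IDP_ID = "https://idp.customer.example"           # constructed entity IDs
SP_ID = "https://app.cloud-provider.example"
TRUST_STORE = {IDP_ID: b"constructed-shared-key"}  # SP side: trusted issuer -> verification key
NOW = datetime(2011, 6, 1, 9, 0, tzinfo=timezone.utc)
LATER = NOW + timedelta(minutes=10)

def _sign(key: bytes, payload: bytes) -> str:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

# ----- Identity Provider: the customer keeps authentication "at home" -----------
def idp_issue_assertion(subject: str, authn_method: str, audience: str, now: datetime,
                        key: bytes = TRUST_STORE[IDP_ID]) -> str:
    """Issued only after the IdP has authenticated the user with its own methods."""
    body = {
        "id": "_" + secrets.token_hex(16),   # unique per assertion; the SP uses it against replay
        "issuer": IDP_ID,
        "subject": subject,
        "audience": audience,                # the single SP this assertion is meant for
        "authn_method": authn_method,        # lets the SP apply per-method access rules
        "not_before": now.isoformat(),
        "not_on_or_after": (now + timedelta(minutes=5)).isoformat(),
        "attributes": {"role": "employee"},
    }
    payload = json.dumps(body, sort_keys=True).encode()
    return base64.b64encode(payload).decode() + "." + _sign(key, payload)

# ----- Service Provider: holds no passwords, only a trust store and sessions ------
class ServiceProvider:
    def __init__(self, entity_id: str, trust_store: dict):
        self.entity_id = entity_id
        self.trust_store = trust_store
        self.seen_ids = set()      # replay cache for assertion IDs
        self.sessions = {}

    def consume(self, token: str, now: datetime) -> dict:
        try:
            enc, sig = token.split(".")
            payload = base64.b64decode(enc, validate=True)
            body = json.loads(payload)
            key = self.trust_store.get(body["issuer"])
            if key is None:
                return {"ok": False, "error": "untrusted_issuer"}
            if not hmac.compare_digest(sig, _sign(key, payload)):   # verify before trusting any field
                return {"ok": False, "error": "bad_signature"}
            if body["audience"] != self.entity_id:
                return {"ok": False, "error": "wrong_audience"}
            not_before = datetime.fromisoformat(body["not_before"])
            not_after = datetime.fromisoformat(body["not_on_or_after"])
            if not (not_before <= now < not_after):
                return {"ok": False, "error": "outside_validity"}
            if body["id"] in self.seen_ids:
                return {"ok": False, "error": "replay"}
        except (ValueError, KeyError, TypeError):
            return {"ok": False, "error": "malformed"}
        self.seen_ids.add(body["id"])
        session = secrets.token_hex(16)
        self.sessions[session] = {"subject": body["subject"], "authn_method": body["authn_method"]}
        return {"ok": True, "session": session, "subject": body["subject"]}

def run_exchange() -> list:
    """Happy path, replay, audience mismatch, tampering and expiry, in that order."""
    sp = ServiceProvider(SP_ID, TRUST_STORE)
    good = idp_issue_assertion("alice", "certificate+password+sms_otp", SP_ID, NOW)
    results = [sp.consume(good, NOW)["ok"], sp.consume(good, NOW)["error"]]
    other = idp_issue_assertion("alice", "password", "https://other-app.example", NOW)
    results.append(sp.consume(other, NOW)["error"])
    enc, sig = good.split(".")                 # tamper with the subject, keep the old signature
    forged = base64.b64encode(json.dumps({**json.loads(base64.b64decode(enc)), "subject": "admin"},
                                         sort_keys=True).encode()).decode() + "." + sig
    results.append(sp.consume(forged, NOW)["error"])
    results.append(sp.consume(idp_issue_assertion("bob", "password", SP_ID, NOW), LATER)["error"])
    return results

if __name__ == "__main__":
    print(run_exchange())   # [True, 'replay', 'wrong_audience', 'bad_signature', 'outside_validity']
```

The order of checks is deliberate: the signature is verified before any other field is acted on, the audience check stops an assertion issued for one SP from being presented to another, and the replay cache plus short validity window limit what a captured assertion is worth. The `authn_method` attribute carries the IdP's method into the SP so that per-application rules (the bank scenario on slide 6) can still be applied on the service side.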
  • 9. Completing the “big picture”: Unified management and centralized processing

    The ability to centrally process information related to security events is important in ensuring the ability to drill up and down through the data, moving from meaningful “big pictures” made of statistical information, geotagged graphs and maps to logs with precise details about specific events. Such “situational unawareness” is an all too common state of affairs resulting from dispersed information, and it can lead to multiple negative scenarios, from inefficient troubleshooting to longer reaction times, longer time to market and excess vulnerability to advanced attacks such as AETs.

    When negative security events happen, e.g. when a user gets locked out due to multiple authentication failures or a violation of a security policy, it is important to have an alerting mechanism, complete with escalation and historical data: not just for smooth handling of the situation, but for both regulatory compliance and auditing purposes. Further negative scenarios include users trying to authenticate by guessing passwords; if the user gets locked out, an alert is raised to make admins aware of the violation attempt. Additionally, as users may have difficulties in understanding or adopting a given method, the administrators may decide to disable it or use a less complex method.

    Knowing that such a problem may exist in the first place is possible thanks to the real-time statistics and graphical reporting of StoneGate Management Center, available as a multiplatform software solution included in each StoneGate Authentication Server license. Built on solid architectural foundations, SMC offers unified management capabilities for all StoneGate Network Security Platform engines, from StoneGate SSL VPN and StoneGate Firewall/VPN to StoneGate IPS, plus the ability to collect logs from third-party servers and engines and enhance them with advanced reporting and log analysis capabilities.

    The combination of StoneGate Authentication Server, StoneGate SSL VPN and StoneGate Management Center defines the ideal solution for every modern authentication need, while simplifying the security of cloud computing environments.
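The lockout, alerting and per-method success/failure statistics described above, as an added example run over constructed log lines. This is not StoneGate Management Center code; the `key=value` log format, the five-failures-in-two-minutes threshold and the two escalation levels are assumptions chosen for the illustration. The per-method failure rate is the figure an administrator would look at to decide that users are struggling with one method, and the alert keeps the full history plus every source address involved, which is the data that compliance and auditing need.

```python
"""Authentication event processing: per-method success/failure statistics, lockout
detection and alerting with escalation and history. Added illustration, not StoneGate
Management Center code. The log lines are constructed in a generic key=value format."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2011-06-01T08:59:10 user=alice method=sms_otp src=198.51.100.17 result=success
2011-06-01T09:00:02 user=bob method=password src=203.0.113.5 result=failure
2011-06-01T09:00:09 user=bob method=password src=203.0.113.5 result=failure
2011-06-01T09:00:15 user=bob method=password src=203.0.113.5 result=failure
2011-06-01T09:00:21 user=bob method=password src=203.0.113.5 result=failure
2011-06-01T09:00:27 user=bob method=password src=203.0.113.5 result=failure
2011-06-01T09:00:33 user=bob method=password src=203.0.113.9 result=failure
2011-06-01T09:05:00 user=carol method=certificate src=198.51.100.30 result=success
2011-06-01T09:05:03 user=carol method=sms_otp src=198.51.100.30 result=failure
2011-06-01T09:05:40 user=carol method=sms_otp src=198.51.100.30 result=success
"""

LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) method=(?P<method>\S+) "
                  r"src=(?P<src>\S+) result=(?P<result>success|failure)$")

@dataclass
class Event:
    ts: datetime
    user: str
    method: str
    src: str
    result: str

def parse_log(text: str) -> list:
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:        # unparseable lines are skipped rather than crashing the pipeline
            events.append(Event(datetime.fromisoformat(m["ts"]), m["user"], m["method"], m["src"], m["result"]))
    return events

def method_stats(events: list) -> dict:
    """Success/failure counts and failure rate per method. A high rate on one method is
    the signal that users may be struggling to adopt it."""
    counts = defaultdict(lambda: {"success": 0, "failure": 0})
    for ev in events:
        counts[ev.method][ev.result] += 1
    for c in counts.values():
        c["failure_rate"] = c["failure"] / (c["success"] + c["failure"])
    return dict(counts)

def detect_lockouts(events: list, threshold: int = 5, window: timedelta = timedelta(minutes=2)) -> list:
    """Lock a user after `threshold` failures inside a sliding `window`. The alert keeps the
    full history; attempts after the lockout raise the escalation level and record every
    source address involved, so the record is complete for auditing."""
    recent = defaultdict(deque)          # user -> timestamps of failures inside the window
    alerts = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.user in alerts:            # already locked: keep tracking and escalate
            a = alerts[ev.user]
            a["history"].append(ev.ts)
            a["sources"].add(ev.src)
            a["attempts_after_lockout"] += 1
            a["escalation"] = 2
            continue
        if ev.result == "success":
            recent[ev.user].clear()      # a success resets the failure streak
            continue
        q = recent[ev.user]
        q.append(ev.ts)
        while q and ev.ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts[ev.user] = {"user": ev.user, "locked_at": ev.ts, "sources": {ev.src},
                               "history": list(q), "attempts_after_lockout": 0, "escalation": 1}
    return list(alerts.values())

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for method, c in method_stats(evs).items():
        print(f"{method:12s} success={c['success']} failure={c['failure']} rate={c['failure_rate']:.2f}")
    for a in detect_lockouts(evs):
        print(f"LOCKOUT {a['user']} escalation={a['escalation']} sources={sorted(a['sources'])}")
```

On the constructed input the password method shows a 100 % failure rate driven by one account, which is a lockout case rather than an adoption problem, while the single SMS OTP failure followed by a success is ordinary user error; separating the two is exactly why both views (per-method statistics and per-user alerts with history) are needed.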
  • 10. Copyright and Disclaimer

    © 2000—2011 Stonesoft Corporation. All rights reserved. These materials, Stonesoft products, and related documentation are protected by copyright and other laws, international treaties and conventions. All rights, title and interest in the materials, Stonesoft products and related documentation shall remain with Stonesoft and its licensors. All registered or unregistered trademarks in these materials are the sole property of their respective owners. No part of this document or related Stonesoft products may be reproduced in any form, or by any means without written authorization of Stonesoft Corporation.

    Stonesoft provides these materials for informational purposes only. They are subject to change without notice and do not represent a commitment on the part of Stonesoft. Stonesoft assumes no liability for any errors or inaccuracies that may appear in these materials or for incompatibility between different hardware components, required BIOS settings, NIC drivers, or any NIC configuration issues. Use these materials at your own risk. Stonesoft does not warrant or endorse any third party products described herein.

    THESE MATERIALS ARE PROVIDED “AS-IS.” STONESOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION CONTAINED HEREIN. IN ADDITION, STONESOFT MAKES NO EXPRESS OR IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE WITH RESPECT TO THE INFORMATION CONTAINED IN THESE MATERIALS. IN NO EVENT SHALL STONESOFT BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL OR INCIDENTAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING FROM THE USE OF THESE MATERIALS, EVEN IF ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH DAMAGES.

    Trademarks and Patents

    Stonesoft, the Stonesoft logo and StoneGate are all trademarks or registered trademarks of Stonesoft Corporation. Multi-Link technology, Multi-Link VPN, and the StoneGate clustering technology, as well as other technologies included in StoneGate, are protected by patents or pending patent applications in the U.S. and other countries. All other trademarks or registered trademarks are property of their respective owners.

    Stonesoft Corporate
    Itälahdenkatu 22 A
    FI-00210 Helsinki
    Finland
    tel. +358 9 476 711
    fax. +358 9 476 713 49

    Stonesoft Inc.
    1050 Crown Pointe Parkway
    Suite 900
    Atlanta, GA 30338, USA
    tel. +1 866 869 4075
    fax. +1 770 6681 131

    Copyright 2011 Stonesoft Corp. All rights reserved. Registered or unregistered trademarks in this document are property of their respective owners. The products described in this document are protected by one or more of U.S. patents and European patents: U.S. Patent No. 6,650,621, European Patents No. 1065844, 1289202, and may be protected by other U.S. patents, foreign patents, or pending applications. Specifications subject to change without notice.