Web access management

Web access management (WAM) [1] is a form of identity management that controls access to web resources. It provides authentication management, policy-based authorization, optional audit and reporting services, and single sign-on.

Authentication management is the process of determining a user's (or application's) identity. This is normally done by prompting for a user name and a password. Additional methods include hardware or software tokens that generate one-time passwords, and digital certificates; these can be combined with a password for multi-factor authentication.

Once a user's (or process's) identity is confirmed, policy-based authorization comes into play. A web resource can have one or more policies attached to it, such as "only allow internal employees to access this resource" or "only allow members of the Admin group to access this resource." The requested resource is used to look up its policies, and each policy is evaluated against the attributes of the authenticated identity (group membership, network location, and so on). If the identity satisfies every policy, access is granted; otherwise it is denied. A resource that no policy covers should likewise be denied by default rather than treated as unprotected.
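The lookup-then-evaluate flow described above, written out as an added example (not code from any WAM product): policies are attached to resources by path prefix, the most specific prefix wins, every policy on it is evaluated against the authenticated identity, and each decision is written to an audit record. The identities, group names, internal address ranges and paths are assumptions for illustration.

```python
"""Policy-based authorization for web resources.

Added example, not code from any WAM product. A resource can carry several
policies; the requested path selects the most specific policy set, every
policy is evaluated against the authenticated identity, and the decision is
recorded for audit. Users, groups, networks and paths are assumptions.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    """What the authentication step established about the caller."""
    user: str
    groups: frozenset
    source_ip: str


# Assumed internal address ranges for the "internal employees only" rule.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]


def internal_only(identity: Identity) -> bool:
    addr = ipaddress.ip_address(identity.source_ip)
    return any(addr in net for net in INTERNAL_NETS)


def member_of(group: str):
    """Build a rule requiring membership in the given group."""
    def rule(identity: Identity) -> bool:
        return group in identity.groups
    return rule


# Policies attached to resources, keyed by path prefix. The longest matching
# prefix wins, so the stricter /admin/ policies override the catch-all on /.
POLICIES = {
    "/": [],                                   # any authenticated user
    "/intranet/": [internal_only],
    "/admin/": [internal_only, member_of("Admin")],
}

AUDIT_LOG = []  # one record per decision


def lookup_policies(path: str):
    """Return (matched prefix, policy list), or (None, None) if nothing covers the path."""
    prefixes = [p for p in POLICIES if path.startswith(p)]
    if not prefixes:
        return None, None
    best = max(prefixes, key=len)
    return best, POLICIES[best]


def authorize(identity, path: str) -> bool:
    matched, policies = lookup_policies(path)
    if identity is None or policies is None:
        granted = False      # unauthenticated, or no policy covers it: fail closed
    else:
        granted = all(rule(identity) for rule in policies)
    AUDIT_LOG.append({"user": getattr(identity, "user", None), "resource": path,
                      "policy": matched, "granted": granted})
    return granted


if __name__ == "__main__":
    # Constructed identities: an internal employee and an admin coming from outside.
    alice = Identity("alice", frozenset({"Employees"}), "10.1.2.3")
    bob = Identity("bob", frozenset({"Employees", "Admin"}), "203.0.113.7")
    for who, path in [(alice, "/intranet/news"), (alice, "/admin/users"),
                      (bob, "/admin/users"), (None, "/intranet/news")]:
        print(getattr(who, "user", "anonymous"), path, authorize(who, path))
    for rec in AUDIT_LOG:
        print(rec)
```

Note that bob is denied on /admin/ even though he is in the Admin group: both policies attached to the resource must pass, and his request arrives from an external address. The audit record captures which prefix matched, which is what an auditor needs to reconstruct why a decision was made.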

After an authentication or authorization policy decision is made, the outcome can be recorded for auditing purposes, such as:

For the end user, the main benefit is single sign-on: the user logs in once to a web resource and is then automatically logged in to all related resources, instead of authenticating separately to several websites over the course of a day, potentially each with different user names and passwords. (The centralized control that makes this possible is mainly a benefit to IT and administrative staff.) The web access management product records the initial authentication and issues the user a cookie that acts as a temporary token for all other protected resources. Because that cookie is a bearer token, it must be protected like a password: marked Secure and HttpOnly, scoped to the protected domain, given a limited lifetime, and invalidated on logout, since anyone who obtains it inherits the session.

History

Web access management products originated in the late 1990s, and were then known as single sign-on. Five of the original products were Hewlett-Packard HP IceWall SSO, CA Technologies SiteMinder, Oblix Access Manager, Magnaquest Technologies Limited IAM (Identity and Access Management) and Novell iChain. These products were simple in their functional capabilities, but solved an important problem of the time: how to carry a user's authenticated session across multiple domains without forcing the user to log in more than once. The difficulty stemmed from the fact that cookies are domain-specific, so there was no simple way to seamlessly transfer a user from one website to another. The term web access management was adopted as products added the ability to control which resources (web pages) a user could access, in addition to authenticating them.

Architectures

Web access management products follow one of three architectures: plug-in (or web agent), proxy, or tokenization.

Plug-ins (agents) are programs installed on every web or application server. They register with the server and are invoked on every request for a web page: they intercept the request and consult an external policy server for the policy decision. A benefit of the agent architecture is that agents can be customized closely to the needs of a particular web server. A drawback is that a different agent is required for every web server on every platform (and potentially for every version of every server), and as the host software evolves, updated agents must be distributed and kept compatible with it. Any server that does not carry the agent is unprotected, so agent deployment must be complete and verified.

Proxy-based architectures route all web requests through the proxy server to the back-end web or application servers. This gives a more universal integration with web servers, since the standard protocol, HTTP, is used instead of vendor-specific application programming interfaces (APIs). A drawback is that additional hardware is usually required to run the proxy servers, which become a bottleneck and a single point of failure. The proxy is also the only enforcement point, so the back-end servers must be reachable only through it; a back-end that accepts connections directly lets a client bypass the access checks entirely.

Tokenization differs in that the user receives a token which can be presented directly to the back-end web or application servers. Authentication occurs through the web access management tool, but the application traffic flows around it, which removes the network bottleneck of the proxy architecture. The drawback is that each back-end server must be able to validate the token itself (checking its signature and expiry, not merely parsing it), or the web access management tool must be designed around common standard protocols that the back-ends already support.
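The tokenization model as an added example (not any vendor's token format): the WAM authenticates the user once and issues a token carrying the identity claims and an expiry, signed with a key shared with the back-ends. A back-end validates the token locally, with no call to the WAM on the request path, and then applies its own rule. The key, the claim names, the clock values and the HMAC-over-base64 layout are assumptions; the point is what the back-end must check before trusting anything in the token.

```python
"""Tokenization architecture: WAM issues a signed token, back-ends verify it locally.

Added example, not a vendor format. The shared key, claim names and clock
values are assumptions. Signature check comes first (constant-time), then
expiry, then the back-end's own authorization rule.
"""
import base64
import hashlib
import hmac
import json


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: bytes, subject: str, groups, issued_at: int, ttl: int = 900) -> str:
    """WAM side: after authentication, bind identity and expiry under an HMAC."""
    claims = {"sub": subject, "groups": sorted(groups), "iat": issued_at, "exp": issued_at + ttl}
    payload = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def verify_token(key: bytes, token: str, now: int):
    """Back-end side: return the claims if authentic and unexpired, else None."""
    try:
        payload, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    # Compare in constant time so a forger learns nothing from response timing.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return None
    try:
        claims = json.loads(_unb64(payload))
    except ValueError:            # bad base64 or bad JSON
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


def backend_handle(key: bytes, token: str, now: int, required_group: str) -> int:
    """A back-end request handler: validate the token, then enforce the local rule."""
    claims = verify_token(key, token, now)
    if claims is None:
        return 401                # not authenticated (bad, forged or expired token)
    if required_group not in claims.get("groups", []):
        return 403                # authenticated, but not authorized here
    return 200


def forge_groups(token: str, new_groups) -> str:
    """What an attacker without the key can do: rewrite claims, reuse the old signature."""
    payload, sig = token.split(".", 1)
    claims = json.loads(_unb64(payload))
    claims["groups"] = list(new_groups)
    return _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()) + "." + sig


if __name__ == "__main__":
    KEY = b"constructed-shared-key-for-the-example"   # assumption: provisioned out of band
    token = issue_token(KEY, "alice", ["Employees"], issued_at=1_700_000_000)
    print("fresh, Employees rule:", backend_handle(KEY, token, 1_700_000_100, "Employees"))
    print("fresh, Admin rule:    ", backend_handle(KEY, token, 1_700_000_100, "Admin"))
    print("expired:              ", backend_handle(KEY, token, 1_700_001_000, "Employees"))
    print("forged groups:        ", backend_handle(KEY, forge_groups(token, ["Admin"]), 1_700_000_100, "Admin"))
```

The forged token fails because the signature covers the encoded claims, and the expired token fails even though its signature is valid; a back-end that only decoded the payload and read `groups` would accept both. A shared symmetric key also means every back-end that can verify tokens can mint them, so in a real deployment an asymmetric signature (back-ends hold only the public key) is the safer choice.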

Solutions like CA SiteMinder (now known as CA Single Sign-On) offer both agent- and proxy-based options while including standards-based federation. maXecurity from P2 Security employs a proxy approach. NetIQ Access Manager offers a hybrid solution that combines proxy and J2EE agent approaches. TELEGRID SMRTe employs a tokenization approach.

Costs

In most cases, the annual maintenance costs dwarf the purchase price. For example, where policy servers are used (in both the plug-in and proxy-based architectures), high-end hardware is needed to handle the workload of the web access management infrastructure, since every protected request depends on it.

Centralized administration is an additional hidden cost, because customers need to hire and train staff dedicated to managing policy entitlements for the underlying web applications. A final hidden cost relates to regulatory compliance. Since web access management is similar in concept to a firewall (more precisely, an application-layer firewall), it must satisfy major audit requirements, especially for public companies subject to the Sarbanes-Oxley Act, and for those bound by the Health Insurance Portability and Accountability Act (HIPAA), PCI DSS or CPNI rules. Larger companies spend a great deal of time and money auditing these web access management infrastructures, since they are the enforcement points for many internal and external applications.


References

[1] "Gartner names Oracle for WAM". The Financial Daily, vol. 3, no. 154, January 8, 2010.
