Smart strategies for external access
We offer smart strategies for securing extranet consumer portals for banks and telecommunication providers.
There are a number of new policy, access, and authentication components involved in securing today’s extranet architecture that can alleviate these issues. Figure 1 provides a conceptual diagram of the major services that organizations need in a more flexible and extensible authentication and authorization scheme for extranets.
Figure 1: Secure Extranet Components
Let’s take a brief look at each of these components.
• Access Management Gateway. In Figure 1, a user accesses the front-end Access Management Gateway as the initial point of entry into the extranet and is prompted for credentials (1). This is an optional service that can act as a front end for all web portals and other extranet services. Alternatively, it can be integrated with some existing applications or not exist at all. In the latter case, credentials are encoded on the client side and simply passed through more traditional web-based extranet services (such as SharePoint) to the user and policy data stores and risk analysis services.
• Authentication Risk Analysis Services. Running on an additional platform integrated with the user and policy data stores, a risk analysis engine weighs numerous factors involved in a user access request (such as user behavior profiling, system information, geographic location, browser and cookie data, etc.) to calculate the likelihood of fraudulent behavior. In the diagram above (2), the user’s credentials are passed to risk-based (or other traditional) authentication systems to verify the user’s identity. Once the user is authenticated successfully, the credentials are passed back through the gateway (3).
• Entitlement. Once the user is authenticated, there are multiple mechanisms to associate them with their data stores, including:
- User and Policy Data Stores. Such stores are traditional stores of user and organizational policy data, such as Lightweight Directory Access Protocol (LDAP) repositories and Active Directory (AD) servers.
- Policy Enforcement Points (PEPs). The PEP triggers entitlement policy evaluation and is usually integrated at the point of user interaction, typically an existing portal login screen or other web-based service. In the diagram, SharePoint is acting as the PEP, where a user’s credentials are sent to the PDP and evaluated against policy (3).
- Policy Decision Points (PDPs). The PDP or Security Module (SM) is the service that manages entitlement and authorization policy decisions when queried by a PEP. SharePoint (the PEP) passes the credentials through for evaluation against policy within the Security Module (4). A policy decision is made and passed back to the PEP for enforcement and allocation of privileges.
- Policy Administration Points (PAPs). Within an entitlement infrastructure, the PAP is the policy definition server through which administrators can manage policy pushed out to the PDPs.
- Policy Information Points (PIPs). A PIP may consist of any system or application that provides additional data to a PDP for evaluating authorization and entitlement policy decisions. Examples may include risk analytics; user data stores; authentication services such as RADIUS; applications with specific user, group and role definitions; and so on. In Figure 1, the LDAP and AD user stores are acting as PIPs, which contribute information to the PDP.
• Traditional Authentication Services. Ranging from traditional two-factor, token-based solutions to RADIUS and simple username/password solutions, traditional authentication services can still be integrated with extranet architectures, although more risk-based, context-driven solutions should be on the roadmap.
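As an added illustration (not code from the original article or from any vendor product), the following Python model walks through the entitlement flow described above: the PEP (the portal) sends an access request to a PDP, the PDP pulls attributes from PIPs (a constructed directory standing in for the LDAP/AD stores and a simple heuristic standing in for the risk analysis engine) and evaluates policy pushed to it from the PAP. The policy format, attribute names and sample users are assumptions, not XACML or any real product's API.

```python
"""PEP/PDP/PAP/PIP entitlement flow modelled on the Figure 1 architecture.
Constructed example: the policy format, attribute names and sample
directory data are assumptions, not a real XACML engine or vendor product."""
from dataclasses import dataclass, field

# --- PIPs: sources that enrich a request with attributes ---------------------
DIRECTORY = {  # constructed stand-in for the LDAP/AD user store
    "alice": {"groups": ["loan-officers"], "country": "US"},
    "bob": {"groups": ["contractors"], "country": "US"},
}

def directory_pip(subject):
    """Group membership and home country from the (constructed) directory."""
    return dict(DIRECTORY.get(subject, {"groups": [], "country": "unknown"}))

def risk_pip(context):
    """Constructed heuristic standing in for the risk analysis engine:
    an unfamiliar geography or a missing device cookie raises the score."""
    score = 0
    if context.get("geo") != directory_pip(context["subject"]).get("country"):
        score += 50
    if not context.get("device_cookie"):
        score += 30
    return score

# --- PAP: policies administrators define and push to the PDP -----------------
@dataclass
class Policy:
    resource: str
    action: str
    require_group: str
    max_risk: int = 100   # highest risk score the policy still tolerates

@dataclass
class PDP:
    policies: list = field(default_factory=list)

    def decide(self, request):
        attrs = directory_pip(request["subject"])   # PIP 1: LDAP/AD attributes
        attrs["risk"] = risk_pip(request)           # PIP 2: risk analytics
        for p in self.policies:
            if p.resource == request["resource"] and p.action == request["action"]:
                if p.require_group in attrs["groups"] and attrs["risk"] <= p.max_risk:
                    return "Permit"
                return "Deny"
        return "NotApplicable"   # no policy covers the request; PEP must not allow

# --- PEP: the portal (SharePoint in Figure 1) that queries the PDP and enforces
def pep_authorize(pdp, subject, resource, action, geo="US", device_cookie=True):
    request = {"subject": subject, "resource": resource, "action": action,
               "geo": geo, "device_cookie": device_cookie}
    return pdp.decide(request) == "Permit"   # fail closed on anything but Permit

PAP_POLICIES = [Policy("loan-portal", "view", "loan-officers", max_risk=40)]
```

Note that the PEP treats "NotApplicable" the same as "Deny", so a resource with no policy defined for it is never exposed by default.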
In many cases, organizations have already made investments in consolidated authentication tools such as SSO, and numerous existing applications employ this technology. To interact properly with other applications and web services, extranets need to support standard protocols such as Security Assertion Markup Language (SAML), Extensible Access Control Markup Language (XACML), Simple Object Access Protocol (SOAP), and others. Auditing permissions (who can do what within an extranet application environment) is critical as well, driven in many cases by compliance regulations. Gartner analyst Roberta Witty says, “It’s the regulations that have really brought this to a head in the last couple of years because when the auditor says, ‘Show me everyone who can access this application and show me what they can do,’ that’s a pretty tall order in most companies.”
All of the authentication and authorization systems in the new extranet security model should produce detailed audit and log data for review by auditors and security teams. With a centralized policy administration console, dissemination and enforcement of role definitions and policy actions becomes much simpler and supports the goals of audit and compliance.