Vendor Accent
A fresh look at identity management solutions
Pranay Jhaveri accentuates the need for identity management in the corporate world
Corporate networks are increasingly being opened to a broader population: not only a diverse, globally distributed workforce, but also contracted staff, business partners and customers. Organizations must review their identity and access management processes periodically to ensure that confidential personal and business information is protected from unauthorized access.
Because there is no recognized standard to follow and no all-in-one identity management product, organizations assemble point products into a package that matches their own risk appetite. But what should such an inter-related solution include?
Strong authentication and single sign-on (SSO) are the usual starting points. SSO lets an organization store and use identity information in one place and grant each authenticated user access only to the corporate resources that user is authorized for. Strong authentication gives better assurance of who the person actually is. Together they give an organization reasonable confidence about the identity of the person accessing the network. Is that good enough?
What if that person reaches corporate information from a compromised machine with malware or key-logging software installed? What if an attacker is reaching the network through a back door on that machine?
Access to corporate resources should be governed by more than the user's identity: it should also take into account the device being used and the software running on that device. That information should be treated as part of the identity on which access is granted. The analogy is a person entering a high-security embassy or boarding an aircraft: presenting an identification document is not enough; their belongings are also screened before they are admitted to the premises.
Detailed client checking therefore brings identity management closer to its goal of protecting business and personal information, and SSL VPN technology, now mature, is well suited to providing it.
First, most SSL VPN devices can check the client end-point for the date and time of access, the IP address, the operating system version, Windows registry values, the Internet Explorer version, whether the anti-virus software is up to date, whether a personal firewall is present, and the presence and MD5 checksum of a hidden marker file. Organizations can mix and match these client attributes when deciding which applications to grant access to. One caveat a practitioner should keep in mind: these attributes are reported by software running on the very end-point being assessed, so they raise the bar against careless users and opportunistic malware rather than guaranteeing anything about a machine an attacker fully controls.
Secondly, many SSL VPN devices also integrate with the Windows logon through GINA (on Windows Vista and later, the equivalent hook is a credential provider). This lets corporate policy be enforced through the Windows domain and Active Directory, so that the same access criteria apply to users on the LAN and to remote users alike. For example, to reach the Oracle Finance System a user must be an authorized person, on an authorized machine, whose anti-virus software has been updated within the past five days; no key-logging process may be running on the machine, and a personal firewall must be active to block back-door connections. The requirement is enforced whether the user accesses the Oracle Finance System from the LAN or remotely from home. With the logon integration, each time the user logs on to Windows both his identity and the related end-point information are checked automatically, so the organization can require every user of the Oracle system to meet these conditions.
Without SSL VPN technology there is no simple way to collect end-point information or to enforce such controls. Some SSL VPN devices go further and switch on additional controls in specific situations to protect critical information. If a device does not meet corporate standards, features such as a virtual desktop that writes no files to disk, blocking of e-mail attachment downloads, or a virtual keyboard for password entry can be activated.
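The posture checks and adaptive controls described above, combined with the role-to-resource-group mapping discussed later in the article, as an added worked example in Python. This is illustrative code written for this edit, not F5 product code and not part of the original article; it assumes a host-check agent that already reports the end-point's state, and the marker-file contents, process names, policy thresholds and sample postures are all constructed. The marker digest uses SHA-256 where the article mentions MD5.

```python
# Posture-aware access decision, modelled on the host checks described above.
# Added example; the agent collecting the posture is assumed to exist, this code
# only evaluates what it reports. All names and values are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional
import hashlib

# Hypothetical hidden marker file placed on managed machines; the agent reports
# its contents and we compare a digest (SHA-256 here, where the article says MD5).
EXPECTED_MARKER_DIGEST = hashlib.sha256(b"corp-managed-device-v1").hexdigest()
# Hypothetical process names treated as key loggers in this example.
KEYLOGGER_PROCESSES = {"keylog.exe", "klogsvc.exe"}

@dataclass
class Posture:
    """What the host-check agent reports about the end-point at logon."""
    user: str
    groups: set                   # directory groups (AD/LDAP) for the user
    reported_at: datetime         # time of the access attempt
    os_version: str               # e.g. "6.1"
    av_last_update: datetime      # last anti-virus signature update
    firewall_enabled: bool
    processes: list               # running process names
    marker_file: Optional[bytes]  # marker file contents, None if absent

@dataclass
class Policy:
    """Requirements for one resource group (e.g. the finance system)."""
    resource_group: str
    allowed_groups: set           # roles permitted to reach the resource group
    min_os_version: tuple         # (major, minor)
    max_av_age: timedelta         # how stale AV signatures may be

@dataclass
class Decision:
    allow: bool
    controls: list = field(default_factory=list)  # extra controls to switch on
    reasons: list = field(default_factory=list)

def parse_version(text: str) -> tuple:
    return tuple(int(part) for part in text.split("."))

def posture_failures(p: Posture, policy: Policy):
    """Split failed checks into hard (deny) and soft (allow under controls).
    A key logger or an unmanaged machine cannot be made safe by any control;
    stale AV, an old OS or a disabled firewall can be mitigated in-session."""
    hard, soft = [], []
    if p.marker_file is None or \
            hashlib.sha256(p.marker_file).hexdigest() != EXPECTED_MARKER_DIGEST:
        hard.append("not a managed device (marker file missing or altered)")
    found = KEYLOGGER_PROCESSES.intersection(n.lower() for n in p.processes)
    if found:
        hard.append("key-logging process running: " + ", ".join(sorted(found)))
    if parse_version(p.os_version) < policy.min_os_version:
        soft.append("operating system below minimum version")
    if p.reported_at - p.av_last_update > policy.max_av_age:
        soft.append("anti-virus signatures older than policy allows")
    if not p.firewall_enabled:
        soft.append("personal firewall disabled")
    return hard, soft

def decide(p: Posture, policy: Policy) -> Decision:
    """Combine who the user is (role) with what the device is (posture)."""
    if not (p.groups & policy.allowed_groups):
        return Decision(False, reasons=[
            f"{p.user} holds no role mapped to {policy.resource_group}"])
    hard, soft = posture_failures(p, policy)
    if hard:
        return Decision(False, reasons=hard)
    if soft:
        # Out of policy but ours: keep data off disk, keystrokes away from hooks.
        return Decision(True, reasons=soft, controls=[
            "virtual_desktop", "block_downloads", "virtual_keyboard"])
    return Decision(True)

# Constructed policy and sample postures for the finance system example.
FINANCE_POLICY = Policy("oracle-finance", {"finance-users"}, (6, 1), timedelta(days=5))
NOW = datetime(2009, 6, 1, 9, 0)
MARKER = b"corp-managed-device-v1"

def sample_postures() -> dict:
    base = dict(user="alice", groups={"finance-users"}, reported_at=NOW,
                os_version="6.1", av_last_update=NOW - timedelta(days=1),
                firewall_enabled=True, processes=["explorer.exe", "outlook.exe"],
                marker_file=MARKER)
    return {
        "compliant": Posture(**base),
        "stale_av": Posture(**{**base, "av_last_update": NOW - timedelta(days=9)}),
        "keylogger": Posture(**{**base, "processes": base["processes"] + ["KeyLog.exe"]}),
        "wrong_role": Posture(**{**base, "user": "bob", "groups": {"sales"}}),
        "unmanaged": Posture(**{**base, "marker_file": None}),
    }

if __name__ == "__main__":
    for name, posture in sample_postures().items():
        d = decide(posture, FINANCE_POLICY)
        print(f"{name:11s} allow={d.allow} controls={d.controls} reasons={d.reasons}")
```

The split into hard and soft failures is the design choice worth noticing: a running key logger or an unrecognized machine is denied outright, because switching on a virtual keyboard does not help once the end-point itself is hostile, whereas stale signatures or a disabled firewall on a managed machine are answered with the restrictive controls the article lists. The role check runs first, so a user with no mapped role is refused before any device attribute is consulted.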
A real-world example: a company that publishes sensitive information for its partners to view already prevents them from downloading it and provides a locked-down desktop with no means of saving files. It goes one step further and uses the SSL VPN device to force partners to read the material only through the virtual desktop feature, so that everything viewed stays in the end-point's memory and is cleared when the user logs off.
To enforce role-based control, most SSL VPN devices work with the common authentication servers: Windows AD, LDAP and RADIUS. The organization maintains a single authentication system, so adding or removing a user is one change that the IT administrator makes in the authentication server. Moreover, some SSL VPN devices allow applications to be grouped into resource groups, so a user's role can be mapped to the resources that role needs in a straightforward manner.
SSL VPN is a key enabler of identity management. It belongs in an inter-related identity management solution to administer and control user access and to enforce the security required to reach sensitive applications. Leaving this piece out would be like letting a visitor enter your premises without checking his belongings. Although SSL VPN is best known for providing remote access, an SSL VPN device can also be deployed as a key component of the inter-related identity management solution.
The author is the Sales Director, F5 India p.jhaveri@f5.com.