Web Access Management
Encyclopedia
Web Access Management is a subcategory of the broader Identity management space. Web Access Management controls access to Web resources, providing:
- Authentication Management
- Policy-based Authorizations
- Audit & Reporting Services (optional)
- Single sign-on Convenience
Authentication Management is the process of determining a user’s (or application’s) identity. This is normally done by prompting for a user name and a password. Additional methods of authentication can also include access tokens (which generate one-time passwords) and digital certificates.
Once a user’s (or process’) identity is confirmed, Policy-based Authorization comes into play. A Web resource can have one or more policies attached to it that say “only allow internal employees to access this resource” and/or “only allow members of the Admin Group to access this resource.” The requested resource is used to look up the policy, and then the policy is evaluated against the user’s identity. If the user passes the policy evaluation, she/he is granted access to the resource. If the user fails the evaluation, access is denied.
After an authentication or authorization policy decision is made, the outcome can be recorded for auditing purposes, such as:
- determining the last login time of a user
- identifying attempts to gain access to protected resources
- logging any administrative actions
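Policy lookup by requested resource, evaluation against the user's identity, and the audit record of each outcome, as an added example that is not from the article or any vendor's product; the paths, users and policy predicates are constructed for illustration, and denying resources with no matching policy is an assumption the article does not state.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    """Authenticated identity handed to the authorization step."""
    name: str
    internal: bool                 # internal employee vs. external user
    groups: frozenset = frozenset()

# Constructed policies in the style of the article's examples: a protected
# path prefix maps to a predicate over the user's identity. Paths are
# assumed to be normalized before they reach the policy lookup.
POLICIES = {
    "/public/": lambda u: True,                                  # any authenticated user
    "/intranet/": lambda u: u.internal,                          # internal employees only
    "/intranet/hr/": lambda u: u.internal and "HR" in u.groups,  # more specific rule
    "/admin/": lambda u: "Admin" in u.groups,                    # Admin group only
}

AUDIT = []   # audit trail: one dict per decision

def lookup_policy(path: str):
    """Select the policy by longest matching prefix, so /intranet/hr/
    is governed by its own rule rather than the general /intranet/ one."""
    matches = [p for p in POLICIES if path.startswith(p)]
    return max(matches, key=len) if matches else None

def authorize(user: User, path: str) -> bool:
    """Evaluate the selected policy against the user. A resource with no
    policy is denied (fail closed); this is an assumption, not article text."""
    prefix = lookup_policy(path)
    allowed = prefix is not None and bool(POLICIES[prefix](user))
    AUDIT.append({"user": user.name, "resource": path, "policy": prefix,
                  "decision": "allow" if allowed else "deny"})
    return allowed

def denied_attempts() -> list:
    """One audit use the article lists: attempts to reach protected resources."""
    return [e for e in AUDIT if e["decision"] == "deny"]

if __name__ == "__main__":
    alice = User("alice", internal=True, groups=frozenset({"Admin"}))
    bob = User("bob", internal=False)
    for user, path in [(alice, "/admin/tools/"), (alice, "/intranet/hr/payroll"),
                       (bob, "/intranet/news"), (bob, "/public/index.html")]:
        print(user.name, path, "allow" if authorize(user, path) else "deny")
    print(len(denied_attempts()), "denied attempts recorded")
```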
A Web Access Management product can then tie this security together (which is mainly a benefit to IT and administrative staff) and, as a benefit to the end user, offer Single Sign On. Single Sign On is the process by which a user logs in only once to a Web resource and is then automatically logged in to all additional related and protected resources. Users can be inconvenienced when attempting to get authenticated to multiple websites throughout the course of a day (potentially each with different user names and passwords). A Web Access Management product can record the initial authentication and provide the user with a cookie that acts as a temporary token for authentication to all other protected resources, so that the user needs to log in only once.
History
Web Access Management products originated in the late 1990s, and were then known as Single Sign On. Two of the original products were Computer Associates SiteMinder and Oblix Access Manager. These products were simple in their functional capabilities, but solved an important issue of the time: how to share user credentials across multiple domains without forcing them to log in more than once. The challenge stemmed from the fact that cookies are domain-specific, so there was no simple way to seamlessly transfer a user from one website to another. Since then, Single Sign On has come to mean technology that lets users store all of their passwords in a browser plugin which auto-fills login screens for them (such as RoboForm). The new term became known as Web Access Management, because products in this space added the functionality of controlling which resources (Web pages) a user could access, in addition to authenticating them.
Architectures
There are two different types of Web Access Management architectures: plug-in (or Web agent) and proxy.
Plugins are programs that are installed on every Web/application server, register with those servers, and are called at every request for a Web page. They intercept the Web request in order to make a policy decision and communicate with an external policy server in order to make these decisions. One of the benefits of a plugin (or agent) based architecture is that they can be highly customized for the unique needs of a particular Web server. One of the drawbacks is that a different plugin is required for every Web server on every platform (and potentially for every version of every server). Further, as technology evolves, upgrades to agents must be distributed and kept compatible with evolving host software.
Proxy-based architectures differ in that all Web requests are routed through the proxy server to the back-end Web/application servers. One of the benefits of a proxy-based architecture is a more universal integration with Web servers, since the common standard protocol, HTTP, is used instead of vendor-specific Application Programming Interfaces (APIs). One of the drawbacks is that additional hardware is usually required to run the proxy servers.
Solutions like CA SiteMinder typify the agent-based approach (although CA SiteMinder also offers a proxy option); maXecurity from P2 Security employs a proxy approach.
Costs
It is often underestimated how much a Web Access Management system truly costs. In most cases, the annual maintenance costs dwarf the purchase price. For example, when policy servers are used (in both the plugin and proxy-based architectures), high-end hardware is needed in order to efficiently run the Web Access Management infrastructure, because users will give up on accessing a Web page if it takes more than several seconds to respond.
Centralized administration is an additional hidden cost, because customers will need to hire and train staff to exclusively manage policy entitlements for the underlying Web applications. A final hidden cost relates to regulatory compliance. Since Web Access Management is similar in concept to a firewall (more closely aligned to an application-layer firewall), it must be able to handle major audit requirements, especially for public companies subject to the Sarbanes-Oxley Act (not to mention those that are bound by the Health Insurance Portability and Accountability Act, PCI, or CPNI). Larger companies spend tremendous amounts of time and money auditing these Web Access Management infrastructures since they are the enforcement points for many internal and external applications.