Pirean Access: One
Enhancing the Access Management User Experience through Integration with IBM Security Systems Software
Welcome to Pirean Insight Guides, our series of regular papers by Pirean’s expert team of consultants.
In this edition, Senior Security Consultant Rob MacGregor discusses how the synergistic relationship between Access: One and IBM Security Systems Software enables an integrated, efficient and cost-effective approach to
Rob MacGregor
Copyright © 2012 Pirean, all rights reserved. No part of this publication may be reproduced, stored in a retrieval system, used in a spreadsheet, or transmitted in any form or by any means – electronic, mechanical, photocopying, recording or
otherwise – without the permission of Pirean.
‘Pirean’, and the Pirean logo are registered trademarks of Pirean Limited (UK). Registered in England No. 4453109
Introduction
For any secure application, the Identity and Access Management (IAM) process is the first point of contact for an end user, whether it be registration, gaining approval for access or, later, the process of logging in and maintaining their account. To ensure a user’s confidence and trust in the services that they are accessing, it is important that the IAM process is simple, reliable and transparent. For example, where the user base is diverse the IAM system should address the individual in their native language, as well as allow effective communication of status, changes, etc. In complex corporate environments it is also important to maintain a uniform design theme, both to ensure consistency throughout the user experience and to reinforce the brand of the service.
At the same time, security must remain paramount – the need for a simple user experience must be balanced with a comprehensive method of enforcing strong authentication and authorization policies at all times to ensure systems are not left open or vulnerable to threats.
The Digital Concierge
If we compare our online services to an apartment block, the access management solution is like a doorman who scrutinizes arrivals and ensures that only tenants gain entry. But today’s more service-oriented buildings require a concierge – a first point of contact with the premises who will not only fulfil the doorman’s task, but provide other invaluable services (such as providing emergency access, signing for deliveries in your absence, and managing maintenance on your behalf), which in turn helps to underwrite the brand values of the establishment. Much of what the concierge delivers may not be required by each tenant on a day-to-day basis, but it makes a significant contribution to the smooth running of the apartment block – and ultimately its reputation. If the duties of the concierge are not well executed, then the tenant’s experience and perception of the quality of the building suffers.
Like the concierge, an organization’s online services for Access Management (login, step-up authentication, password request etc.) play a substantial part in the user’s first impressions of the organization. Given that a key factor for visitor retention and satisfaction with a web site is usability, surely this applies as much to the processes of registration, account management and simply getting through the front door as to the content once your user has made it inside?
Usability: The Hidden Layer
When discussing Identity and Access Management solutions, it is usual to focus purely on aspects of control – what methods of authentication will we require of the user during login? How will we ensure that every user is compliant with our access policies?
Clearly control is always at the root of IAM, but achieving control is only part of the picture in any practical solution. Consider the user login process: the login journey itself is only one of the journeys involved. We also need to handle aspects of single sign-on, self-registration, self-service, internationalization, legal terms and conditions acceptance, service bulletins, and so on. With so many different services coming together it’s unsurprising that user journeys can often be fragmented and inconsistent, both functionally and within the presentation layer.
Pirean Access: One
Pirean’s Access: One, in conjunction with IBM Security Systems Software, improves the presentation of all aspects of the IAM process to the end user – user provisioning, login, self-service and reporting. Its role is primarily as an integrator: tying together a number of other software components. As such, it offers real business benefits by accelerating the time to value of more specialized IAM software and allowing disparate systems to be integrated more easily and consistently.
Unifying the Access Management Experience
Access: One specializes in integrating with a variety of IAM components – user registries, identity and service providers, authentication gateways and authentication devices – through the implementation of application-specific workflows and authentication policies. Flexibility and extensibility are achieved by the use of a plug-in model, whereby access to each of the integrated components is handled by a set of modules that are sequenced into simple workflows in a central administrative console. Using Access: One, organizations are able to bring together the disparate services required to ensure integrity and service during the access and authentication process and present them along user journeys that are accessible and consistent with the overall brand experience.
Figure 1 illustrates a typical 2-factor login workflow, showing how each plug-in is responsible for a specific task (such as: requesting and testing a user’s ID and password, looking up user details, etc.). The execution and sequencing of the plug-ins is managed by Access: One, which controls progress through the workflow and handles presentation of web pages using the appropriate theme and language.
Access: One can be reconfigured dynamically, without interrupting the service, using its administration console. The console also provides a simple reporting dialog for analysis of the audit data records (see Figure 2).
Figure 1 - Access: One Workflow Example (diagram: the user’s access attempt is intercepted by ISAM; a username/password form feeds the LDAP authentication plug-in, which verifies uid and password; the LDAP lookup plug-in fetches the user’s mobile phone number; the SMS passcode authentication plug-in generates an SMS challenge, the user receives the passcode in a text message and enters it into a one-time passcode form, and if the retry limit is exceeded an LDAP update plug-in flags the user as locked out; finally the ISAM EAI plug-in completes the login and ISAM authorises access to the application. Supporting services shown: presentation, theme and language support; workflow next-step logic; auditing service)
Figure 2 - Access: One Administration Console
Figure 3 - Access: One Relationships with IBM Security Systems Software (diagram: IBM Security Access Manager WebSEAL, integrated via the external authentication provider and local-response-redirect service; IBM Security Identity Manager, for integration of self-service with user enrolment and authorisation, self-service provisioning, automated access request fulfilment, password management and synchronisation; IBM Security Federated Identity Manager, with Access: One operating as one side of a service provider/identity provider pair with ISFIM; an OAuth client for RESTful web services, OAuth resource servers and SaaS applications; IBM QRadar, via an audit log database adapter (under development); plus directories and other identity managers)
Access: One Integration with the IBM IAM Products
As we have discussed, Access: One is designed to orchestrate the dialogues and interactions that a user has with IAM services, during login and other related journeys.
IBM’s Security Systems portfolio of enterprise IAM software is both highly regarded and widely used throughout the corporate world. Businesses know that by choosing IBM they will get the rich functionality they need to address diverse requirements and challenges as part of an IAM platform. Implementing Access: One simplifies the development and deployment of a centralized Web Access Management (WAM) platform. By reducing risk and complexity, the time to value of implementing centralized Authentication and Authorization, Single Sign-On, Federated Identity Management and Strong Authentication is greatly reduced. Implementing Access: One in conjunction with IBM’s Security Systems IAM portfolio provides a turnkey capability for complex IAM deployments without the need for specialist skills or in-house development. IAM projects can often become unduly extended, thanks to the complexities of corporate requirements and the need to integrate with existing systems. Combining the flexibility of Access: One with the power of the IBM software products can help to keep project costs under control and bring a faster return on software investment.
The IBM products that are most commonly integrated with Access: One are:
• for login processing, access control and single sign-on: IBM Security Access Manager
• for integration of access across distributed organizations: IBM Security Federated Identity Manager and Business Gateway
• for management of the user provisioning lifecycle: IBM Security Identity Manager
• for deep analysis of security threats: IBM QRadar
IBM Security Access Manager
The IBM Security Access Management family is a group of security management products which automate sign-on and authentication to enterprise web applications and services and provide entitlement management for fine-grained access enforcement.
Use Scenarios
SMS-based Two-Factor Authentication:
The vulnerability of simple username/password login to compromise is well documented, so there is often a requirement to add another factor. Security theory categorizes different identification techniques as “the three somethings”: something you know, something you have and something you are. The more varied the factors involved, the stronger the overall process. One “something you have” identification method that is almost universal is the mobile phone, which also happens to contain a device (the SIM) which 100% guarantees uniqueness. Access: One offers a simple method of authentication in which a random 6-digit PIN is generated and sent to the mobile phone number associated with the user who is logging in.
To use this in combination with ISAM, we arrange for WebSEAL to pass control to Access: One, either for the whole of the login process or as a result of a “step-up”. Figure 1 showed the former scenario. Let’s look at the workflow in more detail:
The first step uses username and password to establish the ID of the user logging in. Access: One exercises strong control here – only if the user succeeds in providing valid credentials will the workflow proceed. The next step again references LDAP, to look up the mobile phone number of the user. The third step is the second factor – the plugin generates a limited-lifetime random code and sends it to the user’s mobile phone in an SMS message. It then presents a form for the user to enter the received code into. If this too is successful, the final plugin formats headers to pass the user identity and access level back to WebSEAL, so it can verify the user is permitted access and complete the login process.
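The four steps just described, written out as an added Python simulation (this is not Pirean’s code and not the Access: One plug-in API; it is an editor’s illustration of the Figure 1 workflow). Each plug-in is a function that reads and writes a shared session, and `login` sequences them the way the workflow engine would. The user registry, phone number, 300-second code lifetime, three-attempt limit and the auth-level value are all assumptions; the two header names are WebSEAL’s default EAI header names, but the real names are configurable in WebSEAL, and a real deployment would bind to LDAP rather than compare a stored password.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed stand-in for the LDAP directory (hypothetical user and number).
# A real deployment binds to LDAP; the password lives here only for the simulation.
USER_REGISTRY: Dict[str, dict] = {
    "alice": {"password": "correct horse", "mobile": "+447700900123", "locked": False},
}

OTP_TTL_SECONDS = 300   # limited lifetime of the SMS code (assumed value)
MAX_OTP_ATTEMPTS = 3    # retries before the "flag user as locked out" step fires (assumed)


@dataclass
class Session:
    """State carried between the plug-in steps of one login attempt."""
    user: Optional[str] = None
    mobile: Optional[str] = None
    otp: Optional[str] = None
    otp_expires: float = 0.0
    otp_attempts: int = 0


def ldap_authenticate(session: Session, uid: str, password: str) -> bool:
    """Step 1: verify uid and password; a locked account fails exactly like a bad password."""
    entry = USER_REGISTRY.get(uid)
    if entry is None or entry["locked"]:
        return False
    if not hmac.compare_digest(entry["password"].encode(), password.encode()):
        return False
    session.user = uid
    return True


def ldap_lookup_mobile(session: Session) -> bool:
    """Step 2: fetch the mobile number the second factor will be sent to."""
    session.mobile = USER_REGISTRY[session.user].get("mobile")
    return session.mobile is not None


def sms_generate_challenge(session: Session, send_sms: Callable[[str, str], None],
                           now: Optional[float] = None) -> None:
    """Step 3a: generate a random 6-digit code with a limited lifetime and send it by SMS."""
    now = time.time() if now is None else now
    session.otp = f"{secrets.randbelow(10 ** 6):06d}"   # CSPRNG, zero-padded to 6 digits
    session.otp_expires = now + OTP_TTL_SECONDS
    session.otp_attempts = 0
    send_sms(session.mobile, f"Your login code is {session.otp}")


def sms_verify_passcode(session: Session, submitted: str,
                        now: Optional[float] = None) -> str:
    """Step 3b: check the code the user typed; returns 'ok', 'retry', 'expired' or 'locked'."""
    now = time.time() if now is None else now
    if session.otp is None or now > session.otp_expires:
        return "expired"
    session.otp_attempts += 1
    if hmac.compare_digest(session.otp.encode(), submitted.encode()):
        session.otp = None                               # a code is single use
        return "ok"
    if session.otp_attempts >= MAX_OTP_ATTEMPTS:
        USER_REGISTRY[session.user]["locked"] = True     # Figure 1: retries exceeded -> lock out
        return "locked"
    return "retry"


def eai_headers(session: Session) -> Dict[str, str]:
    """Step 4: headers handed back to WebSEAL. Names are WebSEAL's default EAI header
    names (configurable in a real deployment); the auth level value is an assumption."""
    return {"am-eai-user-id": session.user, "am-eai-auth-level": "2"}


def login(uid: str, password: str, read_code: Callable[[], str],
          send_sms: Callable[[str, str], None],
          now: Optional[float] = None) -> Optional[Dict[str, str]]:
    """Sequence the four plug-ins; returns the EAI headers on success, None otherwise."""
    session = Session()
    if not ldap_authenticate(session, uid, password):
        return None
    if not ldap_lookup_mobile(session):
        return None
    sms_generate_challenge(session, send_sms, now)
    while True:
        result = sms_verify_passcode(session, read_code(), now)
        if result == "ok":
            return eai_headers(session)
        if result != "retry":
            return None
```

Two details matter for the defender: the code comes from the CSPRNG and is compared in constant time, and a wrong password and a locked account are indistinguishable to the caller, so the first step leaks nothing about whether an account exists or is locked. The lockout flag is written to the registry, which is the state the self-service scenario later in this paper has to clear.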
Access: One and IBM Security Access Manager
IBM Security Access Manager (ISAM) can help organizations to manage growth and complexity, control escalating management costs, and address the difficulties of implementing security policies across a wide range of Web and application resources. ISAM WebSEAL is a secure reverse web proxy whose job is to enforce authentication and authorization policy on browser access to web applications. It also offers a foundation for single sign-on, by allowing a user to authenticate with one set of credentials and then access a number of target applications via a number of trust mechanisms.
WebSEAL provides an enriched Access Management environment by offering a number of authentication methods – including Strong Authentication, collecting session-specific information to enrich authentication and authorization decision making, and tailoring the interfaces and workflow based on the device and the user’s location. However, for more esoteric requirements it is frequently necessary to extend WebSEAL by use of the External Authentication Interface (EAI), which allows an external application to orchestrate the login process and then pass control back to WebSEAL once the user authentication has succeeded. Access: One provides seamless integration with IBM Security Access Manager through this mechanism.
WebSEAL also offers a facility called “local response redirect”. This causes the user to be directed to an external application whenever WebSEAL would normally present a page of its own. If that application is Access: One, all of the capabilities of the workflows are available to enrich the user experience.
Figure 4 - ISAM External Authentication Provider Scenario (diagram: ISAM WebSEAL, as access enforcer, hands the request to the Access: One request router, which runs a workflow of the LDAP authentication plug-in, LDAP lookup plug-in, SMS passcode authentication plug-in and ISAM EAI plug-in)
Figure 7 - ‘Forgotten Password’ page
Handling a Locked-out Account
For many organizations, the increasing ubiquity of online services in recent years has been mirrored by a rise in the size and cost of help desk functions. Clearly this is a prime target for cost reduction, so anything that allows a user to rectify a problem themselves, instead of making a call to the helpdesk, is welcome. Consider a very common situation – the user has forgotten his password and, after a few failed attempts, is locked out of his account. The following diagram (Figure 8) shows how ISAM and IBM Security Identity Manager (ISIM) could be used to provide a self-service solution, with Access: One facilitating the integration between the two.
Figure 8 assumes that WebSEAL is configured to direct the user to Access: One when a “locked user” error occurs (for example, using local-response-redirect). The workflow triggered uses the ISIM password recovery challenge/response process to authenticate the user. If this is successful it will unlock the account and set a new password. Finally, it returns control to WebSEAL, asserting the ID so the user is immediately logged in.
Figure 8 - ISAM User Self-Reset Scenario
“Portcullis” Function
Almost every online system needs occasional scheduled downtime for maintenance or upgrade. Rather than ask the user to log in only for them to find that the service is unavailable, it is friendlier to present the user with advance notification of outages, and then during the scheduled window completely replace the login process with an information page. Access: One allows this to be enabled dynamically, simply by switching the request mapping on the fly.
Figure 6 shows how the normal request routing can be temporarily overridden, by updating the rules in the console and propagating them to the Access: One login servers. Because the information page never returns a user ID, WebSEAL knows that access must not be allowed.
(Figure 8 diagram: WebSEAL, the access enforcer, raises “error: user locked” and passes the request to the Access: One request router; the workflow runs the ISIM challenge/response authentication plug-in and the ISIM change password plug-in against ISIM user provisioning, then the ISAM EAI plug-in returns the authenticated user to WebSEAL)
Figure 6 - ISAM Portcullis Scenario (diagram: the Access: One request router transfers control away from the normal login workflow to a Webpage plug-in, which returns an information page with details of the outage to WebSEAL; supporting services: presentation, theme and language support; workflow next-step logic; auditing service)
Figure 5 - A typical ‘Portcullis’ page
Access: One and IBM Security Federated Identity Manager
IBM Security Federated Identity Manager (ISFIM) is a multi-faceted product that provides web and federated single sign-on (SSO) to end users across multiple applications, using browser-based integration and open standards. It supports a wide range of roles, as identity provider, consumer and a source of identification tokens, using a large number of protocols.
Access: One includes federation protocol support as a standard feature for the most common modes of SAML 2 (SSO with HTTP redirect and POST). This allows single sign-on to a number of cloud-based SaaS services. In these modes it can also operate as a peer to ISFIM, in either an identity provider or a service provider role. However, for more complex types of federation protocol, ISFIM alone will provide the solution. In these cases there is still a role for Access: One, as ISFIM is generally deployed with ISAM, which has the enforcement role, so the EAI and local-response-redirect scenarios described above remain valid.
ISFIM also contains an OAuth resource authorization service provider. The OAuth protocol is an extension of the so-called “Facebook Model”, whereby a client application can ask the user to allow it to access resources on a third-party server, without entering credentials for the resource server into the client. In the ISFIM case, it is handling the Resource Server end of the protocol. Access: One provides an OAuth client plug-in that handles the client end of the protocol, allowing it to access resources on social network sites, such as Facebook and LinkedIn. This same plug-in can provide access to resources held in an ISFIM-protected resource server.
Use Scenarios
Federated Hub and Spoke
One of the characteristic features of a federated solution is the range of elements and protocols that may be involved. ISFIM is ideally suited to facilitating such solutions, because of the number of standards it supports and the wide range of roles it can play. For example, imagine a scenario where a company is offering services to a number of partners or suppliers, as illustrated in Figure 9. In this case the versatility of ISFIM, combined with the capabilities of Access: One, allows you to easily implement a service provider model for a range of different identity provider types as a relying party, generating security tokens (such as Kerberos tickets) for consumption by target services, and acting as a WS-Trust broker for secure web services.
Figure 9 - ISFIM Hub and Spoke Scenario (diagram: shared applications reached through ISFIM federated access services, with a Liberty federation IdP, a WS-Trust IdP, a Kerberos token service, SAML 2 and Liberty protocol connections, and web service requests through a DataPower XML gateway)
Access to Application Resources through OAUTH 2
The OAuth protocol emerged as a method to allow an application (the “client application”) to ask the user for access to personal account information held by a third-party application (the “resource owner”), such as Facebook. It would be possible to do this by asking the user for login credentials and then relaying them to the resource owner, but this would be contrary to good practice and would leave the user open to a number of attacks.
ISFIM provides the OAuth 2 authorization server component that handles access requests on behalf of the resource owner. Figure 10 illustrates a scenario whereby an application can use OAuth services with Access: One operating as a proxy client on its behalf. Whilst the process looks a little complicated, it is actually quite simple. There are two workflows involved, the first of which handles the interactive process of requesting access to resources, with the second operating asynchronously and allowing the client application to retrieve information from the resource server. The objective of this setup is to allow the client application to make use of OAuth-derived resources without having to implement OAuth itself.
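To make the two workflows concrete, here is an added, self-contained Python simulation of the authorization-code exchange (editor’s example; not Pirean’s or IBM’s code, and not the ISFIM or Access: One API). `AuthorizationServer` stands in for the role ISFIM plays (authorization endpoint, token endpoint and resource endpoint), and `ProxyClient` for the role Access: One plays: it owns the client secret, the `state` value and the access token, so the application behind it only ever asks for a named resource. The client registration, redirect URI, resource owner, resource values and the 600-second code lifetime are constructed assumptions.

```python
import hmac
import secrets
import time
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlparse


class AuthorizationServer:
    """Simulated OAuth 2 authorization server plus resource server (the ISFIM role).
    Registrations and resources are constructed sample data."""

    def __init__(self, clients: Dict[str, dict], resources: Dict[str, dict]):
        self.clients = clients          # client_id -> {"secret", "redirect_uri"}
        self.resources = resources      # resource owner -> {resource name: value}
        self.codes: Dict[str, dict] = {}
        self.tokens: Dict[str, dict] = {}

    def authorize(self, client_id, redirect_uri, scope, state, owner, approved, now=None):
        """Authorization endpoint: after the owner's consent decision, redirect back with a code."""
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")   # never redirect elsewhere
        if not approved:
            return redirect_uri + "?" + urlencode({"error": "access_denied", "state": state})
        now = time.time() if now is None else now
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "scope": scope, "owner": owner, "expires": now + 600}
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, code, redirect_uri, now=None):
        """Token endpoint: authenticate the client and redeem the single-use code."""
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"].encode(), client_secret.encode()):
            raise PermissionError("invalid_client")
        grant = self.codes.pop(code, None)     # a code can be exchanged exactly once
        now = time.time() if now is None else now
        if (grant is None or grant["client_id"] != client_id
                or grant["redirect_uri"] != redirect_uri or now > grant["expires"]):
            raise PermissionError("invalid_grant")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"owner": grant["owner"], "scope": grant["scope"]}
        return {"access_token": token, "token_type": "Bearer", "scope": grant["scope"]}

    def resource(self, authorization: str, name: str):
        """Resource endpoint: the bearer token must exist and its scope must cover the resource."""
        scheme, _, token = authorization.partition(" ")
        grant = self.tokens.get(token) if scheme == "Bearer" else None
        if grant is None or name not in grant["scope"].split():
            raise PermissionError("insufficient_scope")
        return self.resources[grant["owner"]][name]


class ProxyClient:
    """The proxy-client role Access: One plays: holds the client secret, state and token,
    so the application behind it never implements OAuth or sees the owner's credentials."""

    def __init__(self, server, client_id, secret, redirect_uri):
        self.server, self.client_id, self.secret, self.redirect_uri = server, client_id, secret, redirect_uri
        self.pending: Dict[str, str] = {}          # state -> requested scope
        self.access_token: Optional[str] = None

    def authorization_request(self, scope: str) -> dict:
        """Workflow 1: parameters for the authorization endpoint, with a fresh unguessable state."""
        state = secrets.token_urlsafe(16)
        self.pending[state] = scope
        return {"client_id": self.client_id, "redirect_uri": self.redirect_uri,
                "scope": scope, "state": state}

    def handle_callback(self, redirect_url: str) -> Optional[str]:
        """Workflow 1 continued: tie the callback to a request we made, then swap code for token."""
        qs = parse_qs(urlparse(redirect_url).query)
        state = qs.get("state", [None])[0]
        if state not in self.pending:
            raise PermissionError("unexpected state: callback not tied to a request we made")
        self.pending.pop(state)
        if "error" in qs:
            return None                             # owner declined; nothing to store
        reply = self.server.token(self.client_id, self.secret, qs["code"][0], self.redirect_uri)
        self.access_token = reply["access_token"]
        return reply["scope"]

    def fetch(self, name: str):
        """Workflow 2: the application asks the proxy for a resource; the token never leaves here."""
        return self.server.resource(f"Bearer {self.access_token}", name)


def demo():
    """Run the whole exchange on constructed data; returns the resource the application gets."""
    server = AuthorizationServer(
        clients={"access-one": {"secret": "s3cret", "redirect_uri": "https://a1.example/cb"}},
        resources={"alice": {"email": "alice@example.com"}})
    client = ProxyClient(server, "access-one", "s3cret", "https://a1.example/cb")
    req = client.authorization_request("email")
    callback = server.authorize(req["client_id"], req["redirect_uri"], req["scope"],
                                req["state"], "alice", approved=True)
    assert client.handle_callback(callback) == "email"
    return client.fetch("email")
```

The checks that carry the security of the pattern are all on the server and proxy side: the redirect URI must match the registration, the code is bound to the client and redirect URI and is consumed on first use, the callback is rejected unless its `state` matches one the proxy issued, and the resource endpoint enforces scope. The application that calls `fetch` sees none of this, which is precisely the point the paper makes about letting the client application use OAuth-derived resources without implementing OAuth itself.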
IBM Security Federated Identity Manager
IBM Security Federated Identity Manager enables the flow of identity across domains – it does this for Web applications, services connected to an Enterprise Service Bus (ESB), point-to-point Web services and programmatic access to mainframe systems. From a Web application perspective, the Federated Single-Sign-On aspects provide secure, open-standards-based single-sign-on across independent Web domains. Linking of domains is inherent to an SOA, and Federated Identity Manager enables the flow of identity across domains. It can augment the functionality provided by an ESB to allow services to connect to the bus and access other services, without identity-specific code being written into the service implementations. This reduces development time and time to delivery, and helps realize the potential business benefits from the flexibility and responsiveness to change aspects of SOA.
Figure 10 - OAuth Resource Retrieval with ISFIM as the OAuth Authorization Server (diagram: the client application makes a web service request to the Access: One request router; the OAuth authorization workflow runs the OAuth request authorization plug-in and OAuth get access token plug-in, redirecting the user to ISFIM’s OAuth authorization server to request authorization and to get the token, then redirecting back to the client application; the OAuth web service workflow runs the OAuth request resource plug-in; supporting services: presentation, theme and language support; workflow next-step logic; auditing service)
IBM Security Identity Manager
Security Identity Manager is an automated, and policy-based solution that manages user access across IT environments. Through the use of roles, accounts, and access permissions, it helps automate the creation, modification, and termination of user privileges throughout the entire user lifecycle. It also enhances identity governance with separation of duties, checks user certification and enables group management. Role mining and lifecycle management, provided by the IBM Security Role and Policy Modeler component, helps reduce time and effort to design a role and access structure for the enterprise, and automates the process to validate the access information and role structure with the business owners.
Access: One and IBM QRadar
IBM QRadar is a security analytics application that can track vulnerabilities in real time by cross-referencing activity from a wide range of security components with various threat databases, including IBM’s X-Force database.
The QRadar adapter for the Access: One audit database will allow authentication, login and provisioning information (such as password resets and account lockouts) to be included in the data stream under analysis. The well-structured nature of the Access: One audit data will facilitate correlation with information from firewalls, content scanners and intrusion detection systems.
IBM QRadar
The IBM QRadar Security Intelligence Platform integrates previously disparate functions – including security information and event management (SIEM), risk management, log management, network behavior analytics and security event management – into a total security intelligence solution, making it the most intelligent, integrated and automated security intelligence solution available. QRadar provides users with crucial visibility into what is occurring with their networks, data centers and applications to better protect IT assets and meet regulatory requirements.
IBM’s X-Force Database
The IBM X-Force research and development team provides the foundation for a pre-emptive approach to Internet security. The X-Force team is one of the best-known commercial security research groups in the world. This group of security experts researches and evaluates vulnerabilities and security issues, develops assessment and countermeasure technology for IBM products, and educates the public about emerging Internet threats.
The IBM X-Force database is the world’s most comprehensive threats and vulnerabilities database. It is the result of thousands of hours of research by the X-Force team, and much of the data is used to power the pre-emptive protection delivered by IBM products.
Figure 11 - A ‘Terms and Conditions’ page added via Access: One
Access: One and IBM Security Identity Manager
IBM Security Identity Manager (ISIM) provides full lifecycle management of user identities, allowing accounts and entitlements across multiple systems, applications and databases to be managed centrally, based on policy rules and approval cycles. It also forms a base for assessing policy compliance, separation of duties and role profiling.
ISIM includes a number of self-service facilities, but as discussed already, it is often a requirement that the self-service journeys are incorporated within other access control flows. Access: One incorporates a comprehensive set of capabilities for integrating with ISIM that allow user registration, self-service, and access request functions to be embedded within the Access: One workflows, and ISIM provisioning processes to be triggered and monitored as a result of authentication actions or errors.
One particular area of integration lies around password recovery. The Access: One ISIM plug-in can make use of the ISIM password recovery challenge/response mechanism, so that in addition to being used as intended, it may also be used as a secondary authentication factor for special access requests.
Use Scenarios
Please refer also to the earlier ISAM scenario, which incorporated an ISIM update as part of a self-service process.
Terms and Conditions Page
It is often a legal requirement, when a user logs in to an application for the first time, for them to be presented with a disclaimer or ‘terms and conditions’ page, which they must agree to before continuing. With Access: One, interstitial pages of this type can be easily introduced into a workflow, using the WebPage plugin mentioned previously. However, if the page only needs to be displayed once, a way of tracking which users have accepted it and which have not is required. One approach would be to implement a flag in ISIM, which the Access: One workflow can query before displaying the page and update once the acceptance has been received.
Figure 12 - Prior to the user logging in, Access: One’s Webtop only presents applications that are publicly available
Figure 13 - Upon login, the user is presented with applications they have access to, those that will require further ‘step-up’ authentication, and applications they can request access to
Figure 14 - Once access has been granted to an application, or the user has logged in using ‘step-up’, the application remains available during the session
Webtop: Simplifying the User Access Experience
As we have seen, Access: One can play an important role in binding together the functions of the IBM Security Systems IAM portfolio. Although we have focused on the functional aspects of this, presentation is often equally important. Consider the scenario where a new employee joins the organization: this can be a time-consuming part of the user life-cycle, and the new recruit can spend a significant portion of their first days and weeks of employment going through user registration, learning what IT resources they have access to, where to find them, and what further resources they need to ask for. Additionally, getting every new user up and running also places a burden on the IT helpdesk.
From a management point of view, expediting this process by directing the new user to a place where they can find the applications they need to use and link to the processes they need to follow results in the new employee becoming a productive resource in a significantly shorter period of time.
Access: One’s “Webtop” provides a dynamic desktop view for web-based applications, publishing an end-user workspace customized according to a user’s access rights and authentication level – from where they can view and launch the applications which they’re authorized to access, as well as request access to new applications or perform common self-service requests (such as password reset requests).
Whether accessed via a desktop, laptop or mobile device, the use of Access: One’s Webtop ensures that the user experience and security remain exactly the same, regardless of platform.
Figure 15 illustrates how Webtop acts as a visual hub, linking up provisioning processes and application access from a single screen. Since all the linkages can exploit the flexibility of Access: One workflows, Webtop allows a consistent look and feel across mobile and traditional computing devices, with the flexibility to adjust login and security patterns based on device and session criteria.
Figure 15 - Access: One’s Webtop acts as a visual hub, linking provisioning processes and application access from a single screen (diagram: Webtop linked to directories, SaaS applications, other identity managers, IBM Security Access Manager WebSEAL, IBM Security Identity Manager and IBM Security Federated Identity Manager)
Summary
In this paper we have shown how Pirean Access: One can add to the value of the IBM Security Systems portfolio by providing a centralized resource from which to speed delivery times and add rich and flexible capabilities. Additionally, it can also extend the brand experience to services that are more commonly overlooked, enabling disparate Access Management services (such as implementing access control policy, providing information services, and offering the user help on first access and when they have locked themselves out) to be brought together and presented in a way that is both usable and flexible enough for a satisfying user journey.
To find out how Pirean can enable your enterprise visit www.pirean.com, call +44 (0)845 226 0542 or email [email protected]
Head Office (UK): Pirean Limited, Faretec, Cams Hall Estate, Fareham, Hants. PO16 8UY
Switchboard: +44(0)845 226 0542
Fax: +44(0)845 226 2742
www.linkedin.com/company/pirean-ltd
@pirean
www.pirean.com