A Best Practices Guide
Ensuring the Security of Your Company's Data & Identities
Safe and Secure Identity Management Best Practices
The transition to the "Cloud" means that companies often become reliant on the security procedures implemented by each third-party SaaS provider they employ to keep their corporate data safe. This means that your security and user access could be placed in the hands of multiple cloud vendors, each with varying levels of strength and quality control. This patchwork of cloud applications can leave your organization open to threats and vulnerabilities.
Fortunately, Symplified offers an alternative to this lack of direct control.
Symplified offers a complete solution, unifying federated single sign-on, access management, audit reporting, and user provisioning across on-premises, cloud, and mobile applications. No matter who the user is or which device they use to access applications, Symplified delivers the same seamless access experience. Organizations gain a single, secure portal to all of their existing cloud and web applications and services while using their existing identity infrastructure for authentication.
Safe, Secure and Flexible Architecture
Symplified was architected from the ground up to be flexible, safe, and, most importantly, secure. Symplified provides a safe communications channel between your users, your identity hub or gateway, and their cloud applications via secure communication protocols, cryptography, authentication, and other techniques, ensuring that your data and access are protected.
Symplified routinely scans for possible threats or other issues and promptly notifies its customers whenever preventative action needs to be taken. Physical security is also paramount, and Symplified protects its data centers with the latest physical access technology.
FLEXIBLE DEPLOYMENT
Symplified's central identity gateway, the Identity Router (IDR), can be delivered either as an on-premises managed virtual appliance or as a hosted cloud service running on the Amazon EC2 platform. Both IDR deployment methods give your business a secure SSO identity gateway.
The on-premises option allows your business to keep the IDR behind your firewall within your existing data center. Choosing the hosted option means that your IDR will be managed by Symplified in the cloud. Both options, however, provide identical security features. User access events, for example, are logged and available for audits, forensics and other compliance requirements. This extensible and flexible architecture is continuously monitored by Symplified's Information Security Team. In order to publish new application connectors and policy rules to the IDR, Symplified maintains a separate yet equally secure Management Console. These two discrete components ensure that there is no single point of failure that would prevent your users from accessing the resources they need.
» The Identity Router (IDR) is the runtime component, a virtual appliance that can be deployed on-premises, at a Service Provider, or on Amazon EC2. The IDR provides co-located policy enforcement and a central decision point that enforces authentication and authorization for all users. The IDR also serves as an audit collection point for all user actions. This is a single-tenant component and is completely controlled by you, our customer. There is no chance of commingling of customer information, and it is the most secure architecture for your SSO solution.
» The Symplified Management Console is a multi-tenant SaaS administration application that provides user-friendly policy configuration to manage all runtime components on the IDR. The Symplified Management Console also acts as a location for continuous monitoring and maintenance of your single-tenant SSO environment.
CONTINUOUS MONITORING
Your business depends on an identity management system that is secure and reliable. This requires consistent internal testing to ensure the highest levels of protection. Symplified's Operations Team conducts regular network scans of all its systems, monitoring for vulnerabilities and necessary security patches. We also conduct third-party security assessments on a routine basis to ensure independent reviews of our internal network processes and practices. A summary report of these independent findings is always available to our customers on request.
Symplified plans to be fully SSAE 16 / SOC 2 compliant in early 2013. Note that this audit has already been completed for our data center, where the Symplified Management Console is hosted.
The additional third-party assessments completed and available for review include:
» Application vulnerability threat assessments
» Network vulnerability threat assessments
» Select penetration testing and code review
» Security control framework review and testing
Symplified continues to use the following methodologies and standards as best practices in the course of our solution development process:
[Figure: System concept diagram. Users (employees, partners, customers, subscribers) and admin users connect through the Symplified Management Console (policy administration point: hosted application, multi-tenant, configuration management, status monitoring) and the Identity Router (IDR) (policy enforcement and decision point: runtime component, single-tenant, identity provider, runtime integration).]
During a release publication event, the code repository is digitally signed and the resulting signature is checked on the IDR to ensure that code changes have not been tampered with in flight from the originating source. Symplified monitors all IDRs 24/7, no matter where they are deployed for a particular customer. The IDR is also maintained and updated during scheduled maintenance windows; all of these are standard service components of our Identity as a Service (IDaaS) offering.
SECURE COMMUNICATIONS
Symplified is further protected at every step of the communications process between the Management Console, the IDR and the end users' application access. Below is a high-level overview of each area of communication and how security is handled in each scenario.
Type of communication → Type of security applied

Symplified Management Console → Identity Router (IDR): SSL VPN tunnel, outbound UDP port 1194.

IDR → SaaS Application: Normally over SSL, but the SaaS application determines the connection type supported.

IDR → Local Applications: Normally over SSL. Network controls can be used to ensure the application only accepts connections from the IDR, preventing side-door access.

End User → IDR: Information sent from the user's browser to the IDR is sent over HTTPS. The SSO session cookie contains a cryptographically random string, which contains the session ID. If the session cookie is tampered with, the session is invalidated and the user must re-authenticate.

IDR → SimpleLink: SimpleLink is used to access user stores internal to a customer's network only when the IDR is deployed in the cloud. The connection is an SSL VPN tunnel that is initiated as the client to Studio as the server.

SimpleLink → User store: The type of connection from SimpleLink to the user store depends on the security implemented by the user store. If the user store supports LDAPS, then SimpleLink will use LDAPS.

Administrator → Symplified Management Console: Access to the Symplified Management Console is protected by user name and password. Optionally, two-factor authentication can be enabled to access the Management Console. This connection is always over HTTPS on port 443.
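The End User → IDR row describes a session cookie built from a cryptographically random session ID that is invalidated if tampered with. The following is an added illustration of that pattern, not Symplified's code: the server-side store, the `SERVER_KEY`, and the function names are assumptions made for the example, and the cookie format (session ID plus an HMAC tag) is one common way to make tampering detectable.

```python
import hmac
import hashlib
import secrets
from typing import Dict, Optional

# Constructed for this example; a real gateway loads this from protected config.
SERVER_KEY = secrets.token_bytes(32)

# Server-side session store (constructed, in-memory): session_id -> user name.
SESSIONS: Dict[str, str] = {}


def _tag(session_id: str) -> str:
    """HMAC-SHA256 over the session ID so any edit to the cookie is detectable."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def issue_cookie(user: str) -> str:
    """Create a session after successful authentication; return the cookie value."""
    session_id = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, no '.'
    SESSIONS[session_id] = user
    return f"{session_id}.{_tag(session_id)}"


def check_cookie(cookie: str) -> Optional[str]:
    """Return the user for a valid cookie, or None when the caller must
    re-authenticate. A tampered cookie also invalidates the server-side session."""
    session_id, sep, tag = cookie.rpartition(".")
    if not sep:
        return None                       # malformed: no tag present
    if not hmac.compare_digest(tag, _tag(session_id)):
        SESSIONS.pop(session_id, None)    # tamper detected: drop the session
        return None
    return SESSIONS.get(session_id)       # None if expired or never issued
```

Edits to either half of the cookie fail `hmac.compare_digest`, and a guessed session ID never matches the store, so the only path to a user is presenting the cookie exactly as issued.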
Conclusion
Symplified securely unifies federated single sign-on, access management, audit reporting, and user provisioning across any access device, be it a laptop, tablet or smartphone. Symplified can be delivered either as an on-premises managed virtual appliance or as a fully hosted solution available on the massively scalable Amazon Web Services platform.
Symplified has been recognized by the Wall Street Journal, CRN, Network World, the RSA Conference, and others for its Identity and Access Management innovations. Symplified's Management Team is composed of individuals with deep roots in the security and access management space. By way of example, Darren Platt (CTO) co-authored the SAML standard, which has become one of the most popular federated identity protocols for application communication.
THE SYMPLIFIED ADVANTAGE
Symplified enables IT organizations to simplify user access to applications, regain visibility and control over usage, and meet security and compliance requirements. Symplified provides single sign-on, identity and access management, directory integration, centralized provisioning, strong authentication, mobile device support and flexible deployment options. Symplified is headquartered in Boulder, Colorado.