Concepts and Benefits
- Authentication is the process of verifying the digital identity of a client using the credentials provided by the client. This is normally accomplished by matching the client credentials, such as user ID and password, against an authentication service (AS), which maintains credentials in an Authentication database (AD). Normally, such services also provide for hierarchical grouping of users for ease of management.
- Authorization is the process of verifying that the client, once authenticated, has access rights to a Web resource. For example, an authorization rule may be created to allow clients access to the organization’s partner portal only when they belong to the “partners” group in the AD.
- Auditing is the process of tracking the user activities and resource usage through audit log trails, alerts and reporting. This is also important for meeting compliance regulations such as PCI and HIPAA.
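As an added example (not Barracuda's code or the appliance's own policy language), the following Python sketches the three concepts above as one policy check: credential verification against a constructed authentication database that also carries group membership, a default-deny authorization rule set keyed on URL path, required group and query parameter values, and an audit trail entry for every decision. All users, passwords, groups, rules and paths are constructed for illustration.

```python
# Added illustration of the AAA flow described above; not the appliance's code.
# Users, groups, rules and the salt below are constructed sample data.
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

SALT = b"constructed-salt"  # constructed; a real store uses a per-user salt

def _pw_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000)

# Authentication database: user -> (password hash, group memberships)
AUTH_DB = {
    "alice": (_pw_hash("alice-pass"), {"employees", "partners"}),
    "bob":   (_pw_hash("bob-pass"), {"employees"}),
}

# Authorization rules: (URL path prefix, required group, required query params)
RULES = [
    ("/partners/", "partners", {}),
    ("/reports/",  "employees", {"format": "pdf"}),
]

AUDIT: list[str] = []  # audit trail; a deployment would ship this to a log system

def authenticate(user: str, password: str) -> bool:
    rec = AUTH_DB.get(user)
    # Always run the hash and a constant-time compare so an unknown user
    # takes the same time as a wrong password.
    expected = rec[0] if rec else _pw_hash("")
    ok = hmac.compare_digest(expected, _pw_hash(password)) and rec is not None
    AUDIT.append(f"auth user={user} result={'ok' if ok else 'fail'}")
    return ok

def authorize(user: str, url: str) -> bool:
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    groups = AUTH_DB[user][1]
    for prefix, group, params in RULES:
        if parts.path.startswith(prefix):
            allowed = group in groups and all(
                query.get(k) == v for k, v in params.items())
            AUDIT.append(f"authz user={user} path={parts.path} rule={prefix} "
                         f"result={'allow' if allowed else 'deny'}")
            return allowed
    AUDIT.append(f"authz user={user} path={parts.path} result=deny (no rule)")
    return False  # default deny: nothing matched

def access(user: str, password: str, url: str) -> bool:
    """Full AAA decision for one request: authenticate, then authorize."""
    return authenticate(user, password) and authorize(user, url)
```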
The main benefits of using external authentication services for an organization are flexibility of user access control functions, increased scalability, standardized authentication methods, and high availability.
The Problems with Traditional Access Management Implementations
- Application modification: Building authentication and authorization into the applications requires significant changes to each copy of each application within the DMZ. This entails API implementations, platform specific support procurement, and ongoing maintenance issues.
- Web Server Plugin Availability and Management: Web servers typically require add-in modules for integration with authentication services, which may be provided by the Web server vendor, the authentication server vendor, or a third party. Often these add-ins are available for limited platforms and interoperability tends to be poor.
- Change Management Issues: Changes must be standardized across all the applications or servers. Third party add-ins may require frequent updates to keep up with the evolving platform and some often reach end-of-life. Interoperability issues may require upgrade or downgrade of the Web server, which may conflict with change management processes.
- Network Management Issues: Web servers typically reside in the DMZ, whereas the authentication servers are a part of the enterprise server farm. The entire intermediate network infrastructure must be configured to allow the individual Web servers to access the authentication servers.
- Limited Web Authorization Support: Often, AAA systems do not offer flexible authorization policy specifications for Web resources, as they do not have adequate visibility into the application constructs being used for resource specifications (such as URL query and FORM parameter values).
- Lack of Centralized Auditing: Administrators need to ensure that user audit trails are properly configured across all the applications. There is no consolidation of such disparate audit trails, which is often necessary for meaningful analysis or forensics.
- Single Sign On: Performing single sign on can be a significant challenge when multiple applications are deployed across multiple heterogeneous servers.
A Simple Solution for Application Identity and Access Management
Benefits and Features
- Simple. The appliance solves the authentication and authorization problem for an entire Datacenter.
- Versatile. The appliance scales to provide multiple methods of authentication and authorization integration.
- Standards based support. Traditional methods using LDAP, RADIUS and Active Directory are easily supported and augmented.
- Internal authentication database is included in the system for small user groups that do not have directory services deployed in their network.
- Powerful proxy, Web Address Translation, Request/Response Rewriting and Strong Cookie Session Management provide the ultimate single sign on portal. One system controls each user’s authentication rights and which applications they can access, eliminating the need for application modification and for Web server plugin management.
- Fast and efficient Client SSL Certificate deployments are easily achieved by using the extensive SSL capabilities of the Barracuda Web Application Firewall.
- Integration with industry leading solutions. The Identity and Access Management solution is now available with CA SiteMinder® as the policy decision point and the Barracuda Web Application Firewall as the policy enforcement point. Full scale advanced authentication and authorization, along with identity management, is now available with the integration of the CA SiteMinder® Policy Server.
- Two factor authentication is provided by built-in integration with RSA SecurID®. The Barracuda Web Application Firewall integrates with RSA SecurID® to support One Time Passwords (OTP) generated by hardware tokens.
- Integrated Single Sign On capabilities of the Barracuda Web Application Firewall enable architects to easily integrate multiple applications into a single portal.
- Extensive logging capabilities on the Barracuda Web Application Firewall provide visibility and enable administrators to build comprehensive access control policies.
- Centralized user audit trail and reports help in meeting compliance, forensic and client analytics requirements.