Featured Author - Laura Taylor - December 22, 2001
Introduction
With the proliferation of web-based technologies, single sign-on has emerged
as an important and central architecture solution for enterprise applications.
As security breaches become increasingly more frequent, minimizing user
access to back-end systems and web applications without impacting legitimate
usage is more important than ever before. As more web-based applications
are deployed, enterprise single sign-on (SSO) solutions that have the
capabilities to provide authentication, management, access control, and
logging across the complete front- and back-end e-business chain will
become increasingly more important to Information Technology (IT) decision
makers. Relevant Technologies has reviewed three leading portal single
sign-on products to see which comes out on top.
Virtually every viable business, non-profit or public sector organization today
has a web site connected via the Internet that links them with customers,
prospects, constituents, employees, partners and other groups. Some online
only businesses would not exist without the web and the Internet.
Advancements in web-related technologies have spawned portals, which act as gateways
to individual web sites. No matter what you're looking for, the portal
will try to give it to you. In that sense, portals go way beyond intranets
and extranets because of their community appeal and structure. Some portals
share a common content or theme, such as e-marketplaces, while others
try to be all things to all people (news, weather, entertainment, finance,
etc.). Typically most portals offer either a business-to-business (B2B)
or business-to-consumer (B2C) focus.
Portals provide access to large amounts of information within their own managed
servers but, importantly, also provide access to other sites beyond their
own direct control. Accessing portal information has created new security
challenges, and responding to these challenges is the impetus for this
report. Specifically, Relevant Technologies has researched to what extent
Netegrity, Securant and Evidian succeed in providing a high level of access
control without making the experience too burdensome for end users. The
challenge is how to mask the complexity of authentication, authorization
and administration (3As) to users while empowering portal administrators
to provide end-user single sign-on (SSO) access to pages not only within
the portal but to external sites selected by the users themselves. Portals
that respond to this balancing act efficiently retain tight security controls
and still provide real value and convenience. By improving the user experience,
web site stickiness is created -- the process by which user loyalty is
created and future return visits to the portal are increased.
Technology and Market Genesis
Initially, web security products protected only URLs, creating passwords
to be passed via Secure Sockets Layer (SSL), an encryption protocol built
for web browsers. In the beginning, during the Web's earliest stages,
this was sufficient, since a large array of web-enabled enterprise applications
did not exist. With the momentum of the web, web-enabled applications
have become ubiquitous, and today, are the norm. Each application typically
requires its own authorization process, and if numerous applications are
built into your portal point-of-presence, numerous authentication processes
are required. Without a single sign-on solution, a user may have to identify
themselves through a password logon scenario as many as half a dozen times
on one web site. Single sign-on creates an improved user experience, allowing
a user to authenticate themselves once on a web site, and continue to
use as many applications on that site that are available for their usage.
A properly implemented single sign-on solution will write the front-end
authentication through to a central SSO management console on the back-end,
and is able to share this authentication for the extent of the user session.
By improving the user authentication experience without compromising security,
web-sites can retain user stickiness, and expect an increase in return
visitors, page views, and hits.
As an added benefit, some single sign-on solutions obscure the links and
information that users are not allowed to access, and by doing so, reduce
the risk of unauthorized access, since unauthorized users and hackers
are not able to see what they are not allowed to access, at least through
the website's front-end. This process of hiding the true location of pages
and network resources access is known as URL Mapping. It should be noted
though that URL mapping makes no distinction between authorized or unauthorized
access, so the initial authentication and authorization process is again
of paramount importance.
Integration with partner websites and supply chain management (SCM) vendors can
more easily be achieved through single sign-on, since it allows the host
web site to create authentication and access policies that are transparent
to unique user groups as well as to individual users.
IT decision makers should expect to pay no more than $20 per user (in volume)
for a single sign-on implementation. Price above $20 per user is not price
competitive and signifies an engineering and development process that
has lacked adequate control over operational expenses.
Technology Fundamentals
Portal single sign-on has three key areas that are important for full
integration and interoperability into an enterprise environment:
- Authentication verifies that users are in fact who they claim to be, and strong authentication
also provides non-repudiation. Non-repudiation is the ability to prevent
a user from refuting their self-identity or transaction.
- Authorization, also known as access control, is based on user roles or privileges,
and allows administrators to specify which users can access which applications,
data, or functions.
- Administration consists of the tools and centralized management system that
exists in order to administer and distribute (if necessary) user data and the
security policy. Administration also includes logging and auditing capabilities
that provide time-tracked archived records of who did what during their session.
Authentication and authorization are of critical importance, as they affect performance
and end user satisfaction. Administration capabilities are secondary,
since they affect only one centralized position.
The authentication mechanism is central to the success of a single sign-on product. All enterprise
single sign-on products should adhere to industry standards, and support
of the Lightweight Directory Access Protocol (LDAP) is paramount to gaining
wide acceptance on the market. LDAP is an alternative to the X.500 Directory
Access Protocol (DAP) and defines standards for user schema, authentication
schema, strings, search queries, and URLs. LDAP has become such a key
component in today's and tomorrow's IT structures that any portal security
product that is not fully LDAP-compliant will rapidly be relegated to
also-ran status.
LDAP's user schema requires that objects have a Common Name, an Organizational Unit,
and a Domain Component. Windows 2000 and its Active Directory services
are LDAP compliant, and in order for seamless integration into a Windows
2000 environment, single sign-on products designed for enterprise deployment
must be LDAP enabled.
Enterprise-class single sign-on solutions must be flexible and have the ability to register
and revoke sharing credentials across disparate user populations, and
new and legacy applications. Advanced single sign-on solutions can interoperate
with two-factor authentication mechanisms, such as biometrics and time-based
token IDs.
Figure 1. Product Information

| Product Names | Evidian PortalXpert, Netegrity SiteMinder, Securant ClearTrust |
| Product Scope | Portal security, web security, authentication, passwords |
| Industry Focus | Application security, online access, web usage |
| Key Features | Authentication, access control, management, logging |
Product Leaders
Netegrity's SiteMinder, Securant's ClearTrust, and Evidian's PortalXpert are the single
sign-on product leaders for securing extranet- and intranet-based web
applications. Significant competitors to the market leaders include Entegrity's
AssureAccess, Entrust's GetAccess, and Oblix' NetPoint products.
Leading portal single sign-on products must be LDAP compliant, easy to deploy,
price competitive, and be server based. Products that eliminate the use
of cookies are more secure, and offer a greater user experience than cookie-based
agent services.
Single Sign-On Challenges
One of the challenges in implementing single sign-on portal security is
adherence to the LDAP standards. LDAP has numerous extensions, and many
vendors implement only parts of LDAP, often just enough to justify calling
their product "LDAP compliant." A weak LDAP implementation will create
scalability and performance issues, and as a company's web environment
becomes more sophisticated, without strong LDAP support, it may not be
able to take advantage of the various capabilities that LDAP allows.
Various Public Key Infrastructure (PKI) solutions are being marketed as alternatives
to single sign-on solutions. PKI offers equally strong authentication
capabilities, and may mitigate the risk of security exposures to an even
greater degree than single sign-on solutions. However, PKI solutions are
more difficult to deploy, and the general IT public has not accepted PKI
solutions as much as the market originally anticipated.
Firewalls and VPNs offer important security protections, but they have not been
optimized for customer, partner, and reseller utilization on the extranet.
Firewall protection and authentication services are geared towards employee
usage scenarios and, in order to create comparable extranet user sign-on
privileges, require individual set-up by the firewall administrator for
each user or user group. As important as firewalls and VPNs are, however,
they do not address SSO and 3A capabilities, so cannot be considered as
user-friendly portal security solutions by themselves.
Recommendations for Vendors
Netegrity, Securant, and Evidian all offer single sign-on solutions that
are LDAP compliant. In this regard, they are all equal contenders, and
this is one of the reasons that these three products are considered the
industry leaders.
Though Netegrity and Securant offer solutions that work, they are agent-based
products that require additional software on all web servers plus cookies
on end user desktops. Added resources required by these solutions clearly
increases the time-to-deploy and overall price of the entire implementation,
and requires that on-going administration be done on all target systems
and user devices. Additional work on the part of the administrator, and
potential interruption to the user for agent deployment, demonstrates
that these products are not seamless, and their cost of ownership goes
far beyond the initial licensing fees. The time it takes to deploy SiteMinder
and ClearTrust is, for both products, a function of how many servers will be supported
by the single sign-on technology. Systems administrators can expect to
spend two hours per server supported. On a web farm of 10 servers, implementations
of SiteMinder and ClearTrust would take 20 hours each, compared to a 2
hour implementation time with PortalXpert. Vendors looking to take their
portal SSO products to the next level need to understand how to migrate
their products to a central administrative console that does not require
server- or client-side intervention.
Netegrity and Securant both require the use of cookies to manage their user and
password processes. In order to mitigate the security risks associated
with cookies, both vendors should work towards eliminating the need for
cookies. Due to security holes in both Netscape and Microsoft web-browsers,
cookies can inadvertently be emailed out without using HTML email, without
a user's knowledge. Since cookies often hold password and user information,
this represents a potential security exposure. By using cookies for authentication,
a malicious hacker can capture the entire user session using Java applets
or protocol analyzers. Evidian's product requires no additional software
on web servers and target systems. In addition, it does not require the
use of cookies, and users who have cookie management in their browser
turned off will not be affected.
There are some vendors, such as BMC and Symantec, that offer single sign-on
like capabilities but, in actuality, what they are offering is password
synchronization services to enterprise applications. In order to take
advantage of Control-SA from BMC and PassGo from Symantec, password synchronizations
must be distributed to all target enterprise application servers to replicate
identical credentials across the enterprise. These solutions are not optimal,
since they require more extensive resources and require secure distribution
channels across wide-area networks. Password synchronization is not the
same as single sign-on, and these solutions cannot provide URL mapping
or a unique user welcome page.
Evidian's PortalXpert, Securant's ClearTrust, and Netegrity's SiteMinder all work
through a combination of rules and role-based configurations. Using a
rules-based approach is considered more scalable and flexible than using
roles because rules can be applied to not just people, but to networks,
domains, and IP addresses. Using roles implies a list-based practice,
and when a user's role changes, say, moving to another department, it
requires file edits and administrative changes. If set up properly, using
a rules-based approach typically takes less administrative resources than
using a roles-based approach. To be a market leader today, a single sign-on
portal product needs to support both rules and roles. The fact that all
these vendors support both rules and roles is one of the reasons that
PortalXpert, ClearTrust, and SiteMinder are all leading the single sign-on
market today.
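The URL mapping described earlier and the rules-versus-roles point above, as one added example that is not from the article or from any of the reviewed products: a toy proxy-style portal gateway in which the users, paths, back-end hosts, networks and policy are all constructed assumptions. Roles gate the person, rules also gate the source network and login domain, and the mapping is applied only after the decision, so a link that is merely hidden is still checked when it is requested directly.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample directory (assumption): login name -> roles.
USERS: Dict[str, Set[str]] = {
    "alice@corp.example": {"finance"},
    "bob@corp.example": {"staff"},
    "carol@partner.example": {"partner"},
}

# URL mapping table: the path the user sees -> the real back-end location.
# Hiding the true location is what the article calls URL mapping.
URL_MAP: Dict[str, str] = {
    "/portal/ledger": "http://ledger.internal:8080/cgi-bin/report?scope=all",
    "/portal/news": "http://cms.internal/news/index.html",
    "/portal/orders": "http://scm.internal/orders/",
}


@dataclass
class Rule:
    """Access rule for one mapped path. Roles constrain the person; networks and
    domains constrain the request itself, which is what makes rules more
    flexible than a plain role list."""
    path: str
    roles: Set[str] = field(default_factory=set)        # any listed role qualifies
    networks: List[ipaddress.IPv4Network] = field(default_factory=list)  # empty: any
    domains: Set[str] = field(default_factory=set)      # login domains; empty: any


# Constructed policy (assumption). A path with no rule is denied by default.
POLICY: List[Rule] = [
    Rule("/portal/ledger", roles={"finance"},
         networks=[ipaddress.ip_network("10.1.0.0/16")]),
    Rule("/portal/news", roles={"staff", "finance"}),
    Rule("/portal/orders", roles={"partner", "finance"},
         domains={"corp.example", "partner.example"}),
]

# Time-ordered audit trail of every gateway decision: (user, path, source, outcome).
AUDIT_LOG: List[Tuple[str, str, str, str]] = []


def is_permitted(user: str, path: str, src_ip: str) -> bool:
    """Combined rules-and-roles decision for one request."""
    rule = next((r for r in POLICY if r.path == path), None)
    if rule is None or user not in USERS:
        return False
    if not (USERS[user] & rule.roles):
        return False
    if rule.networks and not any(ipaddress.ip_address(src_ip) in n for n in rule.networks):
        return False
    if rule.domains and user.rsplit("@", 1)[-1] not in rule.domains:
        return False
    return True


def visible_links(user: str, src_ip: str) -> List[str]:
    """Menu the portal renders: only the mapped paths this user may reach."""
    return [p for p in URL_MAP if is_permitted(user, p, src_ip)]


def resolve(user: str, path: str, src_ip: str) -> Optional[str]:
    """Map the public path to its back-end target, but only after the
    authorization decision: a link that is merely hidden is still checked
    when someone requests it directly."""
    allowed = path in URL_MAP and is_permitted(user, path, src_ip)
    AUDIT_LOG.append((user, path, src_ip, "allow" if allowed else "deny"))
    return URL_MAP[path] if allowed else None


if __name__ == "__main__":
    print(visible_links("bob@corp.example", "10.1.4.7"))                  # ['/portal/news']
    print(resolve("bob@corp.example", "/portal/ledger", "10.1.4.7"))      # None (hidden and denied)
    print(resolve("alice@corp.example", "/portal/ledger", "192.0.2.9"))   # None (wrong network)
    print(resolve("alice@corp.example", "/portal/ledger", "10.1.4.7"))    # the back-end URL
    print(AUDIT_LOG)
```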
Evidian's PortalXpert is a newer product than SiteMinder or ClearTrust, and has
not yet proven itself on the market. There is always a risk in the implementation
of a new product. Evidian has already shown sufficient technical aptitude
with its other security management products, indicating that its success
in the secure portal management market is likely to follow suit. For example,
its AccessMaster enterprise security management software has garnered
"Best Access Control" product honors from SC Magazine for the last two
consecutive years.
For any enterprise product, scalability is an on-going concern. According
to the vendors, Evidian's PortalXpert and Netegrity's SiteMinder can accommodate
up to 100,000 users, while Securant's ClearTrust can accommodate up to
1,000,000 users. However, since vendors don't use the same standard to
define scalability, it is unclear if this refers to simultaneously connected
users or just the number that can be accommodated by the LDAP directory.
The vendors do not indicate how many servers are necessary to support
the maximum number of users, and what that means for application
performance is difficult to quantify. For example, 10,000 users might
be able to be accommodated with "instant" response, 40,000 users might
be able to be accommodated with a 3-4 second response time, and 100,000
users might be able to be accommodated with a 4-6 second response time.
Given that Netegrity and Securant have a longer track record with their
products than Evidian has, it is not clear that Evidian's PortalXpert
can scale to the same magnitude that Netegrity's SiteMinder or Securant's
ClearTrust can.
Recommendations for Users
As the first company to come out with a proxy based enterprise-class single
sign-on solution that does not require additional server or client-side
software or cookies, Evidian is the most visionary of the three market
leaders. Because all administrative capabilities are done on a central
management console and not on the application servers, Relevant Technologies
recommends PortalXpert as the choice for IT decision makers looking to
minimize total cost of ownership and administrative overhead. Due to the
elimination of server-side software, judicious IT managers deploying PortalXpert
can expect to reduce their implementation time for new single sign-on
applications by 80% over the other leading agent-based products.
Evidian brings more than 10 years of information technology capabilities and a base
of more than 600 customers worldwide. The company is particularly strong
in security-intensive industries, such as banking/finance and government
organizations. It also is well positioned in the global telecom and service
provider industries, which has rapidly expanding needs for web as well
as legacy security solutions. With revenues of nearly $50 million and an
employee resource base of about 375, Evidian will be around for the long haul,
and we expect them to continue to anticipate new market requirements as
online transactions become even more sophisticated.
With supply chain management (SCM) and customer relationship management (CRM)
applications becoming ever more prevalent, the single sign-on solution
market will continue to grow, and single sign-on will become a necessary
requirement for any vendor putting in place an enterprise-capable SCM or
CRM implementation.
At $15 per user in volume, Evidian's product is more cost competitive than
Netegrity's or Securant's, which both sell for $20 per user. With a 1,000-user
implementation, IT decision makers can save $5,000 by selecting Evidian's
PortalXpert over Netegrity SiteMinder or Securant ClearTrust.
About The Author
Laura Taylor is the Founder and Chief Technology Officer of Relevant Technologies.
Formerly, she was the Director of Security Research at TEC. Prior
to TEC she served as Director of Information Security of Navisite, and
CIO of Schafer Corporation.
Laura can be reached at ltaylor@relevanttechnologies.com.