Securing Web Applications
With Authentication Manager and SecurID
Security Dynamics' Web Application Access security solution combines the industry's leading user authentication, encryption and access control technologies to protect the vital information assets stored in your intranet and extranet applications. Built on the award-winning Authentication Manager and SecurID system, Security Dynamics' Web Application Access security solution eliminates inherent security threats, like unauthorized user access, data tampering and eavesdropping, associated with conducting business over the Web.
Highlights
- Implements strong, two-factor user authentication
- Leverages RSA-based SSL encryption to ensure information is secure as it travels across the network
- Provides users with portable credentials for accessing intranets and extranets from anywhere
- Eliminates the need to make hardware or software changes to the desktop
- Ensures complete user accountability
The ubiquitous and low-cost access of the World Wide Web has more and more organizations turning to the Internet as an efficient, inexpensive means for distributing information, products and services. Today, organizations worldwide are taking advantage of Web technology by setting up intranet and extranet applications to expedite business processes, to build stronger relationships with employees, customers and business partners, to lower the cost of doing business and, ultimately, to gain competitive advantage.
Securing business over the Internet
These qualities make the Web an attractive medium for delivering information. Yet conducting business in this way often results in a "hostile network environment" where an organization cannot set or control security policy. Moreover, organizations must be concerned with the inherent security threats associated with conducting business over the Web, such as unauthorized user access, data tampering and eavesdropping. Under these conditions, a strong network security solution is essential: one that transparently and automatically controls who gets access into corporate intranets and extranets as well as what they are authorized to access. The solution must provide identification and authentication of users, encryption of all traffic from the application to the user, and access control to all information.
Fortunately, Security Dynamics provides the industry's leading integrated authentication, encryption and access control solution. Using its award-winning Authentication Manager and SecurID, in tandem with Authentication Agents for Windows NT Internet Information Server and Netscape Enterprise Server, the solution eliminates the risks associated with conducting electronic business. With Security Dynamics' Web Application Access security solution, organizations can be assured that only authorized users are gaining access to the corporate information stored on their intranets and extranets. Moreover, with the Security Dynamics solution, organizations can control user privileges to determine what users can and cannot see once they gain access. And, because Security Dynamics' solution leverages RSA-based Secure Sockets Layer (SSL) encryption, organizations can be assured that their information is secure as it travels across the network. By combining these technologies, Security Dynamics has developed a Web Application Access security solution that can be deployed today to meet immediate business requirements.
Relying on strong, two-factor user authentication
The Secure Web Application Access solution begins with strong, two-factor user authentication. Strong user authentication ensures that only authorized users are gaining access to the confidential information stored on corporate intranets and extranets. On their own, Web servers protect access to Web applications only through user names and static passwords. Static passwords can be easily guessed or "cracked," making them the easiest target for unauthorized users. As a result, organizations that rely on passwords for user authentication cannot be certain that the users behind the browsers are in fact whom they say they are. Security Dynamics' SecurID strong authentication technology eliminates this risk.
SecurID authenticators are hand-held devices that come in different form factors, including hardware and software tokens and key fobs. The strength of the SecurID solution is rooted in its patented algorithm that generates a one-time, pseudo-random code that changes every 60 seconds. The same algorithm is incorporated in the Authentication Manager network security software. When the user enters the current one-time code as displayed by SecurID, along with a unique personal identification number (PIN), the Authentication Manager validates the passcode and permits the Authentication Agent that front-ends the Web application to allow user access. By combining these two factors, the one-time code and a PIN, organizations can be certain that only authorized employees, business partners and customers are gaining access to company confidential information.
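The passcode flow described above, as an added illustration that is not Security Dynamics' code or the patented SecurID algorithm: a standard HMAC-SHA1 time-step code stands in for the proprietary generator, the server-side class models the Authentication Manager's role (PIN check, 60-second window, one-time use, central log), and the seed, PIN, drift window and user names are constructed sample values.

```python
import hashlib
import hmac
import struct

TIME_STEP = 60     # page: the displayed code changes every 60 seconds
DRIFT_STEPS = 1    # assumption: tolerate one window of clock skew either way


def tokencode(seed: bytes, unix_time: int, digits: int = 6) -> str:
    """Code shown on the token for the 60-second window containing unix_time.
    HMAC-SHA1 over the window counter is an assumption, not the SecurID algorithm."""
    counter = unix_time // TIME_STEP
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


class AuthenticationManager:
    """Server side: holds each user's seed and PIN and validates passcodes once."""

    def __init__(self):
        self.users = {}   # username -> (seed, pin)
        self.used = set()  # (username, window) already accepted: enforces one-time use
        self.log = []      # single central audit record, as the page describes

    def add_user(self, name: str, seed: bytes, pin: str) -> None:
        self.users[name] = (seed, pin)

    def validate(self, name: str, passcode: str, unix_time: int) -> bool:
        """passcode = PIN followed by the current tokencode (two factors in one string)."""
        seed, pin = self.users.get(name, (None, None))
        if seed is None or len(passcode) <= len(pin) or \
                not hmac.compare_digest(passcode[:len(pin)], pin):
            return self._record(name, False, "unknown user or bad PIN")
        code = passcode[len(pin):]
        base = unix_time // TIME_STEP
        for window in range(base - DRIFT_STEPS, base + DRIFT_STEPS + 1):
            if hmac.compare_digest(code, tokencode(seed, window * TIME_STEP)):
                if (name, window) in self.used:
                    return self._record(name, False, "passcode replayed")
                self.used.add((name, window))   # grows unbounded here; prune in practice
                return self._record(name, True, "ok")
        return self._record(name, False, "bad tokencode")

    def _record(self, name: str, ok: bool, reason: str) -> bool:
        self.log.append((name, ok, reason))
        return ok
```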
Providing user accountability
Because each user must be in possession of a SecurID authenticator to gain access to the intranet or extranet, he or she can be held accountable for the activities performed under his or her name. Unlike a solution with the digital certificate stored on the desktop, where the private key is protected only by a password, SecurID offers user accountability. According to the Gartner Group, while certificates provide better security than just a password, they do not address the fundamental issue of user authentication. Because access to a digital certificate is generally based on a user name and password, an interloper with access to a user's workstation and knowledge of the user's password could masquerade as that user. (1) SecurID's reliance on two factors ensures that only authorized users are gaining access and, consequently, can be held personally accountable for the actions performed under their names.
No changes to the desktop
Using SecurID hardware tokens or key fobs requires no software to be added to the desktop system and no peripheral devices, saving organizations the time, money and manpower associated with purchasing, deploying and maintaining changes to users' desktops. The hand-held SecurID authenticator is all the user needs.
Providing portable credentials
SecurID offers an easy-to-use, portable credential allowing authorized users to access your Web applications as they move around their office, their campus or the globe. This portability makes secure access to information possible from anywhere at anytime.
Delivering single sign-on
The Security Dynamics solution delivers single sign-on across multiple Web applications, eliminating the need for users to re-authenticate at each application and the need to maintain different logins for each application. Using SecurID and a secret PIN, each employee, business partner and customer will only need to authenticate once. This single sign-on process eliminates the inconvenience of re-authenticating as users move between applications and between secured and non-secured Web pages.
Offering fine-grained access control
The Authentication Manager and Authentication Agent for Windows NT system allows organizations to control access to the information at the directory, page and URL levels using a simple point-and-click interface. This allows organizations to provide information to employees, customers and business partners on an "as-needed" basis, providing users with access to only the information they need to complete their tasks. For example, major banks use the SecurID solution to allow customers to access their accounts and transfer funds as needed, 24 hours a day, from anywhere in the world. In addition, this access control feature eliminates the need to write software to manage Web-based access control, which saves the corporate application developer from having to develop code for each Web application.
(1) The Role of Certificate Authorities in Information Security. Information Security Strategies, Gartner Group, 8/25/97.
Protecting information in transit
As this information travels between the user and the Web application, it is kept secure from any tampering or eavesdropping through the use of RSA encryption. Security Dynamics' Web Application Access security solution takes advantage of the SSL protocol that secures the information as it travels between the user and Web application. Transparently, the information is encrypted, preventing any third-party intervention that could result in data theft or tampering.
Managing user authentication and access control
Using Authentication Manager, administrators can maintain user information, including access privileges, in one central location, eliminating the need to enter detailed profiles across multiple directories. Administrators need only define user "groups" on each NT server and maintain membership to these groups in the Authentication Manager. Any additions, deletions or modifications in Authentication Manager flow automatically through each Web server.
To simplify management across an organization, Authentication Manager allows for distributed policy administration to enable business units to manage user access privileges. Such role-based administration eases the burden placed on security administrators and allows appropriate administrators to assign and manage user access rights among their section of the organization.
Administration of Security Dynamics' Web Application Access security solution is eased further through the automation of labor intensive administration tasks, such as log management and batch authenticator replacement.
Providing Extensive Audit and Reporting Capabilities
Authentication Manager records all access attempts, as well as the status of connections with Authentication Manager in the application log. That means the administrator has one central place to look at authentication and access activity. Instead of viewing each individual Web server's audit logs, the administrator can determine who authenticated in any Web application by checking the single Authentication Manager log.
Migrating to public-key solutions
Security Dynamics' Web Application Access security solution can be deployed today, without any need to adapt your current infrastructure. There is no need to deploy a public key infrastructure in order to conduct business over the Web. You can do it today, quickly and easily, using the Authentication Manager and SecurID solution. However, as your organization adopts next-generation, public-key technologies, Security Dynamics will provide a clear migration path to help you take advantage of these PKI solutions, like digital certificates and smart cards. As the company that invented public key technology, there is no better security provider to turn to than Security Dynamics.
Leveraging your investment
In addition to securing Web-based applications like intranets and extranets, Authentication Manager and SecurID manages authentication and access control in other environments, including remote access, Virtual Private Networks and local networks. A single investment in Authentication Manager can deliver multiple security solutions.
Platforms
- Microsoft Windows NT Internet Information Server
- Netscape Enterprise Server (UNIX: Sun Solaris, HP-UX, AIX)
Security Dynamics, Authentication Manager and SecurID are trademarks of RSA Security, Inc. All other trademarks are the property of their respective owners. © 2003 RSA Security, Inc. All rights reserved.
© 2006 Enterprise Systems Consulting, Inc. all rights reserved.