Monday, February 6, 2012
Access Authorization to Web Applications
A changing workforce as well as a diversity in warfare conditions demands that DoD personnel now expects access to its data from a diversity of sources, anytime, anywhere. Organizations are turning to a new generation of cloud applications in order to meet rapidly expanding requirements. Unfortunately, many of the applications have to be shared by a diversity of forces, in real-time. These applications reside on thousands of systems where access is managed by separate management staffs.
Meanwhile, users are bringing their own technology to the workplace—frequently on multiple devices such as tablets, notebooks and a variety of smartphones. Personnel seeking access are frustrated with managing multiple login credentials to the desired applications. This makes it harder than ever to manage and secure the workplace.
A few years ago an attempt was made to improve the interoperability of access through the implementation of “portals”. After initial success the portals were abandoned because the cost of maintenance and application integration made their use costly and unwieldy.
The present challenge is to provide easy to deploy access to the multiplicity of cloud- and web-based applications while maintaining secure control over applications, user access and devices. A solution must be scalable, affordable and easily implemented, while using commercial standards.
The granting of access authorization to an application is the single most important requirement for security assurance. If the access authorization process is faulty, a security failure is sure to follow. The key question is how to manage the granting of security authorization in a network environment where a user may use both a variety of mobile as well as stationary devices? How can a single access authorization apply in cases where a user may need to connect with to a variety of Windows, Web-based or SaaS applications? How can the granting of access authorizations be subjected to policy restrictions and then tracked for review by management and by security officials?
The requirements for access authorization are:
1. End users must be able to gain access to web applications from a variety of devices, which includes rapidly changing mobile clients. 2. The enterprise security organization must be able to retain control over security at all times. 3. Users, who need permission to access a wide range of applications, hosted on diverse services, must be able to receive access permission through a single sign-on process.
Permissions would apply to virtualized apps, to SaaS apps as well as to Web applications from any customer device, at anytime and from anywhere.
To enable such simplified application access management we have now available a user centric hosted management platform that centralize IT control across the entire network. A cloud-based Access Authorization Service (AAS) will, for an annual fee per seat (estimated in the $20-$30 range), deliver a range of choices for managing the complexity of policy choices. AAS then provides the sign-on and security interfaces that will engage with a wide range of hardware and software platforms.
The AAS hosted service will enable DoD to centrally manage the provisioning, access and usage of applications. It will extend users’ enterprise identities to the public cloud, simplifying the security of application access. Users—even those with multiple devices— will each have a single login and simplified, self-service access to the organization’s application store. AAS can be deployed immediately without costly hardware or complex, time-consuming integration efforts because it operates as a browser commercial accessible service. IT managers can now effectively address security risks
1. Simplify access to private or public clouds as well as to Windows applications. 2. Materially reduce the number of credentials that have to be provided. 3. Scale down the administrative costs that are maintained by security personnel. 4. Increases enterprise security by relying on generally accepted standards for gaining access to all applications. 5. Streamline the login process while reducing the workspace needed for starting up applications. 6. Simplify user-activity reports while making it easier to monitor application usage. 7.Keep track of software licensing.
For AAS to be applied universally throughout DoD will require standardization of the ways authentication and authorization instructions are exchanged between security domains. The current approach is often application specific. Contractors custom-make such exchanges proprietary. The migration towards AAS should be using the approved Security Assertion Markup Language (SAML).
It is a version of the OASIS approved standard for exchanging authentication and authorization data between security domains. It is an XML-based protocol that uses security tokens containing assertions to pass information about a principal (usually an end user) between an identity provider and a web service. It enables web-based authentication, including single sign-on (SSO). An AAS that is fully compliant with SAML should be a mandatory service.