Identity management appliances reduce password cost

SECURITY SPOTLIGHT

Why deploy an Identity management appliance?
A well-implemented identity management solution can eliminate much of this overhead while strengthening network security and improving productivity. Identity management consolidates directory services and data stores that hold user identities, credentials, and policies. Identity management automates workflows associated with identity lifecycle, from account provisioning to update to revocation. Identity management helps companies regain control over independently-managed systems and applications that define their own user accounts and generate their own access logs. In many cases, identity management can also simplify life for end users.

Various devices have been called identity appliances. Appliances like Infoblox IDeal IP consolidate disparate DNS, DHCP, and IP management services into a single box. Appliances like the RSA SecurID Appliance, Bayshore Neworks SingleKey Appliance, and SecureComputing Safeword SecureWire interface with many access devices to authenticate, authorize, and audit usage. Appliances like the Cisco Clean Access Appliance and the Juniper Infranet Controller 4000 enforce network access policies.

Nework addressing, authentication, and access control all depend upon identity, but "identity management appliances" are devices that unify identity management across diverse access devices, authentication methods, directory services, and internal systems/applications. An identity management appliance helps you glue together what you already have by automating time-consuming or error-prone tasks and streamlining identity-related workflows.

Deploying an Identity management appliance
Identity management appliances are deployed inside your network, in a location where they can communicate securely with existing infrastructure.

To access devices, the identity management appliance appears as an authentication server, speaking standard protocols like RADIUS, 802.1X, and EAP. The identity management appliance may have an on-board authentication server, but generally appears to existing authentication servers as an authentication proxy.

To create a meta-directory or virtual directory, the identity management appliance imports or synchronizes user accounts and attributes from directory services like LDAP, Active Directory, Sun iPlanet, Solaris NIS, and RSA ACE.

To support lifecycle tasks, the identity management appliance interfaces with administrators and end users. Administrative GUIs and CLIs enable provisioning and maintenance, providing a consolidated view of each account and synchronizing adds, removes, and changes across directories. A self-help GUI may provide users the ability reset their own passwords.

An appliance that implements single sign-on must go further, playing middle-man between users and applications. This may involve deploying an agent on user devices to discover and manage credentials, based on profiles that characterize each application's login process.

Shopping for an Identity management appliance?
Features to look for include the following:

• Authentication services: Can the appliance support methods and servers used by your company, including strong authentication?
• Directory services: Can the appliance consolidate user accounts obtained from your existing directories?
• Account provisioning: Does the appliance enable centralized account creation and maintenance, including ability to quickly revoke access?
• Password self-help: Is there an interface for users to reset their own passwords, without help desk intervention?
• Logging and reporting: Can you track an individual user's activity, or enumerate access to a specified resource?
• Single or reduced sign-on: Can the appliance reduce the number of passwords that each user must remember?

Choosing the right Identity management appliance
A challenge for any appliance is dovetailing with all the moving parts in your network. Look carefully at the authentication methods and directories required by your security policy. For example, 802.1X does not ensure interoperability; make sure the appliance supports the EAP types you plan to use (e.g., EAP-TLS, PEAP, EAP-SIM).

A primary identity management goal is to simplify workflow and cut cost. Consider speed of deployment and installation aids, like ability to use selected features without inter-dependencies, or to use single sign-on without application impact or script development.

Identity management not only consolidates provisioning and authentication, it creates a unified platform for compliance reporting, troubleshooting, and incident investigation. Use this to justify and leverage your identity management investment.

Finding an Identity management appliance Historically, identity management solutions have involved expensive software suites designed for large enterprises with lengthy deployment cycles. Small-to-medium businesses were unable to afford that cost or complexity. But recently, turn-key identity management appliances have appeared, priced and packaged for rapid deployment:

• Imprivata OneSign ESSO
• Identity Engines Ignition
• A10 Networks IDSentrie

As security appliances go, identity management is a new field, and features offered by these three appliances differ quite a bit. For example, Imprivata is the only appliance on this list to offer single sign-on; A10 is the only appliance to offer identity-based firewall logs. But all share a common goal: improving security and productivity while cutting identity management cost.

About the author:
Lisa Phifer owns Core Competence Inc., a consulting firm specializing in network security and management technology. Lisa has been involved in the design, implementation and evaluation of data communications, internetworking, security and network management products for over 20 years. At Core Competence, she has advised large and small companies regarding security needs, product assessment and the use of emerging technologies and best practices. Lisa teaches about wireless LANs, mobile security and virtual private networking at many industry conferences and on-line webinars. Lisa's WLAN Advisor column is published by SearchNetworking.com, where she is a site expert on wireless LANs. She also has written extensively about network infrastructure and security technologies for numerous publications including Wi-Fi Planet, ISP-Planet, Business Communications Review, Information Security and SearchSecurity.com.

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Network Security Best Practices and Products Enterprises demand next-generation firewalls with IPS, app visibility Preventing hacker attacks with network behavior analysis IPS Is there a way to trace my stolen laptop computer? Integrating NAC with network security tools Should organizations separate technical from administrative security? What network equipment is needed to secure a small business LAN? Ethical hacking and countermeasures: Network penetration testing intro Are you on a domain name system (DNS) blacklist database? Rogue access points: Preventing, detecting and handling best practices Network security threats solved by risk management: John Pironti explains

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary anti-replay protocol  (SearchNetworking.com) dynamic packet filter  (SearchNetworking.com) HELLO packet  (SearchNetworking.com) packet filtering  (SearchNetworking.com) rule base  (SearchNetworking.com) stateful inspection  (SearchNetworking.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary