Making corporate applications available via the Web is the order of the day for many IT shops, which are also clamouring to provide better integrated solutions to employees, customers, partners and suppliers. But whenever you open up the corporate network to partnerships, extranets and outside connections, security and control become pressing issues.
Identifying users and controlling their access to applications and services is a key aspect of any distributed architecture. If you don’t know who is accessing your network, anyone could log on and place a US$20 million order. Yet identity management and access control are typically very complex, convoluted processes. At the most basic level, a business could create virtual servers for each group of users needing to access the system, just by using basic authentication software. But when multiple sites are involved, that approach can quickly become a nightmare to manage.
In steps NetPoint, a new identity management and access control solution from Oblix Inc., which allows you to control how users identify themselves and to determine which services they can access after the authentication process is completed.
NetPoint allows you to use the Internet as your corporate network: The solution does not differentiate between requests from company employees and requests made by random Web surfers. That kind of ingenuity impressed us enough to award NetPoint a Deploy rating in our tests.
NetPoint has two major components: the Identity System and the Access System. The Identity System allows administrators to create, delete, and manage user information. Software known as the Identity Server processes all user-related requests (including credential management); WebPass, a Web server plug-in, manages the information exchange between the Web server and the Identity Server.
The Access System, the second major part, allows administrators to define and enforce policy-based authorization and single sign-on rights. The Access System is configured to prevent everyone but a few select users from making changes. For example, an employee at a key supplier could be given rights to browse inventory data, but not to update it.
The Access System consists of three components: the Access Server, WebGate gateway, and AccessXML Server. The Access Server, the heart of the product, processes policy evaluations for access requests. WebGate, an intermediary, takes the requests from the Web server and passes them on to the Access Server for authorization. Finally, the AccessXML Server translates the XML requests from the Web server into Access Server API equivalents.
NetPoint’s access management system is attribute-based, which means enterprises can wield very granular policy control. Most access-control solutions base their management features on groups or individual users. But with NetPoint, access control can be based on user attributes in the directory.
For example, the rights to submit online expense reports in a company’s Denver office can be limited to those employees with Denver defined as their office location. Or, access to sensitive data shared with only one strategic partner can be restricted to users defined as employed by that partner.
In fact, NetPoint’s flexibility is one of its greater strengths. Practically every aspect of the solution – which uses standard XML and SOAP (Simple Object Access Protocol) over HTTP – can be tailored to fit an organization’s needs.
NetPoint also boasts valuable features to help ease administration and management. For example, the package supports workflows that map current business processes to the system, rather than the other way around. That allows enterprises to define specific steps for a given process. For example, if a user must increase his or her purchasing privilege from US$10,000 to US$100,000, that request is made by the individual, approved by his or her manager, and approved by the vice-president – all through NetPoint.
We installed NetPoint 5.2 on a Windows 2000 server running IIS 5.0 and iPlanet Directory Services 5.1, and imported data provided by Oblix to populate our directory. The installation was simple and easy to follow, particularly if you have properly defined the directory structure before starting. Within two hours, we had finished installing all the components and were off, creating new users and defining new security policies through the Web-based administration console.
The console can be customized to resemble any Web site design using standard XML, which means that end-users don’t even need to know that NetPoint is running behind the scenes.
Oblix is also working to support SAML (Security Assertions Markup Language). SAML support would let users authenticated with NetPoint move to other applications using different access management systems while maintaining their authentication and providing true single sign-on functionality.
The one snag we experienced – a known issue with Oblix – were bad Web-page displays when we tested the solution on Internet Explorer 6.0. But when we set our IE6 security zones to Low or reverted to IE 5.5, the problem vanished.
NetPoint provides a highly flexible, granular solution to identity management and access control that’s suitable to any organization. It allows IT staff to easily control access to Web applications today and will ease migration to a Web services infrastructure tomorrow.
THE BOTTOM LINE: DEPLOY
Oblix NetPoint 5.2
Business Case: This flexible, granular identity and access management framework is perfect for controlling Web applications and migrating to Web services. Most aspects of the solution can be customized.
Technology Case: Support for XML, SAML (Security Assertions Markup Language), and other developing standards is key to NetPoint’s flexibility and interoperability. Support for a wide range of Web and directory servers means the solution fits into almost any environment.
Pros:
+ Attribute-based policy control
+ Granular workflow control
+ Highly flexible
Cons:
– Display problems with Internet Explorer 6.0
Cost: US$15 per user
Platform(s): Solaris, Windows NT/2000
Company: Oblix, http://www.oblix.com