Extending Identity

Extending Identity & Access Management Mike Barry Enterprise Relationship Manager Bill Tompkins Sales Engineer

Transcript of Extending Identity

Page 1: Extending Identity

Extending Identity & Access Management

Mike Barry, Enterprise Relationship Manager

Bill Tompkins, Sales Engineer

Page 2: Extending Identity

Agenda

Part I – Overview of NYS Identity & Access Management
• Benefits Across Organizations
• Benefits Within an Organization

Part II – Citrix Advanced Access Control
• Extends and Secures NYS Access Infrastructure

Part III – Citrix Password Manager
• Facilitates single sign-on, thus limiting complexity

Page 3: Extending Identity

Benefits Across Organizations

• Facilitate cross agency collaboration and data sharing by “eliminating the need for complex, cumbersome bi-lateral data sharing agreements”

• Improve productivity by “increasing access to external information resources”

Page 4: Extending Identity

Benefits Within an Organization

• “Simplify process for establishing users, granting and revoking access to electronic resources” – as the agency's requirements expand

• “Reduce the number of separate user IDs and passwords for users, thereby enhancing security” – by leveraging password management / SSO utilities

• “Enable the organization to securely access external resources owned by another member of the federation” – to facilitate user access from outside the enterprise

Page 5: Extending Identity

Citrix Delivers Access Security

• Perimeter Security: Establishes a barrier to keep malicious attacks from affecting the productivity of the organization

• Access Security: Provides regulated access only to the business resources users need to perform their duties

Page 6: Extending Identity

Secure Access Challenges

• Anywhere access to business applications and data

• Expanding access to more users and device types cost-effectively

• Prevent downtime and business loss from security breaches

• Meet or exceed security, privacy and regulatory concerns

[Diagram: device types shown are Mobile PDA, Kiosks, Partner Machine, Corporate Laptop and Home Computer.]

Page 7: Extending Identity

The Customer Problems

[Diagram: devices on the Internet (Mobile PDA, Home Computer, Partners, Corporate Laptop) pass through a firewall to the Access Gateway, then through a second firewall to Advanced Access Control and the internal resources: File Servers, Web or App Servers, CPS Applications, Local Users, Email Servers, Desktops & Phones. Callouts on the solution side read: Endpoint security, identification, and integrity validation; Centralized access control to all IT resources; Hardened Appliance; Control over how information and applications can be used.]

• Cannot access from behind firewalls

• Access from widely varying devices

• Consistent user experience (bandwidth, latency, device idiosyncrasies)

• Minimize re-authentication on re-connect

• Need access to all internal IT resources

Page 8: Extending Identity

Product Components

Access Gateway + Advanced Access Control

Access Gateway
• Hardened appliance in DMZ
• Enables end-to-end secure communication via SSL
• Authentication point
• Enforces policies generated by Advanced Access Control

Advanced Access Control
• Deployed in a secured network
• Deployed on Windows Server platform
• Centralizes administration, management & policy-based access control
• Centralized reporting and auditing
• Manages endpoint analysis and client delivery
• Extends access to more devices and scenarios
• Advanced policy engine with action control

Page 9: Extending Identity

Advanced Access Control 4.2 New Features

• End User Features
  – Enhanced authentication support
    • Appliance integration allows several authenticators to be used
    • Active Directory, LDAP (such as Novell eDirectory), RADIUS, RSA SecurID, Secure Computing SafeWord
  – Client consolidation and improved end-user experience
    • Secure Access Client replaces ActiveX Gateway Client and Advanced Gateway Client from previous versions
    • All clients are downloaded on an as-needed basis
  – Simplified access to published applications
    • Published applications are accessible from the Navigation UI page

Page 10: Extending Identity

Advanced Access Control 4.2 New Features

• Administrative Features
  – Access Suite Console administration of appliance
    • Majority of appliance settings are configured within Access Suite Console
    • Only basic appliance settings are configured within Access Gateway Admin Console
  – Extended Citrix License Server support
    • Licenses for appliance are maintained on Citrix License Server
    • Advanced Access Control acquires a license for a user when connecting through the appliance
  – Extended Endpoint Scan Functionality
    • Standard scans control access to login page and resources
    • Continuous scans control VPN tunnel session to appliance
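The two scan types on this slide are easiest to see as a small policy engine: a standard scan runs once at logon and decides whether the login page is shown and which resources the endpoint qualifies for, while a continuous scan is re-evaluated during the session and tears down the tunnel when a check stops passing. The model below is an added illustration written for this transcript, not Citrix code, and every scan name, resource name and policy in it is constructed.

```python
"""Illustrative model of endpoint-scan-driven access policy.

Added example, not Citrix Advanced Access Control code. Scan names,
resource names and the policy set are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Endpoint-analysis results as a simple "scan name -> passed" mapping.
ScanResults = Dict[str, bool]


@dataclass(frozen=True)
class ResourcePolicy:
    name: str
    required_scans: frozenset  # every listed scan must pass to reach the resource


@dataclass
class Session:
    user: str
    tunnel_open: bool = True
    audit: List[str] = field(default_factory=list)


# Constructed policy set (hypothetical): what each resource demands of the endpoint.
LOGIN_PAGE_REQUIRES = frozenset({"client_version_ok"})
RESOURCE_POLICIES = [
    ResourcePolicy("webmail", frozenset({"antivirus_running"})),
    ResourcePolicy("file_servers",
                   frozenset({"antivirus_running", "disk_encrypted", "domain_member"})),
    ResourcePolicy("published_apps", frozenset({"antivirus_running", "domain_member"})),
]
# Continuous scan set: re-checked while the tunnel is up; any failure closes it.
CONTINUOUS_REQUIRES = frozenset({"antivirus_running", "firewall_enabled"})


def standard_scan_decision(results: ScanResults) -> Dict[str, object]:
    """Standard scan at logon: decide whether the login page is shown and which
    resources the endpoint qualifies for. A scan that did not report counts as failed."""
    def passed(required: frozenset) -> bool:
        return all(results.get(scan, False) for scan in required)

    if not passed(LOGIN_PAGE_REQUIRES):
        # Endpoint cannot even see the login page; nothing is granted.
        return {"login_page": False, "resources": set()}
    granted: Set[str] = {p.name for p in RESOURCE_POLICIES if passed(p.required_scans)}
    return {"login_page": True, "resources": granted}


def continuous_scan_check(session: Session, results: ScanResults) -> bool:
    """Continuous scan: re-evaluated periodically during the session.
    Any failed check closes the tunnel and records why in the session audit."""
    failed = sorted(scan for scan in CONTINUOUS_REQUIRES if not results.get(scan, False))
    if failed:
        session.tunnel_open = False
        session.audit.append(
            f"tunnel closed for {session.user}: failed {','.join(failed)}")
    return session.tunnel_open


# Constructed sample endpoint reports (not real scan output).
CORPORATE_LAPTOP = {"client_version_ok": True, "antivirus_running": True,
                    "disk_encrypted": True, "domain_member": True, "firewall_enabled": True}
HOME_PC = {"client_version_ok": True, "antivirus_running": True, "firewall_enabled": True}
KIOSK = {"client_version_ok": False}


if __name__ == "__main__":
    for label, report in (("laptop", CORPORATE_LAPTOP), ("home", HOME_PC), ("kiosk", KIOSK)):
        print(label, standard_scan_decision(report))
    session = Session("smithj")
    continuous_scan_check(session, CORPORATE_LAPTOP)
    # Antivirus stops mid-session: the continuous scan closes the tunnel.
    continuous_scan_check(session, dict(CORPORATE_LAPTOP, antivirus_running=False))
    print(session.tunnel_open, session.audit)
```

The point to notice is the separation of decisions: the standard scan gates what is offered at logon, whereas the continuous scan only ever revokes, so a device that degrades mid-session loses the tunnel without the policy having to re-run the logon decision.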

Page 11: Extending Identity

Advanced Access Control Architecture Overview

Page 12: Extending Identity

Access Gateway with Advanced Access Control 4.2

[Diagram: client devices on the Internet (Mobile PDA, Partner computer, Home computer, Corporate Laptop, Kiosks) reach the Citrix Access Gateway Appliance through the outer firewall; behind the inner firewall the Advanced Access Control Server Farm fronts the internal resources: File Servers, Web or App Servers, Presentation Server Applications, Local Users, E-mail Servers, IP Phones.]

Page 13: Extending Identity

Advanced Access Control 4.2 Proof of Concept Deployment

[Diagram: the Client Device sends SSL / Port 443 traffic through the outer firewall to the Access Gateway; the Access Gateway connects on SSL / Port 443 through the inner firewall to Advanced Access Control, which fronts File Servers, Web/App Servers, Presentation Server, E-mail Servers and an IP PBX.]

Page 14: Extending Identity

Advanced Access Control 4.2 Production (Fully Redundant) Deployment

[Diagram with three zones, Internet / DMZ / Protected Network. Components: Endpoint Device, NetScaler Load-Balancer, Access Gateways, Advanced Access Control Servers, Database Cluster, Enterprise Resource Servers (Exchange/Notes, File Shares, Web Servers, MPS), Optional Access Center Agent Services, Optional Indexing Services.]

Page 15: Extending Identity

Citrix Password Manager

Page 16: Extending Identity

What is Citrix Password Manager?

• Software-based enterprise single sign-on solution

• Provides a single logon to Windows, Web, and host-based applications

• Lightweight agent runs against a central database; users synchronize automatically

…and is really easy to deploy and use

Product Overview

Page 17: Extending Identity

Business Challenges


Page 18: Extending Identity


Overview of Business Challenges

• Passwords are potential security breaches

• High help desk costs for password resets

• Growing number of password-protected applications

• Complex integration required to consolidate numerous backend authentication systems

Business Challenges

Page 19: Extending Identity

Growing Number of Password-Protected Applications

• The average user has 18 accounts (Gartner*)

• Constant authentication prompts disrupt work, and multiple passwords are difficult to remember

• The average call to the help desk for a password reset takes 20 minutes (Gartner*)

*Source: Five Business Drivers of Identity and Access Management. Gartner, 31 October 2003

Page 20: Extending Identity

Top IT initiatives have one thing in common

Source: Gartner, IDC, META, Forrester, CFO Magazine, Business Week, 2004

• Regulatory Compliance
• Wireless Mobility
• Teleworking
• Mergers & Acquisitions
• IT Centralization
• Business Continuity
• Branch Office Expansion
• Partner Commerce

The common element: Access

Page 21: Extending Identity

IT Security Breaches

• Users create own insecure password management schemes: sticky notes, text files, spreadsheets

• Infrequent password changes

• De-provisioning users to disable access

Source: Management Update: The Future of Enterprise Security. Gartner, 15 September 2004

Page 22: Extending Identity

Security Audits are Top of Mind

Security Audit Observations* and whether Password Manager helps meet the requirement:

• Application passwords do not meet minimum complexity criteria: Yes

• Applications unable to lock application access after reaching maximum failed logon attempts: Yes

• Detailed audit trails of application access, logon attempts, and change password events not available on a per-application basis: Yes

• Users log in to critical applications using other users' credentials: Yes

*Abstract of an actual security audit conducted by a major auditing company. Information provided by Knowlity, Citrix Silver Solution Advisor in San Juan, Puerto Rico

Page 23: Extending Identity

High Help Desk Costs

“Each time an end-user calls the help desk, it costs the organization $25-$50.”
Forrester

“30 percent of all calls to the help desk are for password resets”
Gartner Group

“The average end-user calls the help desk four times per year for password resets”
Gartner Group

“Businesses spend $200 per year per person on password management”
Forrester

Page 24: Extending Identity

Numerous Backend Authentication Systems

• How many backend authentication systems do you have?
  – Apps: Windows, Web, host-based applications
  – Directories: Active Directory, LDAP, eDirectory, Tivoli Directory Server, etc.

• Directory consolidation projects are frequently unsuccessful
  – Data owners unwilling to relinquish control
  – Not all apps can talk to a single directory

Page 25: Extending Identity

How Do Customers Address these Challenges without Citrix?

Each solution and the compromise it carries without ESSO:

• Do nothing: Users continue to manage passwords on sticky notes, spreadsheets, text files, or notebooks, decreasing IT security.

• Strong authentication: Two or more authentication factors increase security, but users must still manually manage multiple passwords, decreasing user productivity.

• Password synchronization: Users remember a single logon, but the common password across applications can only be as strong as the weakest application's password policy allows. Hackers only need to discover a single password to access all resources directly.

• Web SSO: Works for Web applications only. Most users still need to manage passwords for Windows and host-based applications.

• Script-based Enterprise Single Sign-on (ESSO): Scripts are version-specific and require continual maintenance. Software costs are the “tip of the iceberg” with respect to implementation costs.

Internal and Partner Use Only

Page 26: Extending Identity

How Does It Work?

[Diagram: One Primary Logon (Smart Card, Biometric, Token) … Citrix Password Manager … For Access to Any Application (Windows, Web, Host).]

Page 27: Extending Identity

Intelligent Agent Response

Automatically respond to end-user password-related events

• End users can SSO-enable applications, e.g., business partner web sites

• Change password requests: generate new passwords without user intervention

• Supports Windows, Web, and host-based applications

How Does it Work?
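Slide 22 lists three controls an auditor looked for per application (password complexity, lockout after a maximum number of failed logons, and a per-application audit trail of logons and password changes), and this slide adds the agent answering change-password prompts with a generated value the user never sees. The model below is an added example written for this transcript, not Citrix Password Manager code: the policy values, the application names and the `ApplicationAccount` class are all constructed to show how the four behaviours fit together for one stored credential.

```python
"""Model of per-application complexity, lockout and audit-trail controls, plus
agent-generated password change. Added example, not Citrix Password Manager code.
Policy values and application names are constructed for illustration.
"""
import secrets
import string
from dataclasses import dataclass, field
from typing import List


@dataclass(frozen=True)
class ComplexityPolicy:
    min_length: int = 12
    classes_required: int = 3   # out of: lower, upper, digit, symbol
    max_failed_logons: int = 3  # lock the application account at this count


# Character classes counted toward complexity.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)


def meets_complexity(password: str, policy: ComplexityPolicy) -> bool:
    """True when the password is long enough and mixes enough character classes."""
    if len(password) < policy.min_length:
        return False
    present = sum(any(ch in cls for ch in password) for cls in CLASSES)
    return present >= policy.classes_required


def generate_password(policy: ComplexityPolicy) -> str:
    """Agent-side generation with a CSPRNG; the user never chooses or sees the value.
    Retries until the candidate satisfies the policy (a handful of tries at most)."""
    alphabet = "".join(CLASSES)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(policy.min_length + 4))
        if meets_complexity(candidate, policy):
            return candidate


@dataclass
class ApplicationAccount:
    """One application's stored credential, with its own lockout and audit state,
    so that each control is enforced per application even when the application itself
    cannot enforce it."""
    app: str
    user: str
    password: str
    policy: ComplexityPolicy
    failed_logons: int = 0
    locked: bool = False
    audit: List[str] = field(default_factory=list)

    def _log(self, event: str) -> None:
        # Per-application audit trail: every logon attempt and password change.
        self.audit.append(f"{self.app} user={self.user} {event}")

    def logon(self, supplied: str) -> bool:
        if self.locked:
            self._log("logon rejected: account locked")
            return False
        # Constant-time comparison; both values are ASCII here.
        if secrets.compare_digest(supplied, self.password):
            self.failed_logons = 0
            self._log("logon success")
            return True
        self.failed_logons += 1
        self._log(f"logon failure #{self.failed_logons}")
        if self.failed_logons >= self.policy.max_failed_logons:
            self.locked = True
            self._log("account locked after max failed logons")
        return False

    def agent_change_password(self) -> str:
        """Answer a change-password prompt by rotating to a generated value."""
        self.password = generate_password(self.policy)
        self._log("password changed by agent")
        return self.password


if __name__ == "__main__":
    policy = ComplexityPolicy()
    acct = ApplicationAccount("hr-portal", "smithj", "Tr0ub4dor&3xyz", policy)
    for attempt in ("guess1", "guess2", "guess3", "Tr0ub4dor&3xyz"):
        print(attempt, acct.logon(attempt))
    print("\n".join(acct.audit))
    print(acct.agent_change_password())
```

The lockout counter and the audit list live with the credential rather than with the application, which is exactly why the slide could answer "Yes" for applications that cannot lock themselves or log their own attempts: the agent sits in front of every logon and can enforce and record what the application does not.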

Page 28: Extending Identity

[Screenshot: application logon dialogs showing the user name smithj and masked password fields.]

Page 29: Extending Identity


Page 30: Extending Identity

Wrap Up

Questions?

Page 31: Extending Identity
