enCommerce Inc.: getAccess

by Paul Grosse - January 1999

Introduction

Increasingly, companies are finding that the Internet is useful for more than simply providing a glossy, interactive catalogue of products and services; instead, it provides a channel through which sales, services and support operations may take place, with the real world acting only for the delivery of physical purchases. However, once online functionality requires previously internal-only business information systems and applications to be used externally, and new applications to be created and deployed, the administration of the system as a whole quickly gets out of hand.

Ordinarily, each application has its own user access control list which, as the user population grows and becomes more complicated, makes security administration complicated and difficult, in addition to making users dissatisfied with having to sign on to each application. Administrators find that they are having to repeat similar processes so that users may use different applications and, as a result, quickly find their departments unable to cope with the workload. enCommerce's getAccess allows this to be performed with a minimum of effort by integrating the functionality of the applications as well as implementing a hierarchical roles-based model for the organisation on-line.

In addition to the Internet, getAccess also allows the deployment of secure applications on intranets and extranets for running an organisation's internal operations and conducting electronic commerce with customers, partners and suppliers.

Products

By using a browser-only client that presents a consistent, corporate log-in screen which leads to a personalised navigation menu, enCommerce's getAccess provides users with the simplicity and functionality that they need whilst still maintaining security over the network. Administrators are given a system that is easy to keep up to date and that offers real-time monitoring, allowing the administrator to terminate sessions that are presenting suspicious behaviour. In addition, the system's flexibility means that it is able to interface with existing databases and cope with increased workloads without any serious impact upon performance, allowing the incorporation of new features into the profiles of many individual users with just a few mouse clicks.

getAccess

getAccess consists of four main software modules: Registry Server - the central component of getAccess, which includes an intelligent object-oriented data model to represent the organisation's structure; Access Server - which, using the registry data, authenticates users and displays the appropriate personalised navigation menu for each authorised user; Administration Application - a web-based application that manages the registry, allowing administrators to set up the organisation's business rules, manage users and resources and configure the system; and, Integration Tools - tools for batch loading information, APIs, HTML templates, and a Self-Registration module that allows new users to generate their own accounts provided that they satisfy certain validation criteria.

The Registry Server, located securely behind a firewall, provides the system with all of the confirmation of authentication and authorisation details relevant to any particular user. The database itself - the Registry Repository - can be stored as either an Oracle Server Database or a Microsoft SQL Server Database. The Registry Server - a multithreaded Java-based application - communicates with the Registry Repository using Secure Sockets Layer (SSL), maintaining a persistent connection so that optimum performance is ensured.

Dependent upon the architecture of the system, the Access Server is located either on the same side of the firewall as the Registry Server or, should there be some valid reason for it, on the outside. The Access Server acts as the interface between the user and the Registry Server, allowing only those details that are relevant to the user to go through the firewall, displaying the appropriate personalised navigation menu for each authorised user.

Both Access Servers and Registry Servers may be replicated across the system so that load balancing can be implemented when it becomes necessary to increase system availability. The system can handle around 25 sign-ons per minute per CPU with, theoretically, an unlimited number of users signed on concurrently.

A given session starts off with the user supplying a name and password from either an internally or externally located browser. The Access Server then contacts the Authentication and Authorisation Service which, in turn, calls the appropriate Pluggable Authentication and Authorisation Module (PAAM) to authenticate the user. If the authentication is successful, the Authentication and Authorisation Service looks at user and resource profiles (from the Registry Repository and information returned by the PAAM) and creates a list of resources that the user is authorised to use. Next, the Authentication and Authorisation Service requests a Session ID from the Session Management Service and returns to the Access Server a token containing the user's Session ID, roles and resources. The Access Server then encrypts the token, creates a navigation menu and returns the menu and token to the user's browser. By default the token remains in RAM, and then only for a limited amount of time as defined by the administrator. When the user chooses a resource from the menu, the browser sends the encrypted token to the specified server, upon which the getAccess runtime module confirms access rights and returns the appropriate user-specific information - the runtime module providing security for the web server on which it is running.

The system is configured and maintained by a Web-based Administration Application - security policies, user and resource management and so on. In addition to this, administrator tasks may be divided into different levels and jobs delegated to help desk personnel, branch offices, business units and so on. As the Administration Application is web-based, servers may be configured remotely, the system may be monitored in real time so that user sessions that exhibit suspicious behaviour or have become dormant may be terminated, and general troubleshooting may be performed. In addition, the extensive logs of user, administrator and system activity allow security audits and, with strong authentication, obviate repudiation.

One significant advantage of getAccess is the roles-based authorisation, which groups like users together whilst maintaining the required granularity to make fine adjustments to individual users' rights where appropriate. The functionality of a particular role may be defined, and that role may itself be incorporated into another role, thus creating an hierarchical roles-based system of authorisation that permits the administrator to make single modifications to a simple role that can affect the functionality of thousands of users in one go. Any new facility that is added to the system may simply be added to a particular user profile or role and the next time a user who uses that profile logs on, they will automatically have the new facility incorporated in their authorisation list. Looking at it from the other side, a new user, or one that has just been promoted, can have their user authorisation profile, no matter how complicated, updated in just a few steps.
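The sign-on flow and the nested roles described above can be sketched as follows; this is an added illustration, not enCommerce's code or getAccess's actual token format. The role names, resource paths, key and token layout are all constructed assumptions, and where the text says the token is encrypted, this sketch only authenticates it with HMAC-SHA256 because the Python standard library has no cipher.

```python
import base64, hashlib, hmac, json, time

# Constructed sample registry: each role has its own resources and the roles it contains.
ROLES = {
    "employee":  {"resources": {"/intranet/news"}, "includes": []},
    "sales":     {"resources": {"/crm/leads"}, "includes": ["employee"]},
    "sales-mgr": {"resources": {"/crm/forecast"}, "includes": ["sales"]},
}
USERS = {"alice": ["sales-mgr"], "bob": ["employee"]}
KEY = b"constructed-demo-key"  # assumption: secret shared by Access Server and runtime modules

def resources_for(role_names):
    """Expand nested roles into a flat resource set; the seen-set tolerates cyclic includes."""
    seen, out, stack = set(), set(), list(role_names)
    while stack:
        name = stack.pop()
        if name in seen or name not in ROLES:
            continue
        seen.add(name)
        out |= ROLES[name]["resources"]
        stack.extend(ROLES[name]["includes"])
    return out

def issue_token(user, session_id, ttl, now=None):
    """Sign-on: roles are resolved here, so a registry change applies at the next sign-on."""
    now = time.time() if now is None else now
    body = json.dumps({"sid": session_id, "roles": USERS[user],
                       "res": sorted(resources_for(USERS[user])),
                       "exp": now + ttl}).encode()
    # Integrity tag only (HMAC-SHA256); the body is not encrypted in this sketch.
    tag = hmac.new(KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag + body).decode()

def runtime_check(token, resource, now=None):
    """Runtime module: reject forged tokens, expired tokens and unlisted resources."""
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:
        return False
    tag, body = raw[:32], raw[32:]
    if not hmac.compare_digest(tag, hmac.new(KEY, body, hashlib.sha256).digest()):
        return False
    claims = json.loads(body)
    return now < claims["exp"] and resource in claims["res"]
```

Because the resource list is fixed inside the token at sign-on, a role change in the registry only reaches a user at the next sign-on, and the administrator-defined lifetime bounds how long a stale or stolen token stays usable.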

Using open APIs, developers may customise the system using a number of integration tools that allow them to: Present the corporation's identity by customising the sign-on page, navigation menus and so on; Use self-service account creation taking advantage of an already existing, custom, self-registration module that allows users to register should they conform to a set of specifications defined by the administrator; Authenticate and authorise users using alternative mechanisms; Authenticate and authorise users using information from an external repository by using customised PAAM objects; and, Batch load and synchronise user profiles and digital certificates from external repositories or certificate servers.

Platforms

OS Platforms for getAccess Servers:

OS Platform for getAccess Runtime Modules (on protected Web Servers):

Web Servers:

Database Systems (DBMS):

Web Application Development Environments:

Web Browsers for Clients:

Web Browsers for Administrators:

Authentication Mechanisms:

Pricing

Pricing is based upon the number of users to be authenticated in the system with Corporation-wide licenses available for large institutions.

Prices start at $50 per user.

Opinion

Half of the problem with any system, whether it is with an external user population that purchases products occasionally, international corporations that place large orders or an internal user population that uses the intranet as a company-wide information resource, is that the users, no matter who they are, have to be comfortable using it. Making them log on again and again, presenting them with a different procedure every time they want to use a different resource is not an ideal way of going forward and such systems fall into disuse except by those who have no alternative but to use them. getAccess allows companies to get around this problem by providing a customisable interface and log-on so that the users are presented with a standard company defined image and only have to go through the procedure once per session. With a controlled environment such as a company intranet, where there are other security measures such as personal access control at the entrance to the site and so on, this single sign-on can be effective at increasing the productivity of the users. With a more open environment such as on a public network, strong authentication and public key cryptography in the form of X.509 certificates need to manifest themselves as they do with this product.

Another headache for the administrator is that of making sure that users have access only to those parts of the system to which they have authorisation. With only a few users on a system, there are only a few problems but when the user population numbers tens or hundreds of thousands, a system that did not use some method of role based rules would never get started. Using hierarchical groupings, putting one role within another, dramatically reduces the amount of work involved in maintaining access rights to a system - new or newly promoted users can simply be 'plugged in' and new resources can be added without having to edit everyone's profile. The fact that getAccess looks up the privileges of a user in terms of their role (rather than using an exclusive, user specific list) each time he logs on means that the user automatically has an up to date profile, containing all of the applications that he is authorised to access.

One concern is having the Access Server on the outside of the firewall whilst it communicates with the Registry Server via what is effectively a secure link. This communication must go through the firewall but the weak link is the Access Server, which is in an ideal place to be compromised. If it is compromised, the hacker has what is effectively - as far as the registry at least is concerned - a golden key through the firewall and, just to make it worse, a secure one. If a systems administrator is thinking about having the Access Server on the outside of the firewall, he must consider the fact that most breaches of security are a result of the system concerned not being configured properly and therefore he must take great care in making certain that the Access Server and all of the components that protect it and use it are configured properly as well - making the system of no use to the hacker by encrypting the things that matter will not stop them from destroying it.

Another concern is the use of Java and JavaScript both at the Registry Server and in the Administration Application. enCommerce states a benefit as 'Fault Tolerance: getAccess ensures that mission critical applications are always protected and available to an authorised user.' whereas Java Technology is not fault tolerant. In addition to the problems relating to JavaScript viruses, other hostile scripting code is available on the Internet and browsers that have these scripting languages enabled so as to make getAccess work better (or at all in the case of the Administration Application) may then be pointed towards untrusted sites on the Internet.

In addition to this, the program that creates the corporate log-in and the menus can, at the discretion of the applications developers, contain frames. Frames can be programmed to produce bogus log-in forms and so on, sending information about user IDs and passwords back to another site, without the user suspecting anything is wrong - the URL in the address window is normal and the browser's GUI makes everything look official. This type of attack can bypass communications that are made via SSL as the attack frame is stored in the user's cache. Although this type of attack is not in any way specific to getAccess, the use of frames based attacks can seriously undermine the security of a site, especially when dealing with users who are not on-site as they can pick up such a frame on a browsing expedition at another time. The safest policy is to have a site that does not use any ActiveX, Java scripting or frames regardless of how clever they may seem at the time.

Strengths

Weaknesses

Conclusions

In order to present a uniform, functional, secure interface that applies both to corporate intranets and extranets as well as e-commerce, a fully scaleable application that requires only a minimum of programming to adapt it and update it is required - this is enCommerce's getAccess.

enCommerce's customer base and strategic partners show that already, the company has made a significant mark in the industry - providing a fairly comprehensive solution to large scale, secure, networking problems of this nature.

As long as the security risks - some of them generic - are assessed and steps are taken to eliminate them or minimise their potential impact, this product looks as though it is going to be a success and is certainly worthy of serious consideration.

Company Profile

Founded in 1997 from a custom software business, enCommerce has expanded quickly - in addition to its headquarters in Santa Clara California, it has offices in New York, London and Tokyo. The company's mission statement is to be the leading provider of open web-based secure-access solutions that protect legacy IT investments and ensure the highest and most flexible levels of security.

enCommerce's strategic partners include: Core; EDS; HaHT Software, Inc.; Hewlett-Packard; IBM; JapanNet; Microsoft; Mitsubishi Corporation; NetDynamics; Netscape; Oracle; Osaka Gas Information Systems; PenCom; RSA Data Security; Secure Computing; Security Dynamics; Sun; Sybase; Verisign; Vignette; and, WebLogic.

enCommerce's product is getAccess which aims to enable a company to carry out business over the web whilst keeping information secure - incorporating single sign-on, unified administration, interoperability, strong security and scaleability - with target markets including 'organisations that need to provide customers, resellers, suppliers and employees with selective access to information from legacy or new web applications'.

The company's customers include: AT&T; Administaff; Brigham Young University; Chubb Corporation; EDS; Hexcel; Itoh Chu; JapanNet; Kawasaki Heavy Industries; Marubeni; Mitsubishi Corporation; Mycal; NationsBank Global Finance Group; NationsBanc Montgomery Securities; NNT; OkiElectric; Oracle Corporation; Osaka Gas; The Prudential Insurance Company of America; Standard Insurance; UPS; Quantum; Yazaki; and, 3Com.

enCommerce has recently received financial support from, amongst others, IBM and Novell which, when put into context with the exponential growth of the Internet and the acceptance of e-commerce as an additional business channel, makes the company's future look fairly secure.

In the US:
enCommerce Inc.
1290 Oakmead Parkway
Suite 301
Sunnyvale
California 94086
USA
Tel: +1 408 733 7800
Toll free 800 318 6010
Fax: +1 408 733 7867
Email:
sales@encommerce.com
WWW:
http://www.encommerce.com/

In the UK:
enCommerce Europe
Atrium Court
Apex Plaza
Reading
Berkshire RG 1 1AX
United Kingdom
Tel: +44 (0)7050 329521
Fax: +44 (0)118 956 038
Email:
richard@encommerce.com
WWW:
http://www.encommerce.com/

Copyright (c) 1999 P. A. Grosse. All Rights Reserved.

