Cloud-Based Single Sign-On Identity Federation Gateways Streamline Security, Access for BAE Systems to Trading Partner Apps


Authenticate Internally Once, Access Many Outside Apps

(Why read this? Because identity federation--or extending an identity outside an enterprise so it can access the enterprise's various partners logically and/or physically--is growing among vertical industries and via cloud computing. Ensuring that identity is really who it is thought to be is critical, which brings up strong authentication, which is an area in which business users, IT and physical security specialists should collaborate on solutions.)


Identity and password proliferation are painful for most users and enterprises, with password reset requests remaining big, frustrating business for help desks.  Extend those problems beyond the enterprise domain out to trading partner systems and you have a situation ripe for disgruntled users, as BAE Systems can attest.

Employees of the big aerospace & defense firm were using applications from Herndon, Va.-based Exostar to share data with trading partners. However, it wasn't going as smoothly as it might. "The user experience was atrocious," said Malcolm Carrie, head of strategy and architecture in the corporate IT office at BAE Systems.  

He said users disliked logging into the BAE Systems network using company credentials, then having to use completely different user ID and password formats to log in separately to Exostar's cloud-based Managed Access Gateway identity federation tool and/or external trading partner systems. Further, their unhappiness with the password situation was scaring off other internal prospective system users, said Carrie.

To solve the issue, BAE Systems recently deployed the Enterprise Access Gateway, a feature that's part of Exostar's Managed Access Gateway.

"Without the Enterprise Access Gateway, every access to every separate trading partner application was a separate authentication," said Carrie.  Each authentication was determined by the trading partners' requirements, so there was no uniformity.

Just as many enterprises deploy internal single sign-on solutions to insulate their users from multiple passwords for different applications, Carrie said the Enterprise Access Gateway is addressing that problem writ large because of the numbers of applications, systems and trading partners involved.

Major Hub in a Big Wheel

"What really excited us about the Enterprise Access Gateway is it gives us the ability to get access to more trading partner applications. That hub concept is tremendously powerful," said Carrie.

He is expecting the "big benefits" of the Enterprise Access Gateway to come when his company starts reaching other partners in its supply chain through the gateway.

"With the hub and spoke architecture, half of the work is done already when new applications come on because the connection between BAE Systems and the Enterprise Access Gateway is done and will not change," Carrie said. "There's a benefit to the A&D community with this model."

The alternative, he said, would be for BAE Systems to develop unique connections to each of its suppliers, and then to specific applications within each supplier, and take on all the ensuing design, testing and implementation work.


Easy for Users

About 2,000 BAE Systems employees are now using the Enterprise Access Gateway to reach two Exostar applications for the aerospace & defense world: ForumPass, a collaborative tool based on Microsoft's SharePoint, and Supply Chain Platform. In addition, the company is piloting use of the Enterprise Access Gateway to connect with Lockheed Martin.

"I can log into the BAE Systems network the way I normally do, and through Enterprise Access Gateway, I get literally single sign-on authentication to my Exostar ForumPass application and to a Lockheed Martin application," said Carrie.

To BAE Systems employees, once they've authenticated to the internal network, using the gateway to access external applications is as easy as clicking on a web page bookmark. That simplicity for the user is managed by a network of connections in the background.

When employees log in, Microsoft's Active Directory Federation Services software generates a WS-Federation identity token that is passed to the Enterprise Access Gateway. As necessary, the Enterprise Access Gateway translates those tokens for trading partners that use different federation standards, such as the various SAML versions. The Enterprise Access Gateway essentially vouches for the identity to the Exostar Managed Access Gateway, the hub to which other aerospace & defense companies have federated their applications. They trust the Managed Access Gateway, which in turn vouches for the trustworthiness of connections coming via the Enterprise Access Gateway.
 
"You connect once to the hub, and we will ensure you can make the transition from your internal domain to your partner's domain and domain applications," said Vijay Takanti, vice president, security and collaboration solutions for Exostar. "The  Managed Access Gateway is not seen by the BAE Systems employee but is involved in the decision making of whether you can access the application."
 
For example, the Managed Access Gateway can hold a rule that trading partner X will only authorize access for identities that have been authenticated via digital certificates. That capability means an enterprise can adopt different requirements for different applications.

"You can build multiple scenarios," said Takanti, such as requiring only user name and password authentication for logging into Salesforce.com, but requiring multiple levels of authentication to have occurred for someone trying to access more sensitive documents. "Yet from the user experience perspective, it is all single sign-on," he said.
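The flow described in the last few paragraphs (an identity token from the corporate identity provider, verified and re-issued at the hub, with a per-application rule about how strongly the identity must have been authenticated) is simple enough to sketch in code. What follows is an added example written for this article; it is not Exostar's or BAE Systems' code. It stands in for the real thing with JSON tokens signed with HMAC-SHA256 under a shared key per trust relationship, whereas WS-Federation and SAML assertions are XML signed with the issuer's certificate; the hostnames, keys and policy table are constructed for the example. The hub's jobs are the same either way: check signature, issuer, audience and validity window on the inbound token; compare the authentication context against the target application's minimum; and mint a fresh token in the hub's own name carrying only the attributes that partner has agreed to receive. It asserts identity and how it was established, not permissions: the partner application still decides what the user may do.

```python
"""
Sketch of a federation hub in the shape the article describes: the corporate
identity provider (an ADFS stand-in) asserts who the user is, the hub verifies
that assertion, applies the target partner's authentication-strength rule, and
re-issues an assertion of its own for the partner application.

ASSUMPTIONS (added example, not Exostar's or BAE Systems' code): tokens are JSON
payloads signed with HMAC-SHA256 under a shared key per trust relationship.
Real WS-Federation / SAML assertions are XML signed with the issuer's
certificate; the checks performed here are the same in spirit.
"""
import base64
import hashlib
import hmac
import time

# Hypothetical hostnames and keys, one key per (issuer, audience) relationship.
KEYS = {
    ("adfs.corp.example", "hub.example"): b"corp-idp-to-hub-key",
    ("hub.example", "forumpass.partner.example"): b"hub-to-forumpass-key",
    ("hub.example", "app.lm.example"): b"hub-to-lm-key",
}

# Authentication-context ranking used by the partner rules (larger = stronger).
AUTHN_RANK = {"password": 1, "otp": 2, "certificate": 3}

# Per-application rules held at the hub (constructed): minimum authentication
# strength and the attributes the partner has agreed to receive. Deliberately
# no roles or permissions: authorization stays with the partner application.
PARTNER_POLICY = {
    "forumpass.partner.example": {"min_authn": "password", "attrs": ["email", "company"]},
    "app.lm.example": {"min_authn": "certificate", "attrs": ["email", "company", "employee_id"]},
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue(claims: dict, issuer: str, audience: str, ttl: int = 300, now=None) -> str:
    """Sign a token from `issuer` for `audience` with the key for that relationship."""
    import json
    now = int(time.time() if now is None else now)
    body = dict(claims, iss=issuer, aud=audience, iat=now, exp=now + ttl)
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(KEYS[(issuer, audience)], payload, hashlib.sha256).digest()
    return b64url_encode(payload) + "." + b64url_encode(sig)


def verify(token: str, expected_issuer: str, expected_audience: str, now=None) -> dict:
    """Check signature, issuer, audience and validity window; return the claims."""
    import json
    now = time.time() if now is None else now
    key = KEYS.get((expected_issuer, expected_audience))
    if key is None:
        raise ValueError("no trust relationship between issuer and audience")
    parts = token.split(".")
    if len(parts) != 2:
        raise ValueError("malformed token")
    payload, sig = b64url_decode(parts[0]), b64url_decode(parts[1])
    # Check the signature before trusting anything inside the payload.
    if not hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).digest(), sig):
        raise ValueError("bad signature")
    claims = json.loads(payload)
    if claims.get("iss") != expected_issuer or claims.get("aud") != expected_audience:
        raise ValueError("issuer/audience mismatch")
    if not claims["iat"] <= now < claims["exp"]:
        raise ValueError("token expired or not yet valid")
    return claims


def translate(inbound: str, target_app: str, hub="hub.example",
              corp_idp="adfs.corp.example", now=None) -> str:
    """Hub step: accept the corporate IdP's assertion, enforce the partner's
    rule, and mint a new assertion in the hub's name for the target app."""
    claims = verify(inbound, corp_idp, hub, now=now)
    policy = PARTNER_POLICY[target_app]
    if AUTHN_RANK.get(claims.get("authn"), 0) < AUTHN_RANK[policy["min_authn"]]:
        raise PermissionError(f"{target_app} requires {policy['min_authn']} authentication")
    # Identity and how it was authenticated are passed on; only agreed attributes go.
    outbound = {"sub": claims["sub"], "authn": claims["authn"], "via": corp_idp}
    outbound.update({k: claims[k] for k in policy["attrs"] if k in claims})
    return issue(outbound, hub, target_app, now=now)


def decide(inbound: str, target_app: str, now=None) -> dict:
    """Return a decision record instead of raising, for logging and for callers."""
    try:
        return {"allowed": True, "token": translate(inbound, target_app, now=now), "reason": ""}
    except (ValueError, PermissionError, KeyError) as exc:
        return {"allowed": False, "token": None, "reason": str(exc)}


if __name__ == "__main__":
    session = issue({"sub": "jdoe", "authn": "password", "email": "jdoe@corp.example",
                     "company": "BAE Systems", "employee_id": "E12345"},
                    "adfs.corp.example", "hub.example")
    for app in PARTNER_POLICY:
        result = decide(session, app)
        print(app, "->", "allow" if result["allowed"] else "deny: " + result["reason"])
```

Two behaviours are worth noting. A token minted for the hub cannot be replayed straight to a partner application, because the audience and the signing key differ for each hop; and the same password-authenticated session that is accepted for the first application is refused for the second, whose rule demands certificate authentication, which is exactly the "multiple scenarios" Takanti describes with no change to what the user sees.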


Industry Standards

Carrie emphasized that while the Managed Access Gateway is responsible for authenticating user identities, the trading partners are responsible for authorization. In other words, the trading partners maintain control over which identities may access an application and over what activities and transactions they may conduct inside the application.

"We are federating authentication, not authorization," said Carrie.

Specifications created by the Transglobal Secure Collaboration Program (TSCP) come into play. The TSCP is a federation of A&D companies trying to define sets of data attributes that are common within the industry for accessing and exchanging information.

In the future, as industry participants agree on common data sets for various transactions, more granular authorization could occur outside an enterprise, within the Managed Access Gateway, rather than being granted by individual applications, as is typically the case today.

Strengthening Authentication


As a single log-in comes to unlock more applications and data, enterprises often raise the bar to two or more factors: something the person knows (a password) combined with something they have (a hardware token) or something they are (a fingerprint), to tie the logical identity more firmly to the physical person. At BAE Systems today, Carrie said the vast majority of authentication is done via user name and password, and those measures also hold for the employees using the Enterprise Access Gateway.

"We've done nothing special over and above what we normally do," said Carrie. That said, he pointed out that the connection from BAE Systems' network to the Enterprise Access Gateway is architected such that only users with company-owned devices on the company network within the company's walls can access the gateway.

"It's not necessarily as good as strong authentication...but it does mean we are very confident whoever is logged on and presenting themselves to the gateway is on the BAE Systems network using BAE Systems equipment," said Carrie, noting it's impossible to get to the gateway from, say, an Internet café. "That means there's a greater level of confidence for us and our trading partners."

Nonetheless, BAE Systems is piloting several strong authentication technologies, including one-time password devices, software certificates, and certificates on hardware tokens. "It's all about trying to increase the confidence of the physical to logical binding," said Carrie.

Using the Enterprise Access Gateway creates "one road leading to enterprise applications," said Takanti. "So the company can concentrate on improving security on that one road and by extension, they're improving security for their entire enterprise."

Increasing confidence that authentic identities get access to the appropriate data is at the heart of BAE Systems' investment in identity federation, the Enterprise Access Gateway and Managed Access Gateway and TSCP, said Carrie.

"The whole business rationale for this is pretty simple: my business depends on working with other people, my business depends on working with other people electronically, and my business depends on doing so with a degree of security and trust," said Carrie, noting that email is not adequate to the rigors of exchanging data during a major project. "How do I trust when somebody logs into my system that they are the right person?

"All of those things are specific issues to aerospace & defense--but I would suggest they arise in lots and lots of other industries," he said. "The philosophies, the fundamentals, will be the same at Wal-Mart as they are with us."

# # #
