Stewart's stomach churned as he clicked off his cell phone and stared ahead at the traffic clogging the interstate. The news was bad. A competitor had managed to hack into sensitive research files in a partner's system. Months of ground-breaking research toward development of a pioneering medication were compromised. Trusted sources were now suspect. Important information was now inaccessible to everyone while the partner assessed the damages. Development of the drug was on hold.

If it could happen to their partners, Stewart knew it could happen to his own pharmaceutical company. And as COO, he needed to act fast to secure his organization's most critical assets. Practically every corporate asset other than the buildings themselves was housed on the network. He had to give employees, partners and customers easy access from anywhere, at any time. But he had to aggressively keep competitors—and criminals—out.

Stewart needed to guarantee the right mix of security and access. He needed to do it quickly. And he needed to do it without incurring budget-breaking expenses.

The concept of "security" is simple enough at first glance: either you let people in, or you keep them out. But the complex maze Stewart faced—his enterprise that spanned the globe had recently completed two acquisitions and relied on a variety of partners—made things a lot more difficult than they seemed on the surface.

Stewart needed an advanced solution that could secure his infrastructure, prevent information theft and protect the privacy of people inside and outside his organization. It had to be airtight—no room for failure or compromise.

But with all that security, it also had to be a solution that every employee could use without hassle, regardless of location, operating system or platform. It had to keep everything running smoothly. It had to allow trusted partners quick and easy access to the information they needed. It had to be user-friendly for customers. And it had to let the organization comply with strict regulatory mandates in a simple, straightforward way, without taking up valuable system administrator time.

Stewart knew that some solutions provided great security. He knew that others allowed good access, but without the state-of-the-art security he needed—especially with existing threats to his organization and those of his partners. Stewart needed a solution that provided both security and access—and that could be implemented in his enterprise cost-effectively despite its wide variety of platforms.

The Solution: Novell Access Manager 3
Novell Access Manager 3 is that solution. Three fundamental reasons explain why:

First, Novell Access Manager 3 allows your employees, partners and customers to access appropriate information easily and securely, but it effectively prevents anyone else from using your assets. You identify exactly which people should have access to your resources and they are able to access everything they have rights to with a single password. (Of course, for more secure resources, more advanced methods can be required, such as Tokens or X.509 certificates.) Everyone else is kept out.

Second, Novell Access Manager 3 lets you control access to both your Web-based and your traditional business applications the way you want. With that single password, a trusted partner can place orders with you over the Internet. She can also check on the status of key projects she's helping your team with or join a chat with developers from one of your divisions.

Finally, Novell Access Manager 3 lets you conduct business with confidence over the Internet, because in every case you know exactly with whom you are dealing. The competition can't use technology to compromise your business.

Here's how it works: you decide who will be able to access your information. You set policies by which those people gain access to your information. Novell Access Manager 3 then enforces those policies. When someone tries to access your information, your system authorizes access based on that user's role within your organization or his relationship to it.

Stewart establishes a policy allowing all research scientists who are working on a cancer prevention project to have access to the data for that project. He also allows a partner to have access to that data. Still another simple policy gives that partner access to all necessary data, but prevents him from accessing other proprietary information.

Changing those policies takes only a few simple keystrokes, and the change is implemented across your enterprise. So as business needs change, you can easily and quickly change the policies—and you can apply different policies to different users. Stewart gives all managers access to the personnel information for those they manage, but secures it from people who are not managers.
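The three policies Stewart sets above, worked through as an added example (written for this page, not code from the article or from Novell Access Manager): a deny-by-default evaluator in which the first matching policy grants access and every decision, allowed or denied, is recorded for later compliance reporting. The user records, project names, resource kinds and log format are all constructed for the example.

```python
"""Added example (not Novell's code): a deny-by-default policy evaluator
for the three policies described in the text. Users, projects and the
decision-log format are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple


@dataclass
class User:
    uid: str
    roles: set
    projects: set = field(default_factory=set)   # projects the user works on
    reports: set = field(default_factory=set)    # uids this user manages
    partner: bool = False                        # external partner account?


@dataclass
class Resource:
    kind: str            # "project-data", "personnel" or "proprietary"
    project: str = ""    # for project data: which project it belongs to
    owner: str = ""      # for personnel records: the employee's uid


# A policy is (name, predicate). First match grants access; no match denies.
Policy = Tuple[str, Callable[[User, Resource], bool]]

POLICIES: List[Policy] = [
    # Scientists working on a project may read that project's data.
    ("scientists-on-project",
     lambda u, r: r.kind == "project-data"
     and "scientist" in u.roles and r.project in u.projects),
    # A partner may read only the data of projects it has been granted;
    # other proprietary information is never matched by this rule.
    ("partner-project-only",
     lambda u, r: r.kind == "project-data"
     and u.partner and r.project in u.projects),
    # Managers may read personnel records of the people they manage.
    ("managers-see-their-reports",
     lambda u, r: r.kind == "personnel"
     and "manager" in u.roles and r.owner in u.reports),
]

DECISION_LOG: List[str] = []   # every decision lands here for reporting


def authorize(user: User, res: Resource) -> bool:
    """Return True if some policy grants access, else False (deny by default).
    Each decision is appended to DECISION_LOG with the policy that matched."""
    target = f"{res.kind}/{res.project or res.owner}"
    for name, rule in POLICIES:
        if rule(user, res):
            DECISION_LOG.append(f"ALLOW uid={user.uid} {target} by {name}")
            return True
    DECISION_LOG.append(f"DENY uid={user.uid} {target} (no matching policy)")
    return False


def compliance_report() -> List[str]:
    """Snapshot of the decision log, as a compliance report would consume it."""
    return list(DECISION_LOG)


# Constructed users and resources mirroring Stewart's examples.
ALICE = User("alice", {"scientist"}, projects={"cancer-prevention"})
PARTNER = User("partner-labs", set(), projects={"cancer-prevention"}, partner=True)
BOB = User("bob", {"manager"}, reports={"alice"})
CAROL = User("carol", set())

CANCER_DATA = Resource("project-data", project="cancer-prevention")
OTHER_IP = Resource("proprietary", project="next-gen-compound")
ALICE_FILE = Resource("personnel", owner="alice")
BOB_FILE = Resource("personnel", owner="bob")

if __name__ == "__main__":
    for who, what in [(ALICE, CANCER_DATA), (PARTNER, CANCER_DATA),
                      (PARTNER, OTHER_IP), (BOB, ALICE_FILE), (CAROL, ALICE_FILE)]:
        authorize(who, what)
    print("\n".join(compliance_report()))
```

Changing a policy here means editing one entry in `POLICIES`; nothing about the users or resources has to change, which is the property the text describes when it says policy changes propagate without touching the applications.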

What about compatibility issues? Unlike other access management solutions, Novell Access Manager 3 supports a broad range of platforms and directory services. In fact, it's flexible enough to work within and between even the most complex, multivendor environments, including AIX, HP-UX, Linux, NetWare, Solaris and Windows platforms. In an enterprise like Stewart's, that's critical: the companies his organization acquired were set up on a wide variety of systems. Novell Access Manager 3 allows him to create reliable security combined with easy access—all without the expense and frustration of replacing systems already in use by thousands of newly acquired employees. It also means he doesn't have to make special accommodations for partners who might be using disparate systems or applications.

Several years ago, Stewart migrated all the scientists and support staff in his main facilities to Linux; however, the company his organization acquired six months ago did not have any Linux servers or applications—meaning 4,000 employees worldwide were using a different operating system. Features in Novell Access Manager 3 let Stewart apply both security and ease of access to everyone without making costly software changes.

The fundamental strengths of Novell Access Manager 3 are in its policy management and enforcement. You define your policies—how you want specific users to access specific information. Novell Access Manager 3 then enforces those policies and logs them for later regulatory compliance reporting.

Then there's the issue of regulatory compliance: like many other executives, Stewart faces the need to comply with stringent government regulations. Novell Access Manager 3 lets companies share information and identities—both internally and externally—and provides automatic reports that help them comply with Sarbanes-Oxley, HIPAA and other regulations.

Components That Provide Secure Access
To understand the additional functionality of Novell Access Manager 3, take a look at the new and enhanced components that are part of the solution.

> Standards-Based Single Sign-On
In today's computing environment, passwords are necessary; you can't provide any kind of security without them. Ironically, passwords become a major security liability when people need to keep track of several passwords just to do their jobs. That's when passwords get jotted down on post-it notes and stuck to monitors, keyboards or other all-too-obvious places in the office. (For more information on the corporate-banned SNUMP method of password control, better known as "Sticky Note Under the Mouse Pad," see "Password" in the First Quarter 2006 issue of Novell Connection magazine (

Novell Access Manager 3 features single sign-on technology. Simply put, your employees and partners have to remember only one password in order to access any information they have rights to, regardless of where it is. Using the same password, users can access both Web-based and server-based information. When needed, Novell Access Manager 3 also supports more advanced authentication methods.

> Access Manager Policy
Administrator-defined policies define roles, authorization policies and identity injection policies. (See Figure 1.) The new extensible policy engine gives you greater flexibility in defining how you want users to be authorized. It even allows third-party developers to integrate custom processes for defining policies. It also supports existing "classic" modes of user authentication, meaning you can build on established systems that are already working for your enterprise.

> Identity Server
The brain of Novell Access Manager 3—the identity server—uses the policies you establish to authenticate users and decide whether to authorize access. This one server provides authentication services for all components of Novell Access Manager 3 and also services Liberty Alliance and SAML (Security Assertion Markup Language) requests. Unlike previous versions, the identity server supports both SAML 1.1 and SAML 2.0.

The identity server also includes the full Liberty Alliance Web Service Framework that provides a standard method of exchanging identities between trusted partners, but it allows you to control that flow of information. Custom attributes are also provided so you can configure additional attributes for any user.

An additional technology provided by the identity server is federated provisioning. A federation is a group of two or more trusted business partners who have business and technical agreements. Those agreements allow a user from one partner to seamlessly access resources from another partner in a secure and trusted way.

Other solutions require that a user account already exist at both the identity provider and the service provider before the user can be federated. But the Novell Access Manager 3 identity server automatically creates user accounts as requested by the federation. As a result, users don't have to register—create a user account—with the service provider before they can establish their identities. Novell Access Manager 3 components are defined as "Enterprise Service Providers," so all external federation partners enjoy the same automation and single sign-on capabilities internal users do.

As an example, imagine a global alliance of federated airlines that provide millions of passengers with airline service to hundreds of countries throughout the world. When John Pratt joins the airline alliance, Novell Access Manager 3 automatically creates an account for John with each of the member airlines using Liberty-enabled services. Novell Access Manager 3 then federates John. The result? John can now use a single password to access appropriate passenger information on any of the airlines. Using the same password and the same simple process, John can check his departure schedule on Lufthansa, book a flight over the holidays on United Airlines and choose a seat for next month's flight on Air New Zealand.

> Access Gateway
The access gateway is the HTTP proxy component of Novell Access Manager. It provides the award-winning security and proxy services for which Novell is known, such as authorization, single sign-on and data encryption. In addition, it also integrates with the new identity and policy services that are available through Novell Access Manager 3. The access gateway is available on both NetWare and Linux platforms, so IT staff can choose their preferred platform.

With Novell Access Manager 3, you get dynamic encryption of data between the access gateway and the browser without any changes on your part. It also provides rewriting: links and redirects are rewritten from HTTP to HTTPS, enabling your organization to completely hide its internal DNS information without having to modify any of your Web content.

Here's what happens: the user authenticates to the access gateway through the identity server. The access gateway enforces policy decisions. If the user is authorized by your policy, access is granted and single sign-on is activated. All the user knows is that he signs on and enters a password.

The access gateway is configured and administered via the Novell Access Manager 3 management console, which unifies the entire access management infrastructure. As a result, multiple access gateways can be configured as a group, while individual device attributes—such as IP addresses and subnet addresses—are handled separately.

With the access gateway, you can transform identity-provider authentication and services into things like standard Web headers, form fill-in responses and basic authentication responses. In other words, your existing Web applications can support your new identity standards—there's no need to go to the expense and time of modifying the Web applications your business already uses or installing additional software on your Web servers.

An example of that support is the policy-enabled identity injection feature of the access gateway. It leverages the Web services framework of the Liberty Alliance—and then injects identity information from the Liberty Alliance into Web headers or query strings without requiring extra steps on your part.
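The two gateway behaviours described in this section and in the encryption paragraph above, identity injection into Web headers and rewriting of internal URLs to the public HTTPS address, as an added example written for this page (not Novell's access gateway code). It assumes a gateway session cookie named `GWSESSION`, injected header names `X-Remote-User` and `X-Remote-Roles`, and the two host names shown; all of these are constructed. The security point it makes explicit is that a gateway which injects identity headers must first drop any copy of those headers that arrived from the client, so the back-end application only ever sees the gateway's own value.

```python
"""Added example (not Novell's code): a toy access gateway that injects the
authenticated identity into request headers and rewrites internal URLs in
responses. Host names, header names and the session store are constructed."""
import re
from typing import Dict, Tuple

PUBLIC_ORIGIN = "https://portal.example.com"           # what browsers see
INTERNAL_ORIGIN = "http://orders.intranet.local:8080"  # back-end Web server

# Headers the gateway injects. Any inbound copy is stripped so the back end
# cannot be fed an identity the gateway did not authenticate.
INJECTED_HEADERS = ("X-Remote-User", "X-Remote-Roles")

# Constructed session store: gateway session id -> authenticated identity
SESSIONS: Dict[str, Dict[str, str]] = {
    "sess-7f3a": {"uid": "partner.jane", "roles": "partner,orders"},
}


def _parse_cookies(header: str) -> Dict[str, str]:
    """Split 'a=1; b=2' into a dict; malformed parts are ignored."""
    return dict(p.strip().split("=", 1)
                for p in header.split(";") if "=" in p)


def inject_identity(headers: Dict[str, str]) -> Tuple[Dict[str, str], bool]:
    """Build the headers forwarded to the back end.
    Returns (forwarded_headers, authenticated)."""
    # 1. Remove every inbound copy of an injectable header, case-insensitively.
    blocked = {h.lower() for h in INJECTED_HEADERS}
    forwarded = {k: v for k, v in headers.items() if k.lower() not in blocked}
    # 2. Resolve the gateway session from the cookie.
    session = SESSIONS.get(_parse_cookies(headers.get("Cookie", "")).get("GWSESSION", ""))
    if session is None:
        return forwarded, False          # unauthenticated: nothing injected
    # 3. Inject identity taken from the session, never from the client.
    forwarded["X-Remote-User"] = session["uid"]
    forwarded["X-Remote-Roles"] = session["roles"]
    return forwarded, True


_INTERNAL_RE = re.compile(re.escape(INTERNAL_ORIGIN), re.IGNORECASE)


def rewrite_response(headers: Dict[str, str], body: str) -> Tuple[Dict[str, str], str]:
    """Replace the internal HTTP origin with the public HTTPS origin in the
    Location header and in text bodies, so internal names never reach the
    browser. Content-Length is recomputed when the body changes."""
    out = dict(headers)
    if "Location" in out:
        out["Location"] = _INTERNAL_RE.sub(PUBLIC_ORIGIN, out["Location"])
    if out.get("Content-Type", "").startswith("text/"):
        body = _INTERNAL_RE.sub(PUBLIC_ORIGIN, body)
        out["Content-Length"] = str(len(body.encode("utf-8")))
    return out, body


if __name__ == "__main__":
    fwd, ok = inject_identity({"Cookie": "GWSESSION=sess-7f3a", "X-Remote-User": "ceo"})
    print(ok, fwd)
    print(rewrite_response({"Content-Type": "text/html"},
                           f'<a href="{INTERNAL_ORIGIN}/cart">Cart</a>'))
```

In a deployment the back-end servers should additionally accept connections only from the gateway addresses, since an injected header is only trustworthy if no other path to the application exists.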

> SSL VPN
The SSL VPN provides secure access to non-HTTP-based applications. It is provided as an adjunct to the access gateway to provide secure access to enterprise resources. As a Linux-based service, it is accelerated by and shares information with the access gateway. As soon as successful authentication occurs, an ActiveX plug-in or Java applet is delivered to the client.

A user's role in relationship to your organization determines whether that user is authorized to access assets. That same role determines how back-end applications respond. The SSL VPN also validates client integrity, checking for required software, such as firewalls and virus scanners, before initiating the SSL VPN session.

> Java Application Agents
Novell Access Manager 3 uses three Java application server agents to accomplish authentication: one each for IBM WebSphere, BEA WebLogic and JBoss. These agents use the JAAS and JACC mechanisms and internal Web-server APIs. They also use the policies you establish to control access to servlets and EJBs.

In some cases, platform-specific APIs provide even tighter, more robust integration.

> SP Agent
The SP agent is a shared component that provides common implementation of both identity protocols and federation standards. When an authentication request comes in, the SP agent automatically redirects the request to the identity server. The identity server then returns a SAML assertion to the component. Confidential information is protected, because there is no need to pass user credentials between the components.
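The exchange this section describes, the SP agent redirecting an authentication request to the identity server and receiving an assertion back, together with the federated provisioning described under Identity Server (a first-time federated user gets a local account created automatically), as one added example written for this page. It is not Novell's SP agent or identity server code. Assertions are modelled as JSON signed with an HMAC key shared by the two parties, a stand-in for the XML-DSig signatures real SAML uses; the issuer, entity IDs, key and user records are constructed. The service provider never sees the user's password: it trusts only a correctly signed, unexpired, audience-matched, non-replayed assertion that answers a request it actually issued.

```python
"""Added example (not Novell's code): SP-agent redirect, identity-server
assertion, SP-side validation and federated provisioning. JSON + HMAC stand
in for SAML XML + XML-DSig. All names, keys and URLs are constructed."""
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional

SHARED_KEY = b"constructed-idp-sp-signing-key"     # stand-in for the IdP signing cert
IDP_ISSUER = "https://idp.airline-alliance.example"  # constructed identity server
SP_ENTITY_ID = "https://www.airline-sp.example/sp"   # constructed service provider


def _sign(payload: Dict) -> str:
    """Deterministic HMAC over the canonical JSON form of the assertion body."""
    data = json.dumps(payload, sort_keys=True).encode("utf-8")
    return hmac.new(SHARED_KEY, data, hashlib.sha256).hexdigest()


class IdentityProvider:
    """Authenticates the user (out of band here) and issues a signed assertion."""

    def __init__(self):
        # Constructed user store; the NameID is a persistent federation id,
        # not the user's login name.
        self.users = {"john.pratt": {"name_id": "fed-" + secrets.token_hex(4),
                                     "email": "john.pratt@example"}}

    def respond(self, authn_request: Dict, authenticated_user: str,
                now: Optional[float] = None) -> Dict:
        now = time.time() if now is None else now
        u = self.users[authenticated_user]
        body = {"ID": "a-" + secrets.token_hex(8), "Issuer": IDP_ISSUER,
                "Audience": authn_request["Issuer"],      # intended SP only
                "InResponseTo": authn_request["ID"],      # ties to SP's request
                "NameID": u["name_id"], "NotOnOrAfter": now + 300.0,
                "Attributes": {"email": u["email"]}}
        body["Signature"] = _sign(body)
        return body


class ServiceProvider:
    """The SP agent: redirects logins to the IdP and validates assertions."""

    def __init__(self):
        self.outstanding: Dict[str, float] = {}   # request id -> issued-at
        self.seen_assertions: set = set()         # assertion ids, replay check
        self.accounts: Dict[str, Dict] = {}       # NameID -> local account

    def start_login(self) -> Dict:
        """No credentials are collected; the user is redirected to the IdP."""
        req_id = "req-" + secrets.token_hex(8)
        self.outstanding[req_id] = time.time()
        return {"ID": req_id, "Issuer": SP_ENTITY_ID, "Destination": IDP_ISSUER}

    def consume_assertion(self, assertion: Dict,
                          now: Optional[float] = None) -> Optional[str]:
        """Validate the assertion; return the local uid, or None on any failure.
        A federated user seen for the first time is provisioned automatically."""
        now = time.time() if now is None else now
        sig = assertion.get("Signature")
        body = {k: v for k, v in assertion.items() if k != "Signature"}
        if not sig or not hmac.compare_digest(sig, _sign(body)):
            return None                                  # forged or tampered
        if body.get("Issuer") != IDP_ISSUER or body.get("Audience") != SP_ENTITY_ID:
            return None                                  # wrong issuer/audience
        if self.outstanding.pop(body.get("InResponseTo"), None) is None:
            return None                                  # unsolicited or reused
        if now >= body.get("NotOnOrAfter", 0) or body.get("ID") in self.seen_assertions:
            return None                                  # expired or replayed
        self.seen_assertions.add(body["ID"])
        name_id = body["NameID"]
        if name_id not in self.accounts:                 # federated provisioning
            self.accounts[name_id] = {"uid": f"fed-{len(self.accounts) + 1:04d}",
                                      "attrs": body.get("Attributes", {})}
        return self.accounts[name_id]["uid"]


if __name__ == "__main__":
    idp, sp = IdentityProvider(), ServiceProvider()
    req = sp.start_login()                  # SP -> IdP redirect
    assertion = idp.respond(req, "john.pratt")
    print(sp.consume_assertion(assertion))  # local uid, account created on the fly
```

Real SAML validation also checks the Destination and Recipient fields, applies a small clock-skew allowance, and verifies the XML signature against the partner's published metadata certificate; the order of checks here (signature first, then trust, binding to a request, freshness, replay) is the part worth carrying over.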

> Management Console
The Novell Access Manager 3 management interface provides a central place where your system administrator can configure and manage all the components and policies of the product. You can delegate administration responsibilities for individual devices, agents and policy control.

The new management console also groups access gateways so that any change you make to configuration will be pushed to all the gateways at the same time. (See Figures 2 and 3.)

> Conclusion
By implementing Novell Access Manager 3, Stewart secured his company's most critical assets against being compromised. At the same time, he made sure that everyone who needed access to information had it—no matter where they were, regardless of what platform they used. In the process, he simplified access for the people who needed it and reduced management headaches for those who administered the system.

Novell Access Manager 3 is a solution designed to solve both facets of security: it lets the right people in—quickly and easily—while keeping the wrong people out. With broad new capabilities and state-of-the-art components, Novell Access Manager 3 is an advanced solution that effectively secures your infrastructure, prevents information theft and protects the privacy of people inside and outside your organization with the ease and simplicity required in today's fast-paced, competitive business environment.

© 2015 Micro Focus