
Who am I? Who are you? Though these may sound like existential questions you'd ask yourself at a spiritual retreat drinking wheat grass shots and perfecting the upavistha konasana yoga posture, they're actually questions IT security managers struggle with day and night.

According to Wikipedia.com, "The Danish philosopher Søren Kierkegaard (1813-1855), the 'father of existentialism,' asserted that... Existentialism emphasizes action, freedom and decision as fundamental to human existence."

With more and more of our personal and enterprise digital assets vulnerable to sneaky identity thieves, it's increasingly important to secure these assets with an advanced authentication service that provisions each user with access to the right resources at the right time.

Until recently, we've relied on other individuals and organizations to keep our identities protected. But the risk of unauthorized access continues to increase and we must take decisive action to secure our enterprise data, provision identities, and manage authentication throughout the enterprise. Kierkegaard would be so proud.

As an end-user, it sounds warm and fuzzy to hear your enterprise, financial institution, health care facility and/or government agency is adding new layers of security to their systems. But what kind of experience will you have the next time you attempt what used to be simple online banking?

How many passwords and retinal scans must you endure? How many times will you have to remember your first pet cat Simon, God rest his soul, and type his lonely name into yet another authentication tool? How many times will you forget your new password which must contain a minimum of six letters, three numbers and two special characters? How often will you be left staring at your Inbox while the system takes its own sweet time sending you a new, temporary password? And all the while, your online banking sits idly by.

As an IT security manager, it's overwhelming to stay on top of all the new security regulations (for example, HIPAA and Sarbanes-Oxley) and keep confidential digital assets and employee information both available and secure, all at the same time.

What does your current authentication plan look like and how effective is it? Do your end-users manage their multiple passwords using the SNUMP method (sticky note under the mouse pad)? Or even worse, on their monitors? How often must you tie up valuable time and resources to reset forgotten passwords? And what about going through new security checks or accessing hardware with additional security levels with identification or smart cards?

Now you've got the added headache of providing temporary smart cards—cards that deactivate and activate the primary card—for forgetful and temporary employees. There's also a certain matter of auditing the actions that take place on your network and recognizing when there's a problem.

Let's face it: you need an easily managed authentication solution that frees up your time for dinners at home so your spouse will stop threatening to go back to New Mexico with the kids and the cat.

Well, whoever you are—end user or IT security manager—let me introduce you to a solution that will satisfy your quest for secure authentication while implementing and delivering it in a way that will put an end to marital turmoil as you know it. It may seem Utopian, but in fact, it's Novell Certificate Login.

> Novell Certificate Login Architecture
Novell Certificate Login extends the Novell Modular Authentication Service (NMAS) infrastructure to provide support for standard X.509 certificates. NMAS is an extensible security product that offers you an easy way to centrally manage multifactor authentication methods across your network. With NMAS, users can authenticate to the network via something they know (a password), something they have (a smart card: Novell Certificate Login), and/or something they are (their fingerprint).

Certificate Login is bundled with Novell eDirectory, Novell Identity Manager and Novell Audit. The basic Novell Certificate Login solution is made up of two components: a user credential store (Novell eDirectory) and a client workstation (a desktop or laptop). Additional systems such as Active Directory, Oracle and PeopleSoft may be linked and synchronized using Novell Identity Manager.

> I AM the End User
Experience
To put it simply, the life you used to live—the one riddled with passwords and inconsistent user experiences—is a thing of the past. With Novell Certificate Login you get provisioned resources on the go; if you log in from a remote location you can still expect all the access and roles assigned to your primary location. And with multifactor authentication using a smart card, you truly will enjoy a reduced sign-on experience.

End User Benefits

No more troublesome passwords
Reduced sign-on to local machine and back-end identity store using multifactor authentication via one smart card

Additional security with card removal monitoring: system can be configured to detect if the smart card has been removed and respond with an appropriate action (lock down, log off or do nothing)

Appropriate certificate expiration warnings: users are notified when their card's public key infrastructure (PKI) or certificate is about to expire

Convenient, disconnected login support: using a smart card, mobile users can log in to their local machine when network connectivity isn't available

Easy temporary card support: if a card is left home, the administrator can issue a temporary card that deactivates and activates the primary card, automatically

> I AM the Administrator
Experience
As an administrator, your challenges related to identity management and seamless authentication range from identity theft, insider attacks and meeting required security regulations to managing multiple directories and multiple users in multiple locations and all the while assigning new passwords.

With Novell Certificate Login you can manage all your employees from one central repository using Novell eDirectory and/or Active Directory. These disparate accounts are synchronized and can be managed from any Web browser. Now you can experience the freedom of managing what you want, where you want. Finally, you can get rid of the sleeping cot and extra skivvies in your office and sleep at home like a regular person.

> Simple Account Configuration: Assigning a Certificate
Internal and External Certificate Authorities
A user account can be assigned one or more certificates, allowing access to multiple systems based on user provisioning. Certificates may be created by an external trusted Certificate Authority, for example, VeriSign or Thawte, or by an internal/organizational Certificate Authority. (For more information, see Novell Certificate Server online at novell.com/products/certserver.)

Using an external trusted Certificate Authority allows you to use smart cards across organizations and does not require you to maintain your own Public Key Infrastructure.

> Advanced Account Configuration: Optimizing a Certificate
Certificate Revocation Lists
Once a certificate is issued, its status is updated continually by the Certificate Authority through a Certificate Revocation List (CRL). A CRL is cached and refreshed at regular intervals, and applications consult it to determine the status of any given certificate.

For instance, a user may swipe his or her smart card to access a piece of hardware or gain clearance into a secured area. At this point the application, for instance NMAS, queries the CRL to determine the certificate's status. Online Certificate Status Protocol (OCSP) is the successor to the CRL and performs a real-time query on every request, which is particularly useful when auditing actions between systems.

Expiration Dates and Grace Periods
When a certificate is assigned, it is also given an expiration date, which can be as short as one day or as long as several years depending on the user. Before the point of expiration, the end user receives expiration warning messages at a frequency determined by the system administrator. The administrator can also set an expiration grace period independently for each certificate, based on the end user's identity.
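The checks described under Certificate Revocation Lists and under Expiration Dates and Grace Periods, as an added example in Python that is not Novell's or NMAS's code: it models one smart-card login decision against a cached CRL, an administrator-chosen warning lead time and a per-certificate grace period. The serials, subjects, dates and the fail-closed rule for a CRL whose next_update has passed are constructed assumptions for illustration, not documented product behaviour.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Tuple

def at(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)   # UTC timestamp helper

@dataclass(frozen=True)
class Certificate:
    serial: int
    subject: str
    not_before: datetime
    not_after: datetime

@dataclass(frozen=True)
class CachedCRL:
    this_update: datetime            # when the CA published this list
    next_update: datetime            # CA's deadline for publishing a fresher one
    revoked_serials: FrozenSet[int]

@dataclass(frozen=True)
class Policy:
    warn_before: timedelta           # admin-chosen lead time for expiry warnings
    grace_period: timedelta          # per-certificate grace after not_after (may be 0)

def evaluate(cert: Certificate, crl: CachedCRL, policy: Policy, now: datetime) -> Tuple[bool, str]:
    """Decide one smart-card login at time `now`; returns (access_granted, status)."""
    if cert.serial in crl.revoked_serials:   # a listed serial is revoked, however old the list
        return False, "DENY_REVOKED"
    if now > crl.next_update:                # stale cache cannot vouch for anything: fail closed
        return False, "DENY_CRL_STALE"
    if now < cert.not_before:
        return False, "DENY_NOT_YET_VALID"
    if now > cert.not_after + policy.grace_period:
        return False, "DENY_EXPIRED"
    if now > cert.not_after:                 # expired, but inside the admin's grace window
        return True, "ALLOW_IN_GRACE"
    if now > cert.not_after - policy.warn_before:
        return True, "ALLOW_WARN_EXPIRING"   # login works; the user is shown an expiry warning
    return True, "ALLOW"

def days_until_expiry(cert: Certificate, now: datetime) -> int:
    """The figure quoted in the user's expiry warning."""
    return (cert.not_after - now).days

# Constructed sample data, not real certificates or a real CA's revocation list.
USER_CERT = Certificate(0x1001, "CN=jsmith,O=Example", at(2024, 1, 1), at(2025, 1, 1))
LEAVER_CERT = Certificate(0x0FFF, "CN=leaver,O=Example", at(2024, 1, 1), at(2025, 1, 1))
CRL_JUNE = CachedCRL(at(2024, 6, 1), at(2024, 6, 8), frozenset({0x0FFF}))   # weekly CRL, fetched 1 June
CRL_DEC = CachedCRL(at(2024, 12, 10), at(2025, 1, 10), frozenset({0x0FFF}))
POLICY = Policy(warn_before=timedelta(days=30), grace_period=timedelta(days=3))
```

The stale-cache case is the one most deployments get wrong: a workstation that last fetched the CRL on 1 June cannot tell, on 10 June, whether a card revoked on 5 June is still good, so the safe answer is to deny until a fresh list (or an OCSP response) is available.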

Card Removal Monitoring
With Novell Audit, the network is monitored both for things that should be happening but aren't, and things that shouldn't be happening but indeed are. Similarly, certificate authentication can work both ways. When a certificate is swiped via a smart card, the system runs its checks and balances and grants (or denies) access. At the same time, if a smart card is removed from a piece of hardware, for instance, the workstation can be set to lock down, log off or take no action at all.

Global Setting Configuration
To simplify things for the administrator, global settings can be created to provide the same authorization to everyone within an organization or everyone within a certain department. For example, within accounting a smart card may be issued to each individual, granting access to certain databases. But perhaps there are two or three people within accounting who require greater access to protected information. In this instance, exceptions can be made to the global settings to appropriately provision these few individuals.

Administrator Benefits

Beneficial central identity repository: one directory for all company employees
Trusted location for all user accounts (Novell eDirectory) based on user provisioning

Synchronized management of Novell eDirectory and other systems, including Microsoft Active Directory, using Identity Manager

Centralized account management: managing differently provisioned identities from one location

Unbiased cross-platform support

Timely Web-based administration: using iManager, a security manager can tap the central repository from any machine using nothing more than a Web browser. No client software downloads necessary

Additional Authentication: hardware and software tokens
A hardware security token is a physical device issued to an end user to aid in authentication. Tokens are typically small enough to be carried in a pocket or purse and are often designed to attach to a keychain. Some may store cryptographic keys, such as a digital signature, or biometric data, such as a fingerprint.

A software security token is a form of two-factor authentication. Unlike hardware tokens, software tokens run on your PC or on a separate multipurpose device.

Legacy System Sign In
Using Identity Manager, administrators can synchronize identities across disparate and legacy systems by creating a unified password or authentication policy. This allows individual end users to access legacy systems such as Oracle or PeopleSoft by simply signing into the network.

Auditing actions between systems
Novell Audit (novell.com/products/audit) is bundled with Novell Certificate Login. Audit is a secure logging and auditing solution that collects and stores data about security, system and application events occurring across an organization's network. Using real-time monitoring, Novell Audit will send notifications if policies and regulations are breached.

Leverage existing Smart Card and PKI infrastructure
Novell Certificate Login works with all card readers and middleware and existing organizational/internal Certificate Authorities are leveraged. Certificate Login requires no proprietary certificate extensions and conforms to open standards.

Kierkegaard realized that "human nature and human identity vary depending on what values and beliefs humans hold." As this philosophy applies to Novell Certificate Login, identity is authenticated based on multifactor values assigned to each user through reduced sign on.

In the end, and simply put, as an end user, you'll gain access to everything you need whether you are at your primary location or logging in from the road. As an administrator you'll happily manage access to your network from anywhere, even the poolside lounge chair at your favorite retreat. So sit back, sip your wheat grass juice and look forward to a fulfilling authentication system sure to bring you inner peace. Who are you? Who am I? We are one and the same. We are enlightened. Finally!

Find a complete installation guide for Novell Certificate Login and bundled products at novell.com/documentation/ncl201/index.html



© 2014 Novell