Enterprise Web Access and Federated Identity – match made in heaven?
The reality of enterprise web access today and the challenges it brings to the companies and their security departments are pretty well described in this blog post. The conclusion of that post is that: “F5 Secure Web Gateway – with BIG-IP Access Policy Manager – delivers this, and more…” Let’s pick it up where that blog post left off and explore the “more” part of that sentence in order to uncover the unique value proposition that F5 brings. Over the past five years, many F5 customers have used F5 Access Policy Manager (APM) to provide granular, context-aware secure access into enterprise applications. In that time, customers have deployed APM to provide strong multi-factor authentication for the applications, perform single sign-on, and enable access control based on Layer 4 and Layer 7 ACLs. Further, as of about 18 months ago, F5 capabilities expanded to include federated access to applications using SAML 2.0. The need to provide federated identify in the enterprise grows rapidly as companies turn to outsourcers and cloud-based applications to meet their needs: Office 365, Salesforce.com, Concur, Amazon Web Services, Microsoft Azure, etc. In fact, it’s hard to find an enterprise today that is not relying on at least one cloud-based application, and thus has the need to provide user identity services to these applications. Based upon real-world APM implementations that I have seen, as well as quite a few DevCentral posts from customers and partners, a real need exists to perform “silent” user authentication and seamless sign-on into cloud-based applications. Let’s go over how that normally works in the enterprise environment: APM would be configured to act in the SAML Identity Provider (IDP) role. When a user attempts to access cloud-based SAML-enabled applications, those applications ask for a SAML assertion from the user’s IDP. So, when a user who has not yet been authenticated attempts to access a cloud application, that user is sent to the IDP that has been defined for that application as the trusted identity provider. The user has to authenticate to that IDP, after which the IDP will issue a SAML assertion to the cloud-based application. The user will then be logged in based upon the SAML assertion data sent by the IDP. Many enterprises today want their users to seamlessly authenticate to the IDP while accessing external applications from an internal network. While many IDPs leverage forms-based authentication method for external access—where a user enters their username and password and submits it to authentication store such as Active Directory for verification—internal IDPs can take advantage of the fact that the user has already authenticated from an endpoint inside the internal network. As such, users may silently authenticate to the IDP using either NTLM or Kerberos authentication, which can then provide seamless logon experience into the IDP. Now, let’s revisit the need to provide enterprise web access control and to ensure the compliance with the outbound security access policy. F5 Secure Web Gateway Services can protect users from exposure to potentially dangerous websites and malware-infected web apps, ensuring compliance with the organization’s web access policy. And because F5 Secure Web Gateway is tightly coupled with APM, customers can now solve two problems simultaneously—ensure efficient web access control while providing seamless federated identity services for accessing SaaS applications. What’s important is that this is all accomplished on the same device, using the same policy-editing GUI, preserving transparency and enhancing end-user experience for both outbound web access and use of cloud applications. By combining the power of Secure Web Gateway Services and Access Policy Manager, you’ve got the cake, and you get to eat it too. It tastes delicious!
The Reality of Enterprise Web Access Today
Web access by employees from their company’s network is table stakes for just about every type of business. Regardless if the employee is local or remote, or if they are accessing the web from a company-owned or personal laptop, tablet or smart phone, it’s nearly ubiquitous, a mission-critical requirement. Just looking at the average number of web- and cloud-based applications in use within enterprises today – which for many companies is in the thousands – dictates employees need corporate web access just to do their everyday jobs and be productive. This is not even taking into consideration millennials, who oftentimes won’t even consider a job opportunity if there are restrictions on using their personal devices or attempts to limit their web access! So, open web access to employees, right? Well, not so fast: With full and unrestricted employee access to the web come serious issues. Recent industry reports claim employees today are surfing non-work related web sites between 60 and 80 percent of the time spent online at work 1 , with social media and news web sites as their favorite productivity killers. So, compliance with corporate Web use policies – not to mention industry and/or government regulations – is an issue; as is saving precious network bandwidth for work-related needs. While no company wants to feel like a scold or be mistrustful of their employees, the truth is enterprises need to insure that staff isn’t wasting too much time and network bandwidth downloading the latest viral video, playing online multi-player games, or watching the latest sports action streaming in real time. And along with productivity issues, unfortunately there are also significant security issues, too: watering hole attacks, drive-by downloads, and targeted spear phishing attacks, just to name a few. Today’s savvy enterprise realizes they need better controls and management for web access – for both employee and guest access. Context-aware web access policies can secure a business, its applications, and sensitive data from potentially dangerous websites and malware-infected web applications. It can also identify and protect against new, fast emerging, sophisticated web threats, malware, and advanced persistent threats (APTs). Controlling access and protecting against malware attacks and other threats is one thing. The ability to analyze, and then filter and remove malicious components embedded inside dynamic web pages is another. URL filtering and prescriptive URL categorization can deliver compliance with corporate, as well as industry and government regulations. URL filtering and categorization help mitigate exposure to Web-based threats and data leakage, and increase employee productivity and protect network bandwidth. Detecting and blocking web-borne malware and malicious scripts in web pages protects enterprise networks, applications, and data from gnarly malware infections and infestations, and insidious, rogue apps and data. F5’s Secure Web Gateway along with our suite of inbound security features running on F5 platforms and context- and content-aware policies with our Access Policy Manager (APM), enables all of these capabilities, and more. Protecting against both inbound and outbound malware is paramount for today’s business. Checking user devices and its applications for malware that might infect a corporate Web app, then checking their device, apps, data and any downloads again on the return trip to the corporate network to ensure that the web sites visited didn’t leave a little “something-something” behind to remember them by is vital. Plus, employers need to know who – as in which user – has been accessing the Web, and where they have gone on the Web, to address any issues, and to – if necessary – limit user access based on identity and other factors. Most of all, business today needs an easy, centralized, “one-stop shop” to create simple yet sophisticated, content-aware and context-sensitive web security policies. F5 Secure Web Gateway – with BIG-IP Access Policy Manager – delivers this, and more. 1 Study: Workers Spend 60% or More of Day Web Surfing for Personal Reasons”, Daily Tech, February 7, 2013