Modernizing Authentication — What It Takes to Transform Secure Access
The market for Web application authorization products, also known as single sign-on tools, is robust, but implementing the tools remains a chore that won't be painless.
That was the gist of a session given at the recent E-Security Conference and Expo in Boston by Chris King, program director of Global Networking Strategies at the META Group consultancy. In the session, King also laid out his view of the top vendors in the field, as well as the up-and-comers from which you might be able to strike a favorable deal.
Web authorization products are known by a number of names, including SSO and Web SSO tools. They all fundamentally do the same thing: implement a permissions infrastructure that details which users can access which resources. For internal corporate applications, the tools purport to reduce user logon requirements; users log on once to the web authorization tool, and it takes care of logons to all other applications. Implemented in public Web sites or extranets, the tools can allow a company to differentiate among its visitors, giving some access to content and applications that others can't see.
There are two basic approaches that authorization tools use, one based on cookies and the other a gateway or proxy model. With the cookie approach, a user logs in to a security server, which checks the user's permissions against a directory, then places a cookie on the client machine that details what that user is allowed to access. The alternative is to have users log on to a gateway, or proxy server. The server checks the user's permissions and retrieves data or other requested resources if the user is properly authorized.
Pros and cons exist for both approaches - cookies are less secure but more scalable, while gateways offer more centralized control but add infrastructure - so increasingly vendors are offering both, King said.
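As an added illustration of the cookie model described above (example code, not from the article or any vendor's product): because the security server writes the user's permissions into the cookie itself, the cookie needs integrity protection and an expiry, or the client could edit its own permissions. The secret, user name and paths are constructed values.

```python
import base64
import hashlib
import hmac
import json
import time

def issue_authz_cookie(user, allowed_paths, secret, ttl=3600, now=None):
    """Security server side: encode the user's permissions and sign them (HMAC-SHA256)."""
    payload = {"sub": user, "allow": sorted(allowed_paths), "exp": int((now or time.time()) + ttl)}
    body = base64.urlsafe_b64encode(
        json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()).decode()
    tag = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"

def verify_authz_cookie(cookie, secret, now=None):
    """Application side: return the payload only if the signature and expiry check out."""
    try:
        body, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    payload = json.loads(base64.urlsafe_b64decode(body))
    if payload["exp"] <= (now or time.time()):
        return None
    return payload

def is_authorized(cookie, path, secret, now=None):
    """Page-level check: the requested path must sit under one of the allowed prefixes."""
    payload = verify_authz_cookie(cookie, secret, now)
    if payload is None:
        return False
    return any(path == p or path.startswith(p.rstrip("/") + "/") for p in payload["allow"])

def tampered_copy(cookie, extra_path):
    """Simulate a client editing its own cookie to grant itself another path (old tag kept)."""
    body, tag = cookie.rsplit(".", 1)
    payload = json.loads(base64.urlsafe_b64decode(body))
    payload["allow"].append(extra_path)
    body = base64.urlsafe_b64encode(
        json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()).decode()
    return f"{body}.{tag}"
```

The gateway model avoids this problem by keeping the permission data on the proxy and never handing it to the client, at the cost of the extra server in the request path.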
In either case, Web authorization tools offer a number of benefits, he said, including enabling the use of a single user directory and a centralized repository for authorization data, down to the page level. In some instances, the tools also offer delegation of administration, user self-service, such as for resetting passwords, and fine-grained control over authorizations.
That's not to say realizing all those benefits will be easy.
"Doing role-based authorization across an enterprise is a nightmare," King said. "You can do it, but it'll take you 18 months."
Users get into particular trouble when they try to customize the tools. "That may tie you too closely to a vendor," King said. That could come back to haunt you if you decide to go in a different direction down the road, such as if your vendor is acquired. "Make sure the exit or swap-out doesn't kill you."
But if customizing is troublesome, building your own authorization software is even worse. "It may seem straightforward, until your developer bolts the company," King said. Additionally, maintenance and support are likely to be much more difficult with a homegrown application than with an off-the-shelf one. In fact, he said most companies that tried to build their own authorization system are now moving to off-the-shelf software.
As for which vendors they're choosing, the top tier includes Netegrity, which King called the "obvious leader"; Securant; and IBM, which bought authorization vendor DASCOM some time ago. Each product has its strengths and weaknesses, as detailed in the chart King presented.
Chart: Ranking the top Web Authorization tool vendors (only the rating criteria survive here: Vision / Focus; Ability to Execute; Vendor Viability & Strength; Complexity / Ease of Use; Level of Integration / Supported Apps; Number of integrated web servers; Mean Time to Value). SOURCE: META GROUP, STAMFORD, CONN.
A number of vendors inhabit the second tier. Among them is Entrust, which King dropped from the top tier due to support problems and its inability to keep up with functions rolled out by other top players; he expects the company to graduate back to the top, however.
Also at the top of the second tier are Oblix and OpenNetwork Technologies. Oblix has leading-edge administration capabilities, King said, while OpenNetwork is particularly strong in the health care industry and may also soon graduate to the top tier.
Rounding out the second tier are Axent (a subsidiary of Symantec), Baltimore, Blockade, Computer Associates, Entegrity Solutions (which bought Gradient Technologies about a year ago), Evidian (the former BullSoft, a subsidiary of Groupe Bull), Hewlett-Packard and RedCreek Communications.
Customers would be wise to consider these second-tier vendors for price, their knowledge of a particular vertical market and any architectural quirks that make for a good fit, King said. Price is a particular concern, given that prices have gone up about 15% since the third quarter of 2000.
"Some vendors have said, 'We're going to get a certain amount of dollars no matter how many seats you buy,'" King said. The good news is the vendors trying to break into the top tier are likely to put price pressure on those that are already there.