This is Part 2 of a 2-part series. Check out Part 1, “Password-based Authentication is Not Sufficient”, if you missed it.
Why a Framework?
NetIQ Advanced Authentication provides a robust framework that can be centrally managed through one set of policies. This framework also provides a base for a password-less authentication environment.
Let’s tackle the question of “Why a Framework?” Organizations usually end up with multiple authentication silos. Introducing a new authentication method or integration into such an organization can be a costly affair, not to mention that inconsistent authentication policies leave room for vulnerabilities. A framework provides flexibility in choosing the authentication methods and the supported platforms, and it increases security through one universal library of policies. The plus side is that it drives down costs through consolidation.
NetIQ Advanced Authentication (AA) provides a U2F authentication framework which is FIPS 140-2 ready, with numerous out-of-the-box (OOTB) methods and integrations: RADIUS, VPN, OpenID, FIDO, RACF, Windows, Mac OS, Linux, Citrix, VMware, etc.
The authentication framework is offered in a portable Docker container format, which allows the options of a cloud, on-prem, or SaaS offering from Micro Focus.
- Flexibility: Provides flexibility for deployment as an appliance, Docker Container or SaaS Offering as well as in choosing from 20 authentication methods.
- Mobile Application Support: SDKs (mobile and native) are available for mobile applications, programmatic and online services.
- Supports multiple repositories: AD, AD Lightweight Directory Services, NetIQ eDirectory and other RFC 2037 compliant LDAP repositories.
- Advanced Authentication Server contains a built-in RADIUS server to provide strong authentication for third-party RADIUS clients. It can also act as a RADIUS client for third-party RADIUS servers. Advanced Authentication integrates with Active Directory Federation Services, OAuth 2.0, and SAML 2.0, which enables strong authentication for users who need to access third-party consumer applications.
Advanced Authentication Server Components:
- Administration Portal: Centralized portal that helps to configure and manage various authentication settings such as methods and events. It is also the place to configure the various policies that are required for authentication.
- Self-Service Portal: Allows users to manage the available authentication methods.
- Helpdesk Portal: Allows helpdesk administrators to enrol and manage the authentication methods for users.
- Reporting Portal: Allows administrators to create or customize security reports that provide information about user authentication. It also helps to understand the processor and memory loads.
An Endpoint can be a Windows, Linux or Mac OS X machine, NetIQ Access Manager, NetIQ CloudAccess, or a RADIUS Client.
A Directory could be Active Directory Domain Services, NetIQ eDirectory or any other LDAP compliant directory.
The important underlying components of Advanced Authentication Server are Tomcat, Nginx and a PostgreSQL database. The web server responds to authentication requests and connects to the database to evaluate the defined policies.
Risk Based Authentication
Traditional password-based authentication has its own security ramifications. Even strong passwords prove to be inadequate in certain cases. NetIQ Advanced Authentication reduces the risk of improper access by enforcing different levels of authentication depending on various factors.
NetIQ Risk Service is available by default with NetIQ Advanced Authentication. It provides the organizations the flexibility of tailoring their authentication requirements based on the context of the user’s access and the risk associated with their access.
The embedded Risk Engine computes risk to determine the threat level of a user’s access based on configured policies and rules. These policies and rules evaluate the conditions and arrive at a decision. One of the decisions may involve invoking an additional factor of authentication (MFA).
Let’s look at an illustration of basic authentication using Risk Service:
1. A user tries to log in to a resource.
2. The user enters the login credentials.
3. NetIQ Risk Service identifies the user from the User Store.
4. The NetIQ Access Manager provides the contextual data to Risk Service.
5. Risk Service calculates the risk depending on the defined set of rules and determines the risk level as Low, Medium or High.
6. Based on the risk level, additional rules such as invoking MFA or denying access to the resource can be triggered appropriately.
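The flow above, as an added Python example that is not NetIQ’s code: a small rule-based engine scores contextual signals (network, device, geography, time of day, recent failed attempts), maps the score to Low, Medium or High, and chooses allow, step-up MFA or deny, mirroring steps 5 and 6. The rule names, weights, thresholds and sample user data are assumptions constructed for this illustration.

```python
"""Illustrative risk-based step-up decision (not NetIQ Risk Service code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed reference data standing in for the user store and contextual data.
CORPORATE_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.1.0/24")]
KNOWN_DEVICES = {"alice": {"dev-laptop-01"}}
HOME_COUNTRY = {"alice": "DE"}


@dataclass
class AccessContext:
    """Contextual data the access gateway hands to the risk engine."""
    user: str
    source_ip: str
    device_id: str
    country: str
    hour_utc: int
    failed_attempts_last_hour: int


# (rule name, assumed weight, condition). A rule contributes its weight when it matches.
RULES = [
    ("untrusted_network", 30, lambda c: not any(ip_address(c.source_ip) in n for n in CORPORATE_NETS)),
    ("unknown_device", 30, lambda c: c.device_id not in KNOWN_DEVICES.get(c.user, set())),
    ("foreign_country", 25, lambda c: c.country != HOME_COUNTRY.get(c.user)),
    ("off_hours", 10, lambda c: c.hour_utc < 6 or c.hour_utc > 20),
    ("brute_force_signal", 40, lambda c: c.failed_attempts_last_hour >= 5),
]

# Assumed thresholds: below 30 is Low, 30 up to 69 is Medium, 70 and above is High.
ACTIONS = {"Low": "allow", "Medium": "step_up_mfa", "High": "deny"}


def score(ctx: AccessContext):
    """Evaluate every rule; return the total score and the names of matched rules."""
    matched = [(name, weight) for name, weight, cond in RULES if cond(ctx)]
    return sum(w for _, w in matched), [name for name, _ in matched]


def risk_level(total: int) -> str:
    """Map a numeric score to the Low/Medium/High levels used in the flow above."""
    if total < 30:
        return "Low"
    return "Medium" if total < 70 else "High"


def decide(ctx: AccessContext) -> dict:
    """Produce the access decision plus the evidence, so it can be logged and audited."""
    total, matched = score(ctx)
    level = risk_level(total)
    return {"user": ctx.user, "score": total, "level": level,
            "action": ACTIONS[level], "rules": matched}
```

Each decision carries the matched rule names, which is what you want in the audit log when a user asks why they were challenged or denied.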
As we move towards the adoption of Zero Trust Architecture, a continuous access management solution based on contextual risk is the way forward to manage identities and their access. The NetIQ portfolio offers the most complete identity and access management platform, which can be tailored to complex business needs and support a truly adaptive zero trust environment.
NetIQ provides security solutions that help organizations with workforce and consumer identity and access management at enterprise-scale. By providing secure access, effective governance, scalable automation, and actionable insight, NetIQ customers can achieve greater confidence in their IT security posture across cloud, mobile, and data platforms.