DirectorySmart
Product Review Guide v0.2
OpenNetworkTechnologies®
13577 Feather Sound Dr.
Suite 390
Clearwater, FL 33762
727.561.9500
www.opennetwork.com
Enhanced Security: Web Access Control and Portal Services, Role-Based Policy Management, Delegated Authority, Measurement and Analysis, Web Single Sign-on, Fine-Grain Access Control
January 15, 2001
Version 4.5
OVERVIEW
NOTE TO REVIEWERS
Included in this package
KEY EVALUATION CRITERIA
Cost of Ownership
Scalability
Deployment Time
Integration of the Security Infrastructure
Directory Based Security Infrastructure
SECURE EBUSINESS INFRASTRUCTURE HIGH-LEVEL REQUIREMENTS
DirectorySmart Secure eBusiness Infrastructure
Centralized User Identity Repository
Authentication
Authorization
Password Management
Password Policies
Role Based Policy Management
User Interface
Organizational Management
Streamlined Web Application Rollout
Multiple Roles for Individual Users
Organizational Ownership of Roles
Configurable Advanced Searches
Configurable User Management User Interface
Web Access Control
Web Access Control with Plug-In Technology
Web Single Sign-On
Robust Login Functionality
Session Timeout
Fault Tolerant Directory Connection Support
Support for Public Pages Access
Delegated Authority and User Management
Multiple Levels of Delegation for Policy Management Across Unlimited Sites
Point-and-Click Web-Based Interface for Delegated User Management
Policy Security Management Extended to External Administrators
Self-Service Capabilities for User and Policy Management
Product Review Guide i
Fine-Grain Access Control
C/C++ and Java API’s for Customization and Enterprise Integration
Portal Services and Personalization
Personalized Web-Based User Portal
Internationalized User Interface for Login and Portal Services
Point-and-Click Customization of Web Interface per Organization
Reporting, Measurement and Analysis
Reporting Usage: Security and Marketing
Lockout and Security Alert Notification Enhancements
Security Audit Trails
Targeted Messaging
ARCHITECTURE AND INTEGRATION
Multiple Platforms
LDAP Directories
Web Servers
DirectorySmart APIs
Multiple Authentication Methods
ARCHITECTURE IMPACTS
Scalability
Availability
Manageability
LOWEST COST OF OWNERSHIP
Initial Deployment
Ease of Use
Delegation of Authority
HOW DIRECTORYSMART IS USED: AN EXAMPLE
SPECIFICATIONS AND COMPONENTS
DirectorySmart Web Access Control Agents – Supported Web Servers
DirectorySmart LDAP Centralized Policy Store - Supported Directory Servers
DirectorySmart User Role Based Policy Management – Supported Platforms
DirectorySmart API - Supported Development Environments
DIRECTORYSMART PRODUCT DESCRIPTIONS
ABOUT OPENNETWORK TECHNOLOGIES
OVERVIEW
Enterprises are under increasing competitive, cost and regulatory pressures to deliver
more and more services to potentially millions of users via the web. Underlying these
increasing pressures is the question of how to deliver these services to a complex
range of business partners, employees and customers while maintaining security and
without overburdening internal resources. Enterprises must have a proven, scalable
solution to ensure security in the face of this increasing volume and complexity.
Organizations require a reusable, flexible, efficient and comprehensive security solution for protecting distributed Web applications.
OpenNetwork partnered with leading Fortune 500 companies to understand their needs for a secure eBusiness infrastructure and applied these requirements to the development of DirectorySmart, a software infrastructure for securing web applications and managing eBusiness security policies. DirectorySmart’s integrated security infrastructure combines the efficiency of directory-based user definition and authentication with the effectiveness of delegated user management and role and policy-based Web access control.
Fortune 500 companies recognize that by utilizing the DirectorySmart secure infrastructure they can focus their scarce internal IT resources on their own core competencies and strategies. Utilizing the DirectorySmart security infrastructure they can reduce time to production for their eBusiness strategies, and lower their cost of ownership for their overall eBusiness infrastructure. DirectorySmart is specifically designed to install easily into existing customer environments and has been in production with Fortune 500 enterprises for almost 3 years. The technological strength of DirectorySmart has been recognized by the market and has attracted GE, Chase Capital, MedEquity and SI Ventures to join with OpenNetwork to bring our solutions to a larger customer audience.
NOTE TO REVIEWERS
OpenNetwork Technologies thanks you for the opportunity to participate in your review process, and wishes to support that process. To aid you in your review, we are including the complete set of product documentation that would be sent to a new client.
Included in this package:
•	 The DirectorySmart User Guide
•	 The DirectorySmart Installation Guide
•	 The DirectorySmart Configuration Guide
•	 The DirectorySmart Application Developer’s Guide.
Each of these documents will provide you with in-depth information about DirectorySmart. Additionally, you may feel free to contact Susan Nelson-Crowley, DirectorySmart Product Manager, at 727-561-9500, ext. 302 for any questions that arise during your evaluation.
KEY EVALUATION CRITERIA
Many vendors have embraced the security opportunity evolving from the explosion
of eBusiness initiatives. In addition to the inherent functional characteristics of the
product, it is important to evaluate the following attributes as well:
Cost of Ownership
Cost of ownership can be influenced by the product’s architecture, ease of use, and
the efficiency of the business processes required or enabled by the system. Flexible
pricing schemes, and the chosen product’s ability to plug in to the existing corporate
IT infrastructure are highly desirable attributes. The chosen product should minimize
the need for additional single-use hardware dedicated to the support of the product.
For example some systems require separate additional policy enforcement servers
(see Architecture section for further detail).
Scalability
Scalability is the ability to efficiently and cost effectively deploy to millions of users
and has a significant impact on the total cost of ownership. Efficient scalability is
based on both the hardware and software required, as well as the efficient business
processes required or supported by the system. The ability of the system to easily
and quickly define organizations and user roles, coupled with a robust delegated
management approach, is necessary to support the efficient scaling of the business
processes related to the system. These capabilities ensure the minimal burden on
centralized resources for user management and allow the organization to minimize
the administrative time and cost of deployment required for the system. Robust
delegated authority allows an enterprise to delegate user management out to the
lowest logical level while providing a greater level of customer service to their users.
Deployment Time
The reusability of security components lets an enterprise minimize deployment time and reap the benefits of its eBusiness strategy more rapidly. With the optimal solution, Web access control plug-ins and APIs can directly leverage an enterprise’s established security infrastructure to speed the deployment of new web applications in a secure environment. Functionality such as role-based policy management allows an enterprise to make a security policy decision once and implement that policy across the enterprise with eBusiness speed.
Integration of the Security Infrastructure
The most desirable solution is one that addresses all enterprise requirements with one
product, at a value based cost. eBusiness security can only be completely managed
when Authentication, Authorization, Access Control and Auditing can be addressed
with a single, well integrated approach.
Directory-Based Security Infrastructure
Utilizing an LDAP directory as the central repository for security policy allows a
security infrastructure to make the most of the native characteristics of LDAP—high
performance, availability and robust scalability.
SECURE EBUSINESS INFRASTRUCTURE
High-level Requirements
Companies are under tremendous pressure to leverage the benefits of eBusiness
internally with diverse divisions and employees, and externally with their range of
business partners and customers.
There are two drivers for companies that eventually force them to purchase a secure
eBusiness infrastructure product: an increasing number of applications to which
access must be controlled, and diverse user communities that can range into the
millions. The complexity of managing the increasing number of security policies to
enforce the proper business relationships demands that a secure eBusiness infrastructure:
•	 be based on solid security principles
•	 streamline the management of complex eBusiness security relationships
•	 allow for integration with existing applications and support rapid application
deployment
•	 support scalability for future applications and user communities
•	 support increasingly rigorous security auditing and reporting requirements.
Authentication and Authorization
Web access control has at its roots the basic concepts of authentication and authorization: web users must be clearly identified, and then allowed access to only those applications and functions defined by the organization’s eBusiness security policies.
Delegated User and Security Policy Management
To manage users and security policies in enterprise and Internet-scale environments,
companies engaging in eBusiness must be able to delegate these administrative tasks
appropriately to diverse divisions internally, and externally to customers, suppliers,
partners, and vendors. The cost-savings in the ideal flexible security infrastructure
are balanced against the need to securely delegate this authority such that individual
Administrators can assign no greater access and capability than that which they are
authorized to assign.
Web Application and Fine Grain Access Control
Existing Web-enabled applications must be able to be rapidly integrated and rolled
out within the secure eBusiness infrastructure. As new applications are developed
or existing applications upgraded, fine grain access control and personalization func-
tions must be available to application developers so that they can increase the
security and extend the usability of their applications.
Scalability
Web-enabled systems must be able to handle the high transaction rates and numbers
of users that are common in deployments ranging from enterprise-wide up to Busi-
ness to Consumer deployments, where transaction rates can range into the millions
of transactions per day.
Security Audit Support
With the Internet, it is essential that companies be able to audit all aspects of
their system security. This includes active notification of specified events, passive
measurement and reporting, and user accountability. Government regulations in
specific markets [such as health care with the HIPAA regulations] are placing specific
rigorous demands on enterprises engaged in eBusiness. The chosen secure eBusiness
infrastructure must support these requirements.
DIRECTORYSMART SECURE EBUSINESS INFRASTRUCTURE
DirectorySmart’s key components provide a robust security infrastructure that can be
used flexibly to map to an enterprise’s specific security, IT architecture and business
model needs. These key components include:
•	 LDAP directory as an authoritative centralized source for user identity attributes, to
ensure authentication, authorization and access privileges
•	 DirectorySmart User Management system for user identity and role-based policy
management
•	 DirectorySmart Menu of Services system for providing personalized portal services
•	 DirectorySmart Web Access Control Agents (WACs) to protect resources on a
particular web server
•	 DirectorySmart APIs for use by application developers to leverage the DirectorySmart infrastructure to deliver fine grain access control within a web application
These DirectorySmart components provide companies with a comprehensive system
to define their security infrastructure, secure web applications and manage eBusiness
security policies. The key features and benefits of the resulting system include the
following.
•	 Centralized User Identity Repository
•	 Role Based Policy Management
•	 Web Access Control
•	 Web Single Sign-On
•	 Delegated Authority and User Management
•	 Fine-Grain Access Control
•	 Reporting, Measurements and Analysis
Centralized User Identity Repository
Authentication
Authentication is the means by which users are identified and validated within a
security infrastructure. Typical installations require user ID/password combinations.
DirectorySmart allows companies to easily deploy a variety of authentication mecha-
nisms across the infrastructure. DirectorySmart extends the security of each of
these credential types by allowing for the chaining, or combination, of multiple
types of authentication depending on the resource or user requesting authentication
and authorization. DirectorySmart supports a wide variety of 3rd
party authorization
products. DirectorySmart supports native LDAP user ID/password authentication
Product Review Guide 4
LDAP
Directory
Browser Memory
User
DirectorySmart
Menu of Services
DirectorySmart
User & Policy
Management
LDAP RDBMS
ODBC
LDAP
Replica
Internet
Firewall
Security Audit &
Business Metric
Reporting
DSAC
HTTPS HTTPS HTTPS
Audit & Access
Logger
AAL
Primary
Communication
Logging
Back Up
Communication
DSMOS
AAL
Key to Symbols
DSAC
API
DSUM
DirectorySmart Audit
Access & Logger
DirectorySmart API
DirectorySmart
Authentication Cookie
DirectorySmart
Menu of Services
DirectorySmart
User & Policy Plug-in
DirectorySmart Web
Access ControlWAC
DirectorySmart Basic Configuration
web appweb app
WAC
Web Server
web app
web app
API
WAC
Web Server
DSMOS DSUM
WAC
Web Server
w w w . o p e n n e t w o r k . c o m
Product Review Guide 6
against the leading LDAP directory vendors. DirectorySmart also supports single-
factor authentication using X.509 compliant digital certificates such as those from
Baltimore Technologies, Entrust, RSA, Microsoft, Netscape, and Verisign.
Authorization
Authorization defines how users are either granted or denied the ability to access a
particular Web application or particular function within an application. DirectorySmart
provides authorization using multiple parameters including role-based entitlements,
session timeouts, and user authentication.
Password Management
Passwords submitted by the DirectorySmart user are passed across an SSL-encrypted channel. Once the password reaches a Web server, DirectorySmart communicates with the directory using an SSL-encrypted LDAP session to authenticate the user. Passwords are stored in the directory using the password storage scheme (hashing or encryption) provided by the directory. At no time is the password passed in an un-encrypted manner. Two points are worth verifying in a deployment: that SSL is actually enabled on both legs (browser to Web server, and Web server to directory), since the guarantee depends on configuration as much as on the product; and which directory storage scheme is configured, since a one-way hashed scheme is preferable to a reversible one.
Password Policies
Password policy is an integral piece of any comprehensive security policy. It is important that passwords be as secure as possible, as they are the most common method of user authentication. DirectorySmart provides a comprehensive set of services that help an enterprise define the appropriate password policies for its business model(s). DirectorySmart password policies are independent modules that allow enterprises to tailor the policies to meet their specific needs.
Length – Password minimum and maximum lengths are configurable. The minimum length is what raises the cost of brute force attacks against passwords; a maximum length only accommodates environments that cannot store long passwords and should be set as high as the directory allows.
Syntax – Password syntax (valid characters, format, and character exclusion) is configurable via Javascript, to reduce the effectiveness of dictionary attacks (for example by requiring a digit), provide particular formats, and prevent characters which may cause problems in a particular environment. Because Javascript runs in the browser, a reviewer should confirm that the same rule is also enforced on the server side; a check that runs only in the browser is advisory.
Dictionary Search – The dictionary policy uses a list of common words which are checked against all new passwords. If a password matches a dictionary entry, it is rejected, and an alternative requested.
Validity Period – The longer a password is valid, the greater the chance of compromise. DirectorySmart provides for the password validity time period to be defined at a system level and at the role level to provide the greatest flexibility possible.
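The four password policies above, length, syntax, dictionary search and validity period, combine into a single server-side check. The following is an added example written for this review, not DirectorySmart code or its API; the policy values, the role names, the word list and the rule that a role-level validity period overrides the system period (shortest wins when a user holds several roles) are all assumptions made for illustration.

```python
import datetime as dt
import re

# Constructed sample word list; a deployment would load the product's dictionary file.
COMMON_WORDS = {"password", "welcome", "letmein", "clearwater", "directory"}

# System-level policy. The values are assumptions chosen for illustration,
# not DirectorySmart defaults.
SYSTEM_POLICY = {
    "min_length": 8,
    "max_length": 64,
    # at least one letter and one digit; no whitespace, quotes, backslashes or
    # semicolons (characters that may cause trouble in some environments)
    "syntax": re.compile(r"(?=.*[A-Za-z])(?=.*\d)[^\s'\"\\;]+"),
    "dictionary": COMMON_WORDS,
    "validity_days": 90,
}

# Role-level validity periods. Assumed precedence: a role-level value
# overrides the system value, and the shortest applicable role value wins.
ROLE_VALIDITY_DAYS = {"delegated_admin": 30, "super_admin": 30}


def validate_new_password(candidate, policy=SYSTEM_POLICY):
    """Apply the length, syntax and dictionary policies to a proposed password.

    Returns the list of reasons for rejection; an empty list means accepted.
    This is the server-side check; a browser-side Javascript check can only
    duplicate it, never replace it.
    """
    reasons = []
    length = len(candidate)
    if length < policy["min_length"]:
        reasons.append("shorter than minimum length %d" % policy["min_length"])
    if length > policy["max_length"]:
        reasons.append("longer than maximum length %d" % policy["max_length"])
    if not policy["syntax"].fullmatch(candidate):
        reasons.append("syntax: needs a letter and a digit and no excluded characters")
    # Dictionary search is case-insensitive and also catches a common word
    # with digits appended, the usual way users dodge a plain lookup.
    lowered = candidate.lower()
    stripped = re.sub(r"\d+$", "", lowered)
    if lowered in policy["dictionary"] or stripped in policy["dictionary"]:
        reasons.append("matches a dictionary word")
    return reasons


def validity_days_for(roles, policy=SYSTEM_POLICY):
    """Resolve the validity period for a user holding the given roles."""
    role_periods = [ROLE_VALIDITY_DAYS[r] for r in roles if r in ROLE_VALIDITY_DAYS]
    return min(role_periods) if role_periods else policy["validity_days"]


def password_expired(last_changed, roles, today, policy=SYSTEM_POLICY):
    """True when the password is older than the resolved validity period."""
    return (today - last_changed).days > validity_days_for(roles, policy)


if __name__ == "__main__":
    print(validate_new_password("Clearwater2001"))   # dictionary word with digits appended
    print(validate_new_password("Tr0ub4dor&3"))      # accepted: []
    print(password_expired(dt.date(2000, 12, 10), ["delegated_admin"], dt.date(2001, 1, 15)))
```

The dictionary check strips trailing digits before the lookup because a syntax rule that requires a digit would otherwise let "Clearwater2001" through; the two policies are complementary, and neither replaces the other.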
Role Based Policy Management
In order to easily manage millions of users, DirectorySmart provides security management using role-based policies. Roles are logical groups of users who perform similar business functions and hence share a common security profile. Individuals that have been defined as administrators are able to define multiple roles to segment the security profiles of their users as they best see fit. Through the use of roles, administrators can easily modify security profiles of large numbers of users simply by modifying the security privileges associated with a role common to each of the users. Individual users are easily assigned to one or more roles and are subsequently managed and given access to specifically designated Web services.
Roles may include administrative capabilities such as Super Administrator, Delegated
Administrators of various levels, and End Users of different types. Roles may also have
a business context such as Customer Support Representative or Agent.
User Interface
DirectorySmart’s browser-based user interface allows organizations to administer the user and policy management system through the Web. The DirectorySmart user interface features simple ‘point and click’ screens which allow administrators to create and manage users, organizational management structures, and Web services quickly and easily with minimal training required.
Organizational Management
By streamlining the management of organizational hierarchies, DirectorySmart provides administrators with the ability to easily manage complex and diverse organizational structures in a secure fashion. Realms of authority can be managed through the creation of different organizations which have access to different Web applications and content.
Multiple Roles for Individual Users
Individual users can be assigned to one or more roles. This function allows users to
retain a single login ID while performing multiple types of functions (e.g. a person can
be both Customer Service Representative and also a Claims Processor).
Organizational Ownership of Roles
DirectorySmart allows individual organizations to customize roles within the organization to suit their needs. With DirectorySmart, each organization can define the entitlements of the role to match their definition and requirements.
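The role model described in this section (organization-owned roles, users holding several roles at once, administrators as roles themselves) and the delegated-authority requirement stated under High-level Requirements (an administrator can assign no greater access than they are authorized to assign) fit together in one small policy engine. The following is an added example for this review, not DirectorySmart code or its API: the organizations, role names, entitlement strings and the four-part delegation rule are assumptions chosen to illustrate the text.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Role:
    org: str                              # the organization that owns this role definition
    name: str
    entitlements: frozenset               # Web services / functions the role may use
    assignable: frozenset = frozenset()   # role names an administrator holding this role may grant


@dataclass
class User:
    uid: str
    org: str
    roles: set = field(default_factory=set)


# Constructed sample role definitions. Each organization owns its own roles and
# may define the same role name with different entitlements.
ROLES = {
    ("acme", "end_user"): Role("acme", "end_user",
        frozenset({"portal", "claims/view"})),
    ("acme", "csr"): Role("acme", "csr",
        frozenset({"portal", "claims/view", "claims/edit"})),
    ("acme", "claims_processor"): Role("acme", "claims_processor",
        frozenset({"portal", "claims/edit", "claims/approve"})),
    ("acme", "delegated_admin"): Role("acme", "delegated_admin",
        frozenset({"portal", "claims/view", "claims/edit", "admin/users"}),
        assignable=frozenset({"end_user", "csr"})),
    ("acme", "super_admin"): Role("acme", "super_admin",
        frozenset({"portal", "claims/view", "claims/edit", "claims/approve",
                   "admin/users", "admin/roles"}),
        assignable=frozenset({"end_user", "csr", "claims_processor", "delegated_admin"})),
    ("partnerco", "end_user"): Role("partnerco", "end_user",
        frozenset({"portal", "orders/view"})),
}


def effective_entitlements(user):
    """A user with several roles gets the union of their entitlements."""
    ents = set()
    for name in user.roles:
        ents |= ROLES[(user.org, name)].entitlements
    return ents


def is_authorized(user, resource):
    return resource in effective_entitlements(user)


def can_assign(admin, target, role_name):
    """Delegated-authority rule: an administrator may grant only what they are
    authorized to grant. Four checks, all of which must pass:
      1. the target is inside the administrator's realm (same organization);
      2. the role exists in that organization;
      3. the role is in the administrator's assignable set;
      4. the role grants no entitlement the administrator does not hold, so a
         later broadening of the role definition cannot escalate through delegation.
    """
    if admin.org != target.org:
        return False
    role = ROLES.get((target.org, role_name))
    if role is None:
        return False
    assignable = set()
    for name in admin.roles:
        assignable |= ROLES[(admin.org, name)].assignable
    if role_name not in assignable:
        return False
    return role.entitlements <= effective_entitlements(admin)


def assign_role(admin, target, role_name):
    """Grant the role only when the delegation rule allows it; report the outcome."""
    if not can_assign(admin, target, role_name):
        return False
    target.roles.add(role_name)
    return True
```

Check 4 is the one reviewers tend to skip: an assignable-role list alone is static, while role definitions are owned by the organization and can be widened later, so bounding a grant by the administrator's own effective entitlements keeps delegation from silently exceeding the delegator.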
Configurable Advanced Searches
DirectorySmart allows Administrators to do simple and advanced searches based on
Web services or applications, organizations, roles and users. Simple searches are
available by default with advanced searches accessible at the push of a button. This
function is configurable to allow for complex search capabilities. An enterprise is
able to configure these advanced searches to balance the needs for flexibility and
performance.
Configurable User Interface
All of the DirectorySmart User and Policy Management interfaces for Web services and applications, organizations, roles and users are configurable to allow an organization to define the specifics of the screens presented to the Administrative user including the attributes, labels and input controls.
Web Access Control
By keeping track of user profiles, roles and information entitlements in the central
directory via the DirectorySmart user management system, DirectorySmart ensures
that users are authenticated and authorized before allowing access to specific Web
services. A web access control agent secures each web server and validates each
request before allowing access to a protected resource.
Web Access Control with Plug-In Technology
DirectorySmart Web Access Control is implemented as a plug-in to each Web server
(NSCP, IIS, IBM HTTP) that it protects. The plug-in works in sync with each server and
examines every HTTP request that the server processes.
Web Single Sign-On
DirectorySmart handles security for multiple domains within an enterprise or between
an enterprise and its partners. DirectorySmart allows users to sign on once for access
to multiple Web services for which they are authorized even if these services are
located on multiple domains or on a domain operated by an ASP partner.
DirectorySmart supports Web single sign-on using an encrypted session cookie. The
cookie is created for each user after the user’s first successful authentication. The
cookie contains the user’s credentials and is passed to the WAC agent, eliminating the
need for multiple logins by the user. The cookie is shared by all DirectorySmart WAC
agents and allows them to confirm the authentication of the user at each request. The
DirectorySmart authentication cookie is protected at the client in three ways:
•	 Cookies are stored in the browser memory, never to the hard drive.
•	 Cookies contain IP-specific information that is checked to see whether it comes
from the address that it was created for, preventing the cookie from being hijacked
by a malicious user.
•	 Cookies have inactivity thresholds that render them unusable after a configurable
period of inactivity. These inactivity thresholds are set on a role, Web application
or system level.
•	 Cookies are encrypted using 128-bit Blowfish algorithms.
For added protection, the Web server should run with SSL encryption on to protect
all data transmitted between the server and the browser; DirectorySmart supports this
configuration.
Secure Password Storage and Transmission
Passwords submitted by the DirectorySmart user are passed across an SSL-encrypted
channel. Once the password reaches a Web server, DirectorySmart communicates
with the directory using an SSL-encrypted LDAP session to authenticate the user.
Passwords are stored in the directory using encryption algorithms provided by the
directory. At no time is the password transmitted in an un-encrypted manner.
Session Timeout
Session timeout can be defined on a per Web service, role, user or access control
agent basis. An enterprise can configure the precedence of enforcing the session
timeouts (i.e., role supersedes Web service, Web service supersedes user).
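As an added example (not DirectorySmart's own code), the following shows how a WAC agent could check the session cookie described above on every request: a tampered cookie, a cookie presented from an address other than the one it was created for, and a cookie idle beyond its inactivity threshold are all refused, with the threshold chosen by the precedence the guide gives (role supersedes Web service, Web service supersedes user, then the agent's own default). Assumptions: the Python standard library has no Blowfish, so the fields are bound with an HMAC-SHA256 tag under a shared key rather than encrypted, and every key, threshold, user, role and service name is constructed.

```python
import hashlib
import hmac
import json

# Constructed demo key shared by all WAC agents of one enterprise. DirectorySmart
# encrypts the cookie with 128-bit Blowfish; the standard library has no Blowfish,
# so this example binds the fields with an HMAC-SHA256 tag instead (assumption:
# integrity only, the fields stay readable, unlike the product's encrypted cookie).
SHARED_KEY = b"constructed-demo-key"

# Enterprise-configured inactivity thresholds in seconds (constructed values).
# Precedence follows the guide's example: role supersedes Web service, Web service
# supersedes user; the agent default applies when nothing more specific is set.
TIMEOUTS = {
    "role": {"billing_clerk": 600},
    "service": {"claims_status": 300, "eligibility_status": 900},
    "user": {"jdoe": 120},
    "agent": 1800,
}
PRECEDENCE = ["role", "service", "user", "agent"]


def issue_cookie(user_id, roles, client_ip, now):
    """Create the session cookie after a successful authentication (or refresh it)."""
    payload = {"uid": user_id, "roles": sorted(roles), "ip": client_ip, "last": now}
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True)
    tag = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "|" + tag


def _parse_cookie(cookie):
    """Return the cookie fields, or None if the tag does not verify."""
    body, _, tag = cookie.rpartition("|")
    expected = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(body)


def effective_timeout(user_id, roles, service, timeouts=TIMEOUTS, precedence=PRECEDENCE):
    """Pick the threshold from the first level in precedence order that has a value."""
    for level in precedence:
        if level == "role":
            vals = [timeouts["role"][r] for r in roles if r in timeouts["role"]]
            if vals:
                return min(vals)  # assumption: the strictest role wins for multi-role users
        elif level == "service" and service in timeouts["service"]:
            return timeouts["service"][service]
        elif level == "user" and user_id in timeouts["user"]:
            return timeouts["user"][user_id]
        elif level == "agent":
            return timeouts["agent"]
    return timeouts["agent"]


def validate_request(cookie, client_ip, service, now, timeouts=TIMEOUTS, precedence=PRECEDENCE):
    """Return (decision, refreshed_cookie); decision is 'ok' or the reason for denial."""
    session = _parse_cookie(cookie)
    if session is None:
        return "invalid-tag", None
    if session["ip"] != client_ip:          # cookie bound to the originating address
        return "ip-mismatch", None
    limit = effective_timeout(session["uid"], session["roles"], service, timeouts, precedence)
    if now - session["last"] > limit:       # idle longer than the applicable threshold
        return "inactive", None
    # Accepted: re-issue with the activity time moved forward.
    return "ok", issue_cookie(session["uid"], session["roles"], client_ip, now)
```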
Fault Tolerant Directory Connection Support
DirectorySmart Web access control system handles cases where one directory server
is unavailable by rolling over to secondary directory servers. In order for this rollover
to occur, the appropriate directory service implementation must be in place, which
includes replication across the primary and secondary servers.
Support for Public Pages Access
DirectorySmart's Web Access Control supports the concept of 'public' pages. For
example, specific areas under DirectorySmart protection or specific file types can be
defined as accessible by the general public without the need for user authentication
via login.
Delegated Authority and User Management
One of the most powerful DirectorySmart capabilities is that it allows a Delegated
Administrator to securely create, modify and change a particular organization's
individual user information. The enhanced delegated authority feature allows companies
to delegate user management out to the lowest logical level, decreasing the centralized
management burden of user roles and profiles. This feature provides tremendous
cost savings and a greater level of customer service for companies using
DirectorySmart.
DirectorySmart is specifically designed to enable organizations to manage security
for millions of users and dozens of Web applications. Each administrator of the
system can develop organizational management structures, create administrator roles
in each organization, and allow these 'Delegated Administrators' to take responsibility
for the management of their particular user communities. In this way, the
responsibility and time required for management is distributed across the system,
thereby defraying the administrative impact to the central enterprise. Take note that
the drive for cost-savings in no way impacts security, in that authority is securely
delegated such that Delegated Administrators can assign no greater access and
capability than that which they are authorized to assign.
Multiple Levels of Delegation for Policy Management Across Unlimited
Sites
Organizational realms of management and security are supported within
DirectorySmart and allow the organization administrators to create subordinate
organizations for delegation and delineation of user and policy information.
Point-and-Click Web-Based Interface for Delegated User Management
The user interface for delegated user management is designed for maximum ease of
use, using familiar point-and-click features. This maximizes usability and minimizes
training and support costs.
Policy Security Management Extended to External Administrators
Through Delegated Authority, DirectorySmart provides enterprises with the ability
to allow internal organizations as well as external partner, supplier, vendor and
customer administrators to manage their own user sets. This feature provides
tremendous cost savings and a greater level of customer service to an enterprise using
DirectorySmart, as it effectively "outsources" an internal administrative task to the
external users of the system.
Self-Service Capabilities for User and Policy Management
DirectorySmart provides simple self-service functionality to users. This functionality
extends DirectorySmart's Delegated Authority system beyond Administrators to the
end users themselves, thereby allowing DirectorySmart to easily support the
administration of millions of users. Through self-registration and password policy
functions, DirectorySmart enables the enterprise to allow users to register for and
manage their own access to the web applications as appropriate and as determined
by the enterprise's security requirements.
Fine-Grain Access Control
DirectorySmart provides the infrastructure to manage application level controls within
a Web service or application. This feature enables companies to provide personalized
security and content within their Web applications through simple API calls to the
DirectorySmart secure infrastructure, thereby enhancing their ability to rapidly bring
applications to the Web in a secure environment.
C/C++ and Java APIs for Customization and Enterprise Integration
DirectorySmart provides a set of strong Application Programming Interfaces (APIs)
available in C/C++ and Java. These APIs allow Web application developers to take
advantage of the policy management and storage provided by DirectorySmart with no
knowledge of LDAP programming concepts required. The DirectorySmart APIs easily
allow developers to incorporate personalization and detailed security features into
their Web applications based on information stored in the directory and managed by
DirectorySmart.
Portal Services and Personalization
Working in conjunction with Web Access Control, DirectorySmart can leverage user
profile, role and information entitlement information to create a personalized "portal"
or view of corporate Internet services based on an individual user's organization and
role profile.
Personalized Web-Based User Portal
DirectorySmart Portal Services utilize the profiles and policies stored in the directory
and create a custom portal for each user as they log into the system. The user is
presented with the Web services they may access without needing to wade through
services they are not authorized to access.
How Portal Services Can Be Used
An insurance company found that when their users logged onto their site they were
shown all applications, even those they were not allowed to access. Utilizing the
DirectorySmart Portal Services and Personalization through the menu of services
feature, the company now provides personalization, authentication and authorization
to specific, user-defined Web services for their users. For example, when a user logs
onto the provider's DirectorySmart-powered Web site now, the user sees only the
applications and services specific to his or her privileges. They will not see any
applications for which they are not authorized.
Internationalized User Interface for Login and Portal Services
DirectorySmart provides language localization (Internationalization) support in the
end-user interfaces of the software. When it is detected that a login is required,
DirectorySmart can check the user’s browser settings to determine their language
preference and then present an appropriate HTML page developed in that language
by the enterprise.
Point-and-Click Customization of Web Interface per Organization
In conjunction with support for Internationalization, the DirectorySmart portal is built
using XML in conjunction with XSL templates. This architecture and design allows an
organization to build completely personalized portals through custom templates.
Each organization created in DirectorySmart can be configured to have a customized
portal presented to all users in the organization. For example, for an enterprise
with 3 divisions and 4 external partners leveraging the DirectorySmart security
infrastructure, a custom menu of services screen can be developed and presented for
each one of those organizations for appropriate users as they log in, triggered by the
organizational component of the user profile. This allows organizations to 'brand' the
interface as they see fit.
Reporting, Measurement and Analysis
DirectorySmart provides activity and usage measurement and analysis that can be
analyzed by organization, individual and Web service. This provides benefits in
multiple key areas: security auditing and reporting, marketing support and
communication, and security alerting.
Reporting Usage: Security and Marketing
DirectorySmart Web Access Control agents log every request to protected resources
down to the user ID level, and all directory modifications made using the
DirectorySmart system. This function allows the Reporting, Measurement and Analysis
system to collect log information and process it against the profile information stored
in the directory. This supports the security auditing requirements of recent
government regulations through standard and custom reports.
In addition, an enterprise can utilize this information to enhance their marketing
strategies by analyzing employee and business partner usage of particular web
applications, interest areas and activity patterns. This information can be utilized to
develop targeted messaging campaigns, to adjust or prioritize particular web services,
or to enhance marketing strategies vis-à-vis particular user profiles.
Lockout and Security Alert Notification Enhancements
The ability to lock out users who have exceeded the threshold for consecutive failed
logins is configurable and allows for the automatic notification of interested parties
via email. This feature enhances the security provided by DirectorySmart by allowing
for the real-time notification of security personnel during possible password attacks
against the system.
Security Audit Trails
Security audit trails are used to help the system track and record usage and access
to secured resources. DirectorySmart provides strong auditing functions to increase
the overall security of the system. It also provides standard reports which track usage
by user or by Web service. This type of comprehensiveness in auditing provides
accountability and makes troubleshooting and detection of security abnormalities
easier.
Targeted Messaging
DirectorySmart allows organizations to identify specific target audiences based on
groups or customized profiles so that targeted communications can be pointed
directly to the audience identified.
ARCHITECTURE AND INTEGRATION
Multiple Platforms
DirectorySmart is available on multiple operating systems, thereby minimizing the
impact on a business' enterprise. By supporting the leading eBusiness platforms,
DirectorySmart is able to support the major operating systems in the market today.
DirectorySmart is currently available on Windows NT, Windows 2000, Solaris, and
AIX.
LDAP Directories
At the core of DirectorySmart is the belief in the power of directory services to
provide the necessary scalability and availability required in a security infrastructure.
DirectorySmart utilizes LDAP native functions to store profile and policy information
as well as authenticating and authorizing users and requests. DirectorySmart is in
production with the market leading directory vendors, iPlanet, IBM, Microsoft, and
Novell.
Web Servers
DirectorySmart provides two separate components, User and Policy Management, and
Web Access Control Agents which provide policy enforcement. DirectorySmart User
and Policy Management is a Web application which is available to reside on Web
servers from iPlanet, Microsoft, and IBM.
[Figure: DirectorySmart: Availability LDAP Deployment & Security Audit & Business
Metric Reporting. Components shown: User; Browser Memory holding the DirectorySmart
Authentication Cookie (DSAC); Internet; Firewall; Web Servers with the WAC plug-in,
web apps and the API, reached over HTTPS; DirectorySmart User & Policy Management
(DSUM); DirectorySmart Menu of Services (DSMOS); Audit & Access Logger (AAL);
Security Audit & Business Metric Reporting; LDAP Directory and LDAP Replica with
primary and back-up communication; RDBMS via ODBC. Key to symbols: AAL,
DirectorySmart Audit Access & Logger; API, DirectorySmart API; DSAC, DirectorySmart
Authentication Cookie; DSMOS, DirectorySmart Menu of Services; DSUM, DirectorySmart
User & Policy Plug-in; WAC, DirectorySmart Web Access Control Plug-in.]
The DirectorySmart Web Access Control (WAC) agents run as web server plug-ins
and sit on the web servers hosting the resources the enterprise wishes to protect.
A separate "Policy Enforcement" server is not required (as is the case for some
competitive systems).
DirectorySmart APIs
DirectorySmart provides a set of strong Application Programming Interfaces (APIs)
available in C/C++ and Java. These APIs allow Web application developers to take
advantage of the policy management and storage security infrastructure provided
by DirectorySmart without requiring them to know LDAP programming concepts.
The DirectorySmart APIs easily allow developers to incorporate personalization and
fine grain access control features into their Web applications based on information
stored in the directory and managed by DirectorySmart. Determination of a user's
authentication, authorization and access profile can be established through simple API
calls to the DirectorySmart security infrastructure.
Multiple Authentication Methods
DirectorySmart supports a wide variety of 3rd party authorization products.
DirectorySmart supports native LDAP user ID/password authentication against the
leading LDAP directory vendors. DirectorySmart also supports single-factor
authentication using X.509 compliant digital certificates such as those from Baltimore
Technologies, Entrust, RSA, Microsoft, Netscape, and Verisign.
ARCHITECTURE IMPACTS
Scalability
DirectorySmart leverages the inherent capabilities of LDAP to support deployments
of systems supporting millions of users. The WAC agent is a lightweight web server
plug-in which runs inline with the protected web server. As the web server traffic
requires the scaling of the web server through available network technologies, the
DirectorySmart WAC agent, and its use of native LDAP calls for authentication and
authorization, scales as well. By using LDAP directories as the policy and profile store,
DirectorySmart is able to take advantage of standard LDAP deployment strategies to
support millions of users.
Availability
The DirectorySmart architecture is based on the independence of the individual
components to provide high availability in addition to scalability. Each component
can be independently configured in the network to provide high availability. The
DirectorySmart WAC agent is embedded directly into the web server that it is
protecting. As long as the web server is available, the WAC agent is available to
protect it. Standard LDAP features of replication provide directory availability.
Manageability
DirectorySmart is based on a minimal network footprint requirement, thereby
resulting in a minimal impact on the enterprise. Because of this minimal footprint,
composed of the WAC agents, the User and Policy Management system, and the LDAP
directory, IT staffs are able to efficiently manage the system tasks necessary to support
a production environment.
LOWEST COST OF OWNERSHIP
Initial Deployment
DirectorySmart’s minimal network footprint reduces the time and difficulty of the
installation and configuration of the initial system. DirectorySmart’s User and Policy
Management system provides industry-leading functionality in the initial rollout of
the infrastructure to internal employees and external partners and customers. As the
initial rollout expands to production level sizes, DirectorySmart provides advanced
deployment features that allow organizations to be easily and quickly created.
Ease of Use
DirectorySmart's user interface is designed to support internal and external
administrative users who most likely are not Web application savvy. By providing a
simple 'point and click' interface, the training, maintenance, and support burden on
the IT staff is greatly reduced. Another feature of the DirectorySmart User and Policy
Management interface is the ability to streamline the processes which businesses
follow to rapidly create complex organizational and business relationships.
For most end-users their only interaction with DirectorySmart will be through the
logon screen and resulting menu of services or customized portal. For those
individuals who are participating as Delegated Administrators, their interaction with
the system is through a simple point and click graphical user interface. This maximizes
ease of use and minimizes training, maintenance, and support costs for the
centralized IT support staff.
Delegation of Authority
One of the most powerful and mature capabilities of DirectorySmart is that it allows
a Delegated Administrator to securely create, modify and change an organization's
individual user information. The enhanced delegated authority feature allows
companies to delegate user management out to the lowest logical level, decreasing the
centralized management burden of user roles and profiles. This feature provides
tremendous cost savings and a greater level of customer service for companies using
DirectorySmart. Through the easy to use DirectorySmart interface, companies are able
to roll out systems to millions of users more quickly and with less administrative
overhead.
HOW DIRECTORYSMART IS USED: AN EXAMPLE
In this next section we present the example of a hypothetical health care insurance
company, HealthPlan of America. They have developed a state-of-the-art web site
powered by DirectorySmart that allows them to provide a wide variety of services to
their business partners, internal departments and employees, and customers via the
web in a secure environment.
First we will outline the many types of potential users of the system in this example.
Then we’ll review how the insurance company can leverage the DirectorySmart
security infrastructure to delegate user and role-based policy management out to the
lowest logical level – simultaneously decreasing the centralized burden of managing
the user roles and profiles while improving customer service.
Roles are logical groups of users who perform similar functions and hence share a
common security profile. Individuals who have been defined as administrators are
able to define multiple roles to segment the security profiles of their users as they
best see fit. Through use of roles, administrators can easily modify security profiles
of large numbers of users simply by modifying the security profiles associated with
a role common to each of the users. Individual users are easily assigned to one or
more roles and are subsequently managed and given access to specifically designated
Web services or applications.
The sample screens we present below are examples of the personalized easy to use
interfaces that would be presented to the various users of the system.
Internal departments and employees of HealthPlan of America itself include:
•	 customer service
•	 claims management
•	 accounting and
•	 other areas.
Their business partners or 'Providers' include:
•	hospitals
•	clinics
•	 doctors' practices and
•	pharmacies.
Their business partners' staff include:
•	 business manager
•	doctor
•	 billing manager
•	 new patient and pre-approval clerk.
HealthPlan of America's 'customers' include both the companies that have contracted
with them, and the individual members or 'insureds', i.e. employees of the client firm
who have their insurance coverage via a plan managed by the insurance company.
Users therefore might include staff and employees across a variety of departments and
organizations:
•	COO
•	 HR Director
•	 HR Manager
•	 Benefits Manager
•	 Benefits Co-ordinator
•	 HR Assistant
•	Employees
[Figure: How DirectorySmart is Used: An Example. Organization chart for HealthPlan
of America. Groups shown: Business Partners (Hospital Corp of Tampa with Citrus Hills
Hospital, North Tampa Hospital and Boca Ciega Hospital; South Clinic, Sun Clinic, North
Clinic, Tampa Clinic and Citrus Clinic; ER and Maternity); Customers (ACME
Manufacturing with Washer, Dryer and Oven Divisions and Plants 1 to 4, Plant 4 having
10,000 insured employees; Restaurant Company of America with Steakhouse, Pizza and
Salad Xpress chains); HealthPlan of America's Corporate Customers Service Center
(East Coast, West Coast, Central; Dept. 1 and Dept. 2) and Claims Management. Roles
shown include Office Manager, Pre-Approval Clerk, Claims Processor, Billing Clerk,
Business Manager, HR Director, HR Benefits Manager and HR Coordinator.]
Create and Modify an Organization
How Delegation Begins
The sample screens we present below are examples of the personalized user interfaces
that would be presented to the various users of the example system.
Super Administrator
A 'super administrator' at the insurance company can create organizations and create
delegated administrators for each of those organizations based on their business
model and chosen security policies. The super administrator can determine what
capabilities to allow to each of these delegated administrators. They can specify
access to particular functions such as add, modify, view or delete for organization
profiles, user profiles, web service profiles and other functions.
Delegated Administrator
A delegated administrator will have a certain scope of authority that has been
specifically delegated to them by the administrator 'above' them in the hierarchy. If
the super administrator has delegated 'add organization' capability to a delegated
administrator, then the delegated administrator may in turn create additional
sub-organizations to match their business model, and may choose to add additional
delegated administrator(s) below them as appropriate. In this way DirectorySmart can
map to the specific requirements of many varied business models and provide as
many levels as necessary in the security infrastructure. The Delegated Administrator
can (if allowed) create new users and assign roles to users.
Modify Role
Create User
Pre Approval Clerk
New Patient and Pre-approval Clerk
This person might be in effect the receptionist at a Clinic who has been defined by
the Delegated Administrator above them as having access to the HealthPlan of
America's New Patient Web enabled application as well as the Web application that
checks Authorization Status. This clerk has not been given access to any other
functions.
Billing Clerk
Billing Clerk
The Billing Clerk role has been defined as having an expanded suite of responsibilities
and thus this role has been given access to additional functionality in this example,
including Eligibility Status, Deductible Status, Claims Status and Other Health
Insurance Status, in addition to Authorization Status. Note that this role has not been
defined as having the ability to create new patients, so that function is not presented
to them.
Benefits Manager
HealthPlan of America’s customers include hundreds of client companies and the
thousands of insured individuals who work for those companies. In our example
diagram we have indicated two representative client companies: one a manufacturer,
the other a restaurant corporation.
In our example HealthPlan of America has delegated certain member management
capabilities to the Acme Manufacturing Company. Acme Manufacturing has many
divisions and plants and has chosen to delegate out the member management to the
HR departments of each of these huge plants. This is efficient because they empower
the benefits management staff to have direct access to the appropriate Web enabled
applications.
Benefits Manager
This allows, for example, the HR staff at Plant 4 to add a new employee immediately,
modify an employee's eligibility and authorization status, and check on claims
directly. This is very efficient and provides the convenience of an immediate response
and doesn't require the use of phone, fax, or email to a call center or some other
support mechanism. The benefits management staff at Plant 3 have access to the
applications and functions specifically assigned to them by Acme and only for their
organization.
Insured Employee
Each of Acme Manufacturing’s plants has thousands of employees, each of whom
is insured by plans offered by HealthPlan of America. Acme Manufacturing has
chosen to allow employees access to certain Web enabled applications provided by
HealthPlan of America. Acme has defined an employee or member role that gives
access to the following functions:
ID Card Request, Eligibility Status, Choose a Primary Physician, and Ask Customer
Service. Thus insured employees are provided access to the appropriate support and
services directly via the Web without having to go through either their HR department
or through a HealthPlan of America call center.
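As an added example (not product code), the following models the delegation rules the guide describes, from the super administrator down to the Plant 4 employee: an administrator acts only within their organizational realm, can delegate no more capability or entitlement than they hold, a role can only bundle services its definer may grant, and a user's menu of services is derived from the roles assigned to them. Organization, role and Web service names follow the guide; the capability names, the `DelegationError` type and the user IDs are constructed.

```python
from dataclasses import dataclass, field


class DelegationError(Exception):
    """Raised when an action exceeds the authority that was delegated (constructed type)."""


@dataclass
class Organization:
    name: str
    parent: "Organization | None" = None
    roles: dict = field(default_factory=dict)  # role name -> set of Web services

    def is_within(self, realm):
        """True if this organization is `realm` or sits below it in the hierarchy."""
        node = self
        while node is not None:
            if node is realm:
                return True
            node = node.parent
        return False


@dataclass
class Administrator:
    user_id: str
    org: Organization   # top of this administrator's realm of management
    capabilities: set   # constructed capability names, e.g. "add organization"
    grantable: set      # Web services this administrator may place in a role


@dataclass
class User:
    user_id: str
    org: Organization
    roles: set = field(default_factory=set)


def _authorize(admin, org, capability):
    """Every action needs the capability and must target an organization in the realm."""
    if capability not in admin.capabilities:
        raise DelegationError(f"{admin.user_id} lacks the '{capability}' capability")
    if not org.is_within(admin.org):
        raise DelegationError(f"{org.name} is outside {admin.user_id}'s realm")

def create_sub_organization(admin, parent, name):
    _authorize(admin, parent, "add organization")
    return Organization(name, parent=parent)

def delegate(admin, new_admin_id, org, capabilities, grantable):
    """Create a subordinate administrator; authority may narrow going down, never widen."""
    _authorize(admin, org, "add administrator")
    if not (set(capabilities) <= admin.capabilities and set(grantable) <= admin.grantable):
        raise DelegationError(f"{admin.user_id} cannot delegate more than they hold")
    return Administrator(new_admin_id, org, set(capabilities), set(grantable))

def define_role(admin, org, role_name, services):
    """A role may only bundle services the defining administrator is entitled to grant."""
    _authorize(admin, org, "define role")
    excess = set(services) - admin.grantable
    if excess:
        raise DelegationError(f"{admin.user_id} may not grant {sorted(excess)}")
    org.roles[role_name] = set(services)

def create_user(admin, org, user_id, roles):
    _authorize(admin, org, "add user")
    unknown = set(roles) - set(org.roles)
    if unknown:
        raise DelegationError(f"roles {sorted(unknown)} are not defined in {org.name}")
    return User(user_id, org, set(roles))

def menu_of_services(user):
    """The personalized portal lists only services reachable through the user's roles."""
    services = set()
    for role in user.roles:
        services |= user.org.roles[role]
    return sorted(services)

def build_example():
    """HealthPlan of America delegates member management to Acme, which delegates to Plant 4."""
    hpa = Organization("HealthPlan of America")
    everything = {"New Patient", "Authorization Status", "Eligibility Status", "Deductible Status",
                  "Claims Status", "Other Health Insurance Status", "ID Card Request",
                  "Choose a Primary Physician", "Ask Customer Service"}
    all_caps = {"add organization", "add administrator", "define role", "add user"}
    super_admin = Administrator("hpa-super-admin", hpa, all_caps, everything)
    acme = create_sub_organization(super_admin, hpa, "ACME Manufacturing")
    # Acme receives member-facing functions only, not the provider (clinic) functions.
    acme_hr = delegate(super_admin, "acme-hr-director", acme, all_caps,
                       {"Eligibility Status", "Claims Status", "ID Card Request",
                        "Choose a Primary Physician", "Ask Customer Service"})
    plant4 = create_sub_organization(acme_hr, acme, "Plant 4")
    define_role(acme_hr, plant4, "member", {"ID Card Request", "Eligibility Status",
                                            "Choose a Primary Physician", "Ask Customer Service"})
    employee = create_user(acme_hr, plant4, "plant4-employee-0001", {"member"})
    return super_admin, acme_hr, plant4, employee
```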
SPECIFICATIONS AND COMPONENTS
DirectorySmart Web Access Control Agents – Supported Web Servers
iPlanet Enterprise Server
Microsoft IIS
IBM
DirectorySmart LDAP Centralized Policy Store – Supported Directory Servers:
IBM SecureWay
iPlanet Directory Server
Microsoft Active Directory
DirectorySmart User and Policy Management – Supported Platforms
Solaris
AIX
Windows NT
Windows 2000
DirectorySmart API – Supported Development Environments
C/C++
Java
DIRECTORYSMART PRODUCT DESCRIPTIONS
25 words:
OpenNetwork Technologies' flagship product, DirectorySmart, offers the most
comprehensive, proven solution for securing Web applications and managing eBusiness
security policies.
50 words:
OpenNetwork Technologies' flagship product, DirectorySmart, offers the most
comprehensive, proven solution for securing Web applications and managing eBusiness
security policies. DirectorySmart provides large enterprises with an eBusiness security
infrastructure for managing millions of online users while offering the lowest cost of
ownership and fastest time to market.
100 words:
DirectorySmart™, OpenNetwork Technologies'® flagship product, offers the most
comprehensive solution for securing Web applications and managing eBusiness
security policies. DirectorySmart provides large enterprises with an eBusiness security
infrastructure for managing millions of online users while offering the lowest cost of
ownership and fastest time to market.
Its integrated security infrastructure combines the efficiency of directory-based user
definition and authentication with the effectiveness of delegated user management
and role and policy-based Web access control. DirectorySmart enables streamlining
of complex relationships, consolidates user and policy management, and securely
extends access to Web applications and resources to diverse customers and partners.
250 words:
DirectorySmart offers the most comprehensive, proven solution for securing Web
applications and managing eBusiness security policies. Its integrated security
infrastructure combines the efficiency of directory-based user definition and
authentication with the effectiveness of delegated user management and role and
policy-based Web access control.
DirectorySmart enables an enterprise to manage millions of users securely without
overburdening their central resources. The system provides centralized storage of
security policies and the relationships between users, roles, Web applications and
access levels, while delegating out the management of the user profiles to the lowest
logical level.
The DirectorySmart infrastructure provides convenience to users through Web single
sign-on, self-registration, self-service and personalization, and provides rapid
scalability and lowest cost of ownership to the enterprise through a small footprint,
reusable infrastructure components and efficient user management. It provides large
enterprises with an eBusiness security infrastructure for managing millions of online
users while offering the lowest cost of ownership and fastest time to market.
DirectorySmart's low cost of ownership is driven by its unique architecture, the ease
of use of the software, and by the efficient processes supported by the system, and it
installs in a matter of hours.
DirectorySmart enables streamlining of complex relationships, consolidates user and
policy management, and securely extends access to Web applications and resources
to diverse customers and partners. It delivers state-of-the-art and easy-to-use
role-based policy management, delegated authority, fine-grain access control and
personalization. The enhanced features of DirectorySmart include security audit
logging and reporting, streamlined organizational management and deployment,
security alerting, and Web single sign-on.
ABOUT OPENNETWORK TECHNOLOGIES®
Headquartered in Tampa Bay, Fla., OpenNetwork Technologies is a leading provider of
secure eBusiness infrastructure software. OpenNetwork Technologies' flagship
product, DirectorySmart™, offers the most comprehensive, proven solution for managing
eBusiness security policies. DirectorySmart enables an enterprise to streamline
complex relationships, consolidate user and policy management, and securely extend
access to Web applications and resources to diverse customers and partners.
OpenNetwork has offices across the United States and partners with leading
eBusiness companies such as IBM, Microsoft, Radiant Logic, iPlanet and RSA.
OpenNetwork Technologies has a growing Fortune 500 customer base in the healthcare,
insurance, financial and telecom markets, including Blue Cross Blue Shield of South
Carolina, Empire Blue Cross Blue Shield, Anthem Blue Cross and Blue Shield,
Cincinnati Financial, Trustmark and First National Bank of Omaha.
The technological strength of DirectorySmart has been recognized by the market and
has attracted GE, Chase Capital, MedEquity and SI Ventures to join with OpenNetwork
to bring our solutions to a larger customer audience.
OpenNetwork’s DirectorySmart provides large enterprises with an eBusiness security
infrastructure for managing millions of online users while offering the lowest cost
of ownership and fastest time to market. DirectorySmart enables streamlining of
complex relationships, consolidates user and policy management, and securely extends
access to Web applications and resources to diverse customers and partners.
DirectorySmart delivers state-of-the-art and easy-to-use role-based policy man-
agement, delegated authority, fine-grain access control and personalization. The
enhanced features of DirectorySmart include security audit logging and reporting,
streamlined organizational management and deployment, security alerting, and Web
single sign-on. DirectorySmart also features an optional bundle that includes iPlanet
Directory Server.
DirectorySmart’s Features Include:
• Role-Based Policy Management
• Web Access Control
• Reporting, Measurement
• Delegated Authority
• Fine-Grain Access Control
• Web Single Sign-On
• Enhanced Security
What Makes DirectorySmart Unique?
Lowest Cost of Ownership
DirectorySmart’s low cost of ownership is driven by its unique architecture, the ease of use of the
software, and by the efficient processes supported by the system. Its server plug-in based architecture
for Web access control means that it does not require additional platforms for policy enforcement.
Support costs are minimized through DirectorySmart’s user-friendly delegated user management capabilities, which allow an enterprise to scale cost-effectively to support millions of users. In addition, DirectorySmart is offered with flexible pricing, allowing a company to choose from server-based, user-based, or enterprise-wide options based upon its current needs.
Fastest Deployment Time
DirectorySmart installs in a matter of hours and provides an enterprise with reusable security infrastructure components. These components include Web access control plug-ins and APIs that can directly leverage the established security infrastructure and thus speed the deployment of Web applications.
eBusiness Scalability
DirectorySmart scales to manage millions of users and is designed for the largest and
most complex of computing environments.
Fully Integrated Security Infrastructure
DirectorySmart’s secure eBusiness infrastructure possesses the unique ability to model complex business relationships easily and securely, and offers the most comprehensive solution for access control in the marketplace. Key components include authentication, authorization, access control and the support of X.509 PKI certificates.
Directory-Based Security Infrastructure
DirectorySmart leverages industry-leading LDAP-compliant directories as a central
repository for security policies and takes advantage of the native characteristics of
LDAP, which include high performance, availability and enhanced scalability. This
allows a company to maximize the benefit of their investment in directory technology.
Copyright © 2000 OpenNetwork Technologies, Inc.
3.15.01 v0.2

More Related Content

What's hot

Getting started with odi
Getting started with odiGetting started with odi
Getting started with odichecksekhar
 
SharePoint Workflows Kit by Virto – installation and user guide
SharePoint Workflows Kit by Virto – installation and user guideSharePoint Workflows Kit by Virto – installation and user guide
SharePoint Workflows Kit by Virto – installation and user guideVirtoSoftware
 
Positive Technologies WinCC Security Hardening Guide
Positive Technologies WinCC Security Hardening GuidePositive Technologies WinCC Security Hardening Guide
Positive Technologies WinCC Security Hardening Guideqqlan
 
Secure remote access in solaris 9
Secure remote access in solaris 9Secure remote access in solaris 9
Secure remote access in solaris 9Tintus Ardi
 
IKANOW System Architecture Guide
IKANOW System Architecture GuideIKANOW System Architecture Guide
IKANOW System Architecture GuideSholeh Gregory
 
BIS Test LAB Build Document_Draft
BIS Test LAB Build Document_DraftBIS Test LAB Build Document_Draft
BIS Test LAB Build Document_DraftLuca Viscomi
 
Web logic installation document
Web logic installation documentWeb logic installation document
Web logic installation documentTaoqir Hassan
 

What's hot (11)

R11 sales rcd
R11 sales rcdR11 sales rcd
R11 sales rcd
 
E12641
E12641E12641
E12641
 
Getting started with odi
Getting started with odiGetting started with odi
Getting started with odi
 
SharePoint Workflows Kit by Virto – installation and user guide
SharePoint Workflows Kit by Virto – installation and user guideSharePoint Workflows Kit by Virto – installation and user guide
SharePoint Workflows Kit by Virto – installation and user guide
 
Positive Technologies WinCC Security Hardening Guide
Positive Technologies WinCC Security Hardening GuidePositive Technologies WinCC Security Hardening Guide
Positive Technologies WinCC Security Hardening Guide
 
Secure remote access in solaris 9
Secure remote access in solaris 9Secure remote access in solaris 9
Secure remote access in solaris 9
 
IKANOW System Architecture Guide
IKANOW System Architecture GuideIKANOW System Architecture Guide
IKANOW System Architecture Guide
 
Owasp testing guide v3
Owasp testing guide v3Owasp testing guide v3
Owasp testing guide v3
 
BIS Test LAB Build Document_Draft
BIS Test LAB Build Document_DraftBIS Test LAB Build Document_Draft
BIS Test LAB Build Document_Draft
 
Web logic installation document
Web logic installation documentWeb logic installation document
Web logic installation document
 
Acs trb g42
Acs trb g42Acs trb g42
Acs trb g42
 

Similar to 4.5 Tech Spec

Pandora FMS - Selenium Enterprise Plugin
Pandora FMS - Selenium Enterprise PluginPandora FMS - Selenium Enterprise Plugin
Pandora FMS - Selenium Enterprise PluginPandora FMS
 
Cc admin
Cc adminCc admin
Cc adminVenk Re
 
Winrunner Vs QTP
Winrunner Vs QTPWinrunner Vs QTP
Winrunner Vs QTPKiran Kumar
 
B28654oas10g best pracitice
B28654oas10g best praciticeB28654oas10g best pracitice
B28654oas10g best praciticeCaipei Chen
 
Oracle performance tuning
Oracle performance tuningOracle performance tuning
Oracle performance tuningvksgarg
 
Dw guide 11 g r2
Dw guide 11 g r2Dw guide 11 g r2
Dw guide 11 g r2sgyazuddin
 
Ms active directory_design_guide
Ms active directory_design_guideMs active directory_design_guide
Ms active directory_design_guidevamsi1986
 
Analytics configuration reference_sc61_a4
Analytics configuration reference_sc61_a4Analytics configuration reference_sc61_a4
Analytics configuration reference_sc61_a4samsherwood
 
Zenoss administration
Zenoss administrationZenoss administration
Zenoss administrationlibros007
 
Informatica installation guide
Informatica installation guideInformatica installation guide
Informatica installation guidecbosepandian
 
Financial Website Security
Financial Website SecurityFinancial Website Security
Financial Website Securityguestc27cd9
 
Oracle receivables
Oracle receivablesOracle receivables
Oracle receivablesvenuvydhyala
 
Sybase Adaptive Server Anywhere for Linux
Sybase Adaptive Server Anywhere for LinuxSybase Adaptive Server Anywhere for Linux
Sybase Adaptive Server Anywhere for Linuxmarcorinco
 
inSync Cloud Administrator's Guide 5.1
inSync Cloud Administrator's Guide 5.1inSync Cloud Administrator's Guide 5.1
inSync Cloud Administrator's Guide 5.1druva_slideshare
 

Similar to 4.5 Tech Spec (20)

Pandora FMS - Selenium Enterprise Plugin
Pandora FMS - Selenium Enterprise PluginPandora FMS - Selenium Enterprise Plugin
Pandora FMS - Selenium Enterprise Plugin
 
actix lte
actix lteactix lte
actix lte
 
Cc admin
Cc adminCc admin
Cc admin
 
Viewse um006 -en-e (1)
Viewse um006 -en-e (1)Viewse um006 -en-e (1)
Viewse um006 -en-e (1)
 
Winrunner Vs QTP
Winrunner Vs QTPWinrunner Vs QTP
Winrunner Vs QTP
 
B28654oas10g best pracitice
B28654oas10g best praciticeB28654oas10g best pracitice
B28654oas10g best pracitice
 
Oracle performance tuning
Oracle performance tuningOracle performance tuning
Oracle performance tuning
 
Dw guide 11 g r2
Dw guide 11 g r2Dw guide 11 g r2
Dw guide 11 g r2
 
Ms active directory_design_guide
Ms active directory_design_guideMs active directory_design_guide
Ms active directory_design_guide
 
Httpclient tutorial
Httpclient tutorialHttpclient tutorial
Httpclient tutorial
 
Analytics configuration reference_sc61_a4
Analytics configuration reference_sc61_a4Analytics configuration reference_sc61_a4
Analytics configuration reference_sc61_a4
 
Zenoss administration
Zenoss administrationZenoss administration
Zenoss administration
 
Informatica installation guide
Informatica installation guideInformatica installation guide
Informatica installation guide
 
B12303
B12303B12303
B12303
 
Punchout
PunchoutPunchout
Punchout
 
Financial Website Security
Financial Website SecurityFinancial Website Security
Financial Website Security
 
Good sql server interview_questions
Good sql server interview_questionsGood sql server interview_questions
Good sql server interview_questions
 
Oracle receivables
Oracle receivablesOracle receivables
Oracle receivables
 
Sybase Adaptive Server Anywhere for Linux
Sybase Adaptive Server Anywhere for LinuxSybase Adaptive Server Anywhere for Linux
Sybase Adaptive Server Anywhere for Linux
 
inSync Cloud Administrator's Guide 5.1
inSync Cloud Administrator's Guide 5.1inSync Cloud Administrator's Guide 5.1
inSync Cloud Administrator's Guide 5.1
 

More from Heather Tomlin

Public Relations Plan for Texas Land & Cattle
Public Relations Plan for Texas Land & CattlePublic Relations Plan for Texas Land & Cattle
Public Relations Plan for Texas Land & CattleHeather Tomlin
 
New Mexico State Fair Crisis Plan
New Mexico State Fair Crisis PlanNew Mexico State Fair Crisis Plan
New Mexico State Fair Crisis PlanHeather Tomlin
 
eBusinessinHealthcare_Final
eBusinessinHealthcare_FinaleBusinessinHealthcare_Final
eBusinessinHealthcare_FinalHeather Tomlin
 
Massage Training VESC_FINAL
Massage Training VESC_FINALMassage Training VESC_FINAL
Massage Training VESC_FINALHeather Tomlin
 
G6HospitalityAd8x5-trim[1]
G6HospitalityAd8x5-trim[1]G6HospitalityAd8x5-trim[1]
G6HospitalityAd8x5-trim[1]Heather Tomlin
 
Trade-Show-Process-Print
Trade-Show-Process-PrintTrade-Show-Process-Print
Trade-Show-Process-PrintHeather Tomlin
 

More from Heather Tomlin (13)

Press Kit
Press KitPress Kit
Press Kit
 
Lone Ranger Press Kit
Lone Ranger Press KitLone Ranger Press Kit
Lone Ranger Press Kit
 
Public Relations Plan for Texas Land & Cattle
Public Relations Plan for Texas Land & CattlePublic Relations Plan for Texas Land & Cattle
Public Relations Plan for Texas Land & Cattle
 
New Mexico State Fair Crisis Plan
New Mexico State Fair Crisis PlanNew Mexico State Fair Crisis Plan
New Mexico State Fair Crisis Plan
 
eBusinessinHealthcare_Final
eBusinessinHealthcare_FinaleBusinessinHealthcare_Final
eBusinessinHealthcare_Final
 
TMCnet final
TMCnet finalTMCnet final
TMCnet final
 
ADS Mini Case Study1
ADS Mini Case Study1ADS Mini Case Study1
ADS Mini Case Study1
 
AQM 220 CLASSIC.ppt
AQM 220 CLASSIC.pptAQM 220 CLASSIC.ppt
AQM 220 CLASSIC.ppt
 
Leisure
LeisureLeisure
Leisure
 
Massage Training VESC_FINAL
Massage Training VESC_FINALMassage Training VESC_FINAL
Massage Training VESC_FINAL
 
Chiro Sales Training
Chiro Sales TrainingChiro Sales Training
Chiro Sales Training
 
G6HospitalityAd8x5-trim[1]
G6HospitalityAd8x5-trim[1]G6HospitalityAd8x5-trim[1]
G6HospitalityAd8x5-trim[1]
 
Trade-Show-Process-Print
Trade-Show-Process-PrintTrade-Show-Process-Print
Trade-Show-Process-Print
 

4.5 Tech Spec

  • 1. DirectorySmart Product Review Guide v0.2 OpenNetworkTechnologies® 13577 Feather Sound Dr. Suite 390 Clearwater, FL 33762 727.561.9500 www.opennetwork.com EnhancedSecurityWebAccessControland PortalServicesRole-BasedPolicyManagement DelegatedAuthorityMeasurementandAnalysis WebSingleSign-onFine-GrainAccessControl January15,2001 4.5 V E R S I O N
  • 2. OVERVIEW...........................................................................................................................................................................................................................1 NOTE TO REVIEWERS.......................................................................................................................................................................................................1 Included in this package.................................................................................................................................................................................................1 KEY EVALUATION CRITERIA..........................................................................................................................................................................................1 Cost of Ownership....................................................................................................................................................................................................1 Scalability....................................................................................................................................................................................................................2 Deployment Time.....................................................................................................................................................................................................2 Integration of the Security Infrastructure........................................................................................................................................................2 Directory Based Security Infrastructure...........................................................................................................................................................2 SECURE EBUSINESS INFRASTRUCTURE HIGH-LEVEL 
REQUIREMENTS.......................................................................................................2 DirectorySmart Secure eBusiness Infrastructure...................................................................................................................................................3 Centralized User Identity Repository.........................................................................................................................................................................4 Authentication...........................................................................................................................................................................................................4 Authorization.............................................................................................................................................................................................................4 Password Management..........................................................................................................................................................................................4 Password Policies......................................................................................................................................................................................................4 Role Based Policy Management...................................................................................................................................................................................5 User Interface.............................................................................................................................................................................................................5 Organizational 
Management...............................................................................................................................................................................5 Streamlined Web Application Rollout...............................................................................................................................................................5 Multiple Roles for Individual Users.....................................................................................................................................................................5 Organizational Ownership of Roles...................................................................................................................................................................5 Configurable Advanced Searches.......................................................................................................................................................................5 Configurable User Management User Interface............................................................................................................................................6 Web Access Control..........................................................................................................................................................................................................6 Web Access Control with Plug-In Technology................................................................................................................................................6 Web Single Sign-On.................................................................................................................................................................................................6 Robust Login Functionality...................................................................................................................................................................................6 
Session Timeout........................................................................................................................................................................................................7 Fault Tolerant Directory Connection Support................................................................................................................................................7 Support for Public Pages Access.........................................................................................................................................................................7 Delegated Authority and User Management.........................................................................................................................................................7 Multiple Levels of Delegation for Policy Management Across Unlimited Sites.................................................................................7 Point-and-Click Web-Based Interface for Delegated User Management.............................................................................................7 Policy Security Management Extended to External Administrators......................................................................................................7 Self-Service Capabilities for User and Policy Management.......................................................................................................................8 Product Review Guide i
  • 3. Fine-Grain Access Control..............................................................................................................................................................................................8 C/C++ and Java API’s for Customization and Enterprise Integration.....................................................................................................8 Portal Services and Personalization............................................................................................................................................................................8 Personalized Web-Based User Portal.................................................................................................................................................................8 Internationalized User Interface for Login and Portal Services...............................................................................................................8 Point-and-Click Customization of Web Interface per Organization.......................................................................................................9 Reporting, Measurement and Analysis.....................................................................................................................................................................9 Reporting Usage: Security and Marketing......................................................................................................................................................9 Lockout and Security Alert Notification Enhancements............................................................................................................................9 Security Audit Trails.................................................................................................................................................................................................9 Targeted 
Messaging................................................................................................................................................................................................9 ARCHITECTURE AND INTEGRATION......................................................................................................................................................................10 Multiple Platforms.................................................................................................................................................................................................10 LDAP Directories....................................................................................................................................................................................................10 Web Servers.............................................................................................................................................................................................................10 DirectorySmart APIs.............................................................................................................................................................................................10 Multiple Authentication Methods...................................................................................................................................................................10 ARCHITECTURE IMPACTS...........................................................................................................................................................................................11 Scalability..........................................................................................................................................................................................................................11 
Availability........................................................................................................................................................................................................................11 Manageability..................................................................................................................................................................................................................11 LOWEST COST OF OWNERSHIP...............................................................................................................................................................................11 Initial Deployment.........................................................................................................................................................................................................11 Ease of Use........................................................................................................................................................................................................................11 Delegation of Authority...............................................................................................................................................................................................12 HOW DIRECTORYSMART IS USED: AN EXAMPLE..............................................................................................................................................00 SPECIFICATIONS AND COMPONENTS...................................................................................................................................................................12 DirectorySmart Web Access Control Agents – Supported Web Servers....................................................................................................12 DirectorySmart LDAP Centralized Policy Store - Supported Directory 
Servers.......................................................................................12 DirectorySmart User Role Based Policy Management – Supported Platforms........................................................................................12 DirectorySmart API - Supported Development Environments.....................................................................................................................12 DIRECTORYSMART PRODUCT DESCRIPTIONS..................................................................................................................................................12 ABOUT OPENNETWORK TECHNOLOGIES............................................................................................................................................................13 Product Review Guide ii
  • 4. O V E R V I E W Enterprises are under increasing competitive, cost and regulatory pressures to deliver more and more services to potentially millions of users via the web. Underlying these increasing pressures is the question of how to deliver these services to a complex range of business partners, employees and customers while maintaining security and without overburdening internal resources. Enterprises must have a proven, scalable solution to ensure security in the face of this increasing volume and complexity. Organizations require a reusable, flexible, efficient and comprehensive security solu- tion for protecting distributed Web applications. OpenNetwork partnered with leading Fortune 500 companies to understand their needs for a secure eBusiness infrastructure and applied these requirements to the development of DirectorySmart, a software infrastructure for securing web applica- tions and managing eBusiness security policies. DirectorySmart’s integrated security infrastructure combines the efficiency of directory-based user definition and authenti- cation with the effectiveness of delegated user management and role and policy- based Web access control. Fortune 500 companies recognize that by utilizing the DirectorySmart secure infra- structure they can focus their scarce internal IT resources on their own core compe- tencies and strategies. Utilizing the DirectorySmart security infrastructure they can reduce time to production for their eBusiness strategies, and lower their cost of ownership for their overall eBusiness infrastructure. DirectorySmart is specifically designed to install easily into existing customer environments and has been in pro- duction with Fortune 500 enterprises for almost 3 years. The technological strength of DirectorySmart has been recognized by the market and has attracted GE, Chase Capital, MedEquity and SI Ventures to join with OpenNetwork to bring our solutions to a larger customer audience. 
N O T E T O R E V I E W E R S OpenNetwork Technologies thanks you for the opportunity to participate in your review process. We wish to be supportive of your review process. To aid you in your review, we are including the complete set of product documentation that would be sent a new client. Included in this package: • The DirectorySmart User Guide • The DirectorySmart Installation Guide • The DirectorySmart Configuration Guide • The DirectorySmart Application Developer’s Guide. Each of these documents will provide you with in-depth information about Directory Smart. Additionally, you may feel free to contact Susan Nelson-Crowley, Directory Smart Product Manager, at 727-561-9500, ext. 302 for any questions that arise during your evaluation. Product Review Guide 1
  • 5. K E Y E VA L U AT I O N C R I T E R I A Many vendors have embraced the security opportunity evolving from the explosion of eBusiness initiatives. In addition to the inherent functional characteristics of the product, it is important to evaluate the following attributes as well: Cost of Ownership Cost of ownership can be influenced by the product’s architecture, ease of use, and the efficiency of the business processes required or enabled by the system. Flexible pricing schemes, and the chosen product’s ability to plug in to the existing corporate IT infrastructure are highly desirable attributes. The chosen product should minimize the need for additional single-use hardware dedicated to the support of the product. For example some systems require separate additional policy enforcement servers (see Architecture section for further detail). Scalability Scalability is the ability to efficiently and cost effectively deploy to millions of users and has a significant impact on the total cost of ownership. Efficient scalability is based on both the hardware and software required, as well as the efficient business processes required or supported by the system. The ability of the system to easily and quickly define organizations and user roles, coupled with a robust delegated management approach, is necessary to support the efficient scaling of the business processes related to the system. These capabilities ensure the minimal burden on centralized resources for user management and allow the organization to minimize the administrative time and cost of deployment required for the system. Robust delegated authority allows an enterprise to delegate user management out to the lowest logical level while providing a greater level of customer service to their users. Deployment Time The reusability of security components allows an enterprise to minimization deploy- ment time and allows them to reap the benefits of their eBusiness strategy more rapidly. 
With the optimal solution, Web access control plug-ins and APIs can directly leverage an enterprise’s established security infrastructure to speed the deployment of new web applications in a secure environment. Effective functionality such as role based policy management allows an enterprise to make a security policy decision once, and implement that policy across the enterprise with eBusiness speed. Integration of the Security Infrastructure The most desirable solution is one that addresses all enterprise requirements with one product, at a value based cost. eBusiness security can only be completely managed when Authentication, Authorization, Access Control and Auditing can be addressed with a single, well integrated approach. Directory-Based Security Infrastructure Utilizing an LDAP directory as the central repository for security policy allows a security infrastructure to make the most of the native characteristics of LDAP—high performance, availability and robust scalability. Product Review Guide 2
  • 6. S E C U R E E B U S I N E S S I N F R A S T R U C T U R E High-level Requirements Companies are under tremendous pressure to leverage the benefits of eBusiness internally with diverse divisions and employees, and externally with their range of business partners and customers. There are two drivers for companies that eventually force them to purchase a secure eBusiness infrastructure product: an increasing number of applications to which access must be controlled, and diverse user communities that can range into the millions. The complexity of managing the increasing number of security policies to enforce the proper business relationships demands that a secure eBusiness infrastructure: • be based on solid security principles • streamline the management of complex eBusiness security relationships • allow for integration with existing applications and support rapid application deployment • support scalability for future applications and users communities • support increasingly rigorous security auditing and reporting requirements. Authentication and Authorization Web access control has at its roots the basic concepts of authentication and authori- zation assuring that web users are clearly identified so that they are allowed access to only those applications and functions defined by the organization’s eBusiness security policies. Delegated User and Security Policy Management To manage users and security policies in enterprise and Internet-scale environments, companies engaging in eBusiness must be able to delegate these administrative tasks appropriately to diverse divisions internally, and externally to customers, suppliers, partners, and vendors. The cost-savings in the ideal flexible security infrastructure are balanced against the need to securely delegate this authority such that individual Administrators can assign no greater access and capability than that which they are authorized to assign. 
Web Application and Fine Grain Access Control
Existing Web-enabled applications must be able to be rapidly integrated and rolled out within the secure eBusiness infrastructure. As new applications are developed or existing applications upgraded, fine grain access control and personalization functions must be available to application developers so that they can increase the security and extend the usability of their applications.

Scalability
Web-enabled systems must be able to handle the high transaction rates and numbers of users that are common in deployments ranging from enterprise-wide up to Business to Consumer deployments, where transaction rates can range into the millions of transactions per day.
Security Audit Support
With the Internet, it is essential that companies be able to audit all aspects of their system security. This includes active notification of specified events, passive measurement and reporting, and user accountability. Government regulations in specific markets (such as health care with the HIPAA regulations) are placing specific rigorous demands on enterprises engaged in eBusiness. The chosen secure eBusiness infrastructure must support these requirements.

DIRECTORYSMART SECURE EBUSINESS INFRASTRUCTURE
DirectorySmart’s key components provide a robust security infrastructure that can be used flexibly to map to an enterprise’s specific security, IT architecture and business model needs. These key components include:
• LDAP directory as an authoritative centralized source for user identity attributes, to ensure authentication, authorization and access privileges
• DirectorySmart User Management system for user identity and role-based policy management
• DirectorySmart Menu of Services system for providing personalized portal services
• DirectorySmart Web Access Control Agents (WACs) to protect resources on a particular web server
• DirectorySmart APIs for use by application developers to leverage the DirectorySmart infrastructure to deliver fine grain access control within a web application
These DirectorySmart components provide companies with a comprehensive system to define their security infrastructure, secure web applications and manage eBusiness security policies. The key features and benefits of the resulting system include the following.
• Centralized User Identity Repository
• Role Based Policy Management
• Web Access Control
• Web Single Sign-On
• Delegated Authority and User Management
• Fine-Grain Access Control
• Reporting, Measurements and Analysis

Centralized User Identity Repository

Authentication
Authentication is the means by which users are identified and validated within a security infrastructure. Typical installations require user ID/password combinations. DirectorySmart allows companies to easily deploy a variety of authentication mechanisms across the infrastructure. DirectorySmart extends the security of each of these credential types by allowing for the chaining, or combination, of multiple types of authentication depending on the resource or user requesting authentication and authorization. DirectorySmart supports a wide variety of third-party authentication products. DirectorySmart supports native LDAP user ID/password authentication against the leading LDAP directory vendors. DirectorySmart also supports single-factor authentication using X.509 compliant digital certificates such as those from Baltimore Technologies, Entrust, RSA, Microsoft, Netscape, and Verisign.

[Figure: DirectorySmart Basic Configuration. Shown: User and Browser (authentication cookie held in browser memory), Internet, Firewall, HTTPS connections to Web servers carrying web apps, the WAC plug-in and the DirectorySmart API, the DirectorySmart User & Policy Management (DSUM) and Menu of Services (DSMOS) plug-ins, the Audit & Access Logger (AAL), an LDAP directory with an LDAP replica, an RDBMS reached via ODBC, and Security Audit & Business Metric Reporting. Key: DSAC = DirectorySmart Authentication Cookie; line styles distinguish primary communication, logging, and back-up communication.]

Authorization
Authorization defines how users are either granted or denied the ability to access a particular Web application or particular function within an application. DirectorySmart provides authorization using multiple parameters including role-based entitlements, session timeouts, and user authentication.

Password Management
Passwords submitted by the DirectorySmart user are passed across an SSL-encrypted channel. Once the password reaches a Web server, DirectorySmart communicates with the directory using an SSL-encrypted LDAP session to authenticate the user. Passwords are stored in the directory using the encryption algorithms provided by the directory. At no time is the password passed in an un-encrypted manner. (Reviewers should confirm which storage scheme the chosen directory applies: a one-way hash is preferable to reversible encryption, because a hashed store cannot yield the plaintext password even to someone who can read the directory.)

Password Policies
Password policy is an integral piece of any comprehensive security policy. It is important that passwords be as secure as possible, as they are the most common method of user authentication. DirectorySmart provides a set of comprehensive services that help an enterprise define the appropriate password policies for their business model(s). DirectorySmart password policies are independent modules that allow enterprises to tailor the policies to meet their specific needs.
Length – Password minimum and maximum lengths are configurable. A minimum length raises the cost of brute force attacks against passwords; a maximum accommodates environments that cannot accept longer values.
Syntax – Password syntax (valid characters, format, and character exclusion) is configurable via JavaScript to hinder dictionary attacks, enforce particular formats, and exclude characters which may cause problems in a particular environment. Where such a check runs in the browser, the same rule must also be enforced on the server, since a client-side check alone can be bypassed.
Dictionary Search – The dictionary policy uses a list of common words which are checked against all new passwords.
If a password matches a dictionary entry, it is rejected and an alternative requested.
Validity Period – The longer a password is valid, the greater the chance of compromise. DirectorySmart provides for the password validity time period to be defined at a system level and at the role level to provide the greatest flexibility possible.

Role Based Policy Management
In order to easily manage millions of users, DirectorySmart provides security management using role-based policies. Roles are logical groups of users who perform similar business functions and hence share a common security profile. Individuals that have been defined as administrators are able to define multiple roles to segment the security profiles of their users as they best see fit. Through the use of roles, administrators can easily modify the security profiles of large numbers of users simply by modifying the security privileges associated with a role common to each of the users. Individual users are easily assigned to one or more roles and are subsequently managed and given access to specifically designated Web services. Roles may include administrative capabilities such as Super Administrator, Delegated Administrators of various levels, and End Users of different types. Roles may also have a business context such as Customer Support Representative or Agent.

User Interface
DirectorySmart’s browser-based user interface allows organizations to administer the user and policy management system through the Web. The DirectorySmart user interface features simple ‘point and click’ screens which allow administrators to create and manage users, organizational management structures, and Web services quickly and easily with minimal training required.

Organizational Management
By streamlining the management of organizational hierarchies, DirectorySmart provides administrators with the ability to easily manage complex and diverse organizational structures in a secure fashion. Realms of authority can be managed through the creation of different organizations which have access to different Web applications and content.

Multiple Roles for Individual Users
Individual users can be assigned to one or more roles. This function allows users to retain a single login ID while performing multiple types of functions (e.g. a person can be both a Customer Service Representative and a Claims Processor).

Organizational Ownership of Roles
DirectorySmart allows individual organizations to customize roles within the organization to suit their needs. With DirectorySmart, each organization can define the entitlements of the role to match their definition and requirements.
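The password policy modules described under Password Policies above (Length, Syntax, Dictionary Search, Validity Period), including the role-level validity period that role-based policy management makes possible, as an added example. This is illustration code, not DirectorySmart’s own; the parameter names, the sample word list and the precedence rule (a role-level period overrides the system-level one, and the shortest period among a user’s roles wins) are assumptions made for the example.

```python
"""Password policy modules of the kind described above (Length, Syntax,
Dictionary Search, Validity Period).

Added example; this is not DirectorySmart code. The parameter names, the
sample word list and the validity-period precedence rule (role level over
system level, shortest applicable role period wins) are assumptions.
"""
import re
import string
from dataclasses import dataclass, field

# Constructed sample word list; a deployment would load a real dictionary.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "healthplan"}


@dataclass
class PasswordPolicy:
    min_length: int = 8
    max_length: int = 64
    # Syntax: permitted characters and required character classes.
    allowed_chars: str = string.ascii_letters + string.digits + "!@#$%^&*_-"
    require_digit: bool = True
    require_upper: bool = True
    dictionary: set = field(default_factory=lambda: set(COMMON_WORDS))
    # Validity period in days at the system level, with optional per-role values.
    system_validity_days: int = 90
    role_validity_days: dict = field(default_factory=dict)


def check_length(policy, password):
    """Length module: a minimum raises the cost of brute-force guessing."""
    if len(password) < policy.min_length:
        return "shorter than minimum length %d" % policy.min_length
    if len(password) > policy.max_length:
        return "longer than maximum length %d" % policy.max_length
    return None


def check_syntax(policy, password):
    """Syntax module: character exclusion and required format."""
    bad = sorted({c for c in password if c not in policy.allowed_chars})
    if bad:
        return "contains disallowed characters: " + "".join(bad)
    if policy.require_digit and not any(c.isdigit() for c in password):
        return "must contain a digit"
    if policy.require_upper and not any(c.isupper() for c in password):
        return "must contain an upper-case letter"
    return None


def check_dictionary(policy, password):
    """Dictionary module: reject common words, also when decorated with a
    trailing digit or punctuation (so 'Password1!' is still caught)."""
    lowered = password.lower()
    stripped = re.sub(r"[\d\W_]+$", "", lowered)
    if lowered in policy.dictionary or stripped in policy.dictionary:
        return "matches a dictionary word"
    return None


# The modules are independent; a deployment enables the ones it needs.
POLICY_MODULES = [check_length, check_syntax, check_dictionary]


def validate_password(policy, password):
    """Run every enabled module and return the list of violations.
    An empty list means the password is accepted."""
    violations = []
    for module in POLICY_MODULES:
        message = module(policy, password)
        if message:
            violations.append(message)
    return violations


def validity_days(policy, roles=()):
    """Validity Period: role-level periods take precedence over the system
    default; with several applicable roles the shortest period wins."""
    role_days = [policy.role_validity_days[r] for r in roles
                 if r in policy.role_validity_days]
    return min(role_days) if role_days else policy.system_validity_days


def password_expired(policy, age_days, roles=()):
    """True when the password is older than the applicable validity period."""
    return age_days > validity_days(policy, roles)
```

Because each module is a plain function that returns either a message or None, a site can reorder, drop or add modules (for example a history check) without touching the others, which is the property the page claims for its "independent modules".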
Configurable Advanced Searches
DirectorySmart allows Administrators to do simple and advanced searches based on Web services or applications, organizations, roles and users. Simple searches are available by default, with advanced searches accessible at the push of a button. This function is configurable to allow for complex search capabilities. An enterprise is able to configure these advanced searches to balance the needs for flexibility and performance.

Configurable User Interface
All of the DirectorySmart User and Policy Management interfaces for Web services and applications, organizations, roles and users are configurable to allow an organization to define the specifics of the screens presented to the Administrative user, including the attributes, labels and input controls.
Web Access Control
By keeping track of user profiles, roles and information entitlements in the central directory via the DirectorySmart user management system, DirectorySmart ensures that users are authenticated and authorized before allowing access to specific Web services. A web access control agent secures each web server and validates each request before allowing access to a protected resource.

Web Access Control with Plug-In Technology
DirectorySmart Web Access Control is implemented as a plug-in to each Web server (NSCP, IIS, IBM HTTP) that it protects. The plug-in works in sync with each server and examines every HTTP request that the server processes.

Web Single Sign-On
DirectorySmart handles security for multiple domains within an enterprise or between an enterprise and its partners. DirectorySmart allows users to sign on once for access to multiple Web services for which they are authorized, even if these services are located on multiple domains or on a domain operated by an ASP partner. DirectorySmart supports Web single sign-on using an encrypted session cookie. The cookie is created for each user after the user’s first successful authentication. The cookie carries the user’s credentials and is presented to the WAC agent with each request, eliminating the need for multiple logins by the user. The cookie is recognized by all DirectorySmart WAC agents and allows them to confirm the authentication of the user at each request. The DirectorySmart authentication cookie is protected at the client in four ways:
• Cookies are stored in browser memory, never written to the hard drive.
• Cookies contain IP-specific information that is checked to see whether the request comes from the address the cookie was created for, preventing the cookie from being replayed by a malicious user from another address. (Clients behind the same proxy or NAT device share an address, so this check alone does not distinguish them.)
• Cookies have inactivity thresholds that render them unusable after a configurable period of inactivity. These inactivity thresholds are set on a role, Web application or system level.
• Cookies are encrypted using the 128-bit Blowfish algorithm.
For added protection, the Web server should run with SSL encryption on to protect all data transmitted between the server and the browser, which DirectorySmart supports. Reviewers evaluating the cookie format should also ask how the agent detects modification of a cookie: encryption on its own conceals the contents but does not by itself cause an altered cookie to be rejected, so an integrity check (a keyed message authentication code over the cookie) is the property to look for.

Secure Password Storage and Transmission
Password handling is as described under Password Management above: passwords travel over an SSL-encrypted channel to the Web server, DirectorySmart authenticates against the directory over an SSL-encrypted LDAP session, and passwords are stored using the directory’s own algorithms. At no time is the password transmitted in an un-encrypted manner.
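The single sign-on cookie behaviour described above (one cookie issued after the first successful authentication, bound to the client address, subject to inactivity thresholds at role, Web application and system level, and checked by every agent on every request), as an added example. This is illustration code, not DirectorySmart’s own. The product encrypts its cookie with Blowfish; this example instead attaches an HMAC-SHA256 tag, because the check that stops a malicious user from altering a cookie is integrity verification, and that is what the example demonstrates. The field names, SECRET_KEY, the threshold table and the precedence rule (role over Web application over system, strictest role winning) are assumptions.

```python
"""Single sign-on cookie handling of the kind described above.

Added example; not DirectorySmart code. The cookie is integrity-protected with
HMAC-SHA256 instead of the product's Blowfish encryption. SECRET_KEY, the
field names, the INACTIVITY table and its precedence rule are assumptions.
"""
import base64
import hashlib
import hmac
import json
import time

# Assumption: one key shared by all agents, provisioned out of band.
SECRET_KEY = b"demo-key-shared-by-all-wac-agents"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes

# Inactivity thresholds in seconds (assumed values).
INACTIVITY = {
    "system": 1800,
    "service": {"claims-status": 600},
    "role": {"Delegated Administrator": 300},
}


def _encode(body):
    """Serialize the cookie body and append its HMAC tag."""
    payload = json.dumps(body, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def issue_cookie(user_id, roles, client_ip, now=None):
    """Create the cookie after the user's first successful authentication."""
    now = int(time.time()) if now is None else now
    return _encode({"uid": user_id, "roles": list(roles), "ip": client_ip,
                    "issued": now, "last": now})


def inactivity_limit(roles, service):
    """Role threshold first (strictest of the user's roles), then the Web
    application's threshold, then the system default."""
    role_limits = [INACTIVITY["role"][r] for r in roles if r in INACTIVITY["role"]]
    if role_limits:
        return min(role_limits)
    return INACTIVITY["service"].get(service, INACTIVITY["system"])


def validate_cookie(cookie, client_ip, service, now=None):
    """What an agent does on each request. Returns (body, refreshed_cookie)
    when the request is accepted, or (None, reason) when it is not."""
    now = int(time.time()) if now is None else now
    try:
        raw = base64.urlsafe_b64decode(cookie.encode())
    except ValueError:
        return None, "malformed"
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None, "bad signature"        # altered or forged cookie
    body = json.loads(payload)
    if body["ip"] != client_ip:
        return None, "ip mismatch"          # presented from another address
    if now - body["last"] > inactivity_limit(body["roles"], service):
        return None, "inactive"             # threshold exceeded
    body["last"] = now                      # activity extends the session
    return body, _encode(body)
```

The agent re-issues the cookie on every accepted request so that the inactivity clock restarts; the signature is verified before anything in the body is trusted, which is the order in which the checks must run. If the body must also be unreadable to the client, wrap the same payload in an authenticated-encryption mode from a cryptographic library rather than adding an unauthenticated cipher.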
Session Timeout
Session timeout can be defined on a per Web service, role, user or access control agent basis. An enterprise can configure the precedence for enforcing the session timeouts (e.g., role supersedes Web service, Web service supersedes user).

Fault Tolerant Directory Connection Support
The DirectorySmart Web access control system handles cases where one directory server is unavailable by rolling over to secondary directory servers. In order for this rollover to occur, the appropriate directory service implementation must be in place, which includes replication across the primary and secondary servers.

Support for Public Pages Access
DirectorySmart’s Web Access Control supports the concept of ‘public’ pages. For example, specific areas under DirectorySmart protection or specific file types can be defined as accessible by the general public without the need for user authentication via login.

Delegated Authority and User Management
One of the most powerful DirectorySmart capabilities is that it allows a Delegated Administrator to securely create, modify and change a particular organization’s individual user information. The enhanced delegated authority feature allows companies to delegate user management out to the lowest logical level, decreasing the centralized management burden of user roles and profiles. This feature provides tremendous cost savings and a greater level of customer service for companies using DirectorySmart. DirectorySmart is specifically designed to enable organizations to manage security for millions of users and dozens of Web applications. Each administrator of the system can develop organizational management structures, create administrator roles in each organization, and allow these ‘Delegated Administrators’ to take responsibility for the management of their particular user communities.
In this way, the responsibility and time required for management is distributed across the system, thereby defraying the administrative impact on the central enterprise. Take note that the drive for cost savings in no way impacts security, in that authority is securely delegated such that Delegated Administrators can assign no greater access and capability than that which they are authorized to assign.

Multiple Levels of Delegation for Policy Management Across Unlimited Sites
Organizational realms of management and security are supported within DirectorySmart and allow the organization administrators to create subordinate organizations for delegation and delineation of user and policy information.

Point-and-Click Web-Based Interface for Delegated User Management
The user interface for delegated user management is designed for maximum ease of use, using familiar point and click features. This maximizes usability and minimizes training and support costs.
Policy Security Management Extended to External Administrators
Through Delegated Authority, DirectorySmart provides enterprises with the ability to allow internal organizations as well as external partner, supplier, vendor and customer administrators to manage their own user sets. This feature provides tremendous cost savings to an enterprise using DirectorySmart, as it effectively “outsources” an internal administrative task to the external users of the system, and it gives those users a greater level of customer service.

Self-Service Capabilities for User and Policy Management
DirectorySmart provides simple self-service functionality to users. This functionality extends DirectorySmart’s Delegated Authority system beyond Administrators to the end users themselves, thereby allowing DirectorySmart to easily support the administration of millions of users. Through self-registration and password policy functions, DirectorySmart enables the enterprise to allow users to register for and manage their own access to the web applications as appropriate and as determined by the enterprise’s security requirements.

Fine-Grain Access Control
DirectorySmart provides the infrastructure to manage application level controls within a Web service or application. This feature enables companies to provide personalized security and content within their Web applications through simple API calls to the DirectorySmart secure infrastructure, thereby enhancing their ability to rapidly bring applications to the Web in a secure environment.

C/C++ and Java APIs for Customization and Enterprise Integration
DirectorySmart provides a set of strong Application Programming Interfaces (APIs) available in C/C++ and Java. These APIs allow Web application developers to take advantage of the policy management and storage provided by DirectorySmart with no knowledge of LDAP programming concepts required.
The DirectorySmart APIs easily allow developers to incorporate personalization and detailed security features into their Web applications based on information stored in the directory and managed by DirectorySmart.

Portal Services and Personalization
Working in conjunction with Web Access Control, DirectorySmart can leverage user profile, role and information entitlement information to create a personalized “portal” or view of corporate Internet services based on an individual user’s organization and role profile.

Personalized Web-Based User Portal
DirectorySmart Portal Services utilize the profiles and policies stored in the directory and create a custom portal for each user as they log into the system. The user is presented with the Web services they may access, without needing to wade through services they are not authorized to access.
How Portal Services Can Be Used
An insurance company found that when their users logged onto their site they were shown all applications, even those they were not allowed to access. Utilizing DirectorySmart Portal Services and Personalization through the menu of services feature, the company now provides personalization, authentication and authorization to specific, user-defined Web services for their users. For example, if a user logs onto the provider’s DirectorySmart-powered Web site now, the user sees only the applications and services specific to his or her privileges. They will not see any applications for which they are not authorized. (Hiding a menu entry is a usability measure; the authorization decision itself is still made by the WAC agent on every request, so a user who types the URL of a hidden application directly is still denied.)

Internationalized User Interface for Login and Portal Services
DirectorySmart provides language localization (internationalization) support in the end-user interfaces of the software. When it is detected that a login is required, DirectorySmart can check the user’s browser settings to determine their language preference and then present an appropriate HTML page developed in that language by the enterprise.

Point-and-Click Customization of Web Interface per Organization
In conjunction with support for internationalization, the DirectorySmart portal is built using XML in conjunction with XSL templates. This architecture and design allows an organization to build completely personalized portals through custom templates. Each organization created in DirectorySmart can be configured to have a customized portal presented to all users in the organization. For example, for an enterprise with 3 divisions and 4 external partners leveraging the DirectorySmart security infrastructure, a custom menu of services screen can be developed and presented for each one of those organizations to the appropriate users as they log in, triggered by the organizational component of the user profile. This allows organizations to ‘brand’ the interface as they see fit.
Reporting, Measurement and Analysis
DirectorySmart provides activity and usage measurement and analysis that can be broken down by organization, individual and Web service. This provides benefits in multiple key areas: security auditing and reporting, marketing support and communication, and security alerting.

Reporting Usage: Security and Marketing
DirectorySmart Web Access Control agents log every request to protected resources down to the user ID level, and all directory modifications made using the DirectorySmart system. This function allows the Reporting, Measurement and Analysis system to collect log information and process it against the profile information stored in the directory. This supports the security auditing requirements of recent government regulations through standard and custom reports.
In addition, an enterprise can utilize this information to enhance their marketing strategies by analyzing employee and business partner usage of particular web applications, interest areas and activity patterns. This information can be utilized to develop targeted messaging campaigns, to adjust or prioritize particular web services, or to enhance marketing strategies vis-à-vis particular user profiles.

Lockout and Security Alert Notification Enhancements
The ability to lock out users who have exceeded the threshold for consecutive failed logins is configurable and allows for the automatic notification of interested parties via email. This feature enhances the security provided by DirectorySmart by allowing for the real-time notification of security personnel during possible password attacks against the system.

Security Audit Trails
Security audit trails are used to help the system track and record usage of and access to secured resources. DirectorySmart provides strong auditing functions to increase the overall security of the system. It also provides standard reports which track usage by user or by Web service. This type of comprehensiveness in auditing provides accountability and makes troubleshooting and detection of security abnormalities easier.

Targeted Messaging
DirectorySmart allows organizations to identify specific target audiences based on groups or customized profiles so that targeted communications can be pointed directly to the audience identified.

ARCHITECTURE AND INTEGRATION

Multiple Platforms
DirectorySmart is available on multiple operating systems, thereby minimizing the impact on a business’ enterprise. By supporting the leading eBusiness platforms, DirectorySmart is able to support the major operating systems in the market today. DirectorySmart is currently available on Windows NT, Windows 2000, Solaris, and AIX.

LDAP Directories
At the core of DirectorySmart is the belief in the power of directory services to provide the necessary scalability and availability required in a security infrastructure. DirectorySmart utilizes LDAP native functions to store profile and policy information as well as to authenticate and authorize users and requests.
DirectorySmart is in production with the market leading directory vendors: iPlanet, IBM, Microsoft, and Novell.

Web Servers
DirectorySmart provides two separate components: User and Policy Management, and Web Access Control Agents, which provide policy enforcement. DirectorySmart User and Policy Management is a Web application which can reside on Web servers from iPlanet, Microsoft, and IBM.
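The lockout-after-consecutive-failures detection and the by-user and by-Web-service usage reports described under Lockout and Security Alert Notification Enhancements and Security Audit Trails above, run over access-log records, as an added example. This is illustration code, not DirectorySmart’s own: the product’s log layout is not shown on this page, so the record format (timestamp, user ID, Web service, outcome) and the sample lines are constructed for the example, and the threshold and the notification hook are assumptions.

```python
"""Lockout after consecutive failed logins, with notification, and the
by-user / by-Web-service usage reports, run over access-log records.

Added example; not DirectorySmart code. The log format and the sample lines
are constructed; LOCKOUT_THRESHOLD and the notify hook are assumptions.
"""
from collections import Counter

# Constructed sample log: timestamp, user ID, Web service, outcome.
SAMPLE_LOG = """\
2001-01-15T09:00:01 bclerk claims-status OK
2001-01-15T09:00:05 jdoe login FAIL
2001-01-15T09:00:09 jdoe login FAIL
2001-01-15T09:00:14 jdoe login FAIL
2001-01-15T09:00:18 jdoe login FAIL
2001-01-15T09:00:22 jdoe login FAIL
2001-01-15T09:00:30 bclerk eligibility-status OK
2001-01-15T09:00:35 pclerk login FAIL
2001-01-15T09:00:40 pclerk login OK
2001-01-15T09:00:45 pclerk new-patient OK
2001-01-15T09:00:50 pclerk claims-status DENIED
"""

LOCKOUT_THRESHOLD = 5   # consecutive failed logins (assumed value)


def parse_log(text):
    """One record per line: timestamp, user, service, outcome."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, user, service, outcome = line.split()
            records.append({"ts": ts, "user": user, "service": service, "outcome": outcome})
    return records


def detect_lockouts(records, threshold=LOCKOUT_THRESHOLD, notify=None):
    """Return {user: timestamp of lockout}. A successful login resets the
    streak; notify(event) is called once per lockout (the product e-mails
    interested parties; here the hook is any callable)."""
    streak = Counter()
    locked = {}
    for r in records:
        if r["service"] != "login":
            continue
        if r["outcome"] == "FAIL":
            streak[r["user"]] += 1
            if streak[r["user"]] == threshold and r["user"] not in locked:
                locked[r["user"]] = r["ts"]
                if notify is not None:
                    notify({"event": "lockout", "user": r["user"],
                            "at": r["ts"], "failures": threshold})
        else:
            streak[r["user"]] = 0
    return locked


def usage_report(records):
    """Granted requests to protected resources, by user and by Web service;
    logins are excluded and denied requests are counted separately, since a
    run of denials against one user is itself worth an analyst's attention."""
    by_user, by_service, denied = Counter(), Counter(), Counter()
    for r in records:
        if r["service"] == "login":
            continue
        if r["outcome"] == "OK":
            by_user[r["user"]] += 1
            by_service[r["service"]] += 1
        else:
            denied[r["user"]] += 1
    return by_user, by_service, denied
```

Counting only consecutive failures, and resetting on success, matches the page’s wording; a deployment would also want a time window on the streak so that a slow guessing attack spread over days does not escape the threshold.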
[Figure: DirectorySmart: Availability, LDAP Deployment & Security Audit & Business Metric Reporting. Same components as the Basic Configuration figure (User and Browser with the authentication cookie in browser memory, Internet, Firewall, HTTPS to Web servers with WAC plug-ins, web apps and the DirectorySmart API, the DSUM and DSMOS plug-ins, the Audit & Access Logger, LDAP directory and LDAP replica, RDBMS via ODBC, reporting), with primary communication, logging and back-up communication paths marked.]
The DirectorySmart Web Access Control (WAC) agents run as web server plug-ins and sit on the web servers hosting the resources the enterprise wishes to protect. A separate “Policy Enforcement” server is not required (as is the case for some competitive systems).

DirectorySmart APIs
DirectorySmart provides a set of strong Application Programming Interfaces (APIs) available in C/C++ and Java. These APIs allow Web application developers to take advantage of the policy management and storage security infrastructure provided by DirectorySmart without requiring them to know LDAP programming concepts. The DirectorySmart APIs easily allow developers to incorporate personalization and fine grain access control features into their Web applications based on information stored in the directory and managed by DirectorySmart. A user’s authentication, authorization and access profile can be determined through simple API calls to the DirectorySmart security infrastructure.

Multiple Authentication Methods
DirectorySmart supports a wide variety of third-party authentication products. DirectorySmart supports native LDAP user ID/password authentication against the leading LDAP directory vendors. DirectorySmart also supports single-factor authentication using X.509 compliant digital certificates such as those from Baltimore Technologies, Entrust, RSA, Microsoft, Netscape, and Verisign.

ARCHITECTURE IMPACTS

Scalability
DirectorySmart leverages the inherent capabilities of LDAP to support deployments of systems supporting millions of users. The WAC agent is a lightweight web server plug-in which runs inline with the protected web server. As web server traffic requires the scaling of the web server through available network technologies, the DirectorySmart WAC agent, with its use of native LDAP calls for authentication and authorization, scales as well.
By using LDAP directories as the policy and profile store, DirectorySmart is able to take advantage of standard LDAP deployment strategies to support millions of users.

Availability
The DirectorySmart architecture is based on the independence of the individual components to provide high availability in addition to scalability. Each component can be independently configured in the network to provide high availability. The DirectorySmart WAC agent is embedded directly into the web server that it is protecting. As long as the web server is available, the WAC agent is available to protect it. Standard LDAP replication features provide directory availability.
Manageability
DirectorySmart is based on a minimal network footprint requirement, thereby resulting in a minimal impact on the enterprise. Because of this minimal footprint, composed of the WAC agents, the User and Policy Management system, and the LDAP directory, IT staffs are able to efficiently manage the system tasks necessary to support a production environment.

LOWEST COST OF OWNERSHIP

Initial Deployment
DirectorySmart’s minimal network footprint reduces the time and difficulty of the installation and configuration of the initial system. DirectorySmart’s User and Policy Management system provides industry-leading functionality in the initial rollout of the infrastructure to internal employees and external partners and customers. As the initial rollout expands to production level sizes, DirectorySmart provides advanced deployment features that allow organizations to be easily and quickly created.

Ease of Use
DirectorySmart’s user interface is designed to support internal and external administrative users who most likely are not Web application savvy. By providing a simple ‘point and click’ interface, the training, maintenance, and support burden on the IT staff are greatly reduced. Another feature of the DirectorySmart User and Policy Management interface is the ability to streamline the processes which businesses follow to rapidly create complex organizational and business relationships. For most end-users their only interaction with DirectorySmart will be through the logon screen and resulting menu of services or customized portal. For those individuals who are participating as Delegated Administrators, their interaction with the system is through a simple point and click graphical user interface. This maximizes ease of use and minimizes training, maintenance, and support costs for the centralized IT support staff.
Delegation of Authority
One of the most powerful and mature capabilities of DirectorySmart is that it allows a Delegated Administrator to securely create, modify and change an organization’s individual user information. The enhanced delegated authority feature allows companies to delegate user management out to the lowest logical level, decreasing the centralized management burden of user roles and profiles. This feature provides tremendous cost savings and a greater level of customer service for companies using DirectorySmart. Through the easy to use DirectorySmart interface, companies are able to roll out systems to millions of users more quickly and with less administrative overhead.
HOW DIRECTORYSMART IS USED: AN EXAMPLE
In this next section we present the example of a hypothetical health care insurance company, HealthPlan of America. They have developed a state-of-the-art web site powered by DirectorySmart that allows them to provide a wide variety of services to their business partners, internal departments and employees, and customers via the web in a secure environment. First we will outline the many types of potential users of the system in this example. Then we’ll review how the insurance company can leverage the DirectorySmart security infrastructure to delegate user and role-based policy management out to the lowest logical level, simultaneously decreasing the centralized burden of managing the user roles and profiles while improving customer service.
Roles are logical groups of users who perform similar functions and hence share a common security profile. Individuals who have been defined as administrators are able to define multiple roles to segment the security profiles of their users as they best see fit. Through use of roles, administrators can easily modify security profiles of large numbers of users simply by modifying the security profiles associated with a role common to each of the users. Individual users are easily assigned to one or more roles and are subsequently managed and given access to specifically designated Web services or applications.
The sample screens we present below are examples of the personalized, easy to use interfaces that would be presented to the various users of the system.
Internal departments and employees of HealthPlan of America itself include:
• customer service
• claims management
• accounting and
• other areas.
Their business partners or ‘Providers’ include:
• hospitals
• clinics
• doctors’ practices and
• pharmacies.
Their business partners’ staff include:
• business manager
• doctor
• billing manager
• new patient and pre-approval clerk.
HealthPlan of America’s ‘customers’ include both the companies that have contracted with them, and the individual members or ‘insureds’, i.e. employees of the client firm who have their insurance coverage via a plan managed by the insurance company. Users therefore might include staff and employees across a variety of departments and organizations:
• COO
• HR Director
• HR Manager
• Benefits Manager
• Benefits Co-ordinator
• HR Assistant
• Employees
[Screen: Create and Modify an Organization]

How Delegation Begins
The sample screens we present below are examples of the personalized user interfaces that would be presented to the various users of the example system.

Super Administrator
A ‘super administrator’ at the insurance company can create organizations and create delegated administrators for each of those organizations based on their business model and chosen security policies. The super administrator can determine what capabilities to allow to each of these delegated administrators. They can specify access to particular functions such as add, modify, view or delete for organization profiles, user profiles, web service profiles and other functions.

Delegated Administrator
A delegated administrator will have a certain scope of authority that has been specifically delegated to them by the administrator ‘above’ them in the hierarchy. If the super administrator has delegated ‘add organization’ capability to a delegated administrator, then the delegated administrator may in turn create additional sub-organizations to match their business model, and may choose to add additional delegated administrator(s) below them as appropriate. In this way DirectorySmart can map to the specific requirements of many varied business models and provide as many levels as necessary in the security infrastructure. The Delegated Administrator can (if allowed) create new users and assign roles to users.
  • 23. Modify Role
  • 24. Create User
  • 25. Pre Approval Clerk
New Patient and Pre-approval Clerk
This person might in effect be the receptionist at a clinic who has been defined by the delegated administrator above them as having access to HealthPlan of America’s Web-enabled New Patient application as well as the Web application that checks Authorization Status. This clerk has not been given access to any other functions.
  • 26. Billing Clerk
The Billing Clerk role has been defined as having an expanded suite of responsibilities, and thus this role has been given access to additional functionality in this example, including Eligibility Status, Deductible Status, Claims Status and Other Health Insurance Status, in addition to Authorization Status. Note that this role has not been defined as having the ability to create new patients, so that function is not presented to them.
  • 27. Benefits Manager
HealthPlan of America’s customers include hundreds of client companies and the thousands of insured individuals who work for those companies. In our example diagram we have indicated two representative client companies: one a manufacturer, the other a restaurant corporation. In our example HealthPlan of America has delegated certain member management capabilities to the Acme Manufacturing Company. Acme Manufacturing has many divisions and plants and has chosen to delegate member management to the HR departments of each of these huge plants. This is efficient because it empowers the benefits management staff to have direct access to the appropriate Web-enabled applications.
This allows, for example, the HR staff at Plant 4 to add a new employee immediately, modify an employee’s eligibility and authorization status, and check on claims directly. This is very efficient, provides the convenience of an immediate response, and doesn’t require the use of phone, fax or email to a call center or some other support mechanism. The benefits management staff at Plant 3 have access only to the applications and functions specifically assigned to them by Acme, and only for their own organization.
  • 28. Insured Employee
Each of Acme Manufacturing’s plants has thousands of employees, each of whom is insured by plans offered by HealthPlan of America. Acme Manufacturing has chosen to allow employees access to certain Web-enabled applications provided by HealthPlan of America. Acme has defined an employee or member role that gives access to the following functions: ID Card Request, Eligibility Status, Choose a Primary Physician, and Ask Customer Service. Thus insured employees are provided access to the appropriate support and services directly via the Web without having to go through either their HR department or a HealthPlan of America call center.
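The delegation model of slide 22 (a super administrator, delegated administrators with a bounded scope and capability set, sub-organizations) and the role examples of slides 25 to 28 (Pre-approval Clerk, Billing Clerk, insured employee) can be exercised together in a small model. The following is an added Python illustration, not DirectorySmart code or any OpenNetwork API: the class layout, the capability verbs add_org, add_admin, add_user and assign_role, and the administrator names are assumptions; the role-to-application assignments are the ones the guide gives for its example roles. The point it makes is the one a reviewer should verify in any delegated-administration product: a lower-level administrator can act only inside its own subtree, and can never hand down a capability it does not itself hold.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Capabilities an administrator may hold or delegate.  Constructed names, not
# DirectorySmart's: the guide lists add/modify/view/delete on organization,
# user and Web service profiles; this model condenses them to four verbs.
ALL_CAPS = frozenset({"add_org", "add_admin", "add_user", "assign_role"})


class PolicyError(Exception):
    """An action outside the actor's delegated authority."""


@dataclass
class Org:
    name: str
    parent: Org | None = None

    def is_within(self, scope: Org) -> bool:
        """True if this org is `scope` itself or sits somewhere beneath it."""
        node = self
        while node is not None and node is not scope:
            node = node.parent
        return node is scope


@dataclass
class Admin:
    name: str
    scope: Org                   # subtree this administrator may manage
    caps: frozenset = ALL_CAPS   # verbs granted by the administrator above


@dataclass
class User:
    name: str
    org: Org
    roles: set = field(default_factory=set)


@dataclass
class Directory:
    """Central policy store: role -> Web applications the role may reach."""
    roles: dict = field(default_factory=dict)

    def _require(self, actor: Admin, cap: str, target: Org) -> None:
        # Both checks must pass: the verb was delegated AND the target org
        # lies inside the actor's scope.  Holding the verb alone is not enough.
        if cap not in actor.caps:
            raise PolicyError(f"{actor.name} lacks capability {cap!r}")
        if not target.is_within(actor.scope):
            raise PolicyError(f"{target.name} is outside {actor.name}'s scope")

    def add_org(self, actor: Admin, name: str, parent: Org) -> Org:
        self._require(actor, "add_org", parent)
        return Org(name, parent)

    def delegate(self, actor: Admin, name: str, scope: Org, caps) -> Admin:
        """Create an administrator below `actor`, never with more authority."""
        self._require(actor, "add_admin", scope)
        extra = frozenset(caps) - actor.caps
        if extra:
            raise PolicyError(f"{actor.name} cannot delegate {sorted(extra)}")
        return Admin(name, scope, frozenset(caps))

    def add_user(self, actor: Admin, name: str, org: Org) -> User:
        self._require(actor, "add_user", org)
        return User(name, org)

    def assign_role(self, actor: Admin, user: User, role: str) -> None:
        self._require(actor, "assign_role", user.org)
        if role not in self.roles:
            raise PolicyError(f"unknown role {role!r}")
        user.roles.add(role)

    def can_access(self, user: User, app: str) -> bool:
        """Access decision: any one of the user's roles may grant the app."""
        return any(app in self.roles[r] for r in user.roles)


def denied(action, *args) -> str:
    """Run an administrative action; return the refusal text, '' if allowed."""
    try:
        action(*args)
        return ""
    except PolicyError as exc:
        return str(exc)


def build_example() -> tuple[Directory, dict]:
    """Constructed HealthPlan of America / Acme hierarchy from the guide."""
    d = Directory({  # role -> applications, as assigned in the example slides
        "pre_approval_clerk": {"New Patient", "Authorization Status"},
        "billing_clerk": {"Authorization Status", "Eligibility Status",
                          "Deductible Status", "Claims Status",
                          "Other Health Insurance Status"},
        "member": {"ID Card Request", "Eligibility Status",
                   "Choose a Primary Physician", "Ask Customer Service"}})
    hpa = Org("HealthPlan of America")
    root = Admin("super", hpa)                       # the super administrator
    acme = d.add_org(root, "Acme Manufacturing", hpa)
    acme_admin = d.delegate(root, "acme_admin", acme, ALL_CAPS)
    plant3 = d.add_org(acme_admin, "Plant 3", acme)
    plant4 = d.add_org(acme_admin, "Plant 4", acme)
    # Acme pushes member management down to each plant's HR, withholding add_org.
    hr_caps = {"add_admin", "add_user", "assign_role"}
    hr3 = d.delegate(acme_admin, "hr_plant3", plant3, hr_caps)
    hr4 = d.delegate(acme_admin, "hr_plant4", plant4, hr_caps)
    alice = d.add_user(hr4, "alice", plant4)         # new employee at Plant 4
    d.assign_role(hr4, alice, "member")
    return d, {"plant3": plant3, "plant4": plant4, "hr3": hr3, "hr4": hr4, "alice": alice}
```

With the hierarchy built, `denied(d.add_user, hr3, "bob", plant4)` is refused because Plant 4 is outside Plant 3's scope, `denied(d.delegate, hr3, "coord", plant3, {"add_org"})` is refused because Plant 3 HR was never given add_org, and the Plant 4 employee reaches Eligibility Status but not Claims Status, which belongs to the Billing Clerk role only.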
  • 29. SPECIFICATIONS AND COMPONENTS
DirectorySmart Web Access Control Agents – Supported Web Servers:
  • iPlanet Enterprise Server
  • Microsoft IIS
  • IBM
DirectorySmart LDAP Centralized Policy Store – Supported Directory Servers:
  • IBM SecureWay
  • iPlanet Directory Server
  • Microsoft Active Directory
DirectorySmart User and Policy Management – Supported Platforms:
  • Solaris
  • AIX
  • Windows NT
  • Windows 2000
DirectorySmart API – Supported Development Environments:
  • C/C++
  • Java
DIRECTORYSMART PRODUCT DESCRIPTIONS
25 words: OpenNetwork Technologies’ flagship product, DirectorySmart offers the most comprehensive, proven solution for securing Web applications and managing eBusiness security policies.
50 words: OpenNetwork Technologies’ flagship product, DirectorySmart, offers the most comprehensive, proven solution for securing Web applications and managing eBusiness security policies. DirectorySmart provides large enterprises with an eBusiness security infrastructure for managing millions of online users while offering the lowest cost of ownership and fastest time to market.
100 words: DirectorySmart™, OpenNetwork Technologies’® flagship product, offers the most comprehensive solution for securing Web applications and managing eBusiness security policies. DirectorySmart provides large enterprises with an eBusiness security infrastructure for managing millions of online users while offering the lowest cost of ownership and fastest time to market.
  • 30. Its integrated security infrastructure combines the efficiency of directory-based user definition and authentication with the effectiveness of delegated user management and role- and policy-based Web access control. DirectorySmart enables streamlining of complex relationships, consolidates user and policy management, and securely extends access to Web applications and resources to diverse customers and partners.
250 words: DirectorySmart offers the most comprehensive, proven solution for securing Web applications and managing eBusiness security policies. Its integrated security infrastructure combines the efficiency of directory-based user definition and authentication with the effectiveness of delegated user management and role- and policy-based Web access control. DirectorySmart enables an enterprise to manage millions of users securely without overburdening its central resources. The system provides centralized storage of security policies and the relationships between users, roles, Web applications and access levels, while delegating the management of user profiles out to the lowest logical level. The DirectorySmart infrastructure provides convenience to users through Web single sign-on, self-registration, self-service and personalization, and provides rapid scalability and lowest cost of ownership to the enterprise through a small footprint, reusable infrastructure components and efficient user management. It provides large enterprises with an eBusiness security infrastructure for managing millions of online users while offering the lowest cost of ownership and fastest time to market. DirectorySmart’s low cost of ownership is driven by its unique architecture, the ease of use of the software, and by the efficient processes supported by the system, and it installs in a matter of hours.
DirectorySmart enables streamlining of complex relationships, consolidates user and policy management, and securely extends access to Web applications and resources to diverse customers and partners. It delivers state-of-the-art and easy-to-use role-based policy management, delegated authority, fine-grain access control and personalization. The enhanced features of DirectorySmart include security audit logging and reporting, streamlined organizational management and deployment, security alerting, and Web single sign-on.
ABOUT OPENNETWORK TECHNOLOGIES
About OpenNetwork Technologies®
Headquartered in Tampa Bay, Fla., OpenNetwork Technologies is a leading provider of secure eBusiness infrastructure software. OpenNetwork Technologies’ flagship product, DirectorySmart™, offers the most comprehensive, proven solution for managing eBusiness security policies. DirectorySmart enables an enterprise to streamline complex relationships, consolidate user and policy management, and securely extend access to Web applications and resources to diverse customers and partners.
  • 31. OpenNetwork has offices across the United States and partners with leading eBusiness companies such as IBM, Microsoft, Radiant Logic, iPlanet and RSA. OpenNetwork Technologies has a growing Fortune 500 customer base in the healthcare, insurance, financial and telecom markets, including Blue Cross Blue Shield of South Carolina, Empire Blue Cross Blue Shield, Anthem Blue Cross and Blue Shield, Cincinnati Financial, Trustmark and First National Bank of Omaha. The technological strength of DirectorySmart has been recognized by the market and has attracted GE, Chase Capital, MedEquity and SI Ventures to join with OpenNetwork to bring our solutions to a larger customer audience.
OpenNetwork’s DirectorySmart provides large enterprises with an eBusiness security infrastructure for managing millions of online users while offering the lowest cost of ownership and fastest time to market. DirectorySmart enables streamlining of complex relationships, consolidates user and policy management, and securely extends access to Web applications and resources to diverse customers and partners. DirectorySmart delivers state-of-the-art and easy-to-use role-based policy management, delegated authority, fine-grain access control and personalization. The enhanced features of DirectorySmart include security audit logging and reporting, streamlined organizational management and deployment, security alerting, and Web single sign-on. DirectorySmart also features an optional bundle that includes iPlanet Directory Server.
DirectorySmart’s Features Include:
  • Role-Based Policy Management
  • Web Access Control
  • Reporting, Measurement
  • Delegated Authority
  • Fine-Grain Access Control
  • Web Single Sign-On
  • Enhanced Security
What Makes DirectorySmart Unique?
Lowest Cost of Ownership
DirectorySmart’s low cost of ownership is driven by its unique architecture, the ease of use of the software, and by the efficient processes supported by the system.
Its server plug-in based architecture for Web access control means that it does not require additional platforms for policy enforcement. Support costs are minimized through DirectorySmart’s user-friendly delegated user management capabilities, which allow an enterprise to cost-effectively scale to support millions of users. In addition, DirectorySmart is offered with flexible pricing, allowing a company to choose from server-based, user-based, or enterprise-wide options based upon its current needs.
Fastest Deployment Time
DirectorySmart installs in a matter of hours and provides an enterprise with reusable security infrastructure components. These components include Web access control plug-ins and APIs that can directly leverage the established security infrastructure and thus speed the deployment of Web applications.
  • 32. eBusiness Scalability
DirectorySmart scales to manage millions of users and is designed for the largest and most complex of computing environments.
Fully Integrated Security Infrastructure
DirectorySmart’s secure eBusiness infrastructure possesses the unique ability to model complex business relationships easily and securely, and offers the most comprehensive solution for access control in the marketplace. Key components include authentication, authorization, access control and the support of X.509 PKI certificates.
Directory-Based Security Infrastructure
DirectorySmart leverages industry-leading LDAP-compliant directories as a central repository for security policies and takes advantage of the native characteristics of LDAP, which include high performance, availability and enhanced scalability. This allows a company to maximize the benefit of its investment in directory technology.
Copyright © 2000 OpenNetwork Technologies, Inc. 3.15.01 v0.2