Start-up consolidates Web application server security

Web access control technology from OpenNetwork Technologies Inc. gives Web-based users the opportunity to click once to access a bevy of corporate applications while enabling administrators to discard the time-consuming process of producing a different authentication scheme for each application.

OpenNetwork's DirectorySmart software works with popular Web application servers, including Microsoft Corp.'s Internet Information Server, IBM's WebSphere and BEA Systems Inc.'s WebLogic Server, to authenticate and manage user access to applications.

BlueCross BlueShield of South Carolina, which was an early investor in Clearwater, Fla.-based OpenNetwork, uses DirectorySmart to create and maintain a sophisticated authentication and authorization process to allow its 4 million-member user community to connect to its line of business applications. "In health care, the need for privacy and security is paramount," says Bry Curry, director of .Net systems at the Columbia, S.C.-based insurer. "We have to make sure that the person actually is who they say they are in order to gain access to personal data."

BlueCross BlueShield's extranet uses DirectorySmart to control access to and manage permissions for Web users accessing information stored on secure legacy systems such as Oracle Corp. databases. It runs DirectorySmart on Windows 2000 Active Directory servers. "We use DirectorySmart to enforce rules for agents, customer service representatives as well as providers and patients," says Curry.

Directory leverage

While DirectorySmart resides on the Web application server, it works with enterprise directory services to store and retrieve user profile and policy information. For example, financial services firm Cincinnati Financial Corp. uses Windows 2000 servers, so DirectorySmart accesses user profiles and policies in Active Directory. "I look at it as a directory service tool," says John Kelly, corporate architect at the Fairfield, Ohio-based insurance company. "We use it to manage the directory and security of the Web site."

DirectorySmart enforces the security rules and access controls established in the directory. It uses the Lightweight Directory Access Protocol (LDAP) to run queries against the directory database to determine the security profile for each user requesting access. DirectorySmart also interacts directly with Web server applications and can support other LDAP-compliant directory systems, including Sun Microsystems Inc.'s iPlanet, IBM's SecureWay and Novell Inc.'s eDirectory.

Since LDAP was designed to run over TCP/IP, DirectorySmart can run in an intranet, Internet, extranet or wide-area network configuration. "They've taken the smart approach to user management, using a directory infrastructure to release authentication and delegated administration," says Michael Hoch, an analyst at Boston-based Aberdeen Group Inc.

DirectorySmart also lets Cincinnati Financial delegate administration and establish role-based management. Kelly uses this feature to control Web site access to the more than 1,600 independent agencies in its network. "We let the independent agencies add users and assign roles while we set up the directory and schemas. It makes it much easier for our IT administration of the Web site," he says.

Web application developers can also use DirectorySmart's application programming interface to manage access to individual Web application functions or services. "Let's say I have a problem with one particular function," says Curry. "From a central location, I can just turn that function off." With this granular level of control, IT administrators can fine-tune access for different users. In addition, the ability to turn off a function makes it much easier and less costly to develop new functions, he says.
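As an added illustration (not OpenNetwork's code), the following models the behaviours the article describes: user roles held in a directory, delegated administration that is scoped to one agency, and a central per-function switch that an administrator can turn off. The in-memory directory, agency names and role names are constructed stand-ins for an LDAP store.

```python
# Added illustration, not OpenNetwork's code: a minimal policy enforcement
# point modelling directory-backed roles, delegated administration and a
# central per-function kill switch. The Directory class is a constructed
# in-memory stand-in for the LDAP-backed profile store.
from dataclasses import dataclass, field


@dataclass
class Directory:
    # constructed sample profiles: user -> (agency, frozenset of roles)
    users: dict = field(default_factory=dict)
    # delegated admin: admin user -> the single agency it may administer
    delegates: dict = field(default_factory=dict)

    def roles_of(self, user):
        return self.users.get(user, ("", frozenset()))[1]

    def add_user(self, admin, user, agency, roles):
        """Delegated admin: an agency admin may only create users in its own agency."""
        if self.delegates.get(admin) != agency:
            raise PermissionError(f"{admin} cannot administer agency {agency}")
        self.users[user] = (agency, frozenset(roles))


class PolicyPoint:
    def __init__(self, directory, policy):
        self.directory = directory
        self.policy = policy      # function name -> set of roles allowed
        self.disabled = set()     # central kill switch, per function

    def disable(self, function):
        self.disabled.add(function)

    def authorize(self, user, function):
        if function in self.disabled:
            return False          # switched off centrally for everyone
        if function not in self.policy:
            return False          # default deny for unknown functions
        return bool(self.directory.roles_of(user) & self.policy[function])


def build_demo():
    # constructed sample data: one HQ admin, one delegated agency admin
    d = Directory(users={"alice": ("hq", frozenset({"admin"}))},
                  delegates={"bob": "agency17"})
    pp = PolicyPoint(d, {"view_claims": {"agent", "csr"},
                         "edit_policy": {"admin"}})
    return d, pp
```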

Fast and easy

Curry also praises the product's ease of use. "You don't have to be a programmer to use this," he says. "While you need coding to connect legacy applications to a Web-enabled environment, DirectorySmart comes with a robust set of connectors that makes the job relatively easy," he adds. BlueCross BlueShield took just 90 days from the time it started coding connections to roll out six different functions. That qualifies as spontaneous in the world of IT.

Curry says that getting users up and running with DirectorySmart is fairly easy and that the ability to roll out more users is also pretty painless. But there is a caveat. "All DirectorySmart does is create a system to authenticate and authorize; you still have to develop the application to fetch and deliver the data," he says. That kind of additional functionality would add to DirectorySmart's appeal, says Curry.

The Buzz: State of the Market

Beyond Single Sign-On

The trends in access management and security encompass more than just single sign-on capabilities. According to Jonathan Penn, a senior analyst at Cambridge, Mass.-based Giga Information Group Inc., companies' desire for a strong password management system is an outgrowth of business as well as security concerns. "For businesses that currently have several different applications running across disparate business units, there's a need to find a way to have single sign-on provisions and access management controls that bridge the different domains," he says. This ability is also being extended to outside trading partners and even part-time collaborators who use corporate extranets as well as intranets. This plays to OpenNetwork Technologies Inc.'s abilities because of the product's integration with Microsoft Corp.'s Active Directory product.

"Multidomain sign-in and access control is a big item in the market. Because companies will have different access controls associated with different applications, they want to figure out a way to have one standard running across the enterprise," says Penn. For example, if one business unit uses single sign-on and access management control software from Netegrity Inc. and another unit uses eTrust software from Computer Associates International Inc., there's no widely adopted standard for integration. Penn says that one effort -- the Billerica, Mass.-based Organization for the Advancement of Structured Information Standards' Security Assertion Markup Language (SAML) -- is under way to set a standard for exchanging security information between partners over the Internet, but it's still a work in progress.

Netegrity Inc.

Waltham, Mass.

Netegrity is a leader in the field of access management, security control and single sign-on software. Sun Microsystems Inc. bundles Netegrity's software with its iPlanet directory and metadirectory products. Netegrity offers connectors to many business applications, and it also recently announced a proxy server product.

RSA Security Inc.

Bedford, Mass.

As a result of its March 2001 purchase of Securant Technologies Inc. in San Francisco, RSA Security offers access management, single sign-on and control software that functions by plugging into Web server applications. Securant had a strong focus in the enterprise and on system architecture.

IBM

Through a relationship with Entrust Inc. in Plano, Texas, IBM offers a proxy server suite of products designed for security management and single sign-on controls. A proxy server approach allows users to switch from domain to domain without reauthentication because no matter what domain is being accessed, the proxy server is always between the user and the domain.

Computer Associates International Inc.

Islandia, N.Y.

CA offers a suite of security management products under the eTrust name that includes support for Web access control and single sign-on capability. The software also adds provisioning tools.

OpenNetwork Technologies Inc.

13577 Feather Sound Drive

Clearwater, Fla. 33762

(727) 561-9500

Kurt Long, president and CEO at OpenNetwork Technologies Inc.

Niche: OpenNetwork's DirectorySmart software supports Web-based single sign-on and access control across domains and to Web-based partners and customers.

Company officers:

• Kurt Long, president and CEO

• Bob Worner, senior vice president of product engineering

• Michael Landis, chief financial officer

Milestones:

• March 2000: DirectorySmart launched.

• June 2000: Interoperability with IBM's SecureWay directory announced.

• January 2001: DirectorySmart support for Microsoft Corp.'s Active Directory announced.

• October 2001: Central security management for BEA Systems Inc.'s WebLogic Server released.

• January 2002: OpenNetwork released DirectorySmart 4.7 and added self-registration and self-service functionality for Active Directory.

Employees: 140

Burn money: $15 million from BlueCross BlueShield of South Carolina, MedEquity Investors LLC, J.P. Morgan Partners, General Electric Capital Corp. and SI Ventures LP

Products/pricing: DirectorySmart costs $200,000 for the first 100,000 users plus a one-time $50,000 service charge and an annual software maintenance fee of 20% to 25% of the software license cost.

DirectorySmart TransactionShield for Microsoft BizTalk Server costs $30,000 for the first CPU, $15,000 for each additional CPU.

Customers: IBM, GTE Corp., BellSouth Corp., Cincinnati Financial Corp. and BlueCross BlueShield of South Carolina

Red flags for IT:

• The technology is just a way to create a security and single sign-on system; it isn't a substitute for the middleware layer between applications and Web-enabled environments.

• Programming to OpenNetwork's application programming interface is required for integration with legacy systems.

Copyright © 2002 IDG Communications, Inc.