Integrate Web server platforms into one authentication system

Large-scale Web-server farms need enterprise-level authentication systems, but achieving seamless authentication across multiple systems and platforms can be difficult if you've built your operation on mixed server technologies that don't share a common authentication system. Enter Securant Technologies' ClearTrust SecureControl 4.0, a Web application authentication and access-control system that lets you control user access consistently across different platforms.

The product can run on Microsoft IIS 5.0 and Windows 2000, but for my tests I used an IIS 4.0 environment running on Windows NT 4.0. Securant sends an engineer to each customer's site to help set up the product and to provide hands-on training for the product's administrators. For my tests, Securant sent engineer Orlando Salinas, who quickly taught me about the product and answered all my questions. Having one of Securant's knowledgeable engineers on site saved me a lot of time.

ClearTrust essentially interposes itself between end users and the Web applications that users access. From that position, it can offer simple single sign-on (SSO) for HTTP resources (i.e., Web-based applications and Web servers): a user authenticates once and is not challenged again by other ClearTrust-protected servers. The product provides a common point for administering user access rights and supports local and remote Lightweight Directory Access Protocol (LDAP) directory replication for easier user integration.

The product has three basic components: an authentication service, a Java-based Entitlements Manager administration utility, and Web plug-in modules for Apache, Netscape, and IIS. The Web plug-ins intercept Uniform Resource Identifier (URI) requests (URLs are a subset of URIs) and pass those requests to the authentication service, which determines the user's access rights and returns that decision to the plug-in, which enforces it. You must install the Web plug-ins directly on your Web servers; the authentication service and Entitlements Manager can run on separate systems, depending on how you want to structure the overall installation for performance and security.

A slick benefit of this product is that Securant provides the source code for its Java-based Entitlements Manager so that you can extend or integrate Entitlements Manager into other applications. Securant also provides Java and C-based APIs, so developers can use their preferred development language to extend the product's functionality.

The setup process involved installing a database server to act as ClearTrust's data-store back end for configuration data. Although the product supports Sybase, I installed the Oracle database runtime back end that ships with ClearTrust. By bundling a database with the product, Securant eliminates the need to allocate resources from an in-house database server and keeps ClearTrust's data store separate from other databases. That isolation can help protect the database from intrusion.

After I installed and configured the required components, I ran the Entitlements Manager to configure the product. I used the dialog boxes on the Entitlements Manager's tabbed interface to create user, user group, and application definitions. Then, I defined access rules that correlate the users and groups to the various applications. Because ClearTrust treats every URI as a separate application, the product offers a tremendous amount of granular access control. However, some users might find that granularity cumbersome because they must manually enter each URI during the configuration process. Securant could easily improve the product by offering an import or drag-and-drop mechanism to make definitions easier to configure. The best workaround I found was to copy the URIs I wanted to protect and paste them into the definitions.

ClearTrust groups Web servers into realms for easier control. The product also lets you define user groups to provide common sets of access rights across the enterprise and even across different domains, and you can also give individual users their own access rights. ClearTrust administrators own the objects (i.e., realms, groups, and users) that they create, so other administrators can't tamper with those objects. Before you can remove an administrator from ClearTrust management duties, you must transfer ownership of that administrator's objects to another administrator. This requirement prevents orphaned objects.

The product's Smart Rules technology lets you define access rules on user attributes rather than only on user identity or group membership. For example, as Figure 1 shows, I defined a rule that grants application access to all users whose title contains the string admin. You can't get that level of granularity with the built-in security subsystems of Apache, Netscape, or IIS.

Another nice touch is the Entitlements Manager's Test feature, which let me test my defined rules without opening a URL in a Web browser. During a test, I could select a User, a Web Server, and a URI, as Figure 2 shows, then click Test to see how ClearTrust would process the rule. My only complaint about the Test feature is that it let me test rules only as they applied to individual user accounts, not as they applied to the user groups I'd created. You can make certain assumptions about a user's rights according to the user's group, but doing so leaves room for error and doesn't completely test group rights as a whole. Securant would do well to add a way to test group policies.
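To make the access model concrete, here is an added, self-contained Python sketch. It is not ClearTrust's code or Securant's API; it models the concepts the review describes, i.e., realms of Web servers, applications keyed by URI, group rules, an attribute Smart Rule like the title-contains-admin rule in Figure 1, and a dry run of (user, Web server, URI) like the Test feature, plus the group-level test the review asks for. Host names, the rule syntax, the default-deny, and the URI canonicalization step are all assumptions.

```python
"""Toy Web-entitlement engine (added illustration, not ClearTrust code).

Models realms of Web servers, per-URI applications, group rules,
attribute 'smart rules', and a dry-run test of (user, server, URI).
Names, defaults and canonicalization policy are assumptions.
"""
from dataclasses import dataclass, field
from posixpath import normpath
from urllib.parse import unquote


@dataclass
class User:
    name: str
    groups: frozenset = frozenset()
    attrs: dict = field(default_factory=dict)  # e.g. {"title": "Web Admin"}


@dataclass
class Rule:
    effect: str          # "allow" or "deny"
    kind: str            # "user", "group" or "attr"
    key: str             # user name, group name, or attribute name
    contains: str = ""   # for kind == "attr": case-insensitive substring

    def matches(self, user):
        if self.kind == "user":
            return user.name == self.key
        if self.kind == "group":
            return self.key in user.groups
        if self.kind == "attr":
            return self.contains.lower() in user.attrs.get(self.key, "").lower()
        raise ValueError("unknown rule kind %r" % self.kind)


def canonical_uri(uri):
    """Decode once and collapse dot-segments so one resource has one key.

    Without this, a rule keyed on '/admin/' would not see '/admin/../admin/'
    or '/%61dmin/' as the same application. (Assumption: the Web server
    resolves paths the same way; match its behaviour in a real deployment.)
    """
    path = unquote(uri.split("?", 1)[0])
    trailing = path.endswith("/")
    path = normpath("/" + path.lstrip("/"))   # lstrip avoids '//host' quirks
    return path + "/" if trailing and path != "/" else path


class Entitlements:
    def __init__(self):
        self.realms = {}   # server host -> realm name
        self.apps = {}     # (realm, canonical URI) -> [Rule, ...]

    def add_server(self, host, realm):
        self.realms[host] = realm

    def protect(self, realm, uri, *rules):
        self.apps[(realm, canonical_uri(uri))] = list(rules)

    def decide(self, user, host, uri):
        """Return (allowed, reason). Unknown server or URI -> deny (fail closed)."""
        realm = self.realms.get(host)
        if realm is None:
            return False, "server %s is in no realm" % host
        key = canonical_uri(uri)
        rules = self.apps.get((realm, key))
        if rules is None:
            return False, "no application defined for %s" % key
        hits = [r for r in rules if r.matches(user)]
        if any(r.effect == "deny" for r in hits):
            return False, "explicit deny"
        allows = [r for r in hits if r.effect == "allow"]
        if allows:
            return True, "allow via " + ", ".join("%s:%s" % (r.kind, r.key) for r in allows)
        return False, "no matching allow rule"

    def test_group(self, group, host, uri):
        """Dry-run a bare member of the group. Attribute rules cannot fire
        for this synthetic user, so a real member may get a different answer;
        that is the gap a user-only Test feature leaves open."""
        return self.decide(User("<member of %s>" % group, frozenset([group])), host, uri)


def build_demo():
    """Constructed sample policy; hosts and users are made up."""
    e = Entitlements()
    e.add_server("www1.example.com", "intranet")
    e.add_server("www2.example.com", "intranet")
    e.protect("intranet", "/admin/",
              Rule("deny", "group", "contractors"),
              Rule("allow", "attr", "title", contains="admin"))
    e.protect("intranet", "/reports/q3.html",
              Rule("allow", "group", "finance"))
    return e


DEMO = build_demo()
ALICE = User("alice", frozenset({"staff"}), {"title": "Systems Administrator"})
BOB = User("bob", frozenset({"contractors"}), {"title": "Contract Admin"})
CAROL = User("carol", frozenset({"finance"}), {"title": "Analyst"})

if __name__ == "__main__":
    for who, host, uri in [(ALICE, "www1.example.com", "/admin/"),
                           (BOB, "www1.example.com", "/admin/../admin/"),
                           (CAROL, "www2.example.com", "/reports/q3.html"),
                           (CAROL, "www2.example.com", "/admin/")]:
        print(who.name, uri, DEMO.decide(who, host, uri))
    print("group staff on /admin/:", DEMO.test_group("staff", "www1.example.com", "/admin/"))
```

Two points the sketch makes that the screenshots cannot: any per-URI policy keyed on the request string must canonicalize the path the same way the Web server does, or two spellings of one path can get two different decisions; and a group-only dry run (test_group) does not settle what a real member of that group gets, because attribute rules such as the title rule only fire on a real account's attributes. In the demo, alice (group staff) is allowed into /admin/ by the title rule while a bare member of staff is not.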

Overall, the Entitlements Manager, with its tab-style interface, is well designed. The tabs eliminate commands buried in drop-down menus and shorten the learning curve for the administrative interface. And although the Java implementation made Entitlements Manager run much slower than a native desktop application, it also let me run the tool on any device that supported Java. This portability lets the product fit well into diverse network environments.

Although fairly easy to use, ClearTrust is complex under the hood. The product's granular control required some study, but with the well-written documentation and an onsite engineer to answer questions, the learning curve wasn't steep enough to add significant overhead to the total cost of ownership (TCO). The printed documentation was extensive enough to answer every question that came up during my tests. In addition, I found Securant's onsite support staff to be well educated about the product: Mr. Salinas quickly and easily solved all the problems I encountered.

If you operate a large Web farm and need a good SSO method or want to integrate diverse platforms into one authentication system, I highly recommend that you put ClearTrust on your shortlist. This product is definitely worth a close look.

ClearTrust SecureControl 4.0
Contact: Securant Technologies * 415-315-1500
Web: http://www.securant.com
Price: $20 per user; quantity discounts available
Decision Summary
Pros: Supports multiple Web server platforms; lets you define diverse access rules; includes an onsite visit by a Securant engineer for assistance with initial installation; provides source code for administration interface; provides Java and C-based APIs; ships with a database server
Cons: Web application setup is inflexible and somewhat cumbersome; test feature can't test user groups; granular control can be slightly cumbersome