KuppingerCole Report
Executive View
By John Tolbert

PortSys Total Access Control

Zero Trust Architecture requires proper authentication and authorization for each access request in the digital domain. To meet strategic Zero Trust initiatives, access management tools must serve ever more complex environments, ranging from contemporary cloud-hosted applications to legacy on-premises applications that do not conform to current access control standards. PortSys Total Access Control is an access management solution that can help customers improve their authentication, authorization, and Single Sign-On capabilities and integrate with existing identity repositories.

1 Introduction

Businesses, government agencies, and non-profit organizations of all sizes have increasingly complex requirements for managing access to their digital resources. With cybercrime and fraud growing in volume and sophistication, access management has become a front-and-center issue for executives, managers, and users alike.

Access management solutions generally contain a core set of functions including authentication, authorization, identity federation, and Single Sign-On (SSO). Access management is a large subset of Identity and Access Management (IAM), which encompasses identity proofing, provisioning, credential issuance, identity repositories, lifecycle management, governance, entitlements management, access reconciliation, deprovisioning, and audit.

Client-server access management was well established by the turn of the millennium and relied upon the fairly static generation and maintenance of users, groups, and roles. Entitlements were coarse-grained permissions contained in Access Control Lists (ACLs). Web access management evolved to meet the different technical requirements of that environment, which largely utilized browser cookies, HTTP headers, and encoded URLs as workarounds for the lack of notions of statefulness and user identity in the online world. Identity federation arrived in the early 2000s to enable SSO between web domains. Authorization and entitlement management have been extended to allow more fine-grained, attribute and policy-based access controls.

Many legacy applications still need to be supported and need to cooperate with enterprise access management systems. For legacy apps that do not work with IAM solutions, a common alternative is to place the application infrastructure behind reverse proxy server(s). In this scenario, the application servers and databases are generally located on isolated VLANs, with a reverse proxy mediating access to the legacy application. The reverse proxies are configured to intercept user requests, interact with authentication and authorization services, and allow or deny access in accordance with enterprise policies.

Each of the areas within broader IAM, and access management specifically, has been componentized and offered "as-a-Service" by vendors. Adherence to pertinent IAM standards allows interoperability between products and service providers. Some products and services offer discrete functions such as authentication; others serve as Identity Providers (IdPs), addressing the functions of identity verification, credential issuance and maintenance, governance and lifecycle, etc.; and yet others offer the full stack of IAM capabilities. Some vendors in the IAM space were early not only to support cloud-based applications, but also to create cloud-native identity services, often called Identity-as-a-Service (IDaaS). While current IAM products and IDaaS solutions cover a large percentage of use cases, many organizations still struggle to integrate modern IAM systems with non-standard client-server (legacy) applications.

Besides having a wide range of possible applications, data types, and user identity repositories, managing access is further complicated by the fact that organizations need to allow users outside their home organizations "in" to their resources, which may be in their data centers or in various cloud locations. Depending on the use cases, employees, contractors, B2B customers, and consumers may need to be managed. Moreover, these additional users access resources from disparate types of devices, many of which are not under the control of the target enterprise. Device identity, reputation, and health can and should be considered as attributes in access control decisions.

Authentication has been one of the areas within access management that has experienced the most technical advancement. Researchers and vendors have sought to address the inherent weaknesses of password-based authentication and have thus developed many different kinds of authenticators and protocols to increase assurance levels. Biometrics on mobile devices, out-of-band applications, mobile push notifications, and a variety of hardware tokens are noteworthy examples.

Authentication and authorization services, as two key ingredients in access management solutions, are important threads in Identity Fabrics, which are gaining traction in industry today. An Identity Fabric is an architecture that can be composed of disparate data sources and capabilities delivered as discrete services. Identity Fabrics permit organizations to add and upgrade segments of their infrastructure or contract with service providers to meet business objectives in a more agile manner. Given the widespread availability and adoption of cloud-hosted services running the gamut from IaaS to PaaS to SaaS, more vendors are packaging their solutions in containers such that they can provide the same types of functions regardless of deployment models. This means that on-premises software ships as images or virtual instances that can be deployed on most of the common operating systems or IaaS/PaaS platforms or made available as micro-services via the vendor or MSPs.

Zero Trust Architecture (ZTA) has arisen over the past decade and has become a primary means of addressing access control use cases. ZTA, usually summarized as "Never trust, always verify", is an embodiment of the principle of least privilege, and at its core mandates that every access request be properly authenticated and authorized. Thus, access management is a foundational element for ZTA. Proper access management in service of ZTA means taking into account the requesting user's attributes, authentication context, environmental context, permissions and roles, source device information, and the requested resource's attributes. Zero Trust Architecture implies a concept where clients can access services from anywhere, without relying only on internal network security mechanisms and IAM. In fact, ZTA has become the strategic IT security paradigm for many services and products.

The key requirements most organizations look for in ZTA-enabling access management solutions are:

  • Support for multiple authenticator types, such as:

    • Smart Cards, USB tokens, and older form factor hardware tokens

    • Mobile apps and push notifications

    • X.509 certificates

    • Biometrics, especially mobile biometrics leveraging native OS capabilities

    • OTP: HOTP/TOTP over phone, email, and SMS

  • Availability of a mobile SDK for customers to write their own secure apps

  • Adherence to a policy-based access control model, so that IT departments and Line of Business application owners can define risk-appropriate access control rules

  • Enforcement of configurable actions including permit, step-up authentication, deny, lock account/device, etc.

  • Integration with legacy applications using proprietary means and other IAM systems to allow SSO, usually via cookie support

  • Support for identity federation via OAuth2, OIDC, JWT, and SAML

  • Integration with SIEM, SOAR, UBA, and other security systems

  • Provide administrators with management dashboards and configurable reporting

  • Allow for delegated and role-based administration within the solution
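The reverse-proxy pattern described in the Introduction (intercept the request, consult authentication and authorization services, then allow or deny) and the policy-based requirements listed above come together in a policy decision point. The following is an added illustration written for this page, not PortSys code and not a description of how Total Access Control implements its policies. It assumes a hypothetical gateway that has already collected the user's groups, the authenticators satisfied in the session, device management and health status, and the source network, and it applies risk-tiered rules to return one of the configurable actions the list names: permit, step-up authentication, deny, or lock. Resource names, group names, and the sample requests are constructed.

```python
"""Toy policy decision point for a Zero Trust access gateway (added example,
not vendor code). Every name, threshold and sample request below is
constructed for illustration."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Set


class Decision(str, Enum):
    PERMIT = "permit"
    STEP_UP = "step_up"   # session must satisfy a stronger authenticator
    DENY = "deny"
    LOCK = "lock"         # account locked after repeated failures


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: Set[str]
    auth_methods: Set[str]      # authenticators satisfied in this session
    device_managed: bool        # enrolled in the organization's device management
    device_healthy: bool        # passed the health/posture check
    source_network: str         # "corporate" or "internet"
    resource: str               # path the reverse proxy intercepted


@dataclass(frozen=True)
class Resource:
    owner_group: str            # group entitled to the resource
    sensitivity: str            # "low" | "medium" | "high"


# Authenticators treated as "strong" for step-up purposes (hypothetical set).
STRONG_AUTHENTICATORS = {"totp", "push", "smartcard", "fido"}


class PolicyDecisionPoint:
    """Default-deny evaluator combining user, device, network and resource attributes."""

    def __init__(self, resources: Dict[str, Resource], lockout_threshold: int = 5):
        self.resources = resources
        self.lockout_threshold = lockout_threshold
        self.failures: Dict[str, int] = {}
        self.locked: Set[str] = set()

    def record_failure(self, user: str) -> int:
        """Count an authentication failure; lock the account at the threshold."""
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        if count >= self.lockout_threshold:
            self.locked.add(user)
        return count

    def evaluate(self, req: AccessRequest) -> Decision:
        if req.user in self.locked:
            return Decision.LOCK
        resource = self.resources.get(req.resource)
        if resource is None:
            return Decision.DENY            # unknown resource: default deny
        if not req.device_healthy:
            return Decision.DENY            # unhealthy device is denied everywhere
        if resource.owner_group not in req.groups:
            return Decision.DENY            # coarse entitlement check
        strong = bool(req.auth_methods & STRONG_AUTHENTICATORS)
        if resource.sensitivity == "high":
            if not req.device_managed:
                return Decision.DENY        # high-sensitivity data never leaves managed devices
            if not strong:
                return Decision.STEP_UP
        elif resource.sensitivity == "medium":
            if req.source_network != "corporate" and not strong:
                return Decision.STEP_UP     # off-network access needs MFA
        return Decision.PERMIT


# Constructed resource catalogue and sample requests.
RESOURCES = {
    "/legacy/payroll": Resource("finance", "high"),
    "/crm": Resource("sales", "medium"),
    "/intranet/wiki": Resource("staff", "low"),
}


def demo() -> Dict[str, Decision]:
    pdp = PolicyDecisionPoint(RESOURCES)
    alice_pw = AccessRequest("alice", {"staff", "finance"}, {"password"},
                             True, True, "corporate", "/legacy/payroll")
    alice_mfa = AccessRequest("alice", {"staff", "finance"}, {"password", "totp"},
                              True, True, "corporate", "/legacy/payroll")
    bob_remote = AccessRequest("bob", {"staff", "sales"}, {"password"},
                               False, True, "internet", "/crm")
    bob_onsite = AccessRequest("bob", {"staff", "sales"}, {"password"},
                               False, True, "corporate", "/crm")
    bob_payroll = AccessRequest("bob", {"staff", "sales"}, {"password", "totp"},
                                True, True, "corporate", "/legacy/payroll")
    carol_sick = AccessRequest("carol", {"staff"}, {"password", "push"},
                               True, False, "corporate", "/intranet/wiki")
    unknown = AccessRequest("alice", {"staff"}, {"password"},
                            True, True, "corporate", "/does-not-exist")
    for _ in range(pdp.lockout_threshold):
        pdp.record_failure("dave")
    dave = AccessRequest("dave", {"staff"}, {"password"}, True, True, "corporate", "/intranet/wiki")
    return {
        "alice_password_only": pdp.evaluate(alice_pw),
        "alice_with_totp": pdp.evaluate(alice_mfa),
        "bob_remote": pdp.evaluate(bob_remote),
        "bob_onsite": pdp.evaluate(bob_onsite),
        "bob_payroll": pdp.evaluate(bob_payroll),
        "carol_unhealthy_device": pdp.evaluate(carol_sick),
        "unknown_resource": pdp.evaluate(unknown),
        "dave_locked": pdp.evaluate(dave),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision.value}")
```

The evaluation order matters for a defender: lock and default-deny checks come first so that a locked account or an unregistered resource can never fall through to a permit, device health is checked before any entitlement logic, and step-up is only offered once the coarse entitlement check has passed, so the gateway never prompts a user for MFA on a resource they are not entitled to in the first place.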

2 Product Description

PortSys is a privately funded company that was founded in 2008 and based in Marlborough, Massachusetts. PortSys started out building security applianc ...

VPN utilization had been growing for years, but with the rapid shift to Work From Home (WFH) as a result of the pandemic, VPNs have become the princip ...


3 Strengths and Challenges

The need for strong MFA options continues to grow in response to Account Takeover attacks, data breaches, ransomware, and other cyber threats. Tighter ...


Copyright

©2021 KuppingerCole Analysts AG, all rights reserved. Reproduction and distribution of this publication in any form is forbidden unless prior written permission is obtained. All conclusions, recommendations and predictions in this document represent KuppingerCole's initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaims all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole does not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

KuppingerCole Analysts support IT professionals with outstanding expertise in defining IT strategies and in relevant decision-making processes. As a leading analyst company, KuppingerCole provides first-hand vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business.

KuppingerCole, founded in 2004, is a global, independent analyst organization headquartered in Europe. We specialize in providing vendor-neutral advice, expertise, thought leadership, and practical relevance in Cybersecurity, Digital Identity & IAM (Identity and Access Management), Cloud Risk and Security, and Artificial Intelligence, as well as for all technologies fostering Digital Transformation. We support companies, corporate users, integrators and software manufacturers in meeting both tactical and strategic challenges and make better decisions for the success of their business. Maintaining a balance between immediate implementation and long-term viability is at the heart of our philosophy.

For further information, please contact clients@kuppingercole.com.
