Entrust GetAccess™

Frequently Asked Questions

  1. What is Entrust GetAccess™?
  2. What is authentication?
  3. What is authorization?
  4. Who needs Entrust GetAccess?
  5. How does Entrust GetAccess support Web server access controls?
  6. What if we've already invested in authentication methods?
  7. Does any software need to be installed on client machines?
  8. Why should I care about support for authentication methods I don't even have?
  9. If I use a digital ID, will users need to re-identify themselves to each protected Web server?
  10. How does Entrust GetAccess perform authorization?
  11. What are the advantages of roles-and-rules-based authorization?
  12. Does Entrust GetAccess support mobile devices?
  13. Why is it important that Entrust GetAccess does not cache user information?
  14. Entrust GetAccess delivers session management. Why is this important?
  15. What is SAML?
  16. What is XACML?
  17. How does Entrust GetAccess help provide Secure Identity Management?

  1. What is Entrust GetAccess™?

    Entrust GetAccess is an authentication and authorization solution for Web portal and Identity Management security. With Entrust GetAccess, organizations can more rapidly deploy secure Web applications by plugging them into a common security management framework. This enables organizations to serve millions of customers, suppliers, partners, and employees worldwide with secure, private, and personalized information and services.

  2. What is authentication?

    Authentication is the process by which online applications determine with certainty the identity of a user, device, or other entity.

  3. What is authorization?

    Authorization is based on a set of business rules established by organizations to dictate who is allowed to use which resources, and the conditions under which such resources may be used or accessed.

  4. Who needs Entrust GetAccess?

    Organizations that are moving business services and applications online and who want to establish a single entry point for their customers, suppliers, partners, and employees with minimal risk and upfront cost.

  5. How does Entrust GetAccess enhance Web server access controls?

    To extend the native functionality of Web servers, Entrust GetAccess provides security services that reduce the need to separately administer user authentication information for various Web resources. Aside from saving time and money, an organization can reduce the operational and security risks associated with updating multiple access control mechanisms to reflect change (e.g., employees changing jobs, partnerships dissolving, customers upgrading a service). It can also speed an organization's development and deployment of online services by providing a common security infrastructure that new applications can use, so that new frameworks do not have to be created for each project.

  6. What if we've already invested in authentication methods?

    Entrust GetAccess supports and leverages established security methods, including:

    • Digital IDs from Entrust and other X.509-compliant vendors
    • Custom-developed methods, including biometrics
    • Identification methods such as username/password verification via Netscape Directory Server, Novell NDS, IBM SecureWay Directory, CA OpenDirectory, Siemens X.500 Directory, Microsoft Windows NT/Domain, as well as other LDAP v.2 or v.3 compliant directories and RADIUS servers
    • Two-factor authentication tokens such as RSA SecurID tokens and Secure Computing SafeWord tokens
    • Authentication via Microsoft .NET Passport

  7. Does any software need to be installed on client machines?

    Entrust GetAccess does not require any special plug-ins or browser additions. Users only need a Web browser (Netscape or Microsoft Internet Explorer) or a wireless device that supports Web browsing. Support for a wide range of Web browsers is important for the widespread success of any online initiative.

  8. Why should I care about support for authentication methods I don't even have?

    The fact that Entrust GetAccess supports the leading authentication methods used today gives you the option to extend your security when the value and volume of transactions moving through your portal increase.

  9. If I use a digital ID, will users need to re-identify themselves to each protected Web server?

    Once authenticated by Entrust GetAccess, users may securely access information across applications and even across different Web servers. Provided the user session is still valid, there's no need to sign on again or re-present digital IDs for authentication.

  10. How does Entrust GetAccess perform authorization?

    Entrust GetAccess performs authorization using a roles-and-rules-based approach. First, it determines the roles associated with a user: roles may be stored in the Entrust GetAccess registry, or the user’s group and other profile attributes may be read from an LDAP directory and automatically mapped into business roles. Then, Entrust GetAccess processes all rules associated with protected resources in order to determine which resources the user’s role(s) are entitled to access. A rule may specify that only users with Role A and Role B or Role C may access an application.
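
    The two steps described above (resolve roles, then evaluate rules), as an added generic illustration that is not Entrust GetAccess code. The mapping table, rule table, resource paths and function names are hypothetical, and the rule is assumed to group as "(Role A and Role B) or Role C", which the list-of-alternatives form makes explicit.

```python
# Added illustration of roles-and-rules authorization; not vendor code.
# GROUP_TO_ROLE, RULES and the resource paths are hypothetical sample data.

# Directory group DN -> business role (constructed sample mapping).
GROUP_TO_ROLE = {
    "cn=finance,ou=groups,dc=example,dc=com": "RoleA",
    "cn=managers,ou=groups,dc=example,dc=com": "RoleB",
    "cn=auditors,ou=groups,dc=example,dc=com": "RoleC",
}

# A rule is a list of alternatives; each alternative is a set of roles that
# must ALL be held. "(RoleA and RoleB) or RoleC" is written without any
# reliance on operator precedence.
RULES = {
    "/apps/ledger": [{"RoleA", "RoleB"}, {"RoleC"}],
    "/apps/reports": [{"RoleA"}],
}


def roles_for(registry_roles, directory_groups):
    """Step 1: union of roles stored directly and roles mapped from groups."""
    mapped = {
        GROUP_TO_ROLE[g.lower()]
        for g in directory_groups
        if g.lower() in GROUP_TO_ROLE  # unmapped groups grant nothing
    }
    return set(registry_roles) | mapped


def is_authorized(resource, roles):
    """Step 2: default deny; a missing or empty rule grants no access."""
    alternatives = RULES.get(resource)
    if not alternatives:
        return False
    # An empty alternative would be a subset of every role set, so reject it.
    return any(bool(alt) and alt <= roles for alt in alternatives)


def entitled_resources(roles):
    """All protected resources the given role set may access."""
    return sorted(r for r in RULES if is_authorized(r, roles))
```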

  11. What are the advantages of roles-and-rules-based authorization?

    The primary advantages are increased flexibility and the ability to efficiently respond to change. This approach allows you to effectively create a group of one, and thus flexibly grant access to resources to any user or group of users. This allows users to be treated appropriately in any online interactions based on their total relationship with the organization. With a single click, user roles can be modified and, as a result, a whole new set of resources made available. Similarly, a new service can be rapidly deployed to a new class of users by simply modifying the roles and rules required for access to that resource.

  12. Does Entrust GetAccess support mobile devices?

    The proliferation of digital wireless devices has driven the demand for additional features, including the ability to access Web content anywhere, any time. Entrust GetAccess provides a secure, end-to-end channel from the wireless client to back-end content and services. Entrust GetAccess is mobile gateway independent, and supports Wireless Access Protocol (WAP) enabled phones and Personal Digital Assistant (PDA) devices. It is also possible, through system integration, to use Entrust GetAccess with Palm.net, and i-Mode from NTT DoCoMo.

    In addition to supporting WAP devices, Entrust GetAccess can also personalize content delivery to the latest generation of Windows CE devices that support SSL in the browser. This capability not only allows mobile access to centralized data through the PDA (such as a Compaq iPAQ), but also dynamically formats the data specifically for that device, delivering a more pleasing experience to the end user.

  13. Why is it important that Entrust GetAccess does not cache user information?

    Web servers operate in a relatively unprotected environment commonly referred to as the DMZ, or demilitarized zone. Security experts recommend that Web servers store only information that is of a public nature and has no real monetary or personal value. Many portal security vendors cache user information on the Web server in order to improve performance. While these vendors attempt to protect this cache, it has been regularly proven that Web servers are NOT safe places to keep sensitive information. Entrust GetAccess does NOT cache information at the Web server and thus maintains a higher level of security when compared to other vendor solutions. Entrust GetAccess continues to outpace the performance expectations of our customers even without this Web server caching.

  14. Entrust GetAccess delivers session management. Why is this important?

    Web portals can be very large and comprise several domains. Single Sign-on permits users to enter their authentication details just once at the start of the session and subsequently have authorized access to resources across Web servers and across domains. However, without centralized session management there is no way to effectively implement a Single Sign-off capability. Entrust GetAccess implements a centralized session management capability that controls user sign-on, administrative timeouts, idle timeouts and activity logging. On session termination, ALL session activity is terminated, even across domains. Many portal security vendors require custom development to implement Single Sign-off; without this development, user sessions are NOT properly terminated across domains and may be subject to attack.
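
    Why a central session store makes single sign-off possible, as an added generic sketch that is not Entrust GetAccess code. The class, method names, domain names and timeout values are assumptions; every protected server is assumed to call validate() on each request instead of keeping its own session state.

```python
# Added illustration of centralized session management; not vendor code.
import secrets

IDLE_TIMEOUT = 15 * 60       # seconds without activity (assumed value)
ABSOLUTE_TIMEOUT = 8 * 3600  # administrative cap on session age (assumed value)


class SessionManager:
    """Single authority for session state across all servers and domains."""

    def __init__(self):
        self._sessions = {}  # session id -> {"user", "created", "last_seen"}
        self.log = []        # activity log: (time, event, user, detail)

    def sign_on(self, user, now):
        sid = secrets.token_urlsafe(32)  # unguessable session identifier
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        self.log.append((now, "sign_on", user, ""))
        return sid

    def validate(self, sid, domain, now):
        """Return the user for a live session, or None if it has ended."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s["created"] >= ABSOLUTE_TIMEOUT:
            return self._end(sid, now, "administrative_timeout")
        if now - s["last_seen"] >= IDLE_TIMEOUT:
            return self._end(sid, now, "idle_timeout")
        s["last_seen"] = now
        self.log.append((now, "access", s["user"], domain))
        return s["user"]

    def sign_off(self, sid, now):
        """Single sign-off: one call ends the session for every domain."""
        self._end(sid, now, "sign_off")

    def _end(self, sid, now, reason):
        s = self._sessions.pop(sid, None)
        if s is not None:
            self.log.append((now, reason, s["user"], ""))
        return None
```

    If each server instead cached its own copy of the session, sign_off() would have to reach every cache, which is the gap the paragraph above describes.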

  15. What is SAML?

    SAML (Security Assertions Markup Language) is an initiative of OASIS (Organization for Advancement Structured Information Sciences). SAML enables businesses to more easily and securely interact with other organizations by providing a standard way to define user authentication, authorization and attribute information in XML documents that are exchanged between sites.

  16. What is XACML?

    XACML (XML Access Control Markup Language) is a proposal for an XML syntax for specifying authorization and authorization policies. XACML is expected to address fine-grained control of authorized activities, characteristics of the access requestor, and the protocol over which the request is made.

  17. How does Entrust GetAccess provide Secure Identity Management?

    Entrust GetAccess is a key component of the recently announced Entrust Secure Identity Management Solution, which combines fine-grained Web access control and Web SSO with provisioning, audit, workflow and user self-service capabilities. Entrust GetAccess is used across both administrator and user environments to secure and streamline access to identity information. It can also be extended to provide robust access controls for both internal and external portal content applications. The Entrust Secure Identity Management Solution is unique because of the tighter integration and bi-directional technology sharing between the combined software products.
