Asia's Source for Enterprise Network Knowledge

Sunday, April 21st, 2019

Secure Your Cloud

Protecting ‘identity’ perimeter without harming app experience

Fifty-three percent of Asia Pacific respondents to a recent study on users’ app usage behavior prioritize security over convenience. On the other hand, in countries like India, Indonesia and the Philippines where digital adoption is rapidly growing, respondents have largely prioritized convenience over security.

These findings point to the need for application security efforts to begin with understanding the application environment so as to maintain smooth workflow and user productivity. 

Know what applications you have – the apps your organization needs and the apps you build that your customers depend on – and what data repositories they access. Scan and inventory internal apps regularly and work with the developer team to track down applications, future app plans, and development environments. For external apps, you can engage a cloud access security broker to count and track app usage. 

To streamline processes and make them user-friendly while also preventing attacks, you should also understand how apps enable user access and how apps can be compromised by attackers.

Criminals at the gate 

The F5 Labs Application Protection Report 2018 showed that 86% of the breaches analyzed started with an attack that targeted the application itself or a user with credentials for the app. Application access was targeted in 33% of the breaches.

Already, access control attacks as varied as credential stuffing, brute-force attacks by botnets, man-in-the-middle attacks, and credential theft through phishing provide ample cause for organizations to protect the ‘identity’ perimeter.

To this end, F5 Networks adopts a contextual, dynamic, and risk-based approach to application access to improve the user experience while allowing customized policies and controls to stay consistent wherever the app is deployed. Centralized authentication and access control support users wherever they are and with whatever device they’re using.

“The identity perimeter is about securing who can access what, and it has three key parts,” explained Graham Alderson, senior engineer of Global Customer Solutions at F5 Networks. “First, we need the ability to securely identify our users – this is where multi-factor authentication is helpful. Second, we need to extend that identity to applications – this is where we use federation. 

“Third, we must also require that identity to be used for access to everything so that we have a single point of control and ability to inspect the device – this is where an access proxy is helpful.”

Unlike access proxy solutions that are limited in what clouds they can be deployed in, what identity vendors they can consume from, or what controls they can enforce, the F5 Access Manager offers a flexible, high-performance proxy solution that ensures unified global access management.

For example, it offloads and simplifies authentication by leveraging SAML, OAuth and OIDC for a seamless and secure user experience, even for legacy applications that cannot speak those protocols themselves. Its context-sensitive policies with guided configuration protect sensitive data with a Zero Trust model while delivering access to users, devices and APIs for increased business efficiency. Real-time web form encryption also safeguards credentials and helps prevent fraud.

Seamless security

A virtual edition of F5 Access Manager with high-capacity licensing enables your IT organization to scale and bridge on-prem app functionality to the cloud, integrating with identity-as-a-service (IDaaS) capabilities to support evolving heterogeneous environments – all through a single point of control.

To simplify user authentication and authorization, you can federate user identity; support Single Sign-On (SSO) to on-premises, cloud-hosted and SaaS-based apps; and drive adaptive multi-factor authentication. You can unify identity for secure remote and mobile access and accelerate secure access to virtual desktop infrastructure through a single gateway. 

Secure web access is simplified through the F5 BIG-IP Access Policy Manager (APM), which proxies web apps for authentication, authorization, and endpoint inspection. BIG-IQ Centralized Management, meanwhile, enables your organization to centrally create, manage, and deploy access policies while monitoring app access and usage, and the F5 Advanced WAF helps ensure apps and data are accessed only by authorized users.

All of this is done with a seamless user experience in mind. At US-based Motorists Insurance Group, a new agent portal gives customers – primarily independent insurance agents – SSO capabilities that span its Episerver IaaS and on-premises Guidewire InsuranceSuite application. 

A customer simply signs on to an online portal using Okta, an IDaaS provider and F5 partner. Okta then passes a Security Assertion Markup Language (SAML) assertion to F5’s BIG-IP Access Policy Manager located on-premises. 

There, a custom iRule generates a JSON token carrying the key attributes Episerver requires, which grants the appropriate access to the multiple systems on the back end. Where the previous online portal required separate sign-ons to several disconnected systems, the customer now sees a clean, modern login screen, followed by a single page delivering the application access they require. 
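The proxy-side translation described above (identity-provider attributes in, application token out) is worth seeing end to end, including what the back end must check before trusting the token. The example below is added here and is not Motorists' iRule, Okta code or any F5 product code. It assumes the "JSON token" is a JWT signed with HMAC-SHA256 over a secret shared between the access proxy and the back end; the attribute names, secret, issuer and audience values are all constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import time


class TokenError(Exception):
    """Raised when a token fails signature, issuer, audience or expiry checks."""


# Constructed sample: the attributes an access proxy would extract from the
# identity provider's SAML assertion after SSO. Names are illustrative only.
SAML_ATTRIBUTES = {
    "NameID": "jane.doe@example-agency.com",
    "email": "jane.doe@example-agency.com",
    "agencyId": "AG-10423",
    "groups": ["agents", "quote-submit"],
}

# Assumed shared secret between proxy and back end (demo value only).
PROXY_SECRET = b"demo-only-secret-rotate-in-production"
ISSUER = "access-proxy.example.com"    # assumed proxy identity
AUDIENCE = "portal-backend"            # assumed back-end application name


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def json_bytes(obj) -> bytes:
    # Compact, key-sorted encoding so both sides sign identical bytes.
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def mint_token(attributes, secret, issuer, audience, now=None, ttl=300) -> str:
    """Proxy side: translate IdP attributes into a short-lived HS256 JWT."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": issuer,
        "aud": audience,
        "sub": attributes["NameID"],
        "iat": now,
        "exp": now + ttl,          # short lifetime bounds the replay window
        "email": attributes["email"],
        "agency_id": attributes["agencyId"],
        "roles": attributes["groups"],
    }
    signing_input = f"{b64url(json_bytes(header))}.{b64url(json_bytes(payload))}"
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def verify_token(token, secret, issuer, audience, now=None) -> dict:
    """Back-end side: accept the token only if every check passes."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        raise TokenError("bad header")
    # Pin the algorithm; never let the token choose (blocks alg=none tricks).
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time compare; mismatched lengths return False, no exception.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    # Only parse claims after the signature is known good.
    payload = json.loads(b64url_decode(payload_b64))
    if payload.get("iss") != issuer:
        raise TokenError("wrong issuer")
    if payload.get("aud") != audience:
        raise TokenError("wrong audience")
    if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        raise TokenError("expired")
    return payload


def is_accepted(token, secret=PROXY_SECRET, issuer=ISSUER,
                audience=AUDIENCE, now=None) -> bool:
    """True if the back end would honour this token, False on any failure."""
    try:
        verify_token(token, secret, issuer, audience, now)
        return True
    except TokenError:
        return False


if __name__ == "__main__":
    tok = mint_token(SAML_ATTRIBUTES, PROXY_SECRET, ISSUER, AUDIENCE, now=1_700_000_000)
    print(verify_token(tok, PROXY_SECRET, ISSUER, AUDIENCE, now=1_700_000_010))
```

The point a practitioner should take from this is on the verifying side: a token is not trustworthy because it arrived on the path from the proxy, but because its signature, issuer, audience and expiry were checked with the algorithm pinned by the verifier. If the back end should not hold the signing secret at all, swap HS256 for RS256 or ES256 so the proxy signs with a private key and the application verifies with the public one.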

“The faster and simpler your online portal is, the more likely it is that insurance agents will give you their clients’ business,” says Jason Wing, workplace services manager at Motorists. “To stay competitive, we needed to improve our portal experience.” 

This is a QuestexAsia blog post commissioned by F5 Networks Asia Pacific.