
Web Access Management

Definition

Web Access Management applies to technologies that use access control engines to provide centralized authentication and authorization capabilities for Web applications. WAM products may also include basic identity administration, role/rule administration, and audit and federation capabilities, as well as standardized or proprietary integration points for non-Web applications. They may also provide integration with a user-provisioning tool, as well as integration with authentication methods, such as certificate authentication and one-time password products.

User Benefits

Web access management enables organizations to carefully manage access rights to web-based resources on intranets, extranets, portals and exchange infrastructures. With growing numbers of internal and external users, and more and more enterprise resources being made available online, it is critical to ensure that qualified users can access only those resources to which they are entitled. Web access management does just that: it offers business rule-based access management that is easy to deploy and monitor for compliance.

Business Impact

WAM delivers three primary functions for Web applications in the identity access management (IAM) portfolio: an access control "engine" to provide centralized authentication, authorization capabilities for those applications, and an administration overlay to aid in both. The technology is increasingly provided in access product suite bundles, with real integration among components, particularly for administration, policy, and attribute storage and integrated intelligence data. WAM is converging with other access management solutions to contribute to a class of "adaptive access control" solutions, i.e., a means of managing users' entitlements and authentication needs to simplify authentication and better address access-related risks. WAM will eventually give way to broadly scoped access management tools that span the entire spectrum of applications and services. As WAM converges with adaptive access management, it will be augmented by boundary technologies such as data loss prevention (DLP) and network access control (NAC) to provide greater granularity and more context for authorization events.


Products supporting this technology

Web Access Management products originated in the late 1990s, and were then known as Single Sign On. Two of the original products were Computer Associates SiteMinder and Oblix Access Manager. These products were simple in their functional capabilities, but solved an important issue of the time – how to share user credentials across multiple domains without forcing them to log in more than once. The challenge stemmed from the fact that cookies are domain-specific, so there was no simple way to seamlessly transfer a user from one website to another. Since then, Single Sign On has come to mean technology that lets users store all of their passwords in a browser plug-in which auto-fills login screens for them. The new term became known as Web Access Management, because products in this space added the functionality of controlling which resources (Web pages) a user could access, in addition to authenticating them.

During the first decade of the 21st century, WAM has given enterprises quick access to the Web application universe, both for internal Web applications and to link with the Internet and with their customers, partners and other stakeholders. Web access has evolved, however. Combinations of "traditional" Web applications, application components, Web services components and applets and platform services abound, as well as SaaS applications. As a result, this increasingly heterogeneous environment requires some form of adaptive access management beyond core WAM.

WAM technology is part of the overall IAM market, providing the "A" ("access") in IAM with its range of tools and processes. WAM products also provide proprietary integration points for some non-Web applications, in addition to their core function of brokering authentication to Web applications, although the use of WAM for non-Web application access control remains limited. WAM products may also include basic identity administration (IA), basic role/rule life cycle management, and audit and federation capabilities. This is consistent with redefining core WAM as part of a broader adaptive access management offering.

IAM suite vendors that provide WAM as part of a multiproduct solution recommend their own user provisioning and role life cycle management products as a means of incorporating some level of identity administration functionality or integration. The technology can be integrated with other IAM tools such as enterprise single sign-on (but this integration tends to be minimal), Secure Sockets Layer (SSL) virtual private networks (VPNs), public-key infrastructure (PKI), various authentication methods and enterprise fraud management systems.

Web access management enforces corporate security policy compliance, protects enterprise resources from unauthorized access and makes it easier for legitimate users to do their jobs. How? Centralized policy management is the key. Web access management centralizes the establishment and enforcement of policies that control what users can access. More specifically, web access management translates business policies into user access rights and then enforces those rights.

Here’s how it works. A web access management administrator defines the rights needed to access particular corporate resources, say the HR system’s employee performance review page. The administrator makes the rights granular to match corporate policy, so each department’s reviews require specific access rights. For example, Department XYZ manager group membership is required to access Department XYZ reviews. Another administrator assigns users to groups (separation of duty).

When user Joe Manager attempts to access the Department XYZ review page, the web access management system intercepts the request, verifies that Joe Manager is in the Department XYZ manager group, and only then permits Joe to access the department XYZ reviews.

Web access management policies can be static (for example, based on job responsibility) or dynamic (for example, based on the user’s current location). Web access management can support hybrid policies, or even policies based on external information, where the decision data resides in a separate data repository.
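The request flow described above, as an added sketch that is not taken from any WAM product: a rule combines a static condition (group membership) with a dynamic one (location), group assignment is held separately from policy, and every decision is logged. The class names, path, group and location labels are constructed, and denying requests that match no policy is an assumption of this sketch.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Rule:
    required_group: str                         # static condition
    allowed_locations: frozenset = frozenset()  # dynamic condition; empty means any

@dataclass
class AccessManager:
    policies: dict = field(default_factory=dict)  # path prefix -> Rule (policy administrator)
    groups: dict = field(default_factory=dict)    # user -> groups (a different administrator)
    audit: list = field(default_factory=list)     # centralized decision log

    def _match(self, path):
        # Match whole path segments only; the longest matching prefix wins.
        hits = [p for p in self.policies
                if path == p or path.startswith(p.rstrip("/") + "/")]
        return max(hits, key=len) if hits else None

    def authorize(self, user, path, location):
        prefix = self._match(path)
        if prefix is None:
            ok, reason = False, "no policy for resource (default deny, an assumption)"
        else:
            rule = self.policies[prefix]
            if rule.required_group not in self.groups.get(user, set()):
                ok, reason = False, f"not in group {rule.required_group}"
            elif rule.allowed_locations and location not in rule.allowed_locations:
                ok, reason = False, f"location {location} not permitted"
            else:
                ok, reason = True, "policy satisfied"
        self.audit.append((user, path, location, ok, reason))
        return ok

def demo():
    # Constructed sample data modelled on the Department XYZ example.
    wam = AccessManager()
    wam.policies["/hr/reviews/xyz"] = Rule("xyz-managers", frozenset({"corp-lan"}))
    wam.groups["joe.manager"] = {"xyz-managers"}
    wam.groups["ann.analyst"] = {"xyz-staff"}
    decisions = [
        wam.authorize("joe.manager", "/hr/reviews/xyz/2024", "corp-lan"),
        wam.authorize("joe.manager", "/hr/reviews/xyz/2024", "home-vpn"),
        wam.authorize("ann.analyst", "/hr/reviews/xyz/2024", "corp-lan"),
        wam.authorize("joe.manager", "/hr/reviews/xyzzy", "corp-lan"),
    ]
    return wam, decisions

if __name__ == "__main__":
    for entry in demo()[0].audit:
        print(entry)
```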

What else can web access management do? One of the biggest efficiency boosters is single sign-on (SSO). With a web access management solution that supports SSO, users can gain transparent access across protected sites, even when they travel from the corporate site to business partners’ sites. Web access management does this by authenticating the user and then creating a secured, encrypted token as proof of the authentication. The secured token travels along with the user through browser cookies, or in the case of cross-domain traversals, SAML assertions. When the destination site receives, decrypts and validates the token or assertion, it uses the token’s data instead of making the user re-authenticate.
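The token hand-off described above, as an added sketch that is not any vendor's token format: the authenticating site issues a token and the destination site validates it before trusting its data. As a simplification, this token is integrity-protected with HMAC-SHA256 and given an expiry, but it is not encrypted; the key, claim names and function names are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed key; assumed to be shared by the WAM server and the protected sites.
KEY = b"constructed-demo-key-not-for-production"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _tag(body: str) -> str:
    return _b64(hmac.new(KEY, body.encode(), hashlib.sha256).digest())

def issue_token(user, groups, ttl=900, now=None):
    """Called after a successful login: proof of authentication plus expiry."""
    now = int(time.time()) if now is None else now
    claims = {"sub": user, "groups": sorted(groups), "exp": now + ttl}
    body = _b64(json.dumps(claims).encode())
    return f"{body}.{_tag(body)}"

def validate_token(token, now=None):
    """Called by the destination site: claims if authentic and unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        body, tag = token.split(".")
        # Check the MAC in constant time before parsing anything in the body.
        if not hmac.compare_digest(tag, _tag(body)):
            return None
        claims = json.loads(_unb64(body))
    except (ValueError, TypeError):
        return None  # malformed token: treat as unauthenticated
    return claims if claims.get("exp", 0) > now else None

if __name__ == "__main__":
    t = issue_token("joe.manager", {"xyz-managers"})
    print(validate_token(t))
```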

The most common use cases for core WAM are:

  • Extranet access, Web SSO: Core WAM functions are ideal for enterprises that wish to provide remote access and SSO functionality to Web applications in a consistent fashion, for remote employees, partners, citizens or consumers.
  • Intranet access, Web SSO: Core WAM functions can be used to implement a single method of access to internal Web applications within an enterprise network perimeter.
  • Portal access: Core WAM functions (which may include Web SSO) are provided as an access management "front-end" to a portal implementation. Often, the WAM solution will be integrated with portal authentication, authorization and administration functions.
  • Multiple SaaS access: Core WAM functions or WAM plus federation can be used to provide Web SSO and access management functions for employees that wish to consume multiple SaaS applications running in a private- or public-cloud environment.
  • Federation participant: Core WAM can be used as the access point for a federated network of WAM connections to provide authentication across multiple companies, divisions or separate networks where necessary.

Using a WAM technology, an enterprise benefits from:

  • Managing Risk - The technology enables organizations to manage risk by securing access to web applications within intranets, extranets, portals, and consumer-facing apps.
  • Ensuring Compliance - The technology enables organizations to support compliance initiatives through centralized user access policy management and enforcement, and through faster audits enabled by centralized user activity logging and reporting.
  • Reduced Costs - The technology reduces costs by centralizing the management of user identities and user privileges across multiple applications and domains, greatly reducing the administrative burdens of managing disparate identity management systems. The benefit of single sign-on to protected applications is reduced Help Desk costs through minimized password reset calls.
  • Improved End User Experience - The technology provides an improved end user experience through seamless web single sign-on to multiple web applications protected by the product, since end users only need to remember one password to access multiple applications.

An implementation has to include:

  • Plans - will help ensure that the web access management strategy is aligned with business and IT objectives.
  • Architecture - work with IT, network, user communities and application owners to understand your environment. With this understanding, your business and technical requirements can then be turned into an architecture that captures the best solution for your needs.
  • Pilot, test and implement - hands-on knowledge transfer will help you avoid potential pitfalls and implement the web access management solution as quickly and as cost-effectively as possible.
  • Training - ensures that the staff has the knowledge it needs to operate a successful web access management solution. Web access management technology classes are offered in our classrooms or can be given onsite at your locations.
  • Project management - project managers can smooth your web access management implementation process when you leverage their lessons learned.