Novell is expanding its access management solution today with the addition of new federation options, new client support and new functionality that monitors clients to ensure compliance with security policy, similarly to Network Access Control (NAC).
But don’t call it a NAC.
Novell’s new Access Manager 3.1 release comes as the market for access control solutions continues to heat up, with IBM, CA and Oracle ramping up their own offerings. The new release also borrows from Novell’s partnership with Microsoft, which plays a key role in the interoperability of the two companies’ wares.
“The goal in designing Access Manager is about how we simplify the management and deployment of securing access to web as well as enterprise applications,” Lee Howarth, product manager for identity and security at Novell, told InternetNews.com.
A chief addition to the product is improved support for federation — a mechanism by which users can be authenticated across different security domains — through its support of WS-Federation, a specification developed by many of the major players in enterprise identity federation, including Novell. Getting WS-Federation into Access Manager adds compatibility with key business applications, and in particular, Microsoft’s SharePoint collaboration suite.
“One of the key differences of adding WS-Federation is its providing more value than just single sign-on across organizational boundaries,” Howarth said. “This is now providing a business value.”
“If you’ve got a lot of different identity stores across your organization, and you need to provide access to outside business partners, it can become difficult to manage identities,” he added.
WS-Federation is an enhancement to the federation frameworks Access Manager already supported: the Novell Access Manager 3 release, which debuted in October 2006, included support for SAML 2.0.
With Access Manager 3.1, Howarth explained, once Access Manager has authenticated a user, it doesn’t matter whether they are listed in eDirectory, iPlanet, Active Directory or any other compliant identity store — they can now get single sign-on through to Microsoft SharePoint without having to manage individual identities in the SharePoint identity store.
“The way it works is we transform the identity … into claims,” Howarth said, adding that those, in turn, interoperate with Active Directory Federation Services (ADFS), Microsoft’s implementation of WS-Federation.
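The identity-to-claims transformation Howarth describes, as an added illustration rather than Novell’s code: records from different identity stores are normalized onto one WS-Federation claim set using the standard claim type URIs that ADFS consumes. The attribute names, the store names and the sample records are assumptions, not Access Manager configuration.

```python
# Claim type URIs from the WS-* identity claims namespace that ADFS consumes.
CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
NAME = CLAIMS_NS + "name"
EMAIL = CLAIMS_NS + "emailaddress"
UPN = CLAIMS_NS + "upn"

# Per-store attribute -> claim type mappings. The attribute names are typical
# LDAP/AD schema names and are an assumption, not Novell's configuration.
STORE_MAPS = {
    "edirectory":       {"cn": NAME, "mail": EMAIL},
    "iplanet":          {"uid": NAME, "mail": EMAIL},
    "active_directory": {"sAMAccountName": NAME, "mail": EMAIL,
                         "userPrincipalName": UPN},
}
REQUIRED_CLAIMS = (NAME, EMAIL)


def to_claims(store, attributes, default_upn_domain):
    """Map a directory record onto a store-independent claim set.

    Unmapped attributes are dropped so internal data never reaches the relying
    party, required claims are enforced, and a UPN is derived when the store
    has none, so SharePoint sees the same claims whichever directory authenticated.
    """
    if store not in STORE_MAPS:
        raise ValueError(f"no claim mapping configured for store {store!r}")
    mapping = STORE_MAPS[store]
    claims = {}
    for attr, value in attributes.items():
        claim_type = mapping.get(attr)
        if claim_type is None or not isinstance(value, str) or not value.strip():
            continue
        claims[claim_type] = value.strip()
    missing = [c for c in REQUIRED_CLAIMS if c not in claims]
    if missing:
        raise ValueError(f"record from {store} lacks required claims: {missing}")
    claims.setdefault(UPN, f"{claims[NAME]}@{default_upn_domain}")
    return claims


# Constructed sample records for the same person held in two different stores.
EDIR_RECORD = {"cn": "jsmith", "mail": "jsmith@example.com",
               "loginDisabled": "FALSE", "groupMembership": "cn=eng,o=example"}
AD_RECORD = {"sAMAccountName": "jsmith", "mail": "jsmith@example.com",
             "userPrincipalName": "jsmith@example.com", "objectSid": "S-1-5-21-constructed"}

if __name__ == "__main__":
    for store, record in (("edirectory", EDIR_RECORD), ("active_directory", AD_RECORD)):
        print(store, to_claims(store, record, "example.com"))
```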
Teaming with Microsoft
Howarth said that Novell worked very closely with Microsoft to not only develop the functionality, but to test it. Novell and Microsoft have a joint interoperability and development partnership that dates back to November of 2006.
As part of the technical collaboration, Novell Access Manager integrates with Windows CardSpace, a technology included in Microsoft’s Windows Vista operating system that securely stores and transmits personal identities.
The pair’s joint work also comes into play with the open source Bandit identity management framework, which aims to create an identity fabric for the Web, unifying disparate silos of identity management.
As a result, Access Manager 3.1 can both accept and create cards that can be used wherever CardSpace identities are accepted. Howarth added that Novell, through the Bandit project, has also created CardSpace clients for Mac and Linux.
Cross-platform compatibility is also an area where Access Manager 3.1 has improved its included SSL-VPN.
To NAC or not to NAC?
Access Manager 3.1 also delivers client integrity checking that will identify whether an endpoint has the proper security in place. Howarth added that integrity checking now also occurs continuously, so that if a firewall is disabled for some reason, the Access Manager client will identify that the associated endpoint is out of compliance.
The approach to pre-connect endpoint integrity checking is similar to what network access control (NAC) technologies offer, though Howarth noted that Access Manager 3.1 isn’t exactly the same. Novell also offers a separate NAC product, ZENworks Network Access Control, which debuted in September 2008.
“It’s not specifically related to the Access Manager technology, although we have been exploring where we could use NAC policies in general,” he said. “We haven’t the key pieces that we want just yet.”
Howarth argued that Access Manager is about user identity, as opposed to just network security policy.
“By the fact that you’re actually authenticating to Access Manager, it means we know who you are,” Howarth said. “And we provide mapping capabilities, so we can get you into any other service that is using one of the supported specifications.”