Reference Code: TA001441SEC
Publication Date: July 2008
Author: Aanchal Sabharwal, Angela Eager, and Somak Roy

TECHNOLOGY AUDIT
CA SiteMinder Web Access Manager r12
CA

BUTLER GROUP VIEW

ABSTRACT

CA SiteMinder Web Access Manager provides policy-based authentication and authorisation, supports multiple advanced authentication techniques, identity federation, and single sign-on for Web applications. Traditionally, access management infrastructure has been developed separately for each Web application, leading to duplication and limited control and audit capability. SiteMinder provides centralised capabilities plus extensive additional facilities. Butler Group is impressed with its fine-grained authorisation capabilities, support for advanced authentication techniques, support for a good range of user directories, identity federation based on established standards, and the scalable architecture. Overall, SiteMinder is an impressive solution for mid-sized and large companies that use numerous Web applications to deliver sensitive or business-critical data.

KEY FINDINGS

- Supports a wide range of advanced authentication techniques.
- Administrative module supports multilevel category and scope delegation.
- Supports a wide range of user directories, including mainframe user stores.
- Multilateral identity federation available through a separately licensable module.
- Identity federation through established standards.
- Scales to hundreds of millions of users and hundreds of thousands of policies.
- Lacks site- and server-based licensing until transactions become large scale.
- Integrates with related CA Identity and Access Management solutions.

LOOK AHEAD

Support for Microsoft Windows CardSpace, strong authentication/risk management, enhanced federation.

Butler Group. This Technology Audit is a licensed product and is not to be photocopied Page 1
FUNCTIONALITY

Web applications are used for a wide range of requirements, from delivering financial transactions and line-of-business applications to pure information dissemination, as well as delivering services to both an internal audience and external partners and customers. Organisations need to control access to Web applications, which often deliver high-value and sensitive data that is subject to regulatory control. Traditionally, user authentication and authorisation mechanisms were built independently and inflexibly for each major Web application, an approach that reduces visibility as well as being cost inefficient. Also, a typical user requires access to multiple Web applications, and without a mechanism for forwarding the user's credentials to multiple applications (which could be owned by different commercial entities), user fatigue arising from the requirement to log into each application or Web site could set in, leading to lost customers or to security risks such as users resorting to writing passwords down. In addition, Web access technology needs to incorporate authentication tasks performed by partner entities, again to reduce user fatigue and reduce development duplication. Therefore, organisations require a centralised and scalable approach for authenticating users and authorising access to multiple applications, supported by the federation of authentication tasks in a standards-based way.

Product Analysis

CA provides CA SiteMinder Web Access Manager (CA SiteMinder WAM), a Web access management solution that provides fine-grained, policy-governed authentication and authorisation, administrative delegation, identity federation, and Single Sign-On (SSO) capabilities. The solution is aimed at large and medium-sized organisations with a large portfolio of Web applications and often a significant external Web audience.
A part of CA's Identity and Access Management (IAM) suite, the solution integrates with related solutions such as CA Identity Manager, CA SOA Security Manager for controlled access to Web services, and CA Single Sign-On for advanced SSO capabilities for non-Web applications.

At its core, the SiteMinder solution comprises two functional components: the Policy Server and SiteMinder Agents. The Policy Server engine is the Policy Decision Point (PDP) for policies related to authentication and authorisation. The SiteMinder Agents are the Policy Enforcement Points (PEPs) and are deployed on Web servers or via a reverse proxy server to control access to Web server content and application servers. They also regulate access to Java 2 Platform Enterprise Edition (J2EE) components. The Policy Server provides a valuable audit capability which can be used to analyse access history and to aid regulatory compliance.

CA SiteMinder WAM supports a wide range of authentication technologies, including X.509 certificates, one-time password (OTP) tokens, and smart cards, in addition to the ubiquitous user ID and password. With Web transactions increasingly conducted through multiple steps involving a web of commercially distinct entities, federation capabilities are important, and in Butler Group's opinion CA SiteMinder WAM scores well on this front. The solution supports identity federation through Security Assertion Markup Language (SAML) tokens, and WS-Federation via Microsoft's Active Directory Federation Services (ADFS).

Regulatory compliance and the mitigation of risks related to loss of reputation from incidents of identity theft (among other security breaches) are key factors driving consolidated Web access management. For large companies, the aforementioned objectives necessitate a solution with high user scalability, careful monitoring of access patterns, and support for a wide range of common applications and Web and application server platforms.
In Butler Group's opinion, CA scores well on all of the aforementioned requirements.
The SiteMinder solution has proven scalability and is used by BT to manage over 40 million transactions a day and by a large global bank to manage over 100,000 security policies. Crucially, the r12 release adds scope-based delegation capabilities to SiteMinder's administration module. Policies can be highly nuanced, existing policies can be easily reused, and policies can be readily deployed and modified through an XML-based import/export feature. The solution also has good reporting capabilities and bundles Business Objects XI R2 under an OEM arrangement. Furthermore, support for Web servers (agents for Apache, IIS, SunOne, Domino, etc.), application servers (agents for WebLogic and WebSphere), applications, OS platforms, user directories, and authentication schemes is comprehensive. Special SSO agents (separately licensed) are provided for common line-of-business applications from PeopleSoft, Siebel, SAP, and Oracle.

While the feature set is impressive, Butler Group believes the lack of support for site- and server-based licensing at lower user license levels is an area of concern (enterprise or site licenses tend to be negotiated on large transactions of perhaps more than $1m in user licenses). The per-user licensing scheme, while obviously decreasing with volume and, importantly, differentiated for B2C users, might not be fair for instances when user numbers, particularly for peak demand, are hard to predict. CA offers two tiers of per-user pricing: External Users for consumers and partners, and Internal Users for employees. Pricing is proportional to value, with External Users being the lowest cost and Internal Users the highest.

Product Operation

Solution Architecture

CA SiteMinder WAM is comprised of two key components: the Policy Server and Web Agents. The Policy Server acts as the policy decision point, which means it determines whether an individual user's access request is allowed based on the appropriate policy.
Its role is to provide policy management, authentication, authorisation, auditing, and administration tasks. The Web Agents are policy enforcers, tasked with managing access to applications and content based on security policies. They can be used with Web servers, application servers, and enterprise applications like Enterprise Resource Planning (ERP) software. They can also be deployed as part of a reverse proxy server.

All access requests are first intercepted by the Web Agent, and the user has to provide credentials to the Web Agent or to the secure proxy server. These credentials are then transmitted to the Policy Server, which authenticates them against the appropriate user store (such as Lightweight Directory Access Protocol (LDAP) directories, databases, and mainframes). Where entitlements match, the user is granted access, assuming that they meet the requirements of the authorisation policy. The entitlement information and the user profile are routed to the target application to ensure the delivery of secure and possibly personalised content.
Figure 1: CA SiteMinder WAM Component Architecture (Source: CA)

The following list details the key functional components and attributes of the CA SiteMinder WAM:

Authentication and Authorisation

SiteMinder supports a wide range of authentication techniques including SAML assertions (SAML 1.0, 1.1, 2.0), user IDs and passwords, passwords over Secure Sockets Layer (SSL), OTP tokens (RSA ACE and SecurID), smart cards, custom forms, biometrics, X.509 certificates, or an appropriate combination of factors. CA's unified access management allows authentication and authorisation to work in conjunction to grant the appropriate level of access. For example, a user with a simple password credential can be allowed a lower level of access compared to a user with more secure credentials. Identity federation is based on standards such as SAML and WS-Federation (Microsoft ADFS). Browser-based identity federation requires a separate license on top of a base CA SiteMinder WAM license. SiteMinder provides fine-grained authorisation, allowing authorisation policies to be based on application roles, time, and even type of authentication credential. SiteMinder integrates with CA Single Sign-On, enabling an integrated approach towards implementing SSO for Web-based and non-Web-based applications.
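The intercept, authenticate, authorise flow described under Solution Architecture, together with the policies keyed on application role, time of day and credential strength just listed, can be sketched as a toy policy decision point and enforcement point. The Python below is an added illustration written for this audit and is not CA's code or the SiteMinder API; the user store, the credential-strength levels, the two policies, the header names and the decide() helper are all constructed assumptions.

```python
"""Toy PDP/PEP split: constructed illustration, not SiteMinder's API."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import time
from typing import Optional

# Constructed user store standing in for an LDAP/RDBMS/mainframe repository.
_SALT = os.urandom(16)


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


USER_STORE = {
    "alice": {"pw": _hash_password("correct horse"), "roles": {"clerk"}},
    "bob": {"pw": _hash_password("battery staple"), "roles": {"clerk", "approver"}},
}

# Assumed numeric strength for each credential type (higher = stronger).
AUTH_LEVEL = {"password": 5, "otp": 10, "x509": 15}


@dataclass(frozen=True)
class Policy:
    resource: str          # URL path prefix this policy protects
    required_role: str
    min_auth_level: int    # weakest credential the policy will accept
    window: tuple = (time(0, 0), time(23, 59, 59))  # permitted time of day


# Constructed policies: viewing needs a password, approving needs OTP and office hours.
POLICIES = [
    Policy("/claims/view", "clerk", AUTH_LEVEL["password"]),
    Policy("/claims/approve", "approver", AUTH_LEVEL["otp"], (time(8, 0), time(18, 0))),
]


@dataclass
class Decision:
    allowed: bool
    reason: str
    headers: dict = field(default_factory=dict)  # profile forwarded to the application


class PolicyServer:
    """Policy Decision Point: authenticates, then authorises against the matching policy."""

    def authenticate(self, username: str, cred_type: str, secret: str) -> Optional[int]:
        user = USER_STORE.get(username)
        if user is None or cred_type not in AUTH_LEVEL:
            return None
        if cred_type == "password":
            ok = hmac.compare_digest(user["pw"], _hash_password(secret))
        else:
            # Constructed stand-in for an OTP or certificate verifier.
            ok = secret == f"valid-{cred_type}-for-{username}"
        return AUTH_LEVEL[cred_type] if ok else None

    def authorize(self, username: str, level: int, resource: str, now: time) -> Decision:
        policy = next((p for p in POLICIES if resource.startswith(p.resource)), None)
        if policy is None:
            return Decision(False, "no policy covers resource")  # deny by default
        roles = USER_STORE[username]["roles"]
        if policy.required_role not in roles:
            return Decision(False, f"role {policy.required_role} required")
        if level < policy.min_auth_level:
            return Decision(False, f"auth level {level} below required {policy.min_auth_level}")
        start, end = policy.window
        if not start <= now <= end:
            return Decision(False, "outside permitted time window")
        return Decision(True, "allowed", {"X-User": username, "X-Roles": ",".join(sorted(roles))})


class WebAgent:
    """Policy Enforcement Point: intercepts the request and applies the PDP's decision."""

    def __init__(self, pdp: PolicyServer):
        self.pdp = pdp

    def handle(self, resource: str, username: str, cred_type: str, secret: str, now: time) -> Decision:
        level = self.pdp.authenticate(username, cred_type, secret)
        if level is None:
            return Decision(False, "authentication failed")
        return self.pdp.authorize(username, level, resource, now)


def decide(resource: str, username: str, cred_type: str, secret: str, hour: int = 10) -> Decision:
    """Convenience wrapper (constructed): run one request through the agent at the given hour."""
    return WebAgent(PolicyServer()).handle(resource, username, cred_type, secret, time(hour, 0))


if __name__ == "__main__":
    for args in [("/claims/view", "alice", "password", "correct horse"),
                 ("/claims/approve", "bob", "password", "battery staple"),
                 ("/claims/approve", "bob", "otp", "valid-otp-for-bob"),
                 ("/claims/approve", "bob", "otp", "valid-otp-for-bob", 20)]:
        d = decide(*args)
        print(args[0], args[1], "->", "ALLOW" if d.allowed else "DENY", f"({d.reason})")
```

The point the example makes is the division of labour: the agent never sees the user store or the policy store, it only forwards credentials and enforces the answer, while the policy server denies by default when no policy matches and distinguishes a password login from an OTP login so that a weaker credential earns less access. Bob's password gets him into /claims/view but not /claims/approve, the same OTP is refused outside the 08:00 to 18:00 window, and the allowed decision carries the profile headers the downstream application would receive.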
Policy Formulation and Administration

CA offers extensive role and policy information reuse capabilities in keeping with the realities of the company's target market. The Policy Server sits atop user directories and supports a wide range of solutions such as Sun Java System Directory Server, IBM Directory Server, Novell eDirectory, Microsoft AD, and OpenLDAP. SiteMinder can also leverage relational databases such as Microsoft SQL Server, IBM DB2, and the Oracle Relational Database Management System (RDBMS) as a user repository. SiteMinder can read user information out of mainframe user stores such as ACF2/TopSecret/RACF. An XML-based migration tool for import and export of policy objects is provided. Policies related to a domain, an application, and entire policy stores can be exported. The import/export of policy objects can support dependencies.

SiteMinder deployment sites often involve policies on the order of tens or hundreds of thousands, and administration has been streamlined through a delegation feature. Typically, administrators are assigned specific categories and scope. Scope relates to administrator rights, such as view objects or create, modify, and delete. The delegation feature allows administrators to assign categories and scopes to other administrators, who can further cascade delegation to lower-level administrators and even business users themselves in a highly simplified and scoped form, so that a hierarchy of policy formulation and modification responsibilities can be built. The administration module also has built-in search capability.

Reporting and Analysis

SiteMinder is bundled with the CA Report Server, which is based on Business Objects XI R2. The Report Server provides analysis reports on policy and audit data. In addition, in February 2008, CA released Wily Manager for SiteMinder WAM, integrating CA's key application performance management solution, Wily Introscope, with the access management solution.
Well aligned with CA's Enterprise IT Management vision, the Wily Introscope integration allows the analysis of Web application performance to include Web security details. Also, Wily Introscope allows monitoring of Policy Server and Agent performance, enabling notifications to IT operations in the broader context of application performance.

Scalability

SiteMinder is a highly scalable WAM solution (testing indicates SiteMinder can support in excess of 100 million users of Web applications using standard off-the-shelf hardware and software and standard SiteMinder features). Scalability can be achieved in terms of number of users and number of protected resources, and is achieved primarily through efficient connection management and policy processing; caching of policy and user data; load balancing for user stores and Policy Server clustering; policy store and user store replication; and support for multi-CPU servers. The solution provides for Policy Server cluster failover, as can be seen from Figure 2, which also illustrates a global deployment topology for SiteMinder. Clusters of Policy Servers can be configured. In case of failure of one cluster, the other cluster can perform the task of evaluating users' entitlements. This fault-tolerant deployment thus ensures high performance.
Figure 2: CA Scalability in a Global Deployment Scenario (Source: CA)

Product Emphasis

CA SiteMinder WAM is focused on enabling secure SSO access to multiple owned and affiliate Web applications and providing fine-grained authorisation and comprehensive support for authentication technologies. Its goal is to provide a comprehensive solution, so it also addresses five additional areas: it supports identity federation through a standards-based approach; it provides a solution architecture that scales to millions of users; it offers administrative capabilities that enable consistent and structured policy formulation and management of hundreds of thousands of policies; it enables reuse of existing role definitions through support for a wide range of user directories; and it supports integration with related identity and access management solutions, to achieve a higher level of integrated access management across Web and non-Web applications, along with holistic performance management. These types of capabilities are aligned with CA's Enterprise IT Management vision. In Butler Group's opinion, the SiteMinder solution is category leading, and the solution's installed base and deployment growth attest to its alignment with the requirements of the target market.
DEPLOYMENT

Resources required for deployment include internal resources for administering user and policy store repositories (LDAP, RDBMS, mainframe); internal security analysts to interpret and communicate security policies, including password policies, installation/deployment policies, and application access policies; Web developers to integrate SiteMinder with Web applications or to develop custom authentication schemes or login pages; and an operations team to monitor and maintain SiteMinder in production. Other resources are required depending on the technology used (non-password authentication methods: X.509 certificates, SecurID, etc.) or for the underlying Web servers that will support the Web application (IIS, Apache, etc.). For some of the large-scale deployments, the services of third-party systems integrators such as Deloitte & Touche and PricewaterhouseCoopers, and/or CA's internal professional services, may be advisable.

The time taken for implementation depends on the number of applications that will be protected by SiteMinder and the level of integration and complexity. However, on average, it takes 8-12 weeks to gather requirements, formulate architecture, implement, and deploy for an initial set of applications or portals. Post implementation, the time taken for integration varies from a few hours for an application with simple integration requirements to a more involved integration process for Web applications with complex and relatively inflexible security infrastructure.

The deployment approach for the SiteMinder architecture can be highly modular. The baseline requirements are a Policy Server to provide the Policy Decision Point, and a Web Agent or proxy server to provide a Policy Enforcement Point, plus a user repository and a policy store. Once these components have been deployed, additional modules can be added to build out the infrastructure on an incremental basis.
An additional Policy Server could be added to facilitate load balancing and failover, for example, plus extra Web Agents and proxy servers, and applications can be added into the infrastructure. Other modules such as the Administrative User Interface (to manage all or specific Policy Servers) can be added, as can the CA Report Server. Other optional add-on products include SiteMinder Federated Security Services and ERP/CRM SSO agents, plus CA SOA Security Manager, which can be layered on top of the base SiteMinder infrastructure.

SiteMinder provides role-based training for operators, administrators, and consultants/implementers, at three different levels. Training can be delivered in the form of Computer Based Training (CBT), classroom, and Web-based training. CA's support service responsiveness varies from one hour for the highest severity level to one business day for the lowest severity level, level 4.

The solution is available on a variety of platforms. SiteMinder agents are available on IIS, Apache (ASF, HP, and Red Hat versions), Tomcat, Sun One/Sun Java System, IBM HTTP Server, Domino, Oracle HTTP Server, WebSphere, WebLogic, SAP, Siebel, and Oracle Application Server. The Policy Server is available on Windows, Solaris, HP-UX, and Linux.

SiteMinder can integrate with a wide range of systems in various ways. CA provides a set of documented Application Programming Interfaces (APIs) for enabling WAM/SSO for diverse off-the-shelf and custom-built applications. It can also integrate out of the box with CA Single Sign-On to enable SSO to the non-Web applications covered by that product.
The potential risks faced by WAM deployments are relatively low, as they have very minimal impact on end users and regular business processes. As would be expected from a solution of this nature, the risks that do exist are related to scope and phasing.

PRODUCT STRATEGY

SiteMinder's target market is horizontal and includes large and medium-sized organisations across geographies that require controlled access to numerous Web applications. However, organisations in vertical markets such as financial services, government, healthcare, telecommunications, high-tech manufacturing, and utilities typically have huge Web communities where the data is sensitive and of high value. The target customer for SiteMinder would typically have more than $250M in revenues, more than 5,000 employees, and more than 10,000 non-employee users. However, the average SiteMinder customer has a lot more than 10,000 non-employee users.

The expected Return on Investment (ROI) depends on the current and post-deployment state of the customer. The sources of ROI include reduced application development and maintenance costs, reduced security administration costs, reduced user helpdesk/call centre calls, and reduced security compliance costs, plus increased and easier deployment of revenue-enhancing and cost-saving applications that require security.

The sales channels are both direct (on a global basis) and through Value-Added Resellers and systems integrators. CA expects the percentage of sales through the indirect channel to increase. The key business partnerships that support this product for sales, service, and implementation are with systems integrators and value-added resellers. Global business partners include Deloitte, PwC, and Accenture. Hitachi and Nissay are important partners in Japan, while Deloitte, Fujitsu, Capgemini, PwC, and Unisys are key partners in Europe. Relationships with specialised security boutique firms are also important in North America.
Technology partners include vendors of authentication technology, Web servers, application servers, and directories, among others.

CA's FlexSelect licensing program supports SiteMinder licensing. FlexSelect is a flexible system for purchase financing/licensing/leasing and is used to license all of CA's products. The licensing is based on the number of users, segmented into consumers, business partners, and employees. As would be expected from a solution of this nature, volume licensing is supported, and per-user costs are much lower for large volumes. The project value for a typical implementation is US$200K for product licenses and $200K for related design and implementation services. The cost of annual maintenance and support depends on the licensing approach, and CA reports that, when using the perpetual software license scheme, maintenance cost approximates 20% of the license cost annually.

The company introduces major releases every 2-3 years to deliver key architectural changes. New features are made available approximately once every 6-9 months via Service Packs. Minor enhancements and defect support are introduced through monthly Cumulative Releases. CA's development pipeline includes support for additional advanced authentication schemes, additional platform certifications, integration of option packs, and integration with the latest releases of related tools such as CA SSO v8.1. There are also plans for continued investment in federation technology and related security for Web services.

CA's feature set and development pipeline indicate a continued focus on the extremely comprehensive requirements of the company's target market, aligned with the stated vision of distributed enforcement and delegated policy management, with centralised auditing and administration.
In Butler Group's opinion, the factors driving the WAM market, such as the need to ensure Web security; the need to automate compliance-related controls and reporting in an exhaustive, verifiable, and centralised way; identity federation; and Web services security, will continue to be pressing concerns in the large enterprise and mid-market segments. Given all of the above (and also CA's indirect channel expansion plans), in Butler Group's opinion CA's strategy is well aligned with the needs of the target market.

COMPANY PROFILE

CA, Inc. (NYSE: CA) positions itself as one of the world's largest management software providers. CA software and expertise unify and simplify complex IT environments in a secure way across the enterprise for greater business results. CA calls this Enterprise IT Management (EITM), a clear vision for the future of IT. It is how an enterprise can manage systems, networks, security, storage, applications, and databases securely and dynamically, based on a common platform and an integrated architecture, with scope to expand the footprint to cater for innovation and new areas of technology. Founded in 1976, CA is headquartered in Islandia, N.Y., has 14,500 employees, operates in more than 150 offices in 45 countries, and has achieved ISO 9001:2000 certification. Revenues and operating income for the last three fiscal years were as follows:

Table 1: Financial Details

Year ending 31 March                     2008*    2007    2006
Revenue (US$ Million)                    4,277    3,943   3,772
Change on Previous Year (%)              8        5       5
Total Net Income/(Loss) (US$ Million)    500      121     160

*unaudited figures
Source: CA

CA has a stated policy to enhance and protect its clients' IT investments by integrating a wide range of systems in heterogeneous environments. To maintain this stance it has a wide range of partnerships with technology vendors, systems integrators, and IT consultancies. CA currently serves 99% of the Fortune 1000 companies across every major industry worldwide.
SUMMARY

Butler Group believes that the CA SiteMinder WAM solution presents a feature set that is among the front runners in the Web Access Management marketplace. In addition, CA's huge installed base, totalling over 1,300 deployment sites, has led to a rich ecosystem of complementary solutions. Butler Group would like to point out that large-scale multilateral federation would typically require a separately licensable add-on. In Butler Group's opinion, the CA practice of separately licensing features that address critical or even typical requirements for large enterprises is not optimal, and it is not unique to SiteMinder or the Identity and Access Management suite. However, the solution's feature set, scalable architecture, flexible administration, and integration with related CA tools are best in class, and are extremely relevant to large companies with significant Web infrastructure.

Table 2: Contact Details

CA Inc. World Headquarters
One CA Plaza
Islandia, NY 11749
USA
Tel: +1 (800) 225 5224
Fax: +1 (631) 342 6800
www.ca.com

CA Inc. EMEA Headquarters
Ditton Park, Riding Court Road, Datchet
Slough, Berkshire, SL3 9LL
UK
Tel: +44 (0)1753 577733
Fax: +44 (0)1753 825464
www.ca.com

Source: CA

Butler Group Headquarters
Europa House, 184 Ferensway, Hull, East Yorkshire, HU1 3UT, UK
Tel: +44 (0)1482 586149
Fax: +44 (0)1482 323577

Butler Direct Pty Ltd.
Level 46, Citigroup Building, 2 Park Street, Sydney, NSW, 2000, Australia
Tel: +61 (02) 8705 6960
Fax: +61 (02) 8705 6961

Butler Group
245 Fifth Avenue, 4th Floor, New York, NY 10016, USA
Tel: +1 212 652 5302
Fax: +1 212 202 4684

For more information on Butler Group's Subscription Services please contact one of the local offices above.

Important Notice

This report contains data and information up-to-date and correct to the best of our knowledge at the time of preparation.
The data and information comes from a variety of sources outside our direct control; therefore Butler Direct Limited cannot give any guarantees relating to the content of this report. Ultimate responsibility for all interpretations of, and use of, data, information, and commentary in this report remains with you. Butler Direct Limited will not be liable for any interpretations or decisions made by you.