
What components should an application security management system (ASMS) have?

Is there one product that will solve all of your ASMS needs? Maybe not, but Identity Management and Access Control expert Joel Dubin reviews the three components that should be included in any application security management system, in this Ask the Expert Q&A.

My company would like to buy an application security management system (ASMS), which would control our security processes and manage our Web-based applications. Ideally, the system would implement online registration for different online applications, including Internet, intranet or extranet. It's important that the ASMS system provides single sign-on features for both internal authenticated users and external users. Is there a product out there that will satisfy our needs?

There are three different components that you should incorporate in any application security management system (ASMS): an authentication method to verify and allow access for legitimate users, an application-level firewall to protect your Web sites and a single sign-on (SSO) product.

That's a pretty tall order for one product. You may want to take a look at a combination of some of the following products, each of which has one or more of the elements you require.

A flexible Web authentication product is NetSwift iGate from SafeNet Inc. This product is a hardware appliance that sits between your Web server and your firewall. Users need both a token and a PIN to access Web-based applications, so the appliance enforces two-factor authentication (something the user has plus something the user knows). The product can control external access to your Web applications, as in an extranet, and it can also function with corporate intranets. It is meant only for accessing Web applications, not an entire company's network, but this authentication tool would still be compatible with many of your existing applications. NetSwift iGate uses SSL for all connections but isn't an SSL VPN, which is yet another authentication option you might want to consider.

If you need an SSL VPN, consider an Aventail Corp. product; its line can be fine-tuned to allow access to only selected portions of your Web applications, so you can customize your access controls as you see fit. Aventail products can also be integrated with Active Directory, which makes them compatible with Windows environments. However, because an SSL VPN provides only remote or external access, you will have to combine it with another product to meet your internal needs.

As for application-level firewalls, Breach Security Inc.'s BreachGate WebDefend offers application-level security for Web applications. This product uses a series of threat-detection engines to analyze traffic and look for malicious requests, even after that traffic has passed through your network firewalls and intrusion detection systems (IDS); those devices pass well-formed HTTP on port 80 or 443 without looking at what the request does to the application. The engines use a variety of techniques: matching threat signatures, analyzing HTTP protocol misuse and checking for known Web and application attacks.
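To make concrete what those three kinds of checks do, here is an added example of a toy application-level filter run over constructed request heads. It is illustration only, not code from BreachGate WebDefend or any other product on this page; the signature list, the allowed-method policy, the length limit and the sample requests are all assumptions made for the example.

```python
"""Toy application-level filter: runs the three kinds of checks the text
names (signature matching, HTTP protocol-misuse analysis, known attack
patterns) over raw HTTP request heads. Added illustration only; it is not
code from BreachGate WebDefend or any other product on this page."""
import re
from urllib.parse import unquote_plus

# Constructed signature list (hypothetical; a product ships thousands of rules).
SIGNATURES = [
    ("sqli", re.compile(
        r"(\bunion\b.+\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+|;\s*drop\s+table)", re.I)),
    ("xss", re.compile(r"(<script\b|javascript:|\bon\w+\s*=)", re.I)),
    ("path_traversal", re.compile(r"(\.\./|\.\.\\)")),
]

ALLOWED_METHODS = {"GET", "POST", "HEAD"}   # assumed site policy
MAX_TARGET_LEN = 2048                       # assumed limit


def parse_request(raw):
    """Split a raw HTTP/1.x request head into (method, target, version, headers).
    Raises ValueError when the request line is not three space-separated tokens."""
    lines = raw.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, version = parts
    headers = {}
    for line in lines[1:]:
        if not line:            # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def protocol_checks(method, target, version, headers):
    """HTTP protocol-misuse analysis: flag requests that are syntactically
    valid but violate what a well-behaved client would send."""
    findings = []
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        findings.append("protocol: unsupported version " + version)
    if method not in ALLOWED_METHODS:
        findings.append("protocol: method %s not allowed" % method)
    if len(target) > MAX_TARGET_LEN:
        findings.append("protocol: request target too long")
    if version == "HTTP/1.1" and "host" not in headers:
        findings.append("protocol: HTTP/1.1 without Host header")
    if "transfer-encoding" in headers and "content-length" in headers:
        findings.append("protocol: both Transfer-Encoding and Content-Length "
                        "(request smuggling indicator)")
    return findings


def signature_checks(target, headers):
    """Signature matching for known Web attacks. The target is URL-decoded
    twice so that double-encoded payloads (%252e -> %2e -> .) are caught."""
    decoded = unquote_plus(unquote_plus(target))
    candidates = [decoded] + list(headers.values())
    findings = []
    for name, pattern in SIGNATURES:
        if any(pattern.search(c) for c in candidates):
            findings.append("signature: " + name)
    return findings


def inspect(raw):
    """Return the list of findings for one request head; an empty list means
    the request passed every check."""
    try:
        method, target, version, headers = parse_request(raw)
    except ValueError as err:
        return ["protocol: " + str(err)]
    return (protocol_checks(method, target, version, headers)
            + signature_checks(target, headers))


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = {
    "benign": "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "sqli": ("GET /login?user=admin'%20OR%20'1'%3D'1 HTTP/1.1\r\n"
             "Host: www.example.com\r\n\r\n"),
    "traversal": ("GET /download?file=%252e%252e%252fetc/passwd HTTP/1.1\r\n"
                  "Host: www.example.com\r\n\r\n"),
    "smuggling": ("POST /api HTTP/1.1\r\nHost: www.example.com\r\n"
                  "Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n"),
    "no_host": "GET / HTTP/1.1\r\n\r\n",
}

if __name__ == "__main__":
    for label, req in SAMPLE_REQUESTS.items():
        print(label, "->", inspect(req) or "clean")
```

The point of the double decode and the Transfer-Encoding/Content-Length check is that every one of these requests is valid TCP traffic to port 80 that a network firewall forwards without comment; only an inspector that parses HTTP and understands the application's expectations can tell the traversal attempt from a normal download. A real product also has to decide what to do with a finding (block, log, or rate-limit), and a signature list this small will both miss attacks and produce false positives, which is why tuning against your own applications matters.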

In terms of the SSO piece of your setup, a suitable lightweight product is OneSign from Imprivata Inc. OneSign is a hardware-based SSO product: unlike traditional SSO products, which use software modules installed on existing servers, it is a stand-alone appliance. Depending on the size of your organization -- Imprivata's products are geared toward SMBs -- these highly customizable products may be what you're looking for. As new applications are developed, they can be added to the product via its Web-based interface.

However, before jumping into a range of products, it would be best to carefully evaluate your needs, your organization's size and how well these products work with each other, with your network and with your Web servers.

This was last published in October 2006.