IMAG500 Functionality
 
Apere's IMAG500 (Identity Managed Access Gateway) provides identity life-cycle management for the identities that exist in the applications and networks of an enterprise. IMAG500 cleanses and reconciles those identities and enforces the resulting access rights on the network on a per-packet basis, providing granular access to resources at both the application and the network level.

IMAG500’s identity-based access control bridges the two domains of application security and network security. Any update to an identity results in an automatic update of the corresponding access policies in IMAG500, which in turn secures the resources.

A simple web-based administration interface provides centralized management of user accounts, self-service password management and self-service account management across application and network domains. Using a patent-pending emulation technology, IMAG500 can establish connectivity to non-AD, hosted web, custom and legacy applications without software development or API calls. This lets an enterprise deploy identity management and password management in less than a week, compared with the one to two years a traditional solution can take to go live.


Reconciliation of Identities

IMAG500 gathers identities from the different identity stores in a network, such as authentication servers and application servers. These identities are reconciled against the authoritative list (a CSV file) using the rules that were used to create them.

IMAG500 connects to applications through a patent-pending emulation mechanism that manages their identity stores. The mechanism requires no API support from the application and no new software modules to be developed and qualified; connectivity to an application is built on the fly using emulation. The RapidConnector framework has three categories: infrastructure connectors (AD, LDAP, Solaris, etc.), RapidConnector Web, and the RapidConnector Client Server module.

Self Service Password Management

Apere’s IMAG500 provides a simple and effective framework for centralized password management. It combines the benefits of identity management with the security framework of password management into a cost-saving password self-administration technology. As an appliance with no client or server agents, it deploys rapidly and non-disruptively to address the security, compliance and operational-efficiency initiatives of an enterprise.

Features

    1. IMAG500 provides a simple and effective way to identify all the applications within an organization, and offers the administrator a framework to automatically discover the applications for which password self-administration is required.
    2. IMAG500 then uses Apere’s Rapid Connect technology to quickly consolidate user identities from all of those applications. This consolidation gives a quick view of the cost savings that self-service password reset will bring.
    3. IMAG500 also provides Apere’s rule-based reconciliation engine to identify only those authorized users who should be given the privilege of password self-administration.
    4. IMAG500 in addition provides a profile creation and registration process for each user. This process enables each user to securely log in to the IMAG500 portal and reset the passwords of their accounts across applications.
    5. IMAG500 enforces per-application password rules to make authentication stronger, and locks accounts after repeated authentication failures.
    6. In addition, IMAG500 integrates with the enterprise mail system to notify administrators and end users of password expiry, password renewal, password changes and other alerts.

Benefits

    1. Significantly reduces help desk calls.
    2. Seamlessly creates accounts in applications and domains for telecommuters, contractors and mobile workers.
    3. Deletes unwanted user accounts.
    4. Email notification of upcoming renewals. Password management helps the organization stay compliant with ISO/IEC 27001 (formerly BS 7799) and with standards such as ISO/IEC 17799:2005, ISO/IEC 13335-1:2004, ISO/IEC TR 13335-3:1998, ISO/IEC TR 13335-4:2000, ISO/IEC TR 18044:2004 and the OECD Guidelines for the Security of Information Systems and Networks.

Self Service Portal

The self-service account portal allows users to request the creation of their user accounts or to update their account information. The portal is accessed by providing pertinent personal information about the user, and it is reachable over the Internet for both account requests and password resets. A simple workflow routes the request to the appropriate administrator for approval, significantly reducing the time and effort needed to create new accounts. A user can also request an account for the duration for which access is needed (short term or long term), and IMAG500 can generate a password for the requested account according to a configured set of rules.

The workflow sends emails reflecting the different states of account creation to the administrators as well as to the requesting users, and the account status is updated on the portal so the user can track it. Reminder emails, sent on a configurable schedule for events such as account expiry, password expiry and password reset, help users manage their accounts and help administrators ensure that corporate IT policies for account and password management are met for employees, contractors, remote and external users across applications.

The main functions of the self-service account request portal are:
  • Self-service user registration
  • Requesting creation of a new user account
  • Resetting passwords
  • Updating profile information

Reporting

Reporting enables enterprises to demonstrate security and meet regulatory compliance. IMAG500’s one-button compliance reports provide a simple, consolidated view of identity and access information to validate security posture and compliance with regulations such as GLBA, HIPAA and Sarbanes-Oxley. Dashboards give management and administrators a quick view of the health of their identity-based security.
  • User Access Rights
    • What applications does the user have access to?
      • e.g. Jim Collins, represented as “JCollins” in the Oracle database, has the right to use the database on port 1443
      • e.g. Andy Smith, represented as “Andy_Smith” in salesforce.com, has the right to use the application on port 8080
    • What are the user’s entitlements within an application?

  • Applications/Servers
    • What applications are in the network?
    • What is the name of the application, its IP address and the port on which the service resides?
    • What are the location, type and organizational unit of the application?
      • e.g. Finance Server, a database application residing in San Jose
    • Which applications are in protect mode, monitor mode or bypass mode?
    • Who are the users of these applications?

  • User Account Status
    • Who are the authoritative users in the organization, with their names, employee IDs and roles in the company?
    • When were these accounts created, and what is their current state?
    • What authorizations were associated with the creation, deletion, disabling and enabling of these accounts?
    • Which accounts are active, disabled or orphaned for an application?
    • Account access details by aging
      • e.g. accounts accessed in the last 30, 60 or 90 days

IMAG500 Access Control

IMAG500’s identity-based access control bridges the two domains of application security and network security. Any update to an identity results in an automatic update of the corresponding access policies in IMAG500, which in turn secures the resources. A simple web-based administration interface provides centralized management of access control and user account provisioning; administrators manage and delegate tasks through the same interface. Apere’s patented solution is flexible, low cost and high performance, and is intended to redefine how enterprises handle network security.

Access policies in IMAG500 are defined per user ID, with access to each application expressed as a port/protocol. Once ID consolidation and reconciliation are complete, an access policy is created for each user. At this stage IMAG500 knows the user’s rights in the enterprise: which applications the user is entitled to access, and by which access methods. This information is turned into rules that are loaded into the access tables within IMAG500. Once loaded, IMAG500 inspects the L2/L3/L4 headers of every packet and decides whether that packet may reach its destination.

IMAG500 acts as an authentication proxy and is triggered by a successful login. The access table for that user ID is loaded, and depending on the mode the policies are applied on a per-packet basis.

There are two types of login:

  1. Proxy: the user logs on to an existing authentication server, for example Active Directory (AD), and the AD logon logs are pushed to IMAG500.
  2. NTLM: the user logs on to the network through an IMAG500 web URL and then accesses the applications; IMAG500 generates the logs for all access to the applications.

IMAG500 can set the network access level to Bypass, Monitor or Protect mode.
Bypass ON: traffic runs through IMAG500 from clients to servers and IMAG500 acts as a bump in the wire. All traffic passes with no policy enforcement.
Bypass OFF: access control policies are used either to monitor and report, or to protect resources by enforcing them.

In Monitor mode, access policies are checked but not enforced. Access violations are reported.
In Protect mode, access policies are enforced. Packets that violate a policy are dropped and logged.

Application servers can also be placed in different modes.

  1. Bypass mode: all access to this server from any user ID is allowed.
  2. Protect mode: only the reconciled users for the application are allowed access.
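The enforcement path described above (a logon binds a client address to a user ID, the user’s access table is loaded, every packet is matched on its headers, and the appliance mode and the server mode decide whether a violation is dropped or only reported) can be modelled in a few dozen lines. The following is an added example, not Apere’s code. It assumes that the logon trigger yields a source IP to user ID binding, that an access table entry is a (server IP, protocol, destination port) tuple produced by reconciliation, that packets are matched on L3/L4 fields only, and that a forwarded packet is re-tagged from the client’s untrusted VLAN to the server’s trusted VLAN when the user is entitled to the application (the page lists VLAN translation as a feature but does not describe its mechanics). All addresses, ports, VLAN numbers and user names are constructed.

```python
"""Identity-based per-packet enforcement with bypass / monitor / protect modes.

Added example modelled on the IMAG500 description; not Apere's code.
Assumed: logon events bind src IP -> user ID; access table maps user ID ->
(server_ip, protocol, dst_port) entitlements; per-server bypass/protect mode;
entitled traffic is translated to the server's trusted VLAN.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Entitlement = Tuple[str, str, int]  # (server_ip, protocol, dst_port)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str      # "tcp" or "udp" (the page lists TCP and UDP support)
    dst_port: int
    vlan: int = 0   # ingress (untrusted) VLAN tag


@dataclass(frozen=True)
class Decision:
    action: str          # "forward" or "drop"
    user: Optional[str]  # user ID bound to the source address, if any
    violation: bool      # policy violated (logged even when forwarded in monitor mode)
    vlan: int            # VLAN the packet leaves on


class Gateway:
    def __init__(self, access_table: Dict[str, Set[Entitlement]],
                 server_modes: Dict[str, str], trusted_vlan: Dict[str, int],
                 mode: str = "protect"):
        self.access_table = access_table   # user ID -> entitlements (from reconciliation)
        self.server_modes = server_modes   # server_ip -> "bypass" | "protect"
        self.trusted_vlan = trusted_vlan   # server_ip -> trusted VLAN it lives on
        self.mode = mode                   # appliance mode: "bypass" | "monitor" | "protect"
        self.sessions: Dict[str, str] = {}               # src_ip -> user ID (loaded on logon)
        self.log: List[Tuple[str, Packet, str]] = []     # (user, packet, action) for violations

    def login(self, user: str, src_ip: str) -> None:
        """Triggered by a successful AD-log or NTLM-portal logon: bind the address to the user."""
        self.sessions[src_ip] = user

    def logout(self, src_ip: str) -> None:
        self.sessions.pop(src_ip, None)

    def update_identity(self, user: str, entitlements: Set[Entitlement]) -> None:
        """An identity change replaces the user's rules; live sessions see them on the next packet."""
        self.access_table[user] = set(entitlements)

    def handle(self, pkt: Packet) -> Decision:
        user = self.sessions.get(pkt.src_ip)
        if self.mode == "bypass":                      # Bypass ON: bump in the wire, untouched
            return Decision("forward", user, False, pkt.vlan)
        trusted = self.trusted_vlan.get(pkt.dst_ip, pkt.vlan)
        if self.server_modes.get(pkt.dst_ip) == "bypass":   # server in bypass: any user ID allowed
            return Decision("forward", user, False, trusted)
        key = (pkt.dst_ip, pkt.proto, pkt.dst_port)
        if user is not None and key in self.access_table.get(user, set()):
            return Decision("forward", user, False, trusted)
        # Violation (no session for this address, or no entitlement):
        # monitor mode reports and forwards on the untrusted VLAN; protect mode drops.
        action = "forward" if self.mode == "monitor" else "drop"
        self.log.append((user or "<no session>", pkt, action))
        return Decision(action, user, True, pkt.vlan)


def build_sample_gateway(mode: str = "protect") -> Gateway:
    """Constructed policy: JCollins may reach the Oracle server on tcp/1521 and
    Andy_Smith the web application on tcp/8080; 10.0.0.9 is a server left in bypass."""
    access_table = {
        "JCollins": {("10.0.0.5", "tcp", 1521)},
        "Andy_Smith": {("10.0.0.6", "tcp", 8080)},
    }
    server_modes = {"10.0.0.5": "protect", "10.0.0.6": "protect", "10.0.0.9": "bypass"}
    trusted_vlan = {"10.0.0.5": 100, "10.0.0.6": 100, "10.0.0.9": 100}
    return Gateway(access_table, server_modes, trusted_vlan, mode)


if __name__ == "__main__":
    gw = build_sample_gateway("protect")
    gw.login("JCollins", "10.1.1.10")
    for pkt in (Packet("10.1.1.10", "10.0.0.5", "tcp", 1521, vlan=10),
                Packet("10.1.1.10", "10.0.0.6", "tcp", 8080, vlan=10),
                Packet("10.1.1.99", "10.0.0.5", "tcp", 1521, vlan=10)):
        print(pkt, "->", gw.handle(pkt))
```

The example binds access to the client source address, which is what a logon-log trigger gives you; whatever sits between client and gateway (NAT, shared terminal servers) determines whether that binding still identifies a single user, and the page does not describe how the product handles those cases. Note also that `update_identity` takes effect on the next packet without re-login, which is the behaviour the page claims for automatic policy updates.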
 
Features and Benefits


Installation & Configuration

  • Seamless integration into the network. No change in the infrastructure.
  • Non-intrusive deployment to monitor network traffic, discover applications and report access details
 
 

Simple Rule based reconciliation

  • Identity reconciliation based on multiple rules.
  • A quick way to identify the status of identities in both applications and networks. Orphan accounts, duplicate accounts and accounts with multiple user access are identified, and a clean list of identities and access rights within applications is established.
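The reconciliation step, as described in the Reconciliation of Identities section earlier on this page and summarized in the bullets above, compares the account names exported from each identity store with an authoritative list and the naming rules that were used to provision them. The following is an added example of that step, not Apere’s code: it takes a constructed authoritative CSV and constructed account exports from three stores, applies one assumed naming rule per application, and reports orphan, shared (ambiguous), stale (owner no longer active) and duplicate accounts. The CSV columns, the rule functions and all sample data are assumptions; only the account names JCollins and Andy_Smith are taken from the page’s report examples.

```python
"""Rule-based identity reconciliation against an authoritative list.

Added example, not Apere's code. CSV columns, rule syntax and all account
data are constructed for illustration.
"""
import csv
import io
import re
from collections import defaultdict

# Constructed authoritative list (the "CSV" the page refers to).
AUTHORITATIVE_CSV = """\
employee_id,name,status
1001,Jim Collins,active
1002,Andy Smith,active
1003,Maria Lopez,terminated
1004,Jane Collins,active
"""

# Constructed account exports from three identity stores.
APP_ACCOUNTS = {
    "oracle": ["JCollins", "MLopez", "sysadm2", "ASmith", "ASmith2"],
    "salesforce": ["Andy_Smith", "Maria_Lopez", "Jim_Collins"],
    "ad": ["jcollins", "asmith", "mlopez", "svc_backup"],
}


def rule_initial_last(name: str) -> re.Pattern:
    """Naming rule: first initial + last name, numeric suffix tolerated (JCollins, JCollins2)."""
    parts = name.split()
    stem = parts[0][0] + "".join(parts[1:])
    return re.compile(re.escape(stem) + r"\d*", re.IGNORECASE)


def rule_first_underscore_last(name: str) -> re.Pattern:
    """Naming rule: full name joined with underscores (Andy_Smith)."""
    return re.compile(re.escape("_".join(name.split())), re.IGNORECASE)


# Which naming rule(s) each application was provisioned with (assumed).
RULES = {
    "oracle": [rule_initial_last],
    "salesforce": [rule_first_underscore_last],
    "ad": [rule_initial_last],
}


def load_authoritative(text: str) -> list:
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(people: list, app_accounts: dict, rules: dict) -> dict:
    """Classify every application account against the authoritative list.

    Per application the result holds:
      matched   account -> employee_id (exactly one authoritative owner)
      orphan    accounts no rule ties to anyone (candidates for deletion)
      shared    accounts that could belong to more than one person
      stale     accounts whose single owner is no longer active
      duplicate employee_id -> accounts, for people with >1 account in one app
    """
    report = {}
    for app, accounts in app_accounts.items():
        compiled = [(rule(p["name"]), p) for p in people for rule in rules[app]]
        result = {"matched": {}, "orphan": [], "shared": {}, "stale": [], "duplicate": {}}
        owned = defaultdict(list)
        for acct in accounts:
            owners = [p for pat, p in compiled if pat.fullmatch(acct)]
            if not owners:
                result["orphan"].append(acct)
            elif len(owners) > 1:
                # Two people produce the same name under this rule: the account is ambiguous.
                result["shared"][acct] = sorted(p["employee_id"] for p in owners)
            else:
                owner = owners[0]
                result["matched"][acct] = owner["employee_id"]
                owned[owner["employee_id"]].append(acct)
                if owner["status"] != "active":
                    result["stale"].append(acct)
        result["duplicate"] = {eid: accts for eid, accts in owned.items() if len(accts) > 1}
        report[app] = result
    return report


def reconcile_sample() -> dict:
    """Run the reconciliation over the constructed data above."""
    return reconcile(load_authoritative(AUTHORITATIVE_CSV), APP_ACCOUNTS, RULES)


if __name__ == "__main__":
    for app, result in reconcile_sample().items():
        print(app)
        for category in ("orphan", "shared", "stale", "duplicate"):
            if result[category]:
                print(f"  {category}: {result[category]}")
```

The shared category is the one to watch when a rule is loose: a first-initial rule cannot tell Jim Collins from Jane Collins, so “JCollins” needs a human decision before it is given any access right, and the numeric-suffix tolerance is what surfaces ASmith2 as a duplicate rather than an orphan.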
 
 

Work flow delegation

  • Application and network administrators manage their respective resources
  • A simple email-based workflow helps different administrators manage their respective resources
 
 

Connectors

  • Native connectivity to applications
  • IMAG500 interfaces natively with client-server and web-based applications, fetching user IDs to reconcile them and update the access rules
 
 

Self Service Password Management

  • Simple and effective framework to provide a centralized password management
  • Reduces help desk calls by giving users self-service password reset for their respective applications.
 
 

Self Service Portal

  • Simple and effective framework that lets users create and update their user accounts.
  • Self-service account management reduces the time, cost and effort of supporting a constantly moving workforce.
  • Creates user accounts for a required time period and generates rule-based passwords.
  • Helps meet IT security policies and compliance regulations.
 
 

Access policies

  • Automatically updates the IMAG access rules on every identity change at the application and network level.
  • IMAG detects the user ID changes and automatically updates its access control policies
 
 

Reporting

  • Canned Reports for GLBA, SOX and HIPAA
  • IMAG generates reports of access details, alerts, critical events and compliance specific information.
 
   
 
IMAG500 Features
  • Identity Store Discovery
    • Automatic Discovery
    • Auto Learn
  • Reconciliation
    • Rule based Reconciliation
    • Multiple rule support
  • Authentication
    • Log-based authentication (AD, RADIUS, SAMBA)
    • NTLM authentication
  • Application Connectors
    • AD, LDAP, ORACLE, MYSQL, MSSQL, SAMBA, LINUX, SOLARIS, CSV
  • Rapid Connect Web
    • Rapid connectivity to web-administered applications to perform ID consolidation, reconciliation and provisioning
  • Access Management
    • Centralized Policy Management
    • Automatic rule updates
  • VLAN Translations
    • Automatic policies to translate client traffic from an untrusted VLAN to a trusted VLAN based on application access rights
  • Administration
    • Secure Web based Administration
  • Logs & Reports
    • Syslog up to 500 MB Storage
    • Canned Reports for SOX, GLBA, HIPAA
Specifications
  • Interfaces
    • 2 x 10/100/1000 Ethernet Ports
      (Ingress, Egress)
    • 1 x 10/100/1000 Management Port
  • Protocols Support
    • TCP, UDP
  • RAID
    • RAID 1
  • Power
    • AC input voltage 100 to 240 VAC
    • Frequency 50 to 60 Hz
  • Dimensions
    • 1.7” (Height), 16.8” (Width), 14.0” (Depth)
    • Weight 14.5 lbs (6.6 kg)
    • 1 U Rack mountable
  • Regulatory Certifications
    • USA - UL listed, FCC
    • Canada - CUL
    • Europe CE
    • Germany – TUV Certified
    • EN 60950/IEC 60950 – Compliant
  • Environmental
    • Temperature: operating temperature 10 – 35 C (50 to 95 F)
    • Humidity : Operating Humidity 8 – 90 % non-condensing
  • Standard Warranty Coverage
    • 1 year Hardware & Software


Many application identity management functions are repetitive, and repetitive functions are error prone when performed manually. The IMAG500 Rapid Connector centrally administers all application identity management functions, eliminating these errors, simplifying administration and providing a central record of every function performed.

The Rapid Connector Appliance provides a patented mechanism to interface with any application in less than 2 hours, compared with a life cycle of around 6 months using conventional methods.

The RCA mechanism removes the ROI barrier to bringing low-cost enterprise applications under central management, effectively increasing ROI.

Rapid Connector offers a comprehensive mechanism to centrally manage various types of application services at a granular level. Accounts can be created, deleted, or provisioned at a granular level for controlled access.

Apere’s patented emulation mechanism establishes quick and easy connectivity to any type of application so that it can be centrally administered. A field application engineer from Apere or a qualified partner can build a connector in 2-3 hours, and identities can then be managed without in-depth knowledge of the application’s APIs. IMAG500’s Rapid Connector completely automates administrative access to applications.


IMAG Identity Manager resides non-intrusively in the network. Through its web-based user interface, administrators connect it to the different applications in the network: the administrator supplies the access rights for an application, and IMAG Identity Manager uses its patented Rapid Connector to connect to the application and perform identity management functions such as user ID consolidation, adding a user to an application, deleting a user from an application, disabling and enabling a user’s access, and other identity management functions. IMAG Identity Manager also consolidates all identities and the actions performed on them to provide centralized reports such as the list of all users in an application, the list of application accounts for a specific user, and the state of a user account in an application. These reports can be generated either as a canned report or as a PDF file.

The IMAG500 Rapid Connector Appliance enables connectivity to client-server applications, and IMAG500 provides a single window to manage RCA appliances.

Features and Benefits

Installation & Configuration

Deployment in a non-intrusive way to communicate with IMAG500 and enterprise applications

Rapid Connect Appliance for Windows Clients and Web Enabled Applications

When used in conjunction with IMAG500, the appliance provides a comprehensive way to perform identity management for all Windows client and web-based applications in a very short amount of time.

Management

This enables one single interface to manage multiple appliances thereby reducing cost of management.

Workflow Approved process

The Administrator can now delegate tasks to other IMAG500 Administrators, ensuring that work gets done faster and better.

Granular Provisioning based on user credentials

Offers the Administrator the ability to implement access permissions even up to the table levels.

RCA - Mechanism to talk to applications

Application connectors can be built in hours rather than months.

Specifications
  • Interfaces
    • 2 x 10/100/1000 Ethernet Ports (Mgmt, Fail Over)
  • OS Support
    • Windows 98, Windows XP, Windows 2000, Windows 2003
  • RAID
    • RAID 1
  • Power
    • AC input voltage 100 to 240 VAC
    • Frequency 50 to 60 Hz
  • Regulatory Certifications
    • USA - UL listed, FCC
    • Canada - CUL
    • Europe CE
    • Germany – TUV Certified
    • EN 60950/IEC 60950 – Compliant
  • Dimensions
    • 1.7” in (Height), 16.8” (Width), 14.0”(Depth)
    • Weight 14.5 lbs (6.6 kg)
    • 1 U Rack mountable
  • Environmental
    • Temperature: operating temperature 10 – 35 C (50 to 95 F)
    • Humidity : Operating Humidity 8 – 90 % non-condensing
  • Standard Warranty Coverage
    • 1 year Hardware & Software
  • Logs & Reports
    • Syslog up to 500 MB Storage
    • Canned Reports for SOX, GLBA, HIPAA

 

Copyright © 2007 Apere Inc.