A big name in the digital certificate and identity space, Entrust should be a name familiar to all security consultants, and with good reason. With its IdentityGuard product, Entrust integrates physical and logical, mobile and cloud security, all at a surprisingly low price point.
The initial setup of IdentityGuard was about as complicated as we expected, given the feature set of the tool. That said, it wasn't an especially difficult process, and the installation guide was written in such a way that we were never left wondering what the next step was. Since we were testing with Active Directory as our user repository, we needed to extend our schema with an LDIF file provided by Entrust. We then ran the IdentityGuard installer file, choosing to use the integrated Tomcat application server. After completing that process, a configuration panel appeared, which guided us through setting up the link to Active Directory, product licensing and setting up the first IdentityGuard administrator.
Supported on Linux, Solaris, Oracle and Windows servers, IdentityGuard is a highly flexible solution. Providing authentication for workstations, applications and VPNs, it supports a number of different authenticators, including software and physical OATH tokens, grids, smartcards, machine identity and IP-based geolocation. The product is SAML 2.0 compliant and comes with built-in support for Salesforce, Google Apps and Office 365. An interesting innovation, however, comes by way of Entrust's Mobile Smart Credential application. Available for iOS, Android and BlackBerry, Mobile Smart Credential uses either a mobile phone's Near Field Communication (NFC) chip or its Bluetooth stack to emulate a smart card, allowing users to log in to their workstations and applications just by having their cell phone present, with the workstation seeing the phone as a standard smart card. Considering that IdentityGuard can be integrated with physical access control systems, the possibilities for its mobile technology become clear.
We also liked the fact that IdentityGuard offers granular lockout policies, allowing administrators to set authentication failure thresholds on a per-method level. So, for example, say a system requires a standard password and either a one-time password or a grid authentication. The end user just can't seem to figure out how the grid works and consistently inputs the wrong information. Rather than locking the user's entire account, the system simply locks out that user's ability to use the grid and forces the one-time password method. Couple that with the product's self-service modules and users are empowered to manage their own credentials without making numerous trips to the help desk. The one thing we didn't like was that there is no built-in support for biometric readers. While biometric data can be captured through the smart card enrollment process and stored on a smart card, there's no way to simply scan a finger and log in to a workstation or application without third-party utilities.
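To make the per-method lockout behaviour concrete, here is an added, constructed model of the scenario above: a correct password followed by repeated wrong grid answers locks only the grid method and leaves the one-time password available. This is illustrative code, not Entrust's code or IdentityGuard's API; the thresholds, method names and function names are assumptions.

```python
"""Constructed model of per-method authentication lockout (not Entrust code)."""
from dataclasses import dataclass, field

# Hypothetical thresholds: consecutive failures allowed per method before that method locks.
THRESHOLDS = {"password": 5, "otp": 5, "grid": 3}


@dataclass
class UserAuthState:
    failures: dict = field(default_factory=dict)   # method -> consecutive failures
    locked: set = field(default_factory=set)       # methods currently locked


def record_result(state: UserAuthState, method: str, success: bool) -> None:
    """Update the counter for one method only; other methods are unaffected."""
    if success:
        state.failures[method] = 0
        return
    state.failures[method] = state.failures.get(method, 0) + 1
    if state.failures[method] >= THRESHOLDS[method]:
        state.locked.add(method)


def usable_second_factors(state: UserAuthState, offered=("otp", "grid")) -> list:
    """Second factors the user may still attempt after per-method locks are applied."""
    return [m for m in offered if m not in state.locked]


def account_locked(state: UserAuthState, required=("password",)) -> bool:
    """The account is blocked only if a required method, or every optional one, is locked."""
    return any(m in state.locked for m in required) or not usable_second_factors(state)


def simulate_grid_fumble() -> UserAuthState:
    """The scenario in the text: password OK, then three wrong grid answers in a row."""
    state = UserAuthState()
    record_result(state, "password", True)
    for _ in range(3):
        record_result(state, "grid", False)
    return state


if __name__ == "__main__":
    s = simulate_grid_fumble()
    print("locked methods:", s.locked)                       # {'grid'}
    print("second factors still available:", usable_second_factors(s))  # ['otp']
    print("account locked?", account_locked(s))              # False
```

The contrast with an account-wide policy is the point: only once every offered second factor (or a required method) is locked does the account itself become unusable.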
At a cost of $8 per user, IdentityGuard is surprisingly affordable, given the impressive feature set. The support plans are billed annually, with silver costing 18 percent of the total solution cost, gold costing 20 percent and platinum 22 percent.