It would be nice – and convenient – if we could standardize all of the authentication methods for our enterprise on a single product or, at least, product type. But the fact is that we cannot. For example, a bank might have very strong authentication for system administrators, another type of strong authentication for senior managers, ID and password for most other employees, and some form of simple, but strong, authentication for customers of the online banking system. That is at least four different types of authentication. Add some layered methods – such as strong authentication for the database administrators and passwords to the applications for the same administrators – and the authentication scheme starts to get a bit complicated.
The thrust of ActivIdentity 4TRESS is to allow a diverse array of authentication methods – as well as provide a policy-driven tool for managing authentication – all in a single appliance. The management piece is very nice. The policy approach allows administrators to manage user profiles down to a fine granularity, and those policies are consistent across multiple service channels and lines of business or user communities. Thus, the authentication process becomes part of the enterprise's infrastructure rather than part of an application.The secret is that 4TRESS abstracts away from the application and deals only at the user level. That means that no matter what the app requires, if a user is authorized on it, the authentication requirements are tied to that user.
Another benefit of the 4TRESS appliance is simplicity of deployment. A typical deployment consists of appliances with load balancing across a cluster of applications. Users can be associated with their authorized applications through an application programming interface (API) or through standard mechanisms, such as RADIUS. Since the 4TRESS appliance can connect to multiple user repositories – Active Directory, among others – this tool is ideal for bringing diverse environments together.
Setting up users is simple. User profiles contain all credentials and rights associated with those credentials. Virtually any type of authentication is accepted, including static passwords, smart cards, USB tokens, one-time passwords, certificates, out-of-band transaction verification and transaction signing. Of course, any particular user can have multiple methods and password policies associated.
4TRESS is reasonably priced, especially considering what it does and the environment – banking – in which it does it. The website is plain and simple to navigate with quite a few resources – from managed services, such as consulting information, to application notes, case studies and white papers.
There are two available support options. The standard option includes eight-hours-a-day/five-days-a-week support and free upgrades. The premium option expands support availability to 24/7, again with free upgrades.
Overall, this is a very good product – one that is somewhat unique in its capabilities, especially in the nuances of how it executes those capabilities. The tool is well thought-out, and the requirement it addresses is real. I liked it and, really, could find no fault with it. As with all systems that interact with users and the enterprise, though, one needs to understand one's goals in deploying it thoroughly. That said, there is no question that the ActivIdentity 4TRESS Authentication Appliance for Banking paradigm is to bring the functionality of authentication management solidly inside the enterprise infrastructure, rather than thinking of it as a standalone security application.
Product: ActivIdentity 4TRESS Authentication Appliance for Banking v 7.0
Price: Starts at $7,500 for 4TRESS Authentication Appliance; $33,000 for 4TRESS Authentication Appliance with embedded HSM, plus per user SW license fee
What it does: Provides a single authentication-method-agnostic appliance that also allows management of users' access control requirements
What we liked: This tool is a one-stop shop that manages user authentication, user access policies and everything associated with access control.
What we didn't like: Nothing. The only caveat is that before one deploys this product it is necessary to know what is desired, especially if some enterprise-centric authentication already is in place that needs to be integrated into the new system.