Within an enterprise business there are often lots of tools and accounts being used day to day by people within the company, such as email clients and cloud services. So how do you manage all of these identities and ensure that you can trust that a hacker is not intercepting an employee's email or online account and using it for malicious purposes? The answer is to create Digital ID's and provide individual S/MIME Certificates to each user/employee. Employees can then use these certificates to prove their ID and perform tasks like signing and encrypting emails and logging into accounts.
What is client authentication?
Client Authentication is the process by which users securely access a server or remote computer by exchanging a Digital Certificate. The Digital Certificate is in part seen as your 'Digital ID' and is used to cryptographically bind a customer, employee, or partner's identity to a unique Digital Certificate (typically including the name, company name and location of the Digital Certificate owner). The Digital Certificate can then be mapped to a user account and used to provide access control to network resources, web services and websites.
Just as organizations need to control which individual users have access to corporate networks and resources, they also need to be able to identify and control which machines and servers have access. Implementing device authentication means only machines with the appropriate credentials can access, communicate, and operate on corporate networks.
Organizations can leverage the registry information stored in Active Directory to automatically issue template-based and optionally configured certificates to all machines and servers residing within a single domain, or multiple domains in a single or multiple forest configuration.
The Digital Certificates used for client and device authentication may look the same as any other Digital Certificate that you may already be using within your organization, such as certificates for securing web services (SSL) or email/document signatures (digital signatures), but Digital Certificates are likely to have a few different properties depending on the use.
Client authentication can be used to prevent unauthorized access, or simply to add a second layer of security to your current username and password combination. Client authentication and access control also enables organizations to meet regulatory and privacy compliancy, as well as fulfil internal security policies using PKI-based two-factor authentication – 'something you have' (a GlobalSign Digital Certificate) and 'something you know' (an internally managed password).
The benefits of client authentication
Client authentication has multiple benefits as an authentication method especially when compared to the basic username and password method:
- You can decide whether or not a user is required to enter a username and password
- Encrypts transactions over the network, identifies the server and validates any messages sent
- Validates the user identity using a trusted party (the Certificate Authority) and allows for centralized management of certificates which enables easy revocation
- It is unique to the device it is installed on – cannot be ported to other devices
- Restrict access by user, group, roles, or device based on Active Directory (using GlobalSign's Auto Enrolment Gateway (AEG) solution)
- Serves more purposes than authentication such as integrity and confidentiality
- Prevents malicious attacks/problems, including but not limited to phishing, keystroke logging and man-in-the-middle (MITM) attacks
Support for client authentication
Many enterprise applications and networks natively support X.509 Digital Certificates, the standard format for public key certificates. This means with just a few configuration changes, you can enable client authentication for many popular use cases, including Windows logon, Google Apps, Salesforce, SharePoint, SAP and access to remote servers via portals like Citrix or SonicWALL.
This means:
- Minimal configuration is needed to implement strong authentication
- Easily enable two-factor authentication across multiple applications and networks
- Support a mobile/remote workforce
The below images are an example of using X.509 Digital Certificates as a method of two-factor authentication. First the user will login with their own username and password:
On the next screen the user is prompted to sign in using their Digital Certificate.
The user can then pick which certificate to sign in with:
If the organization wants to add an additional layer of security, a smartcard and pin could be used as well.
The problem comes when you need to issue multiple certificates for new employees and have them installed quickly. In larger companies you could be on-boarding multiple new employees at a time and IT departments have to take into consideration other items which may be seen as more important, such as ensuring the new employee has a computer, working desk or accounts for all tools and software they will be using.
Therefore quite often Digital Certificates for secure email and authentication, which should probably take a high priority, are often pushed back to the end of the list. A lot of time and money can be saved when using GlobalSign's Auto Enrolment Gateway solution to issue these certificates, fully ensuring the organization is protecting its resources and assets from the outset.
GlobalSign's Active Directory integration, called Auto Enrollment Gateway (AEG), acts as a proxy between an enterprise's Windows environment and GlobalSign's CA services. This means you can keep all the features and benefits of Active Directory and Windows Certificate Services, including automated provisioning, certificate templates and Group Policy, without managing your own Certificate Authority (CA).
Delegating CA Management to the experts frees your internal IT team to focus on their core competencies, while GlobalSign manages the security, high availability and CA operations, ensuring you meet SLAs and compliance audits. You also gain additional functionality, such as the ability to provision publicly-trusted certificates and certificates to non-domain-joined-objects.
If you want to find out more about how our Auto-Enrollment Gateway solution works and how it can save you 50% of the total cost of ownership, watch our webinar.