Architecture for optimising efficiency
Providing maximum security and dynamic authentication does not have to impact user efficiency. This page provides an example of how you can create an architecture that provides optimum security with AuthControl Sentry®, without compromising user efficiency.
Maximum security, optimum efficiency
Not everyone has the resources or the investment to design and implement an extravagant environment to secure their data and applications. For those wishing to tick both boxes without constraint, however, this could make the difference between a successful deployment and friction within the workplace caused by inefficiencies and frustrated users.
When deploying Swivel Secure authentication – AuthControl Sentry® – efficiency and resilience can be maximised from multiple perspectives: not just in terms of network architecture, but also in terms of reducing friction in the end-user authentication experience. An efficient design automatically brings security benefits as well as resilience.
By their nature, efficiency and resilience are intertwined. However, before we make our services more resilient, we need to ensure that they are already operating efficiently. Below are some areas for consideration when embarking on an efficient design.
Minimising friction for end-users
There is always going to be a balance between optimising user efficiency and maximising security. Here are some considerations for keeping the process for users as efficient and as streamlined as possible.
- Risk-based authentication – reduce friction for the compliant user
- Reduce user confusion – only the authentication methods that apply to the user should be visible
- Variable Single Sign-On – only prompt for re-authentication when the risk to data varies
- Self-service user portal – reduce user reliance upon the IT service desk and ultimately your management costs
- Ease migration pains by temporarily proxying to old solutions – allowing users to use their old tokens until they are migrated
- Timing – if your old authentication solution's maintenance contract will expire soon, be sure to implement AuthControl Sentry® in a reasonable time frame to avoid a change crunch
There are also modifications you can make to your architecture to improve efficiency. Consider the points below and whether they can be implemented in your current architecture. Sometimes, small changes can make a big difference.
- Preventing deep network ingress by using reverse proxy publishing servers
- Minimising network penetration by reducing zone traversal
- Reducing hops by using local points of presence for directory syncing, mail relay, database access or backing up
- Load balancing of authentication traffic using existing equipment
Separating functionality can help to reduce load. Consider providing dedicated machines within your architecture assigned to perform specific functions, such as those listed below.
- User syncing against Active Directory
- RADIUS proxying
- API functions
- Credential checking
- Identity provider and risk-based authentication
Utilisation of existing infrastructure such as Load Balancers and Databases
Sometimes budgets can be a limiting factor, especially in the public sector. By using existing infrastructure creatively, you can maximise efficiency without requiring a lot of additional investment.
Resilience is maximised through an efficient design that is sympathetic to your existing architecture, but Swivel Secure products also have the following built-in features for maximum resilience:
- Built-in data replication and a wide array of compatibility for external databases
- Configuration replication – reducing disaster recovery time
- Dedicated disaster recovery appliance
- Dedicated HA appliances
- Multiple session syncing methods
- Virtual IP where load balancing is not available
- Built-in self-monitoring
- Service-oriented architecture capability, to separate out functions across different nodes
- Perpetual license – it won’t stop working due to license expiry
Optimum multi-site security architecture
1. Ingress stops at DMZ
2. Authentication processed on LAN
3. Reverse proxy public-facing services confined to DMZ
4. Risk-based authentication profiling confined to DMZ
5. Localised directory sync and password checking
6. Localised mail routing
7. Existing external database utilisation for efficiency and redundancy