Designing and Implementing a Secure Web Portal
On this shorter episode of IAM Pulse, we'll present a knowledge-based bite on the Education side of Cybersecurity. Today, we’re talking about Designing and Implementing a Secure, Fully Brandable Web Portal. As more users are going remote, organizations should be looking to improve the users’ digital experience.
Hello everyone, welcome to the second episode of IAM Pulse, a podcast dedicated to discussing IAM topics brought to you by BIO-key International. Today, we’re talking about Designing and Implementing a Secure, Fully Brandable Web Portal. As more users are going remote, organizations should be looking to improve the users’ digital experience.
This is a shorter episode, more of a knowledge-based bite on the Education side of Cybersecurity. The topic also touches on the digital environment that many students and faculty are increasingly part of, now that the pandemic has made online classes more common or, for some, preferable.
[What is a Portal]
- Let’s start with: what is a portal?
In simple web terms, a portal is a website that provides users with access to information from various sources in a single location. It acts as a gateway that brings the individual and the required resources together, with minimal navigation elsewhere necessary.
In other words, think of it like your one-stop shop to access all the resources that you should have access to. If you’re a college student, you can access “my.[collegename].edu” and that is a web portal that gives you easier access to financial billing, class schedules, etc.
One of our customers had a web portal that gave them direct access to their Adobe Suite and Google Suite accounts, and I mention this today since our task was to secure their web portal.
I think web portals today are more about ‘how secure can they be’ and ‘what can they do for me’. Many industries now require their own version of a web portal, but the problem is that knowing what a portal is is only a small fraction of understanding what a portal can do for you.
See, in an environment where many organizations are working remotely, using a portal helps your employees get the best digital experience that environment allows, but now you also need to know how to secure it.
- So what are some examples of portals being used today?
- Here are the four major types of portals. It’s difficult to know which portal is right for a given organization, so we’ll simply explain the four major categories.
[Four Major Types]
Web portals come in various guises, so it can be very difficult to understand which type of portal is right for you. Simply put, web portals fall into four major categories.
- Enterprise, Web, Captive, and Intranet
What are the similarities and differences between the portals?
Well, an enterprise portal is a centrally administered framework that provides information and access to data, tools, and programs owned or specifically required by a company or organization.
Meanwhile, a web portal is a public point of access that aggregates content like news and weather.
A captive portal is a public-facing web page that is presented to the user before granting access to the Internet. These usually require specific credentials before Internet access is granted; coffee shop WiFi login pages are a familiar example.
An Intranet portal is similar to an enterprise portal in that it offers access to enterprise-specific information and applications, but the main difference is that an Intranet portal may only access resources that are hosted directly within the enterprise environment.
One difference among all of them is the type of security they offer: some use SSL encryption, others use ACL management, and few support multi-factor authentication.
With the notable exception of the Captive Portal, each major type of web portal focuses on varying forms of the same thing: providing end-users with relevant information. The information that is required, and therefore displayed, varies based on what information is already available to the client via intranet access, and which applications can be redirected to from within the portal itself.
The most common features in portals can be organized into the following categories:
- Content Management
- Information Library
- Project Management
- Direct Communication
- External Integration
But while common features like photo galleries, file sharing, email, and weather get most of the use, the security features, which in a remote environment are the most important, have been taking a back seat.
At a basic, surface level, security features like Firewall/ACL control, Access Control, and SSL encryption are fine, but with each year bringing an increasing number of drastic data breaches and cyber attacks, adequate security has become more of a necessary feature in modern portals.
So as we move forward with being more remote, we need more adequate security measures besides the ones on the basic level.
[Seamless Integrated Secure Portal]
So as noted, portals by their nature are a great way to collect, collate, and present data to the end user. Modern web portals need to address the delicate balance between security and usability to provide the best user experience possible.
Today, especially with many users going remote, user experience (in a digital environment) is the primary driver in selecting and designing the right type of portal.
Addressing security considerations with a portal alone is not a monumental task. Access control, ACL management, and content verification are the first steps in providing a secure portal, but security isn’t a one-stop shop. It encompasses a much wider array of access because after all, sensitive data can mean web content, application access or even downloads.
Questions such as how credentials will be verified and how the portal will act as an IdP need to be considered when building a seamless and integrated secure portal.
It’s clear for us as a cybersecurity company that security should never be an afterthought when integrating a portal into your environment. Additionally, the type of user repository that you use may limit your choice for a fully integrated portal, while necessary external access may also trim your available options. It then becomes a question of whether or not your environment can make certain sacrifices for the sake of user convenience, when in reality you may not need to.
In terms of securing sensitive data, your portal should be a place where the worlds of the public portal and private portal collide into a seamless and single experience. Private information should never be accessible in the same way that public information is provided to users, and using a lot of login portals will increase user frustration rather than reduce it.
When it comes to securing sensitive data though, the main focus is on how users will be granted access to it. If the main goal is to improve user experience, streamlining application access is a major factor. A top consideration for this security measure is using industry standard protocols.
For example, using SAML for SSO, or an equivalent standard, helps thread the needle between security and usability for application access.
Designing a portal with SSO capabilities offers admins and users alike a great many benefits. Having a central access point to web apps gives users the convenience of maximizing their portal experience and efficiency. Jump pages, icon trays, and frames are some ways to do it.
And again, each has its own set of advantages and drawbacks, and understanding them is a key consideration in securing your portal.
Of course, there are many security related questions that present themselves when it comes to securing sensitive data alongside publicly available content, and each organization will have to carefully consider them based on their own merits.
The underlying takeaway is that providing secure access does not necessarily need to become an obstacle in providing the optimal portal experience. Addressing these questions initially will allow you to avoid issues in compliance, design, and integration considerations as well.
Regardless of your industry, security requirements feed directly into compliance considerations. These two are often treated as one and the same, as they rely so heavily on one another. If you’re in finance, you have to deal with PCI-DSS, or maybe you’re in the healthcare sector and need to deal with HIPAA. There are also internal corporate policies, and together these have a major influence on the design and overall implementation of your integrated portal.
Things to consider for your portal are:
- Internal policy requirements, like password management, complexity, and expiration.
- Whether a full range of auditing capabilities is built into the software to track portal access records: does it record successful and failed attempts, typical times of access, etc.?
- And is the portal compatible with MFA?
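To make the auditing question concrete, here is an added example (not code from the episode or from BIO-key) that runs over constructed portal access records and reports the three things the checklist asks about: repeated failed attempts per user, successful logins outside typical hours, and successful logins that skipped MFA. The log format, the business-hours window, and the failure threshold are all assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample portal access records (hypothetical format:
# ISO timestamp, username, result, mfa flag). Not real data.
SAMPLE_LOG = """\
2024-03-04T09:02:11 alice success mfa=yes
2024-03-04T09:15:40 bob success mfa=no
2024-03-04T09:16:02 bob success mfa=no
2024-03-04T23:41:09 alice success mfa=yes
2024-03-05T08:58:33 alice success mfa=yes
2024-03-05T10:05:17 mallory failure mfa=no
2024-03-05T10:05:21 mallory failure mfa=no
2024-03-05T10:05:25 mallory failure mfa=no
2024-03-05T10:05:29 mallory failure mfa=no
"""

BUSINESS_HOURS = range(7, 20)  # assumption: 07:00-19:59 counts as "typical"
FAILURE_THRESHOLD = 3          # assumption: 3+ failures is worth a look

def parse_log(text):
    """Parse one access record per line into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, mfa = line.split()
        records.append({
            "time": datetime.fromisoformat(ts),
            "user": user,
            "ok": result == "success",
            "mfa": mfa == "mfa=yes",
        })
    return records

def audit(records):
    """Return findings: users with repeated failures, off-hours successful
    logins (user, timestamp), and users who logged in without MFA."""
    failures = defaultdict(int)
    findings = {"repeated_failures": [], "off_hours": [], "no_mfa": set()}
    for r in records:
        if not r["ok"]:
            failures[r["user"]] += 1
            continue
        if r["time"].hour not in BUSINESS_HOURS:
            findings["off_hours"].append((r["user"], r["time"].isoformat()))
        if not r["mfa"]:
            findings["no_mfa"].add(r["user"])
    findings["repeated_failures"] = [u for u, n in failures.items() if n >= FAILURE_THRESHOLD]
    findings["no_mfa"] = sorted(findings["no_mfa"])
    return findings
```

Feeding the portal's real access export into `parse_log` (after adjusting the field order) gives a quick answer to whether the records the checklist asks for are actually being captured.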
[Portal Integration Points]
Understanding and addressing security and compliance requirements is good, but the design and integration of your portal are just as important. Even if the portal meets all other requirements, its functionality will go a long way toward determining whether or not users will be willing to use it.
Along these lines, you should consider whether you want a fully integrated login form on an existing page or a separate login page for access. Branding is important here too, since most portal users are more willing to use a portal if it’s branded for the company they work for.
Integration is about bringing everything a user may need without the extra hassle, so when installing a portal, this should be kept in mind. Not only does the portal need to integrate well with your existing website, software, and applications, but it must also integrate with the multitude of needs surrounding appropriate implementation and end-user experience.
Speaking of branding, customization and brandability are huge benefits for a portal’s integration that not only improve the usability but also give the end users the consistent look and feel while navigating through familiar territory. Flexibility to adjust the location of the login screen and streamline access can help take some of the frustration out of the necessary security and compliance related measures as well.
And even though we talk about how important the security and compliance measures are, the UI and content are important too, especially for the end-user. Specifically, branding, color schema, and fonts all serve to convey a reassuring message of corporate consistency and engender trust on the user’s part.
The integration considerations and design elements can be a huge step towards addressing these potential user considerations. Subtle design elements can make a big difference in a portal’s success.
Last, but not least, are the various technical considerations that go into implementing and servicing a new portal. Once everything else has been designed and analyzed, the technical aspects still need to bring everything together into a cohesive whole.
Having a well-designed and highly secure portal is certainly the primary goal of any IT implementation, but there are many “behind the scenes” elements that also need to be considered:
- Whether you plan on hosting this portal on-prem or in the cloud
- Whether the portal comes with failover protection
- Whether it handles traffic spikes
- How you will host this portal
It is unwise to assume anything in terms of appropriate software integration, and making sacrifices at this stage can lead to spending more money down the road, and a whole host of unnecessary frustrations on both the end-user and the administration side of things.
The digital marketplace is a continually evolving community of applications and services that exist to improve every facet of life for the end-user. Everyone has their own set of needs, and the perfect solution must be up to the challenge.
Typical web portals provide a variety of options aimed primarily at convenience, and convenience is great, but security should never be reduced to an afterthought. With the evolution of the digital environment, there’s no reason to settle for simple convenience when your portal can come packaged with strong security as well.