EnterSpace 7.0.4.3 Data Sheet

ENTERSPACE BUNDLE COMPONENTS

• Policy Engine. The policy engine is the heart of EnterSpace. It evaluates digital access control policies and makes dynamic, real-time decisions on whether to grant or deny access.
• EnterSpace Portal. The EnterSpace Portal is a centralized dashboard for creating and managing policies and performing administrative actions. It includes simple and advanced policy editing modes:
  o Simple editing mode is a graphical user interface (GUI) with a drag-and-drop policy rule builder and a Boolean logic tree containing rule expressions. This mode lets you create or change multiple policies, with a focus on resource hierarchies.
  o Advanced editing mode is a command string text editor for raw XACML 2.0/3.0. With this mode, you can create or change a "raw" XACML policy set, with a focus on attributes.
  For a comparison of the functionality in each editing mode, see Policy Manager Editing Features in Simple and Advanced Modes.
• Complete technical documentation set.
• EnterSpace Java Development Kit (JDK).
• Embedded HSQL database to store policies, configurations, and logs. Logs are written in Common Event Format (CEF) for integration with SIEM tools such as HP ArcSight and Splunk.
• Default embedded HSQL "HRConnector" database for basic policy creation during product evaluation.
• Built-in configurable connectors that retrieve and enrich attribute data from external data sources:
  o HyperSQL (HSQL)
  o Microsoft (MS) SQL Server (2008, 2012) in simple authentication mode
  o MySQL
  o Oracle Database
  o PostgreSQL
  o LDAP/LDAPS, including Active Directory
  o PKI
  o SAML v1.1 Attribute Query
  o SAML v2.0 Attribute Query
• Bundled Secure Token Service (STS).
• Bundled Central Authentication Service (CAS).
• EnterSpace Decisioning Service can be integrated with other RESTful authentication services, such as OpenID Connect/OAuth 2.0, to enhance single sign-on (SSO) with attribute-based access control (ABAC).

2016 Jericho Systems Corporation. All Rights Reserved. www.jerichosystems.com 1
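Consuming the CEF audit log in a SIEM, as an added example that is not part of this data sheet and is not EnterSpace code: a small CEF parser that applies the format's escaping rules (\| and \\ in the header; \=, \\, \n, \r in the extension), run over a few constructed policy-decision events to flag subjects that accumulate Deny decisions. The vendor and product header values follow the data sheet, but the signature ID, event name, severity values and extension keys (suser, act, outcome, msg, cs1) are assumptions chosen from standard CEF keys, not EnterSpace's documented log schema.

```python
"""Parse Common Event Format (CEF) audit events and flag repeated Deny decisions.

Example code added to the EnterSpace data sheet; not EnterSpace code. The sample
events are constructed: header vendor/product follow the data sheet, but the
signature ID, event name and extension keys are assumptions, not the product's
documented log schema."""
import re
from collections import Counter

# Constructed sample: four policy decisions as a SIEM might receive them.
SAMPLE_LOG = r"""
CEF:0|Jericho Systems|EnterSpace|7.0.4.3|100|Policy Decision|3|rt=1418860800000 suser=alice act=read outcome=Permit cs1Label=policyId cs1=urn:example:policy:graded-authn
CEF:0|Jericho Systems|EnterSpace|7.0.4.3|100|Policy Decision|5|rt=1418860801000 suser=mallory act=write outcome=Deny cs1Label=policyId cs1=urn:example:policy:graded-authn
CEF:0|Jericho Systems|EnterSpace|7.0.4.3|100|Policy Decision|5|rt=1418860802000 suser=mallory act=delete outcome=Deny cs1Label=policyId cs1=urn:example:policy:graded-authn
CEF:0|Jericho Systems|EnterSpace|7.0.4.3|100|Policy Decision|5|rt=1418860803000 suser=mallory act=write outcome=Deny msg=resource\=payroll\\2014 cs1Label=policyId cs1=urn:example:policy:graded-authn
""".strip()

HEADER_FIELDS = ("cef_version", "vendor", "product", "version", "signature_id", "name", "severity")

# Extension keys are never escaped and contain no spaces; a key is introduced by
# start-of-string or a space, which lets values (e.g. msg) contain spaces.
_EXT_KEY = re.compile(r"(?:^| )([A-Za-z0-9_.]+)=")


def _split_header(line):
    """Split the seven pipe-delimited header fields, honouring \\| and \\\\ escapes.
    Returns (fields, remainder) where remainder is the unparsed extension."""
    parts, buf, i = [], [], 0
    while i < len(line) and len(parts) < 7:
        c = line[i]
        if c == "\\" and i + 1 < len(line) and line[i + 1] in "|\\":
            buf.append(line[i + 1])
            i += 2
        elif c == "|":
            parts.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(c)
            i += 1
    return parts, line[i:]


def _parse_extension(ext):
    """Turn 'k1=v1 k2=v2 ...' into a dict, undoing the extension escapes."""
    keys = list(_EXT_KEY.finditer(ext))
    out = {}
    for m, nxt in zip(keys, keys[1:] + [None]):
        raw = ext[m.end(): nxt.start() if nxt else len(ext)]
        out[m.group(1)] = (raw.replace("\\=", "=").replace("\\n", "\n")
                              .replace("\\r", "\r").replace("\\\\", "\\"))
    return out


def parse_cef(line):
    """Parse one CEF line into a dict of header fields plus extension keys."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF event")
    header, ext = _split_header(line)
    if len(header) != 7:
        raise ValueError("malformed CEF header")
    event = dict(zip(HEADER_FIELDS, header))
    event["cef_version"] = event["cef_version"][len("CEF:"):]
    event.update(_parse_extension(ext))
    return event


def repeated_denies(log_text, threshold=3):
    """Return the set of subjects with at least `threshold` Deny decisions."""
    denies = Counter(e.get("suser") for e in map(parse_cef, log_text.splitlines())
                     if e.get("outcome") == "Deny")
    return {user for user, n in denies.items() if n >= threshold}


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        e = parse_cef(line)
        print(e["suser"], e["act"], e["outcome"], e.get("msg", ""))
    print("subjects with repeated denies:", repeated_denies(SAMPLE_LOG))
```

The threshold-based check is deliberately simple; in a SIEM the same parsed fields would feed a time-windowed rule, and the policy identifier carried in cs1 lets denies be grouped per policy as well as per subject.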
COMPATIBILITY

• HTML5, CSS3, and JavaScript. Fully tested browsers are the then-current versions of Mozilla Firefox (v26) and Google Chrome (v33). Other web browsers may work but have not been tested. Internet Explorer is not recommended.
• SAML v1.1/v2.0, XACML v2.0/v3.0, and the SAML v2.0 profile of XACML v2.0/v3.0.
• Java SE 7 and 8.

COMPLIANCE

The bundle is FIPS 140-2 compliant and certified as interoperable with the Department of Defense (DoD) Public Key Infrastructure (PKI) by the Joint Interoperability Test Command (JITC).

SYSTEM REQUIREMENTS

• Minimum one dual-core processor (rack-mounted or stand-alone server).
• Keyboard, video, mouse (KVM) access.
• 2 GB of free disk space to install EnterSpace Decisioning Service. This does not account for page swapping or audit storage.
• A minimum of 2 GB of application memory.
• Server operating system:
  o Linux. On Linux systems, 64-bit CentOS; other Linux distributions may be 32-bit or 64-bit. The minimum O/S version tested is CentOS 5.9 (kernel version 2.6.18-348.6.1.el5). We recommend the latest version of CentOS Linux.
  o OR a server with Windows installed. On Windows systems, 32-bit or 64-bit operating systems. The minimum O/S versions tested are Windows 7 Ultimate, Windows 7 Enterprise, and Windows Server 2008 R2 (domain membership is not required).

NETWORK REQUIREMENTS

• A single NIC installed on the machine.
• The machine's MAC address(es) must be supplied before deployment to generate the Jericho Systems production license. Evaluation licenses are set to expire.

APPLICATION ACCOUNTS REQUIRED

• Administrator credentials on the local machine. Most production installations will provide only a non-root account for running EnterSpace Decisioning Service.
• Appropriate service accounts for interrogating the remote systems that connectors query.
POLICY MANAGER EDITING FEATURES IN SIMPLE AND ADVANCED MODES

The Policy Editor in EnterSpace Portal provides the following capabilities by policy editing mode; where a capability is specific to one mode, the description says so.

• Policy evaluation. Evaluates a user request against digital policies, renders a decision, and transmits it to a policy enforcement point (PEP). Evaluation behaves the same whether the parent and/or child policy being evaluated was created in either editing mode.
• Authentication neutral. The system supports whatever authentication mechanisms an enterprise deploys, including username and password, biometrics, X.509 certificates, SAML assertions, and more.
• Rules-based authentication support. Allows graded authentication, in which users who authenticate with two factors can be granted more actions on more resources than users who authenticate with only a username and password.
• Resource hierarchy and policy inheritance. Manages resources in a GUI resource hierarchy that allows policy inheritance. This helps when categorizing large numbers of resources, for example securing documents that sit in a folder structure.
• Drag-and-drop policy rule builder. Builds policy rules associated with a resource-action pair using a drag-and-drop GUI.
• Editing Boolean logic policy rules.
• XACML 2.0. Creates and edits XACML 2.0 policies in a text editor.
• XACML 3.0. Creates and edits XACML 3.0 policies in a text editor.
• Policy reuse. Supports shared plans so that previously created policy rules can be reused in other policies. In advanced mode, policies are reused by configuring policy set ID references.
• Comments. Stores comments with policies. In advanced mode, comments can be included as descriptions in the XACML policy itself.
• Advice and obligations. Supports advice and obligations that are stored in policies.
• Policy conversion. Policies created in simple mode can be converted to advanced mode.
• Embedded database. An out-of-the-box basic HRConnector database is provided for policy creation. You can use it for experimentation.
• XACML policy debugging. Allows tracing the evaluation of a XACML policy.
• Policy Impact Analyzer. Compares two different versions of a policy.
• Policy workflow and staging.
• Policy import and export. Imports and exports raw XACML policies through a text editor. You can use scripts for bulk import or export of policies.
• Auditing and activity logs. Performed on policy evaluations and on changes to system objects such as policies, resources, and connectors. Configurable from a full trace of the policy evaluation, with the complete request and response context, down to a simple summary. EnterSpace Decisioning Service has out-of-the-box support for file and database audits and CAS audits, plus an API for custom audit needs.
• Clustering. EnterSpace Decisioning Service instances can be clustered in a domain for availability and scalability. Clusters are intended to work alongside a network load balancer.
• Realm Viewer. Displays information about all nodes in a cluster and their status.
• Connector architecture. Allows Decisioning Service to look up attributes from external data sources when a policy is evaluated. Decisioning Service has out-of-the-box support for databases, LDAP directories, Active Directory, and SAML attribute responders. An API is available for developing custom connectors.
• Event triggering. When a policy is evaluated, events can be triggered, such as sending an email, instant message, or alarm, or updating data sources. Out of the box, Decisioning Service provides email and JMS events. Custom events can be developed using an API.
• Campaigns with shared policies as children, events, and payloads (N/A).
• Roll-back to a previous version of a policy.
• History log. Shows details of prior versions of policies.
• Admin user privileges management. Implements fine-grained access control over policy and connector management using EnterSpace Portal.

Last updated 18 December 2014