SINGLE SIGN ON - AN UNACHIEVABLE DREAM OR A LOW-COST REALITY?

Transcription

1 FEATURE SINGLE SIGN ON - AN UNACHIEVABLE DREAM OR A LOW-COST REALITY? By Ian Kilpatrick, chairman Wick Hill Group, specialists in secure infrastructure solutions BULLET POINT SUMMARY OF FEATURE * Single Sign On has been around for a number of years but hasn t really taken off, despite a business need for it. * Reasons for the slow uptake of SSO in the past include high costs and difficulties in implementation * SSO solutions have changed. They now work with virtually any application - legacy, client, or web, with no scripting or custom-coding required; and they can be easily and quickly deployed across an organisation. * SSO solutions are now cost effective and can show a return on investment (ROI). Reducing help desk costs through less password-related calls is a major way in which SSO can achieve ROI. * Problems with passwords * The case for strong authentication * How SSO combines with strong authentication * The benefits of SSO, including stronger security, improved procedures for signing on new users and signing off departing users, facilitates compliance with data security regulations. * SSO and logical/physical security - the merging of building access and network access.

2 Introduction Many new technologies are hyped up and declared to be the greatest thing ever for improving business. Some do well and become an essential part of business life. Some don t. Others are technologies looking for a business need. Others are recognised as a good idea, but somehow they don t quite take off. Single Sign On (SSO) has been a business need for many years, but unfortunately it s been one of those good ideas which hasn t taken off. The reality has lagged far behind the need. With extremely high costs, difficult and often incomplete deployments, long delays, and cost-overruns affecting many projects, SSO has been a technology wanting but failing to be established. The ever changing nature of the IT environment has contributed significantly to this in a situation where legacy mainframe systems often coexist with IBM, HP, UNIX, Linux, Oracle and Microsoft server environments. The complexity of coding in multiple programming languages, which has been the traditional approach to SSO, in order that SSO can be set up for multiple applications, has led to organisational deployment being minimal and primarily carried out by the large systems houses. This difficulty in implementation, coupled with high costs, has meant that introducing SSO in heterogeneous environments has been restricted primarily to those organisations which have a significant regulatory requirement to have strong password controls and for whom the cost of deployment has worked out less than the cost (and security risk) of password management. Interestingly even in those organisations, many SSO implementations are not comprehensive or completed, but just cover the key applications. So here we have a real business need, with high level IT drivers, with the motivation of potentially significant cost-savings through reduced password-related help desk calls, and with the opportunity for increased security, but where deployment is severely restricted because of technical issues, costs and project difficulties. Despite long being an unrealised dream for many organisations, SSO technology has at last caught up with demand, albeit somewhat belatedly. Solutions are now available that automate the whole process of connecting to multiple systems and multiple applications, and remove the need for extensive, expensive custom programming. This is timely, as the need for SSO has increased greatly with the growing need for local and remote access to multiple applications and the consequent proliferation of passwords. Ian Kilpatrick, chairman of Wick Hill Group, specialists in secure infrastructure solutions, says SSO is going to be an essential technology for the future and he looks at the issues and benefits.

3 FEATURE Single Sign On is an authentication system which allows users to log on to a network once and gain secure access to multiple applications through that one log-in. The reason why adopting such a system has now become very desirable lies in the massive growth in the number of different applications users want to access. The problem with passwords Repeatedly logging in with different passwords to many different applications is hugely time-wasting and can be costly both in lost productivity for users and in the cost of help desk support. Perhaps more importantly, the more IDs and passwords users have to remember, the more likely the business is to have had unauthorised access. Source DTI Information Security Breaches Survey 2006 Another factor in the need to improve authentication procedures is the increasing requirement to prevent data leakage and data theft. A key component of any plan to prevent these growing problems is a good authentication system. Many companies still rely on passwords for authentication. They were once a relatively simple, effective and affordable way to ensure that only authorised users could gain access to important business applications. If passwords aren t actively managed for security, and users rely on a passive, single password, there are great risks of security breaches. Easy to remember short passwords can be broken in seconds by password crackers or they can be worked out by social engineering. The main risk is that users cannot remember several passwords, for different applications, particularly when they are changed regularly. The alternative is complex passwords where the user must often recall different types of passwords, each with its own syntax of alphanumeric characters and symbols. So they tend to write them down, or store them in accessible locations where they can be easily accessed, defeating the object. In either of the above cases the typical approach to reduce risk is to change passwords regularly. Unfortunately in either case this tends to compound the problem with either repetition of familiar passwords or increased writing down of difficult passwords. Post it notes are a popular location for mission critical passwords. Imagine a situation in a large financial environment, where there are perhaps 200 applications for which passwords have to be changed perhaps every eight weeks. You have around 1200 password changes a year across the organisation.

4 This is guaranteed to create problems and when they arise the user turns to the help desk. For many organisations, what was once an easy method of authentication has become a source of frustration, friction, insecurity and, perhaps more importantly, increasing cost and misuse of resources. In these kinds of environments, passwordrelated calls can make up the majority of all helpdesk calls, with the risk that passwords might be provided to unauthorised users. So there are often significant cost and security issues associated with a non-sso environment. How SSO has improved Historically, SSO was around 80% service to 20% product. However, with advances in technology and implementation, SSO product costs have fallen and the service component may now represent only a small fraction of the deployment cost. This can typically be 20% service, with 80% of the implementation being automated. The best SSO solutions now work with virtually any application - legacy, client, or web, with no scripting or custom-coding required. This eliminates months of work and the associated costs, which were previously required when skilled programmers had to write code to SSO-enable every application to be integrated in the enterprise. Imprivata s One Sign single sign on appliance, for example, can quickly and effectively solve and report on password management, security and user access issues. It can enable all enterprise applications, including legacy, client/server, JAVA and web, with needing any custom scripting, changes to existing directories, or inconvenient end-user workflow changes. Because the best SSO solutions are distributed solutions, organisations can deploy them quickly and easily across the enterprise at multiple sites and all levels from a central location, with centralised management and compliance reporting, again saving time and money. Single sign on and strong authentication The use of SSO is typically done in conjunction with strong authentication. Strong authentication comprises something you know (a password) and something you have (e.g. a token), where the token generates a one time password, minimising the risks of identity theft. Tokens are currently the most popular two factor solution, due to their low cost, ease of deployment, ease of management and the standard of security they provide. Companies such as VASCO, RSA and CRYPTOCard provide hardware tokens which generate one time passwords (OTP). The rapid fall in the price of tokens means they are now available from only a few pounds per user per year To put that in perspective, that s considerably less than the cost of ONE passwordrelated helpdesk call, which has been estimated at around 30. With passwordconnected calls making up between 30% and 50% of all helpdesk calls (depending on whose research you accept), tokens can represent a significant cost-saving as well as an improvement in security.

5 Other two factor options include soft tokens which can be sent to your mobile, swipe cards, USB-based authentication and fingerprint recognition. Proximity authentication is another variation which means that once you have authenticated and are within range, you don t need to authenticate again for another application or system. SSO greatly reduces the problems and costs associated with password management. By adding a stronger authentication factor, organisations can minimise or eliminate the need for users to deal with passwords entirely. Imprivata s OneSign platform provides SSO authentication but is easy to use with all facilities in one hardware appliance. OneSign can integrate strong authentication, application single sign on, physical access control and event reporting to provide one enterprise-wide automated employee information access policy which is managed and enforced within a single easy-to-use administrative framework. Benefits of single sign on * Stronger security. With SSO, the unauthorised user has much less chance to gain access to a network because of the improvement in authentication procedures which typically go alongside SSO. Instead of relying on users remembering passwords which are often written down or forgotten, users adopting SSO generally use strong authentication. For example, automatically produced, one time only passwords can be created with authentication tokens, which is a much more secure method. All of the security takes place behind the scenes. User accounts and application privileges are automatically created with strong, often extremely long and application-specific passwords that fortify security without requiring users to remember numerous passwords. Regular complex password changes can then take place without the user s awareness or direct involvement. When SSO first came out, some critics claimed it was too risky to allow access to all applications with one sign on. The argument was that it could give an unauthorised user the keys to the kingdom, letting them access multiple applications. However, the benefits of improved authentication outlined above mean that it is much less likely unauthorised users would be able to gain access in the first place. With SSO, direct access to applications can be secured by extremely complex passwords which are changed regularly - weekly or even daily is now possible. Security is also improved by the facilities in SSO solutions for signing on and signing off new and leaving users, as detailed below.

6 Automation of the SSO process brings another benefit by enabling security reporting and integrated user provisioning. Risks are reduced by creating a central location for login/logout activities. By reviewing these logs, any unusual behaviour on accounts can be identified, such as unusual access out of hours. Dormant accounts can be verified, and a clearer picture can be gained of the usage of key applications. This visibility helps organisations improve license management, and ensure that users have appropriate access privileges * Improved procedures for signing on new users and signing off leaving users. A good integrated provisioning/sso solution will be able to automatically provide immediate and secure access to applications and networks, from the moment an employee begins working, so full productivity is gained from day one. Users can be automatically enrolled to single sign-on and able to gain access to all applications. Ongoing change management for users and accounts can be completely automated. Revoking access rights is also a key element of a good integrated provisioning/sso solution. It s straightforward to efficiently stop access the moment the employee leaves (or earlier, if necessary). In most organisations, the provisioning and deprovisioning of application access is a key productivity and security measure. * Cost benefits and ROI There is no doubt that when it first came out, SSO was very expensive and extremely demanding, both of the time and cost of using skilled people to deal with the technical issues involved. Many implementations were not completed to time or budget and SSO gained the reputation of not being able to provide ROI and justification was based on the regulatory needs for compliance. However, that is no longer the case. Costs have come down and it s much easier to deploy and use In the identity management arena, SSO is now one of the few technologies that can provide a quick return on a low investment, while integrating very easily with other identity management services. Reducing help desk costs is a major way in which SSO achieves a return on investment. With fewer users calling to get their forgotten passwords or be reminded of their changed passwords, or requiring password resets, the total number of help desk calls can be significantly reduced as can the high cost of wasted resources associated with them. As well as saving money on help desk calls, there is a big gain in the productivity of users, who now have a simple, single sign on, so their work flow is not hampered by having to stop to deal with passwords or wait for the help desk, if they have forgotten them.

7 The expensive, trained help desk staff can use their valuable skills elsewhere. If your help desk is outsourced and you pay per call, then the savings are dramatic. It also saves fractionally on the time used during each individual login process. With automated SSO solutions, administrative and maintenance costs are typically significantly lower than with traditional systems. Ongoing operating costs remain low because administration and maintenance can be centralised and performed via a web browser, without any specialised expertise. User training costs are also minimised with SSO because the authentication process is completely automated. With the best SSO solutions, unskilled users can log on instantly and usually without any training. Compliance issues With the ever growing number of government regulations, companies are looking for ways to strengthen their IT security. They need to prove that this has been done and strong authentication, typically with SSO, not only secures but also provides demonstrable compliance in the form of audit logs that record all relevant activity. The Data Protection Act demands that companies should safeguard data which provides information on employees and customers. Yet, data loss and data leakage is a major problem, with the many famous names or government organisations being embarrassed recently through the loss of confidential data. Hackers stole 45 million customer records from TK Maxx s parent company, by breaking into the company s wireless LAN. WEP had been used to secure the wireless network but WEP is one of the weakest ways of securing wireless and it didn t stand up to the attack. If SSO and strong authentication had been used, this would have been much more difficult. And, if the customer records had been correctly encrypted, the customer data would have been safeguarded. There can be a huge cost to these leaks. Costs could be in the form of fines, paying to restore security (for example by changing passwords and deploying encryption) and informing those whose information has been compromised. And, of course, there s the cost to an organisation s reputation. It s not unknown that a serious incident could cost as much as 2 million. SSO, accompanied by strong authentication can provide a stronger front door against entry by unauthorised users. Encryption can also prevent leaked data being read. Integrating logical and physical security One of the things driving the adoption of SSO is the increasing desire of companies to integrate physical and logical security. By merging the security process of gaining physical access to a building (through using swipe cards for example) with the security process for gaining entry to the computer network, companies can increase their overall security while reducing costs. SSO fits easily and effectively into this scenario. Imprivata is one supplier providing solutions which offer physical/logical integration.

8 Progress on merging these securities has been slow in the past because they have been managed by separate parts of a company and use different technologies. Now, however, the ubiquity of IP means that solutions are becoming available which can merge the two. You don t have to start all over again if you want these two environments to be integrated. In many cases, it is possible to use the existing physical access infrastructure and integrate building access with network access. Some of the benefits of this kind of integration include the elimination of tailgating, where employees can come into the building alongside an employee with an entrance card. With a physical/logical security system, a tailgating employee can be denied access to company IT systems. Among the many issues that tailgating can lead to are access to unauthorised areas, breaches of safety regulations, and the inability to prove compliance with access regulations. Where companies have PCI compliance needs, preventing and reporting on access restrictions to key areas is a fundamental requirement. Another area where integration of physical and logical is important is that of protecting against impersonation. For example, if an employee is in another part of the building, and a log-in is attempted either remotely or from the user s machine, recognition of the divergence of physical presence and login attempt means this will be classed as an invalid access attempt and the relevant response can be carried out. Conclusion SSO was over-hyped in the past. It consistently proved costly and resource-intensive with time and budget overruns and a failure to live up to expectations. Technology has moved on and SSO can now be easy-to-use and cost-effective. It has the potential to improve security, help with compliance, reduce costs and increase productivity. SSO can now provide a good return on investment, and as a by-product, deliver a security and access system that is easier to use and more acceptable to staff. ENDS Bio Ian Kilpatrick Ian Kilpatrick is chairman of value added distributor Wick Hill Group plc, specialists in secure infrastructure solutions. Kilpatrick has been involved with the Group for more than 30 years. Wick Hill is an international organisation supplying most of the Time Top 1000 companies through a network of accredited resellers. Kilpatrick has an in-depth experience of computing with a strong vision of the future in IT. He looks at computing from a business point-of-view and his approach reflects his philosophy that business benefits and ease-of-use are key factors in IT. He has had numerous articles published in the UK and overseas press, as well as being a regular speaker at IT exhibitions.