Enterprise Single Sign-on (ESSO)

Transcription

1 Reference Code: TA001301SEC Publication Date: August 2007 Author: Alan Rodger TECHNOLOGY AUDIT Enterprise Single Sign-on (ESSO) ActivIdentity BUTLER GROUP VIEW ABSTRACT Enterprise Single Sign On (ESSO), from ActivIdentity, is a solution set that enables organisations to effectively combine Single Sign-On (SSO) with strong security, providing end-users with secure access to almost any type of application without remembering individual passwords. Application-specific passwords are now seen as constituting more of an efficiency problem than a security benefit, as they are a major cause of calls to an organisation s helpdesk. ActivIdentity ESSO provides multiple options to augment SSO with greater security and/or business value, via smartcard related functions, kiosk-style workstation sharing, selfservice password reset, and integration with identity provisioning systems. The solutions require a Windows client machine environment with a downloaded module running, and end-users identities are normally defined in a directory, so the solution is suitable for SSO needs within enterprises rather than in the consumer-facing Web at large. In this realm, ActivIdentity provides a leading solution that caters well for ongoing change, and incurs little commitment of technical management resources. Butler Group believes that client platform support should be extended to include mobile devices and Linux, in order to support enterprise needs of the future. There are many options for modular implementation approaches, allowing further evaluation before wholesale adoption. KEY FINDINGS Efficiency benefits, plus added value and security from strong authentication. No need to change the majority of user experience, avoiding costs of re-training. Allows customisation of end-user experience via powerful script language. Use of directory infrastructure and features confers many advantages. Client platform support should be extended, as ESSO is currently Microsoft-dependent. LOOK AHEAD 64-bit Vista and Linux support are amongst a large number of enhancements to be released during late 2007 and Butler Group. This Technology Audit is a licensed product and is not to be photocopied Page 1

2 FUNCTIONALITY Product Analysis ActivIdentity ESSO solutions provide users with access to network resources, using a single, secure log-in at a dedicated or shared workstation. This eliminates the users burden of remembering multiple passwords, an approach which can reduce helpdesk costs and improve productivity. The solution s key components include: SecureLogin SSO, which provides automated log-in capabilities to a wide range of Windows, Web, Java, and terminal emulator applications. The product works by automatically responding to application events associated with log-in or other password-related activities, prior to these appearing at the user interface. Built for directory environments, it can provide centralised policy management, and inheritance through user groups, using existing enterprise infrastructure. ActivClient, which allows the combination of SecureLogin SSO with Strong Authentication technology such as smartcards, USB tokens, biometrics, and other security methods. Implementation examples include using smartcards and Public Key Infrastructure (PKI) capabilities to enable PKI encryption of the user s SSO data store in the directory and local cache. SSO credentials can also be stored on the smartcard, enhancing work mobility. With the ActivClient smartcard middleware, users can also generate One-Time Passwords (OTPs) from the smartcard and automatically submit these for sign-on to other applications, e.g. a Virtual Private Network (VPN). SecureLogin Kiosk, which provides instant log-in and access to applications on shared workstations, and is suitable for environments (e.g. healthcare) where rapid access is an important business factor, without compromising security policy. SecureLogin Password Reset Manager, which enables users to securely reset their own Windows Domain password. It integrates seamlessly with SecureLogin SSO to enable password reprovisioning to be independent of helpdesk intervention, increasing productivity and reducing support costs. Identity Provisioning Integration, which integrates SecureLogin SSO with identity provisioning products from IBM Tivoli, Novell, and Sun Microsystems, and enables automatic provisioning and management of SSO credentials from the Identity Provisioning console. SecureLogin SSO provides the basic capability to automatically handle application-level passwords (and potentially other, non-application log-ins such as infrastructure passwords), and consequently these can be strengthened if necessary without adversely impacting the end-user experience. Since the end-user has only a single password to remember, it is feasible for the primary network password to be made more complex, thus providing higher security. It is designed to require minimal end-user intervention, and after simple installation can be used with little, if any, end-user training. The product can also be used to take the user past the authentication sequence of an application and into any sub-menu or sub-level of an application, further reducing the costs associated with application navigation. Butler Group believes the addition of strong authentication to be a wise addition to password-based SSO, in order to more securely protect the access rights that a single password confers. Complementing SecureLogin SSO, the product choices provided by ActivIdentity give many options for highly secure and flexible log-in processes to be easily adopted, including: Butler Group. This Technology Audit is a licensed product and is not to be photocopied Page 2

3 Smartcard log-in to Windows using strong two-factor authentication, with two options: the first is Smart Card Password Login, in which users insert their card and enter a PIN, unlocking their network password (stored securely on the smartcard) and submitting it to Windows. The second option is Smart Card PKI Login, which entails the same user experience, but instead of simply submitting the network password, the smartcard is verified using digital signatures based on asymmetric (PKI) keys and certificates (this option requires that an organisation has a PKI in place, i.e. Certificate Authority issuing certificates and publishing a Certificate Revocation List (CRL)). A user s application credentials (usernames and passwords) can be stored in a PIN-protected area on the card enabling easy portability of credentials for use with SecureLogin SSO on other workstations. Credentials stored on a smartcard are synchronised with the user s directory-based credentials store, and so are recoverable in case the card is lost. Encryption of user s SSO credential store on their PC and in the directory using a PKI-based certificate on their smartcard. Enforced presence of smartcard for SecureLogin SSO operations (i.e. mandatory two-factor authentication). SecureLogin and Windows session log-out upon removal of the smartcard. Product Operation A SecureLogin SSO client module, present on each user s workstation, is responsible for the automated signon functions. It watches for log-in and password related events (e.g. prompts for log-in details or password changes) for SSO-enabled applications and handles these events according to the policy logic, configured in SecureLogin by the administrator. It can deal with log-in prompts without requiring user intervention, as long as valid credentials are currently held these are retrieved from the directory, or alternatively, from the local cache for off-line or stand-alone log-ins. If no credentials are held for the user, SecureLogin SSO prompts the user for these credentials and then stores these in the repositories, from where they can be retrieved, populating password prompts for automated log-in at each subsequent application start-up. The power of having a directory platform is used in two major ways: to map SSO details onto the user structure that is defined in the directory; and to distribute the SecureLogin client modules and policy logic to workstations. Significant cost savings and other benefits are realised by customer organisations due to the solution s re-use of existing definitions of identity within the directory, and of the directory s distribution capabilities. Reinforcing the use of familiar tools and environments, administration of SecureLogin SSO is performed via administrative consoles appropriate to the hosting directory service -- for example, a Microsoft Management Console plug-in is provided for use with Microsoft Active Directory or Microsoft Active Directory Application Mode; imanager plug-ins are provided for Novell edirectory administration; and the SecureLogin Manager is provided for use with other Lightweight Directory Access Protocol (LDAP) directories. The administrator can automate the user credential population process using the interfaces that ActivIdentity supplies to provisioning applications such as IBM Tivoli, Novell Identity Manager, and Sun Java System Identity Manager. Users credentials are stored in encrypted form within the directory, under triple use of Data Encryption Standard (3DES) security, or the government-grade Advanced Encryption Standard (AES). Administrators have several options for SSO-enabling applications used within their organisation. SecureLogin comes with more than 80 pre-defined application definitions (for popular Windows, Web, and Terminal Emulator applications). For SSO-enabling other applications and Web sites, administrators are empowered with simple to use Wizards. Butler Group. This Technology Audit is a licensed product and is not to be photocopied Page 3

4 The Wizard approach is a one-off task of mapping applications log-in and password process- related characteristics to the appropriate SecureLogin actions. Application window features, such as title and data entry boxes, are dragged and dropped into the Wizard, which prompts the Administrator for other input necessary to create the definition of how the client module should respond. The output takes the form of a script, and the flexibility that this affords allows it to also be customised to identify and intercept any particular window arising from an end-user application, and to tailor the user interaction. For example, if a legacy application displays an unhelpful error message, or provides insufficient guidance in a message, the script can implement a replacement message or undertake replacement user interaction under control of the script, without the need to amend the end-user application. Normally, however, the script mandates that the user s password is used to log-in automatically to the application whenever it is activated by the user, hence the user s usual experience is to observe a very brief, automatic, interaction before being presented with the next interaction (after log-in) with his end-user application. For password changes, the script can be written to cater for the application s password policy, and can be configured either to prompt the user to choose a new password, or to transact automatically with the application and generate a new password that complies with the bounds set by the application s password policy. Invisible to the end-user throughout its operation, the scripting language is based on Unicode, and has the capability to use international languages, both in its recognition of characteristics in Windows being displayed, and in displaying its own messages. Scripts are held within the directory, and distributed to client machines via the directory s download mechanism. Product Emphasis ActivIdentity ESSO allows a flexible approach to be taken for sign-on and authentication. SecureLogin SSO provides the foundation of increased security by centrally managing application- or systems-specific passwords (rather than these being handled by individual users), while still protecting back-end systems and applications with the strict enforcement of native password policy. It does so by leveraging the storage and distribution benefits of the enterprise directory, as well as its repository of user structure and access rights, as a foundation for building a robust identity security policy, bringing overall benefits of efficiency and ease-ofuse. This architecture does, however, restrict the benefits to an organisation s processes relating to identities that are already known to its directory, rather than new customers registering on the Web. For organisations taking the wise step of enhancing password-based security with stronger authentication methods, ActivIdentity ESSO enables integration to be achieved more easily, and offers increased value over some competitor alternatives by providing, off-the-shelf, a set of processes that can be used as the foundation for real-world implementation of the main strong authentication technology options such as USB tokens, and smartcards. DEPLOYMENT The extent of resources required to deploy solutions depends on the size and complexity of the user base and application portfolio. While ActivIdentity states that customers installing the standard SecureLogin SSO product do not require a Professional Services (PS) engagement, ActivIdentity does offers PS packages to accelerate deployment and assist their customers in getting the full use and Return On Investment (ROI) from SSO projects. In addition, ActivIdentity Professional Services provides packages to support customers deploying SSO with strong authentication or Identity Management components, or SSO-enabling complex applications. Butler Group. This Technology Audit is a licensed product and is not to be photocopied Page 4

5 There are many ways in which a modular approach to implementation can be taken. For example, applications can be added in phases to the portfolio managed under ActivIdentity ESSO. ActivIdentity also provides product capabilities beyond SSO that enable additional identity-related features to be added, such as smartcard related functions (e.g. storage of PKI-encrypted credentials and OTP generation), advanced card management, kiosk-style rapid sharing of workstations, self-service password reset, connectors to popular identity provisioning systems, and advanced auditing features. Pre-packaged training is of a four-day, instructor-led format, and prepares participants to qualify for certification. A review of background technology (identity and cryptography technologies, including smartcards, PKI, and OTP) is followed by three days of hands-on and instructor-led training on SecureLogin SSO that includes: Managing SSO in a corporate environment (e.g. distribution of application definitions to end-user workstation). Installation of SecureLogin SSO in a corporate environment with Microsoft Active Directory and other LDAP directories. The interaction of SecureLogin SSO with smartcards and other strong authentication methods. Creating and editing application definitions for Windows, Web, and terminal emulator applications. Administration of the solution s implementation in the end-user environment is conducted within the normal administration processes for the directory system. For Microsoft Active Directory deployments, this is done via the Microsoft Management Console. On most directory systems, SecureLogin SSO is added as an additional tab to the presentation layer of the administrator s interface. This tab is used to define the options (such as those in the list below) to be made available by SecureLogin SSO, to the user population represented by the container being maintained (e.g. a user, or user group): Whether configuration access is to be available. Whether passwords can be viewed. Whether a System Tray icon is to be shown on the desktop. Whether SecureLogin SSO should be disabled. Whether access to SecureLogin SSO scripts is to be available. The ActivIdentity ESSO Management tools, and the end-user client facilities, can operate within Windows 2000 Professional SP3/SP4, Windows XP Professional (any service pack up to SP2), Windows 2003 (Enterprise and Standard Editions), and Windows Vista (32-bit, with 64-bit support available in a late- 2007/early 2008 SecureLogin SSO release). Browser-based facilities are supported on Microsoft Internet Explorer 6.0 and 7.0, and Mozilla Firefox 1.0, 1.5, and 2. The following directory products are supported as deployment environments: Microsoft Windows 2000 Sever Active Directory. Microsoft Windows Server 2003 Active Directory. Microsoft Windows Server 2003 Active Directory Application Mode (ADAM). Novell edirectory 8.7 and 8.8. Butler Group. This Technology Audit is a licensed product and is not to be photocopied Page 5

6 Sun Java Directory Server. OpenLDAP IBM Tivoli Directory Server. Integration with Microsoft s ADAM, an application-specific directory instance for non-strategic directory deployment, is also available. Microsoft Terminal Services are supported on Microsoft Windows Server 2003 Terminal Services, Microsoft Windows XP Remote Desktop, and Microsoft Windows Vista Remote Desktop (on 32-bit systems). Citrix deployments are supported as follows: Server elements can be on MetaFrame XP Presentation Server FR3 SP4 on Windows 2000, or Citrix Presentation Server (4, or 4.5) on Windows 2000 Server, or on Windows Server Client: elements on Citrix Presentation Server Client version The standard offering for ActivIdentity ESSO provides the SecureLogin SSO client and management functionality, along with built-in support for hundreds of applications, and the extensibility to support log-ins to almost any Web, Java, client-server, or host-based application. Pricing starts at US$59 per user, with volume discounting available. PRODUCT STRATEGY The solution is targeted in general at large global organisations such as the Fortune 500 and Forbes Global 2000, and although the company states that it is scalable down to the needs of smaller companies, it is usually implemented within organisations with at least several thousand employees. It is appropriate across industry sectors, although key vertical sectors are defined as government, healthcare, and financial services. The company sees a major market opportunity where companies undergoing mergers and acquisitions are often bringing together multiple networks, and have numerous applications that make managing passwordbased requests a major helpdesk problem. The company includes factors such as number of employees, the number applications they use, and past experience of helpdesk call volumes, to construct a standard calculation of ROI, which it states could reach 300% after three years for an organisation with approximately 10,000 employees, based on industry analyst estimates. SecureLogin SSO is sold directly, as well as via OEM resellers, and other partners such as global alliance partners, and a community of Valued-Added Resellers (VARs) and distributors whose technical capabilities and skills have met ActivIdentity SSO training certification criteria. Individual, well-known Systems Integrators number amongst these partners in the three major global regions, and the company has global alliances with EDS, HP, IBM, Novell, Sun Microsystems, and Verisign. Novell offers the product as Novell SecureLogin, complementing its suite of identity management offerings in over 2,000 of its customer organisations. Key technology partnerships are with Oberthur Card Systems (as well as many other card manufacturers) for smartcards, Citrix (ActivIdentity is a Presentation Server partner), Novell, Sun Microsystems, and IBM (all three as partners for Identity Management integration), Microsoft (ActivIdentity provides operating system and application integration), and Ensure Technologies (for proximity device integration). The product is licensed on a per user basis, with significant discounts available at higher volumes. Subsequent to initial licence purchase a choice of plans is available for support, both of which include the annually payable maintenance charge: Butler Group. This Technology Audit is a licensed product and is not to be photocopied Page 6

7 Standard Support, at 20% of licence cost, involves ActivIdentity providing support during an 8-hour period on weekdays, but with first- and second-level support being provided by partners such as the customer s reseller dealer (which also provide product upgrades within this support model). Premium Support, at 25% of licence cost, in which ActivIdentity provides 24x7 support (and product upgrades) directly to the customer, and trains and certifies two of the customer s staff on the product. A significant upgrade of Wizard functionality within ActivIdentity ESSO is in progress, and a new version may be included in a release later in Another major development is product support for Linux, which is planned for the first half of COMPANY PROFILE ActivIdentity was formed in 2005, when ActivCard took a new name following its acquisition of Protocom earlier that year. Both were established vendors in the Identity and Access Management (I&AM) market, with highly complementary portfolios: ActivCard s main focus within the market was authentication, secure remote access, and smartcard management systems; Protocom s, enterprise SSO (this being the source of the ActivIdentity ESSO product). The company is headquartered in Fremont, California, and has development centers in the United States, Australia, and France, and sales and service centers in more than ten countries. It has 314 employees, of whom 118 are based in the EMEA region, 128 in North America, and 68 in Asia Pacific. In 2006, 51.7% of its revenues arose from business in the Americas, 42.1% from the EMEA region, and 6.2% from Asia Pacific. Around 40% of the workforce is involved with Research and Development (R&D), 29% in sales and marketing activities, 16% in services or customer support, and the remainder have administrative or other operational roles. Its shares are traded publicly on the NASDAQ (ACTI), on which exchange ActivCard listed in Its financial results in recently completed financial years, showing consolidated figures of the merged companies, are summarised in Table 1. Table 1: Financial Details Year (see notes below) Revenue (US$ Million) Change on Previous Year (%) 26.5% 25.6% n/a Gross Margin: 62.9% 55% 57.5% Notes: 1 Revenues reported are for the 12-month periods ended 30 September. 2 Revenues reported are for the four quarters ended 30 September Source: ActivIdentity D A T A M O N I T O R The company has a wealth of products whose technologies combine as solutions for SSO, strong authentication, secure information, and transactions, as well as device and credential management. It offers packaged solutions that tailor its technology to the enterprise, government, financial services, and healthcare markets. Butler Group. This Technology Audit is a licensed product and is not to be photocopied Page 7

8 The convergence of the market areas addressed by ActivCard and Protocom, given the need for strong authentication security to protect the added value bestowed by SSO, provided the motivation for the acquisition, and a market opportunity for ActivIdentity. In particular, a presidential directive (HSPD-12) in the USA that decreed all Federal employees and contractors must have a Personal Identity Verification (PIV) card, expanded the market for solutions in which ActivIdentity had significant success: it won a contract to provide 10 million smartcards for the US Department of Defense, covering implementations in all three major military services. Overall, ActivIdentity has over 4,000 organisations as customers, with over 15 million users of its solutions: the company has more than 400 customer organisations that are direct users of its ESSO solutions, with over 1,000 more as customers of the Novell SecureLogin product. Major customers that use ActivIdentity ESSO include the General Services Administration (GSA), Convergys, Webster Bank, Scott & White Hospital (all of the foregoing being US-based), Royal Dutch Shell (based in The Netherlands), Saudi Aramco (Saudi Arabia), Areva (France), and Mapfre (Spain). SUMMARY ActivIdentity s dual heritage of leading SSO and strong authentication gives it a major strength in this market space, an area which customer organisations are finding increasingly meets a number of important requirements. Organisations implementing SSO have been increasingly wary of users entire access rights being protected only by a single password the range of capabilities that Actividentity offers enables customers to enhance the protection around SSO with a range of secondary strong authentication technologies, and the Actividentity ESSO solution range includes readily activated processes that provide implementation and management advantages. Table 2: Contact Details ActivIdentity Europe Avenue du Général de Gaulle Suresnes, Cedex France Tel: +33 (0) Fax: +33 (0) Corporate Headquarters 6623 Dumbarton Circle Fremont, California USA Tel: +1 (510) Fax: +1 (510) Source: ActivIdentity D A T A M O N I T O R Headquarters Europa House, 184 Ferensway, Hull, East Yorkshire, HU1 3UT, UK Tel: +44 (0) Fax: +44 (0) Butler Direct Pty Ltd. Level 46, Citigroup Building, 2 Park Street, Sydney, NSW, 2000, Australia Tel: + 61 (02) Fax: + 61 (02) Butler Group 245 Fifth Avenue, 4th Floor, New York, NY 10016, USA Tel: Fax: For more information on Butler Group s Subscription Services please contact one of the local offices above. Important Notice This report contains data and information upto-date and correct to the best of our knowledge at the time of preparation. The data and information comes from a variety of sources outside our direct control, therefore Butler Direct Limited cannot give any guarantees relating to the content of this report. Ultimate responsibility for all interpretations of, and use of, data, information and commentary in this report remains with you. Butler Direct Limited will not be liable for any interpretations or decisions made by you. Butler Group. This Technology Audit is a licensed product and is not to be photocopied Page 8