Single sign on may be the solution

Transcription

1 Whitepaper Single sign on may be the solution by Martijn Bellaard Martijn Bellaard is lead architect at TriOpSys and an expert in security. The average ICT environment has slowly grown into an environment with multiple applications. Furthermore, security has become more important, thus more and more applications require a username and password. Hence, a typical user is faced with multiple usernames and passwords, and each system has its own username and password policies. Therefore, a user must remember them all, which may be difficult. This results in writing down usernames and passwords on a Post-it. This 'system' neutralizes security, since all information is now easily accessed by anyone. The 'Post-it' problem is not new and can be solved with a single sign on, but a few things have changed on the sso-playing field. In this whitepaper, I will explain this.

2 The ideal solution The ideal solution is one central authentication source. Each application and system uses this central authentication source. A user logs into the workstation and based on these credentials, he receives access to the other systems. You can already see this within a Microsoft-only environment: Active Directory is used as a central authentication source. Systems like Windows File Server, Exchange and/or SharePoint, subsequently allow you to 'automatically' log in based on their Active Directory account. This support can be extended to systems that support the techniques to be interfaced with Active Directory, using Kerberos, LDAP, ADFS or SAML. For systems that do not support this, an add-on, such as Quest Authentication Services, might be a good choice. One user, one password Not every system uses these principles, thus there are still many applications in which the user has to come up with and remember a different username and password. In that case, it is possible to apply synchronization to the usernames and/or passwords. After that, the user has the same username and password for each system and does not need to remember different ones anymore. This is simply done with a password synchronization tool. Here, the password is equalized between the different systems. Tools4ever has such a solution, but it is a relatively simple one. It becomes considerably more complex when you work with an identity manager. In that case, the password as well as the username is equalized. It is possible to apply synchronization to the user names and/or passwords with a password synchronization tool. There are several suppliers on the market with an idm (identity management) or iam (identity access management) solution. Big forces such as Microsoft, Oracle and IBM have an iam solution. But also smaller forces such as Tools4ever have their own iam solution. There is a wide range of options, but all of these products are difficult to implement. Page 2 of 5

3 Each application has its own special rules regarding the username and password, which first have to be equalized, in order to start with iam. Furthermore, one should assess whether iam can be interfaced with the different systems. What drivers need to be developed to introduce a username and password within a system? Also, password changes or other modifications need to be incorporated in all systems. The iam must be programmed by action, by application, for example, the producers for inservice, out-of-service and change in job function. An iam does not prevent a user from logging in to each application again, but does ensure the similarity of the data everywhere. A user has to remember less information and therefore will be less likely to write data randomly on a note. E-sso With iam/idm, it is necessary to have the right to read and write in each system. This is not always possible. It may not be technically possible, but more often it is a question of rights. If you use an authentication system that is managed by another organization, you may not have writing permissions in that system. In that case, an iam is not working. When this challenge presents itself, you can use an enterprise single signon solution (e-sso). The difference between sso and e-sso is that sso refers to a work infrastructure solution. Sso is about using one username and password to access all the information. Sso does not explain anything about the technique being used. In an e-sso, a client is running on the workstation of the user, which intervenes when a request comes for a username and password. Subsequently, the e-sso client fills in the requested information. Hence, e-sso is a special technique to achieve sso. In practice, these two abbreviations are used interchangeably, thus it's always good to check what someone means when talking about sso. The difference between sso and e- sso is that sso refers to a work infrastructure solution. Page 3 of 5

4 Now, e-sso runs as a client on the user s desktop. There is no difference between a fat client, Citrix server or vdi. The first time an application is running, the e-sso client will monitor and store the username and password. Each time the application reruns, the e-sso-client will automatically fill in the username and password and press enter. When an adjustment has to be made to a password, the e-sso can do this. The disadvantage is that the user no longer knows his password. The advantage is that more complex passwords are possible. The e-sso will generate a random password. As administrator, you are able to decide the rules for creating the password. Known e-sso-solutions are SecureLogin from NetIQ, sso from Imprivata, e- ssom from Tools4ever and e-sso from Quest. Basically, all of these tools work the same. At a central console, the administrator defines the various applications. Here, he identifies the logon fields, the fields for modifying a password, etc. These definitions are then distributed to the e-sso client. Each solution has its own additional features that extend these solutions. Sso is safe!? Sso increases security, because users are no longer faced with a lot of passwords. A user will only have to remember one password, which is the one of his primary login account. At the same time this is the main weakness of sso. If I know the information of someone s primary login, I am able to access all the systems to which this person is entitled. It is therefore wise to make use of two factor authentication within sso. Sso solves the 'Post-it' problem, but has no knowledge of the systems behind the login. Sso solves the 'Post-it' problem, but has no knowledge of the systems behind the login. At the moment the user is past the login, the sso will do nothing more. A user is still able to copy information in the system and distribute it. Sso is a part of the information security policy and may increase the security, provided that it is used correctly. Page 4 of 5

5 Conclusion The type of sso that best suits an organization depends on the ICT infrastructure. It is possible to work with one single central authentication source, if all the applications are from a single vendor. This is not the case for most organizations and therefore it should be considered whether the different sources can be interfaced. It is especially important to look at what access methods are available to different sources. Is it possible to equalize usernames and passwords by using an iam? An iam ensures the similarity of all usernames and passwords everywhere, and the modification of the adjustments to a user account everywhere. The implementation of an iam, however, can prove itself complex and costly, and is not achieved quickly. An e-sso solution is particularly a good solution in environments in which the various authentication sources cannot be interfaced. About TriOpSys TriOpSys is specialised in designing, building and managing mission critical IT systems, which are software systems that may never be offline. Examples of these software systems are traffic and emergency centers (on land, water and in the air), bulletin call centers, command centers, command and control systems. Our services cover three fields of expertise: IT Consultancy, Software Development and Mission Critical Services, in three domains: Traffic Management, Defense & Aerospace and Public Order & Safety and Security. Als u wilt dat uw What type sso best medewerkers het suits an automatiseringsproject serieus organization depends on the ICT nemen, moet u infrastructure. duidelijk maken dat de organisatie dit ook doet. Do you want more information about this whitepaper? Or are you looking for advice? Please contact us at: info@triopsys.nl Page 5 of 5