Simplifying Security with Datakey Axis Single Sign-On. White Paper

Transcription

1 Simplifying Security with Datakey Axis Single Sign-On White Paper

2 Copyright and trademark notice 2003 Datakey Inc. All rights reserved. Version 1.0 No part of this document may be reproduced or retransmitted in any form or by any means electronic, mechanical, or otherwise, including photocopying and recording for any purpose other than the purchaser s personal use without written permission of Datakey, Inc. Datakey is a registered trademark of Datakey, Inc. Datakey Axis and Rapid Deploy Technology are trademarks of Datakey, Inc. Microsoft is a registered trademark of Microsoft Corporation. Windows, Windows 2000, and Windows XP are registered trademarks of Microsoft Corporation.

3 Introduction Passwords aren't going away anytime soon. In a recent survey by Information Week magazine, over 90% of U.S. companies reported that passwords were their primary method of access control. This number has changed very little over the years despite the myriad of strong authentication access control products available on the market. Why do passwords continue to have such predominance in the industry, even with all the vulnerabilities, user frustrations, and management costs associated with them? Because passwords have become embedded in our social and corporate cultures moving away from password-based systems would require a major shift in both our social ideology and in our corporate infrastructures. This white paper takes a closer look at the password dilemma and at the access control alternatives that have been used in an attempt to replace passwords. It then introduces Datakey Axis, a new product by Datakey, Inc. Datakey Axis uses automated Single Sign-On (SSO) enabling technology (patent pending) and integrated smart card and USB token technology to provide the broadest application coverage while reducing the administrative burden, cost, and user pain associated with password-based access controls. All this is provided while enhancing security and increasing user productivity. Surveying the Access Control and Single Sign-On Landscape Passwords aren't free. As the number of applications that each user must access increases, the cost associated with managing these passwords and their impact on the user keeps rising. IT organizations are confronted with the following realities surrounding the use of passwords: The number of systems, Web sites, networks, applications, etc. requiring user name/password authentication is increasing. Users are confronted with a growing list of passwords to remember. Passwords are subject to sniffing, sharing, brute force attacks, dictionary attacks, theft, social engineering, personal information gathering, and just plain guessing. Strong password policies are difficult and costly to enforce. A strong password typically consists of a random set of characters, is at least 8 characters long, and is changed frequently. However, the more complex the password, the harder it becomes to remember. Users either end up writing down their passwords and saving them someplace for easy access (completely undermining security) or they forget them, requiring a call to the help desk to reset their password. Significant industry statistics indicate that 30% - 50% of a help desk's resources are consumed in managing and resetting passwords. End-user resistance to strong passwords remains a major obstacle. Unless this obstacle can be removed passwords will continue to be abused and will continue to pose a serious security vulnerability. Government regulations being imposed on certain organizations are requiring their respective IT organizations to impose better access control mechanisms. At a minimum these regulations will require the enforcement of stronger password policies. Some of these regulations are listed below. Gramm-Leach-Bliley Act, Title V: Requires financial institutions to have a written, comprehensive security policy to protect the security and confidentiality of a customer's non-public, personal information. Health Insurance Portability and Accountability Act of 1996 (HIPAA): Requires that health service providers ensure the security and privacy of healthcare information. Sarbanes-Oxley Act of 2002: Requires more stringent reporting requirements, mandating internal technology controls on financial reporting systems. In response to the need to address the realities associated with passwords, a variety of access control products have become available over the past several years that have displaced traditional passwords with other, stronger authentication mechanisms. Examples include dynamic (one-time use) passwords, digital certificates, biometrics, symbol manipulation, and cookies. One goal of these products, in addition to enhanced security, is the attainment of a single sign-on solution in which the user only has to authenticate him/herself once during a session. However, the acceptance of these single signon solutions has not been universal because they have not adequately dealt with a variety of objections. These objections are the primary reason that passwords retain their widespread use. Table 1 describes a variety of approaches that are employed by existing products and the objections that restrain their wide-spread deployment. Datakey Axis Single Sign-On White Paper 1

4 Table 1: Single sign-on approaches and objections Approach Password Synchronization Objections Limited SSO application coverage. Each application or server needs an agent installed on it. Single point of weakness. Use of the same password for all applications reduces security. Strong password must still be memorized. Limited to password-based security levels. Must still enter a password for each access request. Authentication Server Limited SSO coverage. Agents need to be installed on each application, host and server. Also, solutions are generally limited to network, VPN, and remote access authentication. Tokens, which are bulky and inconvenient to carry, are limited to providing a single security function. Need to configure separate server(s) and often separate user databases. Time consuming for the user to generate and enter a one-time password response. Complex management. Expensive recurring costs. Web Access Management Provides SSO coverage for Web enabled applications only. Requires Web server and/or application plug-ins to be installed. Need to configure separate server(s). Proximity (RFID) Card Single factor (weak) authentication. Expensive reader technology. Servers need to be installed and configured. Reliability issues exist when multiple card holders are in close proximity. Certificate-based Requires a PKI to be installed (complex and expensive). Private key protection is always a concern. Growing but still limited set of applications are PKI enabled. Traditional Client-based Approach Weak credential protection with software based security or memory smart cards and tokens. No central management control. The end-user controls password management. Scripting often required for expanded application coverage imposing time and expertise demands on IT resources. 2 DatakeyAxisSingleSign-OnWhitePaper

5 Simplifying Security and Single Sign-On Single sign-on solutions do not have to be complex, limited in their application coverage, or a burden on the end user. The single sign-on solution that IT is looking for and which removes the objections to existing products is here today. It is Datakey Axis, which provides IT with: Comprehensive SSO application coverage. Centralized management of application access and password policy. Simple and fast set-up and deployment not requiringanitproject. Acceptance by the user community, removing the burden from the user to remember or manage multiple passwords. Enhanced security with two-factor authentication and automated enforcement of strong password policies. Immediate cost savings that will allow deployment within existing budgets. Datakey has made this simplified security and single sign-on solution possible with the integration of two key technologies: Datakey s smart card technology and Datakey's Rapid Deploy Technology. Each of these technologies is discussed in detail in the following sections. Smart Card Technology Smart card technology is now a mature technology that has opened up tremendous new opportunities for enhancing and simplifying security solutions. Because of their familiar and acceptable form factor (either a credit card-sized card or a USB token), their processing power and storage capacity, and their certified mechanisms for securing digital credentials and other data, smart cards are becoming a preferred approach for securing access to on-line services and applications. Microsoft has validated this belief with their greatly expanded smart card support in Windows 2000, Windows XP, and the Windows Server 2003 product suites. A smart card (and its USB token equivalent) is a hardware device that is used to store private information. The information stored on the smart card cannot be accessed unless the owner of the card logs on to the card with a pass phrase or PIN, much the same way a person enters a PIN to use an ATM card. Smart cards enable what is known as "two-factor" security: something that you have (the smart card) and something that you know (the passphrase). Two-factor security controls access to the card's cryptographic functions and private information. Typically, smart cards have only been deployed as vehicles to provide secure storage for private keys and certificates in PKI and VPN environments. Cryptographic smart cards have been the perfect complement to VPN solutions for enterprises that needed secure remote access to enterprise networks. However, multi-function smart cards, such as those provided by Datakey, have many additional capabilities that enable stronger, yet simpler, security solutions while providing organizations with increased value-add and benefits. Some of these benefits include: Security: Independently certified protection (FIPS Level 2) for your private information. Portability: Your digital credentials and private information go wherever you go. Flexibility: A smart card can be used to store a variety of information and be used for a variety of security functions such as cryptographic functions, credential storage, physical access control and logical access control. Simplicity: Your many passwords can be stored securely on a single smart card. In addition, you are less likely to lose a smart card than forget a password. Ease of use: Simple insertion of a smart card into a reader and the entry of a passphrase unlocks a variety of automated security functions when used in conjunction with Datakey Axis. Upgradeability: Smart cards are easily upgraded to support biometrics, PKI and other security functions without needing to replace existing user cards. Datakey s Rapid Deploy Technology Datakey's Rapid Deploy Technology features an intuitive drag and drop "training" mechanism (patent pending) for collecting the intelligence needed for recognizing the application login or change password dialogs. It forwards that intelligence into an "information store" for use by the user client software. This "training" process incorporates technology and processes that are unique in the industry and that has the ability to address the various types of GUI technologies employed by applications without being dependent upon costly and time-consuming scripting. This provides the administrator with the ability to rapidly set-up single sign-on coverage for all applications. Datakey Axis Single Sign-On White Paper 3

6 Datakey's Rapid Deploy Technology also integrates additional technologies to address IT s need for simplicity, cost reduction, and user transparency. These additional technologies include: A client-based architecture that does not require any applications or hosts to be "touched" by agents or plug-ins, or for new server components to be installed and maintained. The leveraging of the Microsoft Installer (MSI) installation standard for easy and automated deployment and automated updates of policy client software. The centralized management of application access privileges and of credential and software update maintenance. Datakey Axis is the first product to tap into the full potential of smart card technology and redefine the way smart cards are used, enhancing the strength of security solutions and bringing simplicity to all involved (administrators and end users). The Datakey Axis Solution General capabilities Datakey Axis is a smart card-based solution that simplifies access control. Organizations that are not in a position to displace their current password-based security infrastructure, but who need relief from the cost of managing these passwords, can get that relief while at the same time enhancing security with automatic enforcement of stronger password policies. Additionally, with Datakey Axis, you can take advantage of a variety of additional uses for smart cards within your organization, both in PKI and non-pki environments. An organization may wish to enhance their password-based access control within their current non-pki environment, but leave open the possibility for migrating to a PKI-based access control solution or a biometrics solution in the future. Datakey Axis allows this migration to occur with ease. It also enables an organization to use the same smart card for employee badging and/or facility access control purposes. Single Sign-On capabilities Datakey Axis provides one of the simplest, and broadest application coverage, single sign-on solutions available on the market. It allows a user to log on to their smart card and then never have to worry about entering another user name and password. The user names and passwords are all stored securely on the user's smart card and automatically retrieved as needed when the user requires access to a service or application. The Datakey Axis client software has the intelligence to recognize the login dialog box for each application. It automatically retrieves the necessary login information from the smart card, enters the information into the proper fields, and then submits the login response on behalf of the user. If a change password dialog appears, this too is automatically recognized by Datakey Axis. A random, strong password is generated and stored as the new password on the user's smart card. The user no longer needs to remember (or even know) their passwords, since they are managed automatically without user involvement. With Datakey Axis, users are given an access control solution that enables them to be a security advocate. The user no longer needs to write down passwords, put sticky notes on the PC monitor, or pack their wallets with critical organization security codes. The only item in their wallets or on their desks is a secure, tamper proof smart card. How Datakey Axis Works Datakey Axis is a client-based product that an administrator can configure and install from his/her workstation. A powerful Datakey Axis Management Center allows the administrator to easily integrate with Microsoft Active Directory for user/group definitions and to bind them to the applications they are allowed to access. The Microsoft Certificate Authority is also automatically engaged if digital certificates are needed. Support for additional Directories and Certificate Authorities is planned in the near future. The Datakey Axis Policy Client software that is installed on the user's workstation is pre-configured by the administrator with the permitted functionality plus application access privileges. The Datakey Axis Management Center includes patent-pending "training" technology that enables the administrator to use a simple drag-and-drop process to interrogate the login and change password screens for each application and insert the captured intelligence into the user's Policy Client software. This enables the client software to automatically recognize the login and change password screens for each application, retrieve the appropriate user credentials from the smart card, insert them into the appropriate fields and submit the response back to the application. Once the user's Policy Client software is pre-configured it is then automatically distributed for installation on the user's workstation via Microsoft GPO, SMS, or some other 3rd party MSI-compliant dis- 4 DatakeyAxisSingleSign-OnWhitePaper

7 tribution tool. The end-user is left with a simple initial enrollment process that captures their existing application login information. All subsequent access control needs are automatically provided for via the smart card and Datakey Axis. is able to remove the objections encountered with other SSO products. Table 2 summarizes the many features and benefits of Datakey Axis. Because the Datakey Axis architecture and design is built upon proven smart card technology, Datakey Axis Table 2: Datakey Axis Features and Benefits Datakey Axis Features Comprehensive single sign-on coverage. Virtually all Windows, Java, custom, mid-size/mainframe applications as well as internet and intranet sites. Win32, Java and HTML GUIs Citrix/Terminal Server Terminal emulators Rapid Deploy Technology that provides: Patent pending drag & drop administrator control (and optional user control) of client software training for automated applications login. Client based architecture that works out of the box. Windows installation standards (MSI) compliant automated deployment. Centralized management with administrator control over application access. Integrated smart card technology that provides: Certified (FIPS Level 2) secure containers for user credentials and data. Multi-function flexibility Non-PKI and PKI environments Easy integration with physical access security systems Datakey Axis Benefits Reduced administration costs - a single product supports SSO to all applications. Increased security with the ability to enforce a consistent and strong password policy across all applications. Increased user productivity by reducing the number of passwords a user needs to remember to one (no longer a need to write them down). Drastic reduction to the Help Desk resource burden for resetting passwords. Simplified deployment (does not require an "IT Project"). Also, provides an ROI in 6-12 months. Reduced cost of deployment and maintenance - no additional servers or agents/plug-ins to install and is non-intrusive to existing infrastructure. Centralized management control of password policy enforcement and application access Increased user productivity with transparent automated updates of client software and user credentials. Reduced deployment costs with highly automated set-up and installation Security solution flexibility and portability. Easy migration paths from passwords to stronger access control solutions such as PKI and biometrics. Enables use of a single ID badge for building and computer access. (Cont d) Datakey Axis Single Sign-On White Paper 5

8 Table 2: Datakey Axis Features and Benefits Conclusion Datakey Axis Features Automated credential management that provides: Automated password changes Automated updates of user credentials and client software. Automated and transparent PKI certificate issuance SSO support for multiple authentication mechanisms: User name and Password PKI Digital Certificates One-time passwords Biometrics Standards-based implementation: ISO 7816 GSC-IS V2.1 PKCS #11 V2.0 Microsoft CAPI V2.0 Microsoft MSI PC/SC Previous access control products have not adequately addressed the needs of IT organizations for a single sign-on solution that is simple and fast to deploy, enhances security, removes user resistance and is able to integrate with existing access control infrastructures. Passwords will continue to be the primary means of access control, despite all their deficiencies, because they are so deeply entrenched into the infrastructure and culture. Therefore, rather than attempt to replace them, access control products must embrace them and remove the deficiencies surrounding them. Datakey Axis Benefits Drastically reduced administrative costs to manage and enforce password changes. Reduced security vulnerabilities with automated strong password changes. No impact on your users resulting in increased user productivity Preserves investment in tokens and software as organizations add new applications and authentication mechanisms No user impact to migrate to PKI enable applications Ease of integration and interoperability with other infrastructure components Datakey Axis has been designed just for this purpose. Its client-based approach leverages the strengths of smart card technology to enhance security while removing the user burden of having to remember numerous and complex passwords. Datakey Axis is easy and fast to deploy, doesn't impact server software management, and provides the administrator with centralized control of access to applications and the enforcement of strong password policies. The mixture of technologies integrated by Datakey Axis makes it the ideal single sign-on solution for most organizations. Datakey Corporate Headquarters 407 West Travelers Trail Minneapolis, MN Phone: (952) Toll-free: Fax: (952) Web: info@datakey.com 6 DatakeyAxisSingleSign-OnWhitePaper