Successful Enterprise Single Sign-on Addressing Deployment Challenges
|
|
- Bruno Day
- 8 years ago
- Views:
Transcription
1 Successful Enterprise Single Sign-on Addressing Deployment Challenges 2015 Hitachi ID Systems, Inc. All rights reserved.
2 Contents 1 Introduction 1 2 Background: User Problems with Passwords 2 3 Approaches to Simplifying Password Management Replacing silo authentication with a directory Passing assertions about user identity from one system to another Replacing web application signons with shared infrastructure Synchronizing passwords between systems and across domains Automatically populating login prompts Other Authentication Factors and the Persistence of Passwords 6 5 Traditional Approaches to Enterprise Single Sign-on 7 6 Deployment Blockers: Encryption and Boundary Conditions Encryption, Primary Passwords and Key Recovery Devices Without E-SSO Clients Combining Approaches To Single Sign-on 11 8 Extra Security: Boundary Conditions Revisited 14 9 Summary 15 i
3 1 Introduction This document summarizes the problems users experience when managing too many passwords. It describes the various approaches available to organizations to reduce the password burden on users and to improve the security of their authentication systems. Given this background information, this document goes on to describe the basic architecture of traditional enterprise single sign-on (E-SSO) systems. It describes their strengths, along with their security, usability and cost issues. Finally, a new approach is presented, to deliver most of the same advantages of a traditional E-SSO system but without any of the traditional issues. The new approach replaces a database of stored passwords with a password synchronization process. This is the approach embedded in Hitachi ID Login Manager Hitachi ID Systems, Inc. All rights reserved. 1
4 2 Background: User Problems with Passwords Users who must manage multiple passwords to corporate systems and applications have usability, security and cost problems. Users have too many passwords. Each password may expire on a different schedule, be changed with a different user interface and be subject to different rules about password composition and reuse. Some systems are able to force users to select hard-to-guess passwords, while others are not. Some systems require that users change their passwords periodically, while others cannot enforce expiration. Users have trouble choosing hard-to-guess passwords. Users have trouble remembering passwords, because they have too many of them or because they chose a new password at the end of the day or week, and didn t have an opportunity to use it a few times before going home. These problems drive users to choose trivial passwords, to avoid changing their passwords and to write down their passwords. All of these behaviors can compromise network security. When users do comply with policy and regularly change their passwords to new, hard-to-guess values, they tend to forget their passwords and must call the help desk. Password and login problems are the top incident type at most IT help desks, frequently accounting for 25% or more of total call volume. In addition to the above security and support cost problems, users simply don t like memorizing and typing passwords. Password management is a nuisance that contributes to a negative perception of IT service. Despite all these problems, passwords will continue to be needed for years to come: 1. Passwords are significantly less expensive to deploy and support than other technologies. 2. Other authentication technologies, such as biometrics, smart cards and hardware tokens, are typically used along with a password or PIN. i.e., something you have (smart card, token) or something you are (biometric) plus something you know (password, PIN). 3. Passwords are an important backup to other authentication technologies: (a) Hardware devices can be lost or stolen or simply left at home. (b) Some devices from which users need to access corporate systems, such as smart phones and home PCs, may not support more advanced authentication methods. Since passwords are not going away and remain difficult for users to manage, solutions are needed to help users more effectively manage their passwords Hitachi ID Systems, Inc. All rights reserved. 2
5 3 Approaches to Simplifying Password Management There are multiple approaches to reducing password problems for both end users and IT organizations. These approaches are complementary organizations can and most do deploy more than one: 3.1 Replacing silo authentication with a directory Most organizations have deployed at least one enterprise-wide directory. This may be Active Directory (Microsoft), edirectory (Novell) or another LDAP-based system (typically Sun or IBM). Many applications can be configured to validate login IDs and passwords on the directory rather than locally in application-specific security databases. Doing this reduces administration burden on IT (fewer login accounts to provision and support) and on users (fewer login IDs and passwords to remember). This strategy is attractive and should be pursued wherever possible. Its limits are primarily (a) applications that do not support authenticating users against an external directory and (b) organizational boundaries that do not permit an application in one domain to authenticate users using a directory in another domain. 3.2 Passing assertions about user identity from one system to another In Windows/Active Directory networks, user workstations are assigned a Kerberos ticket when users sign in. The ticket is an encrypted file with assertions about the user s identity and security group memberships. The workstation can pass this ticket, avoiding the need for further authentication, to applications that have been configured with Windows integrated authentication. Similarly, one web site can be configured to trust another site, which has already authenticated a visiting user. The identity of the user, as claimed by one site, is passed to another site using federation protocols such as SAML, WS-Federation, Liberty Alliance and Shibboleth. The approach of having one system authenticate a user and pass assertions about the user s identity is an attractive solution where it is technically feasible to implement the trust mechanism between applications and where the trust relationship is based on real trust between the organization that operates one system and the organization that operates another. 3.3 Replacing web application signons with shared infrastructure Applications which are accessed using a web browser are especially amenable to a strategy of replacing internal authentication with a shared directory infrastructure. A whole class of web single sign-on products (WebSSO) allows organizations to replace application-specific credentials with a shared directory. WebSSO systems work by intercepting user attempts to access an application, checking whether the user has already been authenticated, possibly diverting the user to a shared login system and ultimately injecting user identity information into the web session. This may be done by adding agents on each web server or by placing a reverse web proxy server between users and web applications, which modifies the HTTP(S) data stream Hitachi ID Systems, Inc. All rights reserved. 3
6 WebSSO systems are also attractive, and should be used where possible. Their limitation is their platform they do not work for terminal sessions, client/server applications and any other system whose communication protocol is other than HTTP(S). 3.4 Synchronizing passwords between systems and across domains Even after directory consolidation and web single sign-on have been deployed, there often remain multiple passwords per user. Users typically continue to have a login ID and password on the network (often Active Directory), system (often Exchange or Lotus Notes), ERP system (typically SAP R/3, PeopleSoft or Oracle ebusiness Suite), a mainframe system (RACF, ACF2 or TopSecret) and possibly a variety of custom or vertical applications, which may have a Unix or database back end. Increasingly, users also have logins on externally hosted applications Salesforce.com, Google Applications, etc. An effective strategy to approaching the remaining complexity is to install a system that captures password changes on one system and forwards new passwords to other systems. This way, users still technically have multiple passwords, but they happen to be set to the same value at all times, eliminating the need to remember multiple passwords, change them in multiple places, etc. This approach is password synchronization. Password synchronization is attractive because it is relatively inexpensive to acquire and deploy. There is no need for client software, user training, etc. The limitations of password synchronization are (a) that it requires explicit integrations with each password database and (b) that users still have to type their passwords. 3.5 Automatically populating login prompts Another approach to reducing password complexity for users is to leave password systems in place but to automatically populate them when required. This moves the responsibility of remembering and typing multiple login IDs and passwords from users to an automated process. This approach is the enterprise single sign-on (E-SSO) method. Typically, a set of application login ID / password pairs is stored for every user. Storage may be in an encrypted file, in a central database or in an extension to a network operating system s security directory typically Microsoft Active Directory or Novell edirectory. E-SSO is attractive because it addresses not only the user burden of remembering multiple passwords, but also the user nuisance of having to type them repeatedly. It also allows organizations to deploy a primary authentication system such as smart cards or one-time-password tokens instead of passwords, without having to rearchitect every password-secured application. The limitations of E-SSO include: 1. Incompatibility with a variety of applications, including many Java applets and other kinds of applications that draw their user interface as a bitmap, rather than using UI elements of the operating system input fields, buttons, etc. 2. The need to store application passwords somewhere this raises security concerns and creates a 2015 Hitachi ID Systems, Inc. All rights reserved. 4
7 single point of failure. 3. The likelihood that users may not know their own application passwords, which makes users dependent on the E-SSO system. They may not be able to access applications using a smart phone, voice phone or Internet kiosk, for example Hitachi ID Systems, Inc. All rights reserved. 5
8 4 Other Authentication Factors and the Persistence of Passwords Many argue that passwords have intrinsic limitations: 1. They are awkward to use. 2. They are insecure. Both of these points are debatable for example, passwords have the distinct advantage of requiring no special hardware and being absolutely portable, and passwords that are sufficiently complex and changed often enough can be quite secure. Nonetheless, many organizations address these (perceived or real) limitations of passwords by deploying other authentication technologies. Authentication is fundamentally based on one or more of three approaches or three types of authentication factors: 1. Something the user knows but others do not often a secret PIN, password or phrase. 2. Something the user has but others do not often a smart card, one time password calculator (token) or proximity badge. 3. Something the user is but others are not this is a biometric measurement of some aspect of the user, such as a finger print, finger vein pattern, retina or iris scan, palm print, voice print or even the personal cadence with which a user presses keys on the keyboard. Authentication factors other than passwords are rarely used alone. They are usually accompanied into a multi-factor authentication system, which is considered more secure than single factor authentication. Following are the most common systems: 1. One time password (OTP) token, plus password or PIN. 2. Smart card, plus password or PIN. 3. Biometric, plus password or PIN. The presence of a password or PIN in each of the above combinations indicates that passwords (and PINs are just short, numeric passwords) normally remain in widespread use even in those organizations that replace passwords with other technologies. Most of the above systems also requires a backup authentication method. For example, a smart card user may forget their smart card at home or wish to access web-mail or another application from a device not equipped with a smart card reader. These users often have a backup, very complex passwords. Similarly, users who have trouble with their OTP token may request an emergency access code and users who wish to access an application from a device without a finger print or finger vein reader will need a backup password. These boundary condition scenarios highlight the need to continue to support passwords alone as a backup authentication method, or risk losing access to systems and applications in some situations Hitachi ID Systems, Inc. All rights reserved. 6
9 5 Traditional Approaches to Enterprise Single Sign-on A traditional E-SSO system incorporates several components: A credential database Stores encrypted application login IDs and passwords for every user. This may be in a file, the user s directory object or a database. Client software Detects when applications are launched and inserts credentials from the database into login prompts. Scripts Tell the client software what credentials to populate into which fields on the screen. These components interact in a variety of ways: Deployment The E-SSO client software is installed on user workstations. Scripts are also initially deployed and may be periodically updated. Script Development A developer, system administrator or even end users writes scripts for every application that will be integrated. A graphical framework may be provided to assist. Enrollment A script may detect a user s first use of an application and capture the user s login ID and password. Password change A script may detect when a user s password in an application has expired (i.e., the application asks the user to choose a new password). In this case, the script may either ask the user to choose a new password or may generate a random password. Regardless, the new password will be inserted back into the credential database Hitachi ID Systems, Inc. All rights reserved. 7
10 6 Deployment Blockers: Encryption and Boundary Conditions 6.1 Encryption, Primary Passwords and Key Recovery As described earlier, a key component of a traditional E-SSO system is the credential database. Since it contains sensitive data specific to a given user, it must be encrypted, and each user should have a different encryption key. To prevent unauthorized access to application passwords by anyone other than the intended user, the key is based on the user s primary authentication. This is a very important point and bears repeating: application passwords are encrypted using an encryption key derived from the user s primary authentication. This fact leads to some important problems. Different problems arise depending on how users are authenticated in the first place: Primary authentication Password Smart card One time password Biometric sample Operational and security problems that result If a user forgets his primary password, he effectively loses access to all of his other passwords. To address this, the E-SSO system must provide a second credential database, normally on a central server infrastructure, which uses a shared (not user specific) encryption key. This second credential database is used to reset forgotten primary passwords without having to recover or replace each and every application password as well. Deploying a secondary credential database adds cost to the system and raises a security risk the secondary system is an attractive target for intruders. If a user loses his smart card, he is locked out of every application, not just the primary PC login. A backup credential database is needed in this case as well, for the same reasons and with the same problems as above. There is no way to generate a static, secret encryption key from an OTP pass-code. It follows that the credential database must be encrypted using a shared or hidden key, rather than using a key calculated from something the user typed or plugged in. An intruder may be able to find the encryption key in this scenario and use it to unlock at a minimum every application password for a single user and at worst every application password for every user. There is no way to compute a consistent, static, secret encryption key from a biometric measurement of a user. This means that, as with one time passwords, the credential database is encrypted using a key that is available in the user s absence. An intruder may be able to find the key and unlock either all of the user s passwords or possibly every password belonging to every user Hitachi ID Systems, Inc. All rights reserved. 8
11 Primary authentication Proximity card Operational and security problems that result It is possible to store an encryption key on a proximity card, but the key may be vulnerable to disclosure using an unauthorized RFID reader. Some implementations may also use a hidden key that as with biometrics and OTP tokens. In any case, at least the user s passwords, and possibly all passwords, may be vulnerable. To summarize the foregoing, storing user passwords in a credential database may lead to some combination of the following problems: Application passwords are lost if the user forgets his primary password; or A second credential database is required, adding to system cost and creating a security exposure; or The credential database is vulnerable in whole or in part to an intruder who figures out where the encryption key, which is not calculated based on user interaction, is stored. These are all serious problems! 6.2 Devices Without E-SSO Clients Another issue that arises when application passwords are stored in a credential database is that, over time, users come to depend on this database and may no longer know their own password. This is not a problem when users sign into applications from a computer equipped with the E-SSO software, but creates issues when a user attempts to sign into the same application from another device. Users increasingly access applications using smart phones, using their home PCs, using Internet kiosks and even using a telephony / voice user interface. In a typical E-SSO software deployment, none of these devices is equipped with the E-SSO client software, so none of these devices is able to access the credential database and use it to sign the user into applications. This creates a serious usability problem: while the E-SSO software may work well from the user s work computer, it also makes applications inaccessible on other devices. This is contrary to the trend of an increasingly mobile workforce using an increasingly wide array of devices to access the network. There are various approaches to overcoming this problem, but none of them is satisfactory: 1. Do not allow the E-SSO software to choose new application passwords when old ones expire. (a) Pro: the user chooses new passwords so hopefully remembers them. (b) Con: runs contrary to the main business driver of E-SSO reducing the number of passwords users must remember. (c) Con: relies on user behaviour to work. Users may quickly forget passwords they chose if they do not have to use them on a daily basis Hitachi ID Systems, Inc. All rights reserved. 9
12 2. Expose a user interface, such as an authenticated web page, that allows users to read their own application passwords. (a) Pro: simple infrastructure that enables users to sign into applications from their smart phones, home PCs, etc. (b) Con: frustrating human interface users must first sign into the device (which has no E-SSO client), then sign into the application password recovery application, then get the password they need, then sign into the application they actually want to access and manually type it in. E-SSO reducing the number of passwords users must remember. (c) Con: the password disclosure application becomes an attractive target for intruders. 3. Use Windows Terminal Services or Citrix Presentation Manager as a front end to all remote access to applications. Require users with non-traditional devices to first sign into a remote-control server farm and from there, with benefit of the E-SSO infrastructure, sign into applications. (a) Pro: enables users to sign into applications from their smart phones, home PCs, etc. (b) Con: very expensive server infrastructure. (c) Con: requires new client software (terminal services / ICA) on a wide range of user devices. (d) Con: does not support offline operation users can only access applications deployed this way while they are connected to the Internet or corporate network Hitachi ID Systems, Inc. All rights reserved. 10
13 7 Combining Approaches To Single Sign-on The previous sections outline some of the approaches to reducing password complexity and some of the challenges that arise with enterprise single sign-on (E-SSO) in particular. In practice, there is no reason to use just one approach. Best practice is most likely to combine: 1. Directory consolidation, typically leveraging Active Directory as the security database used by both client/server and web applications. 2. Kerberos authentication, where technically possible. 3. Web single sign-on, to consolidate authentication into farms of web applications. 4. Password synchronization, to reduce the number of remaining passwords that users must manage. 5. E-SSO to auto-populate remaining application passwords for users. A review of the deployment challenges specific to E-SSO, as described in the previous section, highlights the fact that a key challenge is building, populating, supporting and securing the credential database. With this in mind, a new approach can be considered: eliminating the credential database entirely and replacing it with a password synchronization process. This is precisely the approach taken by Hitachi ID Login Manager. Login Manager automatically fills in application login IDs and passwords on behalf of users, streamlining the application sign-on process for users. Login Manager works as follows: When users sign into their workstations, Login Manager acquires their network login ID and password from the Windows login process. Login Manager may (optionally) acquire additional login IDs (but not passwords) from the user s Active Directory profile. Login Manager monitors the Windows desktop for newly launched applications: It detects when the user types one of his known login IDs or his Windows password into an application dialog box, HTML form or mainframe terminal session. When this happens, the location of the matching input fields is stored on a local configuration file. Whenever Login Manager detects an application displaying a previously configured login screen, it automatically fills in the appropriate login ID and/or the current Windows password. The net impact of Login Manager is that login prompts for applications with well-known IDs and passwords that authenticate to AD or are synchronized with AD are automatically filled in. This is done without: Interfering with user access to applications from devices not equipped with the SSO software, such as their smart phones Hitachi ID Systems, Inc. All rights reserved. 11
14 Having to deploy a secure location in which to store application credentials. Writing scripts. Login Manager is installed as a simple, self-contained MSI package. It does not require a schema extension to Active Directory. The Login Manager architecture is illustrated in Figure 1. Windows PC What did the user type? 5 Hook Input event queues 6 Auto-fill the user s login ID & password Which apps use Windows credentials? 3 Local configuration file Hitachi ID Login Manager Acquire other login IDs 2 Corporate Directory Hook 1 Who logged in? Which window is active? 4 Hook Login: GINA subsystem Application Windows Display subsystem: windows/dialog boxes In the diagram: Figure 1: Login Manager: Internal Components / Architecture 1. All Login Manager software is local to a user s Windows workstation, and is (silently) installed using an MSI package. 2. Other than at installation time, the Login Manager client software does not interact with any server components. At most, it loads a set of alternate login IDs, associated with the same user, from the user s Active Directory object at login time. 3. The core Login Manager software runs as a privileged service, with hooks into the login system (GINA), the display system and various event queues. 4. When a user logs in, Login Manager acquires that user s Windows login ID and password. It then: 2015 Hitachi ID Systems, Inc. All rights reserved. 12
15 (a) Optionally, looks up the user s profile in the corporate directory, assuming the workstation is connected to the network at the time, to find alternate login IDs that belong to the same user. (b) Looks for and, if it finds it, reads a configuration file, that identifies which applications are already known to have login IDs and passwords that are the same as Windows. 5. Whenever a user launches a new application, Login Manager: (a) Checks to see if it is already a known application, and if so auto-populates credentials into the appropriate dialog. (b) If the application is not recognized, Login Manager watches to see what the user types to log in and if it detects login IDs and passwords that are identical to those from step 4, it records the application s identifying characteristics (e.g., process ID, Window title, etc.) in the configuration file mentioned in step 4b Hitachi ID Systems, Inc. All rights reserved. 13
16 8 Extra Security: Boundary Conditions Revisited In some cases, organizations have a legitimate reason to prevent users from knowing their own application passwords. For example, consider a legacy client/server application, where: 1. Users sign into the client GUI application with a login ID and password. 2. The GUI application uses the user-supplied credentials to connect to the application s back-end database. 3. The client GUI is responsible for all access control enforcement. 4. The user s password actually has unlimited privileges on the back-end database. The security flaw in this architecture is that the user could connect directly to the back end database with its native SQL client for example, sqlplus for Oracle databases, isql for Microsoft SQL Server, etc. Using this connection, the user could bypass all of the application s access control rules. While this is clearly a broken security model, applications built this way remain widely deployed. The security compromise described here can be avoided by regularly changing the user s application password and not allowing the user to know what that password is. Instead, the user is locked into the E-SSO client, which is the only entity that can retrieve the user s password and sign the user into the application. This scenario can be implemented by combining three Hitachi ID Systems products: 1. Hitachi ID Password Manager captures each user s primary (typically Active Directory) password and stores it, for future use as an encryption key. 2. Hitachi ID Privileged Access Manager randomizes every user s password on the insecure application, daily. It uses the user s primary password (captured by Password Manager) as the encryption key, to encrypt the application password and store it in the user s directory object. 3. Hitachi ID Login Manager uses the user s primary password (acquired at workstation login time) to decrypt the application password in the user s directory object. It feeds this password into the insecure application when required. The obvious downside of this scenario is that users can only sign into insecure applications from computers equipped with Login Manager they cannot sign in from a smart phone, home PC, etc. That is the price for locking down insecure applications Hitachi ID Systems, Inc. All rights reserved. 14
17 9 Summary Hitachi ID Login Manager, a module included with Hitachi ID Password Manager, is an enterprise single sign-on solution. It automatically signs users into applications where the ID and/or password is the same as what the user typed to sign into Windows. Login Manager leverages password synchronization instead of stored passwords. This means that it does not require a wallet and that users can continue to sign into their applications from devices other than their corporate PC such as a smart phone or tablet for which a single sign-on client may not be available. Login Manager does not require scripting or a credential vault, so has a much lower total cost of ownership (TCO) than alternative single sign-on (E-SSO) products. The reduced sign-on process used by Login Manager has several advantages over traditional E-SSO techniques: There is no global directory or database with user credentials: There is no target for a would-be attacker. There is no single point of failure which could cause a widespread disruption to users who wish to sign into applications. There is no need to enroll users by having them provide their passwords. There are no manually written scripts: No manual configuration is required. No infrastructure is required to distribute script files to PCs. Continued access to applications: Users sometimes need to sign into application from devices other than their work PC. Since passwords are synchronized and users know their own password, they can still sign in, even without the SSO software. In contrast, with other E-SSO products, users may not know their own application passwords. This disrupts application access using a smart phone, home PC, Internet kiosk, etc. These advantages significantly reduce the cost and risk associated with deploying and managing Login Manager. 500, Street SE, Calgary AB Canada T2G 2J3 Tel: Fax: sales@hitachi-id.com Date: File: /home/idan/work/documents/ps-sso/hid-login-manager-2.tex
Integrating Hitachi ID Suite with WebSSO Systems
Integrating Hitachi ID Suite with WebSSO Systems 2015 Hitachi ID Systems, Inc. All rights reserved. Web single sign-on (WebSSO) systems are a widely deployed technology for managing user authentication
More informationSelf-Service, Anywhere
2015 Hitachi ID Systems, Inc. All rights reserved. Contents 1 Introduction 1 2 Mobile users warned of password expiry 2 3 Reset forgotten, cached password while away from the office 2 4 Unlock encrypted
More informationOracle Enterprise Single Sign-on Technical Guide An Oracle White Paper June 2009
Oracle Enterprise Single Sign-on Technical Guide An Oracle White Paper June 2009 EXECUTIVE OVERVIEW Enterprises these days generally have Microsoft Windows desktop users accessing diverse enterprise applications
More informationCritical Issues with Lotus Notes and Domino 8.5 Password Authentication, Security and Management
Security Comparison Critical Issues with Lotus Notes and Domino 8.5 Password Authentication, Security and Management PistolStar, Inc. PO Box 1226 Amherst, NH 03031 USA Phone: 603.547.1200 Fax: 603.546.2309
More informationAuthentication: Password Madness
Authentication: Password Madness MSIT 458: Information Security Group Presentation The Locals Password Resets United Airlines = 83,000 employees Over 13,000 password reset requests each month through the
More informationCybersecurity and Secure Authentication with SAP Single Sign-On
Solution in Detail SAP NetWeaver SAP Single Sign-On Cybersecurity and Secure Authentication with SAP Single Sign-On Table of Contents 3 Quick Facts 4 Remember One Password Only 6 Log In Once to Handle
More informationIdentity Management Terminology
2015 Hitachi ID Systems, Inc. All rights reserved. Identity management is an important technology for managing user objects, identity attributes, authentication factors and security entitlements. This
More informationIBM Security Access Manager for Enterprise Single Sign-On Version 8.2.1. User Guide IBM SC23-9950-05
IBM Security Access Manager for Enterprise Single Sign-On Version 8.2.1 User Guide IBM SC23-9950-05 IBM Security Access Manager for Enterprise Single Sign-On Version 8.2.1 User Guide IBM SC23-9950-05
More information1 Hitachi ID Password Manager
1 Hitachi ID Password Manager Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications Integrated Credential Management for Users: Passwords, encryption keys, tokens, smart cards and
More informationApproaches to Enterprise Identity Management: Best of Breed vs. Suites
Approaches to Enterprise Identity Management: Best of Breed vs. Suites 2015 Hitachi ID Systems, Inc. All rights reserved. Contents 1 Introduction 1 2 Executive Summary 1 3 Background 2 3.1 Enterprise Identity
More informationRegulatory Compliance Using Identity Management
Regulatory Compliance Using Identity Management 2015 Hitachi ID Systems, Inc. All rights reserved. Regulations such as Sarbanes-Oxley, FDA 21-CFR-11 and HSPD-12 require stronger security, to protect sensitive
More informationEnterprise Single Sign-On City Hospital Cures Password Pain. Stephen Furstenau Operations and Support Director Imprivata, Inc. www.imprivata.
Enterprise Single Sign-On City Hospital Cures Password Pain Stephen Furstenau Operations and Support Director Imprivata, Inc. www.imprivata.com Application Security Most organizations could completely
More informationand the software then detects and automates all password-related events for the employee, including:
Reduce costs, simplify access and audit access to applications with single sign-on IBM Single Sign-On Highlights Reduce password-related helpdesk Facilitate compliance with pri- costs by lowering the vacy
More informationLeveraging SAML for Federated Single Sign-on:
Leveraging SAML for Federated Single Sign-on: Seamless Integration with Web-based Applications whether cloudbased, private, on-premise, or behind a firewall Single Sign-on Layer v.3.2-006 PistolStar, Inc.
More informationAn Oracle White Paper December 2010. Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance
An Oracle White Paper December 2010 Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance Executive Overview... 1 Health Information Portability and Accountability Act Security
More informationLocking down a Hitachi ID Suite server
Locking down a Hitachi ID Suite server 2016 Hitachi ID Systems, Inc. All rights reserved. Organizations deploying Hitachi ID Identity and Access Management Suite need to understand how to secure its runtime
More informationPasslogix Sign-On Platform
Passlogix Sign-On Platform The emerging ESSO standard deployed by leading enterprises Extends identity management to the application and authentication device level No modifications to existing infrastructure
More informationFrom Password Reset to Authentication Management: the Evolution of Password Management Technology
From Password Reset to Authentication Management: the Evolution of Password Management Technology 2010 Hitachi ID Systems, Inc. All rights reserved. Contents 1 Introduction 1 2 In the Beginning: A Simple
More informationData Replication in Privileged Credential Vaults
Data Replication in Privileged Credential Vaults 2015 Hitachi ID Systems, Inc. All rights reserved. Contents 1 Background: Securing Privileged Accounts 2 2 The Business Challenge 3 3 Solution Approaches
More informationVPN Solutions FAQ www.aladdin.com/contact North America International Germany Benelux France Spain Israel Asia Pacific Japan
A l a d d i n. c o m / e T o k e n VPN Solutions FAQ VPN authentication is a critical link in the chain of trust for remote access to your organization. Compromising that trust can expose your private
More informationLarge Scale Password Management With Hitachi ID Password Manager
Large Scale Password Management With Hitachi ID Password Manager 2015 Hitachi ID Systems, Inc. All rights reserved. As users access ever more systems and applications, they accumulate passwords and other
More informationetoken Single Sign-On 3.0
etoken Single Sign-On 3.0 Frequently Asked Questions Table of Contents 1. Why aren t passwords good enough?...2 2. What are the benefits of single sign-on (SSO) solutions?...2 3. Why is it important to
More informationHitachi ID Password Manager Frequently Asked Questions for Help Desk Managers
Hitachi ID Password Manager Frequently Asked Questions for Help Desk Managers 2015 Hitachi ID Systems, Inc. All rights reserved. Contents 1 What kind of call volume reduction can I expect? 1 2 Can I integrate
More informationManagement of Hardware Passwords in Think PCs.
Lenovo Corporation March 2009 security white paper Management of Hardware Passwords in Think PCs. Ideas from Lenovo Notebooks and Desktops Workstations and Servers Service and Support Accessories Introduction
More informationIBM Tivoli Access Manager for Enterprise Single Sign-On
Deliver seamless access to applications with an easy-to-deploy solution IBM Single Sign-On Highlights Help simplify the employee experience by eliminating the need to remember and manage user names and
More informationHitachi ID Password Manager Telephony Integration
Hitachi ID Password Manager Telephony Integration 2015 Hitachi ID Systems, Inc. All rights reserved. Contents 1 Introduction 1 2 Functional integration 2 2.1 Self-service password reset....................................
More informationDIGIPASS Authentication for GajShield GS Series
DIGIPASS Authentication for GajShield GS Series With Vasco VACMAN Middleware 3.0 2008 VASCO Data Security. All rights reserved. Page 1 of 1 Integration Guideline Disclaimer Disclaimer of Warranties and
More informationSTRONGER AUTHENTICATION for CA SiteMinder
STRONGER AUTHENTICATION for CA SiteMinder Adding Stronger Authentication for CA SiteMinder Access Control 1 STRONGER AUTHENTICATION for CA SiteMinder Access Control CA SITEMINDER provides a comprehensive
More informationServer-based Password Synchronization: Managing Multiple Passwords
Server-based Password Synchronization: Managing Multiple Passwords Self-service Password Reset Layer v.3.2-004 PistolStar, Inc. dba PortalGuard PO Box 1226 Amherst, NH 03031 USA Phone: 603.547.1200 Fax:
More informationSimplifying Security with Datakey Axis Single Sign-On. White Paper
Simplifying Security with Datakey Axis Single Sign-On White Paper Copyright and trademark notice 2003 Datakey Inc. All rights reserved. Version 1.0 No part of this document may be reproduced or retransmitted
More informationCopyright Giritech A/S. Secure Mobile Access
Secure Mobile Access From everywhere... From any device... From user......to applications Page 3...without compromising on security and usability... and to my PC in the office: Secure Virtual Access Contrary
More informationIs your mainframe less secure than your file server? Malcolm Trigg Solutions Consultant 24 th February 2016
Is your mainframe less secure than your file server? Malcolm Trigg Solutions Consultant 24 th February 2016 The World s Changed What is my account balance? The World s Changed Internal Security Standards
More informationSECUREAUTH IDP AND OFFICE 365
WHITEPAPER SECUREAUTH IDP AND OFFICE 365 STRONG AUTHENTICATION AND SINGLE SIGN-ON FOR THE CLOUD-BASED OFFICE SUITE EXECUTIVE OVERVIEW As more and more enterprises move to the cloud, it makes sense that
More informationImprove Security, Lower Risk, and Increase Compliance Using Single Sign-On
SAP Brief SAP NetWeaver SAP NetWeaver Single Sign-On Objectives Improve Security, Lower Risk, and Increase Compliance Using Single Sign-On Single sign-on in the SAP software architecture Single sign-on
More informationThe Benefits of an Industry Standard Platform for Enterprise Sign-On
white paper The Benefits of an Industry Standard Platform for Enterprise Sign-On The need for scalable solutions to the growing concerns about enterprise security and regulatory compliance can be addressed
More informationWHITE PAPER. Smart Card Authentication for J2EE Applications Using Vintela SSO for Java (VSJ)
WHITE PAPER Smart Card Authentication for J2EE Applications Using Vintela SSO for Java (VSJ) SEPTEMBER 2004 Overview Password-based authentication is weak and smart cards offer a way to address this weakness,
More informationChoosing an SSO Solution Ten Smart Questions
Choosing an SSO Solution Ten Smart Questions Looking for the best SSO solution? Asking these ten questions first can give your users the simple, secure access they need, save time and money, and improve
More informationGoldKey Software. User s Manual. Revision 7.12. WideBand Corporation www.goldkey.com. Copyright 2007-2014 WideBand Corporation. All Rights Reserved.
GoldKey Software User s Manual Revision 7.12 WideBand Corporation www.goldkey.com 1 Table of Contents GoldKey Installation and Quick Start... 5 Initial Personalization... 5 Creating a Primary Secure Drive...
More informationConvenience and security
Convenience and security ControlSphere is a computer security and automation solution designed to protect user data and automate most of authentication tasks for the user at work and home environments.
More informationGlobal Headquarters: 5 Speen Street Framingham, MA 01701 USA P.508.872.8200 F.508.935.4015 www.idc.com
VENDOR PROFILE Passlogix and Enterprise Secure Single Sign-On: A Success Story Sally Hudson IDC OPINION Global Headquarters: 5 Speen Street Framingham, MA 01701 USA P.508.872.8200 F.508.935.4015 www.idc.com
More informationEnterprise SSO Manager (E-SSO-M)
Enterprise SSO Manager (E-SSO-M) Many resources, such as internet applications, internal network applications and Operating Systems, require the end user to log in several times before they are empowered
More informationReviewer Guide Core Functionality
securing your personal data Sticky Password Reviewer Guide Core Functionality Sticky Password is the password manager for the entire lifecycle of your passwords. Strong passwords the built-in password
More informationPassword Management Before User Provisioning
Password Management Before User Provisioning 2015 Hitachi ID Systems, Inc. All rights reserved. Identity management spans technologies including password management, user profile management, user provisioning
More information1 Maximizing Value. 2 Economics of self-service. Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications
1 Maximizing Value Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications Getting value from Hitachi ID Password Manager by improving user adoption. 2 Economics of self-service 2015
More informationOpen Directory. Apple s standards-based directory and network authentication services architecture. Features
Open Directory Apple s standards-based directory and network authentication services architecture. Features Scalable LDAP directory server OpenLDAP for providing standards-based access to centralized data
More informationLeverage Active Directory with Kerberos to Eliminate HTTP Password
Leverage Active Directory with Kerberos to Eliminate HTTP Password PistolStar, Inc. PO Box 1226 Amherst, NH 03031 USA Phone: 603.547.1200 Fax: 603.546.2309 E-mail: salesteam@pistolstar.com Website: www.pistolstar.com
More informationP-Synch by M-Tech Information Technology, Inc. ID-Synch by M-Tech Information Technology, Inc.
P-Synch by M-Tech Information Technology, Inc. ID-Synch by M-Tech Information Technology, Inc. Product Category: Password Management/Provisioning Validation Date: TBD Product Abstract M-Tech software streamlines
More informationCopyright http://support.oracle.com/
Primavera Portfolio Management 9.0 Security Guide July 2012 Copyright Oracle Primavera Primavera Portfolio Management 9.0 Security Guide Copyright 1997, 2012, Oracle and/or its affiliates. All rights reserved.
More informationSecurity solutions Executive brief. Understand the varieties and business value of single sign-on.
Security solutions Executive brief Understand the varieties and business value of single sign-on. August 2005 2 Contents 2 Executive overview 2 SSO delivers multiple business benefits 3 IBM helps companies
More informationAllidm.com. SSO Introduction. Discovering IAM Solutions. Leading the IAM Training. @aidy_idm facebook/allidm
Discovering IAM Solutions Leading the IAM Training @aidy_idm facebook/allidm SSO Introduction Disclaimer and Acknowledgments The contents here are created as a own personal endeavor and thus does not reflect
More informationPerceptive Experience Single Sign-On Solutions
Perceptive Experience Single Sign-On Solutions Technical Guide Version: 2.x Written by: Product Knowledge, R&D Date: January 2016 2016 Lexmark International Technology, S.A. All rights reserved. Lexmark
More informationNew Single Sign-on Options for IBM Lotus Notes & Domino. 2012 IBM Corporation
New Single Sign-on Options for IBM Lotus Notes & Domino 2012 IBM Corporation IBM s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM s sole
More information1 Building an Identity Management Business Case. 2 Agenda. 3 Business Challenges
1 Building an Identity Management Business Case Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications Justifying investment in identity management automation. 2 Agenda Business challenges
More informationDIGIPASS Authentication for Citrix Access Gateway VPN Connections
DIGIPASS Authentication for Citrix Access Gateway VPN Connections With VASCO Digipass Pack for Citrix 2006 VASCO Data Security. All rights reserved. Page 1 of 31 Integration Guideline Disclaimer Disclaimer
More informationTFS ApplicationControl White Paper
White Paper Transparent, Encrypted Access to Networked Applications TFS Technology www.tfstech.com Table of Contents Overview 3 User Friendliness Saves Time 3 Enhanced Security Saves Worry 3 Software Componenets
More informationRSA Authentication Agent 7.2 for Microsoft Windows Installation and Administration Guide
RSA Authentication Agent 7.2 for Microsoft Windows Installation and Administration Guide Contact Information Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com
More informationDigitalPersona Pro Enterprise
DigitalPersona Pro Enterprise Version 5.3 Frequently Asked Questions 2012 DigitalPersona, Inc. All Rights Reserved. All intellectual property rights in the DigitalPersona software, firmware, hardware and
More informationWeb Applications Access Control Single Sign On
Web Applications Access Control Single Sign On Anitha Chepuru, Assocaite Professor IT Dept, G.Narayanamma Institute of Technology and Science (for women), Shaikpet, Hyderabad - 500008, Andhra Pradesh,
More informatione-governance Password Management Guidelines Draft 0.1
e-governance Password Management Guidelines Draft 0.1 DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY Ministry of Communication and Information Technology, Government of India. Document Control S.
More informationThe Convergence of IT Security and Physical Access Control
The Convergence of IT Security and Physical Access Control Using a Single Credential to Secure Access to IT and Physical Resources Executive Summary Organizations are increasingly adopting a model in which
More informationNetIQ Advanced Authentication Framework - Client. User's Guide. Version 5.1.0
NetIQ Advanced Authentication Framework - Client User's Guide Version 5.1.0 Table of Contents 1 Table of Contents 2 Introduction 4 About This Document 4 NetIQ Advanced Authentication Framework Overview
More informationHow To Get A Single Sign On (Sso)
Single Sign-On Vijay Kumar, CISSP Agenda What is Single Sign-On (SSO) Advantages of SSO Types of SSO Examples Case Study Summary What is SSO Single sign-on is a user/session authentication process that
More informationHow To Secure Your Data Center From Hackers
Xerox DocuShare Private Cloud Service Security White Paper Table of Contents Overview 3 Adherence to Proven Security Practices 3 Highly Secure Data Centers 4 Three-Tier Architecture 4 Security Layers Safeguard
More informationProduct Information. bi-cube SSO Comprehensive Overview. T e c h n o l o g i e s S o l u t i o n s T r e n d s E x p e r i e n c e
Product Information bi-cube SSO T e c h n o l o g i e s S o l u t i o n s T r e n d s E x p e r i e n c e Table of contents 1 SUMMARY...4 2 BI-CUBE SSO: REQUIREMENTS AND INITIATED SCENARIOS...4 2.1 Intrinsic
More informationWhite paper December 2008. IBM Tivoli Access Manager for Enterprise Single Sign-On: An overview
White paper December 2008 IBM Tivoli Access Manager for Enterprise Single Sign-On: An overview Page 2 Contents 2 Executive summary 2 The enterprise access challenge 3 Seamless access to applications 4
More informationFlexible Identity. Tokenless authenticators guide. Multi-Factor Authentication. version 1.0
Flexible Identity Multi-Factor Authentication Tokenless authenticators guide version 1.0 Publication History Date Description Revision 2014.02.07 initial release 1.0 Copyright Orange Business Services
More informationCentralized Self-service Password Reset: From the Web and Windows Desktop
Centralized Self-service Password Reset: From the Web and Windows Desktop Self-service Password Reset Layer v.3.2-007 PistolStar, Inc. dba PortalGuard PO Box 1226 Amherst, NH 03031 USA Phone: 603.547.1200
More informationAdvanced Authentication
Architecture Overview Authasas Advanced Authentication Strong Authenticating to Novell edirectory using Domain Services for Windows November, 2011 Authasas Advanced Authentication Asterweg 19D12 1031 HL
More informationnexus Hybrid Access Gateway
Product Sheet nexus Hybrid Access Gateway nexus Hybrid Access Gateway nexus Hybrid Access Gateway uses the inherent simplicity of virtual appliances to create matchless security, even beyond the boundaries
More informationAn Oracle White Paper December 2010. Implementing Enterprise Single Sign-On in an Identity Management System
An Oracle White Paper December 2010 Implementing Enterprise Single Sign-On in an Identity Management System Introduction Most users need a unique password for every enterprise application, causing an exponential
More informationPassword Management Buyer s Guide. FastPass Password Manager V 3.3 Enterprise & Service Provider Editions
Password Management Buyer s Guide FastPass Password Manager V 3.3 Enterprise & Service Provider Editions FastPassCorp 2010 FPC0 FastPassCorp 2010. Page 1 Requirements for Password Management including
More informationAchieving HIPAA and HITECH Compliance. with Enterprise Single Sign-On
Achieving HIPAA and HITECH Compliance with Enterprise Single Sign-On Achieving HIPAA and HITECH Compliance with Enterprise Single Sign-On 1 TABLE OF CONTENTS The Challenges of HIPAA and HITECH Compliance
More informationRSA SecurID Two-factor Authentication
RSA SecurID Two-factor Authentication Today, we live in an era where data is the lifeblood of a company. Now, security risks are more pressing as attackers have broadened their targets beyond financial
More informationIBM Security Access Manager for Enterprise Single Sign-On
IBM Security Access Manager for Enterprise Single Sign-On Simplify password management, strengthen access security and demonstrate compliance Highlights Achieve faster time to value and higher ROI with
More informationKony Mobile Application Management (MAM)
Kony Mobile Application Management (MAM) Kony s Secure Mobile Application Management Feature Brief Contents What is Mobile Application Management? 3 Kony Mobile Application Management Solution Overview
More informationSAP NetWeaver Single Sign-On. Product Management SAP NetWeaver Identity Management & Security June 2011
NetWeaver Single Sign-On Product Management NetWeaver Identity Management & Security June 2011 Agenda NetWeaver Single Sign-On: Solution overview Key benefits of single sign-on Solution positioning Identity
More informationTable of Contents. Page 1 of 6 (Last updated 30 July 2015)
Table of Contents What is Connect?... 2 Physical Access Controls... 2 User Access Controls... 3 Systems Architecture... 4 Application Development... 5 Business Continuity Management... 5 Other Operational
More informationWhite Paper. McAfee Cloud Single Sign On Reviewer s Guide
White Paper McAfee Cloud Single Sign On Reviewer s Guide Table of Contents Introducing McAfee Cloud Single Sign On 3 Use Cases 3 Key Features 3 Provisioning and De-Provisioning 4 Single Sign On and Authentication
More informationPassword Management Best Practices
2015 Hitachi ID Systems, Inc. All rights reserved. Contents 1 Introduction 1 2 User authentication and passwords 2 2.1 Definitions.............................................. 2 2.2 Authentication technologies....................................
More informationIdentity Management and Single Sign-On
Delivering Oracle Success Identity Management and Single Sign-On Al Lopez RMOUG Training Days February 2012 About DBAK Oracle Solution Provider and License Reseller Core Technology and EBS Applications
More informationSecurity+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 10 Authentication and Account Management
Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 10 Authentication and Account Management Objectives Describe the three types of authentication credentials Explain what single sign-on
More informationFor Managing Central Deployment, Policy Management, Hot Revocation, Audit Facilities, and Safe Central Recovery.
Investment and Governance Division 614.995.9928 tel Ted Strickland, Governor 30 East Broad Street, 39 th Floor 614.644.9152 fax R. Steve Edmonson, Director / State Chief Information Officer Columbus, Ohio
More informationThe Convergence of IT Security and Physical Access Control
The Convergence of IT Security and Physical Access Control Using a Single Credential to Secure Access to IT and Physical Resources Executive Summary Organizations are increasingly adopting a model in which
More informationCHOOSING THE RIGHT PORTABLE SECURITY DEVICE. A guideline to help your organization chose the Best Secure USB device
CHOOSING THE RIGHT PORTABLE SECURITY DEVICE A guideline to help your organization chose the Best Secure USB device Introduction USB devices are widely used and convenient because of their small size, huge
More informationIdentity Access Management: Beyond Convenience
Identity Access Management: Beyond Convenience June 1st, 2014 Identity and Access Management (IAM) is the official description of the space in which OneLogin operates in but most people who are looking
More informationWorking with Structured Data in Microsoft Office SharePoint Server 2007 (Part1): Configuring Single Sign On Service and Database
Working with Structured Data in Microsoft Office SharePoint Server 2007 (Part1): Configuring Single Sign On Service and Database Applies to: Microsoft Office SharePoint Server 2007 Explore different options
More informationExtending Identity and Access Management
Extending Identity and Access Management Michael Quirin Sales Engineer Citrix Systems 1 2006 Citrix Systems, Inc. All rights reserved. Company Overview Leader in Access Infrastructure NASDAQ 100 and S&P
More informationResco Mobile CRM Security
Resco Mobile CRM Security Out-of-the-box Security 1. Overview The Resco Mobile CRM application (client) communicates directly with the Dynamics CRM server. The communication uses standard Dynamic CRM Web
More informationStrong Authentication: Enabling Efficiency and Maximizing Security in Your Microsoft Environment
Strong Authentication: Enabling Efficiency and Maximizing Security in Your Microsoft Environment IIIIII Best Practices www.gemalto.com IIIIII Table of Contents Strong Authentication and Cybercrime... 1
More informationEnhancing Organizational Security Through the Use of Virtual Smart Cards
Enhancing Organizational Security Through the Use of Virtual Smart Cards Today s organizations, both large and small, are faced with the challenging task of securing a seemingly borderless domain of company
More informationidentity management in Linux and UNIX environments
Whitepaper identity management in Linux and UNIX environments EXECUTIVE SUMMARY In today s IT environments everything is growing, especially the number of users, systems, services, applications, and virtual
More informationFlexible Identity. OTP software tokens guide. Multi-Factor Authentication. version 1.0
Flexible Identity Multi-Factor Authentication OTP software tokens guide version 1.0 Publication History Date Description Revision 2014.02.07 initial release 1.0 Copyright Orange Business Services 2 of
More informationThe increasing popularity of mobile devices is rapidly changing how and where we
Mobile Security BACKGROUND The increasing popularity of mobile devices is rapidly changing how and where we consume business related content. Mobile workforce expectations are forcing organizations to
More informationProtectID. for Financial Services
ProtectID for Financial Services StrikeForce Technologies, Inc. 1090 King Georges Post Road #108 Edison, NJ 08837, USA http://www.strikeforcetech.com Tel: 732 661-9641 Fax: 732 661-9647 Introduction 2
More informationSalesforce1 Mobile Security Guide
Salesforce1 Mobile Security Guide Version 1, 1 @salesforcedocs Last updated: December 8, 2015 Copyright 2000 2015 salesforce.com, inc. All rights reserved. Salesforce is a registered trademark of salesforce.com,
More informationOracle Enterprise Single Sign-on Logon Manager. Installation and Setup Guide Release 11.1.1.2.0 E15720-02
Oracle Enterprise Single Sign-on Logon Manager Installation and Setup Guide Release 11.1.1.2.0 E15720-02 November 2010 Oracle Enterprise Single Sign-on Logon Manager, Installation and Setup Guide, Release
More informationThe Encryption Anywhere Data Protection Platform
The Encryption Anywhere Data Protection Platform A Technical White Paper 5 December 2005 475 Brannan Street, Suite 400, San Francisco CA 94107-5421 800-440-0419 415-683-2200 Fax 415-683-2349 For more information,
More informationIntroduction to Computer Security
Introduction to Computer Security Identification and Authentication Pavel Laskov Wilhelm Schickard Institute for Computer Science Resource access: a big picture 1. Identification Which object O requests
More informationGuide to Evaluating Multi-Factor Authentication Solutions
Guide to Evaluating Multi-Factor Authentication Solutions PhoneFactor, Inc. 7301 West 129th Street Overland Park, KS 66213 1-877-No-Token / 1-877-668-6536 www.phonefactor.com Guide to Evaluating Multi-Factor
More informationMulti-Factor Authentication Protecting Applications and Critical Data against Unauthorized Access
Multi-Factor Authentication Protecting Applications and Critical Data against Unauthorized Access CONTENTS What is Authentication? Implementing Multi-Factor Authentication Token and Smart Card Technologies
More information