Authentication: Password Madness

Similar documents
Oracle Enterprise Single Sign-on Technical Guide An Oracle White Paper June 2009

Passlogix Sign-On Platform

Identity Management and Single Sign-On

Enterprise Single Sign-On City Hospital Cures Password Pain. Stephen Furstenau Operations and Support Director Imprivata, Inc.

Extending Identity and Access Management

Global Headquarters: 5 Speen Street Framingham, MA USA P F

IBM Tivoli Access Manager for Enterprise Single Sign-On

PROTECT YOUR WORLD. Identity Management Solutions and Services

Critical Issues with Lotus Notes and Domino 8.5 Password Authentication, Security and Management

Choosing an SSO Solution Ten Smart Questions

Enhancing Password Management by Adding Security, Flexibility, and Agility IBM Redbooks Solution Guide

Is your mainframe less secure than your file server? Malcolm Trigg Solutions Consultant 24 th February 2016

Google Identity Services for work

Single Sign-On. Security and comfort can be friend. Arnd Langguth. September, 2006

Allidm.com. SSO Introduction. Discovering IAM Solutions. Leading the IAM facebook/allidm

managing SSO with shared credentials

Single Sign-on (SSO) technologies for the Domino Web Server

Identity Management in Liferay Overview and Best Practices. Liferay Portal 6.0 EE

Adding Stronger Authentication to your Portal and Cloud Apps

How to Optimize Epic Clinical Workflows with Imprivata

identity management in Linux and UNIX environments

nexus Hybrid Access Gateway

The Benefits of an Industry Standard Platform for Enterprise Sign-On

White paper December IBM Tivoli Access Manager for Enterprise Single Sign-On: An overview

Server-based Password Synchronization: Managing Multiple Passwords

Simplifying Security with Datakey Axis Single Sign-On. White Paper

Citrix Password Manager 4.1

White paper December Addressing single sign-on inside, outside, and between organizations

Leveraging SAML for Federated Single Sign-on:

SchoolBooking SSO Integration Guide

Masdar Institute Single Sign-On: Standards-based Identity Federation. John Mikhael ICT Department

IBM Security Access Manager for Enterprise Single Sign-On

The Top 5 Federated Single Sign-On Scenarios

Citrix Password Manager 4.5 Partner and Sales FAQ

5 Day Imprivata Certification Course Agenda

SECUREAUTH IDP AND OFFICE 365

Installing and Configuring DB2 10, WebSphere Application Server v8 & Maximo Asset Management

ALM - Key benefits. t: +31(0) f: +31(0) Oude Oeverstraat JZ Arnhem The Netherlands. ALM Key benefits 01/01/2014 1

An Oracle White Paper December Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance

Vyom SSO-Edge: Single Sign-On for BMC Remedy

Federated single sign-on (SSO) and identity management. Secure mobile access. Social identity integration. Automated user provisioning.

STRONGER AUTHENTICATION for CA SiteMinder

Privileged. Account Management. Accounts Discovery, Password Protection & Management. Overview. Privileged. Accounts Discovery

An Oracle White Paper Sep Buyer s Guide for Enterprise Single Sign On

Security solutions Executive brief. Understand the varieties and business value of single sign-on.

Product overview. CA SiteMinder lets you manage and deploy secure web applications to: Increase new business opportunities

API-Security Gateway Dirk Krafzig

Leverage Active Directory with Kerberos to Eliminate HTTP Password

An Oracle White Paper December Integrating Oracle Enterprise Single Sign-On Suite Plus with Strong Authentication

Vyom SSO-Edge: Single Sign-On Solution for BMC Remedy

Working with Structured Data in Microsoft Office SharePoint Server 2007 (Part1): Configuring Single Sign On Service and Database

WHITE PAPER Usher Mobile Identity Platform

101 Things to Know About Single Sign On

Strong Authentication: Enabling Efficiency and Maximizing Security in Your Microsoft Environment

Active Directory and DirectControl

IBM Security Access Manager for Enterprise Single Sign-On Version User Guide IBM SC

Identity & Access Management in the Cloud: Fewer passwords, more productivity

IDENTITY MANAGEMENT. February The Government of the Hong Kong Special Administrative Region

New Single Sign-on Options for IBM Lotus Notes & Domino IBM Corporation

CA SiteMinder SSO Agents for ERP Systems

WHITEPAPER. SECUREAUTH 2-FACTOR AS A SERVICE 2FaaS

Password Self-Service for Novell edirectory. Brent McCormick Novell Corporate Technology Strategist

EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 8 Authentication

Web Applications Access Control Single Sign On

Oracle Enterprise Single Sign-on Logon Manager. Installation and Setup Guide Release E

IBM Maximo technology for business and IT agility

How to Get to Single Sign-On

MarketScope for Enterprise Single Sign-On

OpenAM All-In-One solution to securely manage access to digital enterprise and customer services, anytime and anywhere.

Best Practices: Single Sign-On Drives Productivity, Security, and Adoption When Used with EHR at The Johns Hopkins Hospital

<Insert Picture Here> Oracle Identity And Access Management

VMware AlwaysOn Point of Care Desktop. with Indigo Identityware software for Fast Access & Strong Authentication with Roaming Desktops

Identity Management Basics. OWASP May 9, The OWASP Foundation. Derek Browne, CISSP, ISSAP

IBM Tivoli Federated Identity Manager

Advanced Authentication

A brief on Two-Factor Authentication

OVERVIEW. DIGIPASS Authentication for Office 365

ORACLE ACCESS MANAGER

Speeding Office 365 Implementation Using Identity-as-a-Service

Administration Guide. SecureLogin 8.0. October, 2013

Oracle Enterprise Single Sign-on Logon Manager. Installation and Setup Guide Release E

Redpaper Axel Buecker Kenny Chow Jenny Wong

Linux Single Sign-on: Maximum Security, Minimum Cost

MarketScope for Enterprise Single Sign-On

Remote Authentication and Single Sign-on Support in Tk20

Open Directory. Apple s standards-based directory and network authentication services architecture. Features

Transcription:

Authentication: Password Madness MSIT 458: Information Security Group Presentation The Locals

Password Resets United Airlines = 83,000 employees Over 13,000 password reset requests each month through the IT Service Desk Intranet, email and one other system make up approximately 75% of all password resets Voice of the User Passwords expire too often They must remember too many passwords Password authentication is too strict

Why is it that it s harder to get into my email box at United than my Chase bank account? ~SFO Flight Attendant

Single Sign-On

This ain t your parents SSO The old way of thinking about SSO Requires modification of target apps Lengthy and costly implementation A new way of thinking No modifications required. Apps are trained to sense sign-in screens. Out-of-the-box implementations (3 to 6 months) Cost effective

Advantages for the User Provides user with one username and one password for accessing multiple systems Reduces time spent on login/logout activities Eliminates password fatigue by reducing the number of usernames and passwords to be maintained Can reduce incidence of phishing attacks, since users know they shouldn t be entering passwords

Advantages for the Admin Simplifies user account management by reducing the number of accounts and passwords Centralized management of user credentials allows for more efficient identity management New user setup done once and propagated across enterprise Authentication/password rules, account lockout and auditing policies are enforced more effectively with relatively reduced cost and effort Easier to detect anomalous behavior thus improving security of network

How SSO Works Types E-SSO, Web, and Federated Features Enables user to log in/out only once in a given session User can access all systems that he or she is authorized to access within that session without multiple login/logout activities Access to multiple apps/systems are authenticated with a single set of credentials

How E-SSO Works Setup/configuration Graphical wizard used to train the product to recognize various sign-on, password change, postsign-on automation and sign-off events. Wizards write scripts or XML parameter files Back-end repository Active Directory LDAP Relational database management systems (RDBMSs)

How E-SSO Works Architecture Two-tier, where E-SSO agents interact directly with directory infrastructure N-tier, where E-SSO provides middle layer between agents; brokers interactions with directory Reporting Log entries provide basic information about application access Canned reporting functionality Export log data to third-party reporting or system management tools

Options Windows integrated authentication (i.e. Kerberos) Password synchronization Software packages PassLogix, acquired by Oracle (Oct 2010) Imprivata OneSign SSO IBM Tivoli Unified Single Sign-On And of course, SSO for the Cloud, SinglePoint Universal Sign-On from Symplified

If the USPS can do it 800,000 employees 157,000 computers in 20,000 buildings 1000 internal applications 6000 external applications

USPS chose PassLogix Does not require application modification or scripting Initial configuration completed in 30 days Testing and engineering took 90 days Total roll-out time was 8 months Applications included in deployment: Web applications Win32 applications Mainframe applications VAX applications Java applications Windows Terminal Services +

What does it cost? Depends upon size and scope Analysis by Gartner (Sept 2010): Scenario 1: Regional Hospital 4 locations. If a location fails, it must be handled by another location. Scenario 2: Manufacturing Company 1 location 1,000 users 5,000 users Exchange, SAP, Lotus Notes, six thick-client Windows apps and six Web apps Standard Web, Windows and terminal applications

What does it cost? Regional Hospital Shared kiosk/workstation support for 500 of the users Passive proximity card integration for all users The average price was $69,000, down from $86,000 in 2008-2009. Average $69/user. Manufacturing Company Remote access required for 1,000 of the users on unmanaged machines No new authentication methods or shared kiosks The average price was $219,000, down from $264,000 in 2008-2009. Average $43.80/user.

Industry Applicability Cross-industry problem, cross-industry solution Best in environments with multiple applications/login that cannot be fixed to integrate with directory services Particularly useful in health-care industry Clinical environments with mobile users logging into arbitrary workstations Need quick login Sentillion - SSO provider specifically for health care. Recently acquired by Microsoft.

Limitations Current packages struggle detecting login screens with web technologies Rich Internet Applications Flash Java Keys to the castle if user credentials are breached Combine with additional security (smart cards, biometrics, etc.) With only one password to remember, can force strengthening of passwords SSO server becomes a single point of failure/bottleneck

Business Consequence Enterprises that adopt ESSO products must incorporate ESSO testing into the enterprise change management process. Automated sign-on logic can fail when sign-on or password update prompts change with new releases of target applications or operating systems. Administrators must then retrain the ESSO product to recognize the new prompt.

Legal Consequence The ESSO solution and target apps must be in compliance with various privacy regulations US Privacy Act of 1974 protects records that can be retrieved from a system of records by personal identifiers such as a name, social security number, or other identifying number or symbol. Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects the privacy of individually identifiable health information

Trends OpenID Created in 2005 by the open source community The driver s license for the entire Internet. You control how much information is shared. Facebook Connect Launched in December 2008; code owned by Facebook Users take their Facebook identity, network, and privacy settings with them as they browse sites. Users interact with their Facebook friends on other websites, and can stream their activity back into the Facebook news feed.

Trends Biometric Coupling Biometric input devices coupled with SSO framework provides a much more secure solution Fingerprint biometric technologies Proximity badges One-time password (OTP) tokens Smart cards

Conclusion: SSO at United Moving from edirectory to Active Directory Pick apps from United and Continental that will use AD for SSO Cost Timeline: Migration planning has already commenced Migration is to be completed by the end of 2012

Thanks.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information