Organizations are supporting far too many passwords, which leads to weakened security, inconvenienced end users, and increased cost of management and support. Several approaches are available to help companies work towards the ideal of a single sign-on, including directory synchronization, password synchronization, enterprise single sign-on, web access management, and identity federation. This Research Brief leverages the findings of recent Aberdeen research on user authentication to provide insights into the factors that should influence selection among these different approaches to a common problem.

March 2008, Research Brief

Aberdeen's Research Briefs provide a synopsis of the principal findings derived from primary research, including key performance indicators, Best-in-Class insight, and vendor insight.

The Problem is Passwords

Aberdeen's benchmark study on Strong User Authentication (March 2008) showed that virtually all (98%) respondents indicated continued reliance on username / password for authenticating users to control access to systems, networks, data and applications. Nearly half (48%), however, have also deployed at least one stronger, non-password method of user authentication (Figure 1).

Figure 1: Current Password Practices (all respondents). Username / password: 98%; with length requirements: 71%; with complexity requirements: 62%; with restrictions on re-use: 58%; with non-dictionary requirements: 55%; with mandated password changes: 36%. Passwords only versus non-passwords: username / password and 1 other method: 35%; username / password and 2 or more other methods: 11%; only non-password method(s): 2%.

Fast Facts: Recent Aberdeen research on user authentication and credential lifecycle management showed that 88% of all enterprise users have multiple work-related passwords, and that the average number of work-related passwords is between five and six.
As shown in Figure 1, a majority of all respondents have taken steps to strengthen the security of passwords, e.g., requirements for length (71%), complexity (62%), and frequency of change (36%); restrictions on re-use (58%); and exclusion of standard dictionary terms (55%). All of these enhance the security of passwords, but at the same time they make passwords more cumbersome for end users. Passwords that are more difficult to guess are also more difficult to remember. Natural coping mechanisms include writing them down (which weakens security) and placing calls to the help desk (which increases cost).

Nearly two-thirds of all respondents (64%) currently do not even require passwords to be changed, which among other things increases the risk of password sharing (bad security, and potentially a violation of software license agreements) and the risk of access remaining open long after accounts have been "orphaned" due to employee turnover. It should go without saying that none of these outcomes were the formal intent of management in setting the established password security policies.

The sheer number of passwords amplifies the problem. In a typical day in the life of an average enterprise knowledge worker, she may be required to use a half-dozen passwords or more in the normal course of Windows logon, data encryption, remote access (e.g., VPN or SSL VPN), WiFi access, e-mail, web-based applications or portals, and back-office applications (e.g., HR, ERP). In addition, smaller subsets of users may use passwords to access privileged accounts (i.e., administrative functions) or to execute high-value transactions. Aberdeen's latest research indicates that about nine out of 10 (88%) enterprise users have multiple work-related passwords.
Single Sign-On: Necessity is the Mother of Invention

Because of the many problems with passwords (not secure, not convenient for end users, and definitely not "free" in terms of total cost of ownership), many organizations are highly motivated to investigate solutions designed to address these issues. In the context of this Research Brief, the term Single Sign-On (SSO) is used to indicate a variety of approaches that enable end users to authenticate once, to establish that they are who they say they are, and based on that one authentication to have seamless access to multiple resources. Note that "reduced sign-on" is technically a more accurate description, since few organizations achieve the theoretical ideal of a single authentication for all access. For convenience and for consistency with current industry practice, however, we use the term SSO.

In response to the many pain points related to passwords, solutions providers have developed several approaches to single sign-on, including the following:

- Directory integration
- Password synchronization
- Enterprise single sign-on
- Web single sign-on (web access management)
- Identity federation

These topics, which are discussed in more detail later in this report, are planned to be addressed as full-fledged benchmark studies in future Aberdeen research.

Note that when companies are successful at implementing SSO solutions, they have potentially created a new security risk, traditionally referred to as the "keys to the kingdom" problem. When there is only one logon that provides a user with seamless access to multiple resources, many reason that this should be a stronger authentication method than username / password. See the upcoming Strong User Authentication benchmark report for more insights regarding leading non-password methods.

"The security team wants a more stringent password policy, while the senior management team doesn't want any friction whatsoever in their ability to access critical business information. Who do you think wins out in this particular tug of war?" ~ IT Security Manager, Mid-size High-Tech Company

"Single sign-on is an example of something that everybody wants, but nobody ever really totally achieves. Still, every reduction in the number of passwords we have to deal with is a convenience for the users and an opportunity for the company to save time and money on management and support." ~ Project Manager, Mid-size Software Developer

Directory Integration

In the June 2007 research brief Dealing with Directories: Fewer Fuel Faster and More Efficient Operations, Aberdeen described how companies with top performance have implemented explicit strategies to reduce the total number of directories used for authentication and identity management. Figure 2 provides an update to these findings, based on the Strong User Authentication benchmark report. About two out of five respondents (39%) in the study indicated that they had consolidated to a single authoritative repository for user identities. Of those using Microsoft Active Directory (AD), such consolidation had been achieved by more than half (54%). Maintaining multiple directories requires the development of additional policies and processes for keeping these separate identity repositories in synch.
Figure 2: Number of Directories for User Authentication (percentage of respondents by number of directories: 1, 2 to 5, 6 to 10, 11 to 15, >15; series: Active Directory, LDAP, Database, All Types). A single directory is reported by 54% of Active Directory users and by 39% of respondents across all types.

"We wanted everything to hinge on our established Active Directory environment, while making things less confusing for our users, simpler to manage for our administrators, and more secure for our business with features such as stronger passwords and consistent group policies." ~ Enterprise Architect, Utilities Industry
Even in an AD-centric environment, however, the material presence of non-Windows systems (e.g., Unix, Linux, Mac, Java) requires most companies to develop explicit strategies for integration of non-Windows systems as well. Directory integration solutions that integrate non-Windows systems as part of the AD domain provide several benefits:

- Support for single sign-on. The same credential generated at Windows log-on can also grant access to the other systems that now participate within the same realm of trust.
- Consistent policies. The ability to apply "group policy" to both Windows and non-Windows systems enables consistent security policies across all systems, managed centrally through AD.
- Reduced cost. Elimination of separate identity stores and authentication mechanisms not only reduces ongoing management cost, but also provides the operational and security benefits of more effective user provisioning and de-provisioning.

See Dealing with Directories: Fewer Fuel Faster and More Efficient Operations (June 2007), Provision or Pay: Employee Down Time Costs Companies Millions (April 2007), and Provision and Reset Passwords Quickly for Productivity and Quantifiable ROI (May 2007) for more details on quantifiable results achieved by top performers in these areas.

Password Synch

Password synchronization solutions are designed to help enterprise end users establish and maintain a single password for access to multiple systems. This common password would be subject to a consistent security policy (as noted earlier, this typically includes requirements for length, complexity, frequency of change, restrictions on re-use, and exclusion of standard dictionary terms), and the synchronization solution would keep it updated on a defined schedule across multiple systems and applications. To the extent that users find a single password (albeit a more complex one) easier to remember, they are less likely to write it down or place expensive calls to the help desk.
Password synchronization solutions can also take advantage of the trend towards consolidation around a single authoritative repository for user identities, as discussed earlier. When passwords are changed natively in the common repository (e.g., in AD), the password management system can automatically propagate these changes to other systems and applications.

"Our students, faculty and staff have user-ids and passwords for multiple systems, including the general university domain, mainframe, e-mail, and Unix systems. Password synchronization helps our users reset their own passwords, maintaining a higher level of service without crushing our help desk. We still have to work hard at educating users to choose good passwords, though. The personal questions used as part of the self-service web site are another challenge; for example, should we really have to explicitly say not to put 'what is today's date?' as a personal question? Believe it or not, today's date changes on a daily basis." ~ Systems Administrator, Mid-size University

Enterprise SSO

Enterprise Single Sign-On (E-SSO) refers to client-side software that learns and automatically manages subsequent user logins to a wide range of enterprise applications, typically including desktop, e-mail, groupware, client / server, web-based, and mainframe applications. After the initial login, the E-SSO solution transparently logs the user in to all learned applications, and manages all subsequent password changes according to the established policies. Because the E-SSO solution shields the end user from any additional burden, password policies can be made more stringent (in terms of requirements for length, complexity, frequency of change, etc.) on an application-by-application basis. Typical implementations leverage the standard Windows logon to identify the user to the E-SSO client software, which handles all subsequent authentications. To address the keys to the kingdom problem, a stronger form of authentication (e.g., smart card, biometric, or one-time password) is often used for the initial authentication. E-SSO server software is also deployed to provide management and administrative functions such as directory integration, application integration, user management, password policies, and reporting.

Figure 3: Current / Planned Use for Selected SSO Solutions (percentage of all respondents: Currently Use / Planning Deployment <12 months / Evaluating). Enterprise Single Sign-On: 26% currently use, 14% planning deployment; Web Access Management: 39% currently use, 11% planning deployment; Identity Federation: 9% currently use, 5% planning deployment.

"With several thousand users and more than 100 applications, we were dealing with way too much end-user frustration over passwords. Most are using up to 10 applications on a regular basis, and each application currently has its own policies and standards for user authentication. For us, Enterprise Single Sign-On was the most expedient starting point because users now have to remember only their Windows password, and the rest is taken care of by the software. They get their work done more quickly, and we spend a lot less time helping them reset forgotten passwords." ~ IT Security Director, Healthcare Industry

As shown in Figure 3, recent Aberdeen research indicated that about one-fourth (26%) of all respondents are currently using E-SSO solutions, with another 14% planning deployments in the next 12 months.
While current deployments are skewed towards large enterprises (defined by Aberdeen as $1B or higher in annual revenues for the last fiscal year), the data shows that planned deployments and current evaluations for E-SSO are strongest among mid-market companies (between $50M and $1B in annual revenue), as shown in Figure 4.

Figure 4: Current / Planned Use by Company Size - E-SSO (Currently Use / Planned Deployment <12 months / Evaluating for Small (<$50M), Mid-Size ($50M-$1B) and Large (>$1B) companies; indexed to Large Enterprise = 1.0).
Web SSO (Web Access Management)

Most companies (52% in our recent research) report growing numbers of supported users, both internal and external, and a growing number of enterprise resources are being made available through web-based mechanisms. Web Access Management (WAM) solutions are specifically designed to provide streamlined access to web-based applications, including intranets, extranets, web portals, and exchange infrastructures. WAM solutions help to ensure that once authenticated, users can access only those web-based resources to which they have been given privileges, based on the established policies and business rules.

As shown in Figure 3, web SSO solutions are currently more broadly deployed than E-SSO solutions (39% versus 26%), with another 11% of all respondents planning deployments in the next 12 months. Figure 5 illustrates that although current deployments of web SSO are similarly skewed towards large enterprises, both planned deployments and current evaluations for web SSO are significantly higher among mid-market and small (under $50M in annual revenue) organizations. This no doubt reflects not only the relative maturity of the WAM market compared to the E-SSO market, but also the relatively higher focus companies have given to addressing security and access management for external-facing, web-based applications compared to internal users. Rightly or wrongly, respondents were nearly two times more likely to identify "risk associated with external users" than "risk associated with internal users" as a leading pressure driving current investments (34% versus 18%).

"Our challenge is to balance faster and more convenient access for patients and caregivers, while also protecting sensitive patient information and addressing all compliance regulations. Our web-based patient portal provides the common access and ease of use our users are looking for, while the web access management system addresses our requirements for security, integration, flexible administration, and compliance reporting." ~ IT Director, Healthcare Provider Network

Figure 5: Current / Planned Use by Company Size - Web SSO (Currently Use / Planned Deployment <12 months / Evaluating for Small (<$50M), Mid-Size ($50M-$1B) and Large (>$1B) companies; indexed to Large Enterprise = 1.0).

Internet SSO (Identity Federation)

Identity federation, or federation of identity, refers to standardized mechanisms for making information about user identities portable across autonomous security domains. From the end user perspective, this enables them to authenticate themselves to one domain and then to access the data or applications from another domain, seamlessly and securely, without the inconvenience of having to log on again. From an organizational perspective, this means that one entity (the "identity provider") authenticates the user based on its own policies and standards, and then produces standardized assertions about that user's identity and access privileges which can be evaluated and acted upon by the second entity (the "service provider") whose resources are to be accessed.

While it is a reasonably simple concept, identity federation is a sophisticated topic, worthy of future coverage in its own Aberdeen benchmark report. Topologies include enterprise-controlled, business-to-business scenarios on the one hand, and end user-controlled, consumer-centric scenarios on the other. Technology standards for exchanging authentication and authorization data between security domains include the Security Assertion Markup Language (SAML), the Web Services Security (WS-Security) and WS-Federation specifications, and Active Directory Federation Services (ADFS).

Taken together, Figure 3 and Figure 6 reflect the relative immaturity of the identity federation market compared to E-SSO and web SSO. Just 9% of all respondents indicated current use of federated identity solutions, with another 5% planning deployments in the next 12 months. Current deployments are significantly skewed towards large enterprises, with planned deployments roughly comparable between large and mid-size organizations. As technical issues of technology and interoperability are steadily resolved through the industry standards process, business issues of liability and trust across disparate organizations must also be surfaced, addressed, and standardized.

"The technical specifications, implementations, and interoperability aspects of federated identity systems seem to be getting worked out by the industry's leading solution providers. Beyond the technical issues, however, leveraging identities between companies and their business partners raises key legal issues of risk and liability that must be adequately addressed if the process is to be generalized and scaled. Over the next couple of years, most cross-domain federation efforts are probably going to continue to be individually crafted in this regard." ~ Partner, US Law Firm

Figure 6: Current / Planned Use by Company Size - Federation (Currently Use / Planned Deployment <12 months / Evaluating for Small (<$50M), Mid-Size ($50M-$1B) and Large (>$1B) companies; indexed to Large Enterprise = 1.0).

Solution Landscape

The diversity of approaches to single sign-on is reflected by the broad range of vendors that provide a solution in one or more of the areas discussed in this Research Brief. Table 1 provides an illustrative list.
Table 1: Solutions Landscape (illustrative)

Company | Directory Integration | Password Synch | Enterprise SSO | Web SSO (WAM) | Internet SSO (Federation)
Centeris (www.centeris.com) | Likewise | | | |
Centrify (www.centrify.com) | DirectControl | | | |
Quest Software (www.quest.com) | Vintela Authentication Services | InSync | Quest Enterprise Single Sign-on | | Vintela Single Signon for Java (ADFS)
Courion (www.courion.com) | | Password Courier | | |
M-Tech (www.mtechit.com) | | P-Synch | | |
Proginet (www.proginet.com) | | SecurPass | SecurAccess | |
ActivIdentity (www.actividentity.com) | | | SecureLogin SSO | |
Beta Systems (www.betasystems.com) | | | SAM esso | |
Citrix (www.citrix.com) | | | XenApp Single Sign-On, Password Manager | |
Imprivata (www.imprivata.com) | | | OneSign | |
i-sprint Innovations (www.i-sprint.com) | | | AccessMatrix Universal Sign-On | |
Passlogix (www.passlogix.com) | | | v-go Single Sign-On | |
Sentillion (www.sentillion.com) | | | expresso | |
Evidian (www.evidian.com) | | | Evidian Enterprise SSO | Evidian Web Access Manager |
CA (www.ca.com) | | | CA Single Sign-On | CA SiteMinder Web Access Manager | CA Federation
IBM (www.ibm.com) | | | Encentuate (acquired 3/08) | Tivoli Access Manager | Tivoli Federated Identity Manager
Oracle (www.oracle.com) | | | Oracle Enterprise Single Sign-On Suite | Oracle Access Manager | Oracle Identity Federation
Entegrity (www.entegrity.com) | | | Webthority | AssureAccess |
Entrust (www.entrust.com) | | | | GetAccess | GetAccess
RSA, the Security Division of EMC (www.rsa.com) | | | | Access Manager | Federated Identity Manager
Sun (www.sun.com) | | | | Access Manager, Role Manager | Federation Manager
Ping Identity (www.pingidentity.com) | | | | | PingFederate
Symlabs (www.symlabs.com) | | | | | Federated Identity Suite

Recommendations

The many faces of single sign-on reflect the complexity and heterogeneity of current computing environments. While the motivation for SSO is clear, common and compelling, selecting an approach for investment and ultimately deployment is a function of several factors which are unique to each organization:

- Is the scope of control regarding the infrastructure for security, authentication, and authorization (such as directories and other identity repositories, or client-side software) entirely within the enterprise?
- Are the end users primarily internal, external, or both?
- Are the applications primarily web-based, or a mixture of Windows, web, client-server, mainframe, and other?
- Is the scope of control regarding policy for security, authentication, and authorization entirely within the enterprise, or does it span multiple organizations?

These environmental factors are the logical starting point for more detailed evaluations and investigations into SSO solutions based on directory integration, password synchronization, enterprise SSO, web SSO, and / or identity federation. Understanding these requirements and constraints will naturally lead towards conversations with the most appropriate subset of solution providers. Although their respective starting points may differ, many organizations have deployed or will deploy more than one of these approaches to SSO to address their unique blend of infrastructure, user segments, applications, and policies.

For more information on this or other research topics, please visit www.aberdeen.com.
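The identity-provider / service-provider exchange described in the Internet SSO (Identity Federation) section, as an added example that is not code from this report or from any vendor listed in Table 1. It assumes the two domains have exchanged an HMAC key out of band and uses a signed JSON message as a simplified stand-in for a SAML assertion; the entity identifiers, user store and roles are constructed.

```python
import base64, binascii, hashlib, hmac, json, time

# Assumptions (constructed for this illustration): the two domains have exchanged
# an HMAC key out of band, and these are their entity identifiers.
SHARED_KEY = b"demo-federation-key-not-for-production"
IDP_ID = "https://idp.example.org"
SP_ID = "https://portal.example.com"

def _pw_hash(password: str, salt: bytes) -> bytes:
    # Part of the IdP's own password policy: PBKDF2 so the constructed user
    # store holds no recoverable passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed IdP user store: one user, with the roles the IdP will assert.
IDP_USERS = {
    "alice": {
        "salt": b"constructed-salt-alice",
        "pw_hash": _pw_hash("Correct-Horse-9", b"constructed-salt-alice"),
        "roles": ["employee", "portal-user"],
    },
}

def _sign(payload: bytes) -> str:
    return hmac.new(SHARED_KEY, payload, hashlib.sha256).hexdigest()

def encode_assertion(claims: dict) -> str:
    """Serialize and sign the claims; the assertion is '<base64 body>.<hmac>'."""
    payload = json.dumps(claims, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)

def idp_issue_assertion(username, password, now=None, ttl=300):
    """IdP side: authenticate under the IdP's own policy, then issue a short-lived
    assertion addressed to exactly one service provider."""
    now = int(time.time()) if now is None else now
    rec = IDP_USERS.get(username)
    if rec is None or not hmac.compare_digest(rec["pw_hash"], _pw_hash(password, rec["salt"])):
        return None  # authentication failed: no assertion is produced
    claims = {"iss": IDP_ID, "aud": SP_ID, "sub": username,
              "iat": now, "exp": now + ttl, "roles": rec["roles"]}
    return encode_assertion(claims)

def sp_accept_assertion(token, now=None):
    """SP side: verify before trusting anything. Returns (ok, reason, claims)."""
    now = int(time.time()) if now is None else now
    try:
        body_b64, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body_b64.encode())
    except (ValueError, binascii.Error):
        return False, "malformed", None
    if not hmac.compare_digest(_sign(payload).encode(), sig.encode()):
        return False, "bad-signature", None  # tampered, or not from the trusted IdP
    claims = json.loads(payload)  # parsed only after the signature checks out
    if claims.get("iss") != IDP_ID:
        return False, "untrusted-issuer", None
    if claims.get("aud") != SP_ID:
        return False, "wrong-audience", None  # issued for some other service provider
    if not (claims.get("iat", 0) <= now < claims.get("exp", 0)):
        return False, "outside-validity-window", None  # expired or not yet valid
    return True, "ok", claims

def sp_privileges(claims: dict) -> set:
    """The SP keeps its own authorization policy: asserted roles map to local rights."""
    local_policy = {"employee": {"read"}, "portal-user": {"read", "submit"}}
    rights = set()
    for role in claims.get("roles", []):
        rights |= local_policy.get(role, set())
    return rights
```

The service provider never reads the subject or roles until the signature, issuer, audience and validity window have all been checked, which is the technical side of the trust relationship the law-firm quote above says must still be settled contractually.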
Related Research

The 2008 Aberdeen Report; March 2008
Strong User Authentication; March 2008
Logical / Physical Security Convergence; December 2007
Dealing with Directories: Fewer Fuel Faster and More Efficient Operations; June 2007
Provision and Reset Passwords Quickly for Productivity and Quantifiable ROI; May 2007
Provision or Pay: Employee Down Time Costs Companies Millions; April 2007
Identity and Access Management; March 2007

Author: Derek E. Brink, Vice President and Research Director, IT Security (Derek.Brink@aberdeen.com)

Since 1988, Aberdeen's research has been helping corporations worldwide become Best-in-Class. Having benchmarked the performance of more than 644,000 companies, Aberdeen is uniquely positioned to provide organizations with the facts that matter, the facts that enable companies to get ahead and drive results. That's why our research is relied on by more than 2.2 million readers in over 40 countries, 90% of the Fortune 1,000, and 93% of the Technology 500.

As a Harte-Hanks Company, Aberdeen plays a key role of putting content in context for the global direct and targeted marketing company. Aberdeen's analytical and independent view of the "customer optimization" process of Harte-Hanks (Information, Opportunity, Insight, Engagement, Interaction) extends the client value and accentuates the strategic role Harte-Hanks brings to the market. For additional information, visit Aberdeen at http://www.aberdeen.com or call (617) 723-7890, or to learn more about Harte-Hanks, call (800) 456-9748 or go to http://www.harte-hanks.com.

This document is the result of primary research performed by Aberdeen Group. Aberdeen Group's methodologies provide for objective fact-based research and represent the best analysis available at the time of publication. Unless otherwise noted, the entire contents of this publication are copyrighted by Aberdeen Group, Inc. and may not be reproduced, distributed, archived, or transmitted in any form or by any means without prior written consent by Aberdeen Group, Inc.

010908a