Single sign-on: Sensible security on scale

Single sign-on is no longer the preserve of large companies. With the right tools, midmarket companies can also enjoy the benefits and convenience of one password.

Who hasn't come into the office in the morning, booted up and logged on to a workstation, then logged on to email with another user ID and password, and then another application with another user ID and password, and then another, and then thought: Isn't there a better way? For midmarket CIOs, though, the thought goes away when they start to think about the complexities of implementing a single sign-on (SSO) system even on a small...

scale.

SSO implementations, at first glance, might seem daunting for midsized companies. There are a lot of moving parts to even the simplest SSO deployment: working with diverse systems, installing specialized software or hardware and meshing with the company's existing authentication systems.

Joel Dubin
Joel Dubin, CISSP
But SSO is no longer the preserve of just large companies, nor should it be. Midmarket companies can also enjoy the benefits and convenience of SSO. And there are options and tools that put it within reach. That isn't to say there won't be pain involved with even a small-scale SSO implementation, but here are some ways to make it work sensibly at a reasonable cost and without overstretching your already thin IT staff.

To pick the right SSO product to meet the needs of your organization, we have to first understand exactly what SSO is and how it works. SSO is a way to log on once with a single user ID and password and have access to multiple applications without logging on to each one. Though traditionally thought of as a user ID and password system, SSO systems now can be adopted for two-factor authentication, such as with smart cards, one-time password (OTP) tokens or even biometrics.

Basically, SSO works by storing the authentication credentials for all applications registered with the SSO system. Instead of logging on to the applications directly, the user is actually logging on to the SSO system, which, in turn, then logs on to the desired application for the user.

SSO can be implemented either as software modules or as a hardware appliance. Software modules have to be customized and implemented on standalone servers, which explains why larger companies go this route. Hardware appliances, while also customizable, aren't as flexible. But what's lost in flexibility is gained in ease of installation and use.

Hardware SSO devices are almost plug-and-play and don't require a lot of customization. That makes them a much better fit for a lightly staffed midmarket company.

More information security tips
Laptop theft easily preventable while on the road

Information security requires organized teams
Here are some things to consider when planning an SSO implementation. First, do a complete inventory of frequently accessed systems that would be candidates for an SSO program. Think about how many users will need access to these systems, which departments they're in and how easy it will be to bring them up to speed on the system.

The key issues in any SSO deployment are planning and implementation. Even at a smaller company, it can take more than a year to roll out an SSO system. The system should be deployed in phases so users get accustomed to it and glitches can be fixed without bringing down your current identity and access management (IAM) infrastructure.

Since SSO is basically an add-on to your existing access management systems, make sure it's compatible with not only your IAM infrastructure, but also your network architecture and directory services. Do you use Active Directory, Lightweight Directory Access Protocol (LDAP) or both? Will it play well with either?

A downside of SSO is that it's a single point of security failure. If the system goes down or user credentials are compromised, the keys to the whole castle are lost. Make sure when installing an SSO product that the product is both secure itself and secure on your network. SSO hardware and software should be on dedicated servers that are hardened.

Another feature to look for in SSO products is centralized management and reporting. A benefit of SSO is that it can provide centralized accounting of user logins and activity. This is vital for compliance with such regulations as the Sarbanes-Oxley and Health Insurance Portability and Accountability acts. These regulations require accounting for user access, and a good SSO system can help greatly in that regard.

Imprivata Inc. offers a good hardware product geared strictly to midmarket companies. Its products are targeted at mostly midmarket companies, municipalities and small government institutions. The SSO product comes as two pizza-boxed servers -- the additional server for failover and redundancy – that can be quickly installed. A Web-based interface for administrators allows applications and users to be easily added to the system. When a password expires and needs to be updated, the product does it automatically behind the scenes for the user.

That isn't
to say there won't be any
pain involved with even a small-scale SSO implementation, but here are some ways to make it work sensibly.

,
Another popular product is v-GO Single Sign-On from Passlogix Inc. The product is easily deployed on a company's existing infrastructure and can use Active Directory, LDAP or a SQL database to store user credentials. The client-side software asks users with an alert box if they want to enroll an application on the system. If the user chooses to enroll the application, all he or she has to do is enter a user ID and password into the alert box. V-GO works with Windows, Java, Unix and Web applications and encrypts credentials with TripleDES or Advanced Encryption Standard. It can even be configured to enforce password policies stronger than those of the applications to which it authenticates.

Other similar products available for midmarket companies include SecureLogin SSO from ActivIdentity Inc. and RSA Access Manager from RSA Security Inc. Both ActivIdentity and RSA are leaders in authentication technology. And all of these products can be adapted for use with smart cards, OTP tokens and biometrics. RSA, for example, is a leader in OTP products.

An interesting SSO product that is a little different is eToken Single Sign-On from Aladdin Knowledge Systems Inc., an antiviral and access management company. The eToken securely stores the authentication credentials for all of the user's applications on a secure USB token. The token is actually a smart card the user plugs into a workstation when he or she needs access. The user has to log on only once to the token to have access to the systems he or she needs. The eToken can be backed up and doesn't require back-end integration. Everything required for SSO is right on the token.

With these products and options, no midmarket company has to be left out of the SSO party. The convenience and security afforded by SSO are within reach.

Joel Dubin, CISSP, is an independent computer security consultant. He is a Microsoft MVP specializing in Web and application security, and is the author of The Little Black Book of Computer Security, available from Amazon.com. He has a regular radio show on computer security on WIIT in Chicago and runs The IT Security Guy blog at www.theitsecurityguy.com.


This was first published in May 2008

Dig deeper on Security and risk management for Small Business

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCompliance

SearchHealthIT

SearchCloudComputing

SearchMobileComputing

SearchDataCenter

Close