Who hasn't come into the office in the morning, booted up and logged on to a workstation, then logged on to email...
with another user ID and password, and then another application with another user ID and password, and then another, and then thought: Isn't there a better way? For midmarket CIOs, though, the thought goes away when they start to think about the complexities of implementing a single sign-on (SSO) system even on a small scale.
SSO implementations, at first glance, might seem daunting for midsized companies. There are a lot of moving parts to even the simplest SSO deployment: working with diverse systems, installing specialized software or hardware and meshing with the company's existing authentication systems.
|Joel Dubin, CISSP|
To pick the right SSO product to meet the needs of your organization, we have to first understand exactly what SSO is and how it works. SSO is a way to log on once with a single user ID and password and have access to multiple applications without logging on to each one. Though traditionally thought of as a user ID and password system, SSO systems now can be adopted for two-factor authentication, such as with smart cards, one-time password (OTP) tokens or even biometrics.
Basically, SSO works by storing the authentication credentials for all applications registered with the SSO system. Instead of logging on to the applications directly, the user is actually logging on to the SSO system, which, in turn, then logs on to the desired application for the user.
SSO can be implemented either as software modules or as a hardware appliance. Software modules have to be customized and implemented on standalone servers, which explains why larger companies go this route. Hardware appliances, while also customizable, aren't as flexible. But what's lost in flexibility is gained in ease of installation and use.
Hardware SSO devices are almost plug-and-play and don't require a lot of customization. That makes them a much better fit for a lightly staffed midmarket company.
The key issues in any SSO deployment are planning and implementation. Even at a smaller company, it can take more than a year to roll out an SSO system. The system should be deployed in phases so users get accustomed to it and glitches can be fixed without bringing down your current identity and access management (IAM) infrastructure.
Since SSO is basically an add-on to your existing access management systems, make sure it's compatible with not only your IAM infrastructure, but also your network architecture and directory services. Do you use Active Directory, Lightweight Directory Access Protocol (LDAP) or both? Will it play well with either?
A downside of SSO is that it's a single point of security failure. If the system goes down or user credentials are compromised, the keys to the whole castle are lost. Make sure when installing an SSO product that the product is both secure itself and secure on your network. SSO hardware and software should be on dedicated servers that are hardened.
Another feature to look for in SSO products is centralized management and reporting. A benefit of SSO is that it can provide centralized accounting of user logins and activity. This is vital for compliance with such regulations as the Sarbanes-Oxley and Health Insurance Portability and Accountability acts. These regulations require accounting for user access, and a good SSO system can help greatly in that regard.
Imprivata Inc. offers a good hardware product geared strictly to midmarket companies. Its products are targeted at mostly midmarket companies, municipalities and small government institutions. The SSO product comes as two pizza-boxed servers -- the additional server for failover and redundancy – that can be quickly installed. A Web-based interface for administrators allows applications and users to be easily added to the system. When a password expires and needs to be updated, the product does it automatically behind the scenes for the user.
Other similar products available for midmarket companies include SecureLogin SSO from ActivIdentity Inc. and RSA Access Manager from RSA Security Inc. Both ActivIdentity and RSA are leaders in authentication technology. And all of these products can be adapted for use with smart cards, OTP tokens and biometrics. RSA, for example, is a leader in OTP products.
An interesting SSO product that is a little different is eToken Single Sign-On from Aladdin Knowledge Systems Inc., an antiviral and access management company. The eToken securely stores the authentication credentials for all of the user's applications on a secure USB token. The token is actually a smart card the user plugs into a workstation when he or she needs access. The user has to log on only once to the token to have access to the systems he or she needs. The eToken can be backed up and doesn't require back-end integration. Everything required for SSO is right on the token.
With these products and options, no midmarket company has to be left out of the SSO party. The convenience and security afforded by SSO are within reach.
Joel Dubin, CISSP, is an independent computer security consultant. He is a Microsoft MVP specializing in Web and application security, and is the author of The Little Black Book of Computer Security, available from Amazon.com. He has a regular radio show on computer security on WIIT in Chicago and runs The IT Security Guy blog at www.theitsecurityguy.com.