Single Sign-On 101: Beyond the Hype What SSO Can and Can’t Do For Your Business
Outline • Definitions • Business Requirements • SSO Technologies • Authentication Methods • SSO Case Studies Diana Kelley & Ian Poynter
Definition • Single Sign-On • Fantasy • One Password For Everything! • Reality • Most Systems And Applications Already Have Their Own Proprietary Login Functionality • Reduced Logins For Discrete Systems • Corporate Systems • Shared Intranet/Web Applications • Web Logon Aggregators
Business Requirements • Is There A Problem Here? • Mushrooming Passwords • Need For Re-use • “Sticky Note” Password Cache • Unencrypted Text Files On Laptops and PDAs
Business Requirements • Deceptively Intuitive • Reduce Costs • Increase Security • Increase Efficiency • Increase Convenience • My Boss Told Me I Have To
Business Requirements • Be Honest About the Cost / Benefit Analysis • Use Hard Numbers • What Does it Cost to Reset a Password? • How Much Time is Spent Logging into Multiple Systems Each Morning? • What is The Real Cost of Integration? • Will Additional Authentication Methods Need to be Purchased?
Business Requirements • Be Honest About the Cost / Benefit Analysis • Don’t Forget the Ease of Use Factor • Consider Training for Administrators and All Users • QA and Versioning Can Increase TCO
Business Requirements • Think About the Inside and the Outside • Multiple User Populations Can Increase Costs • Tiered Authentication Levels • At a Minimum, Everyone Needs Secure Password Selection Training
Business Risks • Single Point of Failure • Denial of Service / Lack of Availability • Stolen Credentials via Insecure Implementations • Overly Ambitious Projects • Physical and Network • Complicated Procedures • n-factor Authentication • Square Pegs in Round Holes
Business Risks • Failure to Consider the Legacy • OS/390, AS/400, Custom Client/Server Applications, RADIUS • Failure to Consider Regulatory Requirements • Financial Services and GLBA • Health Care and HIPAA • Content Providers and COPPA • International Businesses and the EU Data Protection Directive (DPD)
Authentication Methods • Declaring and Proving Who or What You Are • Sure, Signing on Once, but With What? • Becomes an Even Larger Question with SSO Because More Systems are Involved
Authentication Methods • Have, Know, Are • Tokens, Passwords, Fingerprints • Single-Factor vs. Multi-Factor
Authentication Methods • Passwords • One Time Passwords • Tokens and SmartCards • PKI • Digital / Machine Fingerprints • Biometrics
Authentication Protocols and Technologies • Dial-In Users and Wireless (802.1X) • RADIUS • S/390 Mainframes • RACF, ACF2, CA Top-Secret • Unix • PAMs (Pluggable Authentication Modules) • Windows • GINA, Kerberos, NTLM
SSO Technologies • Traditional Single Sign-On • Password Synchronization • Authentication Platforms • Web Logon Aggregators • NB: Convergence Between Traditional SSO and Authentication Platforms
SSO Technologies • Traditional Single Sign-On • Allows a User to Login Once, Using a Single Authentication Method, to Gain Access to Multiple Hosts and / or Applications • May Also Provide Access Control / Authorization Features • Authorization policies restrict which applications or systems a user has access to • And what the user can and can’t do on these applications and systems
SSO Technologies • Traditional Single Sign-On • Not an Entirely New Concept • Kerberos and “Kerberized” Applications • RADIUS and “Radiized” Applications
Traditional SSO: How It Works • Authenticate Once To Access Many • Login Credentials (ID And Authentication) Usually Stored Locally • Transparently Presented to the System or Application When Needed
Traditional SSO: How It Works • Single Credential for All Systems • Kerberos Model • Multiple Credentials • Required for Most Heterogeneous Environments
Traditional SSO: How It Works • APIs And DLLs • Write the SSO Authentication into Each Application or System (compare to: Radiized) • Or Use Replacement DLLs • Scripts • Pieces of Code on the Client That Manage the Login Procedure to Multiple Systems • Cookies • For Web Applications Only
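The single-credential ("Kerberos model") flow from the preceding slides, as an added example that is not part of the original deck or any of the products it names: the user proves the password once to an authentication server, which then mints a short-lived ticket for each relying system under a secret shared only with that system. The user record, password, service names and per-service keys are constructed; the HMAC-signed ticket stands in for Kerberos's encrypted service ticket, and the password hashing is deliberately simplified.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed user store: (salt, SHA-256(salt || password)). A real deployment
# would use a slow, memory-hard password hash; the simplification keeps the
# example focused on the ticket flow.
USERS = {"alice": ("salt-1", hashlib.sha256(b"salt-1correct horse").hexdigest())}

# Hypothetical per-service secrets shared only between the authentication
# server and that one service, the analogue of a Kerberos service key.
SERVICE_KEYS = {"mail": secrets.token_bytes(32), "hr": secrets.token_bytes(32)}

TICKET_LIFETIME = 300  # seconds a ticket stays valid


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def authenticate(user: str, password: str, now: Optional[float] = None) -> Optional[dict]:
    """Authentication server: check the password once and return a session.

    The session is all the client keeps; the password itself is never cached.
    """
    rec = USERS.get(user)
    if rec is None:
        return None
    salt, expected = rec
    got = hashlib.sha256(salt.encode() + password.encode()).hexdigest()
    if not hmac.compare_digest(got, expected):
        return None
    return {"user": user, "login_at": time.time() if now is None else now}


def issue_ticket(session: dict, service: str, now: Optional[float] = None) -> str:
    """Authentication server: mint a ticket for one named service under that service's key."""
    now = time.time() if now is None else now
    claims = {"user": session["user"], "svc": service, "exp": now + TICKET_LIFETIME}
    payload = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(SERVICE_KEYS[service], payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_ticket(service: str, ticket: str, now: Optional[float] = None) -> Optional[str]:
    """Relying service: accept a ticket only if it was minted for us and is unexpired.

    Returns the authenticated user name, or None when the ticket is rejected.
    """
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = ticket.split(".", 1)
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, TypeError):
        return None  # malformed
    expected = hmac.new(SERVICE_KEYS[service], payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # forged, tampered with, or minted under another service's key
    claims = json.loads(payload)
    if claims.get("svc") != service or claims.get("exp", 0) <= now:
        return None  # wrong audience or expired
    return claims["user"]


if __name__ == "__main__":
    session = authenticate("alice", "correct horse")
    for svc in ("mail", "hr"):
        print(svc, "accepts own ticket:", verify_ticket(svc, issue_ticket(session, svc)))
    print("hr accepts a mail ticket:", verify_ticket("hr", issue_ticket(session, "mail")))
```

What this buys over the scripting and replacement-DLL approaches: the relying systems never receive the password, a ticket minted for one system is rejected by another, and a captured ticket stops working on its own once the lifetime elapses. Carrying the session to the client as a cookie is how the same design maps onto the web-only case.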
Traditional SSO: Pros and Cons • Pros • Very Easy to Use • Reduces Support Costs • Reduces Logon Cycles • Cons • Integration of Legacy Can Be Expensive and Time Consuming • Single Point of Attack • Scripting Solutions Often Lead to Storage of Passwords And IDs on the Client
Traditional SSO: Business Fit • Good Business Fit for • Companies That Want to Simplify the User Experience • Companies That Need to Reduce the Login Cycle
Traditional SSO: Brand Examples • IBM/Tivoli Global Sign-On • Netegrity SiteMinder • RSA ClearTrust (formerly Securant)
SSO Technologies • Password Synchronization • Manage Passwords Across Platforms and Systems • Keeps Same Password So User Only Needs to Remember One • When User Changes Her Password, Synchronization Server Automatically Updates User Password on All Available Systems or in the Central Repository Server
Password Synchronization: How It Works • Distributed • Agents Automatically Reset Passwords on Applications and Systems • Centralized • All Authentication Requests Are Forwarded to a Central Server
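A minimal model of the distributed variant, added here as an illustration rather than taken from the deck or from any of the named products: a sync server pushes a password change to an agent on every target system, and each target keeps its own salted hash. The target names, the policy rule and the unreachable host are constructed. Because the push only reaches the systems that are available at the time, the model also tracks which targets were missed and can report the resulting drift; the channel to each agent necessarily carries the cleartext password and must itself be authenticated and encrypted, which the model does not show.

```python
import hashlib
import secrets
from typing import Dict, List, Tuple


class TargetSystem:
    """Hypothetical target (a Unix host, a mainframe, an application) with its own store.

    Each target keeps its own salt and hash, so the sync server cannot copy
    hashes between systems; it has to deliver the new password to each agent.
    """

    def __init__(self, name: str, available: bool = True) -> None:
        self.name = name
        self.available = available          # simulates reachability of the agent
        self._store: Dict[str, Tuple[str, str]] = {}

    def set_password(self, user: str, password: str) -> None:
        if not self.available:
            raise ConnectionError(f"agent on {self.name} unreachable")
        salt = secrets.token_hex(8)
        self._store[user] = (salt, hashlib.sha256((salt + password).encode()).hexdigest())

    def check_password(self, user: str, password: str) -> bool:
        if user not in self._store:
            return False
        salt, digest = self._store[user]
        return hashlib.sha256((salt + password).encode()).hexdigest() == digest


def password_meets_policy(password: str) -> bool:
    """Constructed central rule, enforced once before the push, so every target
    receives the same password and none is left with a weaker one."""
    return (len(password) >= 12
            and any(c.isdigit() for c in password)
            and any(c.isalpha() for c in password))


class SyncServer:
    """Distributed password synchronization: push a change to every target agent."""

    def __init__(self, targets: List[TargetSystem]) -> None:
        self.targets = targets
        self.pending: Dict[str, List[str]] = {}   # target name -> users not yet synced

    def change_password(self, user: str, new_password: str) -> Dict[str, List[str]]:
        """Apply the change on every reachable target; record the rest as pending."""
        if not password_meets_policy(new_password):
            raise ValueError("new password rejected by central policy")
        result: Dict[str, List[str]] = {"updated": [], "pending": []}
        for target in self.targets:
            try:
                target.set_password(user, new_password)
                result["updated"].append(target.name)
            except ConnectionError:
                # "All available systems" is the operative phrase: an unreachable
                # target silently keeps the old password unless it is tracked.
                self.pending.setdefault(target.name, []).append(user)
                result["pending"].append(target.name)
        return result

    def out_of_sync(self, user: str, password: str) -> List[str]:
        """Help-desk check: which reachable targets do NOT accept the current password?"""
        return [t.name for t in self.targets
                if t.available and not t.check_password(user, password)]


if __name__ == "__main__":
    unix = TargetSystem("unix")
    mainframe = TargetSystem("mainframe", available=False)
    server = SyncServer([unix, mainframe])
    print(server.change_password("alice", "Winter-Is-Coming-2024"))
    mainframe.available = True
    print("drifted:", server.out_of_sync("alice", "Winter-Is-Coming-2024"))
```

Two things the model makes visible that the slide does not: the policy check belongs on the server, before anything is pushed, because the weakest target's rules would otherwise become everyone's rules; and a change that fails on one target is a security state, not just an error, because the user now has two live passwords until the pending entry is cleared.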
Password Synchronization: Pros and Cons • Pros • User Has Only One Password to Remember • Usually Fairly Easy to Implement • Help Desk Can Reset Passwords to All Systems From Single Console • Cons • Does Not Reduce the Number of Logons • Only Supports Password Authentication
Password Synchronization: Business Fit • Good Business Fit for • Companies That Only Use Password Authentication • Companies That Don’t Need to Reduce the Login Cycle
Password Synchronization: Brand Examples • PassGo, InSync (formerly Axent/Symantec) • Courion, Password Courier
SSO Technologies • Authentication Platforms • Provide a Central Point of Management for Multiple Authentication Schemes • Users Authenticate To A Gateway Using Any Combination of Authentication Methods • Smartcards, PKI, Biometrics etc. • Supports Multi-layer Authentication Policies
Authentication Platforms: How It Works • Abstracts the Authentication Layer to an Authentication Gateway • All Users Login to this Gateway • Gateway Determines Level / Type of Authentication that is Required
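An added example of the gateway's decision logic, constructed for this page rather than taken from any vendor's engine, which also puts the earlier "Tiered Authentication Levels" and "Have, Know, Are" slides into code: each resource declares how many distinct factor classes it needs and which classes are mandatory, and the gateway checks the methods already proven in the session against that tier. The resource names, factor labels and the mapping of methods to classes are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable

# Factor classes from the "Have, Know, Are" slide.
KNOW, HAVE, ARE = "know", "have", "are"

# Constructed mapping of concrete methods to the class each one proves.
METHOD_CLASS: Dict[str, str] = {
    "password": KNOW,
    "otp_token": HAVE,
    "smartcard": HAVE,
    "pki_cert": HAVE,
    "fingerprint": ARE,
}


@dataclass(frozen=True)
class Policy:
    """What a resource tier demands of a session."""
    min_classes: int                 # distinct factor classes that must be proven
    required: FrozenSet[str]         # classes that are mandatory regardless of count


# Hypothetical tiers: the intranet takes a password, payroll needs two classes
# one of which is a possession factor, the lab system needs all three.
POLICIES: Dict[str, Policy] = {
    "intranet": Policy(1, frozenset()),
    "payroll": Policy(2, frozenset({HAVE})),
    "lab": Policy(3, frozenset({KNOW, HAVE, ARE})),
}


def proven_classes(methods: Iterable[str]) -> FrozenSet[str]:
    """Collapse methods to classes: a smartcard plus a PKI certificate is still one class."""
    classes = set()
    for m in methods:
        if m not in METHOD_CLASS:
            raise ValueError(f"unknown authentication method: {m}")
        classes.add(METHOD_CLASS[m])
    return frozenset(classes)


def evaluate(resource: str, session_methods: Iterable[str]) -> dict:
    """Gateway decision for one resource given the methods already proven this session.

    Returns whether access is allowed and, if not, what a step-up must add.
    """
    policy = POLICIES[resource]
    have = proven_classes(session_methods)
    missing_required = policy.required - have
    short_by = max(0, policy.min_classes - len(have))
    return {
        "allowed": not missing_required and short_by == 0,
        "missing_required": sorted(missing_required),
        "step_up_classes": short_by,
    }


if __name__ == "__main__":
    for resource, methods in [("intranet", ["password"]),
                              ("payroll", ["password"]),
                              ("payroll", ["smartcard", "pki_cert"]),
                              ("payroll", ["password", "otp_token"])]:
        print(resource, methods, "->", evaluate(resource, methods))
```

The detail worth noting is that the gateway counts factor classes, not methods: two possession factors do not make a second factor, and a session that already holds a password still has to step up with a token or a biometric before it reaches the higher tiers. Because every login passes through this one component, it is also exactly the single point of attack and denial-of-service target the next slide lists.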
Authentication Platforms: Pros and Cons • Pros • Eases Integration With Abstracted Authentication Layer • Support for Most Authentication Factors • Cons • Does Not Reduce Number of Logins, Unless SSO is Embedded in the Authentication Platform • Single Point of Attack / Failure • Denial of Service
Authentication Platforms: Business Fit • Good Business Fit for • Enterprises with Hierarchical, Complex Authentication Requirements • Companies using N-factor Authentication Solutions • Organizations with Regulated Security / Privacy Requirements • Financial Institutions, HealthCare, Government Agencies
Authentication Platforms: Brand Examples • Bionetrix Authentication Server • Novell Modular Authentication Service (NMAS) • ActivCard (formerly Ankari) • Trinity Server with SSO Functionality
SSO Technologies • Web Logon Aggregators • One Login, Access Multiple Sites • User Logs into Aggregator Software or Site at Beginning of Session • All Subsequent Logins to Web Sites Visited Are Handled Transparently
Web Logon Aggregators: How It Works • Credentials Are Cached Either • Locally via Cookies • On Server via State Mechanism • Automatically Presented to Sites as Needed
Web Logon Aggregators: Pros and Cons • Pros • Ease of Use • Streamlines Web Experience • Cons • Web Only • Sites May Need to Opt In • Outsources Trust to 3rd Party • Loss of Control
Web Logon Aggregators: Business Fit • Good Business Fit for • Companies Providing Web Interfaces to Customers or Employees • Home Users Who Want to Streamline Their Web Experience
Web Logon Aggregators: Brand Examples • .NET / Passport • Liberty Alliance (in process) • Yodlee • Account Aggregator