Implementing SSO: Myths, Errors and Best Practices

February 8, 2007

In the past decade or so since SSO software came into being, the merchants of doom have been predicting their imminent disappearance in the face of the integration of Kerberos within Windows, the increased Web-enabling of applications, and the development of ADFS and Liberty Alliance.

So many technologies that “would integrate SSO natively, rendering dedicated software null and void”. It is a prediction that the facts constantly contradict: today the SSO market is very far from dying out and is in fact growing extremely rapidly. Each new authentication technology increases the need for SSO software.

Another myth: SSO reduces security levels, because “primary password theft would deliver up the keys to an entire kingdom”, in other words access to all applications. But this is a case of tunnel vision. With only one password to memorize, the user can choose an extremely complex, and therefore very safe, identifier, with no need to remind themselves of it by writing it on a Post-It note stuck to the monitor. What's more, SSO enables and facilitates the implementation of strong authentication methods, which inherently reinforces security levels.

Today, most SSO solutions are activated for the majority of applications via a simple 'drag & drop' action, without any need for scripting or software development work. SSO solutions are also easily deployed on a grand scale: several organizations employing over 100,000 people have already successfully implemented E-SSO.

The two key mistakes to avoid

Not understanding the difference between E-SSO, Web SSO and federated SSO. It is vital to distinguish between internal users, where you have some control over the workstation they are using, and external users who gain access via the Web. E-SSO will be more suitable for the former, providing SSO to all applications (client-server, Web, terminal emulator, etc.). A Web, J2EE or federated SSO tool will be better suited to the latter, adding access control functions to the overall functions of the SSO tool. It is nevertheless important that E-SSO and Web SSO tools can interoperate, notably for nomadic users.

Failure to take real business processes into account. Users' day-to-day business life involves very real needs to delegate to others, manage multiple accounts, share accounts, and so on. In the same way, when it comes to systems administration, the organizational and the technical roles must be completely separated.

Five keys to best practice

Achieve full integration with all the organization's directories. Directories such as Microsoft Active Directory, Sun Java System Directory Server, Novell eDirectory and others are at the heart of user profile management in today's businesses. Clearly, the key is to get the most from these infrastructures and from your existing data by choosing an SSO that natively integrates with them (with no need to duplicate this infrastructure) and that uses and capitalizes on the business groups and profiles that have already been set up.

Strengthen authentication policy. When reinforcing a security system, it is vital to also strengthen its access key. Hence the importance of linking SSO with a program of enhanced password policies: for example, introducing longer passwords, or passwords generated automatically and changed every month. This offers a dual benefit: it relieves the user of the task of managing their own passwords, and at the same time strengthens security. In addition, SSO can act as an excellent support for the deployment of strong authentication technologies, speeding up ROI as a result.

Offer auditing and reporting tools to demonstrate regulatory compliance. Today's major financial and business regulatory frameworks (such as Sarbanes-Oxley, HIPAA and others) require organizations to guarantee a certain level of security in their information systems. To meet these requirements, powerful tools for generating reports (which accounts belong to each application, who has access to what, etc.) and audits (who is connected to which application, at which point in time, etc.) are essential. It is therefore important to choose an SSO tool that does not just cover the Windows login console but also enables detailed, centralized analysis across applications. Third-generation SSO provides a powerful solution in this respect.
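The second and third practices above (password policy enforced by the SSO, and reporting plus auditing of access), as an added example that is not code from the article or from Evidian: a toy enterprise-SSO credential vault in Python. It generates a long random password per application so that the user never handles it, rotates any secret older than 30 days the next time the application is opened, and records every enrolment, rotation, login and refusal so that the reports (which accounts belong to which application, who has access to what) and audits (who connected to what, and when) described above can be produced. The class and function names, the 24-character and 30-day policy values, and the sequence of events in `demo()` are assumptions chosen for illustration.

```python
"""Toy E-SSO credential vault (added illustration, not Evidian's product code)."""
import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Password policy the SSO enforces on the secrets it generates (assumed values).
MIN_LENGTH = 24
MAX_AGE_DAYS = 30
CHAR_CLASSES = [string.ascii_lowercase, string.ascii_uppercase, string.digits, "!#$%&*+-=?@_"]


def meets_policy(pw: str) -> bool:
    """Long enough and containing at least one character from every class."""
    return len(pw) >= MIN_LENGTH and all(any(c in cls for c in pw) for cls in CHAR_CLASSES)


def generate_password(length: int = MIN_LENGTH) -> str:
    """Draw from the OS CSPRNG (secrets, never random.random) until the
    result satisfies the policy; a user never sees or types this value."""
    alphabet = "".join(CHAR_CLASSES)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(pw):
            return pw


@dataclass
class Credential:
    user: str
    app: str
    password: str
    changed: datetime

    def needs_rotation(self, now: datetime) -> bool:
        return now - self.changed >= timedelta(days=MAX_AGE_DAYS)


@dataclass
class Vault:
    creds: dict = field(default_factory=dict)   # (user, app) -> Credential
    audit: list = field(default_factory=list)   # (timestamp, user, app, event)

    def enroll(self, user: str, app: str, now: datetime) -> Credential:
        """Create an application account secret on the user's behalf."""
        cred = Credential(user, app, generate_password(), now)
        self.creds[(user, app)] = cred
        self.audit.append((now, user, app, "enroll"))
        return cred

    def connect(self, user: str, app: str, now: datetime):
        """What the SSO does when the user opens an application: fetch the
        secret, rotate it first if it is stale, and log the access."""
        cred = self.creds.get((user, app))
        if cred is None:
            self.audit.append((now, user, app, "denied"))
            return None
        if cred.needs_rotation(now):
            cred.password = generate_password()
            cred.changed = now
            self.audit.append((now, user, app, "rotate"))
        self.audit.append((now, user, app, "login"))
        return cred.password

    # Reporting: which accounts belong to each application, who has access to what.
    def accounts_by_app(self) -> dict:
        out: dict = {}
        for (user, app) in self.creds:
            out.setdefault(app, []).append(user)
        return {app: sorted(users) for app, users in out.items()}

    def apps_for_user(self, user: str) -> list:
        return sorted(app for (u, app) in self.creds if u == user)

    # Auditing: who connected to which application at which point in time.
    def logins(self, app: str = None, since: datetime = None) -> list:
        return [e for e in self.audit
                if e[3] == "login"
                and (app is None or e[2] == app)
                and (since is None or e[0] >= since)]


def demo() -> Vault:
    """Constructed sequence of events for illustration."""
    t0 = datetime(2007, 2, 8, 9, 0)
    v = Vault()
    v.enroll("alice", "mainframe", t0)
    v.enroll("alice", "crm", t0)
    v.enroll("bob", "crm", t0)
    v.connect("alice", "crm", t0 + timedelta(days=1))    # fresh secret, plain login
    v.connect("carol", "crm", t0 + timedelta(days=2))    # no account: refused and logged
    v.connect("alice", "crm", t0 + timedelta(days=40))   # stale secret: rotated, then login
    return v


if __name__ == "__main__":
    vault = demo()
    print(vault.accounts_by_app())
    for event in vault.audit:
        print(event)
```

In a real E-SSO the vault contents would be encrypted and bound to the directory identity of the user, and the audit trail forwarded to a central store; the in-memory structures here only show which operations and records such a tool needs to support the reporting and auditing requirements above.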

Involve everyone, from the Chief Executive to the users, in the project. Experience shows that the main obstacles encountered when implementing SSO are rarely technical; they are instead linked to the organization or to the personalities involved.

Use SSO as an entry point for, or a way of facilitating, identity and access management (IAM) projects. Starting with an SSO project enables the organization to respond rapidly, and relatively cheaply, to an immediate problem of security, flexibility or regulatory compliance, with rapid ROI, while paving the way for future developments such as provisioning (SSO and provisioning being complementary). Another approach is to put SSO in place after, or in parallel with, a provisioning or strong authentication project, to facilitate its implementation and improve ROI.

Evidian is exhibiting at Infosecurity Europe 2007, Europe's number one dedicated information security event.
