The Access Control/Identity Management products that advertise single sign-on capabilities provide benefits that dramatically enhance a company’s technology infrastructure. These benefits focus on the ability to build a common centralized security infrastructure for the web based assets.
The resulting infrastructure provides a company with: Centralized policy management, Common auditing, Reduced development costs, Common utilities for enforcing timeouts, logoffs, and session management.
Centralized Policy Management
First, Access Control/Identity Management (AC/IM) products provide a centralized control panel used to enforce access control policies. Many times security administrators may not have an easy way to control application access. Utilizing an Access Control/Identity Management (AC/IM) system can provide the enterprise with a centralized policy based system to enforce user access without re-engineering applications.
These centralized policy stores enable security to be enforced quickly and with user level granularity. In addition, most AC/IM will integrate with existing user stores and enable further control over the user while merging Internet rights with network access rights.
These tools extend the capabilities to manage user’s access rights by taking advantage of access control methodologies that base decisions on the user’s role, existing rules, or combinations of the two. These types of controls are a requirement for managing large user populations.
Having the centralized enforcement of a security policy becomes an important asset that reduces time to make changes, allows for more flexibility, and becomes an extensible tool that makes it possible to enforce the enterprise security policies.
Second, auditing is a huge asset for tracking usage and changes to the security controls that are protecting company assets. Knowing who created or changed a policy, and who accessed a resource is information that should be considered critical. Implementing this type of security control provides the logging necessary to track security events. Auditing regulations included in Sarbanes-Oxley require companies to have this resource in place.
These tools provide auditing that can meet the requirements to be compliant with regulations today. In most cases, they come with integrated access to the security logs. Having the logging built in can make the job of reading and comprehending the results easily understood without much expertise. Further, the security logs can be utilized or combined with existing metrics to understand end user usage patterns.
Reduced Development Costs
Reducing development time is a return on investment that many security products have difficulty proving because they compare their costs to the amount of damage an attacker could create. However, in this case calculate how much money would have been spent on developing the logging, creating multiple login screens for each application, and developing a secure way to manage the sessions created by a user login. These are items that are going to be developed, and may need to be re-engineered every time a website grows or adds new functionality. The new common security infrastructure resolves these issues and reduces the costs of items that represent real costs to development.
These tools make use of web server APIs (Application Programming Interface) in the same way. The Access Control/Identity Management products hook to the web servers and then enhance them further with their own APIs. Access Control/Identity Management tools provide standard server side variables that can be read only by server side code. These server side variables can be customized and then provided to any application being protected. Server side variables can be accessed without the need of any database connection by the application, and are considered secure because they are only available to resources inside of the protected enclave of the Access Control/Identity Management software.
Finally, session management, a system wide session logoff, and timeout enforcement are all capabilities that enable web sites to appear as one unified system. It is the appearance of the unified system that allows for single sign-on to take place. Removing the responsibility for sessions from the application layer is the main factor for single sign-on.
A unified security environment allows new timeout values to be enforced uniformly across the enterprise. With the centralized policy management controlling timeouts the guesswork is removed. The timeouts are easily verified by checking the settings of the system and without having to double check deployed code.
These tools enhance the timeout possibilities by differentiating between idle or maximum timeouts. The idle timeouts are in place to protect against a user walking away from their browser and leaving sensitive information displayed. The maximum timeouts will limit the length of any one session and force a user to authenticate once this timeout is reached.
Closing sessions is overlooked but it is a relatively simple control to implement. To fully complete a user session the AC/IM tools include the capabilities to remove sessions from the environment. This is a good practice and should be included in any web application architecture.
Finally, single sign-on generally gets the most press but Access Control/Identity Management applications represent much more in capabilities and will prove their value in many different ways once implemented. By providing centralized policy management, auditing, reducing development costs, and adding utilities to enforce timeouts, logoffs, and session management the system becomes more than single sign-on.
The end results of all of these capabilities are what enable the single sign-on functionality. Without the unified sessions, centralized user management single sign-on cannot be achieved. Unfortunately, it is single sign-on that receives the press and has become a term generally used to refer to an industry that actually provides many other important security capabilities to an enterprise.