Aujas US

An IDG Ventures Company

Single Sign-On – Choosing Practical over Paranoid Security

As business processes are automated across an enterprise, the IT landscape becomes complex. Multiple applications and platforms each require their own authentication check before granting access, so users must sign on to many systems, each with a different set of credentials. Accessing systems becomes increasingly complicated and frustrating, and it hampers users' daily work.

Implementing single sign-on (SSO) can significantly simplify system access. SSO provides a unified mechanism for managing user authentication and for applying the business rules that determine user access. Because only one set of credentials is needed to reach multiple systems, SSO improves usability, increases productivity and reduces helpdesk expenses without compromising system security.

SSO also reduces human error, a major contributor to system failures: the user logs in once and gains access to all systems without being prompted to log in again for each one.

Why is SSO relevant?

The need for SSO is driven by several issues enterprises face, including:

  • The difficulty of enforcing strong security and password policies at a central level
  • Multiple helpdesks
  • The need for helpdesks to engage in more value-adding tasks rather than be consumed by resetting users' passwords
  • Management of multiple platforms and application models
  • The risk of unsecured, unauthorized administrative and user accounts

SSO types you need to know

Two of the most important types of SSO are:

Enterprise SSO

Enterprise single sign-on (ESSO) systems are designed to minimize the number of times a user must type an ID and password to sign in to multiple applications. The ESSO agent logs users in automatically and acts as a password filler where automatic login is not possible. Each desktop/laptop is given a token that handles the authentication.

Web SSO

Web SSO provides single sign-on for web-based applications, plus a few supported proprietary, closed-source web applications. It is a browser-based mechanism that gives single sign-on to applications deployed on web servers within a domain.
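To make the browser-based mechanism concrete, the following is an added example (not code from the original post or from Aujas): an identity provider checks the user's single credential once and issues a signed, time-limited ticket in a cookie scoped to the parent domain that the applications share; every relying application then verifies the ticket instead of prompting for a password. The HMAC-SHA256 signing scheme, the `user|issued_at|expires_at` payload, the shared key, the `.example.internal` domain and the user record are all assumptions made for the example.

```python
"""
Minimal web-SSO ticket flow (added example, not the page's own code).

Assumptions, not taken from the page:
  - the IdP and the relying applications share one HMAC key (SSO_KEY);
  - the ticket payload is 'user|issued_at|expires_at';
  - the cookie is scoped to a constructed parent domain shared by the apps.
"""
import base64
import hashlib
import hmac
import time
from typing import Optional

SSO_KEY = b"constructed-demo-key-change-me"   # shared IdP/app key (constructed)
TICKET_TTL = 8 * 3600                         # seconds a ticket stays valid
COOKIE_DOMAIN = ".example.internal"           # parent domain of all apps (constructed)

# Constructed credential store: user -> salted SHA-256 hash.
# Demo only; a real IdP would use a slow KDF such as bcrypt/Argon2.
_SALT = b"demo-salt"
_USERS = {"alice": hashlib.sha256(_SALT + b"correct horse").hexdigest()}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: bytes) -> bytes:
    return hmac.new(SSO_KEY, payload, hashlib.sha256).digest()


def idp_login(user: str, password: str, now: Optional[float] = None) -> Optional[dict]:
    """The one credential check. Returns the cookie to set (as a dict) or None."""
    now = time.time() if now is None else now
    expected = _USERS.get(user)
    given = hashlib.sha256(_SALT + password.encode()).hexdigest()
    if expected is None or not hmac.compare_digest(expected, given):
        return None
    payload = f"{user}|{int(now)}|{int(now) + TICKET_TTL}".encode()
    ticket = _b64(payload) + "." + _b64(_sign(payload))
    # Domain-scoped cookie: the browser sends it to every app under COOKIE_DOMAIN,
    # so none of them needs to prompt for the password again.
    return {"name": "sso_ticket", "value": ticket, "domain": COOKIE_DOMAIN,
            "secure": True, "httponly": True}


def app_verify(ticket: str, now: Optional[float] = None) -> Optional[str]:
    """What each relying application does per request: check the signature,
    then the validity window. Returns the user name, or None (re-auth needed)."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = ticket.split(".", 1)
        payload = _unb64(payload_b64)
        sig = _unb64(sig_b64)
    except (ValueError, TypeError):
        return None                       # malformed ticket
    # Constant-time comparison so a forger cannot learn the MAC byte by byte.
    if not hmac.compare_digest(_sign(payload), sig):
        return None                       # tampered or forged
    user, issued, expires = payload.decode().split("|")
    if not (int(issued) <= now < int(expires)):
        return None                       # expired, or not yet valid (clock skew)
    return user


if __name__ == "__main__":
    cookie = idp_login("alice", "correct horse")
    t = cookie["value"]
    print("hr-app sees :", app_verify(t))    # alice, after the single login
    print("crm-app sees:", app_verify(t))    # alice again, no second prompt
    forged = _b64(b"admin|0|9999999999") + "." + t.split(".", 1)[1]
    print("forged ticket:", app_verify(forged))  # None: signature does not match
```

The ticket is a bearer token: whoever holds the cookie is the user until it expires, which is the concrete form of the "one breach opens every system" objection discussed later in the post. That is why the example marks the cookie Secure and HttpOnly and keeps the lifetime short; strengthening the single credential itself (password policy, a second factor at the IdP) is the other half of the answer.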

The main differences between ESSO and Web SSO approaches are given in the table below.

[Table: SSO comparison (ESSO vs. Web SSO); the table image is not reproduced here]

ESSO can provide tangible benefits to an enterprise through:

  • Enhanced user productivity – users are no longer bogged down by multiple logins and do not have to remember multiple IDs and passwords
  • Improved developer productivity – developers get a common authentication framework and no longer implement authentication per application (authorization remains the application's concern)
  • Simplified IT administration – the administrative burden of managing user accounts is reduced; the degree of simplification depends on the applications, since SSO only deals with authentication
  • Reduced password fatigue from different user name and password combinations
  • Reduced IT costs due to fewer help desk calls about passwords
  • Improved security through a reduced need for users to handle and remember multiple sets of authentication information
  • Reduced time spent re-entering passwords for the same identity
  • Integration with conventional authentication such as the Windows username/password
  • Centralized reporting for compliance adherence (ISO 27001 and similar)

Clearly, SSO is a practical approach to security management in an enterprise. Its detractors point out that once the SSO password is breached, every connected system becomes highly vulnerable. That single credential is a high-value target and must be treated as one. Weighing the pros and cons, however, the benefits of lower maintenance and better usability far outweigh the disadvantages. SSO can even give the single password better protection, with stronger policies (and, where available, a second factor) applied at one point, which is rarely practical when users must remember multiple passwords. SSO is a suitable choice for most enterprises struggling with the burden of managing multiple accesses.

December 7, 2010 | Categories: identity and access management, IT security, Physical Security controls

HIMSS Survey of Security Pros Is Food for Thought

The Healthcare Information and Management Systems Society (HIMSS) in November published the results of a survey focused on key issues surrounding the tools and policies in place to secure electronic patient data at healthcare organizations. Even if your company is not in the healthcare industry, read the results discussed below and consider how they compare to your organization.

The 2010 HIMSS Security Survey included feedback from information technology and security professionals from healthcare provider organizations across the U.S. Here’s an overview of respondents’ input:

Maturity of Environment: Respondents characterized their environment at a middle rate of maturity.

Security Budget: Approximately half of respondents reported that their organization spends three percent or less of its IT budget on information security.

Formal Security Position: Slightly more than half (53%) of respondents reported they have either a CSO/CISO or full-time staff in place to handle their organizations’ security functions.

Risk Analysis: Slightly more than half of respondents (59%) who said that their organization conducts a formal risk analysis reported that this analysis is conducted annually.

Patient Data Access: Surveyed organizations most widely employ user-based and role-based controls to secure electronic patient information.

Management of Security Environment: Nearly all respondents reported that their organization actively works to determine the cause/origin of security breaches. Two thirds reported having a plan in place for responding to threats or incidents related to a security breach.

Security in a Networked Environment: Approximately 85% of respondents reported that their organization shares patient data in an electronic format.

Future Use of Security Technologies: Mobile device encryption, e-mail encryption and single sign-on were most frequently identified by respondents as technologies not presently installed at their organization but planned for future installation.

Patient Identity: Half of respondents indicated that they validate patient identity by both requiring a government/facility-issued ID and checking the ID against information in the master patient index.

Medical Identity Theft: One-third of respondents reported that their organization has had at least one known case of medical identity theft.

December 7, 2010 | Categories: Identity Theft, IT security