Aujas US

An IDG Ventures Company

Single Sign-On – Choosing Practical over Paranoid Security

As various business processes are automated in enterprises, a complex IT landscape is created. Multiple applications and platforms require different authentication checks before granting user access. Users need to sign on to multiple systems, each involving a different set of credentials. As a result, accessing systems becomes increasingly complicated and frustrating for users and hampers their daily tasks.

Implementing single sign-on (SSO) security functionality can significantly simplify systems access. SSO provides a unified mechanism to manage user authentication and to implement the business rules that determine user access. As only one set of credentials is needed to access multiple systems, SSO improves usability, increases productivity and reduces helpdesk expenses, without compromising system security.

SSO also reduces human error, a major component of systems failure, because the user logs in once and gains access to all systems without being prompted to log in again for each one.

Why is SSO relevant?

The need for SSO is accentuated by several issues enterprises face, including:

  • Enforcing strong security and password policies at a central level
  • Multiple helpdesks
  • Need for helpdesks to engage in more value-adding tasks rather than be consumed by resetting passwords for users
  • Management of multiple platforms and application models
  • Risk of unsecured, unauthorized administrative and user accounts

SSO types you need to know

Two of the most important types of SSO are:

Enterprise SSO

Enterprise single sign-on (ESSO) systems are designed to minimize the number of times a user must type their ID and password to sign into multiple applications. The ESSO automatically logs users in, and acts as a password filler where automatic login is not possible. Each desktop/laptop is given a token that handles the authentication.

Web SSO

Web SSO covers web-based applications and a few supported proprietary, closed-source web applications. It is a browser-based mechanism that provides single sign-on to applications deployed on web servers within a domain.
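As an added illustration of the browser-based mechanism just described (example code written for this page, not Aujas's own or from any product): a central identity provider signs one short-lived ticket after the user has authenticated once, and each web application in the domain verifies the signature, expiry and intended audience instead of prompting for credentials again. The key, application names and user are constructed values.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key shared between the identity provider (IdP) and the
# applications that trust it; in production it would be rotated and protected.
SSO_KEY = b"constructed-demo-key-not-for-production"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_ticket(user: str, apps: list, ttl: int = 300, now=None) -> str:
    """IdP side: the user authenticated once; the ticket names which apps may accept it."""
    now = int(time.time()) if now is None else now
    claims = {"sub": user, "aud": sorted(apps), "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(SSO_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_ticket(ticket: str, app: str, now=None):
    """Relying-app side: return the user name, or None if the ticket must not be accepted."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = ticket.split(".", 1)
        presented = _unb64(sig)
    except ValueError:
        return None  # malformed ticket (binascii.Error is a ValueError)
    expected = hmac.new(SSO_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):
        return None  # tampered, or signed with a key this domain does not trust
    claims = json.loads(_unb64(body))
    if now >= claims["exp"]:
        return None  # expired ticket; the user must authenticate at the IdP again
    if app not in claims["aud"]:
        return None  # ticket was never issued for this application
    return claims["sub"]


if __name__ == "__main__":
    ticket = issue_ticket("alice", ["hr", "payroll"])
    print("hr:", verify_ticket(ticket, "hr"), "| finance:", verify_ticket(ticket, "finance"))
```

The single credential entry at the IdP is what the detractors worry about; the expiry and audience checks limit how far one ticket can be carried if it leaks.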

The main differences between the ESSO and Web SSO approaches are given in the table below.

SSO comparison

ESSO can provide tangible benefits to an enterprise through:

  • Enhanced user productivity – users are no longer bogged down by multiple logins and are not required to remember multiple IDs and passwords
  • Improved developer productivity – developers get a common authentication framework and no longer have to worry about authentication at all
  • Simplified IT administration – the administrative burden of managing user accounts is reduced; the degree of simplification depends on the applications, since SSO only deals with authentication
  • Reduced password fatigue from different user name and password combinations
  • Reduced IT costs due to fewer help desk calls about passwords
  • Improved security through a reduced need for users to handle and remember multiple sets of authentication information
  • Reduced time spent re-entering passwords for the same identity
  • Integration with conventional authentication such as Windows username/password
  • Centralized reporting for compliance with standards such as ISO 27001

Clearly, SSO functionality is a practical approach to security management in an enterprise. Its detractors point out that once a password is breached through SSO, the other systems become highly vulnerable. However, when weighing the pros and cons of the SSO approach, its benefits in the form of less maintenance and increased usability far outweigh the disadvantages. It can even ensure better protection of the single password, with stronger policies in place, which may not be practically possible if there were multiple passwords to remember. SSO can be a suitable choice for most enterprises that are struggling with the burden of managing multiple accesses.

December 7, 2010 | Posted in: identity and access management, IT security, Physical Security controls

Physical Security Controls – Where Are We Lacking?

In a world of increasing security threats, we are attacked on both the physical and logical fronts. Logical damage hits an organization's reputation, goodwill, brand and trust, whereas physical damage at the macro level impacts human lives and the economy. The Mumbai attacks in 2008 (often referred to as 26/11), the London public transit attacks in 2005 (often referred to as 7/7), and of course 9/11, are real-life examples that pointed to deficits in physical security controls.

When we closely examine and measure many current physical security controls, we often identify weaknesses and realize that the controls do not provide the reliability we are looking for. It has become important for an organization to adopt a layered approach when building its physical security controls.

Many physical security controls are reactive in nature, and the responding professionals are often not as skilled as they should be at following a standard operating procedure for a response. To address this, an organization that implements a layered approach to physical security controls makes a real-time response to complex incidents possible, which will probably reduce the risk.

Here’s a macro view of a layered approach:

  • Level 1 – Basic controls in place
  • Level 2 – Converging physical security in a single integrated system with automated standard operating procedures
  • Level 3 – Enable systems on an IP backbone and build strong IT security controls
  • Level 4 – Building KPI framework for physical security controls

With these levels we are building a maturity framework for physical security systems: starting with basic physical security controls, then converging them on a single integrated platform that can be accessed, monitored and have its SOPs enforced through a web interface from any web-enabled IP device. With this web advancement it is important to build an IT security layer around the physical security controls. The result is a true state of convergence of both physical and logical controls.

Benefits to an organization by following this approach typically include:

  • Integration of the current hybrid physical security controls into a single unified framework that enforces procedures on the ground across systems
  • Strong coordination during incident management
  • Compliance with regulatory physical security control requirements
  • An audit trail from the systems that supports forensic investigation in real time
  • Monitoring and improvement of physical security control operations
  • Real-time incident analysis and operational analysis

Attacks are distributed across the enterprise at both the physical and logical level. For security to be effective, it must be organized to react quickly and resolve issues across the enterprise. There is a definite need for systems that enable a rapid response to security breaches and prompt investigation of events. Convergence may be the answer!

November 15, 2010 | Posted in: IT security, Physical Security controls, Risk management