Single sign-on options for financial services firms


Noah Schiffman, Contributor
08.21.2008


As financial companies adopt new application platforms and add to their network infrastructure, they are faced with balancing usability with security.

Access control mechanisms must exist within an organization that allow users to use multiple resources securely. However, increasing the number of services that require authentication forces users to remember more sets of usernames and passwords. Users' frequent mismanagement of login credentials has raised vulnerability concerns in multi-authentication systems. Consequently, a number of access management strategies have been developed to address the security risks of repeated logon requests. One successful implementation, which uses a single set of credentials to access multiple resources, is single sign-on (SSO) authentication. By consolidating authentication requests, SSO allows a user to provide his or her credentials once to access multiple applications.

There are numerous benefits to SSO:

Web vs. enterprise

There are two types of SSO: Web single sign-on (WSSO) and enterprise single sign-on (ESSO). Both provide a centralized platform for user authentication management and a single point of entry for accessing resources. Each approach uses a primary trusted system for authorization, which grants access to secondary resource systems. Where they differ is in their technological structure.

Implementing WSSO as an authentication framework provides access to Web applications through a single Web portal interface. Typically, a user is required to enter credentials through an initial login page, or is redirected to a login portal after first attempting to access a Web resource. The latter requires code to reside on each Web or application server that redirects initial traffic requests to a security server.

Behind the scenes, the server or service performing user authentication acts as a proxy for Web application usage, automatically providing the user's login credentials required by each Web resource. Several types of WSSO authentication systems exist, using different security protocols. Validating user credentials can be achieved through the use of digital certificates, transmitting cookies over SSL/TLS, encrypted tokens with Kerberos, or a Central Authentication Service (CAS).
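To make the redirect-to-security-server and proxy flow concrete, here is an added example in Python (not code from the original article or from any product it names) of a CAS-style WSSO exchange: the resource server holds no session, so it redirects the browser to the SSO server; after login the SSO server redirects back with a service ticket, which the resource server validates over a back channel before issuing its own session cookie. The hostnames, the user record, the ticket format and the 60-second ticket lifetime are assumptions made for the example.

```python
"""Added example (not from the original article): a minimal Web SSO (WSSO)
redirect-and-ticket flow in the style of CAS. Hosts and users are
constructed placeholders."""
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

SSO_LOGIN_URL = "https://sso.example.invalid/login"   # assumed placeholder host
TICKET_TTL = 60                                       # seconds a service ticket stays valid


def make_user_record(password: str):
    """Salted PBKDF2 hash for the SSO server's own credential store."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SSOServer:
    """Security server: authenticates the user once and issues service tickets."""

    def __init__(self, users, now=time.time):
        self._users = users        # username -> (salt, digest)
        self._tickets = {}         # ticket -> (username, service, expiry)
        self._now = now            # injectable clock so expiry can be tested

    def login_url(self, service):
        return SSO_LOGIN_URL + "?" + urlencode({"service": service})

    def login(self, username, password, service):
        """Return the redirect-back URL carrying a ticket, or None on failure."""
        rec = self._users.get(username)
        if rec is None:
            return None
        salt, digest = rec
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(candidate, digest):
            return None
        ticket = "ST-" + secrets.token_urlsafe(24)   # opaque and unguessable
        self._tickets[ticket] = (username, service, self._now() + TICKET_TTL)
        return service + "?" + urlencode({"ticket": ticket})

    def validate(self, ticket, service):
        """Back-channel check by the resource server: single use, bound to one service, time-limited."""
        rec = self._tickets.pop(ticket, None)        # pop => a replayed ticket fails
        if rec is None:
            return None
        username, bound_service, expiry = rec
        if bound_service != service or self._now() > expiry:
            return None
        return username


class ResourceServer:
    """The code that sits on each Web server and redirects unauthenticated requests to the SSO server."""

    def __init__(self, url, sso):
        self.url = url
        self._sso = sso
        self._sessions = {}        # session cookie value -> username

    def handle(self, cookies=None, query=None):
        """Return ('ok', username, set_cookie) or ('redirect', location, None)."""
        cookies = cookies or {}
        query = query or {}
        sid = cookies.get("SESSION")
        if sid in self._sessions:
            return ("ok", self._sessions[sid], None)
        ticket = query.get("ticket")
        if ticket:
            username = self._sso.validate(ticket, self.url)
            if username:
                sid = secrets.token_urlsafe(24)
                self._sessions[sid] = username
                # In production this cookie is sent only over TLS with Secure and HttpOnly set.
                return ("ok", username, {"SESSION": sid})
        return ("redirect", self._sso.login_url(self.url), None)


def ticket_from(location):
    """Pull the ticket parameter out of the URL the SSO server redirects back to."""
    return parse_qs(urlparse(location).query)["ticket"][0]
```

The three checks in `validate` are what keep the SSO server's proxy role from becoming a liability: a ticket is consumed on first use, is accepted only by the service it was issued for, and dies after a short window, so a ticket captured from a URL or log is of little value to anyone who finds it later.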

Designed to leverage the user's desktop sign-on process, ESSO allows one-time sign-on for access to an enterprise network environment. After desktop logon, the username and password are sent to an SSO server, which maps credentials from requesting sub-systems to a back-end credential database. User credentials traverse network boundaries, granting access to resources across different domains, virtual local area networks, servers and other enterprise resources that would normally require an additional login. Once authenticated to the network, users are often assigned role-based access rights that correspond to their function within the organization. The actual client authentication is typically performed by SSO software on the user's desktop or through the use of a token.

One common criticism of ESSO is the potential risk of its single "key to the castle" approach to enterprise access. For this reason, it is important to use strong, multi-factor authentication mechanisms.
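As an added example (not code from the article or from any ESSO product) of the credential mapping described above together with the multi-factor control the author recommends, the Python below models an ESSO server that checks the desktop password and a TOTP code (RFC 6238) before issuing a session, then releases each application's secondary credential only to users whose role is entitled to it, writing an audit record either way. The role table, user, TOTP seed, application names and stored credentials are all constructed for the example.

```python
"""Added example (not from the original article): an ESSO server that maps a
desktop logon to the secondary credentials each entitled application expects,
and releases them only after a second factor (TOTP, RFC 6238). Roles, users
and credentials are constructed placeholders."""
import hashlib
import hmac
import secrets
import struct
import time

# Constructed role-to-application entitlements (assumed; not from the article).
ROLE_ENTITLEMENTS = {
    "teller": {"core-banking", "email"},
    "analyst": {"email", "risk-model"},
}


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1 with dynamic truncation) for the window containing `at`."""
    counter = struct.pack(">Q", int(at // step))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class ESSOServer:
    def __init__(self, now=time.time):
        self._users = {}      # user -> dict(salt, digest, totp_secret, role)
        self._vault = {}      # (user, app) -> secondary credential for that application
        self._sessions = {}   # session token -> user
        self.audit = []       # (event, user, app) records for the security team
        self._now = now       # injectable clock so the OTP window is reproducible

    def enroll(self, user, password, role, totp_secret):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[user] = {"salt": salt, "digest": digest,
                             "totp_secret": totp_secret, "role": role}

    def store_secondary(self, user, app, credential):
        # A real vault encrypts these at rest; a plain dict keeps the example short.
        self._vault[(user, app)] = credential

    def desktop_logon(self, user, password, otp):
        """Primary authentication plus second factor; returns a session token or None."""
        rec = self._users.get(user)
        if rec is None:
            return None
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 100_000)
        if not hmac.compare_digest(digest, rec["digest"]):
            self.audit.append(("logon_failed", user, None))
            return None
        if not hmac.compare_digest(otp, totp(rec["totp_secret"], self._now())):
            self.audit.append(("otp_failed", user, None))
            return None
        token = secrets.token_urlsafe(24)
        self._sessions[token] = user
        self.audit.append(("logon_ok", user, None))
        return token

    def credentials_for(self, token, app):
        """Release the mapped secondary credential only for an application the user's role is entitled to."""
        user = self._sessions.get(token)
        if user is None:
            return None
        role = self._users[user]["role"]
        if app not in ROLE_ENTITLEMENTS.get(role, set()):
            self.audit.append(("denied", user, app))
            return None
        cred = self._vault.get((user, app))
        if cred is not None:
            self.audit.append(("released", user, app))
        return cred
```

The `audit` list is the detection hook: a burst of `otp_failed` events for one user, or `denied` events for applications outside a user's role, is exactly the signal a monitoring team should alert on when a single primary credential opens many systems.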

Both WSSO and ESSO platforms provide significant improvements in system usability and network administrative management. While WSSO affords the benefit of rapid deployment and reduced cost, ESSO systems provide greater expandability and resource integration. Execution of either technique as a security component requires planning and coordination with the disparate set of platforms used within the network's infrastructure. Compatibility evaluation is important to ensure that a WSSO system is supported by the portal infrastructure and that an ESSO platform will work with the current desktop environment. Additional issues to consider before instituting an SSO system include compliance standards, login policies, and protocol use. However, successful implementation of either can provide an additional defensive layer for an organization's network infrastructure.

About the author:
Noah Schiffman is a former black-hat hacker who has spent nearly a quarter century penetrating the defenses of Fortune 500 companies. He has worked as a security consultant specializing in vulnerability assessment, pen testing, cryptography, digital forensics, incident response, and defining corporate security policies and strategies. With degrees in cognitive psychology and mechanical engineering, as well as a doctorate in medicine, he has experience in advanced biometric systems, human factors, physical security, authorization and access technologies, and holds several patents. Currently, Schiffman is the CSO of Orbis, Inc., a defense contractor specializing in providing the Department of Defense (DoD) with technical and consulting services, based in Charleston, S.C.


All Rights Reserved, Copyright 2008 - 2009, TechTarget