Access control mechanisms must exist within an organization that allows users to utilize multiple resources in a secure manner. However, increasing the number of services requiring authentication, necessitates users to remember more sets of usernames and passwords. The users' frequent mismanagement of login credentials has raised vulnerability concerns in multi-authentication systems. Subsequently, a number of access management strategies have been developed to address the security risks of repeated logon requests. One successful implementation, which uses a solitary set of credentials to access multiple resources, is single sign-on (SSO) authentication. Consolidating the number of authentication requests, SSO allows a user to provide his or her credentials once to access multiple applications.
There are numerous benefits to SSO:
- For the end users, it reduces the responsibility of managing multiple sets of usernames and passwords.
- It improves interface usability by decreasing the number of requesting screen prompts. Network managers take comfort with lessening login tasks, as this helps patch the end user vulnerability of improper credential storage.
- It offers improved user management through a single platform for account creation or removal and controlling user rights.
- Additional benefits include the operational costs associated with login-related tech support and the productivity lost from resetting passwords
Web vs. enterprise
There are two types of SSO: Web single sign-on (WSSO) and enterprise single sign-on (ESSO). Both provide a centralized platform for user authentication management and single point of entry for accessing resources. Each approach utilizes a primary trusted system for authorization which grants access to secondary resource systems. Where they differ is in their technological structure.
Implementing WSSO as an authentication framework provides access to Web applications through a single Web portal interface. Typically, a user is required to enter their credentials through an initial login page, or redirected to a login portal after attempting to access a Web resource first. The latter requires code to reside on each Web or application server that redirects initial traffic requests to a security sever.
Behind the scenes, the server or service performing user authentication acts as a proxy for Web application usage, automatically providing the users login credentials required by each Web resource. Several types of WSSO authentication systems exist which use different security protocols. Validating user credentials can be achieved through use of digital certificates, transmitting cookies over SSL/TSL, encrypted tokens with Kerberos or using a Central Authentication Service (CAS).
Designed to leverage the user's desktop sign-on process, ESSO allows one time sign-on for access to an enterprise network environment. After desktop logon, the username and password are sent to a SSO server, which maps credentials from requesting sub-systems to a back-end credential database. User credentials traverse network boundaries, granting access to resources across different domains, virtual local area networks, servers and other enterprise resources which would normally require an additional login. Once authenticated into the network, role based access rights are often assigned to users, which correspond to their function within the organization. The actual client authentication is typically performed by SSO software on the user's desktop or through use of a token.
One common criticism of ESSO is the potential risk of using a single "key to the castle" approach to enterprise access. For this reason, it is important to use strong authentication mechanisms using a multi-factor approach.
Both WSSO and ESSO platforms provide significant improvements in system usability and network administrative management. While WSSO affords the benefit of rapid deployment and reduced cost, ESSO systems provide greater expandability and resource integration. Execution of either technique as a security component requires planning and coordination with the disparate set of platforms used within network's infrastructure. Compatibility evaluation is important to ensure that a WSSO system is supported by the portal infrastructure and an ESSO platform will work with the current desktop environment. Additional issues to consider before instituting an SSO system include compliance standards, login policies, and protocol use. However, their successful implementation can provide an additional defensive layer of security to an organization's network infrastructure.
About the author:
Noah Schiffman is a former black-hat hacker who has spent nearly a quarter century penetrating the defenses of Fortune 500 companies. He has worked as a security consultant specializing in vulnerability assessment, pen testing, cryptography, digital forensics, incident response, and defining corporate security policies and strategies. With degrees in cognitive psychology and mechanical engineering, as well as a doctorate in medicine, he has experience in advanced biometric systems, human factors, physical security, authorization and access technologies, and holds several patents. Currently, Schiffman is the CSO of Orbis, Inc., a defense contractor specializing in providing the Department of Defense (DoD) with technical and consulting services, based in Charleston, S.C.
This was first published in August 2008