HVL/Nulli Secundus 2001
Designing a Single Sign On Strategy
Guy Huntington, President, HVL
Derek Small, President, Nulli Secundus
The Issue
• Single sign on (SSO) today is a common buzzword and goal for many enterprises
• It’s extremely complex once you peel away the outer layer of strategic desire and look at the system and security implications
• Do you know what to look for when considering your SSO strategy?
Have You Thought About…
• Authentication schemes?
• Identity management?
• Post authentication actions?
• Authorization?
• Post authorization actions?
• System integration?
• Directory strategies?
• Auditing?
• Overall risk?
The Good News Is SSO…
• Provides end user ease of use
• Can reduce or eliminate security lapses between multiple authentication and authorization systems
The Bad News Is SSO…
• Creates a potential single source of primary authentication which, if vulnerable to attack at any point in the process, can provide a malicious or unwanted person with an entrée to your systems
What’s Driving SSO?
• End users can’t handle remembering all the different passwords to access the many systems they deal with daily
• They don’t want to carry in their wallets many separate forms of authentication devices such as loyalty cards, credit cards, smart cards, employee and other forms of ID
It’s a Process, Not a Product
• SSO isn’t something you buy, nor is it just a single password a user has to remember
• SSO is a process made up of many sub-components and system interfaces with some form of business driven security logic driving those components
• It’s only as good as the weakest link in the chain
Islands of Trust
• Most systems within an enterprise weren’t built with common authentication systems in mind
• Therefore, most enterprises have many independent authentication and authorization islands
• There are generally few or no standards for these authentication systems
Different Trust
• Each of these authentication islands uses different approaches to trust
• Some have an all or none approach
– They give you complete or no access to the system/network
Different Approach
• Others tend to use one authentication method and several layers of authorization
– As you drill towards more and more sensitive information it requires higher levels of authorization but still uses the initial authentication
Multiple Layers of Trust
• A few systems use both multiple levels of authentication and authorization
– As you drill towards more sensitive information the levels of both authentication and authorization increase
Key Question
• The core question at the heart of SSO is whether to build bridges between the authentication and authorization islands, reduce the number of islands or keep the islands separate?
Building Bridges
• You have to address:
– Keeping communications secure
– Creating common authentication processes (which may not be easy between disparate authentication systems)
– Synchronizing the systems so they never get out of step
– Accepting levels of trust between systems
– Some form of directory strategy
Reduce Islands
• If you reduce the number of authentication islands, you have to re-engineer systems
• Most likely requires a modern directory strategy
• Takes time, money and effort
• Potentially offers new economies of scale
• Standardize authentication, authorization and auditing security
Separate Islands
• Enforce separate security levels for each system
• This works where the risk is high and end users accept the additional authentication process
• It fails in modern e-business solutions where end users want single sign on and simplicity for authentication
The SSO Onion
• We prefer to view the process of achieving SSO like peeling away the layers of an onion
• Each internal layer is a higher measure of trust all applications will accept with accompanying authentication, authorization and auditing components
• This should be a goal in working with vendors and reengineering your legacy systems
Reality
• The reality is you’re not going to reengineer all your systems over a short period of time just for SSO
• It’s too expensive, time and effort consuming
• So you need to develop some interim solutions that get you on the road towards SSO, provide ease of use for your users and enhance existing security
Where to Start?
• Prioritize your authentication needs
• Consider a directory strategy
• Consider infrastructure tools
• Develop building blocks
• Have a global security strategy
Prioritize Your Needs
• Before you leap to vendors and product solutions, determine the SSO priorities
• What’s the cost/ease of use/risk analysis for achieving SSO for your applications?
Prioritize Your Needs
• Take a look at the current costs for maintaining independent authentication
– A place to look is help desk support required for lost passwords
– Another place to look is the cost in entering and maintaining usernames and passwords between systems
Prioritize Your Needs
• What’s the biggest gripe from your user community re authentication?
• What levels of inconvenience will they accept?
• Do you have current risk analysis for your existing systems?
• What’s the risk analysis if you went to SSO?
Prioritize Your Needs
• Does SSO give you a competitive advantage?
– Would it be perceived by your customers as an advantage over your competition?
• Could you use it to leverage workflow with your business partners and customers coming in via portals or the web?
Directory Strategy
• SSO is very hard to achieve without a directory strategy
• Directories are good for fast lookups like authentication and authorization
Directory Strategy
• Directories operate to global IETF LDAP standards
• They can help integrate authentication, authorization and auditing for the network and back office systems such as ERP, HRIS and data warehouses
• You need some sort of coordinating hub for SSO to work
Directory Strategy
• Even such basic concepts of username and password are hard to coordinate between systems without a directory
• Most systems use different syntax, length, management and storage policies for username and password
Directory Strategy
• A directory is also key in coordinating form, certificate and biometric authentication schemes between your many systems
• It can both store and replicate data to and from the authentication systems
Identity Management
• A big challenge is coordinating the identity knowledge between systems
• How do you synch up the management of identities of potentially millions of customers, thousands of business partners’ employees and thousands of your own employees?
Identity Management
• You need to not only synchronize systems but push secure identity management down to the appropriate level
• This may include end user self service for maintenance of their basic information and password
Coordinating Authentication Schemes
• How are you going to handle different authentication methods for each application?
• Are you starting to deploy form, certificate and biometric authentication?
Coordinating Authentication Schemes
• Are you using or considering SSL/TLS and hashing algorithms to secure authentication?
• How are you going to maintain state between applications given the internet is stateless?
• How are you going to mesh this all together and manage it?
Coordinating Authentication Schemes
• How are you going to recognize different levels of trust between applications?
• Are you going to accept common levels of trust?
• How are you going to handle users from different domains?
• How are you going to handle different authentication timing actions?
Post Authentication
• When a central system authenticates, what are the post authentication actions between it and each of your other islands?
• Are you passing HTTP headers, servlets, applets, or Javascript between them?
• How are you going to handle integration to your portals, data warehouses, NOS’s, directories, ERP, HRIS and other systems?
Authorization
• How are you going to handle authorization?
• Are you going to centralize some of it, while also meshing it with the business and authorization logic in your ERP, HRIS or other systems?
• What authentication and authorization information do you need passed from the SSO central hub that will allow the level of trust to be approved?
Post Authorization
• What happens when an authorization succeeds?
• Do you need to pass attributes in HTTP headers or launch applets, servlets, etc?
• What if authorization fails? What happens to the user and in your auditing between systems?
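The hub-to-island handoff and layered authorization discussed in the Different Approach, Multiple Layers of Trust, Post Authentication and Authorization slides, as an added Python example that is not from the original deck or from any vendor it names. The HMAC-signed header format, the shared key, the trust levels assigned to the form/certificate/biometric schemes, the resource sensitivity table and the audit record shape are all assumptions constructed for illustration.

```python
import hmac, hashlib, json, base64

# Constructed example: key shared between the SSO hub and one island (assumption).
HUB_KEY = b"example-shared-secret-not-for-production"
# The deck's three authentication schemes ranked as trust levels (assumption).
AUTH_LEVEL = {"form": 1, "certificate": 2, "biometric": 3}
# Resource sensitivity -> minimum authentication level (constructed policy).
RESOURCE_LEVEL = {"/portal/home": 1, "/hr/payroll": 2, "/finance/wire": 3}

def hub_issue(user, scheme, audience, now, ttl=900):
    """Hub: build the post-authentication assertion carried in an HTTP header."""
    claims = {"sub": user, "lvl": AUTH_LEVEL[scheme], "aud": audience,
              "iat": now, "exp": now + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(HUB_KEY, body, hashlib.sha256).digest()
    return (body + b"." + base64.urlsafe_b64encode(sig)).decode()

def island_verify(header, audience, now):
    """Island: trust the header only if the hub signed it for us and it is fresh."""
    try:
        body, sig = header.encode().split(b".", 1)
        expected = hmac.new(HUB_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(base64.urlsafe_b64decode(sig), expected):
            return None                      # tampered or not from the hub
        claims = json.loads(base64.urlsafe_b64decode(body))
    except ValueError:                       # malformed header
        return None
    if claims.get("aud") != audience:        # issued for a different island
        return None
    if not claims.get("iat", 0) <= now < claims.get("exp", 0):
        return None                          # authentication timing: expired
    return claims

def authorize(claims, resource):
    """Return 'allow', 'step-up' (re-authenticate at a higher level) or 'deny'."""
    if claims is None or resource not in RESOURCE_LEVEL:
        return "deny"
    return "allow" if claims["lvl"] >= RESOURCE_LEVEL[resource] else "step-up"

def request(header, resource, audience, now, audit):
    """One island request: verify, authorize, and record the decision for auditing."""
    claims = island_verify(header, audience, now)
    decision = authorize(claims, resource)
    audit.append({"t": now, "sub": claims["sub"] if claims else None,
                  "res": resource, "decision": decision})
    return decision
```

Drilling from the portal into payroll with a form-based session yields "step-up" rather than a flat denial, which is the layered model the deck describes; a header replayed against another island or after expiry is rejected before any authorization runs.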
Auditing Systems
• How do you presently audit events?
• Is it granular enough?
• How are you going to synch up different auditing systems and events from the firewalls, NOS’s, ERP, HRIS, data warehouses and other systems?
Scaling Systems
• How are you going to scale SSO within your enterprise? Between you and your business partners? With your customers?
• How do you scale and coordinate the identity management, authentication, authorization and auditing systems on a local, regional, continental and global scale?
Consider New Tools
• Having directories is not enough
• You must synch up the disparate identity, authentication, authorization and auditing systems with something that is secure, scalable and manageable
• This isn’t easy to do on your own
• E-Business infrastructure tools from companies such as Oblix, Netegrity, Entrust, IBM/Tivoli are essential
Oblix NetPoint
• In our practice we use Oblix NetPoint
• Manages the identity piece with delegatable administration down to the end user if desired
• Coordinates different authentication, authorization and auditing required at different levels of resource and identity granularity
Oblix NetPoint
• Delegate policy administration
• Scales quickly and securely using different forms of authentication, encryption, web and directory servers
SSO is Not a Panacea
• SSO is a process that needs to be very carefully thought out before embarking down the vendor and product solution road
• The process needs continual review, testing and monitoring to ensure integrity
• It requires standards and well thought out work-arounds between disparate systems
I’d Like to Learn More …
Guy Huntington, HVL:
• [email protected]
• www.hvl.net
• 604-921-6797
Derek Small, Nulli Secundus:
• [email protected]
• www.nulli.com
• 403-270-0657