Single Sign-On: Real World Advice

Messaging is the core of any business. Email and instant messaging are staples in most offices, but, often, they are only two among many applications employees must access daily, each requiring its own unique username and password. All these identities create havoc for employees who have to remember them, as well as fundamental insecurity for the enterprise when employees write passwords down or select passwords that are easy to guess or crack.

Ironically, the need for tighter system security is generally the reason for this explosion of identities. Vandalism, fraud, cyber-crime and espionage, all threats that can reach a system via messaging tools, have never had as much impact on information systems (IS) as they do today. Add in ever-increasing industry and government regulations, and you end up with the need to control access on a wide range of systems and applications.

Today, three general types of single sign-on (SSO) solutions exist to simplify identity and access management: directory and identity consolidation based on Active Directory; enterprise single sign-on (ESSO) for applications that cannot be directly integrated; and password synchronization. SSO solutions reduce the number of passwords employees must remember and use, while minimizing security breaches and satisfying business objectives and security policies. As an example, let’s examine the way Microsoft Exchange interacts with Active Directory for SSO. Prior to the advent of Active Directory, a user logged onto a Windows server with one password, onto another server with another, and onto their messaging platform with a third. With Active Directory, the SSO security protocol, Kerberos, enables one login to the directory, providing secure authentication and authorized access to any other Windows resource within the Active Directory “trusted realm”. This is true SSO—no additional logins are required. This type of SSO is now achievable for many non-Windows platforms and applications, but not all applications and systems can be part of the AD “trusted realm”.

For those non-Windows systems and applications that cannot be integrated into the Active Directory “trusted realm,” ESSO provides the ideal SSO solution for internal business to employee (B2E) environments. The most powerful ESSO offerings strike a perfect balance of security, compliance, and user friendliness. They provide access control by allowing users to identify themselves just once, at the start of a work session.

Finally, in organizations where integration or ESSO are not practical, synchronization of disparate passwords with the Active Directory password enables users to access multiple systems with the same password. While synchronization reduces both help desk costs associated with forgotten passwords and the associated loss of productivity, it does not enable true SSO because users still must log on to each system individually, even though they can use just one password.

Choosing an SSO Solution

SSO is rapidly evolving. The following five best practices will help you choose and implement the best security solution for your enterprise:

  • Integrate fully with all your directories; pull as much as possible into the Active Directory “trusted realm”
  • Strengthen your authentication policy
  • Use robust auditing and reporting tools to prove regulatory compliance
  • Make sure all users are actively involved in the project
  • Use SSO as an entry point for identity and access management projects

A clear determination of the needs of the enterprise and of the various applications and systems to which users log on, together with an accounting of the enterprise’s actual business policies and processes, is also essential to effective SSO implementation. The right solutions will offer many benefits, including increased productivity, lower support costs, enhanced security and an improved ability to satisfy compliance demands.

About David Miles

David Miles has over 23 years of experience in the technology industry. He began his career in software engineering, working on a wide variety of network and communications systems projects. He joined PassGo, a leading provider of access and control applications, in 1992 and was recruited to expand the company’s product portfolio to encompass a wide range of non-mainframe systems. This expansion made PassGo a supplier of truly heterogeneous solutions. David joined Quest Software with the acquisition of PassGo in 2008.