Single Sign On Fact or Fiction - PowerPoint PPT Presentation

Provided by: bgr52

Transcript and Presenter's Notes

Title: Single Sign On Fact or Fiction


1
Single Sign On Fact or Fiction
  • Mark Pullen
  • Enterprise Account Manager

2
The Evolutionary History
Password Sync
Client
Web SSO
Agents
Federation
  • Single Log on

Enterprise
3
Single Sign On is
  • Single Sign On
  • You log in once and get access to all
    applications based on security policy
  • Single Sign On is not...
  • Reduced Sign On
  • Simplified Sign On
  • Log in Event is a Security Process

4
Primary Drivers for SSO
  • Help Desk Cost Reduction: 5
  • Compliance and regulatory requirements: 10
  • Security Concerns (non-compliance related): 31
  • End user satisfaction/password management: 48
  • Other: 4

Source: RSA Webcast, "Is Enterprise Single Sign On Possible", Jan 27th 2005
5
Why End User Satisfaction
  • Typical net user needs at least nine passwords
  • Men store passwords on paper or PC
  • Women use familiar names
  • 30% never change passwords, 29% less than once a
    year
  • 70% have forgotten a password at least once
  • 35% of people use the same password for multiple
    applications
  • 60% of people cycle two passwords across all
    applications

Source: Forrester, "How Consumers Remember Passwords", June 2 2004, Benjamin Ensor
6
Species: Agent Based SSO
  • Unique Features
      • Application Specific Agents
      • Client Server Architecture
      • Heavy Client
      • Customised to each environment
      • Limited Applications
  • For
      • Enabled SSO to key enterprise applications
  • Against
      • Not scalable
      • Required substantial scripting

7
Species: Agent Based SSO
  • When to Use
      • Not recommended
  • ROI Measures
      • - Touch every application
      • - Version control
      • - Development costs

8
Species: Desktop Client Based SSO
  • Unique Features
      • Fat client installed on the desktop
      • Screen Scrape
      • Limited Management
  • For
      • Does not touch applications
      • Enables Reduced Sign-On
  • Against
      • No management
      • Scripting
      • No end user recovery options for forgotten log on
        credential
      • Not scalable

9
Species: Desktop Client Based SSO
  • When to Use
      • Small user base: work group with less than 25
        people
      • Secure Access in an open environment
  • ROI Measures
      • Reduced password costs
      • - Management overhead
      • - User productivity: forgotten credential
      • - Need to touch every desktop
      • - Script maintenance

10
Species: Password Sync
  • Unique Features
      • One unique Password
      • Multiple logons
      • No Desktop Component
  • For
      • Easy to remember one password
      • Central Server
      • Password can be stronger
  • Against
      • Lowest common denominator
      • Keys to the kingdom
      • Many points of entry
      • It's still a password

11
Species: Password Sync
  • When to Use
      • Low number of applications: 2-3
      • Applications are low risk
      • Applications are common to all users
      • Require a very low cost solution
  • ROI Measures
      • Lower password resets
      • Direct integration to the application
      • No desktop management
      • - Does not synchronise user IDs
      • - Higher risk: same password
        strength

12
Species: Web Based SSO
  • Unique Features
      • Web only, not enterprise
      • Multi Domain Web Single Sign-on
      • Incorporates Access Control and Authorisation
      • Includes session management
      • Intranet or Portal
      • Heterogeneous
  • For
      • Ease of management for large user populations
      • Robust security features
      • Granular Access
      • Central Control
  • Against
      • Not enterprise
      • Keys to the Kingdom
      • Most web apps use passwords

13
Species: Web Based SSO
  • When to Use
      • Large user populations
      • Access Control and Authorisation
      • Multiple web applications
      • Web only
      • Workflow
      • Self Service
  • ROI Measures
      • Lower password costs
      • Security
      • Lower Development Costs
      • Centralised Management
      • Self Service

14
Species: Federated SSO, Genetic Drift
  • Unique Features
      • Multi Domain SSO
      • Based on Industry accepted standards (SAML,
        Liberty)
      • Federation works across business boundaries
      • Extensible Framework (Future-proof)
  • For
      • Standards based, Broad Interoperability
      • End user ease
      • ROI
  • Against
      • Integration
      • Trust Models
      • Applications

15
Species: Federated SSO, Genetic Drift
  • When to Use
      • Loosely coupled scenarios
      • Circle of trust exists
      • Communities of interest
      • Eliminate repetitive information entry
      • Vertical Integration
      • Privacy
      • Broker environments
  • ROI Measures
      • Single Authentication
      • Improve process flows
      • Cost effective integration
      • Seamless customer experience

16
Species: Enterprise Client Server Based SSO
  • Unique Features
      • Enterprise Single Sign-on
      • Distributed Architecture
      • Security Policy Management
      • Emergency Access
      • Secure Password Management
      • User Self Service Password Resets
  • For
      • True Single Log On
      • Integration to many applications
      • Off line support, Emergency Access
      • Password Management
      • Multiple Authentication Choices
      • Alternative to Identity Management
  • Against
      • Desktop Client
      • Keys to the Kingdom

17
Species: Enterprise Client Server Based SSO
  • When to Use
      • Enterprise SSO
      • Reduce the number of passwords: user
        satisfaction
      • Reduce password costs
      • Gain control of the security policy
      • Compliance ANZ 17799
      • Avoid Identity Management costs
  • ROI Measures
      • Significantly reduce Password Costs
      • Reduce Audit costs
      • Improve Security
      • User Self Service
      • User Productivity
      • Reduce administration

18
Summary
  • Single Sign On is possible today
  • Balance of Cost, Security and Ease Of Use
  • Security Concerns (non-compliance related): 31
  • End user satisfaction/password management: 48
  • Enterprise SSO is different to Web SSO and should
    be treated as two separate purchases and projects
  • No application modification required
  • Consider Enterprise SSO as an alternative to
    Identity Management projects for smaller
    environments
  • Use Stronger Authentication for targeted users

19
(No Transcript)