Any organization would want to keep its confidential information within its systems. As such, not everyone should be granted access to the computer network, since that would give undue access to people who do not really need the information. One way of managing this is to grant different levels of access based on an employee's need for information within the organization. For this reason, there is a pressing need for access control. This facilitates accountability and responsibility in the use of the organization's facilities and computers.
One effective means of securing the network is through the provision of passwords. A password can be likened to a key that a member of an organization uses to gain access to files, information and other tools and resources needed for the affairs of the organization. In this regard, a person can compose any kind of password. But passwords can be broken and hacked, especially if the number of characters is limited. If the passwords that a person chooses are related to personal information, then such passwords can be guessed by those who are determined to discover them.
From the perspective of network management and maintenance of an IT system, the passwords of users should be changed periodically to mitigate the possibility of hacking and of social engineering. Even if somebody gained access to an old password, they will not be able to use it if passwords are changed periodically. This means that individuals will have a number of passwords over time. Recalling all of these passwords can be quite tedious, especially for those with short-term and long-term memory problems.
A number of attacks can be carried out by hackers and other individuals to pry out the password of an individual. One of these is the dictionary attack, which exploits the structure of what people put into passwords, such as a sequence of numbers, the name of something or a word, by trying entries from a list of likely candidates. Another is the brute force attack, which relies extensively on the power of computers to try every possible combination of characters.
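The two attack styles above are what a password policy is meant to blunt: a dictionary attack succeeds when the password is a word, a name or a sequence, and a brute force attack succeeds when the search space is small. The following is an added example (not part of the original essay) of a policy check written from the defender's side: it rejects passwords that are short, that reduce to a dictionary word once common substitutions and trailing digits are removed, that contain the user's personal details, or that contain a simple sequence, and it reports the size of the space an exhaustive search would have to cover. The wordlist and the personal details are constructed for the example; a real deployment would use a full cracking wordlist.

```python
import string

# Constructed sample wordlist standing in for a real cracking dictionary.
SAMPLE_DICTIONARY = {"password", "welcome", "letmein", "summer", "dragon", "qwerty"}


def personal_terms(first_name, last_name, birth_year):
    """Details an attacker could guess from (name, birth year, two-digit year); constructed input."""
    terms = {first_name.lower(), last_name.lower(), str(birth_year), str(birth_year)[-2:]}
    return {t for t in terms if len(t) >= 2}


def has_sequence(password, run=4):
    """True if the password contains `run` consecutive ascending or descending characters (abcd, 4321)."""
    s = password.lower()
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        diffs = [ord(chunk[j + 1]) - ord(chunk[j]) for j in range(run - 1)]
        if all(d == 1 for d in diffs) or all(d == -1 for d in diffs):
            return True
    return False


def normalise(password):
    """Undo common 'leet' substitutions so that P@ssw0rd is matched against 'password'."""
    table = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s"})
    return password.lower().translate(table)


def brute_force_keyspace(password):
    """Number of candidates an exhaustive search must cover for this length and character mix."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)
    return alphabet ** len(password)


def check_password(password, first_name, last_name, birth_year, min_length=12):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    # Strip leading/trailing digits and punctuation first, then undo substitutions.
    base = normalise(password.strip(string.digits + string.punctuation))
    if base in SAMPLE_DICTIONARY:
        problems.append("dictionary word (after undoing substitutions and trailing digits)")
    for term in personal_terms(first_name, last_name, birth_year):
        if term in password.lower():
            problems.append(f"contains personal detail '{term}'")
    if has_sequence(password):
        problems.append("contains a 4-character ascending or descending sequence")
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1", "Alice1985!xyz", "correct-horse-battery-staple"):
        print(candidate, check_password(candidate, "Alice", "Smith", 1985),
              "keyspace:", brute_force_keyspace(candidate))
```

The keyspace figure is only a ceiling: a dictionary attack never explores it, which is why the policy checks content and not just length.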
Passwords are relatively secure, yet they can still be cracked; even so, passwords remain the first line of defense against intrusion by hackers and other unwanted individuals prying for information for their personal gain. Depending on the organization's systems, a person may have anywhere between 4-10 passwords for use in different online tools and websites. Managing passwords is becoming quite difficult because of their sheer volume. Because of this, a number of websites and other technologies offer a means to consolidate passwords through single sign-on systems. The principle behind this is that a single encrypted password can replace an individual's passwords, no matter how numerous they may be.
Single sign-on (SSO) is part of the access control mechanism of an organization's IT system that allows a person to log in just once and then have access to all of the programs, applications and other software without the need to log on again. The reverse process is called single sign-off: once it is done, none of the software and programs in the computer system is accessible anymore.
There are a number of benefits that can be gleaned from a single sign-on system when it is implemented correctly. The first is preventing the fatigue and stress of keeping too many passwords. When an employee forgets the password of her workstation, she has to undertake several steps to retrieve it, and such activities take a valuable chunk of her working time. Hence, too many passwords contribute to inefficiency and additional administrative burden. If a single sign-on system were established, that additional burden would be done away with and the employee could go on with her usual tasks.
There are also instances where different software and applications in the same computer system prompt for credentials, which entails re-entering usernames and passwords even when they are the same as the ones entered previously. This further contributes to inefficiency and to time lost from activities that matter more.
Single sign-on technologies also support various authentication facilities. When a single sign-on system is used in the organization, it significantly reduces the number of calls from employees who are frantic about their forgotten passwords. If such a strategy works well, the organization can do away with a large IT helpdesk staff because fewer employees will be calling about forgotten passwords.
When the single sign-on system is enforced, security at various levels of the organization, including the entry and exit of users into the system as well as their access, is ensured without the need for users to be prompted again for their passwords. This also makes it easier to track compliance with security clearances and to establish a centralized reporting facility for the whole organization. Most of the time, single sign-on systems use a centralized authentication server which ensures that users only have to enter their usernames and passwords once.
It is also becoming more popular to outsource authentication structures rather than hosting one in-house because of the purpose of scalability. This helps implement an authentication with consistency in the IT infrastructure of the organization.
There are those, however, who believe that a true single sign-on is not possible. Instead, they refer to it as enterprise reduced sign-on. In this case, the single sign-on provides access to most of the programs and resources in the organization, but the problem is that if the single sign-on password is made available to somebody else, the exposure is much greater. A thief will then have access not only to one organizational tool or resource but to the whole gamut of resources available to any member of the organization. This is the main criticism directed against single sign-on architectures. While it certainly makes life easier for most people, it can also potentially increase the information security risk that the organization faces.
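The mechanism described above (a centralized authentication server that issues one session after one login, every application accepting that session, and single sign-off revoking all of it) and the criticism that one credential now unlocks everything can both be seen in a small model. The following is an added example, not code from the essay or from any product it names: a toy authentication server that hashes passwords with PBKDF2, issues an opaque session token, lets applications validate the token instead of asking for a password again, and counts how many applications a single token unlocks before and after sign-off. The user, password and application names are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
import time


class AuthServer:
    """Central authentication server: checks the password once, then issues an opaque session token."""

    def __init__(self, ttl_seconds=3600):
        self._users = {}     # username -> (salt, PBKDF2 hash)
        self._sessions = {}  # token -> (username, expiry)
        self._ttl = ttl_seconds

    @staticmethod
    def _hash(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._hash(salt, password))

    def login(self, username, password):
        """The one login; returns a token that every participating application will accept."""
        record = self._users.get(username)
        if record is None:
            return None
        salt, stored = record
        if not hmac.compare_digest(stored, self._hash(salt, password)):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (username, time.time() + self._ttl)
        return token

    def validate(self, token):
        """Applications call this instead of prompting for a password again."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, expiry = entry
        if time.time() > expiry:
            del self._sessions[token]
            return None
        return username

    def logout(self, token):
        """Single sign-off: one revocation ends access to every application at once."""
        self._sessions.pop(token, None)


class Application:
    """An application that trusts the central server; it never sees the user's password."""

    def __init__(self, name, auth_server, allowed_users):
        self.name = name
        self._auth = auth_server
        self._allowed = set(allowed_users)

    def open(self, token):
        user = self._auth.validate(token)
        if user is None:
            return "denied: not signed in"
        if user not in self._allowed:   # per-application authorization still applies
            return f"denied: {user} has no access to {self.name}"
        return f"{user} opened {self.name}"


def reachable_apps(apps, token):
    """How many applications one token unlocks: the exposure if that token is stolen."""
    return sum(not app.open(token).startswith("denied") for app in apps)


def demo():
    auth = AuthServer()
    auth.register("alice", "correct-horse-battery-staple")   # constructed user
    apps = [Application(n, auth, ["alice"]) for n in ("mail", "payroll", "wiki")]
    apps.append(Application("admin-console", auth, []))      # alice is not authorized here
    token = auth.login("alice", "correct-horse-battery-staple")
    before = reachable_apps(apps, token)   # 3: one login unlocks mail, payroll and wiki
    auth.logout(token)                     # single sign-off
    after = reachable_apps(apps, token)    # 0: the same token now opens nothing
    return before, after


if __name__ == "__main__":
    print(demo())
```

Whoever holds the token gets the same three applications, which is the reduced sign-on criticism in concrete form; the counterpart is that sign-off, expiry and revocation are equally centralized, so a compromised session can be cut off everywhere with one call.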
A discussion of information security is necessary in order to put the issue of single sign-on into perspective. It is also a means of addressing the main criticism directed against single sign-on architectures. In this day and age, where information is considered a very important source of competitiveness, an organization cannot afford to have its confidential information leaked to others who intend to use it for financial and business gain. With the technologies available nowadays, people have to keep a number of usernames and passwords. Some of these they will forget, and there are also times when people with malicious intent take these passwords from them. A large organization dealing with information has a big interest in keeping that information secure.
Since information is now considered as a very important business resource, it follows that organizations are protective of the information system that they have. Organizations have a certain attachment and dependence on their information systems. As they rely on their information systems, it becomes apparent then that there are also those who, armed with technical knowledge and the desire for big and easy money, will stop at nothing just to enter the information systems and gain access to anything that could help them with their malicious plans. In this regard, organizations must invest in information security to ensure that their information systems are intact and free from harm.
Competitiveness, nowadays, is based on the quality and quantity of information available to a business. Compromising the security of the information system would be tantamount to giving away trade secrets to the competition and making them more profitable and competitive. Information security, therefore, is one of the main concerns of the organization and it would be logical to allot budget and finance for hardware, software and human resources related to the establishment and maintenance of a sound and robust information security system. As an organization thinks about the best way to protect its soft assets such as information, it would be best to look at a number of the sources of security risks.
The members of the organization, from top management to mid-level managers and down to the rank and file employees, are exposed to a variety of influences which can compromise the information security of the organization. An employee may entrust her password to her fiancé, a manager may leave a paper with his password on his table where the secretary sees it, a hacker may find a way through the router and into the IT system, and papers scattered about as trash may contain significant information which, in the wrong hands, could wreak havoc on the business. Such havoc may not necessarily be a financial inconvenience, but the inconvenience and embarrassment it causes will be difficult to erase. Besides, it would be tedious to make adjustments to the whole system once the damage has been done.
Any kind of security breach in the organization would be costly. As soon as a virus or malware enters one computer within the network, that single computer will endanger the security of the whole system. In extreme cases, such an attack can even paralyze the operations of the organization.
If an unauthorized person got hold of the password of any employee of the organization, it could also compromise the whole system, because that person could gain access to hundreds of files and even to sensitive information, which could be used to the detriment of the organization. How then can an organization make a decision concerning the implementation of a single sign-on architecture in its information system?
For one, the organization should undertake an audit of its operations and its security risks. By looking at the possible areas of infiltration and security breach, the organization will be able to understand its information security needs. More than that, the organization will also be able to take the necessary precautions to deal with the possible sources of a security breach.
Out of this audit of security risks and possible sources of a security breach in the organization, management can then look at the various options available for mitigating these risks. These options may be related to the information technology system of the organization; in this case, it will have to invest in new hardware and software to deal with the risks. A firewall, whether a packet filtering router or an application gateway, would be a great help. In addition to this, the attitudes of the employees and other members of the organization should be taken into account so as to implement a total plan for the information security of the organization. After all, equipment can only do so much; a lot of responsibility still lies on the shoulders of the people who implement the information security plan of the organization.
After considering the options, the organization should devote a substantial amount of money and resources to enhance the information security system of the organization. This amount then will be used to purchase equipment that will bolster the information security of the organization.
Alongside the upgrade of the hardware and software for information security of the organization, the organization should also invest in its human resources. While the equipment and the software are essential components of the information security framework of the organization, it is extremely important to educate the employees about the strategy of the organization in ensuring the integrity of its information systems. It should be explained clearly to the employees why information security is very important and how they can help in mitigating the security risks.
Important changes should also be made in the policies governing the use of equipment, computers and the surfing of Internet websites. Such changes will help create an organizational culture that is suited to the information security framework of the organization. This will also prepare the workforce for the changes to be made in the hardware and the software of the organization. As this reorientation of the values of the employees occurs, it will certainly contribute to the information security management of the organization.
Information Security Management
Before going back to the discussion on single sign-on architectures, it is important to look more deeply into information security management because this will serve as a framework by which to evaluate the single sign-on architecture. Information security management is an important process in the life of the organization because this is the ongoing efforts to preserve the value of information the organization possesses. It is about ensuring the protection of the media in which the information is contained.
The management of passwords and other pertinent information is part of the information security management system of the organization. While single sign-on architecture can help this, criteria for effective information security management should be arrived at and this will be used in assessing the appropriateness and difficulties of implementing the single sign-on system for the organization.
The information security management system of an organization is able to look at the holes of the information security and crafts strategies that will deal with these holes. The information security management will also have to be balanced with the organization’s need to make computer and network access easy enough for the employees in such a way that it will not interrupt the jobs of the employees. If protecting information security will get in the way of performing the jobs of the employees, then they will lose incentive in following such information security management system.
Ensuring information security is a tedious job and will involve the whole organization. The solution is not just one strategy. Rather, it will be a compendium of a number of strategies and will have to be effectively integrated into the operations of the whole organization until such time that it becomes automatic for all of those within the organization.
The following will be the considerations in arriving at an information security management system, especially in view of the single sign-on architecture.
- The information security management system will be integrated into the total operation of the organization. Policies, rules, and procedures will be made available to every single employee so that they are always reminded of how to protect sensitive information they have access to.
- The IT department of the organization will integrate both hardware and software into the information security management system without disrupting the regular productivity of the employees. The information security system should be as inconspicuous as possible to avoid disruption. On the part of the employees, they should exercise discretion, especially in matters relating to sensitive information in the organization.
- Human resources will conduct periodic training to brief both new and old employees on the value of information security so that they will always practice it whenever they are at work. Periodic evaluation will also be necessary to ensure that the information security precautions are being observed.
- New technology and trends in information security will be looked out for. This includes testing and exploring technologies such as single sign-on architecture, new routers, and software so that the information of the organization will be kept secure and reliable.
Both the management and the employees need to collaborate in implementing this system. Without the support of the employees, the management will find it hard to protect its information and trade secrets. On the other hand, if the employees will not cooperate with management in this area, then they too will be severely affected should the integrity of the information security of the organization fail.
Pros and Cons of Single Sign-on Technology
Single sign-on architecture definitely helps in reducing the number of instances for users in the organization to type in their username and their passwords to gain access to organizational tools and software needed for their work. No matter how insignificant it may seem, they will have a chance to be more efficient at work because of the time savings generated by the single sign-on architecture. Instances of forgotten passwords and phone calls to the IT helpdesk will become less frequent. This means that the organization can become more efficient and can lower the costs associated with IT helpdesks.
The security implication of this ability to sign on only once is fairly obvious. The less frequently a user enters the username and password, the fewer chances someone else has to watch the user and capture that password. This also leaves fewer usernames and passwords to memorize. By using only one single sign-on username and password, an employee can become more efficient and more secure.
The process of authentication also becomes simpler with Single Sign-On (SSO) technology. This is less bothersome and is also useful for terminals with a limited interface and resources. Some SSO technologies can only deal with passwords and usernames; dynamic data could also be handled if these technologies were improved upon, for example by installing an additional server that acts as the circulator distributing the values of dynamic tokens to vendors and service providers.
There are also a number of difficulties that must be considered. For one, significant investment in money, time and resources will be spent in implementing this system. This system will also have to be integrated with the rest of the system for it to work properly.
When the SSO technology shall have been installed, the employees will also have to gather all of their usernames and passwords and will have to input them for the SSO to recognize. The alternative would be to forget about these passwords and the IT helpdesk will have to give out a new set of passwords to the users.
While SSO technology may simplify a complicated process for users, it creates a whole new level of risk in terms of information security. If a user loses his or her password or access key and somebody else finds it, the company's exposure to an information security breach is very serious. Where there is a separate username and password for each application, a person who misplaces one gives a hacker or thief access to only one application or resource. SSO instead gives the hacker broad access to the systems and information of the organization. This represents a big risk that should be assessed before fully implementing an SSO technology for the organization.
Given this level of risk, if SSO is to be implemented there should be a means of putting additional precautions in place on computer systems and on the servers in the network. The level of training among the employees who are computer users will also have to be more intense and strict.
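One of the additional precautions referred to above, and the "dynamic tokens" and "ID tokens" mentioned elsewhere in the essay, can be shown concretely by requiring a second, time-based factor at the single sign-on point, so that a stolen or found password alone no longer unlocks everything. The following is an added example, not code from the essay or from any product it names; it assumes TOTP (RFC 6238, built on HOTP from RFC 4226) as the dynamic-token scheme, which the essay does not specify, and it reuses the RFC's published test secret so the result is reproducible. The `SsoWithSecondFactor` class and its user are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import secrets
import struct


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamically truncated to `digits`."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret, code, at_time, step=30, window=1):
    """Accept the current code or one step either side, to tolerate small clock drift."""
    counter = int(at_time) // step
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


class SsoWithSecondFactor:
    """SSO login that requires both the password and the current dynamic-token code."""

    def __init__(self):
        self._users = {}   # username -> (salt, PBKDF2 hash, TOTP secret)

    @staticmethod
    def _hash(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enrol(self, username, password, totp_secret=None):
        """Store the password hash and the token secret; returns the base32 secret for the user's app."""
        salt = secrets.token_bytes(16)
        totp_secret = totp_secret or secrets.token_bytes(20)
        self._users[username] = (salt, self._hash(salt, password), totp_secret)
        return base64.b32encode(totp_secret).decode()

    def login(self, username, password, code, at_time):
        record = self._users.get(username)
        if record is None:
            return False
        salt, stored, totp_secret = record
        password_ok = hmac.compare_digest(stored, self._hash(salt, password))
        code_ok = verify_totp(totp_secret, code, at_time)
        # Both factors are always evaluated, so a failure does not reveal which one was wrong.
        return password_ok and code_ok


# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"); constructed fixed time.
RFC_TEST_SECRET = b"12345678901234567890"
DEMO_TIME = 59


def demo():
    sso = SsoWithSecondFactor()
    sso.enrol("alice", "correct-horse-battery-staple", RFC_TEST_SECRET)   # constructed user
    good_code = totp(RFC_TEST_SECRET, DEMO_TIME)                            # "287082"
    password_only = sso.login("alice", "correct-horse-battery-staple", "000000", DEMO_TIME)
    both_factors = sso.login("alice", "correct-horse-battery-staple", good_code, DEMO_TIME)
    wrong_password = sso.login("alice", "wrong", good_code, DEMO_TIME)
    return password_only, both_factors, wrong_password


if __name__ == "__main__":
    print(demo())   # (False, True, False)
```

With the second factor in place, the single credential that the essay worries about is no longer sufficient on its own: the found password fails without the current code, and the code fails without the password.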
Examples of Single Sign-On Technologies
Oracle Single Sign-On Suite
The Oracle Single Sign-On Suite has five integral components designed to help users in managing their workstations as well as their usernames and passwords. The components of the Oracle SSO are the Logon Manager, the Authentication Manager, Password Reset, Provisioning Gateway and Kiosk Manager.
Oracle SSO signs on to the applications and computer programs needed by the user without the need to modify anything in the process. This system also eliminates the need for password sharing, because the generated passwords are hidden, strong and randomly selected. With the use of Oracle, even end users can reset Windows passwords, and the organization enjoys the resulting savings.
This SSO technology also has Access Manager and Identity Manager. The former delivers easy navigation and functionality in access control and web SSO; the management of the user's profile is also easily done with this program. The latter, on the other hand, handles compliance monitoring for the creation of systems and the updating of records. The Identity Federation feature allows SSO even across domains. Oracle Internet Directory manages the list of users and other important data or files within the network.
Liberty Single Sign-On Technology
Liberty SSO Technology makes use of the federated identity concept. This concept simply states that organizations already offer a means to manage identities and passwords online and in their respective networks. The problem, however, is that these identity and password management systems do not seem to be linked together. In order to enjoy seamless integration of these systems, it would be necessary to link them together for better password management.
Federated identity ultimately leads to single sign on. Even if one person only has one username and one password for different websites and other applications, the user still has to input this on each of the applications he wants to use. With Liberty Alliance SSO, that will not be necessary anymore and one authentication will be enough. The Liberty Alliance SSO works best with Java’s API and platform.
The Liberty Alliance Project is far from complete and far from being widely accepted. Yet more and more companies are realizing the importance of the ease with which they can manage passwords and minimize calls to the IT helpdesk requesting password resets.
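The federation idea in the two paragraphs above (one organization authenticates the user, and a service in another domain accepts that fact without seeing a password) is easiest to understand from the message that crosses the domain boundary. The following is an added example, not Liberty Alliance code or its actual protocol: Liberty and SAML use XML assertions with public-key signatures, whereas this simplified stand-in signs a JSON assertion with an HMAC key shared between the identity provider and each service provider. It shows what a service provider must check before trusting an assertion: the signature, the issuer, the intended audience and the expiry. All names and the shared key are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """The user's home organization: authenticates once, then issues signed assertions."""

    def __init__(self, issuer, key):
        self.issuer = issuer
        self._key = key
        self._logged_in = set()

    def login(self, username):
        self._logged_in.add(username)   # password verification omitted here; one login, once

    def assertion_for(self, username, audience, at_time=None, ttl=300):
        """Signed statement: 'username is authenticated, for this audience, until exp'."""
        if username not in self._logged_in:
            return None
        now = int(at_time if at_time is not None else time.time())
        claims = {"iss": self.issuer, "sub": username, "aud": audience, "iat": now, "exp": now + ttl}
        payload = _b64(json.dumps(claims, sort_keys=True).encode())
        sig = _b64(hmac.new(self._key, payload.encode(), hashlib.sha256).digest())
        return f"{payload}.{sig}"


class ServiceProvider:
    """A service in another domain: verifies the assertion locally and never sees a password."""

    def __init__(self, name, trusted_issuer, key):
        self.name = name
        self._issuer = trusted_issuer
        self._key = key

    def accept(self, assertion, at_time=None):
        """Return the authenticated username, or None if the assertion must not be trusted."""
        try:
            payload, sig = assertion.split(".")
        except (ValueError, AttributeError):
            return None
        expected = _b64(hmac.new(self._key, payload.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(expected, sig):
            return None   # forged or tampered
        claims = json.loads(_unb64(payload))
        now = int(at_time if at_time is not None else time.time())
        if claims["iss"] != self._issuer or claims["aud"] != self.name or now >= claims["exp"]:
            return None   # wrong issuer, meant for a different service, or expired
        return claims["sub"]


def demo():
    key = b"constructed-shared-key-for-demo"   # constructed; real federations use public-key signatures
    idp = IdentityProvider("idp.example-home.test", key)
    travel = ServiceProvider("travel.partner.test", "idp.example-home.test", key)
    payroll = ServiceProvider("payroll.partner.test", "idp.example-home.test", key)
    idp.login("alice")
    t0 = 1_700_000_000
    a = idp.assertion_for("alice", "travel.partner.test", at_time=t0)
    tampered = a[:-1] + ("A" if a[-1] != "A" else "B")
    return (
        travel.accept(a, at_time=t0),           # "alice": valid, for this service, in time
        payroll.accept(a, at_time=t0),          # None: assertion is bound to the travel service
        travel.accept(a, at_time=t0 + 600),     # None: expired
        travel.accept(tampered, at_time=t0),    # None: signature no longer matches
        idp.assertion_for("bob", "travel.partner.test", at_time=t0),   # None: bob never logged in
    )


if __name__ == "__main__":
    print(demo())
```

The audience check is what keeps one assertion from becoming a universal key: even inside a federation, a statement issued for the travel service is useless at payroll, which limits the damage if an assertion leaks.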
Windows Live ID
Windows Live ID used to be called Microsoft Passport, which was meant to be an SSO technology for various commerce transactions on the Internet. It received a number of criticisms, however. Apparently, Microsoft Passport did not adhere to a number of principles in protecting privacy and identity on the Internet. While Microsoft passport was positioned as a Single Sign-on for every web commerce transaction previously, Windows Live ID is no longer making that claim. It is now being positioned as one of the many SSO technologies available for people who have a lot of web commerce transactions.
Microsoft Passport was also criticized by Deborah Pierce of the Electronic Frontier Foundation because it was meant to give Microsoft control over and use of the customer information it had access to. In addition to this, there were also a number of security issues that made Microsoft Passport less than ideal as an SSO technology of choice.
Windows Live ID is the product of the improvements made to Microsoft Passport. It is a Single Sign on online service made available by Microsoft. With Windows Live ID, a user can log onto a number of websites using only one account. The number of websites being supported by the Windows Live ID, however, tends to be limited to Microsoft sites such as MSN, Xbox Live, .NET messenger service, Hotmail and Zune among others. There are also Microsoft affiliated products using it such as Hoyts and Expedia. To promote the widespread use of Windows Live ID, Microsoft released the Web Authentication SDK to enable developers and web platforms to use Windows Live ID for authentication. This SSO technology also supports OpenID, another SSO provider on the Internet.
Whenever a new user logs on to the Internet and visits websites, particularly those with e-commerce capabilities, they are asked for a username and password over a connection secured by SSL. If the username and password match, a cookie is stored and the transaction proceeds, with the exchanges between the remote and local computers facilitated by the Kerberos protocol. As soon as the user logs out, the cookies are removed.
Imprivata
Imprivata is another SSO technology that engages in automating policy implementation for passwords. It can help create strong passwords that support an organization's information security management. The list of features of Imprivata is rather long, and it can help facilitate single sign-on and secure network authentication. Moreover, biometrics can be included among its features to strengthen security. Smart cards, as well as lifecycle management, are also part of the system, including a centralized monitoring and reporting system. If employees need to use remote access, it can also be done securely. Password changes are also automated for fewer hassles and disruptions on the part of the employees.
Imprivata also supports various authentication methods whether they be ID tokens, passwords, smart cards or biometrics. It also provides monitoring services so that any password changes are listed by the system for tracking and reporting. Such a system would work well for an organization continuously monitoring its information security system.