
Can single sign-on be simple sign-on?

Imprivata's Esso appliance

Fundamentally, Single Sign On (SSO) is a straightforward idea. A proxy authenticates the user once, and from then on the proxy handles the login idiosyncrasies of each application the user wants to access, on the user's behalf.

Easy to describe, and straightforward to transcribe onto slideware. The devil is, of course, in the detail. For example, how do you know how every one of your enterprise applications manages its login? Does the proxy work that out for you, or do you have to write a login script for each application individually? And if, after deployment, an application decides it wants a password change, is your helpdesk buried by calls from angry users who can't get into the application and do their work?

The other thing we need to realise is that SSO is not an authentication solution in itself: the proxy authenticates to every application on the user's behalf, so the whole arrangement is only as strong as the user's authentication to the proxy, which can be as open or as tightly controlled as you like. The ability to integrate with different authentication technologies, tokens for example, and to accommodate two-factor mechanisms, is therefore a key consideration. An SSO proxy also has to be highly available, because when it fails it locks every user out of every application behind it. Furthermore, the security of the SSO solution itself is a big consideration, as the proxy necessarily holds the login credentials and access rights of every user on the network and is therefore a single, very attractive target.

Implemented appropriately, however, a well-executed SSO solution gives network and security managers a central point for implementing network policies, such as application access rights. This includes the provision of alternative application environments and capabilities to a user depending on the login location and available network bandwidth.

So, it all sounds pretty good, but there is a lot to think about and deal with, which is why SSO projects often turn out a lot more complicated, time consuming and costly than people first envisaged when they embarked on them. Imprivata, however, manufacturer of the OneSign Enterprise Single Sign On (Esso) solution, has set out to simplify the path to the SSO vision with a straightforward, no-nonsense appliance. After talking to the company and to a couple of its customers, we were convinced that the Imprivata approach was different enough to be worth highlighting, so here's a bit more detail.

On set-up, the system can import existing directory information from Active Directory, NetWare Directory Services, and others. From here, it allows a variety of pre-defined security management policies to be set up and targeted at individual users or groups.

An important capability of the system is its ability to learn the authentication behaviour of an application by example, and to store what it learns in an XML profile document, including the application's password change procedure. The basic principle is that the system only needs to see one example of a standard login to capture it into the profile, which is then used for every subsequent access to that same application. If the application's login behaviour changes, the profile is updated automatically, typically without any custom scripting.

This approach can cut down the time to implement the system dramatically, since minimal or no scripting and connector development is required to set up and maintain proxy access to the various applications.

Policy decisions made by the network administrator in the associated management tool then tie users to applications, and at that point the system is ready to use. Given the design, the system can handle subsequent password resets automatically, without the helpdesk having to take a live call.
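To make the learn-by-example idea concrete, here is an added toy version of it in Python. It is not Imprivata's code: the article does not show OneSign's profile format, so the XML schema, the helper names and the two sample login pages (an application as first seen, and a later release that renamed its fields and form action) are all invented for illustration. It captures a login form from one example page into a profile, replays it, and re-learns the profile when the application's form has drifted, which is the behaviour the review describes.

```python
"""Learn a login profile from one example sign-on form and replay it.

Added example, not Imprivata's code. The XML profile schema, helper names
and sample login pages are invented for illustration; the article does not
show OneSign's real profile format.
"""
from html.parser import HTMLParser
import xml.etree.ElementTree as ET

# Constructed sample login pages (not real applications): the app as first
# seen, and a later release that renamed its fields and its form action.
SAMPLE_LOGIN_V1 = (
    '<html><body><form action="/login" method="post">'
    '<input type="text" name="user"><input type="password" name="pass">'
    '<input type="submit" value="Sign in"></form></body></html>'
)
SAMPLE_LOGIN_V2 = (
    '<html><body><form action="/j_security_check" method="post">'
    '<input type="text" name="j_username"><input type="password" name="j_password">'
    '<input type="submit" value="Sign in"></form></body></html>'
)


class _FormExtractor(HTMLParser):
    """Collect every form on the page with its action and its input fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action", ""), "fields": []}
        elif tag == "input" and self._form is not None:
            self._form["fields"].append((a.get("type", "text"), a.get("name")))

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def _login_form(html):
    """Return (action, username_field, password_field) for the first form
    that carries a password input, or None if the page has no login form."""
    p = _FormExtractor()
    p.feed(html)
    for form in p.forms:
        pw = next((n for t, n in form["fields"] if t == "password" and n), None)
        if pw is None:
            continue
        user = next((n for t, n in form["fields"] if t in ("text", "email") and n), None)
        return form["action"], user, pw
    return None


def learn_profile(app, html):
    """Capture the login form seen in one example sign-on as an XML profile."""
    found = _login_form(html)
    if found is None:
        raise ValueError("no login form with a password field on the page")
    action, user, pw = found
    prof = ET.Element("profile", app=app)
    ET.SubElement(prof, "action").text = action
    ET.SubElement(prof, "username").text = user
    ET.SubElement(prof, "password").text = pw
    return ET.tostring(prof, encoding="unicode")


def profile_matches(html, profile_xml):
    """True if the page still presents the form the profile was learned from;
    False means the application changed and the profile must be re-learned."""
    prof = ET.fromstring(profile_xml)
    expected = (prof.find("action").text, prof.find("username").text,
                prof.find("password").text)
    return _login_form(html) == expected


def replay(profile_xml, username, password):
    """Produce the form action and the field values the proxy would submit."""
    prof = ET.fromstring(profile_xml)
    fields = {prof.find("username").text: username,
              prof.find("password").text: password}
    return prof.find("action").text, fields


def sign_on(app, current_html, profile_xml, username, password):
    """Replay the stored profile, re-learning it first if the application's
    login form has drifted. Returns (profile_used, action, fields)."""
    if not profile_matches(current_html, profile_xml):
        profile_xml = learn_profile(app, current_html)
    action, fields = replay(profile_xml, username, password)
    return profile_xml, action, fields
```

Two things the toy makes visible that the description glosses over. First, a profile is only a handful of facts (where to submit, which field is the username, which is the password), so "learning by example" is cheap; the hard part in a real product is the same capture for thick-client and terminal applications, which this HTML-only toy does not attempt. Second, re-learning from whatever page turns up is a trust decision: a look-alike login page would be learned just as readily and the proxy would then submit real credentials to it, so any production implementation needs to gate re-learning on the application's identity (expected host, executable or certificate), a check this example deliberately leaves out.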

In terms of security, user information is held in separate, encrypted areas of the appliance, protecting it from outside attack, and the sign-on traffic between appliance and clients is encrypted as well. With regard to authentication, Imprivata allows the straightforward implementation of two-factor solutions from a variety of popular vendors, with provision for the use of tokens, smartcards, biometrics and so on.

And everything is monitored. Password-related user access events are stored on the appliance, providing an audit trail that can feed a compliance check or any other investigation. Because the proxy sees every sign-on, it can reveal, for example, instances of users sharing credentials that are supposed to be confidential.

All in all, the Imprivata solution hides a lot of essential smarts away in its redundant appliance configuration, providing a good option for mid-sized organisations in particular to implement convenient, secure application access, password management and some important elements of compliance, with additional features that can help considerably with network policy enforcement.

The suitability of the solution for those who can't afford a large and highly specialised security staff is corroborated by the makeup of Imprivata's customer base. At the recent Infosec show, for example, Imprivata hosted a presentation from Gary Bellfield of Tayside Fire and Rescue, typical of the type of user who can benefit from the system: a small staff on a tight public sector budget providing services to a large user community in a critical service.

With so many SSO projects stalling over the past couple of years, or being de-scoped because of time and budget over-runs, it is good to see the industry trying to introduce an element of simplicity into the process. ®
