Single sign-on (SSO) is a form of technology that eases the authentication process for users and IT administrators. Through SSO, a user can enter his or her username and password once for access to
Continue Reading This Article
Enjoy this article as well as all of our content, including E-Guides, news, tips and more.
SSO systems improve security by centralizing authentication on dedicated servers. All authentication credentials must travel through a dedicated SSO server first, which then passes along the specific authentication credential it has stored for an individual user. This centralization is more likely to weed out malicious access than single-factor authentication systems. Additionally, SSO systems usually provide stronger storage of sensitive material, since they are usually protected by corporate firewalls.
SSO is also helpful in documenting the logging and monitoring of user accounts -- i.e. extermination of inactive employee accounts, tracking user activities -- that not only improve organizational security, but are also requirements of the Sarbanes-Oxley Act (SOX).
Although single sign-on can be a huge convenience to users and IT administrators alike, it can also present several risks to enterprise security. If a malicious hacker gains control over a user's SSO credentials, the hacker may be granted access to multiple applications rather than just one, which increases the amount of potential damage. In order to prevent malicious access a thoroughly detailed implementation and deployment procedure is a must, as well as secure transmission and storage of data.
SSO: Implementation and deployment
When preparing for a single sign-on (SSO) implementation, the size of the organization and risk levels of corporate systems need to be considered. It's important for an organization to develop its SSO system based on its unique needs, architecture and infrastructure.
In order to avoid malicious access, it's essential that every aspect of SSO implementation is coupled with an in-depth look at an organization's authorization and access control policies. It's important to ensure current polices are, in fact, protecting sensitive information. A compromised SSO credential coupled with a weak authentication model can result in unauthorized access to a slew of sensitive information.
Administrators also need to be aware of what type of authentication corporate systems need and what directory services the systems are currently using before they begin the implementation process. There must be a firm understanding of where and why SSO is being implemented. Is it for network access, Web access or both? Is it being implemented in hardware, software or both?
Software-based SSO systems are more favorable among large enterprises. These systems, comprised of various functional modules, can be slightly more difficult to configure and require dedicated hardware. Alternatively, a hardware-based implementation requires compatibility with the network architecture, but is much easier to configure, which often makes this type of system more appealing to smaller companies.
Once it is established where and why the organization is implementing SSO, it must be determined which systems will require SSO access. The best way to make this decision is to look at the systems employees most commonly use. By examining employee activity, administrators can determine which systems need access control and what technology is needed for implementation, depending on whether users are accessing applications or network systems.
Lastly, it is important that SSO deployment is planned and comes in stages. If the process isn't carefully handled and something goes wrong, the corporation could risk the simultaneous collapse of its entire access management infrastructure.
EXPLORING AUTHENTICATION METHODS
What is authentication?
ID and password authentication
Biometric authentication devices, systems and implementation
Enterprise single sign-on: Easing the authentication process
PKI and digital certificate authentication and implementation
Security token and smart card authentication
This was first published in November 2008