Single Sign-On, Multiple Benefits

May 1, 2005 12:00 PM, By Jacqueline Emigh

Physical security professionals once pulled out a shiny metallic “master key” whenever an employee accidentally locked himself out of an office. Today, however, employees are just as likely to lock themselves out of computer systems as physical office spaces — and an information security technology called “single sign-on” (SSO for short) can help.

“People are talking a lot about single sign-on today — even people who don't know much about computer networks,” says Mark Boroditsky, president and CEO of SSO vendor Passlogix.

Organizations that have recently installed SSO systems range from Telhio Credit Union, a financial cooperative based in Columbus, Ohio, to the U.S. Post Office and huge oil conglomerates.

“Single sign-on is a term that is easy for just about everyone to understand,” Boroditsky says. “You sign in with a single password — and then you get access to all your computer-based applications.”

Experts also point to regulatory pressures and cost-containment issues as factors driving single sign-on.

Without single sign-on, employees need to use different passwords for various computer applications — often difficult on a large and complex network.

“Many corporate computer users have eight passwords or more,” says Omar Hussain, senior vice president of product management at Imprivata, another SSO vendor.

In selecting their passwords, users tend to choose terms that are easy for them to remember — but are also a breeze for others to guess.

“They pick the ‘Yankees,’ or their dogs' names, or the maiden names of their wives, for instance,” Hussain says.

People also tend to put passwords in easy-to-find places, where they are likely to be too visible to others — such as on sticky notes.

Before the era of HIPAA and the Sarbanes-Oxley Act, many organizations turned a blind eye to such employee gaffes. But now, with fines from federal regulations looming, information security departments are getting tougher about password security.

Meanwhile, organizations are also discovering that dealing with password issues can be expensive.

According to recent research by Enterprise Management Associates (EMA), password management costs $250 per year, on average, for every computer user in an organization. So, if an agency has 10,000 employees, it is shelling out $2.5 million annually just for assisting staffers who have lost or forgotten their passwords.

The Post Office has rolled out SSO to 150,000 people, who use the system to get easier access to more than 1,000 applications on the agency's computer network.

Centralized password management

But SSO does have one big drawback, and ironically it is the flip side of its biggest strength: centralized password management. A single credential now unlocks everything, so that credential becomes a far more valuable target.

To prevent an attacker who obtains that one password from gaining control of every application behind it, virtually all SSO products also support additional security mechanisms, such as strong encryption and the use of a smart card, biometric or other second factor as a supplemental way of proving identity.

Passlogix, for example, is now working with Schlumberger Information Systems (SIS) on computer sign-on systems that combine SSO and smart cards for large oil and gas drilling companies. One of their mutual customers has 162 geographic sites around the world, Boroditsky says.

Although the rationale behind SSO is easy to grasp, the underlying technology is considerably more complex. To begin with, there is more than one type of SSO. In the technology known as “enterprise single sign-on” (ESSO), a user can access any application with a single password, but only when those applications are running on a single enterprise network.

Conversely, in “Web single sign-on” (WSSO), the applications can be running on different computer networks, but all of the applications must be browser-based.

With ESSO, an organization might need to engage in extensive systems integration to allow newer Windows-based systems to talk back and forth with older mainframe or Unix systems, for instance.

Web-based single sign-on, on the other hand, uses quickly evolving, standards-based software technology known as “Web services” for communications among applications on different computer systems.

WSSO is still most familiar for its use on the Internet, where it might allow a user to move from one company's travel site to another company's airline reservations system with just a couple of clicks of a mouse.

But more and more, WSSO is showing up on internal networks at corporations and government agencies.

Many people confuse single sign-on with a couple of other terms — “provisioning” and “federated identity” — which are related to single sign-on but mean somewhat different things.

“Provisioning” is technology that typically goes hand-in-hand with single sign-on. Essentially, provisioning is the job that enterprise systems administrators perform when setting up users' accounts on computer networks. Traditionally, the account includes a user name and password, as well as access rights to particular applications.

SSO eliminates the need for a separate user name and password for each application. But the access rights set up by the administrator can remain in effect anyway, says Matthew Gardiner, product manager at Computer Associates (CA).

“Federated identity” refers to single sign-on across specified computer systems being operated by multiple enterprises. In federated identity systems, applications are able to stay on the networks where they already “live,” instead of being moved to another network.

Federated identity crops up most among organizations that share some sort of “trading relationship.”

“Instead of becoming unified and centralized, as it is in single sign-on, identity information is confidentially shared, with the (trading partner's) permission,” explains Eric Norlin, vice president at federated identity specialist Ping Identity Corp.

For example, an organization might have an “employee benefits” Web site that features a link to a 401K plan operated by a bank. Under these circumstances, federated identity technology might be used to let the user access information about the 401K plan, even though this information is running on a computer outside of the original organization's enterprise network.

The Federal E-Authentication Initiative will actually revolve around federated identity, Gardiner says.

What else is around the corner for SSO?

In one new trend, organizations are starting to integrate ESSO systems into WSSO and other Web-based computer systems.

NetManage, a company that provides software for Web integration and enablement, has teamed with Tria-Works on a system to provide SSO across both long-time applications running on old IBM AS/400 minicomputers and newer Windows-based applications.

Some of the AS/400 applications being integrated are used for booking hotel reservations, for instance, says Jim Raisio, director of product management for NetManage.

Also on the horizon is integration between SSO and physical access control systems, Boroditsky adds. Under this approach, employees would be able to access all authorized computer applications — as well as designated physical spaces such as offices and parking lots — with just a single smart card and password.

© 2008 Penton Media Inc.
