Single Sign-on Systems and Implementation, Essay Example

Issues related to access control and securities are paramount in virtually every tyoe of public or private organization, regardless of the size or mission of the organization. Along with physical access to buildings or to secure areas within a given facility, the issue of access to computers, databases, and other IT-related systems requires employers and mangers to implement security measures to ensure that access is limited only to those with proper authorization or credentials. This can lead to a range of issues for employer and employees alike, as the need for different passwords for different systems taxes the memory of employees and the patience of IT departments. With these issues in mind, many organizations are utilizing Single Sign-On (SSO) approaches to access control which allow users to enter a single password or other credential to gain access to a range of systems. While SSO has some obvious advantages, its use can also lead to new security vulnerabilities, making it necessary for SSO systems to be used judiciously. There are a number of different authentication systems that fall under the larger category of SSO; the following paper provides an overview of several types of SSO and examines some of the benefits and potential downsides of implementing these systems.

While there are a number of different types of SSO and a number of ways that authentication can be determined, their most prevalent use is in the context of enterprise. Employees who require access to multiple systems and networks are often faced with the daunting prospect of creating and remembering a variety of different passwords, each used for access to specific services or systems. This approach can underpin a wide range of problems and security issues; among them are problems associated with weak passwords, or with employees using the same password for access to different systems, which ultimately defeats the purpose of requiring different passwords (Villanueva, 2014).  The use of weak or similar passwords can make systems vulnerable to hacking from dictionary attacks , brute force attacks, and other such hacking techniques (Buecker, 2012).

For users who endeavor to use more complex or sophisticated passwords that are less vulnerable to hacking, the very complexity of those passwords can make them difficult to remember. Users who must routinely enter complex passwords may be inclined to write them down or otherwise save and store them for easy and regular retrieval, a habit which can leave the passwords themselves easy to find. This leads to the “password paradox” (Buecker, 2012) wherein strong passwords are required to alleviate the threat of weak passwords while the risks associated with strong passwords must alas be dealt with.

Beyond just the issues related to avoiding weak passwords and remembering string passwords, organizations that do not use SSO systems may face a number of other problems associated with multiple-password security approaches. Regardless of the relative strength or weakness of any specific password, the use of multiple passwords will inevitably lead to employees making requests for IT to remind them of their passwords or reset them if they have been forgotten (Lencioni, 2014). The issue of forgotten passwords can have a ripple effect, as employees who are spending time retrieving forgotten passwords or resetting compromised passwords are using time that could be spent on more productive tasks. The same is true for members of the IT staff, who could be devoting their time to more productive endeavors that retrieving or resetting passwords. The use of multiple passwords across different systems also leads to the possibility of more specific points of vulnerability at the entry-point to each system. Systems that require multiple passwords are also more vulnerable to phishing scams; if employees are conditioned to enter a password only at one point, they may be less likely to inadvertently enter it into a phishing site.

SSO authentication can be achieved using several different approaches. Active Directory (AD) approaches allow users to access a range of systems by entering a single password in a way that is easy for the user. The AD is a system developed by Microsoft that is used in Windows-based environments, and as the name implies, the active directory handles the authentication tasks by checking credentials entered by a user against the systems the user is authorized to use or access (Buecker, 2012). The benefits of AD are that it provides a centralized system of control over all objects in a network and provides a simple and easy system for users (Stewart, n.d.).  Because of the complexity of the communication and configurations tasks associated with AD system however they can be problematic for IT under some conditions.

Lightweight Directory Access Protocol (LDAP) is an industry standard approach to directory services and is commonly used in SSO systems (Huntington, 2014). In the SSO context the LDAP system deploys a database and maintains an identity marker for any user who will have access to any part of the system, and the LDAP database keeps track of which parts of the system each user can access. Users may have different passwords or IDs for different systems and services, and the LDAP database ties the individual identification code for the user to all these different passwords, user names, and other authentication I.D.s. Users enter a single password at the main entry point to the computer system, and that is passé to the LDAP server which checks this single ID against all the authorizations granted to the user. This system can work very well for SSO, but it also requires that databases have up-to-date information I order to ensure appropriate access for authorized users and to avoid allowing unauthorized users to take advantage of outdated identifications and authentications.

In a Kerberos configuration of an SSO authentication system the user enters a combination of a single password and user name. This information is passed along to an authentication server and subsequently to a key distribution center where the identification information of the user name and password is uniquely encrypted and time-stamped for access to a requested network or service. This encrypted information is sent along the network as a Ticket Granting Ticket (TGT) which identifies the user typically for a specified time, at which point the ticket expires. This encryption process offers an additional layer of security to the SSO system. Another means by which security of SSO systems can be enhanced is through the use of smart cards. Smart cards contain chips which hold identification information, and are used with Kerberos-based identification systems. One of the advantages to smart cards is that they alleviate the possibility of multiple-log-ons using the same credentials, and they allow users to use the card instead of entering user names and passwords, while deterring users from allowing anyone else to use their cards. The cards themselves are typically authenticated with a PIN or fingerprint scanner, making it all but impossible for someone else to use the card if it is lost or stolen.

Kerberos-based systems and smart card systems are understandably more expensive ways to implement SSO, through their extra layer of security measures makes them desirable in many situations. According to Microsoft, their proprietary smartcards cost approximately five dollars each, while card readers cost twenty dollars each (technet.microsoft.com, 2014). These costs may be prohibitive for some organizations, but the easy configurability and safety features of these systems makes them attractive to many organizations. Simpler SSO systems may still be vulnerable to security risks associated with users who purposefully or inadvertently share their passwords, but the security features of even the most basis SSO systems can provide valuable protection to networks and computer systems.

References

Bu?cker, A. (2012). Enterprise Single Sign-On design guide. 1st ed. Poughkeepsie, N.Y.: IBM Corp., International Technical Support Organization.

Huntington, G. (2014). SSO and LDAP. [online] Authenticationworld.com. Available at: http://www.authenticationworld.com/Single-Sign-On-Authentication/SSOandLDAP.html [Accessed 15 Aug. 2014].

Lencioni, J. (2014). The Benefits of Single Sign-On (SSO). [online] Webservices.blog.gustavus.edu. Available at: https://webservices.blog.gustavus.edu/2009/09/16/the-benefits-of-single-sign-on-sso/ [Accessed 15 Aug. 2014].

Stewart, J. (2014). Pros and cons of Microsoft Active Directory. [online] Searchwindowsserver.techtarget.com. Available at: http://searchwindowsserver.techtarget.com/tip/Pros-and-cons-of-Microsoft-Active-Directory [Accessed 15 Aug. 2014].

Technet.microsoft.com, (2014). Smart Cards. [online] Available at: http://technet.microsoft.com/en-us/library/dd277362.aspx [Accessed 15 Aug. 2014].

Villanueva, J. (2014). 5 Big Business Benefits of Using SSO (Single Sign-On). [online] Jscape. Available at: http://www.jscape.com/blog/bid/104856/5-Big-Business-Benefits-of-Using-SSO-Single-Sign-On [Accessed 15 Aug. 2014].