Single Sign-on: Myth Or Reality - NIST Computer Security

Single Sign-On: Myth or Reality
Thomas R. Peltier, CISSP
Driving eBusiness Performance (SM)

Abstract

As enterprise computing becomes more and more complex, with business systems installed across multiple platforms, from mainframe to client-server to PC, the need for a secure way to provide users with a single authentication point becomes more and more important. There are a number of methods and products on the market today which provide some form of single sign-on, and each has advantages and risks.

This session will examine what you will need to do to prepare for single sign-on. We will also identify a set of functional requirements for a single sign-on methodology, so that attendees will be better able to compare the products available.

8/1/00 Copyright 2000 Netigy Corporation. All Rights Reserved (slide 2)

Objectives

At the conclusion of this workshop, attendees will:
– understand the current push for single sign-on
– be able to identify what their organization must do to prepare for SSO
– have an understanding of what industry experts look for in SSO products
– understand the basic principles of cryptography

Objectives

At the conclusion of this workshop, attendees will:
– be able to identify the current SSO players
– be able to identify current SSO products and where to obtain additional information
– understand current problems with SSO implementation

Format

This workshop has been developed for you. Please feel free to:
– ask questions
– offer advice
– provide observations
– participate

Agenda

Introduction
Overview
Requirements
Single Sign-on Basics
Single Sign-on Views

Agenda

Elements of Single Sign-on
Cryptography
Standards Based Solutions
Problems and Solutions
References

Introduction

Single sign-on (SSO) has generally been used as an umbrella term for the consolidation of platform-based administration, authentication and authorization functions.

Can the vendor industry support a true single sign-on process?

Due to the number of varied platforms and applications, it is unlikely and in some cases impossible.

Introduction

This fact - that SSO is a misnomer - has contributed (according to Gartner) to the failure of the sector to achieve rapid growth, despite widespread recognition of the "too many IDs and passwords" problem.

Introduction

Historically, each system vendor provided an authentication mechanism based upon its own system requirements, which was adequate when users only needed to authenticate to one system.

Today, in a heterogeneous computing environment, vendors face a dilemma . . . how to provide single logon to their user community.

[Figure (slide 11): "Fortress" computing in the computer room; unresponsiveness leads to remote access computing]

Overview

Users and administrators are greatly affected by the problem.

Users who need to remember more than one id/password pair often use known, insecure practices like:
– writing down passwords
– using one password for all accesses
– using a simple password

Overview

Administrators face the nightmare of maintaining consistency and security for their varied user community across multiple platforms and policies.

Overview

The dilemma with Single Sign-on (SSO) is that simple statements hide complex situations.

What is implied but not stated by SSO is that providing a single logon involves a relationship to several security features/mechanisms aside from authentication:
– access control
– security policy (trust)
– encryption
– key distribution

Overview

Enterprise systems by definition are diverse. They consist of different operating systems, networks and utilities.

Enterprise environments with local authentication consist of some combination of:
– local authentication,
– remote access authorization,
– network authentication, and
– application authentication.

ISO Open Systems Interconnection (OSI) Model vs. TCP/IP Network Components

  OSI layer          TCP/IP component
  7 Application      Application Protocols
  6 Presentation     Application Protocols
  5 Session          Application Protocols
  4 Transport        Transmission Control Protocol (TCP) / User Datagram Protocol (UDP)
  3 Network          Internet Protocol (IP)
  2 Data Link        Network Interface Protocol (Ethernet, Token Ring, Arcnet, etc.)
  1 Physical         Network Interface Protocol (Ethernet, Token Ring, Arcnet, etc.)

Overview

In an environment where local authentication and network authentication are provided by different systems with different implementations and administrative policies, it is very difficult to establish confidence and consistency in the authentication of users.

Overview

Most vendors provide a local authentication mechanism which is specific to operating systems. Yet even within an operating system like UNIX, there is variability in the implementation of authentication.

[Figure (slide 18): platform boxes labelled UNIX, Novell, NT, MVS]

Requirements

Fundamentally, enterprises need to protect their computer resources from unauthorized access.

Enterprise resources consist of independent sets of (possibly individually) managed computer resources.

Requirements

One of the resources of an enterprise is its user community.

Defining how a user is identified in the environment of multiple systems requires an abstraction on the notion of identity.

To be successful, the SSO must have a common understanding of the user identity across all platforms.

Requirements

Requirement #1 - Identity
– A common definition of what constitutes a user identity. The identity must be part of a naming convention which is complete, unambiguous and secure. It must be consistent between the authentication and authorization models.

While each enterprise manages policy at a high level, there is often a requirement for each system to influence the management of its resources on a "host" level.

Requirements

Requirement #2 - Authentication
– A need to allow host systems to be able to "constrain" the set of users allowed access to the host.

Requirement #3 - Host Authorization
– A need to allow host systems to be able to specify granularity based on device requirements.

There are inherent contradictions in this set of needs. By definition each computer system understands "users" relative to its own mechanisms. Each system trusts its own mechanisms and distrusts anything outside its perimeter.

Requirements

Requirement #4 - Authentication
– Need to identify a mechanism by which an authentication mechanism can negotiate an authentication sequence on behalf of the user.

Requirement #5 - Authorization
– Need to define a common understanding of trust associated with an authentication sequence.

Once authentication has been established, SSO then needs to define how local and remote resources should be accessed by users, both native and remote, based on this abstract notion of identity.

Requirements

Requirement #6
– Need to define the relationship between authentication and authorization.

Authentication - an ability to identify who an individual or system actually is.

Authorization - a process to allow authenticated programs, users or systems to access information processing resources available through systems and applications.

Requirements

Solving the single sign-on problem then involves:
– Requirement #1 - common definition of what constitutes a user identity.
– Requirement #2 - Need to allow host systems to be able to "constrain" the set of users allowed access to the host.
– Requirement #3 - Need to allow host systems to specify granularity based on device.

Requirements

Solving the single sign-on problem then involves:
– Requirement #4 - Need to identify a mechanism by which an authentication mechanism can negotiate an authentication sequence on behalf of a user.
– Requirement #5 - Need to define a common understanding of trust associated with an authentication sequence.
– Requirement #6 - Need to define the relationship between authentication and authorization.

Requirements

Three of these requirements involve the definition of a security policy for a security domain.
– Requirement #1 - common definition of what constitutes a user identity.
– Requirement #5 - need to define a common understanding of trust associated with an authentication sequence.
– Requirement #6 - need to define the relationship between authentication and authorization.
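The six requirements above fit together in one short flow, shown here as an added Python model that is not part of the original slides and not any vendor's product. The assumptions are the author's own: a "realm/user" naming convention stands in for the common identity definition (#1), a PBKDF2-hashed directory and an HMAC-signed assertion stand in for the authentication sequence that the SSO service runs on the user's behalf (#4), a key shared between the SSO service and the hosts stands in for the common understanding of trust (#5), and a `Host` class keeps its own allowed-user set (#2) and per-resource ACL (#3), so that verifying who the caller is and deciding what they may do are two separate steps (#6). All users, passwords and keys are constructed example values.

```python
import hashlib
import hmac
import json
import time

# Constructed example values. The key is shared between the SSO service and
# every host that trusts it (requirement #5). A real deployment would use
# per-host keys or a public-key signature rather than one shared secret.
TRUST_KEY = b"constructed-sso-trust-key-not-for-production"
ASSERTION_TTL = 300  # seconds an assertion remains valid
PBKDF2_ROUNDS = 100_000


def canonical_identity(realm, user):
    """Requirement #1: one complete, unambiguous identity across platforms.
    Local names collide between systems ("root" on UNIX, "ADMIN" on MVS), so the
    identity is qualified by its realm and case-folded ("Alice" == "alice")."""
    return f"{realm.lower()}/{user.lower()}"


def make_directory():
    """Constructed user directory: identity -> (salt, PBKDF2 password hash)."""
    salt = b"constructed-salt"
    passwords = {"corp/alice": "correct horse battery staple", "corp/bob": "hunter2"}
    return {ident: (salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS))
            for ident, pw in passwords.items()}


def authenticate(realm, user, password, directory, now=None):
    """Requirement #4: the SSO service runs the authentication sequence once, on
    the user's behalf, and returns a signed assertion that hosts can verify
    without ever seeing the password. Returns None when authentication fails."""
    identity = canonical_identity(realm, user)
    stored = directory.get(identity)
    if stored is None:
        return None
    salt, digest = stored
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    if not hmac.compare_digest(candidate, digest):
        return None
    now = int(time.time() if now is None else now)
    payload = {"sub": identity, "iat": now, "exp": now + ASSERTION_TTL}
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(TRUST_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"  # hex tag never contains ".", so rpartition splits it off


class Host:
    """A platform that accepts SSO assertions but keeps its own local policy."""

    def __init__(self, name, allowed_users, acl):
        self.name = name
        # Requirement #2: the host constrains which authenticated users it admits at all.
        self.allowed_users = set(allowed_users)
        # Requirement #3: host-level granularity, here {resource: {identity: {actions}}}.
        self.acl = acl

    def verify_assertion(self, assertion, now=None):
        """Authentication step: check the trust tag and expiry; return identity or None."""
        if not assertion:
            return None
        body, _, tag = assertion.rpartition(".")
        expected = hmac.new(TRUST_KEY, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return None  # forged or tampered assertion
        payload = json.loads(body)
        now = int(time.time() if now is None else now)
        if now >= payload["exp"]:
            return None  # expired assertion
        return payload["sub"]

    def access(self, assertion, resource, action, now=None):
        """Requirement #6: authentication says who the caller is; authorization,
        decided separately by the host, says what they may do. Returns (allowed, reason)."""
        identity = self.verify_assertion(assertion, now)
        if identity is None:
            return False, "authentication failed: missing, forged or expired assertion"
        if identity not in self.allowed_users:
            return False, f"{identity} is authenticated but not permitted on {self.name}"
        if action not in self.acl.get(resource, {}).get(identity, set()):
            return False, f"{identity} may not {action} {resource} on {self.name}"
        return True, f"{identity} may {action} {resource} on {self.name}"


def demo():
    """Walk the flow with constructed users and one constrained host; return the decisions."""
    directory = make_directory()
    alice = authenticate("corp", "Alice", "correct horse battery staple", directory, now=1000)
    bob = authenticate("corp", "bob", "hunter2", directory, now=1000)
    payroll = Host("payroll-mvs", allowed_users={"corp/alice"},
                   acl={"ledger": {"corp/alice": {"read"}}})
    return {
        "bad_password": authenticate("corp", "alice", "wrong", directory, now=1000),
        "alice_read": payroll.access(alice, "ledger", "read", now=1010),
        "alice_write": payroll.access(alice, "ledger", "write", now=1010),
        "bob_read": payroll.access(bob, "ledger", "read", now=1010),  # authenticated, not admitted
        "alice_expired": payroll.access(alice, "ledger", "read", now=1000 + ASSERTION_TTL),
        "tampered": payroll.access(alice.replace("corp/alice", "corp/mallory"), "ledger", "read", now=1010),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The point the model makes is the one the slides keep returning to: a valid assertion proves only identity. Bob authenticates successfully and is still refused by the payroll host, and Alice, admitted to the host, still cannot write the ledger; the host's own constraints and ACL, not the SSO service, make those decisions.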

Single Sign-on Basics

Why is single sign-on needed?
– Lack of secure channels
– Initial identification and authorization
– Synchronization of identification and authorization across the myriad of disparate, heterogeneous systems

Why isn't a complete solution available?
– Security is not a priority
– Economics

Single Sign-On Basics

[Figure (slide 29): attributes expected of single sign-on]
– Non-intrusive
– Cheap
– Cures common* network security concerns
– Coexists with other authentication and authorization services
– Runs on ALL platforms
– Credentials accepted by ALL services
– OS / platform independent
– Runs in ALL border entry points
– Expensive to attack
– Must scale
– Administration: central, remote, distributed
– Robust
– Trustworthy
– Mutual authentication

Single Sign-on Basics

What should a single sign-on product include?
– Identification, authorization, and authentication
– Client / server and distributed systems
– Mainframe applications
– Host security
– Workstation security
– Network security
– The entire infrastructure

Single Sign-on Current Players

The SSO market is very active:

From 1997 to current, some long-heralded products became available:
– Memco* and IBM

Others matured significantly:
– Platinum*, Unisys and CKS

Single Sign-on Current Players

The SSO market is very active:

Niche products were developed:
– CyberSafe's TrustBroker, OpenVision/Veritas Axxion Authenticate, OpenHorizon Connection

Deployments continue and are increasing, and users remain interested.

However, there is movement in the sector toward mergers and acquisitions.

Single Sign-on Current Players

Vendor and Product Names
– Axent Technologies (www.axent.com) - Enterprise Resource Manager
– Bull (www.bull.com) - AccessMaster
– Century Analysis Inc. (www.cainc.com) - CAINet
– Computer Associates International (www.cai.com) - Unicenter SSO
– CKS (www.cksweb.com) - MyNet
– CyberSafe (www.cybersafe.com) - TrustBroker Security Suite and Defensor

Single Sign-on Current Players

Vendor and Product Names
– Computer Associates Inc. (www.cai.com) - Platinum family
– Hewlett-Packard (www.hp.com) - Praesidium SSO
– IBM (www.ibm.com) - Global Sign-On
– iT SEC - iT SecureSignOn
– Proginet (www.proginet.com) - SecurPass
– RSA Security (www.rsasecurity.com) - Boks SSO/SecurSight Manager
– Softools (www.softools.fr) - SoftSSO
– Unisys (www.unisys.com) - Single Point Security

Single Sign-on Current Players

Century Analysis Inc. (www.cainc.com) - CAI-Net
CAI-Net III offers end users a workplace that allows them to, through a single master password per end user, gain seamless access to multiple applications simultaneously, independent of the workstation being used or the applications being accessed.

Computer Associates International (www.cai.com) - Unicenter SSO
The Unicenter TNG Single Sign-On Option provides an easy point-and-click Windows-based interface enabling end users to access multiple, enterprise-wide, network applications with a secure single sign-on.

CKS (www.cksweb.com) - MyNet

Single Sign-on Current Players

CyberSafe (www.cybersafe.com) - TrustBroker Security Suite and Defensor
The TrustBroker Suite features multi-platform, single sign-on authentication, including both Public Key and Kerberos encryption. It secures your organization's intranet and extranet against inside and outside threats, even when using unsecured networks (such as the Internet). It is scalable, interoperable on virtually any business platform, and flexible through its support of multiple authentication mechanisms (passwords, certificates, token cards, smart cards, etc.).

The Defensor Family of products was added to the TrustBroker Security Suite in December 1998. Defensor allows secure end-to-end communications between clients, servers, gateways and mainframes, regardless of the application, network technology or geographic location of the communicating parties. Authenticated users get secure, on-demand, above-the-network communications with their authorized applications based on "Who Can Do What" rules.

Single Sign-on Current Players

Hewlett-Packard (www.hp.com) - Praesidium SSO
HP Praesidium/Single Sign On (SSO) has been specially developed to address the problems of multiple sign-ons which have arisen over the last few years from the development and ever-increasing use of client/server architecture in enterprise-scale businesses. This trend has resulted in an equal increase in the number of issues facing three different groups of people within the enterprises: the users, administration, and security; the majority of these issues arise from the number of passwords required to access even the most basic information.

IBM (www.ibm.com) - Global Sign-On
IBM Global Sign-On is a secure, easy-to-use product that grants users access to the computing resources they are authorized to use, with just one logon. Designed for large enterprises consisting of multiple systems and applications within heterogeneous, distributed computing environments, Global Sign-On eliminates the need for end users to manage multiple logon IDs and passwords.

Single Sign-on Current Players

Axent Technologies (www.axent.com) - Enterprise Resource Manager
Axent ERM provides enterprise-wide user and resource administration, one-time authentication and single sign-on across distributed computing platforms.

Bull (www.bull.com) - AccessMaster
ISM is a suite of tools for systems management that is broken up under 6 main functionality headings. AccessMaster is the security management component and one of ISM's highlights. There are two main components - a single sign-on product and standard authentication features built around a central database of user profiles. The single sign-on capability allows a user to access multiple systems through the use of a single identifier and password combination. This is then used to access the user profile, and to show only the applications that he or she is authorized to see. This desktop lockdown is the fundamental basis for many security solutions where sensitive applications are restricted, so that only those that need them have access.

Single Sign-on Current Players

Proginet (www.proginet.com) - SecurPass
SecurPass helps corporate security administrators, help desk staff and end users manage the complexities of multi-platform environments. SecurPass "harmonizes" native Microsoft Windows NT security with standard IBM mainframe, Novell, and UNIX security systems, providing password synchronization between different environments. SecurPass is the only solution of its kind which does not require code at every desktop.

Security Dynamics (www.securitydynamics.com) - Boks SSO/SecurSight Manager
SecurSight products are a family of plug-in security solutions for the enterprise. They include SecurID authentication, and the SecurSight Desktop, Manager, Agents and Agent Toolkit. They integrate the vendor's ACE/Server security software with public key cryptography and digital certificate security technology from RSA Data Security.

Single Sign-on Current Players

Softools (www.softools.fr) - SoftSSO

Unisys (www.unisys.com) - Single Point Security
Unisys offers a comprehensive approach to managing identity across large, heterogeneous environments. The Single Point Security product line integrates hardware and software for global single sign-on (SSO), biometrics identification, user management, and protected communication across public networks with a full set of information security consulting services.

Single Sign-on Current Players

[Table (slide 41): mainframe platform support (columns HP, IBM, Unisys, DEC, Other) for Axent - ERM, Bull - AccessMaster, CA - Unicenter SSO, CKS - MyNet and CyberSafe - TrustBroker; the individual X marks could not be recovered from the transcription]

Single Sign-on Current Players

[Table (slide 42): network platform support for Axent - ERM, Bull - AccessMaster, CA - Unicenter SSO, CKS - MyNet and CyberSafe - TrustBroker; the individual X marks could not be recovered from the transcription]
* Other networks (Axent - Iris, Solaris; CKS - DOS; TrustBroker - DOS, Macintosh)

Single Sign-on Current Players

[Slide 43: content not recovered in the transcription]

Single Sign-on Current Players

[Figure (slide 44): Gartner Group quadrant of SSO vendors, vertical axis "Ability to Execute", horizontal axis "Completeness of Vision", quadrants Leaders, Challengers, Visionaries and Niche Players; vendors plotted: CA, IBM, Security Dynamics, Proginet, CyberSafe, Softools, CAI, Platinum, Bull, Axent, CKS, Unisys, IT SEC. Source: Gartner Group]

Single Sign-on Current Players

What makes up Vision:
– Does the vendor have a strategic plan?
– Is it in line with industry trends?
– Does it match third-party beliefs in what is appropriate for the industry?
– Is the vision comprehensive enough to establish a broad install base?

Single Sign-on Basics

Users can use resources anywhere in the network no matter where they are.

The user profile knows what applications are authorized and where they can be found.

With a single UID/password, a user can log in to the enterprise network and access all network services and applications that they need to perform their jobs.

Eliminates the need for users to have multiple usernames and passwords.

Single Sign-on Current Players

In looking to a vendor, you might want to consider:
– Their financial strength
– Their ability to continue to improve the product
– Marketing and sales capabilities
– Integration abilities
– Strategic alliances

Single Sign-on Considerations

– SSO and ACL rules often must be developed and administered separately.
– Security administrators often must know syntax rules for multiple platforms.
– Audit reports often must be defined and administered outside of products.
– Complete solutions require an integration of several products.
– Many products have limited proven maturity.
– Trained staff are not always readily available.

Single Sign-on Considerations

Using only o
