
By Quest Software. Users have many identities to remember, which leads to security, compliance, and productivity costs for organizations. Extending Active Directory to other platforms can enable true enterprise single sign-on.
We all experience this challenge: too many identities, resulting in too many passwords and user IDs to remember.

The help desk, security and compliance, and productivity costs related to this explosion of identities are significant, but are not always easy to calculate.
Help desk costs: The most definable cost to organizations is the help desk expense associated with helping users reset forgotten passwords. In fact, many organizations have separate help desks for Windows, Unix, mainframe, and applications such as SAP or Siebel; these are quite expensive to maintain because of the expertise required to staff them.
Security and compliance costs: Not as easy to calculate, but potentially greater, are the invisible costs associated with the proliferation of identities. Many organizations do not have automated provisioning systems, so user identities are often not deleted when an employee leaves the company. This creates a security and compliance issue. Other security risks include the propensity for users to use a common password across systems, write them down, or use ones that are easy to guess. With multiple systems it is also difficult to have a common password security policy or to control and audit administrative, privileged, and superuser identities.
Productivity costs: It is also difficult to calculate the lost productivity for users who must enter their credentials multiple times per day or are on the phone with the help desk resetting their passwords.
A Traditional Approach: Password Synchronization
Many organizations synchronize users’ Active Directory passwords across systems. Password synchronization is easier to extend to any given platform or application than enterprise single sign-on, and it can reduce some of the help desk and productivity costs outlined above. Users have just one password to remember, so passwords are forgotten less often. This reduces help desk costs and the associated loss of productivity.
However, password synchronization does not enable single sign-on: although users have a single password that provides access to multiple systems, they still must log on every time to each system. This reduces productivity. Moreover, not all systems easily support bi-directional password synchronization and implementation can be complex; agents are usually required on all target systems.
In addition, password synchronization does not solve most of the security challenges discussed above. Password synchronization has the following drawbacks:
Although password synchronization is not a complete solution to the problem of multiple identities, it can be an important part of a larger approach. Specifically, password synchronization is a viable solution where security policy disallows enterprise single sign-on, or where integration and enterprise single sign-on are simply not practical.
Quest Software, a leading systems management vendor, offers a product called Password Manager, which delivers password synchronization. It enables users to reset their own passwords, then it synchronizes these passwords across multiple platforms. This helps to further reduce help desk costs and improve productivity.
The key to solving the problem of multiple identities is not password synchronization, but extending the power of Active Directory across the enterprise. Nearly all corporate users begin their day by logging into Windows and authenticating to Active Directory. In the United States, Active Directory is the primary directory for more than 75% of enterprises, and the prevalence of Active Directory continues to increase globally.
In fact, in most enterprises users must log on via Active Directory before they can access non-Windows hosted applications such as SAP, Siebel, and Oracle; mainframe or mid-range systems; and other client-server applications. Most users do not even realize that access and authentication are being provided transparently to nearly every Microsoft server, web, and other Microsoft-hosted application (e.g., Exchange, SQL Server, SharePoint, and IIS).
Active Directory enables true single sign-on – but only to Windows-based and -hosted applications. This single sign-on capability is enabled through Microsoft’s use of the Kerberos security protocol.
Fortunately, organizations can extend the power of Active Directory to their heterogeneous environments using the Quest One Identity Solution.
The Solution: A Layered Approach
Because Active Directory is so powerful and because it is so central to IT organizations today, it is logical to base any single sign-on effort around Active Directory. Quest recommends the following three-pronged approach:
Extending Active Directory to Other Platforms
Quest One Identity Solution enhances and extends the capabilities of Active Directory, including single sign-on to all platforms and applications that support Kerberos (including Unix, Linux, Java, SAP, Siebel, IBM DB2, Oracle databases, telnet, VMware, and Apple OS X).
Quest One enables both of the following:

Benefits
Extending Active Directory to other platforms reduces the following costs:
Help desk costs: Since users have only one password to remember for all of the systems and applications they need to access, calls to the help desk regarding forgotten passwords will be dramatically reduced.
Security and compliance costs: Organizations can use Group Policy to automate the enforcement of a common password security policy across the enterprise, including settings like maximum password age, minimum password length, requirements for password complexity, and multifactor authentication use. Moreover, when an Active Directory account is suspended or deleted, all access to any other platform that was extended through the use of Kerberos is automatically revoked; there is no need to de-provision accounts in those systems.
Productivity costs: Since users have only one password to remember, they will not be wasting time calling the help desk for password resets. And since they have to log in only once, they can work uninterrupted by multiple log-on screens.
Most important, the Quest One solution is easy to install and use – there are no cumbersome identity management frameworks or synchronization tools. Organizations continue to use Active Directory normally; it has just been extended to support additional platforms and applications.
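As an added illustration of the Kerberos mechanism described above (not Quest's configuration and not part of the original paper), the following is how a Linux host is joined to an Active Directory realm with the stock MIT Kerberos, SSSD and OpenSSH components: users are resolved from and authenticated against the domain controllers, an account that is disabled or deleted in Active Directory is refused on the host, and SSH accepts the Kerberos ticket the user already obtained at the Windows logon. The realm EXAMPLE.COM, the domain controller dc1.example.com and the file paths are assumptions.

```ini
# /etc/krb5.conf  (assumed realm EXAMPLE.COM; the KDCs are the AD domain controllers)
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = true        # locate DCs through the _kerberos._tcp SRV records AD publishes
    dns_lookup_realm = false
    rdns = false                 # do not let reverse DNS rewrite service principal names
    forwardable = true           # lets a ticket be delegated to the next hop when policy allows it
    ticket_lifetime = 10h        # matches the default AD user ticket lifetime

[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com          # assumption: one domain controller named explicitly
        admin_server = dc1.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM

# /etc/sssd/sssd.conf  (mode 0600; identity and access decisions come from AD, not local files)
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ad                 # users and groups are looked up in AD over LDAP
auth_provider = ad               # passwords are verified by the AD KDC (Kerberos), never stored on the host
access_provider = ad             # a disabled, expired or locked AD account is refused at login
ad_domain = example.com
krb5_realm = EXAMPLE.COM
ldap_id_mapping = True           # derive uid/gid from the objectSID; no per-user Unix attributes to manage
cache_credentials = False        # keeps "revoked in AD means revoked here" strict; True permits offline logons
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
default_shell = /bin/bash

# /etc/ssh/sshd_config  (the part that turns the AD logon into single sign-on)
GSSAPIAuthentication yes         # accept the user's AD ticket instead of prompting for a password
GSSAPICleanupCredentials yes     # remove the delegated ticket cache when the session ends
```

The password-less path is only reached when the client presents a ticket for the host's own service principal, which exists once the host has been joined to the realm and holds its keytab; with cache_credentials set to True, a user whose account was disabled in Active Directory could still log on from cached credentials while the host cannot reach a domain controller, which is why the strict setting is shown here.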
Protecting “High-Value” Passwords
Neither password synchronization nor enterprise single sign-on (ESSO) can control access to, or audit the activities related to, high-value identities. Quest offers solutions to enhance security and compliance in this area.
Protecting Unix Root Access
Often the password for an administrative account (such as “root” on Unix or Linux) is shared by several individuals. For both security and compliance, organizations need to know who has access to a privileged account, why they are using that account, who granted them access, and how they use the account.
Quest Privilege Manager for Unix enables administrators to delegate authority for adding accounts, fixing printer queues, and other routine job functions to individuals or groups without disclosing the root password. This protects the full power of root (such as deleting critical files, modifying databases or file permissions, and reformatting disks) from potential misuse or abuse. Privilege Manager can also record all Unix session activity to create an indelible audit trail.
Solving the “Master Key” Problem
The major benefit of single sign-on is that each user has only one password—a “master key” that enables access to multiple systems. This may lead to a security concern: a compromised user credential opens the door to unauthorized access to any application or platform integrated into the single sign-on environment.
Therefore, multi-factor authentication is essential. There are three universally recognized factors for authenticating individuals:
1. “Something you know,” such as a password or PIN
2. “Something you have,” such as a mobile phone, credit card, or hardware security token
3. “Something you are,” such as a fingerprint, a retinal scan, or other biometric
To enhance security in single sign-on environments, organizations cannot rely only on a password or PIN. They need to require the second or third factor as well.
Quest Defender provides a vendor-neutral, token-agnostic authentication infrastructure that supports both two-factor and three-factor authentication. Defender integrates seamlessly with Microsoft’s Active Directory and uses Active Directory as its data repository. The familiar Active Directory users and computers administration tool is used to manage the entire Defender environment.
The ever-increasing number of user identities means real costs for organizations, including help desk, security and compliance, and productivity costs. Active Directory solves the problem of multiple identities by providing true single sign-on – but only for Windows systems and applications. Organizations with heterogeneous IT environments will need to use a layered approach that may include any or all of the following: directory and identity consolidation into Active Directory, enterprise single sign-on, or password synchronization.
Quest offers a set of solutions that can help you implement this approach and achieve the holy grail of secure single sign-on across your entire environment.
About the author
Jackson Shaw oversees product direction, strategy, and go-to-market activities for all of Quest’s Identity and Access Management products. He has been involved in directory, meta-directory, and security initiatives since 1988, and was a key member of the identity and access management marketing team for the Windows server marketing group at Microsoft.
Shaw studied computer science and management information systems at the University of Ottawa. He is a member of the Association for Computing Machinery.
The ever-increasing number of user identities means real costs for organizations: help desk costs, security and compliance costs, and productivity costs. Active Directory solves the problem of multiple identities by providing true single sign-on, but only for Windows systems and applications. For organizations with heterogeneous IT environments, a layered approach is required.