Wednesday, November 5, 2008

can we escape from password hell?

You know the drill: every so often (30 days? 45 days? 3 months?) you are required to change your password in each and every business application. Sometimes you're lucky and some applications share a common directory, good for you, but most often this is not the case. If this drill is accompanied by a requirement for complex Pa$$w0rd5, sticky notes are your saviour, whether your CISO likes it or not. And we're back to square one, welcome to password hell.

In comes the holy grail: (enterprise) SSO. Finally there's an application that takes over the management of all your passwords, leaving you with one (preferably complex) password to log on to your computer and no headaches afterwards. But is this really true? What are the caveats? What should you look for in an eSSO solution, and what problems might you face during rollout?

What is eSSO?
Enterprise Single Sign-On solutions allow you to reduce the number of times your users have to provide a username and password to an application (any application?). Most of the solutions work through technology that 'recognizes' logon screens; each recognized screen is matched to a specific userid+password combination stored in a password safe.

Who are the competitors? (I only list the top 4 in the Gartner magic quadrant.)
  1. Imprivata
  2. Citrix
  3. Passlogix
  4. Evidian
* Disclaimer: I do not comment on the specific vendors' solutions. It is up to the reader to select the solution that best fits his/her needs.

What does it offer?
a) Your users don't have to worry about changing several passwords anymore. They keep one single password that gives them access to their workstation; from then on the eSSO software takes over. Simple, easy peasy (or maybe not).
b) Obviously this will reduce the time your helpdesk people spend on password resets; how much depends greatly on your organisation. Quantifying this cost is often difficult.

And now?
We don't really care about users, do we? Why would we want a solution that makes their lives easier? Well, there are a number of reasons.

A. You might be driven by compliance regulations. While your applications might not support detailed user access logging, your eSSO solution can do that for you, uniformly over all your applications.
B. Your users' drawers (desks!!) look like craigslist.com for passwords. Passwords are traded, especially during holiday seasons, when specific responsibilities are informally delegated. Some solutions allow formal delegation among users without disclosing the password. This is a powerful feature and worth considering.
C. You have decided to implement an Identity and/or Access Management solution. While eSSO certainly isn't IAM, it may prove an important part of the puzzle. A properly deployed eSSO solution will get you buy-in from the work floor and allow you to embark on the long and hard journey that your IAM roll-out will be.
D. You actually care about your users, their productivity and the protection of your information resources.

Ok, so tell me now, where is the bad stuff you refuse to tell me?

Different vendors, different solutions. Almost all of them will offer you a replacement for the Microsoft GINA (msgina.dll), which means they come and mess with the basic login process of your Windows environment. Call it a corporate-wide man-in-the-middle attack if you will, it is what it is. Take a good look at this GINA during the PoC, because some might not have all functionality implemented (I've seen GINA replacements that didn't include a password expiration/rotation function!!!). Additionally, take a careful look at what your needs are. If you take this project on, define your goals and don't submit to scope creep (your worst enemy); nifty features might be tempting, but featurism can get you (and your project) killed. It's better to work in short cycles, adding functionality in every cycle, than to end up in a high-speed vortex that leaves you and your users with a broken solution.

Appliances, appliances, they look shiny and tempting. Yet that box represents a single point of failure. Yes, you can have 2 boxes and make them redundant, but how redundant depends on the solution: do they support Active/Active failover? Some of the solutions work with middleware installed on a server while all properties are stored in the LDAP directory of your choice. Cool: your corporate directory is already redundant and there's no black box to be worried about. Transparency FTW!!! Consider it.

Make an application inventory and start off with a PoC for your most critical applications. Most vendors will tout support for any application. They don't.
Java applications are the most work-intensive. There's some very special magic to be performed to make them work with SSO. Sometimes simply installing the SSO client can already break all your Java-based apps (don't get me started on Oracle Forms, Oracle Frommels for the Dutch speaking).

To conclude this installment, there's the possibility of adding 2-factor authentication (2FA) to the solution. Yes, I'm talking about the "something you have/know/are" combination, but not in the RSA, Vasco, (add OTP vendor here) sense of the word. Most of the companies I know use RFID badges for access control; it is fairly easy to also use them in any eSSO solution so users need their card and their password (or a PIN code) to log on. I know RFID is broken beyond repair, I know it has been haXored, don't worry ... I'm aware.
Make sure you only use the badge for identification and let the authentication of the user depend on either the "something you know" (password/PIN) or "something you are" (biometrics) factor.
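The two mechanisms described on this page, the logon-screen recognition that maps a screen to a userid+password in a safe, and a badge that only identifies while the PIN does the authenticating, modelled as an added example (not code from the post or from any of the vendors named above). The badge UIDs, users, PINs, window-title patterns and stored credentials are all constructed sample data, and the lockout counter is an assumption about how one would stop a cloned badge from being used to guess PINs.

```python
import hashlib
import hmac
import os
import re

# Constructed sample badge directory: a badge UID only identifies a user.
BADGE_DIRECTORY = {"04A1B2C3": "alice", "04D4E5F6": "bob"}
MAX_FAILURES = 3  # assumed lockout: a cloned badge must not allow endless PIN guessing

def make_pin_verifier(pin, salt=None):
    """Store a salted PBKDF2 hash of the PIN, never the PIN itself."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

# Constructed user records: PIN verifier plus a failed-attempt counter.
USERS = {
    "alice": {"pin": make_pin_verifier("2468"), "failures": 0},
    "bob": {"pin": make_pin_verifier("1357"), "failures": 0},
}

def logon(badge_uid, pin):
    """Badge identifies, PIN authenticates. Returns the username, or None on
    unknown badge, wrong PIN or locked account."""
    username = BADGE_DIRECTORY.get(badge_uid)
    if username is None:
        return None
    record = USERS[username]
    if record["failures"] >= MAX_FAILURES:
        return None
    salt, expected = record["pin"]
    actual = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)
    if not hmac.compare_digest(actual, expected):
        record["failures"] += 1
        return None
    record["failures"] = 0
    return username

# Constructed password safe: per user, a logon-screen recognition rule (window
# title pattern) mapped to the userid+password stored for that application.
SAFE = {
    "alice": [
        (re.compile(r"^SAP Logon"), ("alice.w", "S@p-secret-1")),
        (re.compile(r"Oracle Forms"), ("AWILLIAMS", "0r@cle-2")),
    ],
}

def credential_for_screen(username, window_title):
    """Recognize a logon screen by its title; call only with a username
    returned by logon(), so the safe is never reached on the badge alone."""
    for pattern, cred in SAFE.get(username, []):
        if pattern.search(window_title):
            return cred
    return None
```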

I will elaborate on the possibilities of 2FA in eSSO solutions later this week, talking about smart cards, active and passive RFID, eID and PKI. For now, I hope you enjoyed the read. Stay safe!
