This article can also be found in the Premium Editorial Download "Information Security magazine: Special manager's guide: Monitoring identities."
In the Trenches - by Ken Tyminski
A User's Perspective
Single sign-on is about serving customers, whether they're your employees or paying clients. As a department that provides technology services, it is important to consider the customer experience.
That's easier said than done. To be honest, IT has a hard time understanding what an end user experience is really like. As technologists, technology comes naturally to us, so it's difficult to understand the user frustration and despair.
When I was CISO at a large financial services company, we rolled out an SSO solution to 10,000 remote users a few years ago. Our field force had reached the point where they were using 15 to 25 applications, most of them in disconnected mode with different sign-on requirements. There were not many SSO solutions available that would meet our requirements. After evaluating several, we selected the v-Go Sign-On from Passlogix. It was an easy sell to the business unit CIO, as she was able to clearly see the potential of improved productivity. It was hard to measure ROI, but it was self-evident.
Creating an SSO environment turned out to be a process that needed to evolve in phases. First we started with the applications that would get us the most bang for the buck and then implemented other applications over time.
Lessons learned: Communication is critical. In users' minds, change is always more painful than the status quo. One of the smartest things we did was pre-populate their information so they couldn't wander too far astray. I would also recommend rolling out SSO in phases. Take a few applications that are meaningful and get them up and running. Don't overwhelm users with change.
In the end, we met our goal of improved customer satisfaction. Our users loved it, and we saw a dramatic reduction in the number of help desk calls for password/sign-on related issues.
Ken Tyminski is a former CISO for a large financial services organization.
How to avoid implementation snafus
[six recommendations to help a rollout go smoothly]
- Consider eSSO systems that play nice with your identity management environment. Enterprise SSO (eSSO) applications that interact with the existing identity management infrastructure save time and money. For example, eSSO applications that store information in an LDAP directory can be easier to manage, particularly if the user's wallet is stored as an attribute of the user object. eSSO systems with a provisioning interface let the organization manage the eSSO system from the provisioning system, minimizing administrative overhead throughout the user identity lifecycle.
- Test the eSSO system thoroughly. eSSO deployment horror stories are legendary: the organization kicks the tires of the eSSO system but does not examine all the target applications in its environment. During deployment, several (or dozens of) applications are found not to work with the eSSO system, or to require months of custom programming. Test against the full inventory of target applications, not a sample. Some target applications are inherently difficult for eSSO systems, particularly Java Swing applications, because Swing draws its own controls and the eSSO agent cannot identify the logon fields the way it does for native Windows or HTML forms without Java-specific support.
- Integrate WAM and eSSO systems. If you have both Web access management (WAM) and eSSO systems, consider integrating them. In doing so, your users get SSO to both desktop and Web applications, and potentially SSO to federated applications at your partner sites. You also get the authorization capabilities that the WAM system can deliver, which can improve overall security and compliance.
- Use stronger authentication. Stronger authentication reduces security risk: with eSSO, the credential that unlocks the wallet guards every application behind it, so it deserves more protection than a password alone. Many vendors have integrated stronger authentication into their eSSO systems, and most WAM systems work with one-time passwords (OTP) and smart cards (via certificate). The target application passwords still sit in the wallet on the endpoint and still travel to each application, so organizations must address those residual risks with appropriate network security and anti-malware controls.
- Obfuscate eSSO target application passwords. Most eSSO systems can set the target application password to a random value the user never sees and negotiate the password change with the target system. A provisioning system can do the same, updating both the target application and the eSSO wallet.
- Accelerate eSSO target application password aging. If the password is obfuscated, it can be changed more frequently. While password aging policies vary, few organizations force users to change passwords more often than every 30 days because of the burden on users. If the organization can change a target application password more frequently without the user noticing, the security of that application improves.
If implemented properly, eSSO and WAM systems can improve usability and compliance. Each has different benefits, and the two can be integrated to provide enhanced SSO and authorization. While preparing for an SSO project takes planning and time, it is one of the few applications whose benefits are readily apparent to the user.
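The last two recommendations, randomizing target application passwords and aging them faster than any user-facing policy allows, as an added, runnable illustration in Python. This is example code written for this page; it is not a vendor's eSSO product and not code from the article. The in-memory wallet, the simulated target application, its password policy, the user name and the 2006 reference date are all constructed assumptions; a real deployment encrypts the wallet and calls the target's actual password-change interface.

```python
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict

# Hypothetical target-application password policy; an assumption for this example.
AMBIGUOUS = set("O0Il1")
CLASSES = [
    "".join(c for c in string.ascii_uppercase if c not in AMBIGUOUS),
    "".join(c for c in string.ascii_lowercase if c not in AMBIGUOUS),
    "".join(c for c in string.digits if c not in AMBIGUOUS),
    "!@#$%^&*-_=+",
]
# Constructed reference time so the aging arithmetic is reproducible.
EPOCH = datetime(2006, 8, 1, tzinfo=timezone.utc)


def days_after(n: int) -> datetime:
    return EPOCH + timedelta(days=n)


def password_ok(pw: str, min_len: int = 16) -> bool:
    """Policy check: minimum length, one character from every class, no ambiguous glyphs."""
    return (len(pw) >= min_len
            and all(any(c in cls for c in pw) for cls in CLASSES)
            and not any(c in AMBIGUOUS for c in pw))


def generate_password(length: int = 20) -> str:
    """Random password from the OS CSPRNG that satisfies password_ok()."""
    if length < len(CLASSES):
        raise ValueError("length too short to satisfy the policy")
    chars = [secrets.choice(cls) for cls in CLASSES]            # one of each class
    pool = "".join(CLASSES)
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)                       # no predictable positions
    return "".join(chars)


class SimulatedTarget:
    """Stand-in for a legacy application with its own password store (constructed)."""

    def __init__(self, username: str, password: str) -> None:
        self._creds = {username: password}
        self.outage = False                 # set True to simulate an unreachable target

    def login(self, username: str, password: str) -> bool:
        stored = self._creds.get(username, "")
        return secrets.compare_digest(stored.encode(), password.encode())

    def change_password(self, username: str, old: str, new: str) -> None:
        if self.outage:
            raise ConnectionError("target unreachable")
        if not self.login(username, old):
            raise PermissionError("current password rejected")
        if not password_ok(new):
            raise ValueError("new password violates target policy")
        self._creds[username] = new


@dataclass
class WalletEntry:
    username: str
    password: str           # the user never learns this value
    changed_at: datetime


class Wallet:
    """In-memory eSSO wallet whose aging interval is shorter than any user-facing policy."""

    def __init__(self, max_age: timedelta = timedelta(days=7)) -> None:
        self.max_age = max_age
        self._entries: Dict[str, WalletEntry] = {}

    def enroll(self, app: str, username: str, password: str, now: datetime) -> None:
        self._entries[app] = WalletEntry(username, password, now)

    def credential(self, app: str) -> WalletEntry:
        return self._entries[app]

    def needs_rotation(self, app: str, now: datetime) -> bool:
        return now - self._entries[app].changed_at >= self.max_age

    def rotate(self, app: str, target: SimulatedTarget, now: datetime) -> bool:
        """Change the password on the target first and commit to the wallet only on
        success, so a failed change leaves the old (still valid) credential in place."""
        entry = self._entries[app]
        new_password = generate_password()
        try:
            target.change_password(entry.username, entry.password, new_password)
        except (ConnectionError, PermissionError, ValueError):
            return False                    # wallet untouched; retry on the next cycle
        self._entries[app] = WalletEntry(entry.username, new_password, now)
        return True

    def rotate_due(self, targets: Dict[str, SimulatedTarget], now: datetime) -> Dict[str, bool]:
        """Rotate every enrolled application whose password has aged out."""
        return {app: self.rotate(app, targets[app], now)
                for app in list(self._entries) if self.needs_rotation(app, now)}


if __name__ == "__main__":
    target = SimulatedTarget("ktyminski", "Welcome1!")   # constructed initial credential
    wallet = Wallet()
    wallet.enroll("crm", "ktyminski", "Welcome1!", days_after(0))
    print("day 1:", wallet.rotate_due({"crm": target}, days_after(1)))   # nothing due
    print("day 8:", wallet.rotate_due({"crm": target}, days_after(8)))   # {'crm': True}
    target.outage = True
    print("day 16 during outage:", wallet.rotate("crm", target, days_after(16)))  # False
```

The ordering in rotate() is the part worth copying: the new password is committed to the wallet only after the target confirms the change. If the order were reversed, an outage or a rejected change would leave the wallet holding a password the target never accepted, and the user would be locked out of an application whose password they do not know.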
"We now have more than 50 applications supported with SSO," says Enterprise Bank & Trust's Siress. "We're really excited by our progress, and the acceptance is there." At Geisinger Health System, 60,000 patients have signed up for the Web-based service, and another 700 are signing up per week, says Young. In the meantime, Good Samaritan Hospital has significantly reduced the time to log in to various applications. "Our nurses have told us, 'Don't you dare take this away,'" laughs Christian.
Now that's customer satisfaction.
This was first published in August 2006