ORLANDO, Fla. -- Jason Mortensen has done enough penetration testing to know it's not hard to steal passwords,...
pretend you're someone else and do all kinds of nasty things online.
He said attackers triumph all the time by manipulating predictable Web session IDs, guessing passwords, stealing and replaying cookies, keystroke logging, network sniffing and tricking users into clicking on malicious links.
"Far too many times I've found that developers put plaintext information in cookies, URLs or HTML hidden fields as a way to manage sessions," said Mortensen, an IT security engineer with Motorola's information protection services division. "This is really scary, a horrible practice since the information can easily be modified by an attacker."
Enterprises can blunt these attacks by enforcing strong password rules, educating users, implementing stronger session management and exploring alternative ways to authenticate users, he said. Alternative methods like federated identity management and other single sign-on options got plenty of attention at this week's InfoSec World conference.
Federated identity management enthusiasts predicted the technology is moving closer to widespread use, thanks in part to stronger standards like Security Assertion Markup Language (SAML) 2.0. SAML 2.0 passed a series of interoperability tests and was approved as a formal draft last month by the Organization for the Advancement of Structured Information Standards (OASIS). On its Web site, the organization said SAML 2.0 "adds key functions to create and manage federated networks that combine and appropriately share pre-existing repositories of identity information."
But some conference attendees said federated identity and single sign-on in general is still too young for widespread use; that countless legacy applications would have to be adjusted for everything to work right.
During a panel discussion, Patrick Harding, vice president and security architect for Fidelity Investment's enterprise architecture division, said the company has benefited greatly from its adoption of federated identity management.
"Internally, it means a more rapid integration of acquisitions, better coupling of ID islands across divisions, reduced cost and better employee productivity," he said. "It's great because employees don't have to remember multiple passwords."
Externally, he said the benefits include a richer integration of partners, a faster and cheaper coupling through standards; a simplified customer experience; deeper service offerings and better protection of customer information. "We manage your money and we're very sensitive about protecting you," he said. "We're taking on ownership of your 401K and payroll information, and customers should be able to seamlessly access that information."
Christopher Ceppi, business development director for Ping Identity Corp., a Denver-based federated identity software and services firm, said the technology is vital in an age where business is becoming increasingly virtual and decentralized.
"With the Internet you need ID portability," he said. "That's what federated identity is about. And with the world we're in now, the technology supporting it is a reality -- mobile technology, decoupled systems."
Jeffrey Rozek, senior manager of Ernst & Young's Security & Technology Solutions division, said there are plenty of reasons for businesses to look at single sign-on technology:
For employees there are fewer passwords to remember and consistent log-in credentials. For customers there's a need to only log in once and trust in knowing their data isn't spread across a complex array of systems. For enterprises there's more consistent security, including a centralized audit trail, data and application protection and other features to help ensure regulatory compliance.
Unfortunately, he said there are also a lot of reasons why true single sign-on can't happen: Implementation is usually too costly. There are too many mixed environments to tie together. Proper infrastructure components don't always exist. The technology is still maturing, and it's difficult to define the core identity.
Even with improved standards like SAML 2.0, some worry federated identity management will never be ready for prime time because IT shops will never be able to tweak every legacy application on their networks that may be incompatible.
"If we put this technology in, but all the legacy applications still expect to do their own ID management, then what happens?" asked Donald Walker, technology risk manager for Wichita, Kansas.-based Koch Business Solutions. "How do we deal with all the time and cost of dealing with those applications? No matter how much standards improve, those applications will always be there and I don't see how we can get past that."
It's difficult to predict whether every enterprise will be using some form of single sign-on two years from now. But Chris Louden, chief technology officer for Alexandria, Va.-based e-government/security consultancy Enspier, predicts Uncle Sam's plans for federated identity management will have big consequences.
"For the average end user, the next couple of years will move us to the point where everything you do with the federal government will be done through online transactions and will be done through federated identity," he said. "I think federal adoption of this will be the tipping point for the technology."
He said agencies like the Department of Health and Human Services (HHS), the National Science Foundation (NSF) and the United States Department of Agriculture (USDA) are ready to do online transactions. More agencies will be ready through the Federal e-Authentication Initiative, he said.
While he doesn't think true single sign-on can exist, Rozek believes reduced sign-on can. He said companies could target its highest-impact applications for single sign-on; that Web-based single sign-on is more mature. But it may not be necessary for all applications, he said. In fact, he added, some should have additional sign-on to reduce overall risk.
Does Mortensen think the technology is the answer to all the attacks he outlined?
"I'm not sure," he said. "There are definite benefits, but you also trust other companies to do the right thing as they federate. We'll have to wait and see."