How to use single sign-on for Web access control to prevent malware


David Griffeth, Contributor

With the continuous expansion of Web-based applications comes the inevitable proliferation of worms and viruses seeking to exploit their vulnerabilities. Worms often attempt to use weaknesses in applications to harvest data, such as personal information and username and password combinations, and send it via the Internet to a centralized repository. Once in such a repository, the data can be sold or used in a variety of illicit activities, including spam propagation, illegal credit card use and identity theft.

There are, however, some ways information security pros can use access management technology to reduce the likelihood of Web application infection, as well as reap some additional benefits that come with these security measures.

In particular, I recommend implementing single sign-on (SSO) and single sign-off for Web access control. Let's look at how to implement SSO for Web applications and the benefits of doing so.

Single sign-on falls right in with the technologies commonly employed in an IAM program. SSO is a way to authenticate a user to a variety of disparate systems through a single set of credentials. When the user logs on to a client or terminal using his or her SSO-based username and password, the system validates that user's authenticity and logs in to the underlying systems with a username and password unknown to the end user. The passwords to the underlying applications can be more complex than typical passwords, since the end user doesn't have to know or remember them. This also prevents the user from logging directly into the applications: because they don't know the passwords for the individual applications, access to all network resources is governed by the SSO system.

The SSO paradigm offers a number of benefits for users as well as for overall organizational information security. Among those benefits are that users must remember only one password, the password requirements for the applications can be complex and their passwords can change frequently without the end user's knowledge, and there is a centralized place to lock the end user out of all the applications if need be.

The downside is that if the end user's SSO password is compromised, it will allow access to all the applications leveraging SSO. Fortunately, this risk can be mitigated by requiring two-factor or multifactor authentication.

What is two-factor or multifactor authentication, how does it tie in to SSO, and how does it help secure Web applications? Two-factor authentication uses two independent factors to verify a user's identity. True multifactor authentication typically requires at least two of the following three groups: something you know, such as a password; something you have, like a token or encryption key; or something you are, namely a unique physical characteristic of a person, such as an iris pattern or fingerprint. Using two of these three authenticator types makes it much harder to impersonate an individual, giving the application owner more assurance of a user's true identity. If the company has multiple Web applications, SSO with two-factor authentication can be implemented as the authentication mechanism for all of them.

In addition to preventing unauthorized users from accessing sensitive applications and data, SSO can prevent malicious code infections as well. For instance, a worm that harvests a user's password is thwarted by two-factor SSO because it cannot also harvest the second factor, such as a fingerprint or a token. Nor can it harvest the complex application-specific passwords, because the user never knows them or types them in.
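As an added illustration of the two-factor check the article describes (example code written for this page, not the author's or any product's code), the block below requires both a password ("something you know") and a time-based one-time code from a token ("something you have", computed per RFC 6238) before an SSO session is granted. The user record, the fixed salt and the timestamps are constructed; the TOTP seed is the RFC 4226/6238 test secret, so the codes can be checked against the published vectors.

```python
"""Added example: password + TOTP as two factors in front of an SSO login.
Not from the original article; the user directory, salt and times are
constructed for illustration."""
import hashlib
import hmac
import os
import struct

PBKDF2_ROUNDS = 200_000
TOTP_STEP = 30      # seconds per code (RFC 6238 default)
TOTP_DIGITS = 6


def hash_password(password, salt=None):
    """Derive a PBKDF2-SHA256 hash; returns (salt, digest) for storage."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, expected):
    """'Something you know': constant-time comparison of the derived hash."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, expected)


def hotp(secret, counter, digits=TOTP_DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3]) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp(secret, unix_time, step=TOTP_STEP, digits=TOTP_DIGITS):
    """RFC 6238 TOTP: HOTP with the counter derived from the time step."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, code, unix_time, window=1):
    """'Something you have': accept the current step and +/- `window` steps
    so small clock drift between token and server does not lock users out."""
    counter = int(unix_time) // TOTP_STEP
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


# Constructed directory: one user with a password hash and a TOTP seed.
_SALT, _HASH = hash_password("correct horse battery staple", salt=b"\x01" * 16)
USERS = {
    "alice": {"salt": _SALT, "hash": _HASH, "totp_secret": b"12345678901234567890"},
}


def authenticate(username, password, code, unix_time):
    """SSO front door: both factors must pass. A harvested password alone
    (the worm scenario in the article) is not enough to get a session."""
    user = USERS.get(username)
    if user is None:
        # Do the same amount of work for unknown users so they are not
        # distinguishable by response time.
        verify_password(password, b"\x00" * 16, b"\x00" * 32)
        return False
    knows = verify_password(password, user["salt"], user["hash"])
    has = verify_totp(user["totp_secret"], code, unix_time)
    return knows and has
```

`authenticate` deliberately evaluates both factors before combining them, so a failed password does not skip the TOTP work and leak which factor was wrong through timing. Once it returns `True`, the SSO system, not the user, goes on to sign in to the individual applications.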

Implementing SSO for Web-based applications starts by identifying the current authentication technologies being used. For each type of application and authentication method being employed, an agent or adapter must be set up per the guidelines of the SSO framework. These adapters sign on to the applications on the user's behalf and are governed by policies. The rules for password complexity, expiration and history must be included in the policies.
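The following block is an added example of the adapter-and-policy arrangement just described; it is not the article's or any vendor's code. It models an SSO broker that holds one complex credential per (user, application) pair, hands it only to the application adapter after an authenticated SSO session exists, and enforces complexity, expiration and history rules whenever it rotates a credential. Application names, the day counter used for expiry, and the policy numbers are constructed; in a real deployment the adapter would also change the password at the application when the broker rotates it.

```python
"""Added example: an SSO broker with per-application credentials the user
never sees, plus complexity / expiration / history policy on rotation.
Not from the original article; all names and numbers are constructed."""
import secrets
import string
from dataclasses import dataclass, field

ALPHABET = string.ascii_letters + string.digits + string.punctuation


@dataclass
class PasswordPolicy:
    """Rules the article says must be part of the adapter policies."""
    min_length: int = 24
    max_age_days: int = 30
    history: int = 5          # how many previous passwords may not be reused

    def complies(self, pw):
        return (len(pw) >= self.min_length
                and any(c.islower() for c in pw)
                and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw))

    def generate(self):
        """Random password that satisfies the policy; the user never sees it."""
        while True:
            pw = "".join(secrets.choice(ALPHABET) for _ in range(self.min_length))
            if self.complies(pw):
                return pw


@dataclass
class AppCredential:
    username: str
    password: str
    set_on_day: int           # constructed day counter instead of a datetime
    previous: list = field(default_factory=list)


class SsoBroker:
    def __init__(self, policy):
        self.policy = policy
        self.vault = {}       # (sso_user, app) -> AppCredential
        self.sessions = set() # users whose factors were verified this session

    def enroll(self, user, app, app_username, day):
        """Register an application account under the SSO user's identity."""
        self.vault[(user, app)] = AppCredential(app_username, self.policy.generate(), day)

    def rotate(self, user, app, day, new_password=None):
        """Replace the application password, enforcing complexity and history."""
        cred = self.vault[(user, app)]
        pw = new_password or self.policy.generate()
        if not self.policy.complies(pw):
            raise ValueError("complexity")
        if pw == cred.password or pw in cred.previous:
            raise ValueError("history")
        cred.previous = ([cred.password] + cred.previous)[: self.policy.history]
        cred.password, cred.set_on_day = pw, day
        return pw

    def establish_session(self, user, factors_ok):
        """Called after the SSO front door has checked the user's factors."""
        if factors_ok:
            self.sessions.add(user)

    def sign_on(self, user, app, day):
        """What the adapter calls: returns the application credential for
        an authenticated SSO user, rotating it first if it has expired."""
        if user not in self.sessions:
            raise PermissionError("no authenticated SSO session")
        cred = self.vault[(user, app)]
        if day - cred.set_on_day >= self.policy.max_age_days:
            self.rotate(user, app, day)
        return cred.username, cred.password

    def lock_out(self, user):
        """The centralized kill switch the article mentions: one call revokes
        the session, and the user holds none of the application passwords."""
        self.sessions.discard(user)
```

Because `sign_on` is the only path to an application password and it refuses to run without a session, revoking the session in `lock_out` cuts the user off from every enrolled application at once, which is the centralized lock-out benefit described above.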

Because this process as described is specific to Web-based applications, there is also the added complexity of implementing the technology in your company's DMZ. This is required because users from the outside world should not be able to access any part of the network without first being authenticated.

Although implementation requires a significant amount of up-front analysis and carefully laid out delivery strategy to minimize the effect on customers or users, the benefits to them, to the application support personnel and to the organization's security posture may make it well worth the effort.

About the author:
David Griffeth is the Vice President of Business Line Integration and Reporting at RBS Citizens Bank, a financial institution that is one of the 10 largest commercial banking companies in the United States ranked by assets and deposits. As part of his responsibilities, David manages the Enterprise Identity and Access Management group and is charged with supporting the bank's growth model while maintaining compliance with several regulatory bodies. Prior to his current position, David consulted on major information risk management projects with large companies such as Fidelity Investments and CIGNA. David earned a bachelor's degree in computer science from Framingham State College and holds several certifications including CISSP and CISA.

All Rights Reserved, Copyright 2003 - 2010, TechTarget