According to Gartner, federated single sign-on (SSO) will be the predominant SSO technology needed by 80% of enterprises through 2016. Analysts at the company highlight how a well-executed SSO strategy can reduce password-related support incidents and provide users with improved convenience and more efficient authentication processes than remembering numerous passwords.
“Organizations implementing SSO, particularly to systems that hold sensitive data, should implement risk-appropriate authentication methods with the SSO system,” says Gregg Kreizman, research vice president at Gartner. “Solutions are not ‘one size fits all’ and solutions that provide SSO to all target systems may be deemed too expensive. Therefore, a best practice is to identify the tactical and strategic approaches that reduce enough of the problem space over time and within budget.”
Hence, progressive enterprises, including financial institutions, must implement a sound SSO strategy that not only adopts appropriate best practices that mitigate risks efficiently and cost-effectively but also overcome ‘keys to the kingdom’ issues.
Gartner has recommended steps to scope the target solution.
Organizations must first identify the user population that a solution should cover; the logical locations of users and target systems that must be accessed; the applications and use cases that experience authentication-related issues; and the architecture for each application in the SSO project.
Next, the organization must plan for anticipated changes to the applications in the SSO initiative and identify possible authentication options based on identified common architecture and use case patterns.
Organizations can also leverage existing tools to reduce the problem. One suggestion offered by Gartner analysts is to use an established password synchronization tool or authentication to a common LDAP-accessible directory to provide reduced sign-on (RSO).
Also, when multiple directories are used for authentication, disparate identity sources can be joined by directory synchronization or virtual directories for a standardized view of identity to multiple applications or authentication services.
Finally, since application designs are moving toward web architectures, the need for SSO to support these architectures should be prioritized.
A non-intrusive approach
An enterprise SSO may allow users to provide credentials a single time per session, and then gains access to multiple applications and systems without having to sign in again during that session. But this approach requires all systems to trust the same authentication service and applications must be modified to trust that same service.
A more purpose-driven and non-intrusive approach is to enable a user to access multiple systems – web, Windows, terminal server/Citrix, terminal emulator/host, Java applications and applets-based applications – after one-time authentication and without changing target application source code. The primary login could be a password, PKI smart card, USB token, biometric scan, proximity card, or combination of supported methods that provides users SSO to business systems they are authorized to use.
AccessMatrix USSO distinction
To ensure a well-executed SSO strategy, Gartner has also suggested a best practice “to identify the tactical and strategic approaches that reduce enough of the problem space over time and within budget.”
Achieving that requires organizations to provide a seamless user experience in authentication processes accessing various types of applications with strong authentication for the master login.
Addressing these objectives, i-Sprint Innovations’ AccessMatrix Unified SSO (USSO) platform covers Enterprise SSO, Web SSO, Federated SSO and Mobile SSO, as part of an integrated suite of identity, credential and access management solutions. For example, the Federated SSO identity federation module supports popular identity protocols such as SAML and OAuth for cloud and mobile applications. Being extensible, it can embed strong authentication solutions.
The USSO platform enables a single login process across multiple operating platforms, including mobile devices. It supports advanced authentication methods, from one-time password tokens and smart cards to biometrics.
For one of Japan’s top three automobile makers, these capabilities offered a way to manage the complexity of accessing multiple legacy applications and security silos rapidly and efficiently with minimal risk.
The manufacturer chose the AccessMatrix Enterprise SSO solution to handle its 29 business applications, including a mainframe emulator, without any application changes. This allowed the company to achieve its SSO objectives within 10 weeks. Integrated with an existing LDAP-based ID management system, the SSO server supports the company’s VMware environment.
One of Thailand’s strongest banks, which employs more than 10,000 employees, also deployed the Enterprise SSO solution. Its bank officers can now log in to multiple legacy applications by using only one username or password.
A bank employee that logs in to Enterprise SSO server does not need to remember or key in the required user ID and password for the target business application.
The single sign-on platform has enabled the bank to consolidate user access privilege information, and reduce helpdesk support cost with minimal password reset requests and account lockouts.
Singapore bank’s feat
Another bank, one of Singapore’s most profitable, also enjoyed similar benefits in deploying i-Sprint’s AccessMatrix as its standard SSO platform. The bank achieved its SSO objectives to provide an intelligent desktop for all front-office staff and lower the cost and complexity of multiple applications security silos rapidly, safely and efficiently in a matter of weeks.
This has led the bank to match benchmark global institutions in customer service and quick response to client enquiries and to respond to fast-changing customer attitudes and requirements. A security consolidation methodology was applied throughout the project to implement and deploy the AccessMatrix solution.
i-Sprint Innovations was positioned by Gartner in the Niche quadrant of the Magic Quadrant for User Authentication in 2013 and the industry advisor regards i-Sprint as a viable solution for large enterprises.
Meanwhile, as SSO becomes a critical component of both on-premise and cloud services, concerns around ‘keys to the kingdom’ that a compromised SSO credential could provide must be addressed. This is where some enterprises deploy multi-factor authentication as an additional security layer and end-to-end encryption to protect user credentials in their SSO implementations.
This is a QuestexAsia feature commissioned by i-Sprint Innovations.