The ability of an organization to rapidly search, identify and verify who is accessing the systems is a critical aspect of meeting security and compliance requirements for the organization.
An Identity and Access Management (IAM) solutions tool is often deployed in order to achieve these goals.
In its simplest form, IAM ensures the right people get access to the right resources at the right times for the right reasons.
Technology is only one the components of IAM. Both processes and supporting tools are critical elements of an efficient IAM strategy.
I will concentrate on the technology aspect of IAM. In particular I will focus on the Single Sign-On piece in this blog . Future blogs will attempt to look at other IAM technologies.
Broadly, IAM comprises the following technology components:
- Authentication: Traditional way of authentication is by means of username and password. There are products that provide methods that are stronger than passwords.
- Authorization: Grants and enforces access
- Enterprise Single Sign-On: Enable users to authenticate once and then be subsequently and automatically authenticated to other target systems.
- Federated Identity Management: Enables identity information to be shared among several and across trust domains.
- User Provisioning: Includes creating, modifying and deleting user accounts and privileges.
- Web Access Management: offers all of the above for Web-applications.
Enterprise Single Sign-On (ESSO)
Let us for a second imagine a home that comprises of at least 15 rooms (mine is much less) and each room is always locked with a set of keys. Including the main entrance, there will be at least sixteen different keys required to gain access to all of the rooms. The more rooms one needs access to, the more keys one would need to carry.
Life will be much easier for the home owner and anyone that requires access to multiple rooms if there was a master key that can open all the doors (that one have permission to).
Take this analogy and apply it to the IT network;
- House = IT network
- Rooms = Applications on the network
- Person = Username
- The Key(s) = Password
To gain access to any IT network, one generally requires a username and password. The system combines the username and password to represent the identity of the person requesting access to the network.
Gaining access to the network does not necessarily mean that one have access to all the applications on the network. For example access to the HR applications will be restricted to only the HR personnel and this will usually mean another set of username and password.
The more applications you have, the more username and password to manage. Managing a distributed security issues associated with duplicate identity stores is a nightmare for both the end users and IT administrators.
The concept of a master key on the IT network, known as Single Sign-On, is one way of addressing the issue of multiple usernames and passwords.
Single Sign-On (SSO), sometimes called Enterprise Single Sign-On (ESSO) enables users to access all their applications with a single password.
Originally, SSO was to be achieved by developing all applications and tools to use a common security infrastructure with a common format for authentication information.
Creating a common enterprise security infrastructure to replace a heterogeneous infrastructure is without question the best technical approach. However, the task of changing all existing applications to use a common security infrastructure is very difficult. In addition there is a lack of consensus on a common security infrastructure.
SSO solution as we have it today is implemented more like a proxy; you have the SSO application usually placed between the resource to be accessed and the user (identity) who needs to access the resource.
All applications that use the SSO as a proxy, will have given the SSO application “authorisation” to check users’ credentials on their behalf. The SSO application will also have a record of all the different permissions and access levels of every authenticated user.
Some Benefits of SSO
For end users
- Only one password to remember and update, and one set of password rules.
For (IT) operations
- A single common registry (directory) of user information.
- A single common way to manage user information.
- Easier to manage and protect common registry.
- Easier to verify user security information and update when necessary rather than tracking down all operational systems. This is particularly valuable when users move to new roles with different access levels.
- Common enterprise-wide password and security policies.
- Users less likely to write down passwords since they only have to remember one.
The key to a successful implementation of SSO is planning. It is crucial that organisation choose the right solution; one that will scale and seamlessly integrate with the other IAM components.
With the ever growing list of security and compliance rules and regulations, the adoption of IAM technology amongst organization of various sizes will continue to grow.