Tuesday, March 8, 2011

Enterprise Single Sign-On Tug of War

A desktop-based Single Sign-On solution is a joy to have if you are a desktop user. Equally, it is a pain to have if you work for an IT department and have to support it. The line between the two is thin in many organizations, and which way it moves often determines the success of an Enterprise Single Sign-On (ESSO) implementation. Here is a quick list of the typical gripes and the responses one can give to pull the rope in ESSO's favor.
  • Desktop support team: Man, it replaces the Microsoft GINA. We need to provision it to all of the existing desktops, test it on our gold build, communicate with all the user population affected… It’ll take more than you think to implement it.
  • Business: Ok, so let’s see how well you manage your assets. If you know them, can provision them and keep them homogeneous you should not have too many problems. If not, let’s work on the asset management first.
  • Infrastructure: Users want to be automatically logged in to an enterprise app that is not covered by ESSO yet. Now we’ve got to develop another profile. This is not easy. The development, testing and support will take a lot of time.
  • Business: Yes, it is the on-going cost of the ESSO. Either engage the vendors, get the training and do it in-house, or outsource it.
  • Infrastructure: Now we have to have staff to support another server, another database and a bunch of desktops.
  • Security: Hey, but no more sticky notes under keyboards with passwords.
  • Help desk: We are getting more calls about desktop apps incompatible with the ESSO.
  • Business: The incompatible apps will have to be worked through with the desktop support and the vendors.
  • Security: We do not want to accept the responsibility for accidentally exposing all personal logins people may store in ESSO, like passwords for web-mail, Internet banking, shopping, forums, you name it.
  • Consultant: Set ESSO up with a personal, per-user key encryption. The downside, though, is that if a user changes their password and then forgets their response to a challenge question, they will lose their stored passwords.
  • Help desk: Everybody is forgetting their responses to the challenge questions. People are unhappy about having to lose their stored passwords.
  • Consultant: Set ESSO up with a global key, and let the Security department worry about an appropriate use policy and the privacy policy.
  • Security: We do not want to send people their on-boarding passwords plain-text in an e-mail or print them out.
  • Consultant: Integrate your ESSO with an identity management solution and have it automatically distribute passwords to people’s wallets.
  • Infrastructure: All the setup, configuration and support takes so much time!
  • Business and End Users: Hey, it is nice not to have to type enterprise passwords every time. The help desk is getting fewer calls about recovery of forgotten passwords. It saves so much time!
The end of the story is that for every gripe, there is a good response demonstrating the value and the benefit of having an ESSO solution.
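As an added illustration (not code from the original post or any ESSO product), here is a standard-library Python model of the wallet-key choice behind the consultant's two answers: a per-user wallet key wrapped under the logon password and under the challenge answers, versus an extra copy wrapped under a global ESSO key. The `Wallet` class, its method names, the iteration count and the XOR-based wrap are assumptions made for the demo.

```python
import hashlib
import hmac
import os
ITERATIONS = 100_000  # PBKDF2 work factor; an assumed value for this demo

def _kdf(secret, salt):
    # Stretch a low-entropy secret (logon password or challenge answers) into a 32-byte key.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS, dklen=32)
def _mask(data, secret, salt):
    # XOR with the KDF output: one call wraps the key, a second call with the same secret unwraps
    # it. A stand-in for a real key wrap such as AES-KW, used only to stay in the standard library.
    return bytes(a ^ b for a, b in zip(data, _kdf(secret, salt)))
def _wrap(key, secret):
    salt = os.urandom(16)
    return salt, _mask(key, secret, salt)
def _join(answers):  # normalise answers so case and stray spaces alone do not lock the user out
    return "|".join(a.strip().lower() for a in answers)

class Wallet:
    # Server-side ESSO record: the wallet key is held only in wrapped form, never in clear.
    def __init__(self, password, answers, global_key=None):
        key = os.urandom(32)  # protects the user's stored application passwords
        self.verifier = hmac.new(key, b"wallet-check", "sha256").digest()
        self.by_password = _wrap(key, password)
        self.by_answers = _wrap(key, _join(answers))
        # Global-key mode adds a copy the ESSO server can open for any user: the privacy trade-off.
        self.by_global = _wrap(key, global_key.hex()) if global_key else None

    def _open(self, wrapped, secret):  # a wrong secret yields None, not a garbage key
        if wrapped is None:
            return None
        key = _mask(wrapped[1], secret, wrapped[0])
        check = hmac.new(key, b"wallet-check", "sha256").digest()
        return key if hmac.compare_digest(check, self.verifier) else None

    def open_with_password(self, password):
        return self._open(self.by_password, password)
    def open_with_answers(self, answers):
        return self._open(self.by_answers, _join(answers))
    def open_with_global(self, global_key):
        return self._open(self.by_global, global_key.hex())
    def _rewrap(self, key, new_password):
        if key is None:
            return False  # no usable secret: in per-user mode the stored passwords are gone for good
        self.by_password = _wrap(key, new_password)
        return True
    def change_password(self, old, new):
        return self._rewrap(self.open_with_password(old), new)
    def reset_password(self, answers, new):  # forgot-password flow: answers are the only way back
        return self._rewrap(self.open_with_answers(answers), new)
```

In per-user mode a forgotten password plus forgotten answers leaves no path to the wallet key, which is exactly the help desk's complaint; in global-key mode the server can always open it, which is why the privacy and appropriate-use policy then matters.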


Alex Ivkin is a senior IT Security Architect with a focus in Identity and Access Management at Prolifics. Mr. Ivkin has worked with executive stakeholders in large and small organizations to help drive security initiatives. He has helped companies succeed in attaining regulatory compliance, improving business operations and securing enterprise infrastructure. Mr. Ivkin has achieved the highest levels of certification with several major Identity Management vendors and holds the CISSP designation. He is also a speaker at various conferences and an active member of several user communities.