Friday, February 22, 2013

Misconception Perception: Single Sign On Myths Debunked

Single Sign On (SSO) allows end users to log in once with their credentials and thereafter enjoy immediate access to all of their applications and systems without being asked to log in again. This is extremely beneficial in reducing help desk calls, since users only have to remember one password instead of many.

Though SSO can be beneficial to any company, many IT managers and security officers are skeptical about the implementation of an SSO solution. Their skepticism is the result of a number of preconceptions, which in many cases are misconceptions, about these identity and access management tools.

The following are common but incorrect beliefs about SSO:

Implementing SSO Imposes Greater Pressure on Security

IT managers and security officers often believe that logging in once to all accounts immediately places the security of information at risk. They assume that if an unauthorized person gets hold of that single log-in credential, that person will have access to all of the account’s associated applications.

When using SSO, all the various access entries to applications are replaced by one access point. For example, the software allows users to use just one password for multiple accounts. Once the password is entered, all accounts are accessed. Though this does appear to constitute a risk, the log-in process is actually streamlined for the user. Having to remember just one password essentially does away with the risk that the user will scribble passwords on a piece of paper and place them under their keyboard (as is often the case), as they might when they have to remember the 12 password and username combinations that the average user has without SSO.

This was often the case at Community Bank and Trust of Florida. Since the bank uses hundreds of different systems and applications that require complex passwords, users understandably had a difficult time remembering all of their user credentials. By implementing SSO at the bank, end users no longer have to resort to insecure methods, such as writing down their passwords to remember them.

It is also possible to add extra security to the primary SSO log-in with a user card and PIN code or an extra-strong password. Logging in with a card and PIN code is an extremely secure form of authentication, and users also consider it to be very user-friendly.

An SSO Implementation is a Long, Drawn Out Project
This is often wrongly assumed because SSO implementation is usually part of a broader security policy. Other components might include introducing more complicated passwords, taking more care with authorizations and complying with standards imposed by the government.

Because SSO affects almost all end users and runs throughout the organization, some see implementation as taking a great deal of time to notify and prepare end users for the change. SSO brings with it a number of questions, such as:
 • “How do I deal with people who have multiple log-ins on one application?”
 • “What do I do if an application offered through SSO gets a new version?”
 • “What happens if the application itself asks for a password to be reset?”

All these questions often cause SSO implementation to be shifted to the background. However, any potential complexity faced at implementation is no reason to postpone adding an SSO solution, because it has long-lasting benefits once up and running. By starting small, say by making the top five applications available through SSO, a considerable saving in the number of log-in actions can be achieved, justifying the purchase of the solution.

For example, at Community Bank and Trust of Florida, an SSO solution was easily and quickly implemented to solve its password issues. It was even possible for the bank’s IT leaders to roll into production exactly what they did during their trial phase, which made their implementation process extremely convenient.

It’s Not Possible to Make Cloud Applications Accessible via SSO

Just as with all other applications, it is certainly possible to log in to cloud applications with SSO.

An SSO Implementation is Expensive

The nice thing about an SSO solution is that it’s often not necessary to set it up for all the people in an organization. SSO may be needed only for a select group of people who need to access many different applications, such as tellers. The advice here is to restrict implementations to the most critical applications and the employees who have to log in to a variety of different applications. This will control the implementation in terms of price and complexity, and offers an excellent springboard for any further growth and expansion in accordance with changing future needs.

An SSO Solution is Not Needed Because We Use Extremely Complex Passwords

Insisting on extremely complex passwords is one way to secure the network, but at the same time, it’s also one of the causes of insecure situations. This is because many end users have difficulty remembering their mandated passwords, certainly when they have to recall more than a dozen username and password combinations. Often, requiring the use of complex passwords leads to frequent help desk calls because employees tend to forget them more readily. A highly insecure and undesirable situation arises when end users write their passwords on notes and leave them lying around their computer.

Using SSO means employees only have to remember one password for all of their applications: a simple solution to a complex problem, easier access to multiple accounts for all who need them, and fewer calls to the help desk, ensuring IT staff are able to focus on more important priorities than password resets. For example, All Star Automotive in Louisiana saw a major reduction in time spent dealing with password issues by implementing an SSO solution. The IT manager at the automotive group said, “Users can now concentrate on their jobs rather than managing their own passwords.”

For more information, please visit our website.

Friday, February 15, 2013

3 ways to use Identity & Access Management software for audits


HIPAA, Basel II, SarBox… and the list goes on. Organizations are evaluated for compliance with various standards, legislation and regulations. These evaluations are called audits, and sooner or later your organization will face one. If you are an IT manager faced with an audit, you should be able to demonstrate that you have your network fully under control. Among other things, this means that you:
  1. Must be able to demonstrate at any time who is allowed to do what in the network, and when network actions have been performed (authorizations and reporting). For instance, you should be able to indicate which employees are allowed to approve and pay invoices and who reset employee X’s password and when.
  2. Must have implemented a strong password policy.

The Identity & Access Management (IAM) solutions by Tools4ever provide you with additional support in legislative and regulatory compliance, to wit:

Who can do what?
Role Based Access Control (RBAC) is a technique for setting up authorization management in an organization and for providing insight into the question of ‘who is and is not allowed to do what in the network’. With RBAC, authorizations are not assigned to individual staff members but to RBAC roles, which are in turn derived from the employee’s department, title, location and cost center. RBAC reduces the chance of error because network actions and changes can only be performed by people who are authorized to do so based on their role/title.

Many organizations already use RBAC to a greater or lesser degree, and are at one of the following stages: discovery, project, implementation, population or management. Tools4ever assists dozens of organizations in setting up an RBAC authorization matrix. This is a hugely labor-intensive, complex and costly process. Tools4ever’s smart software makes it possible to automate the majority of the population of the RBAC authorization matrix.

Using UMRA, the so-called organizational roles - the way in which employees are designated in the HR system, particularly in terms of their title, department and cost center - are matched against the technical roles - applications and folders - present across the organization. Tools4ever can help organizations match their HR system and network, as well as analyze the current authorizations for each organizational role. This allows the organization to decide which HR attributes should be used for each role.

The result of this alignment could be, say, that 90% of a particular role, e.g. the role of nurse at the Cardiology department, involves particular authorizations. The logical step would then be to automatically assign all new employees in this role the same authorizations. By letting the majority govern the assignment of authorizations, a first step can be made towards populating the RBAC matrix in a very simple way. This approach can save you a great amount of time and money.
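The majority rule described above, as an added example that is not Tools4ever’s code: employees are grouped by the HR attributes the post names (department, title, cost center), every technical role held by at least 90% of a group is assigned to that organizational role, and the leftovers are reported as exceptions for the auditor to review. All employee data below is constructed.

```python
from collections import Counter, defaultdict

THRESHOLD = 0.9  # the "90% of a particular role" rule from the text


def _nurse(i, extra=()):
    # Constructed sample record: HR attributes plus currently held technical roles
    return {"id": f"n{i}", "department": "Cardiology", "title": "Nurse",
            "cost_center": "CC10", "tech_roles": {"EHR", "PACS"} | set(extra)}


# Constructed data set: nine nurses with the departmental share, one nurse who
# instead holds an invoice-approval role, and two finance clerks.
EMPLOYEES = [_nurse(i, ["CardioShare"]) for i in range(1, 10)]
EMPLOYEES.append(_nurse(10, ["FinanceApprove"]))
EMPLOYEES += [
    {"id": "f1", "department": "Finance", "title": "Clerk", "cost_center": "CC20",
     "tech_roles": {"ERP", "FinanceApprove"}},
    {"id": "f2", "department": "Finance", "title": "Clerk", "cost_center": "CC20",
     "tech_roles": {"ERP", "FinanceApprove"}},
]


def org_role(emp):
    """The organizational role is the tuple of HR attributes chosen for matching."""
    return (emp["department"], emp["title"], emp["cost_center"])


def populate_rbac_matrix(employees, threshold=THRESHOLD):
    """Map each organizational role to the technical roles held by the majority."""
    members = defaultdict(list)
    for emp in employees:
        members[org_role(emp)].append(emp)
    matrix = {}
    for role, emps in members.items():
        counts = Counter(r for e in emps for r in e["tech_roles"])
        matrix[role] = {r for r, c in counts.items() if c / len(emps) >= threshold}
    return matrix


def outliers(employees, matrix):
    """Authorizations a person holds that their role does not: the exceptions an
    auditor asks about, and the candidates for revocation or explicit approval."""
    result = {}
    for emp in employees:
        extra = emp["tech_roles"] - matrix[org_role(emp)]
        if extra:
            result[emp["id"]] = extra
    return result


def authorizations_for_new_hire(department, title, cost_center, matrix):
    """What a new employee in this role would be assigned automatically."""
    return set(matrix.get((department, title, cost_center), set()))
```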

Strong password policy
Many laws and regulations require the implementation of a strong password policy (strong authorization). To achieve this, it is possible to activate the complexity rules in Windows Active Directory. However, you should first ask yourself whether this complexity is desirable for your organization, as this may have major consequences for your end users.

The default Windows Active Directory password complexity rules are often insufficient. Systems administrators need a more flexible solution that, among other things, makes it possible to determine individually which rules are applied and when. For this type of scenario, Tools4ever offers Password Complexity Manager (PCM). PCM makes it possible to implement different security levels for different types of end users, based on their organizational roles and titles.

As mentioned earlier, implementing a stricter password policy has major implications for end users as well as for the organization as a whole. End users will need to remember more complex passwords, and since most of them will have trouble doing so, the helpdesk is bound to receive more password reset calls.

To reduce the number of password reset calls, Tools4ever offers Self Service Reset Password Management (SSRPM), which lets end users reset their passwords independently by providing answers to a series of simple, predefined questions.

A stricter password policy also has consequences for the productivity of employees. They will have to remember more complex passwords for all of their applications, and will be far from happy with the situation. For this reason, many organizations choose to implement an SSO solution to cater for the needs of their end users.

Our Enterprise Single Sign On Manager solution (E-SSOM) allows end users to log in once, after which they are automatically given access to all applications and resources across the network without having to log in again. E-SSOM functions as an additional software layer that handles all login processes and automatically enters the required credentials (automatic login). E-SSOM also ensures that a strong password is automatically used not only for Active Directory but for all the underlying applications as well.

For organizations that do not use SSO but nevertheless want to make sure their end users are less hindered by a stricter password policy, Password Synchronization Manager (PSM) is an eminently suitable solution. It allows end users to use the same password across every system and application. When an end user’s Active Directory password is reset, PSM ensures that all linked systems and applications receive and use the new password.

Two-factor authentication
When implementing a strong password policy is insufficient in itself (e.g. because end users end up jotting down their passwords), it is possible to use strong (two-factor) authentication. Rather than entering their user name and password, users will log in by holding a card against a card reader and entering a PIN code. This results in strong authentication, as two-factor authentication is based on something the user has (the card) and knows (the PIN code). In this set-up, the card ID is linked to the user’s Active Directory credentials.

It is also possible to implement strong authentication without having to purchase additional hardware. In this scenario, the use of smartphones takes on an important role. This is because smartphones offer various authentication capabilities, such as facial recognition (using the camera), voice recognition (using sound recordings) and geographical positioning (using GPS). This type of Low Cost Authentication is the latest trend in the field of authentication.

Automated logging
The solutions by Tools4ever ensure that all processes leave an audit trail. For each action, the system automatically logs who has performed which management activity at which moment. In this way, the organization can verify previous processes at any time and evaluate these retroactively. This is indispensable, as sound registration is a precondition for a successful audit.
For more information, please visit our website.

Friday, February 8, 2013

Single Sign On: Regulating access cards

By now, many organizations and employees are aware of the advantages of Single Sign On (SSO). Employees benefit from SSO because they only need to remember a single, complex password rather than dozens of passwords. As a result, the IT department receives far fewer password reset calls, while the organization can meet auditing requirements.

After the number of passwords has been reduced to a single complex password, organizations often want to replace the remaining password as well. SSO makes this possible by replacing the remaining username and password with an access card and a PIN code. Any type of user card can be used for this, e.g. an ID or access card. Users will be logged in automatically by placing their card in or near a card reader. The card’s unique ID is linked to the holder’s username and password via a self-service enrollment wizard.

This is a very user-friendly service for employees. But we often find that organizations do not want employees to use random card types. Instead, they only want to use cards issued by the organization itself. Tools4ever is a premier supplier offering organizations the ability to accept only cards within a certain number range. In other words, certain cards can be excluded from self-service enrollment, so that access cards are only allowed if they are issued internally.

E-SSOM, the Single Sign On solution by Tools4ever, also offers the ability to only allow active cards. When a card is issued, e.g. when a new employee enters service, it is activated by an administrator. By setting up a link with the key card system, it’s possible to only accept cards that are used actively within the organization. The main advantage is that the existing facility management process will govern both physical and logical access. When employees leave service, their access cards will be revoked and/or disabled, after which the card is also disabled in E-SSOM.

One might go a step further and only accept cards of employees who are physically present within the premises. Another option is to link access cards to the HRM system. When the HRM system indicates that an employee has left service, that user card will be disabled so that it can no longer be presented to obtain physical or logical access.
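The enrollment policy described in the last three paragraphs, as an added example that is not E-SSOM’s code: a card is accepted for self-service enrollment only if its number lies in the internally issued range, the key card system lists it as active, the HRM system lists the holder as in service and, optionally, the holder is on the premises; a sync step disables cards of leavers. The lookups are constructed stand-ins for the key card and HRM systems, and the check that the card was issued to the enrolling user is an assumption, not something the post states.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Card:
    number: int
    holder: str  # the username the user is trying to link the card to


# Constructed stand-ins for the organization's own systems.
ALLOWED_RANGES = [(100000, 199999)]  # internally issued card numbers only
KEYCARD_ACTIVE = {100001: "alice", 100002: "bob", 150000: "carol"}  # card -> holder
HR_STATUS = {"alice": "active", "bob": "left", "carol": "active"}
ON_PREMISES = {"alice"}  # holders currently badged in at the building


def enrollment_decision(card, require_presence=False):
    """Return (accepted, reason) for a self-service enrollment attempt."""
    if not any(lo <= card.number <= hi for lo, hi in ALLOWED_RANGES):
        return False, "card number outside internally issued range"
    holder = KEYCARD_ACTIVE.get(card.number)
    if holder is None:
        return False, "card not active in key card system"
    if holder != card.holder:  # assumption: a card may only be enrolled by its holder
        return False, "card issued to a different person"
    if HR_STATUS.get(card.holder) != "active":
        return False, "holder not in service according to HRM"
    if require_presence and card.holder not in ON_PREMISES:
        return False, "holder not physically present"
    return True, "accepted"


def sync_from_hr():
    """Disable cards whose holders HRM reports as having left; returns the card numbers."""
    disabled = [n for n, h in KEYCARD_ACTIVE.items() if HR_STATUS.get(h) != "active"]
    for n in disabled:
        del KEYCARD_ACTIVE[n]
    return disabled
```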

Single Sign On combined with an access card offers a variety of options for integration with other systems. For more information, please visit our website.

Friday, February 1, 2013

Tools4ever’s E-SSOM is an easy-to-deploy solution for reducing the number of required logon credentials from many to one. This product provides the ability to define which applications can be single sign on (SSO) enabled and which users are able to utilize SSO for those applications.

The software comes pre-loaded with dozens of definitions for the most commonly utilized applications and provides an intuitive, wizard-based template for creating new definitions. The use of card readers or biometric devices can ease the burden of remembering credentials even further while providing an additional layer of security.
In Use
A small client-side application is pushed out to the desktops and allows end users to enroll their credentials for authorized applications. The first time a user logs into an application or website, they are presented with a screen to enter their username and password.
Going forward, any time they launch the application or visit a password protected website, the E-SSOM application automatically provides the appropriate credentials. Should an application require a new password after a defined time period, E-SSOM can automatically provide the new password or prompt the user for one.
If card readers are utilized, a user simply swipes the card, enters an optional PIN, and is automatically logged into the computer, after which all appropriate applications are launched. An “offline” mode is available for use on laptops or home computers that are not connected directly to the domain.

Technology Employed
Tools4ever is a Microsoft Certified Gold partner and guarantees compatibility with all desktop and server operating system releases from Microsoft. E-SSOM resides on a standard Windows 2008 server and integrates seamlessly with Active Directory. A SQL database is recommended to ensure high availability, replication and redundancy. The small client application is typically deployed via Group Policy Object (GPO), but any standard software deployment tool can be utilized. Security of credentials is ensured by utilizing Triple DES encryption on the database, and all communications are handled utilizing Microsoft’s RPC transport mechanism.

Ease of Use, Configuration and Deployment
E-SSOM is an easy-to-configure and quick-to-deploy solution. Installation of the base application and client-side component, together with the initial configuration, is usually accomplished within half a day. Configuring predefined applications can be accomplished in as little as five minutes, while new product definitions might require up to one hour. Once all definitions are set, authorizing applications to individuals can be done via groups, OUs or the entire domain.

Advantages
  • Standard application definitions included for common applications.
  • Support for virtually any card reader for strong authentication.
  • Cost effective, scalable SSO solution for any size facility.
  • Excellent support from U.S.-based offices.
Recap
E-SSOM from Tools4ever is an easy-to-use application that eliminates the headache physicians and clinicians face in remembering multiple sets of login credentials. Adding a second factor of authentication, such as a proximity card, increases the overall security of the network as well.