The power of one password
Single sign-on systems help IT managers tighten security, cut help-desk costs and keep users happy.
For John Taft, information systems manager at the Nevada Division of Welfare and Supportive Services, password proliferation had become more than annoying: It was slowing information technology modernization. The division was moving from mainframe applications, which users could often access from one log-in, to Web and Windows software.
'We didn't realize they would need a lot more log-ins,' Taft said, noting that some users had as many as 15 IDs and passwords. 'It was unmanageable for those people.'
So the division bought Novell Access Manager (then called iChain), a single sign-on (SSO) system. As a result, Taft, who had previously dedicated three of his highest-salaried employees to security, has redirected two of them to other tasks.
A self-service feature has further relieved the help desk. Password calls dropped about 30 percent, users are happy and 'it was one of the few times we ever got thank-you notes in our department,' he said. Security is also enhanced because minimizing the need for users to memorize passwords has allowed more secure, 14-digit ones.
Avoiding labor costs
Perhaps the biggest benefit of SSO comes from avoiding the labor costs of help-desk employees, who spend on average 25 percent of their time handling password-reset requests, according to reports collected by Novell. But the potential labor savings for users are also significant. They save the time spent entering several passwords, and productivity increases because instead of waiting weeks for access to applications, they get almost immediate access through SSO-enabled provisioning systems. Security risks diminish as employees stop posting passwords on sticky notes and choosing passwords that are too short.
'People should move from a concept of single sign-on to reduced sign-on,' said Ivan Hurtt, Novell's director of product marketing. 'If you can reduce 20 log-ins to three, it's still not single sign-on, but then you can still get substantial savings. If you only use an application once a month, does it make sense to have single sign-on for that? At some point, the [return on investment] runs out.'
SSO actually comes in two main flavors. Plain SSO typically operates outside organizational firewalls and usually handles log-ins only for Web sites and applications, often adding self-service password management, the familiar feature that lets you set up your own password and authentication mechanisms. Often, users go to a Web portal to log in to all their applications, sometimes even legacy software.
Mainframe issues
Enterprise SSO (ESSO) typically operates inside firewalls and adds non-Web legacy applications. Some of the trickier applications to handle are mainframe programs, which often lack graphical front ends for authentication, instead employing scripting and batch processing, so ESSO tools require screen captures and other workarounds. ESSO products typically provide their own log-in boxes that pop up on each application's screen, superseding the original log-in.
Not surprisingly, the leaders in portal-equipped Web platforms (BEA, IBM, Oracle and Sun Microsystems) also tend to dominate SSO, although IBM has a strong ESSO offering under its Tivoli brand, and Oracle competes here, too. But both IBM and Oracle readily state that they get their ESSO features by licensing v-GO technology from PassLogix, which says Sun and network-management vendor BMC have similar arrangements.
Peter Doolan, Oracle's vice president of sales consulting, said many federal agencies first got into Web-centric SSO by adding it to their internal Oracle portals. But they have realized the value of adding ESSO to extend the benefits of simplified log-ins enterprisewide. States and local jurisdictions such as school districts tend to have different needs.
'They have large populations of users, especially where those users are seasonal,' said Doolan. 'There is a tremendous churn of identity that's required.'
Demand also comes from motor vehicle departments, which reacted to the national Real ID mandate by examining its impact on their security infrastructure. Many are planning to offload traffic from traditional locations that issue driver's licenses to ESSO-driven kiosks at shopping malls and other widely dispersed sites, Doolan said.
ESSO is almost always done in software installed on client or server PCs; the only hardware solution to speak of is Imprivata's OneSign appliance.
Imprivata focuses on state and local markets. The company has no federal sales force but says it expects to draw more interest as the feds move to merge their logical IT with physical-access systems such as smart-card readers.
A few other vendors sell simple, client-oriented tools that aren't enterprise quality. And some offerings from top-tier vendors, such as Microsoft Windows Terminal Server and Cisco Systems' security access control lists, have minimal administrative, policy and integration features. They provide only reduced sign-on, said Jeremy Weiss, a network-security engineer at CDW-Government who sells SSO solutions from several vendors.
Appliances can appeal to agencies with small IT departments and network teams accustomed to rack-mounting their solutions. Appliances obviate the need to buy hardware, install software and harden the resulting system's security, said Gerry Gebel, vice president and service director at Burton Group, a research firm.
Easy to roll out
'It's a relatively easy way to roll out the product and then to scale it,' Gebel said.
Nelson Martinez, systems support manager for Miami Beach, Fla., said OneSign unified about 90 percent of log-ins, which helps his part-time help desk avoid password-reset requests, reducing them by nearly 80 percent. Martinez also likes OneSign's ability to store user information securely. 'It takes all that personal information, that identity information, out of the loop,' he said.
OneSign, a hardened appliance with a Linux-based operating system, also integrates nicely with the city's Windows applications and minimizes their security risks. 'It's a lot more secure than having a Windows machine out there serving up this kind of functionality,' Martinez said, adding that he is especially concerned about running Web applications on Windows because the platform's Active Directory only allows passwords that are too long and complicated to remember or too short to be secure enough.
Martinez said OneSign is nearly problem-free. Imprivata's service team spent a week on installation, he added, mostly developing the profiles that control sign-ons for each application. 'Every time you try to establish a single log-in profile for an application, it's like starting from scratch,' he said, but after training, his staff found it easy.
Larger IT departments, in contrast, may be better equipped to install ESSO as middleware on their own servers, then extend it with a strong authentication component, such as smart cards, that complies with Homeland Security Presidential Directive 12, Gebel said.
Many ESSO vendors sell the core sign-on component bundled with two closely dependent modules: strong authentication tools and provisioning. Strong authentication tools contain digital certificates along with public-key infrastructure and other technologies for ensuring that users are who they claim to be. Provisioning, also known as identity-management, automates adding new employees and partners to the security system, setting up their rights to resources, and making sure access is revoked when they leave.
Stronger authentication
'As you start granting multisystem access through that one password, you might want to move toward strong authentication,' said Joe Anthony, IBM's program director of identity management.
Proponents say SSO's main vulnerability is that it creates a single point of failure that security threats can exploit. Improving physical-access security through strong authentication then becomes an enabler of SSO, not just an add-on. 'The solution is to have a good security policy, and know who you are letting into the room,' Weiss said.
Integration can be challenging, considering the number of applications that must fit into the SSO scheme, and many agencies still have a handful of specialized programs that require separate log-ins.
Stephane Fymat, vice president of product management and sales operations at PassLogix, summarized the competitive advantages of software not closely tied to a particular type of hardware or operating system. 'Our software is between everything you want to run,' Fymat said. 'It's like electricity. ESSO does not live, in our opinion, on an island. It really has to live in the fabric of your network.'
Another important category is kiosk software, which is designed to handle the unique challenges of terminals or PCs that must accommodate multiple users without compromising privacy or security. Hospitals were early adopters, because doctors need to quickly access patient data without waiting for boot-ups or for applications to load. Anthony said hospitals often use workers' proximity cards or badges as the second authentication factor, outfitting the kiosks with sensors that know when the devices (and presumably the people they belong to) are close by.
Federalism revisited
Federation is perhaps the most important emerging technology in SSO for governments worldwide. It is largely driven, sources say, by the need to make unconnected departments that must nonetheless collaborate, along with their equally divided IT resources, securely accessible via the Web to constituents through a single point of contact. Federation 'gives people the ability to establish multienterprise levels of trust,' said David Ting, Imprivata's chief technology officer.
The main champions of federation are the Liberty Alliance and the Organization for the Advancement of Structured Information Standards (OASIS). They jointly support an Internet language called Security Assertion Markup Language (SAML), which was designed to extend single sign-on across organizational boundaries using a federated model. 'Federation itself is about the portability of identity,' said Brian Campbell, a software engineer at Ping Identity, which makes federation software, and co-chairman of the OASIS technical committee that worked on SAML. 'What SAML seeks to do is allow users to carry identities between Web sites. It encodes, in a sort of XML security token, a message about the user's identity, based on trust. There is a [digital] certificate involved in most of the profiles.'
Campbell said the trust is established between the organization that issued the original certificate and the receiving organization, not between individual users.
SAML minimizes the need for custom integration each time an application is added to an SSO system or Web portal, said Roger Sullivan, president of the Liberty Alliance Management Board and an Oracle vice president. 'When you want to add a new resource, you only need to ensure the inbound and outbound identity assertions are SAML-compliant.' For nearly five years, the Alliance has tested products for conformance to the standard. There are no immediate plans for major upgrades to SAML, now in Version 2.0, he said.
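The federated exchange Campbell and Sullivan describe, reduced to the checks a receiving organization must make, as an added example that is not part of the original article and not any vendor's code: an identity provider signs an assertion about a user, and a service provider in another organization accepts it only if the signature verifies under a key in its trust list, the assertion is addressed to that service provider, and its validity window has not passed. The entity names, user name and keys are constructed for the example, and the XML and signature scheme are a simplified stand-in for the SAML 2.0 schema and XML-DSig.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/xml"
	"errors"
	"time"
)

// Assertion is a simplified stand-in for a SAML assertion (constructed for this example).
type Assertion struct {
	XMLName      xml.Name  `xml:"Assertion"`
	Issuer       string    `xml:"Issuer"`   // identity provider vouching for the user
	Subject      string    `xml:"Subject"`  // the user
	Audience     string    `xml:"Audience"` // service provider allowed to consume it
	NotOnOrAfter time.Time `xml:"NotOnOrAfter"`
}

// IssueToken is the identity provider's side: serialize the assertion and sign the exact bytes.
func IssueToken(key *rsa.PrivateKey, a Assertion) (assertionXML, sig []byte, err error) {
	assertionXML, err = xml.Marshal(a)
	if err != nil {
		return nil, nil, err
	}
	digest := sha256.Sum256(assertionXML)
	sig, err = rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return assertionXML, sig, err
}

// ServiceProvider is the receiving organization; TrustedIssuers is its trust list,
// the public keys (certificates, in practice) of the issuers it has agreed to federate with.
type ServiceProvider struct {
	EntityID       string
	TrustedIssuers map[string]*rsa.PublicKey
}

// Validate accepts an inbound assertion only if a trusted issuer signed it, it is
// addressed to this service provider, and its validity window has not passed.
func (sp ServiceProvider) Validate(assertionXML, sig []byte, now time.Time) (Assertion, error) {
	var a Assertion
	if err := xml.Unmarshal(assertionXML, &a); err != nil {
		return a, err
	}
	pub, ok := sp.TrustedIssuers[a.Issuer]
	if !ok {
		return a, errors.New("issuer is not in the trust list")
	}
	digest := sha256.Sum256(assertionXML)
	switch {
	case rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil:
		return a, errors.New("signature does not verify under the issuer's key")
	case a.Audience != sp.EntityID:
		return a, errors.New("assertion was issued for a different audience")
	case !now.Before(a.NotOnOrAfter):
		return a, errors.New("assertion has expired")
	}
	return a, nil
}

// accepted issues an assertion under key, applies any post-signing tampering, and reports whether sp accepts it.
func accepted(sp ServiceProvider, now time.Time, key *rsa.PrivateKey, a Assertion, edit func([]byte) []byte) bool {
	body, sig, err := IssueToken(key, a)
	if err != nil {
		return false
	}
	if edit != nil {
		body = edit(body)
	}
	_, err = sp.Validate(body, sig, now)
	return err == nil
}

// RunScenarios checks one valid token and five bad ones; all names and keys are constructed.
func RunScenarios() map[string]bool {
	idpKey, _ := rsa.GenerateKey(rand.Reader, 2048)   // the federated identity provider
	rogueKey, _ := rsa.GenerateKey(rand.Reader, 2048) // a key the provider has never trusted
	now := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC)
	sp := ServiceProvider{
		EntityID:       "https://portal.example.gov",
		TrustedIssuers: map[string]*rsa.PublicKey{"https://idp.example.gov": &idpKey.PublicKey},
	}
	good := Assertion{Issuer: "https://idp.example.gov", Subject: "user1", Audience: sp.EntityID, NotOnOrAfter: now.Add(5 * time.Minute)}
	untrusted, otherAud, expired := good, good, good
	untrusted.Issuer = "https://idp.rogue.example"
	otherAud.Audience = "https://other.example.gov"
	expired.NotOnOrAfter = now.Add(-time.Minute)
	return map[string]bool{
		"valid":            accepted(sp, now, idpKey, good, nil),
		"untrusted issuer": accepted(sp, now, rogueKey, untrusted, nil),
		"forged signature": accepted(sp, now, rogueKey, good, nil), // names the trusted issuer, wrong key
		"wrong audience":   accepted(sp, now, idpKey, otherAud, nil),
		"expired":          accepted(sp, now, idpKey, expired, nil),
		"tampered subject": accepted(sp, now, idpKey, good, func(b []byte) []byte { // edited after signing
			return bytes.ReplaceAll(b, []byte("user1"), []byte("admin"))
		}),
	}
}
```

The trust list is the part Campbell is describing: the service provider holds one key per partner organization, never anything per user, so adding a new partner means adding its key and nothing else. A production deployment gets that key from the partner's signed metadata or certificate, canonicalizes the XML before hashing, and confirms that the element the signature covers is the same element it goes on to consume.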
In the federal government, the push to integrate homeland security agencies internally is the biggest driver of interest in federation, Sullivan said. 'We actually see the majority of uses as within agencies or between agencies,' Anthony said, adding that most federal customers who use Tivoli Access Manager's federation feature use it internally.
Federation is the key technology in E-Authentication, an effort by the General Services Administration to test and certify product interoperability, and Sullivan said GSA is working on government extensions to SAML.
The certification program was originally based on SAML 1.0, but Campbell said the agency recently updated it for SAML 2.0.
Still, Gebel and Weiss both said federation technology is somewhat immature and agreed with Fymat that adoption will hinge instead on hammering out policies on how to merge business processes.
Microsoft offers a competing standard, WS-Federation, that is now being considered by an OASIS working group. Campbell said that although it is a longer specification, it was originally based on OASIS technology, uses SAML 2.0 tokens and has 'a lot of overlap.' WS-Fed, however, is the basis for a Microsoft federation server that does not fully support SAML, he said, and formation of a working group in no way implies OASIS' blessing. Still, Microsoft's participation in the organization's process is taken as a good sign.
The next major phase of SSO is likely to be extending it to machine-to-machine authentication. 'Web services are seemingly on everyone's agenda,' Gebel said. In October, the Liberty Alliance released a standard, the Identity Web Services Framework, which together with SAML 2.0 facilitates sensitive, automated financial transactions among Web services.
David Essex is a freelance technology writer based in Antrim, N.H.
There are a number of issues to consider when drawing up a request for proposals for a single sign-on system.
The most often-cited advice is to give prospective vendors a list of applications that fully describes your situation. If some are mission-critical, must-have programs, be sure to include them on the list. But go a step further and specify how people access them (via remote-control software, for example). Also include those that burden your help desk with the most password-reset calls. Don't fall for checklist-ware, products that only claim to support most of your key applications. You won't know for sure until the vendor proves it with a real demo and tells you how it is done.
Run a couple of detailed workflow scenarios past respondents, and expect detailed answers. It's a great way to detect boilerplate offerings.
When choosing an appliance or central server, devote close scrutiny to availability features such as built-in failover, redundancy and clustering, which can minimize risk.
Ask for references from customers with similar installations, and talk to them. Don't be fooled by claims of units sold; demand to know how many people actually use the product daily.
Evaluate the tool's auditing and reporting features for adherence to your specific regulatory requirements.
Beware of products geared too much to a single platform, such as Windows, if your needs are more heterogeneous. Ample connectors to third-party platforms are a good indicator.
Look for rule-based, distributed administration, which can speed a tedious process without risking security by granting too much access from remote sites. It also sets up a chain of command that boosts accountability by establishing supervision at the top.
Be sure graphical interfaces are easy not only for users, but also for administrators who oversee policies and decide on user privileges.
Vendor | Product | Major Features |
ActivIdentity (800) 529-9499 www.actividentity.com | SecureLogin SSO | Kiosk software; requires SecureLogin SSO, supports all desktop, Web, terminal and major medical applications, active-proximity badges, patient-information context |
Citrix Systems (800) 424-8749 www.citrix.com | Citrix Password Manager | SSO; password reset, desktop and Citrix Presentation Manager editions, multifactor authentication, fast desktop switching, federated SSO (some editions), Common Criteria |
CA (631) 342-6000 www.ca.com | CA Single Sign-On (formerly eTrust Single Sign-On) | ESSO; support for strong authentication, off-line operation, log-in script wizard, policy-based access, password management, auditing, load balancing, failover, server watchdog |
Courion (866) 268-7466 www.courion.com | Password Courier | ESSO; multiple access and app/system synchronization options, policy enforcement, help-desk integration, telephone access, voice biometrics, workflow, auditing, kiosks |
IBM (800) 426-4968 www.ibm.com | Tivoli Access Manager for Enterprise Single Sign-On | ESSO; policy enforcement, Triple DES, AES encryption, FIPS 140-2 privacy/security, XML event logging, provisioning, reset and authentication adapters |
Imprivata (877) 663-7446 www.imprivata.com | OneSign | ESSO; network appliance; authentication, SSO and physical/logical convergence versions, smart automated profile generator, business-process extensions, self-service, auditing |
Novell (800) 529-3400 www.novell.com | Novell Access Manager | SSO; SAML, Liberty ID-FF, WS-Federation support, identity authentication server, forms, federated provisioning, policies/roles in Identity Manager, SecureLogin, VPN, Java agents |
Oracle (800) 672-2531 www.oracle.com | Oracle Enterprise Single Sign-On Suite | ESSO; optional log-on manager, password reset, authentication, provisioning, kiosk modules, Triple DES, AES encryption, FIPS 140-2 privacy/security |
PassLogix (866) 727-7564 www.passlogix.com | v-GO Self-Service Password Reset | ESSO; Windows-only log-ins, Web-based user questions and answers, administration, back-end Microsoft or Oracle 9i repository, auditing/reports |