Single Sign-On 101: Beyond the Hype
What SSO Can and Can’t Do For Your Business
Outline
• Definitions
• Business Requirements
• SSO Technologies
• Authentication Methods
• SSO Case Studies
Black Hat Briefings, Diana Kelley & Ian Poynter
Definition
• Single Sign-On
  – Fantasy
    • One Password For Everything!
  – Reality
    • Most Systems And Applications Already Have Their Own Proprietary Login Functionality
    • Reduced Logins For Discrete Systems
      – Corporate Systems
      – Shared Intranet/Web Applications
      – Web Logon Aggregators
Business Requirements
• Is There A Problem Here?
  – Mushrooming Passwords
  – Need For Re-use
  – “Sticky Note” Password Cache
  – Unencrypted Text Files On Laptops and PDAs
Business Requirements
• Deceptively Intuitive
  – Reduce Costs
  – Increase Security
  – Increase Efficiency
  – Increase Convenience
  – My Boss Told Me I Have To
Business Requirements
• Be Honest About the Cost / Benefit Analysis
  – Use Hard Numbers
    • What Does it Cost to Reset a Password?
    • How Much Time is Spent Logging into Multiple Systems Each Morning?
    • What is The Real Cost of Integration?
    • Will Additional Authentication Methods Need to be Purchased?
Business Requirements
• Be Honest About the Cost / Benefit Analysis
  – Don’t Forget the Ease of Use Factor
    • Consider Training for Administrators and All Users
  – QA and Versioning Can Increase TCO
Business Requirements
• Think About the Inside and the Outside
  – Multiple User Populations Can Increase Costs
  – Tiered Authentication Levels
  – At a Minimum, Need Secure Password Selection Training for Everyone
Business Risks
• Single Point of Failure
  – Denial of Service / Lack of Availability
• Stolen Credentials via Insecure Implementations
• Overly Ambitious Projects
  – Physical and Network
  – Complicated Procedures
    • n-factor Authentication
  – Square Pegs in Round Holes
Business Risks
• Failure to Consider the Legacy
  – OS/390, AS/400, Custom Client/Server Applications, RADIUS
• Failure to Consider Regulatory Requirements
  – Financial Services and GLBA
  – Health Care and HIPAA
  – Content Providers and COPPA
  – International Businesses and EU DPD
Authentication Methods
• Declaring and Proving Who or What You Are
• Sure, Signing on Once, but What With?
• Becomes an Even Larger Question with SSO Because More Systems are Involved
Authentication Methods
• Have, Know, Are
  – Tokens, Passwords, Fingerprints
• Single vs. Multi-Factor
Authentication Methods
• Passwords
• One Time Passwords
• Tokens and Smart Cards
• PKI
• Digital / Machine Fingerprints
• Biometrics
Authentication Protocols and Technologies
• Dial-In Users and Wireless (802.1x)
  – RADIUS
• S/390 Mainframes
  – RACF, ACF2, CA Top-Secret
• Unix
  – PAMs (Pluggable Authentication Modules)
• Windows
  – GINA, Kerberos, NTLM
SSO Technologies
• Traditional Single Sign-On
• Password Synchronization
• Authentication Platforms
• Web Logon Aggregators
• NB: Convergence Between Traditional SSO and Authentication Platforms
SSO Technologies
• Traditional Single Sign-On
  – Allows a User to Login Once, Using a Single Authentication Method, to Gain Access to Multiple Hosts and / or Applications
  – May Also Provide Access Control / Authorization Features
    • Authorization policies restrict which applications or systems a user has access to
    • And what the user can and can’t do on these applications and systems
SSO Technologies
• Traditional Single Sign-On
  • Not an Entirely New Concept
    – Kerberos and Kerberized
    – RADIUS and Radiized
Traditional SSO: How It Works
• Authenticate Once To Access Many
• Login Credentials (ID And Authentication) Usually Stored Locally
• Transparently Presented to the System or Application When Needed
Traditional SSO: How It Works
• Single Credential for All Systems
  – Kerberos Model
• Multiple Credentials
  – Required for Most Heterogeneous Environments
Traditional SSO: How It Works
• APIs And DLLs
  – Write the SSO Authentication into Each Application or System (compare to: Radiized)
  – Or Use Replacement DLLs
• Scripts
  – Pieces of Code on the Client That Manage the Login Procedure to Multiple Systems
• Cookies
  – For Web Applications Only
Traditional SSO: Pros and Cons
• Pros
  – Very Easy to Use
  – Reduces Support Costs
  – Reduces Logon Cycles
• Cons
  – Integration of Legacy Can Be Expensive and Time Consuming
  – Single Point of Attack
  – Scripting Solutions Often Lead to Storage of Passwords And IDs on the Client
Traditional SSO: Business Fit
• Good Business Fit for
  – Companies That Want to Simplify the User Experience
  – Companies That Need to Reduce the Login Cycle
Traditional SSO: Brand Examples
• IBM/Tivoli Global Sign-On
• Netegrity SiteMinder
• RSA ClearTrust (formerly Securant)
SSO Technologies
• Password Synchronization
  – Manage Passwords Across Platforms and Systems
  – Keeps Same Password So User Only Needs to Remember One
  – When User Changes Her Password, Synchronization Server Automatically Updates User Password on All Available Systems or in the Central Repository Server
Password Synchronization: How It Works
• Distributed
  – Agents Automatically Reset Passwords on Applications and Systems
• Centralized
  – All Authentication Requests Are Forwarded to a Central Server
Password Synchronization: Pros and Cons
• Pros
  – User Has Only One Password to Remember
  – Usually Fairly Easy to Implement
  – Help Desk Can Reset Passwords to All Systems From Single Console
• Cons
  – Does Not Reduce the Number of Logons
  – Only Supports Password Authentication
Password Synchronization: Business Fit
• Good Business Fit for
  – Companies That Only Use Password Authentication
  – Companies That Don’t Need to Reduce the Login Cycle
Password Synchronization: Brand Examples
• PassGo, InSync (formerly Axent/Symantec)
• Courion, Password Courier
SSO Technologies
• Authentication Platforms
  – Provide a Central Point of Management for Multiple Authentication Schemes
  – Users Authenticate To A Gateway Using Any Combination of Authentication Methods
    • Smartcards, PKI, Biometrics etc.
  – Supports Multi-layer Authentication Policies
Authentication Platforms: How It Works
• Abstracts the Authentication Layer to an Authentication Gateway
• All Users Login to this Gateway
• Gateway Determines Level / Type of Authentication that is Required
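As an added illustration of the gateway model on this slide (not code from the deck or from any product it names), the following Python models a gateway that applies the tiered, multi-layer policies the slides describe, using the Have / Know / Are categories from the Authentication Methods slides. The application names, the policy table and the "distinct categories" rule are constructed assumptions.

```python
"""Authentication gateway with tiered, multi-layer policies (added example).

Not code from the deck or any product it names. Factor categories follow the
slides' "Have, Know, Are" split; the applications and policy table below are
constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    HAVE = "have"   # token, smart card
    KNOW = "know"   # password, PIN
    ARE = "are"     # fingerprint or other biometric


@dataclass(frozen=True)
class Policy:
    """How many distinct factor categories an application demands, and which
    categories are mandatory regardless of the count."""
    min_distinct: int
    required: frozenset = frozenset()


# Constructed tiered policy table. Two "know" factors (password + PIN) still
# count as a single category, so they never satisfy a 2-factor tier.
POLICIES = {
    "intranet":  Policy(min_distinct=1),
    "payroll":   Policy(min_distinct=2),
    "wire-xfer": Policy(min_distinct=2, required=frozenset({Factor.HAVE})),
}


def gateway_decision(app, session_factors):
    """Evaluate `app`'s policy against the categories already proven in a session.

    `session_factors` is everything the user has presented to the gateway so
    far (this is the state an embedded SSO layer would keep, so a second
    application needs no second login). Returns (allowed, step_up) where
    `step_up` is the set of categories still needed, so the gateway can ask
    for one more factor instead of failing the whole session.
    """
    policy = POLICIES[app]
    proven = frozenset(session_factors)
    step_up = set(policy.required - proven)
    if len(proven) < policy.min_distinct:
        # Any category not yet proven would raise the distinct count.
        step_up |= set(Factor) - proven
    return (not step_up, step_up)
```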
Authentication Platforms: Pros and Cons
• Pros
  – Eases Integration With Abstracted Authentication Layer
  – Support for Most Authentication Factors
• Cons
  – Does Not Reduce Number of Logins, Unless SSO is Embedded in the Authentication Platform
  – Single Point of Attack / Failure
    • Denial of Service
Authentication Platforms: Business Fit
• Good Business Fit for
  – Enterprises with Hierarchical, Complex Authentication Requirements
  – Companies using N-factor Authentication Solutions
  – Organizations with Regulated Security / Privacy Requirements
    • Financial Institutions, Health Care, Government Agencies
Authentication Platforms: Brand Examples
• Bionetrix Authentication Server
• Novell Modular Authentication Service (NMAS)
• ActivCard (formerly Ankari)
  – Trinity Server with SSO Functionality
SSO Technologies
• Web Logon Aggregators
  – One Login, Access Multiple Sites
  – User Logs into Aggregator Software or Site at Beginning of Session
  – All Subsequent Logins to Web Sites Visited Are Handled Transparently
Web Logon Aggregators: How It Works
• Credentials Are Cached Either
  – Locally via Cookies
  – On Server via State Mechanism
• Automatically Presented to Sites as Needed
Web Logon Aggregators: Pros and Cons
• Pros
  – Ease of Use
  – Streamlines Web Experience
• Cons
  – Web Only
  – Sites May Need to Opt In
  – Outsources Trust to 3rd Party
  – Loss of Control
Web Logon Aggregators: Business Fit
• Good Business Fit for
  – Companies Providing Web Interfaces to Customers or Employees
  – Home Users Who Want to Streamline Their Web Experience
Web Logon Aggregators: Brand Examples
• .NET / Passport
• Liberty Alliance (in process)
• Yodlee
  – Account Aggregator