Intranet Journal
The online resource for intranet professionals


Legacy Single Sign-On : A Competitive Analysis


Brien Posey

10/14/02


As the complexity of enterprise systems increases, users are forced to remember more and more passwords. As the burden on users grows, many choose to write down their passwords, and by doing so jeopardize security. Even users who never do anything to compromise the organization's security are more likely to forget passwords when multiple passwords are required, and the resulting constant password resets can amount to a substantial cost. The solution to this problem is for organizations to implement single sign-on software across the enterprise. In this article, I'll be comparing five leading non-Web-based single sign-on products to see which is the best.

What is Legacy Single Sign-On?
Like Web single sign-on, legacy single sign-on is a technology that allows a user to use a single password to access all resources that are available to them. However, while Web single sign-on only controls Web-based applications, legacy single sign-on extends the single sign-on functionality to other types of applications and network resources, typically within an organization's own intranet, such as applications running in terminal emulators or Windows GUI-based applications.

THE ISSUES

Comparing software products is rarely as simple as just picking the product that seems to work the best. Usually, as is the case in this comparison, there are a plethora of issues that must be weighed. In the sections that follow, I've explained the most important issues that anyone considering buying a single sign-on product should take into account.

Supported Platforms

The first issue that must be taken into account is the issue of compatibility with the existing infrastructure. Not all single sign-on products will work with all server platforms or with all client platforms. Additionally, not all legacy single sign-on products are able to perform authentication for every application.

Scalability and high availability

The next issue that you must consider is scalability. Traditionally, many single sign-on products simply don't scale well for larger organizations. Although each single sign-on vendor publishes some sort of scalability information, I've found that it's just as important, if not more so, to examine real-world deployments as it is to look at the manufacturer's scalability information. Although the information isn't available for each product, I've included some information on the largest real-world deployment for some of the products later in this document. High availability is also essential. SSO is a business-critical application: when an SSO service that is not highly available goes down, employees are unable to reach the applications they need to respond to enquiries. Therefore, SSO high availability is a critical feature!

Smart Card Support

If used improperly, single sign-on products can actually weaken an organization's security. After all, if an intruder happens to figure out a user's single sign-on password, they will gain access to everything that the user has access to, regardless of other password checkpoints that may be in place. One way of helping to counter potential vulnerabilities is to combine single sign-on technology with smart card technology. Therefore, when making a purchasing decision, it's wise to check whether the product that you're considering supports smart cards, and if so, which smart card vendors are supported. Likewise, some single sign-on products offer PKI and biometric support.

Personalization

Although not an essential feature from a functionality standpoint, personalization features deserve some level of consideration. Personalization features vary from product to product, but are typically aimed at making a user's experience easier. Some personalization features provide the user with a custom desktop or application list composed only of resources that they have access to. Other personalization features might include support for roaming profiles in a single sign-on environment.

Pricing

Any time that you're making a purchasing decision for an organization, price should be a consideration. Most single sign-on products require the purchase of a server license and of client licenses for each user who will be using the single sign-on product.

Although this review focuses solely on the cost of the software itself, you must remember that you'll need at least one server (and often two servers, for highly available configurations) on which to run and administer the single sign-on backend installation. Therefore, when building a single sign-on product into your budget, be sure to plan on purchasing the necessary hardware.

Ease of Deployment and Management

Another major issue when purchasing single sign-on products is ease of deployment. Some single sign-on products require you to install an agent or a client component onto each workstation. It's important to determine ahead of time if this is an automated or a manual process, as manually deploying the product can really cut into your implementation budget. Many products also require you to write complicated scripts that link the single sign-on database to the legacy applications.

Another important feature is the ability of the SSO solution, once deployed, to securely, easily and automatically transfer the users' existing passwords into its SSO repository. Last but not least, once deployed, it's important that the solution is able to monitor and report on user accesses and administrative activity: for example, to identify security attacks, dormant accounts and the like, and to issue alarms in case of suspicious activity.
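The monitoring and reporting described above, as an added illustration that is not code from any of the products under review: it runs over a constructed SSO audit log (timestamp, user, application, outcome; a format assumed for this example) and flags dormant accounts, bursts of failed logins, and administrative actions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log for this example (not from a real product).
# Fields: ISO timestamp, user, application, outcome (OK / FAIL / ADMIN:action:target).
SAMPLE_LOG = """\
2002-06-01T08:02:11 alice mainframe OK
2002-10-01T08:05:40 bob erp OK
2002-10-03T09:11:02 bob erp OK
2002-10-13T22:14:01 mallory erp FAIL
2002-10-13T22:14:03 mallory erp FAIL
2002-10-13T22:14:05 mallory erp FAIL
2002-10-13T22:14:08 mallory erp FAIL
2002-10-13T22:14:10 mallory erp FAIL
2002-10-13T22:14:12 mallory erp FAIL
2002-10-14T07:30:00 admin sso-console ADMIN:reset_password:bob
"""

DORMANT_AFTER = timedelta(days=90)          # no successful login for this long
FAIL_THRESHOLD, FAIL_WINDOW = 5, timedelta(minutes=5)  # burst of failures

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, user, app, outcome = line.split(" ", 3)
        events.append((datetime.fromisoformat(ts), user, app, outcome))
    return events

def dormant_accounts(known_users, events, now):
    # known_users comes from the SSO repository; accounts with no successful
    # login inside DORMANT_AFTER (or none at all) are reported.
    last_seen = {}
    for ts, user, _, outcome in events:
        if outcome == "OK":
            last_seen[user] = max(last_seen.get(user, ts), ts)
    return sorted(u for u in known_users
                  if now - last_seen.get(u, datetime.min) > DORMANT_AFTER)

def failed_login_bursts(events):
    # Sliding window per user: alarm once FAIL_THRESHOLD failures fall within FAIL_WINDOW.
    fails, alarms = defaultdict(list), set()
    for ts, user, app, outcome in events:
        if outcome != "FAIL":
            continue
        window = fails[user]
        window.append(ts)
        while ts - window[0] > FAIL_WINDOW:
            window.pop(0)
        if len(window) >= FAIL_THRESHOLD:
            alarms.add((user, app))
    return sorted(alarms)

def admin_actions(events):
    # Administrative activity is reported separately so it can be audited.
    return [(user, outcome.split(":", 2)[1:])
            for _, user, _, outcome in events if outcome.startswith("ADMIN:")]
```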

Does It Use True Password Synchronization?

Perhaps the most important issue to consider when comparing single sign-on products is whether the product performs password synchronization. The reason why this issue is so important is that password synchronization dramatically weakens security. For example, suppose that a user within an organization had ten different applications that required individual passwords. If this organization were to implement a form of single sign-on that relied on password synchronization, then each of these ten applications would have the same password as the user's primary network authentication password. This means that if someone were to figure out the password, e.g. through a sniffer or protocol analyzer from the Internet, they could manually log into the network or into any one of the applications!

Some single sign-on products allow each application to maintain a separate password. These passwords are stored in a protected database. When a user logs into a single sign-on client, the database is made available to them. When the user attempts to access an application that requires a password, the password is pulled from the database.

Multiple password single sign-on is much more secure than synchronized passwords, because in this scenario, the possibility of exposing all applications with one password theft or breach is eliminated. If someone happens to crack the password for one application, they won't have a password that works on every other application as well. Sure, if a rogue user were to figure out a user's single sign-on password, they would gain access to all password-protected applications, but that's why I recommend using smart cards in conjunction with single sign-on products.
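To make the difference between the two models concrete, here is an added example that is not taken from any of the products reviewed: a minimal per-application credential vault sealed under a key derived from the user's single sign-on password, beside a helper that measures how many applications a single leaked application password exposes under each model. The HMAC-based keystream is an illustrative stand-in for the vetted cipher a real product would use.

```python
import hashlib, hmac, json, os, secrets

PBKDF2_ROUNDS = 200_000

def _derive_keys(master_password, salt):
    # One PBKDF2 run over the SSO password, split into an encryption key and a MAC key.
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, PBKDF2_ROUNDS, dklen=64)
    return km[:32], km[32:]

def _keystream(key, nonce, length):
    # Counter-mode keystream from HMAC-SHA256 (illustrative; use AES or similar in practice).
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])

def seal_vault(master_password, app_passwords):
    # Encrypt the per-application passwords and authenticate the result.
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(master_password, salt)
    plaintext = json.dumps(app_passwords).encode()
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}

def open_vault(master_password, vault):
    # The vault only opens with the correct SSO password; tampering is rejected.
    salt, nonce, ct, tag = (bytes.fromhex(vault[k]) for k in ("salt", "nonce", "ct", "tag"))
    enc_key, mac_key = _derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong SSO password or tampered vault")
    plaintext = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return json.loads(plaintext)

def provision(apps):
    # Multiple-password model: every application gets its own random password.
    return {app: secrets.token_urlsafe(16) for app in apps}

def synchronize(apps, network_password):
    # Password-synchronization model: every application shares the network password.
    return {app: network_password for app in apps}

def apps_exposed_by_leak(leaked_app, app_passwords):
    # Blast radius: every application whose password equals the leaked one.
    leaked = app_passwords[leaked_app]
    return sorted(a for a, p in app_passwords.items() if p == leaked)
```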

Why Use Legacy Single Sign-On?

As you read through the various issues involved in acquiring and implementing a single sign-on solution, you've probably noticed that implementing a single sign-on solution is a big undertaking. First, single sign-on products are expensive, costing anywhere from about $200,000 to $400,000 in a 5000 user organization. These applications can also be difficult to deploy and can create some tricky security issues. With all of these factors working against single sign-on products, you may be wondering if implementing a single sign-on product is really worth the cost and effort.

What might not be obvious at first glance is that implementing a single sign-on solution isn't just a way of making users' lives easier. Single sign-on products can actually save enterprise-class organizations significant operational costs over the long term.

Few people will deny that most helpdesks receive more phone calls for password resets than for any other issue. In fact, a report from Gartner Group indicates that in the year 2000, a full 30% of helpdesk calls were password related. The report went on to suggest that each password reset cost the average company about $32.

At first, $32 for a password reset seems like an excessively high figure. However, when you consider the amount of money that the company is paying the helpdesk staff and the person who needs their password, you can see how much money can be wasted on non-productive time. The time that the user spends trying to guess their password, phoning the helpdesk, and waiting for the reset can easily be translated into wasted money. Likewise, the time that the helpdesk staff spends dealing with the password reset could better be spent assisting others who currently are unable to be productive due to more serious issues. Other factors that lead to the $32 per password reset figure are business opportunities that may be lost while the users are waiting for help.


Copyright 2002 Jupitermedia Corporation, All Rights Reserved.