Intranet Journal
The online resource for intranet professionals


Legacy Single Sign-On: A Competitive Analysis


Brien Posey

10/14/02


If you believe that $32 per password reset is an accurate figure, then you can see just how much money a company could lose over the course of a year. Most users will require a couple of password resets per year, and others chronically forget passwords every couple of weeks. If you figure that on average a user will need four password resets per year, then an organization of 5000 users will waste $640,000 per year on password resets.

As you can see, purchasing a single sign-on product for a 5000-user organization costs less than continuing to reset passwords. However, if you do decide to purchase a single sign-on solution, don't expect the product to save your organization any money the first year, as rollout costs can be considerable. Some single sign-on products require an entire team of developers to link the product to the various applications. You can also expect to spend a considerable number of hours deploying the product to users, and further educating the users on how to use the product. Over time, however, the return on the investment will surpass the operational loss of continuous password resets.

PRODUCT LEADERS

At the time that this paper was written, there were five major players in the legacy single sign-on market. This list includes IBM, Novell, Evidian, Computer Associates, and PassGo Technologies. In the sections below, I'll discuss each company's respective product. The comparisons are made in a random order and don't reflect my preferences.

IBM

IBM brings a product called Tivoli Global Sign-on to the single sign-on game. A module of the large Tivoli security software family, Tivoli Global Sign-on is designed to work with other Tivoli products and supports AIX, Solaris, and Windows NT server platforms. On the client side, AIX, Solaris, Windows NT, Windows 2000 and Windows 9x are supported.

Given Tivoli Global Sign-on's $2000 per server and $75 per client license price tag, I had high hopes for this product. However, I found it extremely difficult to get information about Tivoli Global Sign-on. The Tivoli Web site is very vague, and most of my phone calls to IBM went unreturned. When I finally reached someone at IBM, they refused to give me any information and specifically requested that Tivoli not be included in my review.

Needless to say, after all of this I suspected that IBM had something to hide, but then I found the smoking gun right on IBM's Web site. The IBM Web site contained links to several third-party reports that included incriminating evidence against Tivoli Global Sign-on. One such report at http://www.gartner.com/reprints/ibm/101623.html said "Customers began complaining about a lack of code reliability, sales force arrogance, poor customer support and implementation complexity/time-to-value. In fact, a substantial percentage of Tivoli's product sales were never deployed successfully." While this report speaks of the Tivoli product line in general rather than specifically discussing Tivoli Global Sign-on, it does raise some serious concerns about Tivoli.

More specifically, other contacts at large security integrators mentioned Tivoli Global Sign-On as a very complex and unstable product that often failed to be deployed successfully. As a result, my contacts said they continued to integrate many Tivoli security products, but had stopped proposing Global Sign-On to their customers. This is further evidence that this product may not be a fully bullet-proof legacy SSO solution today.

Novell

Although I've never been a big Novell fan, I found Novell's SecureLogin to be one of the better products in my comparison. SecureLogin supports NetWare 5 or higher, Windows NT, Windows 2000, Solaris, and Linux server platforms. Windows 9x, Windows NT, Windows 2000, Windows XP, Linux, and Citrix are supported clients, as are thin terminal server clients.

What's so impressive about Novell's single sign-on product is that the core product runs at the client end. Only the actual database runs on the server. According to Novell, this configuration means that there is no limit to the number of supported clients or to the number of passwords that can be stored. Additionally, SecureLogin is designed to be easy to deploy and many common applications are automatically recognized and integrated into the single sign-on software.

The product is also part of a larger security offering, "Secure Access," recently launched by Novell. This product line includes user provisioning, access control, web SSO, firewall… Novell is obviously fighting to raise its profile as a prominent security solution vendor.

The only real downfall to Novell's single sign-on solution is that it does not support the leading Unix flavors (AIX, Solaris) on the client side, and that, because the product runs on workstations rather than on a server, it must be individually installed on every single workstation. Additionally, the $79 per user price tag seems to be a little steep. This product is also primarily dedicated to users of Novell environments, including eDirectory. Many users have made the choice to rely on other directories such as Microsoft Active Directory or Sun ONE Directory. As a result, the Novell solution is a very good fit for existing Novell customers, but others will have to consider migrating to eDirectory in the mid term if they choose this SSO product.

Evidian

Evidian's legacy single sign-on product is called Access Master SSO (not to be confused with Access Master PortalXpert, the Web SSO product, with which it is interoperable). Access Master supports Windows NT, Windows 2000, UNIX, AIX and Solaris servers. The product also runs on Windows 9x, Windows NT, Windows 2000, Windows XP, Linux, AIX, Solaris and Citrix clients, in addition to supporting thin terminal clients. Smart cards are supported on all types of client workstations, making it a very secure solution.

Access Master SSO's biggest claim to fame is that it provides seamless SSO for the entire application chain, from web to legacy, and offers native integration with user provisioning and PKI management (with modules called AccessMaster Security Policy and PKI Manager). It also benefits from drag-and-drop automated configuration tools that let the security administrator define SSO procedures without the scripting or specific developments that most other SSO products require.

AccessMaster has been deployed to dozens of large customers and, for at least one of them, to over 70,000 users in a real world, production environment. According to my research, no other single sign-on has been deployed to anywhere near this many users in a real world, PC environment. Evidian is able to achieve these large-scale deployments because of the unique way that Access Master SSO is designed. The product runs primarily on the server, and a self-learning mode helps Access Master SSO quickly detect applications and integrate the detected applications into its database. Although Access Master SSO does require a client component to run on the workstations, the client component can be simultaneously deployed to thousands of PCs with only a few mouse clicks. Once deployed, AccessMaster also performs security audit and tracking, and offers high availability and load balancing.

The downfall to Evidian's single sign-on solution is its low presence in the US market, compared to Novell, Tivoli or Computer Associates. Until now, the company has developed mostly in Europe and Asia. However, some US security integrators now propose Evidian products.


Copyright 2002 Jupitermedia Corporation, All Rights Reserved.