"Single Sign-On (SSO) improves usability and productivity of SAP users by
providing or leveraging a single authentication service (for example Windows authentication) that allows
users to logon once and then to transparently access all SAP applications on different servers."
Source: SECUDE International AG
Smart Enterprise Single Sign-on (ESSO)
Already working or still authenticating again, again, and again?
1. Introduction
"Passwords cost time, money and are a pain in the neck."
Authentication with username and password can be reduced to this provocative
and simple quote. Once security is factored in, the explosion in the number of
passwords needed to access sensitive company data and IT systems actually
reduces security. A Single Sign-On solution therefore allows for greater
security as well as much better user friendliness and productivity, because
there are fewer passwords to manage.
Nevertheless, this kind of user authentication remains one of the most common,
and companies are reluctant to introduce stronger authentication methods
because they fear complex integration efforts and extraordinary expense. This
white paper shows how to increase the security and usability of existing and
alternative authentication methods, and is also meant as an orientation guide.
It describes how the requirements for reliable and powerful user
authentication can be met efficiently, conveniently, and at low cost.
The section Strong, Reliable User Authentication Using Secure SignOn discusses
the challenges of user authentication and describes how Secure SignOn
simplifies and optimizes the process of user authentication:
- Simple, convenient user access to IT resources with Single Sign-On
- Increased user productivity through Single Sign-On
- Password-related help desk requests reduced by up to 95 percent
- Reduced administration effort
- Streamlined password management
- Easy implementation of security policies and guidelines
- Increased access control
2. The Challenges of User Authentication
2.1. Already Working or Still Authenticating?
During a routine day of work, users need to enter a significant number of
passwords to gain access to their company's various IT resources. For example,
the Windows operating system, the SAP system, the e-mail server, and multiple
web applications each provide their own authentication dialog. Typically, each
application requires users to enter a combination of username and password to
identify themselves. Users also need to re-authenticate themselves frequently,
for example when switching between systems, after the system has gone into
standby mode, or after a user session has timed out.
Unfortunately, this authentication approach is time-consuming and can
significantly reduce actual working time. In addition, there are annoying
delays when a user forgets a password. This happens most commonly after
weekends, holidays or sick leave, especially when the company's security
policy requires regular password changes, minimum password lengths, and
passwords made up of complex combinations of letters, digits and special
characters, possibly with different validity periods per system. In most
companies, forgotten passwords are encountered on a daily basis. Instead of
going directly to the administrator, however, employees typically try to access
the system using all kinds of probable and improbable combinations so that they
can start to work. If this fails, they still need to call the help desk for
support. More valuable working time is wasted before one of the administrators
has time to look into the problem and reset the password(s) so that the
employee can access the relevant data or information. Gartner estimates that a
user calls the company help desk on average 3.8 times per year about password
issues. With several hundred employees, the amount of time and money spent on
password resets is staggering. Forgotten passwords are a burden for the user
and the help desk at the same time.
2.2. The Password Dilemma
Combining a username with a password (single-factor authentication) is still
the most common method of user authentication for businesses. Although it is no
longer able to withstand sophisticated attacks from external hackers, nor to
fulfill the stringent security requirements for sensitive company data, many
businesses are reluctant to give up this seemingly simple authentication method
in favor of a more powerful and efficient one.
In today's world of IT, however, it is relatively easy to find out passwords,
even for attackers with limited hacking experience. Given physical access to
office workstations, it can be as simple as collecting the post-it notes from
the computer monitors. Practice has shown that the more passwords a user has to
remember, the more likely he is to write them down somewhere.
Another successful approach is simply to analyze the user's personal traits.
So-called social engineering methods are based on the fact that a user
confronted with a large number of passwords usually tends to choose simple
passwords that he never or very rarely changes. If several authentication
procedures have to be performed, he will often reuse the same username/password
combination because it is easy to remember.
This makes it relatively easy for attackers to guess passwords; typically, a
password is a reference to the user's personal life, such as a partner's or
child's name or even a birthday. Innocent small talk in the staff lounge or on
the telephone is often enough to reveal an employee's vital personal details.
The internet is a popular source of information for learning more about people
and guessing potential passwords. In addition, the internet also offers
numerous tools and manuals on how to bypass and crack passwords. In the wrong
hands, even commercial password recovery tools can easily be used to obtain
passwords. That is why passwords are an obstacle only to unsophisticated
attackers.
Security measures intended to increase password security often result in the
so-called "Password Dilemma". An enterprise tries to make its network access as
secure as possible. Knowing that simple passwords are easy to crack, it
introduces a new password policy that enforces complex passwords consisting of
numbers, letters and special characters. But complex passwords are difficult
for users to remember. They therefore tend to write the complex passwords down
somewhere because they cannot keep them in their heads. This actually weakens
security, because written-down passwords are vulnerable to simple attacks such
as "shoulder surfing". Password policies that enforce complex passwords thus
frequently end in the "Password Dilemma" cycle.
3. Strong, Reliable User Authentication Using Secure SignOn
To prevent hacker attacks, user authentication must be secure and reliable. At
the same time, it should be user-friendly so that users readily accept it.
Secure SignOn frees both users and administrators from having to deal with
password problems. With Secure SignOn, businesses can easily manage numerous
passwords and move to more powerful and reliable methods of user
authentication when required.
3.1. Ease of Use Instead of Endlessly Authenticating
With Secure SignOn, instead of having to memorize numerous passwords, users
only need to remember one. Employees are relieved and can focus on their actual
workload instead. Help desk staff and IT administrators are also relieved, as
the number of password-related queries and issues is significantly reduced.
Secure SignOn provides Single Sign-On (SSO). Single Sign-On means that a user
only has to sign on once to the system to access all data, applications and
services he is authorized for, without having to repeat the authentication over
and over again. Whenever an application or system environment requests a new
user authentication, SSO automatically signs the user on in the background
without requiring any further (manual) input.
With the automatic password change feature, it is possible to introduce complex
and long passwords. Since they are generated and changed automatically without
user interaction, they can be as complex as desired and can also be changed
very frequently without degrading the user experience.
As a result, Secure SignOn offers maximum convenience. This is very important
for user acceptance; many employees, and management in particular, are not
willing to engage with complex technologies even if they improve the company's
IT security level. Secure SignOn, however, meets with no user resistance, as it
offers users a much simpler alternative to multiple passwords and greatly
speeds up the authentication process. In fact, user response to the solution
has been positive thanks to its simple, easy-to-use design. Users do not even
need to be trained in how to work with Secure SignOn; acceptance and
satisfaction are guaranteed.
The user passwords are kept in an encrypted vault stored in the user's profile.
Since the file is encrypted, it is protected from access by unauthorized users.
Note that every application password is unlocked by the one master credential
(the Windows logon or the token PIN), so that credential must be protected at
least as strongly as the most sensitive application behind it. Secure SignOn
also supports Roaming Profiles on Windows if they are enabled.
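The following is an added illustration of the two mechanisms described in this section and in The Password Dilemma above, a credential vault unlocked by a single master secret and automatic rotation to policy-compliant passwords the user never sees. It is example code written for this edit, not SECUDE's vault format or implementation, and it assumes a generic design: the key is derived from the master secret with PBKDF2-HMAC-SHA256 and the vault is sealed with an encrypt-then-MAC construction built only from HMAC-SHA256 (a CTR-style keystream plus an authentication tag), so that it runs with the Python standard library alone. A production vault would use a vetted AEAD such as AES-GCM; the structure, not the cipher, is the point.

```python
"""Model of an SSO credential vault (added example, not SECUDE code).

One master secret unlocks every application password; rotation generates a
fresh policy-compliant password and reseals the vault without user input.
Cipher: HMAC-SHA256 used as a CTR keystream, then HMAC-SHA256 tag over
salt || nonce || ciphertext (encrypt-then-MAC). Assumed for illustration.
"""
import hashlib
import hmac
import json
import os
import secrets
import string

PBKDF2_ITERATIONS = 200_000
TAG_LEN = 32
SYMBOLS = "!#$%&*+-=?@^_"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def derive_keys(master_secret: str, salt: bytes):
    """Derive separate encryption and MAC keys from the single master secret."""
    km = hashlib.pbkdf2_hmac("sha256", master_secret.encode(), salt,
                             PBKDF2_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; never reuse (key, nonce)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(master_secret: str, credentials: dict) -> bytes:
    """Encrypt the credential dictionary; returns salt || nonce || ct || tag."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_secret, salt)
    plaintext = json.dumps(credentials).encode()
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def open_vault(master_secret: str, blob: bytes) -> dict:
    """Verify the tag before decrypting; wrong secret and tampering look alike."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(master_secret, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("vault rejected: wrong master secret or tampered file")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return json.loads(pt)


def generate_password(length: int = 24) -> str:
    """Random password meeting a policy of lowercase, uppercase, digit and symbol."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


def rotate(master_secret: str, blob: bytes, app: str):
    """Automatic password change: replace one app's password and reseal."""
    creds = open_vault(master_secret, blob)
    new_pw = generate_password()
    creds[app]["password"] = new_pw
    return seal(master_secret, creds), new_pw


if __name__ == "__main__":
    # Constructed sample: one SAP credential behind a single master secret.
    vault = seal("master-logon-secret", {"sap": {"user": "jdoe", "password": "Winter2009"}})
    vault, fresh = rotate("master-logon-secret", vault, "sap")
    print("rotated SAP password now in vault:", open_vault("master-logon-secret", vault)["sap"]["password"] == fresh)
```

Because the tag covers the salt and nonce as well as the ciphertext, a flipped byte anywhere in the file is rejected before any decryption takes place, and a wrong master secret fails the same check, which is why the error message does not distinguish the two cases.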
3.2. Secure SignOn Reduces Costs and Increases Productivity
With username/password authentication, password issues occur on a daily basis.
According to Gartner, a user contacts the help desk up to 19 times per year,
and on average 3.8 of these contacts concern password issues. According to
Forrester, a password reset costs about $38, so password-related costs add up
very quickly. Even with a more conservative estimate of $10 to $15 per reset,
the total is still staggering.
Reason enough to adopt a more cost-efficient and reliable authentication method!
Secure SignOn takes the burden of password management off users by introducing
Single Sign-On, and at the same time helps businesses cut costs. According to
IDC, Single Sign-On reduces the number of password-related help desk queries by
up to 95 percent.
With such a significant reduction in password problems, employees and IT
administrators alike can focus on more important tasks than password resets.
This is not just a matter of workload efficiency and company expenditure:
seeing that IT departments are very often chronically understaffed and hacker
attacks are always on the rise, it means there is more time for analyzing data
from intrusion detection or intrusion prevention systems, implementing
countermeasures, and improving the overall security of the company's IT
environment.
3.3. Multi-factor Authentication for the Most Demanding Environments
Highly secure user authentication can be achieved through a combination of
multiple authentication factors. In addition to supporting traditional
username/password authentication, Secure SignOn can optionally be extended to
support many forms of stronger multi-factor authentication, as described below.
We have seen in the section The Challenges of User Authentication that an
attacker does not necessarily need to know a user's password. He may find it
written down at the workplace, he may obtain it by social engineering, or he
may simply guess it. If none of this works, a dictionary attack or even a
brute-force attack frequently gets the job done.
If the target is, for example, the notebook of the CEO or the firewall of an
enterprise, the effort of such an attack pays off quickly in most cases.
Unfortunately, enterprises underestimate the danger, as the many embarrassing
reports in the press make readily apparent.
Secure SignOn supports extending single-factor password authentication ("What
You KNOW") with a second factor ("What You HAVE") or even a third factor ("What
You ARE") to accomplish two-factor or even three-factor authentication. This
increases the reliability of the authentication dramatically.
Depending on the physical device employed (e.g., a smart card), the user
passwords can be stored on the device itself. These security devices perform
the cryptographic operations on the card and protect the stored passwords
against third-party access even when the smart card or token is lost or
stolen, provided the PIN is not compromised and the device locks itself after
a small number of wrong PIN attempts.
Another advantage of typical two-factor authentication is that users notice
very quickly when their smart card or USB token is lost or stolen, in contrast
to compromised or hacked passwords, whose theft is not known to the user. The
smart cards or tokens employed for authentication can also be used to store
private keys and certificates safely, for example for secure e-mail, digital
signatures or other security-relevant purposes.
Smart cards and tokens are small, easy to
use, and greatly simplify access to terminals, networks, and applications. For
authentication the user only needs a smart card or a USB token (the "What You
HAVE" factor) and the password that unlocks the card or token (the "What You
KNOW" factor). Successful authentication is only possible when the minimum
required factors are present.
4. Scalable Security for Individual Security Requirements
4.1. Single Sign-On With and Without a Smart Card
Secure SignOn offers Single Sign-On and powerful authentication for practically
every application. It supports conventional authentication with Windows
Credentials (username/password) as well as certificate-based authentication with
digital certificates. Secure SignOn may be used with smart cards / tokens or
without them. If the solution is used with security devices like smart cards or
USB tokens, then the application passwords will be saved in a PIN protected
location of the token.
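To make concrete why both factors from section 3.3 are needed, here is an added model of a PIN-protected token used for possession-plus-knowledge authentication. It is example code written for this edit, not SECUDE's or any card vendor's implementation, and the protocol it assumes is a generic HMAC challenge-response: the token holds a per-user secret that never leaves it, the verifier sends a random challenge, and the token answers only after a correct PIN. A retry counter locks the token after MAX_PIN_TRIES wrong PINs, which is what makes a lost or stolen token useless for offline guessing. The class and function names are assumptions for illustration.

```python
"""Two-factor authentication with a PIN-protected token (added example).

Factor 1, What You HAVE: the token's secret key, never exported.
Factor 2, What You KNOW: the PIN that unlocks the token.
Assumed protocol: symmetric HMAC-SHA256 challenge-response; the verifier
keeps a copy of each user's token secret at enrollment.
"""
import hashlib
import hmac
import os

MAX_PIN_TRIES = 3  # typical smart-card retry counter


class TokenLocked(Exception):
    pass


class WrongPin(Exception):
    pass


class Token:
    """Stands in for the card: secret and PIN check live inside the device."""

    def __init__(self, secret: bytes, pin: str):
        self._secret = secret
        # Assumption: the card stores a PIN verifier in tamper-resistant memory.
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self.tries_left = MAX_PIN_TRIES

    def respond(self, pin: str, challenge: bytes) -> bytes:
        """Answer a challenge only after a correct PIN; count failures."""
        if self.tries_left == 0:
            raise TokenLocked("PIN retry counter exhausted; card must be unblocked by an admin")
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_hash):
            self.tries_left -= 1
            raise WrongPin(f"wrong PIN, {self.tries_left} tries left")
        self.tries_left = MAX_PIN_TRIES
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class Verifier:
    """Server side: enrolls tokens, issues fresh challenges, checks responses."""

    def __init__(self):
        self._secrets = {}  # user -> token secret

    def enroll(self, user: str, pin: str) -> Token:
        secret = os.urandom(32)
        self._secrets[user] = secret
        return Token(secret, pin)

    def challenge(self) -> bytes:
        return os.urandom(32)  # fresh per attempt, so responses cannot be replayed

    def check(self, user: str, challenge: bytes, response: bytes) -> bool:
        expected = hmac.new(self._secrets[user], challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def login(verifier: Verifier, user: str, token: Token, pin: str) -> bool:
    """Full exchange; True only when both factors are present and correct."""
    ch = verifier.challenge()
    try:
        resp = token.respond(pin, ch)
    except (WrongPin, TokenLocked):
        return False
    return verifier.check(user, ch, resp)


if __name__ == "__main__":
    v = Verifier()
    card = v.enroll("jdoe", "4711")
    print("card + PIN:", login(v, "jdoe", card, "4711"))
    print("card, wrong PIN:", login(v, "jdoe", card, "0000"))
    # A forged card with the right PIN has no enrolled secret and fails too.
    print("PIN only:", login(v, "jdoe", Token(b"\x00" * 32, "4711"), "4711"))
```

Three of the failure modes discussed above fall out of the model: a stolen card without the PIN is refused, a known PIN without the enrolled card produces the wrong response, and three wrong PINs lock the card even for its rightful owner, who then needs the administrative unblock procedure mentioned in section 4.8.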
4.2. Integration with Existing Identity Management Solutions
In addition to its seamless integration into heterogeneous IT landscapes,
Secure SignOn also integrates easily with existing Identity Management
systems. As the identity management system assigns the proper roles and
privileges, the employee is also provisioned for strong authentication and
Single Sign-On. When the user signs on to the network, with or without a
security device, he can only access those systems, resources, and applications
for which he was provisioned. This combination of access rights managed by the
identity management solution and access security by means of smart cards
delivers a very high level of security to the enterprise.
4.3. Web Single Sign-On
More and more applications are available through a web browser over
the Internet or the Intranet. Secure SignOn provides Single Sign-On to web sites
requesting user authentication. Toolbars integrated with the Microsoft Internet
Explorer and Mozilla Firefox browsers provide a secure and convenient login to
such sites. Only a few mouse clicks are required to register a site for Single
Sign-On.
4.4. Broad Support of Smart Cards and USB Tokens
Thanks to PC/SC,
PKCS#11 and Microsoft CSP support, you can smoothly integrate Secure SignOn into
virtually any PKI environment. A wide range of smart cards and USB tokens from
different manufacturers are supported. The PKCS#11 interface works with smart
cards from manufacturers such as Siemens, Giesecke & Devrient, and Aladdin, as
well as JavaCards compliant with the GlobalPlatform Specifications such as
GemPlus, IBM, Axalto/Schlumberger, and Oberthur. A great variety of the USB
tokens supplied by these manufacturers are also compatible. Additionally, Secure
SignOn supports a wide range of PC/SC-based card readers.
4.5. Enhanced Security Using Smart Cards
4.6. Biometric Authentication
Biometric authentication solutions are becoming increasingly popular. On the one hand, the
procurement costs for biometric solutions have decreased, on the other hand the
error rate of fingerprint recognition, for example, has improved significantly.
With Secure SignOn, businesses can select their security devices according to
their own requirements, and even retain their existing cards and tokens – the
protection of their investments is assured. Even future generations of
PKCS#11-based security devices can easily be integrated without further efforts.
This is why the solution is fully future-proof.
4.7. Multifunctional Smart Cards
And finally, the use of multifunctional cards lets you extend your security
devices' functional range well beyond secure authentication and data
encryption/decryption. For example, multifunctional cards and USB tokens can
store not only personal data such as passwords and private keys but also
parameters for access control to buildings or particular departments. If issued
with the user's photo and name, a smart card can also double as an employee ID
card. By providing miscellaneous other functions, such as logging working time
or even holding the user's cafeteria account balance, multifunctional cards can
greatly streamline, simplify, and speed up daily processes for employees and
administration alike. That is why the use of multifunctional cards and tokens
makes sense not only from the security point of view but in particular from
the cost point of view.
4.8. Easy Administration and Comprehensive Support
Secure SignOn can simply be integrated into an existing IT infrastructure and
offers easy, time-saving administration throughout its entire lifecycle. When
business security requirements are revised, the administrative effort involved
in updating the authentication settings is minor and requires very little
manual input. In line with the company's security policy, Secure SignOn allows
passwords to be as long and as complex as required. Passwords can also be
changed whenever necessary without user input, because they are generated and
assigned centrally without any user involvement. In this way, even the most
demanding security requirements are met in a very user-friendly manner.
Comprehensive support functions ensure that users who have forgotten their
smart card or token, or lost their security device or PIN, can quickly resume
productive work without a lot of administrative effort. Secure SignOn also
supports businesses in their compliance efforts. Organizations are obliged by
national and international data protection laws and by industry regulations
and guidelines to handle personnel and customer data accurately and to protect
such data reliably against unauthorized third-party access. Secure SignOn
supports compliance with legislation such as SOX by providing controlled access
to systems, a function that every auditor will definitely check. With several
hundred thousand users around the world, Secure SignOn offers businesses a
reliable and practice-proven security solution.
5. Conclusion
Secure SignOn provides organizations with reliable and powerful Single Sign-On
and, when required, two-factor authentication that protects system integrity.
The implementation of Single Sign-On dramatically reduces password-related
issues, cutting costs while increasing employee productivity. Secure SignOn is
a straightforward and convenient application that also ensures very fast user
acceptance. Thanks to its comprehensive support of all common authentication
standards, Secure SignOn can quickly be implemented in any IT infrastructure.
The wide range of functions and supported security devices lets organizations
implement tailor-made solutions for their specific IT security demands and
requirements.
6. Glossary
Authentication
A predefined procedure, such as the entry of a PIN or the matching of a
fingerprint, to verify a person's claimed identity before a computer system
decides (authorization) which of its data and functions the person may access.
Verification
Verification is used to check whether a file or message indeed
originates from the person or organization that claims to have sent it
CSP
Cryptographic Service Provider: A software module that provides smooth access of
Microsoft CryptoAPI-based applications to cryptographic security devices such as
smart cards. This is Microsoft’s alternative to PKCS#11
GlobalPlatform
Specifications
A standard published by an international specifications board
representing a wide range of manufacturers. The aim of GlobalPlatform
specifications is to provide easy communication between different devices
ITSEC E4
Information Technology Security Evaluation Criteria (ITSEC): A European
standard for the evaluation and certification of software and computer systems,
specifically their security functionality and the assurance that it works as
claimed. E4 is one of its assurance levels (E1 to E6). In Germany, ITSEC
certification is issued by the BSI (Federal Office for Information Security).
JavaCard
A card equipped with a microprocessor that runs a reduced version of the Java
platform as its operating system. Because applets can be loaded after
issuance, JavaCards can be provided with new functions at any time.
(Chip) Card Reader / Card Reader Units
Card readers supply power to chip cards (smart
cards) and enable the communication with the computer.
PC/SC
Personal Computer / Smart Card (PC/SC): A specification designed for the
integration of chip cards and card readers. It ensures that the computer and
the smart card (via the card reader) can communicate easily.
PIN
Personal Identification Number: PINs are usually employed with smart cards (as
well as bank cards and credit cards). A PIN may be numeric or alphanumeric; it
is the secret with which the cardholder proves to the card or token that he is
entitled to use it.
PKCS#11
Public Key Cryptography Standard #11 (also called Cryptoki): A
platform-independent interface standard developed by RSA. It is used to provide
access to cryptographic devices such as smart cards or tokens.
Security Device
A smart card or USB token that stores encrypted personal user
data such as passwords, private keys, and certificates to protect them from
unauthorized third-party access
SSO / Single Sign-On
Single Sign-On provides an authentication process whereby the user only needs
to identify himself once at startup with a single PIN or password. All other
sign-ons are performed automatically in the background without any further
user input.
Smart Card
A plastic card with a built-in microchip that may contain embedded integrated
circuits, memory, or a microprocessor. The card's microprocessor can be
individually programmed, which means that the functional scope of a smart card
is limited only by the available memory and the processor's capabilities.
Microprocessors are frequently used to perform cryptographic operations to
protect the stored data from unauthorized third-party access.
Cryptography / Encryption
A process in which plaintext is converted into ciphertext using an encryption
algorithm. Encryption employs one or several keys to transform the data. The
keys, and the algorithms, for encryption and decryption need not be the same.
About FinallySecure
FinallySecure is the Data Protection Division of SECUDE AG
and was formed in 1996. FinallySecure is headquartered in Switzerland, and
operates out of the SECUDE offices in the US, Europe, the Middle East, and Asia
with partners and sales channels all over the world.
For more information,
please consult www.finallysecure.com
About SECUDE
SECUDE AG is a market leader
in the areas of authentication & authorization, encryption, data integrity and
the management of digital identities, delivering a higher level of IT Security
to organizations around the world. We offer solutions in single SignOn,
role-based access control, and the security of documents, applications and
transactions. SECUDE AG was formed in 1996 from a partnership between SAP AG and
the Fraunhofer Institute in Darmstadt, Germany. This partnership resulted in the
Secure Network Communication (SNC) module for SAP AG. SECUDE is headquartered in
Switzerland, and has offices in the USA, Germany, Netherlands, Spain and United
Arab Emirates.
For further information, please consult www.secude.com
Copyright
Copyright SECUDE AG 2009.
SECUDE is a registered trademark of SECUDE AG.
Microsoft is a registered
trademark of the Microsoft Corporation.
Other product and company names
mentioned herein serve for clarification purposes and may be trademarks of their
respective owners.
Sales: info@secude.com
Technical support:
support@secude.com
Documentation: documentation@secude.com
www.secude.com
/ www.finallysecure.com
Table of Contents
- 1. Introduction
- 2. The Challenges of User Authentication
- 2.1. Already Working or Still Authenticating?
- 2.2. The Password Dilemma
- 3. Strong, Reliable User Authentication Using Secure SignOn
- 3.1. Ease of Use Instead of Endlessly Authenticating
- 3.2. Secure SignOn Reduces Costs and Increases Productivity
- 3.3. Multi-factor Authentication for the Most Demanding Environments
- 4. Scalable Security for Individual Security Requirements
- 4.1. Single Sign-On With and Without a Smart Card
- 4.2. Integration with Existing Identity Management Solutions
- 4.3. Web Single Sign-On
- 4.4. Broad Support of Smart Cards and USB Tokens
- 4.5. Enhanced Security Using Smart Cards
- 4.6. Biometric Authentication
- 4.7. Multifunctional Smart Cards
- 4.8. Easy Administration and Comprehensive Support
- 5. Conclusion
- 6. Glossary