“OneSign® Single Sign-On provides a solution that is radically easy to implement - streamlining and tightening security without requiring any scripting, modifications to existing directories or applications, or inconvenient changes to end-user workflow. OneSign SSO enables convenient access to any and all enterprise applications efficiently and easily.”
Source: Imprivata
Single Sign-on (SSO): Truths and Myths
Executive Summary
Technology products always seem to come “out of the box”
strong and then wither amidst strong scrutiny. This was the case
with Single Sign-on (SSO). What is sometimes ignored, however,
is that any product with a strong need will reinvent itself to
address the problems it contains.
It is time for individuals to evaluate (or re-evaluate) SSO for their
enterprises. There are a number of myths that are now overcome
by the technology:
- You can get true SSO.
- User account risk is reduced.
- ROI is attainable.
- Customers are happy with their solutions.
This paper describes interviews and research associated with the
value of single sign-on. It discusses key myths that were
associated with SSO in the past and no longer apply to today’s
technology.
Introduction
Every new product brings with it high hopes and leaves behind bitterness before it
evolves into the promising solution it can be. Single Sign-On (SSO) was introduced
to security years ago along with distributed applications and infrastructures. It
became necessary due to the disparate technologies in use; these technologies
increased risk by multiplying the number of attack points, and strong security
principles dictated the need for strong user account credentials.
But SSO had its failures in the past. The question now is, can it be revisited with
lessons learned to provide the value it had promised and previously failed to live up
to? Spire Security interviewed a number of SSO users to get their perspectives on
four key issues surrounding SSO:
- Can we really attain true SSO?
- Does SSO increase or decrease risk?
- Can we attain ROI from SSO?
- Is customer regret the exception or the norm?
These are the pertinent questions that keep SSO at bay in some organizations.
Introducing the Companies
With the help of Imprivata, Spire Security identified SSO users and interviewed
them about their deployments of SSO within their enterprises. The benefit is clear –
real organizations will weigh in on real issues:
- A $400 million (assets) Midwestern credit union with over 100 employees and about 500 user accounts on over 30 applications. The company has integrated all organization-wide applications into Imprivata’s SSO solution.
- A $3 billion (market cap) Northeastern pharmaceutical company with over 1200 employees. The company offers Imprivata’s SSO solution as a convenience to end users.
- A Midwestern mental health center serving over 4000 patients with more than 250 users and 12 applications under management. The organization deployed Imprivata for both security and convenience.
- A Southeastern hospital with over 140 beds and 1000 employees. The hospital deployed Imprivata to address regulatory requirements associated with shared workstations.
- A Northwestern regional hospital with over 3,500 employees, 2,000 desktops, and over 100 applications. The hospital deployed Imprivata for regulatory and convenience reasons.
In addition to these five primary interviewees, opinions and analysis from other
interviews and research by Spire Security will be integrated into the content.
True SSO – Fantasy or Reality?
The Myth
Because SSO has been around for so long, it has had its
chance for hype, failure, and reduced expectations. For
seven or eight years now, even purveyors of SSO
solutions have watered down their discussions to
something that provides “reduced” or “simplified”
sign-on. Since SSO is the primary value proposition,
this approach minimizes the value of the solution.
No enterprise should buy a solution for SSO that
markets itself as “reduced” or “simplified.” There may
be other reasons to buy the solution, but certainly SSO
isn’t one of them. These vendors recognize the
technology weaknesses of their products up front and
don’t want to live up to a promise that has been broken
in the past.
The Reality
“The vast majority of profile generations take less than thirty minutes -- many of them only fifteen minutes! The most challenging SSO integration application was one that presented two different layers of authentication... it was a challenge of an hour.” – NW Hospital.
“There is nothing keeping us from getting complete single sign-on except our internal
priorities.” – Pharmaceutical Company.
“We attained SSO immediately upon installation for the bulk of our applications.
True SSO is definitely feasible.” – Credit Union.
The companies interviewed all expressed a reasonable comfort level with their SSO
solutions. In the past, technical barriers were the problem with gaining true SSO.
Today, an organization can incorporate as many applications as they’d like to
include in their SSO solution. It doesn’t happen magically – though the easiest off-the-shelf applications are integrated immediately, the most difficult ones may take a week or two – but it is reasonable to expect and possible to attain.
Clearing up some Confusion
Single sign-on is first and foremost a tool for end-users. It provides a way for the users to log into systems without separately having to remember
all of their user IDs and passwords. In a sense, it is acquiescence to user complaints about security being unwieldy and burdensome to legitimate users.
In addition to SSO, many solutions in the Identity Management discipline have other functions. Two primary functions include automating
administrative tasks by tapping into the user management features of individual applications and automating the request and fulfillment
process of user administration.
The Spire Verdict
Technology has always been the obstacle to true single sign-on. That is no longer the
case. Now, the barriers are the logical ones – minimal-user applications with nonstandard authentication requirements. The opportunity for SSO is even more
apparent with midsized companies that have dozens of applications rather than thousands. There is always a level of practicality involved when dealing with those
applications that only have a handful of users, but that decision is one of resource
allocation, not technical impossibility. Got a concern? The best way to protect your
interests is to ensure that any SSO software company provides some level of
guarantee to meet the needs of your organization.
Does SSO Increase Risk?
The Myth
One of the first objections to SSO when it came out was that it creates a “keys to the kingdom” problem that actually increases risk. The argument asserts that reducing the number of credentials and their corresponding passwords creates an opportunity for an attacker, should he gain access to those credentials. Well, there is no denying that an SSO solution, if compromised, leads to the compromise of multiple credentials. However, it is important to consider risk within its context and as something that changes dynamically (think of the market capitalization of a public company changing all the time).
The Reality
“We implemented a much stronger password policy using single sign-on.” – Mental Health Center.
“Just eliminating frequent interaction with the help desk makes me more comfortable about risk.” – Credit Union.
“By reducing the password count, OneSign allows IT to enforce stricter password standards and controls. Accountability goes way up and auditing becomes simpler.” – NW Hospital.
Risk is a dynamic notion that ebbs and flows as controls are turned off and on. In
this case, there are a number of ways to reduce risk using SSO:
- The key way that SSO can reduce risk is by providing for stronger password selection. Many applications do not place any constraints on password selection, resulting in kids’ names, birthdays, and sports team names reigning supreme as passwords of choice. An SSO solution should enforce policy restrictions that strengthen passwords by making them harder to guess.
- The second way SSO reduces risk is by minimizing the likelihood of a user writing down his or her passwords. This is the backlash effect of requiring strong passwords: if it is enforced everywhere, users must eventually write down their passwords. While this is possible to do with some level of control, it introduces a new variable into the security equation that isn’t easily managed.
- The third way that risk is reduced is by providing a consolidated place to disable and/or terminate users. With the many odds-and-ends applications out there, it can be extremely difficult to identify all of a user’s accounts when he or she leaves the company. Because SSO requires this kind of reconciliation and matching, an enterprise receives better assurance that the outgoing user’s accounts have all been disabled.
- The final way that SSO reduces risk is to create a central location for login/logout activities. By reviewing these logs, organizations can identify anomalous behavior associated with accounts, can verify dormant accounts, and generally get a better handle on the usage of key applications.
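As an added example (not from the paper and not Imprivata’s own code or log format), the kind of review the last point describes, run over a constructed central SSO login/logout log: it lists dormant accounts, flags an account that logged in from two different workstations within a few minutes, and counts logins per application. The log layout, user names, workstation names and application names are all made up for illustration.

```python
"""Review a consolidated SSO login/logout log for dormant accounts and anomalous
account use. Added example; the log format is constructed, not Imprivata's own."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "<ISO timestamp> <LOGIN|LOGOUT> user= ws= app="
SAMPLE_LOG = """\
2009-03-02T08:15:02 LOGIN user=jsmith ws=WS-ICU-01 app=EHR
2009-03-02T08:16:10 LOGIN user=jsmith ws=WS-ICU-01 app=PHARMACY
2009-03-02T08:17:45 LOGIN user=jsmith ws=WS-ER-04 app=EHR
2009-03-02T12:01:44 LOGOUT user=jsmith ws=WS-ICU-01 app=EHR
2009-03-02T09:02:11 LOGIN user=bjones ws=WS-ADMIN-02 app=PAYROLL
2009-01-15T14:20:00 LOGIN user=tdoe ws=WS-LAB-01 app=EHR
2009-03-02T09:30:00 LOGIN user=rkim ws=WS-ADMIN-03 app=EHR
2009-03-02T17:45:00 LOGIN user=rkim ws=WS-ADMIN-03 app=PAYROLL
"""

def parse_events(text):
    """Parse log lines into dicts (ts, action, user, ws, app), time-ordered."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, action, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.fromisoformat(ts)
        ev["action"] = action
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def dormant_accounts(events, as_of_iso, max_idle_days=30):
    """Accounts with no login in max_idle_days: candidates to disable or reconcile."""
    last_login = {}
    for ev in events:  # time-ordered, so the last assignment wins
        if ev["action"] == "LOGIN":
            last_login[ev["user"]] = ev["ts"]
    cutoff = datetime.fromisoformat(as_of_iso) - timedelta(days=max_idle_days)
    return sorted(u for u, ts in last_login.items() if ts < cutoff)

def overlapping_workstations(events, window=timedelta(minutes=5)):
    """Users who logged in from two different workstations within `window`:
    on shared workstations this suggests a shared or exposed credential."""
    logins = defaultdict(list)
    for ev in events:
        if ev["action"] == "LOGIN":
            logins[ev["user"]].append(ev)
    flagged = set()
    for user, evs in logins.items():
        for i, first in enumerate(evs):
            for later in evs[i + 1:]:
                if later["ts"] - first["ts"] > window:
                    break  # evs are time-ordered; nothing later can qualify
                if later["ws"] != first["ws"]:
                    flagged.add(user)
    return sorted(flagged)

def app_usage(events):
    """Login count per application: a quick view of which applications are used."""
    return Counter(ev["app"] for ev in events if ev["action"] == "LOGIN")
```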
The Spire Verdict
Let’s face it – users are highly likely to be picking the same passwords for all of their
applications anyway. To the extent that they aren’t, it is likely they are employing
some weak practice to keep track of everything. To top things off, when they forget
their passwords, it often involves interaction with other people or a requirement for
online validation that is weaker than the password itself.
Finally, it is unlikely that users are picking different user accounts and passwords to
begin with; it is very common for end users who are overloaded with IDs and
passwords to create their own system of consolidation and synchronization to
minimize the number of accounts and passwords that must be remembered.
Is there ROI in SSO?
The Myth
Security professionals often lament about there being no Return on Investment (ROI)
in security. They discuss security measures as insurance or overhead and assume
that organizations will make appropriate decisions about protecting their assets and
resources. In the best case, this is the situation and an enterprise remains secure. In
most cases, however, even security professionals must justify the cost of new
security solutions.
The Reality
“We’ve reduced the amount of password resets being performed by our help desk from
about 20 a day to 1 or 2.” – Credit Union.
“In our cost justification for OneSign, we calculated a very low return on
investment. Still, the solution paid for itself within eight months.” – NW Hospital.
“We didn’t buy the solution for ROI; we bought it for convenience.” – Pharmaceutical Company.
The need for ROI mirrors the personality of the organization. The question of ROI is
really one of cost effectiveness – for the amount you are spending, are you getting
your money’s worth? In this case, ROI comes from cost savings compared to money
that is currently being spent (often, people neglect reduced costs as a way to gain an
ROI, only focusing on increased revenue).
With SSO, the potential for ROI comes from the reduction of calls to the help desk
for password resets. In this case, recovering the productivity costs associated with help desk employees and end users who are temporarily unable to work can quickly
point to ROI. And a real stickler for detail can even add in the time saved during
each individual login process (not recommended for those with skeptical bosses).
The Spire Verdict
The test for ROI in SSO is three-fold:
- You have to believe you can attain ROI from reduced costs rather than increased revenue. If you don’t believe this, then you likely can’t get ROI from SSO, but you can’t get it in legal, admin, or non-revenue IT either.
- You must currently be spending money on user account management. This is a necessity in today’s organizations – new employees all must have accounts created; leaving employees all must have accounts disabled; and in between it is highly likely that ongoing management will be required.
- You must believe that improvements in efficiency are possible.
Ultimately the question of ROI comes down to the cost of purchasing, deploying,
and managing the system compared with current costs of password resets and
account termination, with some benefit potentially coming during audit and review
cycles.
Do Customers Regret Their Purchase?
The Myth
In the technical world, skepticism reigns supreme. It is common to be wary of new
products and their new claims. But there is a certain level of expectation that remains
for any product. If this expectation isn’t met, it is relegated to the back corner of the
cubicle where it becomes “shelfware” (this is in the best case for underperforming
software). Because of its early challenges, SSO became regarded as one of shelfware’s
many flavors, leaving the purchaser with a damaged reputation within the
organization.
The Reality
“Imprivata is in use and effective at its task. We are very happy with the purchase.” –
Mental Health Center.
“Our users enjoy the convenience of having an SSO solution to offset the pain they
felt with numerous passwords.” – Pharmaceutical Company.
“Nobody has been able to do what Imprivata has done for us for SSO.” – SE
Hospital.
Not surprisingly, once the barriers of technical integration, impact on risk, and cost
are addressed, customer satisfaction attains a high level. All of the customers
interviewed were pleased with their purchases. There is an obvious sample bias here
(it is unlikely that unhappy customers would be offered as references) but that isn’t
the point. In the past, happy customers deriving real SSO value were few
and far between. Now, it is simply a matter of reviewing a list of references and
contacting those that most mirror your enterprise.
The Spire Verdict
No surprises here. It is fairly common for “technology enthusiasts” to have a go at a
new product and report misgivings about it. The nature of SSO was practically self-fulfilling in this regard – it needed to integrate with the technology and the
organizational culture.
The Imprivata Effect
The SSO market has changed its look and its prospects. Imprivata is one SSO
company that has contributed to the paradigm shift in SSO. The shift itself involved:
- Agents on the clients and not on the server. In the past, agents were installed where the applications were. Imprivata installs an agent on the client that monitors and mimics user activities.
- No change to the users’ behavior. Users are running on application overload to the extent that one more application creates a training and support burden. Imprivata seamlessly integrates into the existing login scenarios and performs the authentication behind the scenes.
- An appliance form factor rather than a software solution. Previously, enterprises needed to build and support an SSO solution by installing the operating system, database and application. The appliance form factor is self-contained, providing both a pre-configured total solution and consolidated support.
- An application profile generator. The way Imprivata gets true SSO for legacy and other custom applications is through its intelligent engine that monitors an application and builds out its authentication sequences and constructs.
These new qualities, along with the capability for true SSO, reduced risk, ROI
potential, and customer satisfaction, provide a full-fledged opportunity for any
organization currently reviewing its authentication process.
Spire Viewpoint
It is clear from speaking with the organizations in this report that SSO can be used successfully and provide great value to an enterprise. It is common for technology to be hyped before it is ready. That is what happened with SSO (as well as many other security technologies). When demand already exists to address a problem – in this case, the conflict between user convenience and enterprise security objectives – solution providers bear down and address the technical difficulties. That is what happened with SSO. At some point, the technical difficulties are overcome by new and unique architectures along with a deeper understanding of applications. That is what happened with SSO. It is time to review your authentication needs and let SSO happen for you.
Contact Spire Security
To comment about this white paper or contact Spire Security, LLC about other security
topics, please visit our website at www.spiresecurity.com.
This white paper was commissioned by Imprivata®, the makers of OneSign. All content
and assertions are the independent work and opinions of Spire Security, reflecting its
history of research in security audit, design, and consulting activities.
Imprivata can be reached at www.imprivata.com.
About Spire Security
Spire Security, LLC conducts market research and analysis of information security
issues. Spire provides clarity and practical security advice based on its “Four Disciplines
of Security Management,” a security reference model that incorporates and relates the
functions of identity management, trust management, threat management, and
vulnerability management. Spire’s objective is to help refine enterprise security
strategies by determining the best way to deploy policies, people, process, and
platforms in support of an enterprise security management solution.