2. What is SSO? The Ship’s Security Officer? Standards Setting Organization? Sulfolobus solfataricus? Society of Surgical Oncology? Syracuse Symphony Orchestra?
7. SSO, Defined (again)
Diagram labels: You, Your computer, Your one SSO passcode, The firewall & SSO authentication system; behind it the Enterprise Applications: Email program, Benefits/HR info, Corporate intranet, Client Extranet.
31. Glossary
AAA = Authentication, Authorization & Accounting
AD = Active Directory
CAS = Central Authentication Service
EISA = Enterprise Information Security Architecture
ESSO = Enterprise Single Sign On
HTTPS = HyperText Transfer Protocol, Secure
IDM = Identity Management
LDAP = Lightweight Directory Access Protocol
OTP = One Time Password
PII = Personal Identifying Information
RADIUS = Remote Authentication Dial In User Service
SAML = Security Assertion Markup Language
SSL = Secure Sockets Layer
SSOSrv = Microsoft Single Sign-On Service
TCP/IP = Transmission Control Protocol/Internet Protocol
VPN = Virtual Private Network
Danny Kaye – “The Court Jester” – about authentication & security systems – 1956 movie
Process that permits a user to enter one name and password ONCE in order to access multiple applications (single action = access to multiple systems)
- One password instead of multiple
- Multiple independent systems instead of one
- Lesser known sibling: Single Sign Off
- System that stores multiple sets of credentials for various internal applications
- Often done with web portals that interface with multiple systems “on the back end”
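To make the “single action = access to multiple systems” idea concrete, here is an added example (not from the original slides) of a toy SSO flow: one authentication server checks the password once and issues a signed, expiring ticket; separate applications accept the ticket without ever seeing the password; the server's session table provides Single Sign Off (revocation) and an idle timeout for the “walk away and someone hops on your computer” case. The shared key, lifetimes, user directory and application names are all constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo values, not a real deployment.
SSO_KEY = b"constructed-demo-key-do-not-use"   # shared with every application
ABSOLUTE_LIFETIME = 8 * 3600                   # seconds a ticket lives after login
IDLE_TIMEOUT = 15 * 60                         # seconds of inactivity before sign-off


def hash_password(password):
    # Demo only: a real user directory would use a slow, salted hash (bcrypt, scrypt, argon2).
    return hashlib.sha256(password.encode()).hexdigest()


def session_id_of(ticket):
    """Read the session id out of a ticket without verifying it (used for sign-off)."""
    body = ticket.split(".")[0]
    return json.loads(base64.urlsafe_b64decode(body))["sid"]


class AuthServer:
    """The one SSO authentication system: verifies credentials once, issues tickets,
    and keeps the session table that makes Single Sign Off and idle timeout possible."""

    def __init__(self, users, key=SSO_KEY):
        self.users = users      # {username: hash_password(password)}, constructed directory
        self.key = key
        self.sessions = {}      # session id -> last activity time; absent means revoked

    def login(self, username, password, now=None):
        now = time.time() if now is None else now
        stored = self.users.get(username)
        if stored is None or not hmac.compare_digest(stored, hash_password(password)):
            return None
        sid = secrets.token_hex(16)
        self.sessions[sid] = now
        claims = {"sub": username, "sid": sid, "iat": now, "exp": now + ABSOLUTE_LIFETIME}
        body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
        sig = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"

    def logout(self, sid):
        # Single Sign Off: one action ends the session for every application at once.
        self.sessions.pop(sid, None)

    def is_active(self, sid, now):
        last = self.sessions.get(sid)
        if last is None or now - last > IDLE_TIMEOUT:
            self.sessions.pop(sid, None)   # idle too long: treat like a sign-off
            return False
        self.sessions[sid] = now           # record activity for the idle timer
        return True


class Application:
    """One of the many back-end systems. It only ever sees the ticket, never the password."""

    def __init__(self, name, auth, key=SSO_KEY):
        self.name, self.auth, self.key = name, auth, key

    def access(self, ticket, now=None):
        """Return the username the ticket proves, or None if it must be rejected."""
        now = time.time() if now is None else now
        try:
            body, sig = ticket.split(".")
        except ValueError:
            return None
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):       # tampered or forged ticket
            return None
        claims = json.loads(base64.urlsafe_b64decode(body))
        if now > claims["exp"]:                           # absolute lifetime exceeded
            return None
        if not self.auth.is_active(claims["sid"], now):   # revoked or idle
            return None
        return claims["sub"]


def demo():
    t0 = 1_700_000_000.0   # fixed constructed clock so the run is deterministic
    auth = AuthServer({"alice": hash_password("correct horse")})
    mail = Application("email", auth)
    hr = Application("benefits/HR", auth)
    ticket = auth.login("alice", "correct horse", t0)
    tampered = ticket[:-1] + ("0" if ticket[-1] != "0" else "1")
    return {
        "bad_password": auth.login("alice", "wrong", t0),
        "email": mail.access(ticket, t0 + 60),
        "hr": hr.access(ticket, t0 + 120),
        "tampered": hr.access(tampered, t0 + 130),
        "idle": mail.access(ticket, t0 + 120 + IDLE_TIMEOUT + 1),
    }


if __name__ == "__main__":
    print(demo())
```

The design also illustrates the “single point of attack” slide: every application holds the same HMAC key, so a compromise of any one of them lets an attacker mint tickets for all of them. Real SSO protocols such as SAML sign assertions with the identity provider's private key and give applications only the public key, so that the signing capability stays with the authentication server alone.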
The Skeleton key
Utensil
Utopian (Holy grail, Holistic)
- Cost
  - Savings (call centers aren’t dealing with forgotten password tickets)
  - Reduced IT dev time
- Administration
  - Centralized, single system, which is good for reporting, compliance, maintenance, managing accounts, etc.
  - The “perfect system”
- Productivity
  - Easier to remember one password
  - Reduces human error (password fatigue/identity chaos)
  - Common authentication framework for developers
  - Can be incorporated into Security
- Security
  - Everything’s equally protected
  - Reduces phishing success, since users don’t usually see login/password requests, and when they do it is out of the ordinary and seems suspicious
  - Reduces chance of some types of identity theft (password on sticky note)
Utopian (the downside)
- Poorly conceived: major issues arise if use cases, workflow and infrastructure haven’t been totally figured out
- Administration: authentication systems become mission-critical; if they fail, DoS, no access. Thus some mission-critical capabilities may need to be outside of the SSO (e.g. floor access systems)
- Difficult to implement: extremely difficult to retrofit; mission-critical nature of components (8 separate mission-critical systems and none can be brought down for any length of time to align with the others)
- Security issues: the authentication server is now the single point of attack; risk of giving away the “keys to the castle” (protection focus shifts to user credentials); the “walk away and someone hops on your computer” issue
- Enterprise Reduced Sign On (purgatory; handles most systems if not the utopian all)
- Edsel: the wrong car at the wrong time
The must-have features
- Available 24/7/365
- Backup (there are spare copies in the vault if needed)
- Comprehensive (covers all essential applications in the network, covers all possible use cases)
- Integrable (able to be introduced and play well with existing systems)
- Redundant (if all or part of it fails, there are systems in place that will jump in as needed)
- Reliable (accurate and doesn’t make mistakes)
- Scalable (0 to thousands of users)
Authentication (from Greek: αυθεντικός; real or genuine, from authentes; author) is the act of establishing or confirming something (or someone) as authentic, that is, that claims made by or about the subject are true (“authentification” is a French-language variant of this word). This might involve confirming the identity of a person, tracing the origins of an artifact, ensuring that a product is what its packaging and labeling claim to be, or assuring that a computer program is a trusted one. Authentication can also be used for identity delegation. Identity delegation in IT networks is an evolving field[1].
A process of proving the identity of a computer or computer user. For users, it generally involves a user name and password. Computers usually pass a code that identifies that they are part of a network.
- It’s a horizontal system
- Often done by an authentication server
- Physiognomy = the idea that facial characteristics are indications of personality/character/psychology
- Biometrics =
A directory service is simply the software system that stores, organizes and provides access to information: a corresponding table of names and values (e.g. login/password, name, address, etc.).
Encryption (Greek for “make hidden”) is a form of security that turns information, images, programs or other data into unreadable cipher by applying a set of complex algorithms to the original material. These algorithms transform the data into streams or blocks of seemingly random alphanumeric characters. Symmetric encryption schemes use a single key to serve as both encryptor and decryptor. The one weakness of symmetric encryption programs is that this single key must necessarily be shared, presenting an opportunity for it to be leaked or stolen. Part of key management involves changing the encryption key often to improve security.
The process of managing individuals in a system; managing who someone is and what they have access to (technical, legal, security, social)
A protocol is a set of rules which is used by computers to communicate with each other across a network. A protocol or communications protocol is a formal description of message formats and the rules for exchanging those messages. Protocols may include signaling, authentication and error detection and correction capabilities. In its simplest form, a protocol can be defined as the rules governing the syntax, semantics, and synchronization of communication.
Examples: SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism), Kerberos (made by MIT) and NTLMSSP (Microsoft’s NT LAN Manager Security Support Provider) authentication protocols, with respect to SSPI (a Microsoft Windows security application programming interface).
A communication session is a semi-permanent interactive information exchange between communicating devices that is established at a certain time and torn down at a later time. Hypertext Transfer Protocol (HTTP) is stateless: a client computer running a web browser must establish a new Transmission Control Protocol (TCP) network connection to the web server with each new HTTP GET or POST request. The Session Layer provides the mechanism for opening, closing and managing a session between end-user application processes, i.e. a semi-permanent dialogue.
- More than one party
- Information is being exchanged
- Across a shared medium
The art and skill of developing a plan to achieve a goal
Who’s doing what, where: someone, somewhere, doing something for some reason, sometimes. Workflows are often instructional (how to make a cup of coffee). David Macaulay described the workflow for how to construct something and later came up with a book called “The Way Things Work”.
Enterprise Single Sign On: that’s where the industry has been heading.
SAML = used by Google.
EISA: SSO is just a component of this.
Everybody loves puppies. Everybody loves the Red Sox. When in doubt, switch the topic to puppies or the Red Sox and you’ll regain your equilibrium.
Not just the technical: it’s the human component as well that’s critical.