Bypassing password downfalls with single sign-on |
 |
By Eileen Kennedy, News Writer
06 Nov 2007 | SearchWindowsSecurity.com |
|
|
Windows shops are looking for a means to mitigate password protection downfalls and finding it in a single sign-on environment.
Single sign-on [SSO] products give users the ability to sign on once with a login and password to access the network and any applications they need, versus IT having to manage multiple user passwords for separate systems.
"I think in three years there will be an even more dramatic rise in [SSO] use in the enterprise," said Nick Selby, an analyst with The 451 Group, a research company based in New York City.
Providing users with the network resources they need while easing the burden on the IT desk will continue to grow its popularity, he said.
Selby said he believes the idea of a unique login and password for each application and network is becoming somewhat "quaint" because there are so many Web-based applications, mobile devices and remote workers. On top of that, many companies have to show auditors proof that only the right users are accessing networks and certain data.
IT shops have a number of technology options when it comes to tightening authentication and access controls. They can employ a single sign-on password environment by itself or harness other technologies with SSO for additional security. Multi-factor authentication uses a second or sometimes even a third way of identifying users in addition to a password. An example would be pairing the use of an SSO product, which means having a user name and password, but coupling it with a software or hardware ID token.
Noah Weisberger, a principal security consultant with technology consultancy 3t Systems Inc. of Denver, Colo., said that over the last six months, clients have shown increased interest not just in SSO products, but also in adding in multi-factor authentication.
Why is this? "People are realizing that employees often share logins and passwords and they know that this just doesn't cut it anymore, it's just not secure," Weisberger said.
Of course single sign-on does not work for everyone. Jeff Jenkins, vice president of information security with First American Corp., a large financial services company based in Santa Ana, Calif., said his organization has so many disparate systems that SSO is not practical. The company has grown by acquisition and so many divisions have their own technology.
It does provide its top executives with biometric access to all their devices and applications, using small USB fingerprint readers, said Jenkins. Although biometrics tends to be pricey, they are okay for a small part of the workforce, he said. Biometric readers have dropped in price, too, with most under $100 a piece.
While Jenkins is not allowed to publicly discuss company purchases, there are many USB fingerprint readers for Windows operating systems, including Microsoft's own line, and those made by Hewlett-Packard Co. and smaller companies, like IndentiPHI Inc. of Austin, Texas.
The company has also embraced software certificates in laptops as its main authentication for Windows network access, he said. "Most of our computers are laptops and we have many mobile employees who go from location to location," he said. "They may go from one courthouse to another looking for public records. While a certificate like this ties you down to a machine, that's why we like it. It gives us better control over our end points."
No matter what authentication tools enterprises are using in their networks, the end goals are usually the same. "It's about managing risk and to have better confidence that people are who they say they are when they can move money around or look at company secrets," said Mark Diodati, an analyst at the Burton Group, a Midvale, Utah-based consulting firm.
|
|
|
|
