Passwords remain the most widely used method of user authentication, despite the obvious risks. Increasing number of information systems, the users are to have access to imposes significant workload on the information security service in the aspect of user password management. Migration to new authentication technologies requires much effort. Business critical applications are often legacy ones and therefore they do not support modern technologies. The information security employees have to solve the problem of password usage while waiting for the opportunity to migrate to new authentication technologies . The Enterprise Single Sign-On class systems facilitate the task and provide for the mechanism of centralized user password management.
The password usage risks lead to both direct financial losses as a result of confidential information being stolen, and to less efficiency of frontline employees’ and IT service work. One can single out the following main negative factors of password usage:
High password maintenance costs
Users forget their passwords now and then, losing access to the business applications as a result. This imposes additional workload on the IT service. Its employees have to spend a fair share of their working time on resetting user passwords and restoring their access to applications. Informational security policies make the situation even worse, as they toughen the requirements to password complexity and change frequency. The solutions designed for automatic resetting of passwords require additional financial and time expenses to select and purchase the software, as well as to train the administrators and frontline employees to use it.
Risks of unauthorized access to business applications
New technologies, such as SAML, OAuth, OpenID Connect etc. allow for solving of authentication problems. However, adaptation of those to business applications by developers is quite a slow process. Besides, updating of already deployed applications is also expensive and time-consuming procedure. Thus, the companies have to maintain hybrid infrastructure and legacy applications that support password authentication only. As a consequence, the risks persist that password can be mined by intruder.
Unauthorized access by insider
The employees might - and they often do so - write down his or her password immediately at workplace. Moreover, they often pass their passwords to colleagues on purpose, asking them to send a report while they are out. This makes it possible for dishonest employees to lay hands on account data of other people and gain unauthorized access to applications.
The main requirements to implementation of Enterprise Single Sign-On class system can be stated as follows in order to solve the password problem:
- A centralized solution is required for storage and management of user account data.
- The solution must not require modification of the target applications used
- The solution must allow for keeping the account password in secret even from the employee.
- The solution must support the following operations with the target applications:
- Logon to application
- Unlocking the application (after the period of inactivity)
- Change of application password (upon the application request)
- Support of logon to applications working as per thick client principle, as well as via browser.
- Support of two-factor authentication for logon to application.
- Support of an opportunity to delegate an employee access to account data of another employee (requires permission by the administrator).
To solve the described tasks, the Indeed Access Manager (Indeed AM) software suite is used. The Indeed AM Enterprise Single Sign-On (ESSO) component is used to organize a single access point within the suite.
The Indeed AM Enterprise SSO implements the single sign-on approach enterprise-wide. The system provides for centralized storage of user passwords to applications that require authentication and pastes them in automatically when the application requests to do so. The ESSO technology can be used with any application types (Windows, Web, .Net), irrespective to the architecture - be it single-tiered, two-tiered, three-tiered, thick client or terminal applications.
The Indeed AM Enterprise SSO relieves the employees from memorizing the passwords and keeping those in secret, entering them with keyboard and changing the passwords manually in accordance with password security policies.
The ESSO allows for integration to the target application without software interference with the application operation. To do so, interception of login, password unlock and change forms is used for an application. The interception is performed by the ESSO agent, installed onto user workstations. When the logon form of the target application is displayed, the screen is locked and the ESSO Agent either fills the form in automatically or prompts the user to authenticate first: place the finger onto scanner etc. and, if authenticated successfully, fills in the form.
The general scheme of the solution is given below.
The following main components provide for operation of Indeed AM Enterprise SSO:
Indeed AM Server (Server) is the server component of Indeed Access Manager infrastructure. The server provides for centralized storage and protection of user data and carries out user authentication procedure. It also receives and processes the requests from client components and administrator tools. The Server presence guarantees а user that the data is available from any PC. The Server also makes it possible for administrator to configure access parameters for an employee or a group of employees, as well as to make global changes to the system.
Indeed AM ESSO Agent is the client software installed onto employee workstations. The Agent receives the list of systems and accounts that constitute the personal access profile of the employee from the Indeed Enterprise Server. As soon as the employee activates the icon of an application requiring username and password, the ESSO agent intercepts the login window of the application, hides it from user and fills it in automatically (pastes in the account username and password received from the server). Then it controls the procedure of gaining access to application environment. As a result of the operation, the system event log register either successful or failed access attempt.
Indeed Access Manager database. The database stores system settings and data for strong authentication of users, as well as employees’ ESSO profiles. The data is stored in encrypted form.
Access log. All events that occur in the system are recorded in the log. The log registers the date, time, Active Directory account name, account name in the target system, the fact of account data usage, the fact of logon to target system etc. The log also registers the way and the type of authentication technology used by the employee to gain access to the system.
Indeed ESSO IDM Connector is a connector to Identity Management systems that allows for automatic synchronization of user account data in ESSO database. Accounts are created using IDM and saved in the ESSO system immediately.
Indeed AM ESSO features
The Indeed AM SSO solution has the following features, besides the immediate SSO mechanism and implementation of access to business applications:
Strong user authentication
The ESSO might prompt the user to authenticate before granting access to application. The solution supports a wide range of authentication technologies: two-factor authentication, biometric authentication, smart cards, one-time passwords. The administrator can assign different authentication technologies for applications.
Employee substitution mode
This mode allows for granting the substitute user access to ESSO profile of the substituted user. This might be useful when it is necessary to gain access to the system on behalf of the unavailable (due to being on leave or ill, for example) user promptly. At that, the system log explicitly records who exactly accessed the system. For instance, user Taylor logged to Lotus notes user Miller account. This enables the administrator to know what exactly is happening and to avoid abuses. The administrator also can limit the user substitution period (e.g., by duration of leave).
Integration with IDM
The Indeed AM ESSO supports integration to the most of popular IDM systems: Microsoft FIM, IBM Tivolli IDM, Solar inRights. The integration has the following benefits:
- The company information security level increases due to complete automation of user password life cycle: passwords are created, entered and changed automatically, without user or administrator intervention.
- The procedures are shortened to the minimum for granting and gaining access by employees. A user gains password free access to all the necessary systems immediately after registering a new user (e.g., in HR system) and automatic synchronization.
The ESSO administrator can permit a user to work in offline mode, if required, when enterprise network and ESSO server are unavailable - e.g., in case of networking problem or while being on business trip. In this mode, the user ESSO profile is temporarily stored on his or her PC. This offline profile is used, when the server cannot be connected to. The validity period of local profile is defined by the administrator. When this period expires, the local copy of the profile is deleted.