Companies from all industries and sectors largely rely on a wide spectrum of desktop and web applications, including both general-purpose and specialized software.
General-purpose software is widely used in the Electronic Document Management Systems (EDMS), Enterprise Resource Planning (ERP) Systems, and accounting systems. On the other hand, specialized applications often serve as software components for Automated Process Control Systems (APCS), Customer Relationship Management (CRM) and Warehouse Management Systems (WMS). That said, specialized applications are often custom-made.
All these systems can be used to address a variety of corporate tasks – offering government services, ensuring legal compliance, or engaging in revenue-generating activities. Most such systems require authorization.
It is important to keep in mind that some software solutions cannot be easily integrated with a domain directory service such as Active Directory. Many services also maintain internal user databases and therefore require separate authentication. Unfortunately, applications that support sign-on options other than password-based authentication are still uncommon.
Password-based authentication, in turn, has several widely known disadvantages:
- You typically learn that a password has been compromised only after a security incident has actually occurred, while intruders do their best to disguise their presence in your IT infrastructure.
- The risk of passwords being stolen and used for malicious activity increases with remote work.
- Passwords are highly vulnerable to social engineering techniques, where users are coerced into directly or indirectly disclosing their password to the intruder.
- Regular users may find it hard to meet all password security requirements, especially when they have to use separate user accounts for different services.
Given the prevalence of broadband Internet access and the growing popularity of remote connections, these disadvantages may turn into a critical vulnerability for both your corporate applications and the company as a whole. After all, if the credentials of one of your accountants fell into the hands of intruders, the implications for your company could be serious, up to and including a total shutdown of its operations.
The range of desktop and web applications can be enormous even within a single industry, which makes developing individual connectors (special modules enabling pass-through authentication) for each target application extremely challenging. This is not an easy task even for the most popular services. Likewise, developing connectors for your custom applications may prove quite expensive, and not many companies can afford it.
Various kinds of software implementing Single Sign-On technology are widely used to provide secure unified authentication across all corporate desktop and web applications. Products of this class are also designed to build centralized authentication and password management systems (with functionality similar to password manager software).
You can build a reliable unified authentication system by using a Single Sign-On product that supports a variety of target desktop and web applications.
Indeed Access Manager features a specialized module, Enterprise Single Sign-On (ESSO), that supports all types of applications. This module enables SSO login by intercepting GUI login and password entry forms and inserting the relevant credentials.
A special utility helps to create an ESSO template for each target application. The template contains application-specific instructions for the ESSO agent: where to enter the credentials and which button(s) to click in order to log in. This means that the system can support almost all types of desktop and web applications with their own authentication systems. The ESSO agent is a client component that can be installed either on a workstation running Microsoft Windows or on a Microsoft Remote Desktop Server.
The scenarios that can be deployed with the Enterprise Single Sign-On software are discussed below.
- Secure remote connection to a single point of entry: MS RDS with a pre-installed ESSO module enables pass-through authentication across all terminal applications.
- Password management for pass-through (transparent) authentication: the module will store your logins and passwords and automatically insert them into relevant fields whenever a desktop or web application is launched.
- Passwords hidden from the user: passwords can be assigned by an administrator or by using an Identity Governance & Administration (IGA) solution.
- Extension of the above scenario: the ESSO module can intercept the GUI password entry forms, automatically insert the old password, generate a new one, insert it into the relevant fields, and “click” the OK button. This way, users will not be able to bypass Indeed AM when logging into an application.
- Strong authentication factors: you can enable various strong authentication methods (from one-time passwords to biometrics) across all scenarios. The hidden password scenario combined with strong authentication for all corporate applications ensures top-level security across your entire IT infrastructure.
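The hidden-password scenario above relies on one property that is easy to get wrong: the credential store must commit a renewed password only after the target application has accepted it, or the store and the application end up disagreeing and the user is locked out. The following model, added here as an illustration and not code from Indeed AM, shows that flow with a constructed stand-in application (`TargetApp`) that has its own user database and password-change form. The application name, user name, initial password and the application's minimum-length rule are all constructed.

```python
import secrets
import string
from typing import Dict, Tuple

# Added example, not Indeed AM code: a model of the hidden-password scenario in which a
# credential store, not the user, owns the application password and renews it at login.
# The application, user name and initial password are constructed.


class TargetApp:
    """Stand-in for an application with its own user database and a password-change form."""

    def __init__(self, username: str, password: str, min_length: int = 12) -> None:
        self._users: Dict[str, str] = {username: password}
        self.min_length = min_length  # the application's own complexity rule

    def login(self, username: str, password: str) -> bool:
        return self._users.get(username) == password

    def change_password(self, username: str, old: str, new: str) -> bool:
        """Succeeds only if the old password is correct and the new one meets the rule."""
        if self._users.get(username) != old or len(new) < self.min_length:
            return False
        self._users[username] = new
        return True


class CredentialStore:
    """Holds per-application passwords on the user's behalf; they are never shown to the user."""

    def __init__(self) -> None:
        self._secrets: Dict[Tuple[str, str], str] = {}

    def enroll(self, app_name: str, username: str, password: str) -> None:
        self._secrets[(app_name, username)] = password

    def login_with_rotation(self, app_name: str, app: TargetApp, username: str,
                            length: int = 20) -> Tuple[bool, bool]:
        """Renew the stored password through the application's own change form, then log in.
        Returns (logged_in, rotated)."""
        old = self._secrets[(app_name, username)]
        alphabet = string.ascii_letters + string.digits + string.punctuation
        new = "".join(secrets.choice(alphabet) for _ in range(length))
        if not app.change_password(username, old, new):
            # The application rejected the change: keep the old secret so the store and the
            # application stay in agreement, and log in with it instead of locking the user out.
            return app.login(username, old), False
        # Persist the new secret only after the application has accepted it.
        self._secrets[(app_name, username)] = new
        return app.login(username, new), True


if __name__ == "__main__":
    store = CredentialStore()
    erp = TargetApp("alice", "initial-Secret-1")           # constructed sample account
    store.enroll("ERP", "alice", "initial-Secret-1")
    print("normal rotation:", store.login_with_rotation("ERP", erp, "alice"))

    strict = TargetApp("alice", "initial-Secret-1", min_length=64)
    store.enroll("StrictApp", "alice", "initial-Secret-1")
    print("rejected rotation:", store.login_with_rotation("StrictApp", strict, "alice"))
```

In the first call the old password stops working once the rotation is committed, so a user who somehow learned it cannot bypass the SSO agent later. In the second call the application rejects the new password, the store keeps the old one, and the login still succeeds; the `rotated` flag is what an administrator would want surfaced as an event, since a long run of failed renewals defeats the purpose of the scenario.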
All ESSO parameters can be customized via access policies. A relevant policy can be applied to a specific unit in your organizational structure (for example, an OU in Active Directory), and the settings for all users located in this unit or its child objects will be aligned with this policy. The scope of a given policy can be fine-tuned by filtering it with user groups.
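To make the policy scoping concrete, here is a small model, added as an example and not Indeed AM's own code, of how a policy linked to an OU reaches every user in that OU or a child OU, how a group filter narrows it, and how the most specific policy wins when several apply. The OU paths, group names, application names, setting keys and the precedence order (group level over application level over the all-applications level, with the policy linked closest to the user's OU winning ties) are assumptions of this model.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Added example, not Indeed AM code: a minimal model of how ESSO access policies scope
# to an organizational unit, inherit down to child OUs, filter by user group and resolve
# by specificity. Setting names, OU paths and group names below are constructed.


@dataclass(frozen=True)
class User:
    name: str
    ou: str                  # DN of the OU the account lives in (child OU listed first)
    groups: FrozenSet[str]


@dataclass(frozen=True)
class Policy:
    name: str
    ou: str                               # OU the policy is linked to
    settings: Dict[str, object]
    application: Optional[str] = None     # None: applies at the "all applications" level
    groups: FrozenSet[str] = frozenset()  # empty: no group filter


def in_scope(policy: Policy, user: User, app: str) -> bool:
    """A policy applies if the user's OU is the policy's OU or one of its descendants,
    the policy targets this application (or all applications), and the group filter,
    if any, matches at least one of the user's groups."""
    if not (user.ou == policy.ou or user.ou.endswith("," + policy.ou)):
        return False
    if policy.application is not None and policy.application != app:
        return False
    if policy.groups and not (policy.groups & user.groups):
        return False
    return True


def specificity(policy: Policy) -> Tuple[bool, bool, int]:
    """Precedence order (an assumption of this model, not documented product behaviour):
    group-level beats application-level beats all-applications; among equals, the
    policy linked closer to the user's OU (deeper DN) wins."""
    return (bool(policy.groups), policy.application is not None, policy.ou.count(","))


def effective_settings(policies: List[Policy], user: User, app: str) -> Dict[str, object]:
    """Merge all in-scope policies from least to most specific, so that the most
    specific value of each setting wins."""
    merged: Dict[str, object] = {}
    for policy in sorted((p for p in policies if in_scope(p, user, app)), key=specificity):
        merged.update(policy.settings)
    return merged


# Constructed sample directory and policies.
DOMAIN = "DC=corp,DC=example"
POLICIES = [
    Policy("Domain default", DOMAIN,
           {"password_mode": "store", "strong_auth": False}),
    Policy("Finance: strong auth", "OU=Finance," + DOMAIN,
           {"strong_auth": True}),
    Policy("ERP: hidden password", DOMAIN,
           {"password_mode": "hidden", "rotate_on_login": True}, application="ERP"),
    Policy("ERP: contractors keep password", DOMAIN,
           {"rotate_on_login": False}, application="ERP", groups=frozenset({"Contractors"})),
]

ALICE = User("alice", "OU=Accounting,OU=Finance," + DOMAIN, frozenset({"Accountants"}))
BOB = User("bob", "OU=Contractors," + DOMAIN, frozenset({"Contractors"}))

if __name__ == "__main__":
    for user in (ALICE, BOB):
        for app in ("ERP", "CRM"):
            print(user.name, app, effective_settings(POLICIES, user, app))
```

Running it shows the inheritance at work: alice, two OUs below the Finance policy, gets strong authentication for every application and the hidden-password mode only for ERP, while bob gets the ERP hidden-password mode but keeps the contractor group's exception to password renewal. When reviewing a real deployment, this is the kind of per-user, per-application resolution worth checking against the intended design before relying on the "users cannot bypass the agent" guarantee.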
- Active Directory
- Microsoft Windows
- Microsoft Remote Desktop Server
Desktop and web application security settings
- Hierarchy: policies applied at the level of all applications, at the level of individual apps, and at the level of user groups
- Password management: password storage only or hidden passwords with password renewal (via the application’s password renewal form)
- Authentication: strong authentication for all applications or pass-through authentication (without using additional authentication factors)
- Biometrics: fingerprints, palm vein pattern, and face geometry (2D and 3D)
- Hardware devices: contactless cards, USB tokens, iButtons, and RFID cards
- One-time passwords: TOTP/HOTP applications, OTP tokens, one-time password delivery via SMS, Telegram and email
- Other methods: push authentication app (Indeed Key)
Third-party tool integration
- Workstation security solutions: Secret Net Studio
- Permission and user account management tools: Solar inRights, 1IDM, Cube, Microsoft FIM, and IBM Tivoli Identity Manager
- Public key infrastructure management tools: Indeed Certificate Manager
- Tools for information security event monitoring and correlation: SIEM solutions