Identity Management and Access Control in a Single Sign-on Environment
In this article you will learn the following information:
- How businesses manage electronic identities and provide access control to their employees, customers, and, potential partners in a single-sign-on (SSO) environment.
- Definition of identity management.
- Quick overview of SSO planning.
- Peek at a success story from John Hopkins University.
- Look at security set ups for the SSO environment offered in a VMWare environment and a brief look at Microsoft's take on SSO security.
- Discuss, in general, how open source solutions compare to commercial solutions.
- Review a list of some potential problems encountered with the SSO environment.
So let's get started:
What should you learn next?
Wikipedia defines identity management as, "...the management of individual identities, their authentication, authorization, roles, and privileges within or across system and enterprise boundaries with the goal of increasing security and productivity while decreasing cost, downtime, and repetitive tasks." In a nutshell, a business needs to be able to authenticate and authorize a user according to the role they play in an organization and assign them the least amount of privileges to do their job.
The first step, is planning for the SSO with employees, infrastructure, and partners (present or future) in mind. The plan also needs to outline all of the requirements for accessing resources including security and access control in the whole picture. Once the plan is outlined, the business needs to look at the current resources and see what voids need to be filled.
Once the business has selected a software solution, the IT team should have done a small test on the solution to ensure they have a suitable product for implementation. A success story from Johns Hopkins University states how the SSO environment improved their care and response times in the health care world. The IT team that implemented the technology learned throughout the process and how to "shadow" or meet later with the staff to understand what was and was not working.
Doing backups on the SSO server with off-line storage is a brilliant idea in case the server gets hacked, then restoring of data should only be a matter of time. At the same time, creating multiple SSOs is a good thought in case one SSO goes down ordinarily causing a denial of service. Kendrick Coleman has a good article on setting up this type of SSO environment with virtual machines. The article elaborates on the capabilities of vCenter which includes addressing the issue of passwords. The vCenter console allows the SSO administrator to set a number of parameters on passwords including 1) The lifetime of the password; 2) The number of passwords a user can reuse; and 3) The maximum length of the password.
Access control in vCenter is done by grouping users into one of three categories: Guest user, Regular user, and Administrative user. The Guest user is only allowed to change their password. Regular users can do small edits like email addresses and looking at users in the directory. The administrative user can modify anything on the SSO server.
Microsoft describes the set up for one of the key pieces of the SSO security, the "master secret server" and they also offer security tips on their website. A couple of these security tips include locking down and securing the "master secret server" and having strong passwords for the SSO administrators and their group.
Seeing the big names like VMWare and Microsoft makes a boss realize one of the nice things about commercial set ups is if you don't quite understand things, you can call someone since the business paid for it. Open source solutions can be difficult to obtain support or to hire a credentialed consultant.
Of course, like all technology, nothing is 100% secure and, what seems easy can end up being close to a nightmare. Some of the issues with implementing a single-sign-on solution include de-provisioning user accounts when the user leaves the company; considering the infrastructure where SSO will be implemented; and thinking SSO is the "end-all be-all" solution.
De-provisioning user accounts sounds fairly easy, but when thinking about the workload for the system administrators, de-provisioning could take a while or get skipped over completely. So, this can be a big security issue.
If the infrastructure is not too compatible with the SSO solution, that will delay progress with implementation. It is recommended that there be an 80/20 solution; meaning 80% of the business's infrastructure should be easily compatible (automatically) and the other 20% will require some work to make it compatible.
So, if the infrastructure is not too compatible, that typically means SSO is not the "Be-all end-all" solution. This means the business will need to prioritize their "needs" and "wants" for SSO and go from there.
In conclusion, we have looked at the definition of identity management and we took a brief look at a success story from John Hopkins University. Then, we examined some security set ups for the SSO environment offered in a VMWare environment and Microsoft's take on SSO security. There was a brief comparison between commercial and open source solutions and we also looked at problems in setting up the SSO environment. In the SSO world, there are some success stories out there, but expectation management is crucial to understanding that SSO may not be everything one wants.
References:
Kendrickcoleman.com, Multiple vCetner servers SSO and how to design for failure. Retrieved from http://kendrickcoleman.com/index.php/Tech-Blog/multiple-vcenter-servers-sso-and-how-to-designforfailure.html.
Msdn.microsoft.com, SSO Security Recommendations. Retrieved from http://msdn.microsoft.com/en-
us/library/aa560954.aspx.
Searchhealthit.bitpipe.com, Best Practices: Single Sign-On Drives Productivity, Security, and Adoption When Used with EHR at The Johns Hopkins Hospital. Retrieved from http://searchhealthit.bitpipe.com/data/demandEngage.action?resId=1364231992_846&fulfilled=true
http://en.wikipedia.org/wiki/Identity_management
What should you learn next?
http://en.wikipedia.org/wiki/Identity_management.
In this Series
- Identity Management and Access Control in a Single Sign-on Environment
- Free Valentine's Day cybersecurity cards: Keep your love secure!
- How to design effective cybersecurity policies
- What is attack surface management and how it makes the enterprise more secure
- Is a cybersecurity boot camp worth it?
- The aftermath: An analysis of recent security breaches
- Understanding cybersecurity breaches: Types, common causes and potential risks
- Breaking the Silo: Integrating Email Security with XDR
- What is Security Service Edge (SSE)?
- Cybersecurity in Biden’s era
- Password security: Using Active Directory password policy
- Inside a DDoS attack against a bank: What happened and how it was stopped
- Inside Capital One’s game-changing breach: What happened and key lessons
- A DevSecOps process for ransomware prevention
- What is Digital Risk Protection (DRP)?
- How to choose and harden your VPN: Best practices from NSA & CISA
- Will immersive technology evolve or solve cybercrime?
- Twitch and YouTube abuse: How to stop online harassment
- Can your personality indicate how you’ll react to a cyberthreat?
- The 5 biggest cryptocurrency heists of all time
- Pay GDPR? No thanks, we’d rather pay cybercriminals
- Customer data protection: A comprehensive cybersecurity guide for companies
- Online certification opportunities: 4 vendors who offer online certification exams [updated 2021]
- FLoC delayed: what does this mean for security and privacy?
- Stolen company credentials used within hours, study says
- Don’t use CAPTCHA? Here are 9 CAPTCHA alternatives
- 10 ways to build a cybersecurity team that sticks
- Verizon DBIR 2021 summary: 7 things you should know
- 2021 cybersecurity executive order: Everything you need to know
- Kali Linux: Top 5 tools for stress testing
- Android security: 7 tips and tricks to secure you and your workforce [updated 2021]
- Mobile emulator farms: What are they and how they work
- 3 tracking technologies and their impact on privacy
- In-game currency & money laundering schemes: Fortnite, World of Warcraft & more
- Quantitative risk analysis [updated 2021]
- Understanding DNS sinkholes - A weapon against malware [updated 2021]
- Python for network penetration testing: An overview
- Python for exploit development: Common vulnerabilities and exploits
- Python for exploit development: All about buffer overflows
- Python language basics: understanding exception handling
- Python for pentesting: Programming, exploits and attacks
- Increasing security by hardening the CI/CD build infrastructure
- Pros and cons of public vs internal container image repositories
- CI/CD container security considerations
- Vulnerability scanning inside and outside the container
- How Docker primitives secure container environments
- Top 4 Zapier security risks
- Common container misconfigurations and how to prevent them
- Building container images using Dockerfile best practices
- Securing containers using Docker isolation
- Introduction to container security
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
General security
Free Valentine's Day cybersecurity cards: Keep your love secure!
General security
General security