General security

Identity Management and Access Control in a Single Sign-on Environment

Stuart Gentry
October 11, 2013 by
Stuart Gentry

In this article you will learn the following information:

  1. How businesses manage electronic identities and provide access control to their employees, customers, and, potential partners in a single-sign-on (SSO) environment.
  2. Definition of identity management.
  3. Quick overview of SSO planning.
  4. Peek at a success story from John Hopkins University.
  5. Look at security set ups for the SSO environment offered in a VMWare environment and a brief look at Microsoft's take on SSO security.
  6. Discuss, in general, how open source solutions compare to commercial solutions.
  7. Review a list of some potential problems encountered with the SSO environment.

So let's get started:

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

Wikipedia defines identity management as, "...the management of individual identities, their authentication, authorization, roles, and privileges within or across system and enterprise boundaries with the goal of increasing security and productivity while decreasing cost, downtime, and repetitive tasks." In a nutshell, a business needs to be able to authenticate and authorize a user according to the role they play in an organization and assign them the least amount of privileges to do their job.

The first step, is planning for the SSO with employees, infrastructure, and partners (present or future) in mind. The plan also needs to outline all of the requirements for accessing resources including security and access control in the whole picture. Once the plan is outlined, the business needs to look at the current resources and see what voids need to be filled.

Once the business has selected a software solution, the IT team should have done a small test on the solution to ensure they have a suitable product for implementation. A success story from Johns Hopkins University states how the SSO environment improved their care and response times in the health care world. The IT team that implemented the technology learned throughout the process and how to "shadow" or meet later with the staff to understand what was and was not working.

Doing backups on the SSO server with off-line storage is a brilliant idea in case the server gets hacked, then restoring of data should only be a matter of time. At the same time, creating multiple SSOs is a good thought in case one SSO goes down ordinarily causing a denial of service. Kendrick Coleman has a good article on setting up this type of SSO environment with virtual machines. The article elaborates on the capabilities of vCenter which includes addressing the issue of passwords. The vCenter console allows the SSO administrator to set a number of parameters on passwords including 1) The lifetime of the password; 2) The number of passwords a user can reuse; and 3) The maximum length of the password.

Access control in vCenter is done by grouping users into one of three categories: Guest user, Regular user, and Administrative user. The Guest user is only allowed to change their password. Regular users can do small edits like email addresses and looking at users in the directory. The administrative user can modify anything on the SSO server.

Microsoft describes the set up for one of the key pieces of the SSO security, the "master secret server" and they also offer security tips on their website. A couple of these security tips include locking down and securing the "master secret server" and having strong passwords for the SSO administrators and their group.

Seeing the big names like VMWare and Microsoft makes a boss realize one of the nice things about commercial set ups is if you don't quite understand things, you can call someone since the business paid for it. Open source solutions can be difficult to obtain support or to hire a credentialed consultant.

Of course, like all technology, nothing is 100% secure and, what seems easy can end up being close to a nightmare. Some of the issues with implementing a single-sign-on solution include de-provisioning user accounts when the user leaves the company; considering the infrastructure where SSO will be implemented; and thinking SSO is the "end-all be-all" solution.

De-provisioning user accounts sounds fairly easy, but when thinking about the workload for the system administrators, de-provisioning could take a while or get skipped over completely. So, this can be a big security issue.

If the infrastructure is not too compatible with the SSO solution, that will delay progress with implementation. It is recommended that there be an 80/20 solution; meaning 80% of the business's infrastructure should be easily compatible (automatically) and the other 20% will require some work to make it compatible.

So, if the infrastructure is not too compatible, that typically means SSO is not the "Be-all end-all" solution. This means the business will need to prioritize their "needs" and "wants" for SSO and go from there.

In conclusion, we have looked at the definition of identity management and we took a brief look at a success story from John Hopkins University. Then, we examined some security set ups for the SSO environment offered in a VMWare environment and Microsoft's take on SSO security. There was a brief comparison between commercial and open source solutions and we also looked at problems in setting up the SSO environment. In the SSO world, there are some success stories out there, but expectation management is crucial to understanding that SSO may not be everything one wants.

References:

Kendrickcoleman.com, Multiple vCetner servers SSO and how to design for failure. Retrieved from http://kendrickcoleman.com/index.php/Tech-Blog/multiple-vcenter-servers-sso-and-how-to-designforfailure.html.

Msdn.microsoft.com, SSO Security Recommendations. Retrieved from http://msdn.microsoft.com/en-
us/library/aa560954.aspx.

Searchhealthit.bitpipe.com, Best Practices: Single Sign-On Drives Productivity, Security, and Adoption When Used with EHR at The Johns Hopkins Hospital. Retrieved from http://searchhealthit.bitpipe.com/data/demandEngage.action?resId=1364231992_846&fulfilled=true

http://en.wikipedia.org/wiki/Identity_management

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

http://en.wikipedia.org/wiki/Identity_management.

Stuart Gentry
Stuart Gentry

Stuart Gentry is an InfoSec Institute contributor and computer security enthusiast/researcher. He holds a Master's degree in Information Assurance with GSEC and GCIH certifications. He has been interested in hacking since 1984 and has become more focused in software reverse engineering and malware research since September 2011. Stuart is always looking to learn new coding languages and exploitation methods. Contact Stuart via email at gentry_s1@yahoo.com or LinkedIn at www.linkedin.com/in/stuartgentry.