access control software solutions from OSM

Access control by means of password synchronization

Scope

This page discusses the need for access control software to be an integral part of an enterprise's user management facilities. Access control software includes password synchronization as an alternative to single sign-on when used to manage the security of one or more enterprise business applications in a large, multi-user IT service supported by a Unix and Windows infrastructure.

The problem

The proportion of the workforce having access to business critical software continues to increase as does the number of applications to which those users must have access.

In the past, a user may have required access to only one application residing on a single system. Now, a user may have to be registered on a number of different servers, operating system types, databases and business applications. Registration of each user with each facility is needed to control and prevent unauthorized access.

The problem is made worse by staff moving within the organization, which demands both modified access rights and new ones. Add factors such as the global distribution of systems, the disabling (closing) of accounts for those leaving the organization and the everyday issues of forgotten passwords, temporary staff, new applications and new systems, and the problem is evident.

Applications comprise several layers - for example an ERP package may require access to a UNIX database server, Windows application servers, an ORACLE database and the ERP package itself. Ensuring a user population has reliable and continuous access to applications and their supporting systems is therefore vital. Yet such access must be properly controlled.

Security considerations

So, the problem remains of preventing registered users from accessing facilities to which they have no right, and of preventing any access by non-registered users including those from outside the enterprise.

Most security problems are caused by staff rather than those outside the organization, so this must be addressed first. The ideal solution is a single package which supports the administration of both the user population and their security profiles at the same time.

From time to time, operating systems and applications will enforce password changes; passwords may also be forgotten. On each of these occasions, users must remember many different passwords and associated login-names. This need usually results in the use of a note with all the login names and passwords written on it, a security risk in itself, or in a call to the help desk to get forgotten passwords reset.

It would be much better if each user could maintain a single password for use across all the facilities to which she/he needs access. Password synchronization is a "must have" for the modern, complex environment, and is the pragmatic alternative to the ideal of a single sign-on mechanism.

(c) Copyright 2004 www.cosuser.com