single signon software solutions from OSM

Single signon emulation by means of password synchronization

Scope

This page discusses the call to provide single signon facilities as support for easy yet controlled access to complex enterprise infrastructures, and the need for them to be an integral part of an enterprise's user management procedures. In the real world, password synchronization is an alternative to single signon when used for managing the security of single or multiple enterprise business applications running on a large, multi-user IT service supported by a Unix and Windows infrastructure.

The single signon problem

Organizations rely upon their workforces interacting with computers. The proportion of the workforce having access to business critical software continues to increase as does the number of applications to which those users must have access.

In the past, a user may have required access to a single application residing on a single system. Now, a user may have to be registered on a number of different servers of different operating system types, various databases and multiple business applications. Registration of each user with each facility is needed to control and prevent unauthorized access.

The problem is made worse by staff moving within the organization, which demands the modification of access rights and the creation of new ones. Add factors such as the global distribution of systems, the disabling (closing) of accounts for those leaving the organization and the everyday issues of forgotten passwords, temporary staff, new applications and new systems, and the problem is evident.

Applications consist of several layers - for example an ERP package may require access to a UNIX database server, Windows application servers, an ORACLE database and the ERP package itself. Ensuring a user population has reliable and continuous access to applications and their supporting operating systems is therefore vital. Yet such access must be properly controlled.

Security considerations

Most security problems are caused by staff rather than those outside the organization, so this must be addressed first. The ideal solution is one package which supports the administration of both the user population and their security profiles at the same time.

From time to time, operating systems and applications will enforce password changes; passwords may also be forgotten. For each of these occasions, users must remember many different passwords and associated login-names. This need usually results in the use of a note with all the login names and passwords written down, a security risk in itself, or in a call to the help desk to get forgotten passwords reset.

It would be much better if each user could maintain one password for use across all the facilities to which she/he needs access. Password synchronization is a "must have" for the modern, complex environment, and is the pragmatic alternative to the ideal.

In addition to the large community of application users, the smaller class of privileged users (commonly system administrators) presents its own problems, for which single signon software should be the solution. Privileged users frequently have unrestricted access to resources and data and, yet more problematic, their activities are neither monitored nor recorded for possible auditing. At the same time, they often need to be able to turn their attention rapidly from machine to machine. OSM supplies software products which close this gap. See also www.cosduty.com.


(c) Copyright 2004 www.cosuser.com