Making the case for Single Sign On (SSO) and Biometric authentication

May 15, 2008

I started to discuss Enterprise Single Sign On (ESSO) with credit unions three years ago, and since then I have been to Burton Group to learn about Identity Management from the inside out. I learned about how I could integrate identity management with existing security practices for “budget constrained” credit unions. The key that I was looking for was a simple, easy, and properly built solution that could be integrated into medium-to-large credit union environments for less than $25,000-$35,000 — including services. I was looking for non-script based and non-programmed solutions since I knew that cost escalation would kill SSO efforts for credit unions very quickly.

Definitions:

Enterprise Single Sign On (ESSO) – ESSO is simple since it is a non-programmed way to handle SSO, thus making it much easier and less complex.

Single Sign On (SSO) – SSO is a programmed method of performing SSO, with the key difference of added functionality to enforce role-based authentication directly inside the applications themselves from the network. This is the Holy Grail – for the big boys and serious budgets!

I look at ESSO as “the poor man’s single sign on”; however, don’t be fooled into thinking ESSO is of lesser quality than SSO. ESSO is incredibly powerful and quite a compelling approach to what I would call “Reduced Sign On” versus “Single Sign On”. Credit unions should consider ESSO/SSO options when experiencing the following problems or increased needs:
1) The help desk has to handle too many password reset requests. I once worked with a credit union that justified the cost on this issue alone.
2) IT (believe it or not) is handling an extraordinary number of passwords.
3) The desire exists to integrate physical and network security (very cool and doable these days).
4) Compliance Drivers, meaning you have a desire to monitor, track and perform forensics on network and application access.
5) A need for increased security due to IT being unable to enforce a demanding password policy.
6) A need for increased security that will not see employees leaving passwords lying around their office on notepads.
In summary, there is the coolness factor to SSO and ESSO, but for me the credit union winning punch here is the compliance win and the ability to integrate biometric authentication with the solution. I am not sure I believe entirely in the concept of SSO, and this is why I like ESSO, since the application still drives the final layer of security.

ESSO has the ability to layer biometrics on top of the authentication, making it an appealing solution since one gains the compliance uplift, plus the added “I know who you are” factor from the biometric standpoint. Ultimately, my vision has always been to concentrate on the directory security needs of an organization. For my credit union clients this is usually accomplished via Microsoft’s Active Directory. From a de-provisioning perspective, it is quite appealing that once a user account is disabled in AD, the user is in effect “locked out” of the network. It is very nice indeed to have every device on the network directory-aware as well. Furthermore, if you are allowing Citrix or another remote access method, this centralized AD security approach works well: once an employee or contractor is terminated, all IT must do is disable the account in AD and the remote access is terminated with it. For credit unions with overburdened IT personnel this makes for simple, effective and clean security.
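The AD-centered de-provisioning step described above, as an added example that is not from the original post or any vendor product: it disables the account, records the group memberships for the compliance trail, strips the memberships so a later accidental re-enable does not quietly restore remote access, and verifies the result. It assumes the ActiveDirectory PowerShell module, an operator account with rights to disable users and edit groups, and an audit log path that is a placeholder.

```powershell
# Added example: minimal AD de-provisioning with an audit trail.
# Assumes the ActiveDirectory module; $AuditLog is a placeholder path.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)][string]$SamAccountName,
    [string]$Reason   = "terminated",
    [string]$AuditLog = "C:\deprov\deprovision.log"
)
Import-Module ActiveDirectory

$user  = Get-ADUser -Identity $SamAccountName -Properties MemberOf, Enabled
$stamp = Get-Date -Format o

# 1. Record group memberships before touching anything; this is the
#    forensic record the compliance driver above asks for.
$groups = Get-ADPrincipalGroupMembership -Identity $user |
    Where-Object { $_.Name -ne 'Domain Users' }
"$stamp $SamAccountName groups-before=[$($groups.Name -join ';')]" |
    Add-Content -Path $AuditLog

# 2. Disable the account. Every directory-aware system (workstations,
#    Citrix, the ESSO client) stops accepting the credential from here on.
if ($PSCmdlet.ShouldProcess($SamAccountName, "Disable-ADAccount")) {
    Disable-ADAccount -Identity $user
    Set-ADUser -Identity $user -Description "Disabled $stamp ($Reason)"
}

# 3. Strip group membership so that re-enabling the account by mistake
#    does not silently hand back remote-access or application rights.
foreach ($g in $groups) {
    if ($PSCmdlet.ShouldProcess($g.Name, "Remove member $SamAccountName")) {
        Remove-ADGroupMember -Identity $g -Members $user -Confirm:$false
    }
}

# 4. Verify the lock-out actually took effect and log the outcome.
if (-not $WhatIfPreference) {
    $after = Get-ADUser -Identity $SamAccountName -Properties Enabled
    "$stamp $SamAccountName enabled-after=$($after.Enabled)" |
        Add-Content -Path $AuditLog
    if ($after.Enabled) { throw "Account $SamAccountName is still enabled" }
}
```

Run it with -WhatIf first to see which groups would be removed; any application that keeps its own local password store is not covered by this and needs its own de-provisioning step.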
