Open Standard Authentication in the Enterprise, Part 3
In the previous post we started to discuss different SSO solutions. This post covers another common SSO approach.
Current Solutions
Federal Agencies employ two primary strategies to provide Single Sign On across multiple Domains, Applications and across Agency boundaries:
- Application Resource Forests (covered in the previous post);
- Password synchronization across different directories.
Password Synchronization Across Different Directories
Federal Agencies are evaluating and implementing solutions that synchronize user passwords between different directories and authentication sources. Once implemented, such a solution can provide, for example, the following functionality: after a user or the help desk changes or resets the password on an Active Directory user account, the new password is replicated to the mainframe-based account for the same user. The benefit is evident; the user does not need to remember two passwords and does not need to change his or her password in the other directory sources.
At the same time there are multiple short term and long term issues with this approach, to name a few:
- This solution does not address the root of the problem: it does not eliminate multiple passwords, and it does not modernize applications that use their own proprietary authentication mechanisms or separate authentication directories. While it might provide short-term benefits by reducing the number of password-related help desk issues, in the long run it will not lead to the next-generation architecture and can actually be a limiting factor in the adoption of new technologies;
- Capturing passwords on the desktop or at the server and then synchronizing them to other directories is fundamentally not a secure solution. The password is exposed in plaintext at the moment of entry, while it is stored by the synchronization component, and while it is transmitted to the connected directories, and attacks against any of those three points can capture it;
- Password synchronization does not lead to an SSO solution with Strong Authentication via PIV. Authentication with PIV does not use UserID/password combinations, so synchronizing passwords would do little good;
- Desktop password synchronization solutions introduce an extra layer of security-sensitive software on each desktop. Any new patches, software updates, and service packs may introduce incompatibility issues with that software and thereby reduce the Agency's security posture; and,
- A password synchronization solution does not prepare Agency applications for Private Cloud or Public Cloud initiatives.
A password synchronization solution does not address the main long-term requirements specified in part 1 of this series. It doesn't provide any new capability for PIV authentication. It does not prepare internal applications for Private or Public Clouds, and, in the long term, it does not lead to a significant simplification of identity management across multiple directory sources.
In summary, password synchronization solutions should be considered a short-term solution and carefully evaluated for ROI before implementation in the production environment.