Recently Blog Entries
- Why Your Kanban Workflow Should Be More Than “In Progress”
- Two Questions to Help You Understand if You’re Doing Kanban
- Spike Abuse
- My Latest Article on Agile and Security
- Essentials of the Scaled Agile Framework
- A Possible Solution to the Issue of Test Data
- Project Sauron: A Long-lived, Stealthy and Likely State-sponsored Malware
- CCTV cameras used in massive botnet
- Sprint Planning: The Case for Finishing What You Start
- Scrum Retrospectives: Start, Stop… Continue? One of these things is not like the others…
Subscribe
RSS
Categories
Polls
Loading ...
Archives
- May 2017
- April 2017
- September 2016
- August 2016
- June 2016
- May 2016
- April 2016
- March 2016
- February 2016
- January 2016
- December 2015
- October 2015
- September 2015
- July 2014
- January 2014
- March 2013
- February 2013
- January 2013
- December 2012
- July 2012
- May 2012
- April 2012
- January 2012
- November 2011
- October 2011
- September 2011
- August 2011
- April 2011
- October 2010
- August 2010
- July 2010
- June 2010
- May 2010
- March 2010
- February 2010
- January 2010
- December 2009
- November 2009
- October 2009
- September 2009
- August 2009
- July 2009
- June 2009
- May 2009
- April 2009
- March 2009
- February 2009
- December 2008
- November 2008
- September 2008
- July 2008
- June 2008
- May 2008
- April 2008
- March 2008
- February 2008
- January 2008
Admin
Search
Feb
14
Corporate IT departments are incorporating a new way of meeting corporate IT needs, called Software as a Service (SaaS). SaaS promises outsourced application management, reduced infrastructure costs, and easily terminated services if needs change. Whether SaaS delivers on these promises is the subject of another post, but it’s certain that SaaS presents some compelling reasons, to both the providers and consumers of services, to adopt cross-domain single-sign on (SSO).
The SaaS Model
SaaS was popularized by services such as SalesForce.com, and has been making slow and quiet inroads into the corporate environment. The fundamental SaaS business proposition is this: rather than purchase a software package and install it within the corporate enterprise, I lease access to the services provided by the software on a month-to-month or yearly basis. For me as consumer, this has a number of attractive features:
- It eliminates my need to buy hardware to host the application, it’s hosted by the provider
- It eliminates my need to maintain the hardware as well
- I don’t have to hire administrators to manage the application, it’s managed by the provider
- I don’t have to come up with a large initial investment, SaaS licensing costs are typically modest when compared to traditional licensing fees
- I can discontinue my use of the product at any time, should the product either not meet my needs, or if my needs change
This business vision is compelling, but SaaS presents challenges around security, challenges to both the provider and the consumer of the services. These challenges are best answered by the use single sign-on, where the user’s credentials are managed by the consumer rather than the provider of services.
Single Sign-On
Single sign-on allows users to enter their credentials once (at the start of the day) and then have systems coordinate so that the user’s identity is passed from one system to the next. Single sign-on solutions are built on trust relationships between systems. Users aren’t asked to enter their logins and passwords again, the systems keep track of who they are.
SSO has been around for a while now, probably the best known systems being CA’s Siteminder, Oracle’s CoreID, and IBM’s Tivoli Identity Manager. There are also a couple of interoperability standards in play as well as pure proprietary solutions, OASIS’ Security Assertion Markup Language (SAML) and OpenID.
I blogged earlier about the addition of some large players to the OpenID board, which makes it an interesting protocol to consider, and I provided a custom implementation of the OASIS Security Assertion Markup Language (SAML) for a company that was providing business-to-business services on line over the Internet. I also wrote an article for CSO Magazine’s online column Caveat in 2006, explaining the fundamentals. Beware of that article, it’s dense reading: there was a word limit, and lots of facts to get across.
To date, single sign-on solutions have not gained widespread adoption because they didn’t really provide a compelling business proposition. The advent of Sarbanes-Oxley in the United States has provided some incentive to implement SSO, as it mandates strong controls on access to information, and this is most easily achieved with SSO in place. The move towards SaaS provides organizations moving this way with compelling reasons for single sign-on as well.
SaaS Consumers Want SSO
SaaS presents security professionals within the business with a new spin on existing challenges. Security professionals talk about two concepts: authentication and authorization. Authentication is the process of proving a user is who they say they are. Users present some form of credentials to authenticate themselves. In many enterprises, these credentials are your login and a password.
User authentication credentials are one of the most important things that an IT department manages. The logins and passwords, or other authentication components are literally the keys that unlock information within the enterprise. It’s no surprise that IT departments want to exercise strict control over these credentials. This includes enforcing such things as
- how often a password must be changed
- how soon a password can be changed again
- how complicated it has to be
- whether you can reuse a password, and how soon
- whether it can be a dictionary word
IT departments don’t want to provide copies of the authentication database to anyone, even their own employees, let alone an outside provider of services. Providing this information to anyone is asking that they abuse it, and the right to access it is usually extremely limited.
IT departments want to be able to quickly and easily remove access for an employee who no longer needs it, for whatever reason.
All of this argues for these departments keeping close control over this information, and so it would be much simpler for the consumer if the SaaS service provider simply could accept their assurances that a user is authenticated, and to allow the consumer to provide what their rights are. This is the definition of single sign-on.
Service Providers Want SSO
SaaS providers also want single sign-on, for many of the same reasons that subscribers do, and some additional reasons of their own.
While providers could create their applications with all the same sorts of rules around password complexity, reuse and other controls that we outlined above, frankly those are a lot of rules, with a lot of permutations to get right. That increases the risk to their product, and in turn increases their liability should they get something wrong in the implementation. Then there’s always that next subscriber, with yet another control that you don’t already have, such as “password must contain mixed case” or “password must contain at least one non-letter”. Since the subscriber has already implemented these rules for themselves, and they want to take responsibility for authenticating their employees, better to let them.
As we already mentioned, IT departments are justifiably hesitant to provide copies of their database of authentication credentials. It simply runs against the grain for a corporate security officer to allow a complete copy of their authentication information out the door, under any circumstances. It’s like sending someone a copy of all the keys to your building. Implementing an SSO solution makes this unnecessary.
Finally, without an SSO solution, the SaaS provider faces a significant challenge in trying to synchronize their subscriber’s database (all of their subscribers’ databases, in all the various forms they can take) with their own database of users, and to keep it up to date with regular additions, terminations, and changes in access rights. This challenge is fraught with peril, and there is a much easier way, let the subscriber manage the information.
Single sign-on is a nice tool for an enterprise, in the sense of “that’s nice, but do we really need it”? Once that enterprise starts to use SaaS, single sign-on moves from a nice tool to an essential one. Without it, you’re only making life difficult for yourself and your subscribers.
Comments
1 Comment »
Blogroll
- Ars Technica
- Dark Reading - IT Security
- Help Net Security
- InformIT
- SANS Internet Storm Center
- Schneier on Security - Dr. Bruce Schieier’s blog
- Security Info Watch
- What to Fix - Daniel Markham, fellow consultant
- Wired Gadget Lab
- Wordpress Documentation
- WordPress Planet
- Wordpress Support Forum
Heck, employees want SSO. All those bullet-tick requirements for passwords, combined with an ever-increasing number of things wot want authentication means that some employees will spend literally hours several times a year just changing passwords, and (the worst of all possible sins) writing them down as there’s no possibly way to remember 20 different passwords on different systems and applications, some of which may not have been touched since the LAST password dance. As a wild guess, any corporation that can manage to roll ALL of its authentication into a single system will probably end up saving at least a man-day per employee of time spent otherwise dealing with passwords, including remembering, resetting, changing and updating password-related documentation.