How to Use Single-Sign-On Solutions to Your Advantage

Posted by Sabrina Sturm Tue, 26 Jun 2012 07:11:00 GMT

Hardly a day passes without talk of data security, data protection, compromised servers or stolen data. It therefore becomes more and more important for companies to spend time discussing how to specifically improve their own IT security.

Even though the topic of Single-Sign-On often sparks controversy, experts already agree: correctly implemented, SSO solutions offer a great plus in security for companies.

Single-Sign-On solutions allow access to all services and applications via a single login (one-time user authentication), provided the user holds the general entitlement for access. After this one-time authentication, the SSO solution is responsible for authenticating the user at any other service or application. A separate username and password for each program is therefore no longer needed. The following article illuminates the pros and cons of SSO solutions and discusses in more detail the possibility of Single-Sign-On with Kerberos.

Single-Sign-On with Kerberos

Kerberos is named after the hellhound Kerberos of Greek mythology; in the Homeric epics he is described as (quote):

"Even the Kerberos I saw, with biting teeth armed, evil he rolls his eyes, guarding the maw of Hades. Dare one of the dead sneak past him, so he buries his teeth deeply and painfully into the flesh of the fleeing and drags them back in agony, the evil, biting guard."

Single-Sign-On with Kerberos is widespread, since it enables a secure one-time login over an insecure TCP/IP network. To do so, a Kerberos server is needed. Once it is in place, the client is authenticated to the server, the server to the client, and the Kerberos server to both the client and the server. Man-in-the-middle attacks (an intruder inserts himself into a communication connection, placed between both sides, and is able to manipulate the communication) are thereby successfully prevented.
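To make the mutual authentication described above concrete, the following is an added, deliberately simplified model of a Kerberos-style ticket exchange; it is example code, not HOB's software or the real Kerberos protocol. The KDC ("Kerberos server") shares a long-term key with each principal; the toy encrypt-then-MAC construction, the principal names, the password and the ticket lifetime are all constructed for the example.

```python
import hashlib, hmac, json, os, time

def _ks(key, nonce, n):  # SHA-256 counter keystream (toy stand-in for Kerberos' AES encryption types)
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key, obj):
    """Encrypt-then-MAC a JSON object: nonce || ciphertext || HMAC tag (toy construction)."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _ks(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad MAC: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _ks(key, nonce, len(ct)))))

# Long-term keys shared with the KDC (constructed values; the client's is derived from its password).
KDC_KEYS = {"erich": hashlib.sha256(b"erich-password").digest(), "fileserver": os.urandom(32)}

def kdc_issue(client, service):
    """KDC reply: session key readable only by the client, ticket readable only by the service."""
    sk = os.urandom(32).hex()
    ticket = seal(KDC_KEYS[service], {"client": client, "sk": sk, "exp": time.time() + 300})
    return seal(KDC_KEYS[client], {"sk": sk, "ticket": ticket.hex()})

def client_request(client, client_key, reply):
    """Client opens the KDC reply (possible only with its own key) and builds ticket + authenticator."""
    r = unseal(client_key, reply)
    sk, ts = bytes.fromhex(r["sk"]), int(time.time())
    return sk, ts, {"ticket": bytes.fromhex(r["ticket"]), "auth": seal(sk, {"client": client, "ts": ts})}

def service_accept(service_key, req, skew=120):
    """Service checks ticket and authenticator, then proves itself by returning ts + 1."""
    t = unseal(service_key, req["ticket"])              # only the real service holds this key
    a = unseal(bytes.fromhex(t["sk"]), req["auth"])     # client proved it knows the session key
    if a["client"] != t["client"] or t["exp"] < time.time() or abs(time.time() - a["ts"]) > skew:
        raise ValueError("rejected: name mismatch, expired ticket or stale authenticator")
    return seal(bytes.fromhex(t["sk"]), {"ts": a["ts"] + 1})

def client_verify(sk, ts, resp):
    """Mutual authentication: an impostor without the service key cannot produce this reply."""
    return unseal(sk, resp)["ts"] == ts + 1
```

The three parties never send a password over the network: the client proves itself by being able to open the KDC reply, the service by being able to open the ticket, and an intermediary that holds neither key can forward messages but not read or forge them.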

Limitations 

  • “One-for-All” principle
    • Should an attacker succeed in obtaining a user's login data, he can access the whole system, not just part of it.
    • But: without Single-Sign-On, most users use the same password for their applications and services anyway, so the potential hazard is only slightly increased. By comparison, a Single-Sign-On account is fast to block. A good company policy requires regular password changes.
  • 24/7 availability
    • The availability of services and applications depends not only on their own availability, but also on the availability of the SSO service. Corresponding redundancies should therefore exist to be completely safe.

Pros

Effectiveness

  • Enhanced productivity of employees
    • Working processes are not interrupted by constant logins. If an employee works with various systems, filling in passwords and usernames can consume an unbelievable amount of time.
  • Simple administration for IT administrators
    • Only one user account per employee needs to be managed, changed or deleted. This is an easy and fast way to prevent errors.
  • Reduced time and cost for the help desk
    • Employees only need to remember one password and therefore contact the help desk less often for password issues or other difficulties.

Security

  • Higher level of security through a single password
    • Users who have to remember ten or more passwords tend to write them down on little yellow sticky notes, post them on their monitor and, moreover, choose fairly simple user IDs.
  • Phishing attacks become harder
    • The password is only typed in once, at one location, which greatly decreases the risk of users typing their password into a “wrong” page and becoming victims of phishing attacks.
  • Uniform authentication system
    • Kerberos SSO is platform- and system-independent and guarantees homogeneous company-wide authentication. Clearly a plus for security.

Conclusion

HOB is convinced of the utility of the Kerberos Single-Sign-On solution. Therefore, most HOB solutions support this method of authentication.

Kerberos Single-Sign-On is a great way to enhance the security of a company’s IT. Even though there are some downsides, it is still possible to eliminate them (nearly) completely by taking certain measures. The advantages can be clearly stated: more time, higher productivity and a plus in security! When weighing the pros and cons of Kerberos Single-Sign-On, it should not be forgotten that an authentication system without SSO is not free of weaknesses, either.

Overall, you are doing your employees a big favor, since one password is way easier to remember than multiple ones. And a result like the one in the following cartoon is something no one is willing to risk :)

"Hello my name is Erich and I forgot my password."
"Hello, Erich!"
