Integrating Password Management with Enterprise Single Sign-On

Transcription

1 Integrating Password Management with Enterprise Single Sign-On 2016 Hitachi ID Systems, Inc. All rights reserved.

2 Contents 1 Introduction 1 2 Background: one problem, two solutions The Problem Password synchronization and password reset Password synchronization Self-service password reset and unlock Enterprise single sign-on Strengths and weaknesses 5 4 Deployment Password synchronization Self-service password reset Enterprise single sign-on Motivation for a combined solution 9 6 Interoperability challenges and integration approaches Password reset and E-SSO Password synchronization and E-SSO Summary 11 i

3 1 Introduction This document compares two product categories that address the same business problem: password complexity. The two types of products are: 1. password synchronization and reset, and 2. enterprise single sign-on. It goes on to offer rationale for some organizations to deploy both types of technologies, and discusses integration challenges and solutions. This document is organized as follows: Background: one problem, two solutions The business problems caused by password complexity are described, and two alternate solutions to address these problems are explained. Strengths and weaknesses The strengths and weaknesses of three technologies designed to address password complexity are reviewed. Deployment Identifies the major tasks that must be accomplished in order to deploy each of the three technologies. Motivation for a combined solution Business drivers for deploying a combination of solutions are laid out. Interoperability challenges and integration approaches Password reset and enterprise single sign-on technologies can interfere with one another. Similarly, password synchronization and enterprise single sign-on technologies can conflict. Integrating the technologies is essential to eliminating these conflicts. Hitachi ID Password Manager supports both lightweight and full integration with enterprise single sign-on systems Hitachi ID Systems, Inc. All rights reserved. 1

4 2 Background: one problem, two solutions 2.1 The Problem Passwords present a number of problems for organizations: 1. Users have too many passwords, and have a hard time remembering them all. 2. Password management is exacerbated when different passwords expire on different schedules, are changed via different user interfaces and are subject to different policies. Users respond to these problems by 1. Choosing trivial (and insecure) passwords. 2. Avoiding password changes. 3. Writing down their passwords, effectively reducing logical security to be equal to physical security. Users often forget their passwords or mistype them, creating high IT support call volumes at the help desk this is both inconvenient for users and costly for the organization. The impacts of poor password management are: 1. User frustration. 2. High IT support cost. 3. Weak authentication. 2.2 Password synchronization and password reset A popular approach to tackle password problems is to synchronize different passwords, so a user only has to remember one, and empower users to reset forgotten passwords or clear intruder lockouts on their own, without calling the help desk. Hitachi ID Password Manager offers these capabilities Password synchronization Password synchronization is any process or technology that helps users to maintain a single password, subject to a single security policy, across multiple systems. Password synchronization is an effective mechanism for addressing password management problems in medium to large organizations: 2016 Hitachi ID Systems, Inc. All rights reserved. 2

5 Users with fewer passwords tend to remember them. Simpler password management means fewer problems and fewer help desk calls. Users with fewer passwords are less likely to write them down. There are two ways to implement password synchronization: Transparent password synchronization, where native password changes, that already take place on a common system (example: Active Directory) are automatically propagated through the password management system to other systems and applications. Web-based password synchronization, where users are asked to change all of their passwords at once, using a web application Self-service password reset and unlock Self-service password reset is defined as any process or technology that allows users who have either forgotten their password or triggered an intruder lockout to authenticate with an alternate method and repair their own problem, without calling the help desk. Users who have forgotten their password or triggered an intruder lockout may launch a self-service application using an extension to their PC login prompt, using their own or another user s web browser, using an app on their smart phone or through a telephone call. Users establish their identity, without using their forgotten or disabled password, by entering a PIN sent to their phone, by answering a series of personal questions, using a hardware authentication token or by providing a biometric sample. Users then either select a new password or just clear a lockout on their account. Self-service password reset expedites problem resolution for users and reduces help desk call volume. It can also be used to ensure that password problems are only resolved after strong user authentication, eliminating an important weakness of many help desks: social engineering attacks. One of the core features of Hitachi ID Password Manager from Hitachi ID Systems is self-service password reset. 2.3 Enterprise single sign-on Enterprise single sign-on (E-SSO) systems minimize the number of times that a user must type their ID and password to sign into applications. Most enterprise single sign-on systems work as follows: E-SSO client software is installed on user PCs. Users sign into their PC using a password or other primary credential. A local or network file, database or directory is used to store application login IDs and passwords for each user. This is often referred to as a "password wallet." 2016 Hitachi ID Systems, Inc. All rights reserved. 3

6 When a user launches an application, the E-SSO client software automatically fills in the ID and password fields in the login screen with credentials from the aforementioned "wallet." The password wallet is often encrypted, normally with a key derived from the user s primary password. Where users sign into their PC with a smart card, a private/public key pair is used to encrypt the wallet. Where other types of credentials, such as proximity badges or biometrics, are used to sign into the PC, wallet encryption is necessarily based on a retrievable password and the overall scheme is insecure. E-SSO software acts as a surrogate for the user: storing, retrieving and typing in the user ID and password on behalf of the user. The user continues to have multiple ID/password pairs, but does not have to type them manually and may not know what they are. When applications prompt users to change their passwords, E-SSO systems often choose a new, random password and store that in the password wallet. This results in a situation where users no longer know their own application passwords, so are totally reliant on the E-SSO system to sign into applications Hitachi ID Systems, Inc. All rights reserved. 4

7 3 Strengths and weaknesses Each of the three technologies has its own strengths and weaknesses: Solution Strengths Weaknesses Password synchronization Reduces both password problem frequency and help desk call volume. Easily deployed no client software, limited server-side agents. Compatible with different types of end point devices (Windows PCs, Macs, Android, ios, etc.). Can improve the quality of all passwords. Users still have to sign into each system separately. All passwords are the same a compromise of any one leads to a compromise of all. Some systems may have to be left out of scope, because of limited support for strong passwords or insecure password storage or transmission. Self-service password reset (SSPR) No matter what solution is deployed, users will eventually have login problems. Self-service helps address this. Easily deployed while client software is commonly used, it is not particularly invasive and users can still work without it. Some types of problems, such as when users forget their primary password while off-site, cannot be resolved by the help desk but can be addressed using SSPR. Ensures strong, secure authentication prior to changing passwords. Does not by itself address the frequency of password problems only diverts resolution away from the help desk. Requires user cooperation to be effective Hitachi ID Systems, Inc. All rights reserved. 5

8 Solution Strengths Weaknesses Enterprise single sign-on (E-SSO) Eliminates repetitive sign-ons by users. Typically maintains different passwords on every system. Compromise of one application password does not lead to compromise of another. Does not require deployment of software on target systems. Suitable even when target systems store or transmit passwords insecurely, since this does not compromise the security of other applications. Smart cards are a reasonable alternative for primary PC login, to be used instead of passwords. Costly and risky deployment of quite invasive client software to user PCs. Locks users into their PCs they cannot sign into their applications from a Mac or their smart phone or tablet, as there is usually no equivalent E-SSO software on these clients, able to retrieve and inject application passwords. Single point of failure: if the E-SSO system is down, users can t sign into anything. Compromise of a user s primary PC login password compromises all application passwords. If a user forgets their primary password, then none of their application passwords can be decrypted. This calls for a complex and risky password recovery scheme Hitachi ID Systems, Inc. All rights reserved. 6

9 4 Deployment 4.1 Password synchronization A password management system, such as Hitachi ID Password Manager, requires a profile of login IDs for every user, on every system. This must be constructed at the outset of the deployment project, and maintained over the life of the system. Where login IDs are consistent across systems, constructing and maintaining these profiles is easy. If login IDs belonging to the same user are different on some systems, some work is required, either centrally or by each user, to connect different IDs back to their individual owners. In general, no client software deployment is required. In general, little or no target-system software deployment is required. In general, little or no ongoing system maintenance is required. Password synchronization systems can be quite fast to deploy. For example, Password Manager has been deployed in organizations with as many as 90,000 users, to synchronize passwords over a dozen systems, in just 5 days. Password Manager has been deployed to organizations with as many as 300,000 internal users and as many as 5,000,000 consumer-users. 4.2 Self-service password reset In addition to the login ID profiles described above, a self-service password reset system, such as Hitachi ID Password Manager, also requires secondary credentials for each user. The most common credentials to use when users forgot or locked out their passwords are mobile phone numbers and security questions. The self-service system sends a random PIN to the user s phone, which the user must type, after which the user is asked to answer a series of security questions. In a typical deployment, this method means that enrollment of mobile phone numbers (or personal addresses) and security questions is required, as this data is rarely available prior to deployment. Additionally, most password reset systems include the installation of client software on each PC, to enable users to reset or unlock their primary OS login password, from the PC login screen. For example, on Windows Vista and later, this is an extension to the Credential Provider OS subsystem. Such client software is relatively simple to deploy. Other popular options with password reset systems are to: 1. Integrate the client software with the corporate VPN, so that off-site users who forgot their primary password can resolve their login problem; 2. Integrate with full disk encryption software, so that users can unlock their filesystem in the event that they forgot their pre-boot password; 3. Offer access to self-service using a mobile phone; which requires installing an app on each phone and setting up a proxy server in the cloud or DMZ; 2016 Hitachi ID Systems, Inc. All rights reserved. 7

10 4. Integration with a ticketing system, to track SSPR activity; 5. Integration with , to invite and remind users to enroll. In general, little or no target-system software deployment is required. In general, little or no ongoing system maintenance is required. Simple password reset systems can be rolled out in 1 2 weeks. More complex ones, with many and varied integrations, can take 2 3 months to roll-out. 4.3 Enterprise single sign-on An enterprise single sign-on (E-SSO) system requires not only login ID profiles for each user, but also current passwords for each user, on each application. The enrollment process is consequently more invasive, as users are prompted by the E-SSO software asking whether each password they type should be remembered. E-SSO systems require client software, by definition. This client software can be quite invasive so careful compatibility testing is required with each application and whenever client operating system configuration changes or patches are pushed out. E-SSO systems require a wallet of credentials for each user. This is often done using a directory schema extension, which typically requires extensive change management. As mentioned earlier, if a user forgets their primary password, all their application passwords will be lost. To avoid this, a password recovery system is needed, which adds complexity and security risk to the system. Since E-SSO systems are generally Windows-specific, non-windows users need some way to sign into their applications. E-SSO systems therefore necessitate a way for non-windows users to remote into a Windows desktop, typically on a farm of Citrix or Windows Remote Desktop Services servers. A sufficiently large farm of such servers can be very expensive, both in terms of hardware and software licenses. The consequence of all of the above is that E-SSO systems are often as much as 10x more costly than credential management systems Hitachi ID Systems, Inc. All rights reserved. 8

11 5 Motivation for a combined solution As explained in Section 3 on Page 5, both password reset/synchronization and an enterprise single sign-on systems have their merits. Combining E-SSO with password synchronization and reset can address some of the shortcomings of each approach: Device independence The biggest problem with E-SSO is that users are tied down to their work PC. Increasingly, users need to access their various accounts from other contexts web portals, phones, tablets, their home PC, etc. With traditional E-SSO, this is a problem, because users often don t know their application password. By introducing password synchronization between primary and application passwords, this problem is eliminated users sign in with the same password everywhere. Users who forget their primary E-SSO password Even users who have an E-SSO system sometimes forget their (primary) password. A robust solution to resolve these login problems is still required, and that s self-service password reset. Automated collection of application passwords One of the challenges when deploying E-SSO is the process of collecting application passwords from users. Where application passwords are synchronized with users primary passwords, this problem is eliminated all the passwords are the same Hitachi ID Systems, Inc. All rights reserved. 9

12 6 Interoperability challenges and integration approaches When both a password management system and an E-SSO system are deployed, the following integrations are mandatory. Failure to integrate the two will invalidate the contents of password wallets whenever users change their known or reset their forgotten passwords. 6.1 Password reset and E-SSO If a user forgets their primary E-SSO password, their application passwords cannot be decrypted from the password wallet. When a password reset process is used to reset the user s primary password, since the old primary password is not involved in the process, there is no way to decrypt the wallet using the old password before re-encrypting it with the new password. This means that another copy of the password wallet is required, keyed to something other than the user s primary password. The password reset system needs to integrate with this backup wallet, to retrieve application passwords and re-encrypt them at the end of each password reset process. 6.2 Password synchronization and E-SSO A synchronized password change will typically modify both the user s primary password and application passwords. Every password change needs to integrate with the E-SSO password wallet, to replace old application passwords, encrypted using the old primary password, with new application passwords, encrypted with the new primary password. Additionally, as mentioned above, E-SSO systems require a backup password wallet, encrypted using a different (likely static) key. Password changes mediated by a password synchronization process have to integrate with this backup password wallet as well, to inject the new primary password and new application passwords Hitachi ID Systems, Inc. All rights reserved. 10

13 7 Summary Password synchronization and single sign-on address the same business problem: password complexity leading to cost, productivity and security issues. Both approaches to this problem have their strengths and weaknesses: Password synchronization is relatively easy to deploy, because it is architecturally unintrusive, and does not need access to user password values. With password synchronization, users must still sign into each application separately. Enterprise single sign-on requires more intrusive software and more sensitive data and is consequently more expensive to deploy. Its main technical drawback is that it makes access to applications from non traditional devices (i.e., other than each user s work PC) more difficult. When both types of solutions are deployed into the same organization, they must be integrated, because the operation of one interferes with the operation of the other. Integration means that password changes and password resets must inject new credentials into each user s password wallet. 500, Street SE, Calgary AB Canada T2G 2J3 Tel: Fax: sales@hitachi-id.com Date: File: / pub/ wp/ documents/ i-sso/ i-sso-4.tex