Not Your Father's SSO

By Allen Bernard


For years enterprise single sign-on (eSSO) solutions were bulky, hard-to-use and administratively heavy applications that failed as often as not to simplify users' lives and secure the corporate network.

Today, however, a new crop of vendors has hit the scene with updated versions of eSSO solutions that actually work. A poster child for such solutions is the U.S. Postal Service's (USPS) installation of Passlogix's v-GO SSO, which it finished rolling out in October of this year.

With 7,000 applications and 165,000 employees accessing 157,000 PCs in 20,000 facilities around the country, USPS was experiencing a major helpdesk headache and spending millions every year on password resets. Since implementing v-GO, this is no longer a problem, Bob Otto, USPS's CTO, said in a case study.

"Passlogix delivered on its promise to help solve the USPS' most critical end-user problem -- forgotten passwords," said Otto. "The ability to leverage our current infrastructure and deploy v-GO SSO without modifying applications or completing any integration was especially important to us."

Older eSSO solutions required a great deal of scripting and writing of custom APIs to change the sign-on interface of every application the eSSO touched. Today's vendors use a mixture of client-side tools that capture login scripts and server-based authentication services to eliminate this custom coding, said Phil Schacter, vice president and service director for the Burton Group.

"Heavyweight, complex stuff tends not to work when you try to roll it out in larger enterprises," he said. "It's problematic, it's hard to administer and, overall, it wasn't worth anything."

In the case of Passlogix, users simply authenticate to v-GO and v-GO fills in administrator-generated passwords (usually far more complex than anything anyone could remember) every time the user opens an application. In this way, the user need only remember one password and v-GO, like other solutions, does the rest.

"You are making all the other passwords pretty much impossible to get and impossible to break [even] if you get the password file ... because you can just make them really difficult (to crack)," said Forrester Analyst Jonathan Penn. "This is something that we've been really trying to educate people, our clients on, for over a year now -- that they need to take a new look at this."

For companies looking to move to two-factor authentication, new eSSO solutions make this objective far easier to achieve, said Penn, since you only have to authenticate to one application, the eSSO solution, versus porting all your existing apps to accept a token or smartcard.

While more secure than a desk covered in password-inscribed Post-It notes, there is still a risk with eSSO schemes in that a hacker need only secure one current user name and password to get into the network, said Gartner's John Enck, vice president of Research, Information Security.

But, countered Penn, unless the hacker has access to a network-connected machine, this is no more an issue than current password security problems. And, once a hack is detected, system administrators simply need to delete one password in the eSSO system and the rest of the applications remain secure.
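The credential-vault model described above (one master password unlocks administrator-generated application passwords the user never sees, and disabling that one entry cuts off every downstream application) can be illustrated with a small, self-contained vault. This is an added example, not Passlogix's or any vendor's code: the class and function names are invented for illustration, the per-application passwords are 32-character random strings, the vault key is derived from the master password with PBKDF2, and the sealing construction is a toy HMAC-SHA256 keystream plus HMAC tag chosen only to keep the example within the standard library (a real product would use a vetted authenticated cipher such as AES-GCM).

```python
import hashlib
import hmac
import secrets
import string

# Constructed toy vault. Names (CredentialVault, seal, open_sealed, ...) are
# illustrative and not taken from any product.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_app_password(length=32):
    """Administrator-style password: random, long, and never typed by a human."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def derive_vault_key(master_password, salt, iterations=200_000):
    """One memorable master password -> 64 bytes: 32 for encryption, 32 for MAC."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=64)


def _keystream(key, nonce, length):
    # Toy counter-mode keystream from HMAC-SHA256; stands in for a real cipher.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC one vault record under the derived vault key."""
    enc_key, mac_key = key[:32], key[32:]
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key, blob):
    """Verify the tag before decrypting; a wrong key or tampered record fails closed."""
    enc_key, mac_key = key[:32], key[32:]
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("vault record tampered with or wrong master key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class CredentialVault:
    """Per-user store of application credentials, unlocked by one master password."""

    def __init__(self):
        self.salt = secrets.token_bytes(16)
        self.records = {}          # application name -> sealed "user\0password"
        self.verifier = None       # lets unlock() reject a wrong master password
        self.revoked = False       # the single switch an administrator flips

    def enroll(self, master_password):
        key = derive_vault_key(master_password, self.salt)
        self.verifier = hmac.new(key[32:], b"vault-verifier", hashlib.sha256).digest()
        return key

    def unlock(self, master_password):
        if self.revoked or self.verifier is None:
            raise PermissionError("account disabled by administrator")
        key = derive_vault_key(master_password, self.salt)
        check = hmac.new(key[32:], b"vault-verifier", hashlib.sha256).digest()
        if not hmac.compare_digest(check, self.verifier):
            raise PermissionError("wrong master password")
        return key

    def provision(self, key, app, username):
        """Generate and store a strong application password the user never learns."""
        password = generate_app_password()
        self.records[app] = seal(key, f"{username}\0{password}".encode())
        return password

    def fill_login(self, key, app):
        """What the agent types into the application's login form on the user's behalf."""
        user, password = open_sealed(key, self.records[app]).decode().split("\0", 1)
        return user, password

    def revoke(self):
        """Disable the one master credential; every application record becomes unreachable."""
        self.revoked = True
        self.verifier = None


def unlock_succeeds(vault, master_password):
    """Helper for callers that want a yes/no rather than an exception."""
    try:
        vault.unlock(master_password)
        return True
    except PermissionError:
        return False
```

Usage: call `enroll` once, `provision` an entry per application, and have the login agent call `fill_login` on each application launch; on a suspected compromise `revoke` removes the single point of access without touching the application passwords themselves. Note that the application passwords stay unreachable only while the agent is the sole place they are decrypted, which is why the records are never stored or logged in the clear.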

Modern eSSO solutions also simplify adding and removing employees from the network, a major security issue at many large corporations and a chore most IT departments struggle to keep up with.

Still, while Enck agrees solutions have come a long way from the early attempts at eSSO, he is not 100% convinced the eSSO nut has been cracked. His advice is cautionary. Enterprise IT environments are very complex with multiple competing protocols and platforms that do not lend themselves to easy integration at any level, he said.

"I may be looking at this a little broader than just SSO," he said. "I tend to look at the systematic problem. It's not just 'Is the technology pretty cool and effective today?' Yeah, I'll agree with that. But that doesn't necessarily mean it addresses the full deployment issue in terms of getting the technology rolled out there; especially in these large, global deployments."

Enck does concede, however, that in less complex IT environs, say companies with fewer than 5,000 employees, solutions like those offered by Imprivata, Protocom, Passlogix, Novell and others do a very good job.