Tuesday, July 10, 2007

Single Sign On - Reduced Sign On


SSO gives the user flexibility: they don't have to enter their credentials again and again to access different applications. Every one of us is happy about it, but there is a side effect to this solution. For example, suppose you are logged into a system which works on SSO and does SSO to the payroll site. What happens if you sign into this portal, go for a cup of coffee with your friend and forget to lock the system? Your neighbour, who is always interested to know how much you are earning, gets a chance to move his chair to your desk and get that information quickly.



This was just an example; there could be multiple secure applications which reside in the enterprise portal and are critical for you. That's the reason organizations are adopting the concept of Reduced Sign On.



Reduced Sign On: This concept handles the above scenario by prompting for another verification when you try to access critical applications. This extra layer of authentication could be any one of the list below:

1) Challenge Question

2) Digital Certificate

3) Hardware Token number

4) Smart Card

5) Biometrics



Reducing users' sign-on complexity problems requires a balance between user satisfaction and security. If the scale swings too far toward security when trying to prevent a breach, user satisfaction decreases. Similarly, if the scale swings toward user satisfaction, you can compromise IT security.
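As an added example (not code from the original post), here is a minimal step-up check that implements the Reduced Sign On idea above: ordinary applications are reached through the SSO session alone, while critical applications require a recent second-factor verification. The application names, the accepted factors per application and the freshness windows are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Factor(Enum):
    CHALLENGE_QUESTION = "challenge_question"
    CERTIFICATE = "certificate"
    HARDWARE_TOKEN = "hardware_token"
    SMART_CARD = "smart_card"
    BIOMETRIC = "biometric"


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP_REQUIRED = "step_up_required"


# Constructed policy (assumption): critical apps, the factors they accept and how
# long a step-up verification stays valid, in seconds. Apps not listed are
# ordinary SSO apps. A short window limits what an unattended session exposes.
STEP_UP_POLICY = {
    "payroll": {"factors": {Factor.HARDWARE_TOKEN, Factor.SMART_CARD}, "max_age": 300},
    "hr": {"factors": {Factor.CHALLENGE_QUESTION, Factor.BIOMETRIC}, "max_age": 600},
}


@dataclass
class Session:
    user: str
    sso_login_at: float
    # Factor -> timestamp (seconds) of the most recent successful step-up
    step_ups: dict = field(default_factory=dict)


def record_step_up(session: Session, factor: Factor, now: float) -> None:
    """Called after the user passes the extra verification."""
    session.step_ups[factor] = now


def authorize(session: Session, app: str, now: float):
    """Return (decision, accepted factor names) for a request to `app`."""
    policy = STEP_UP_POLICY.get(app)
    if policy is None:
        return Decision.ALLOW, None  # plain SSO is enough
    for factor, verified_at in session.step_ups.items():
        if factor in policy["factors"] and now - verified_at <= policy["max_age"]:
            return Decision.ALLOW, None  # fresh enough step-up on record
    return Decision.STEP_UP_REQUIRED, sorted(f.value for f in policy["factors"])
```

In the coffee-break scenario, the step-up recorded before the break has expired by the time someone else sits down, so the payroll request is answered with a fresh challenge rather than the data.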






2 comments:

Anonymous said...

We can even expand from Reduced Sign-On to Enterprise Single Sign-On with advanced management capabilities such as:

- Application access control based on the PC (or workstation) location. For instance R&D applications can be reached only from an R&D PC or an accounting application can be reached only from the PC of the current user.

- Specific authentication policy for extranet access. For instance the identifier and the password can be obtained via a "virtual keyboard" when a user connects to enterprise web applications via a web gateway from a cybercafé.

- Specific access policy for extranet access. For instance, target URL can be used to control access to resources.

- Delegation authorized or not. When you go for training, you can delegate your application access to a colleague who will be able to use your identifier and password without knowing it. This possibility can be authorized or not, depending on the target application.

- You can use E-SSO log to create SarBox reports. With E-SSO access log, you can demonstrate that your access policy is effectively implemented. One exception, you cannot demonstrate that “segregation of duties” is implemented in the target applications themselves.

Ultimately, you can use the E-SSO access log to create your Access Policy to feed your central Policy Manager.

In fact, SSO is just a feature whereas Enterprise SSO is a full solution for complex organizations.

William Davis said...

Good informative blog on single sign on solutions. Thanks for sharing this blog with us. Keep Blogging!!