AuthenticationWorld.com

The business of authentication

SSO Strategy and Policies

Before beginning implementation of an enterprise single sign on project, a great deal of thinking and planning must take place. This requires a cohesive SSO strategy and a set of governing SSO policies. Many projects skip this step and drift into unexpected security holes, SSO system and enterprise failures, and budget overruns. A good SSO consultant can help you avoid this.

Here are the areas a single sign on strategy must address:

Identity management

  • Which systems are authoritative for each identity type, e.g. employees, contractors, consultants, temps, customers, business partners, research partners, vendors and others?
  • Identity data quality for each identity type - how good or bad is the data quality? Bad data means the SSO system will allow users to access applications and/or resources when they shouldn't.
  • Enterprise global id for each identity type - is there a unique enterprise-wide identifier in place for every user? The SSO system requires this.
  • Identity data update - how long does it take for a change to user data to make its way to the enterprise LDAP directory or directories? Does that delay put SSO decisions at risk?
  • Authoritative source synchronization with enterprise LDAP directories - how frequently do changes occur, and is the synchronization interval acceptable to enterprise SSO security?
  • User provisioning processes - what are the costs, time and security implications of creating users, modifying their roles and terminating them? Do the existing processes put the single sign on system at risk?
  • Regulatory compliance - which laws and regulatory reports apply to the enterprise's users, e.g. Sarbanes-Oxley, HIPAA, European Safe Harbor, etc.?
  • How are regulatory identity reports generated and what is the expense?

Authentication schemes

  • Has an enterprise risk assessment been done?
  • Does the enterprise have a set of authentication strength policies in place?
  • What is the security rating for each type of authentication?
  • Has an enterprise risk analysis been done for each application and resource used by users?
  • Is each application's risk then mapped to the authentication strength required of the user?
  • How is the authentication strength linked to the single sign on system?

Post Authentication Actions

  • What action is required after a successful authentication?
  • Is the SSO system required to supply different identity attributes from the enterprise LDAP directory to the application, portal or resource?
  • What are the SSO actions for an unsuccessful authentication?

Authorization

What are the authorization actions, if any, required by the enterprise SSO system after a successful authentication?

If you are contemplating role based access control then:

  • How many roles does the enterprise have?
  • What is the frequency of change to user roles?
  • What are the human resources business processes for picking up role changes and populating them into the HRMS and then the enterprise LDAP directory?
  • What is the time lag between a role change and the update into the enterprise LDAP?
  • What are the privileges assigned to the roles?
  • What is the management system that maps the privileges to the roles?
  • How frequently do privileges change for a given role?
  • How quickly do role privilege changes make their way into the role based management system?
  • How is all of this going to be mapped into the single sign on system?

Post Authorization Actions

What actions do you want the single sign on system to take after a successful authorization?

  • Is there any enterprise LDAP directory user data that needs to be sent to the application, portal or resource by the SSO system?
  • What does the SSO system do with an unsuccessful authorization?
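The questions under Authentication schemes, Post Authentication Actions, Authorization and Post Authorization Actions all come together in a single access decision at the SSO security server. The following is an added example, not code from the original page or from any SSO product. It assumes a numeric strength rating per authentication method, a risk tier per application mapped to a minimum required strength, a role-to-privilege table as exported by a role management system, and a directory record that carries the time it was last synchronized from the authoritative source. The ratings, names, users, applications and the four-hour synchronization tolerance are all assumptions for illustration.

```python
# Added example, not from the original page: one SSO access decision that
# combines authentication strength, role-based authorization, directory
# freshness and attribute release.  All ratings, names and limits are assumed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed authentication strength ratings: higher is stronger.
AUTH_STRENGTH = {"password": 1, "otp": 2, "smartcard": 3}

# Assumed mapping from application risk tier to the minimum strength required.
REQUIRED_STRENGTH = {"low": 1, "medium": 2, "high": 3}

# Assumed role -> privilege table as exported by the role management system.
ROLE_PRIVILEGES = {
    "employee": {"portal:read"},
    "payroll_clerk": {"portal:read", "payroll:read", "payroll:write"},
}

# Assumed tolerance for lag between the authoritative source and the directory.
MAX_DIRECTORY_AGE = timedelta(hours=4)


@dataclass
class DirectoryUser:
    global_id: str          # the unique enterprise-wide identifier
    roles: set
    email: str
    department: str
    last_synced: datetime   # when this record was last refreshed from HR


@dataclass
class Application:
    name: str
    risk_tier: str
    required_privilege: str
    attributes_released: tuple   # directory attributes the application receives


@dataclass
class Decision:
    action: str             # "allow", "step-up" or "deny"
    reason: str
    attributes: dict = field(default_factory=dict)


def decide(user, app, auth_method, now):
    """Evaluate one access request.  Checks run in order of trust: a stale
    directory record is refused before any authorization is derived from it,
    and authentication strength is checked before privileges are consulted."""
    if now - user.last_synced > MAX_DIRECTORY_AGE:
        return Decision("deny", "directory record is older than the sync tolerance")
    have = AUTH_STRENGTH.get(auth_method, 0)
    need = REQUIRED_STRENGTH[app.risk_tier]
    if have < need:
        # Authenticated, but not strongly enough for this application.
        return Decision("step-up", f"{app.name} needs strength {need}, session has {have}")
    privileges = set().union(*(ROLE_PRIVILEGES.get(r, set()) for r in user.roles))
    if app.required_privilege not in privileges:
        return Decision("deny", f"no role grants {app.required_privilege}")
    # Post-authorization action: release only the attributes this app is entitled to.
    released = {a: getattr(user, a) for a in app.attributes_released}
    return Decision("allow", "authenticated and authorized", released)


NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)   # fixed clock for the sample


def sample_scenarios():
    """Constructed users and applications exercising each branch of decide()."""
    alice = DirectoryUser("E1001", {"employee", "payroll_clerk"},
                          "alice@example.com", "Finance", NOW - timedelta(minutes=30))
    bob = DirectoryUser("E1002", {"employee"},
                        "bob@example.com", "Sales", NOW - timedelta(minutes=30))
    carol = DirectoryUser("E1003", {"employee", "payroll_clerk"},
                          "carol@example.com", "Finance", NOW - timedelta(days=2))
    portal = Application("intranet", "low", "portal:read", ("global_id", "email"))
    payroll = Application("payroll", "high", "payroll:write",
                          ("global_id", "email", "department"))
    return [
        decide(alice, portal, "password", NOW),    # allow
        decide(alice, payroll, "password", NOW),   # step-up: password too weak
        decide(alice, payroll, "smartcard", NOW),  # allow, department released
        decide(bob, payroll, "smartcard", NOW),    # deny: no role grants payroll:write
        decide(carol, payroll, "smartcard", NOW),  # deny: directory record stale
    ]


if __name__ == "__main__":
    for d in sample_scenarios():
        print(d.action, "-", d.reason, d.attributes or "")
```

The order of the checks is the point: a directory record that has fallen behind the authoritative source is refused outright rather than used as the basis for a role decision, a weak session is sent for step-up rather than denied so the user keeps their sign-on, and the application only ever receives the attributes it was registered for, which is the place to enforce the data-minimisation questions under Post Authorization Actions.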


System Integration

  • Do you have in place a factory model for rapidly integrating applications to your SSO system?
  • Are there any policies in place for exception management for applications?
  • Are there environment policies set up for each environment such that the application owner understands what is acceptable and what isn't?

LDAP Directory Strategies

  • Is there one enterprise LDAP directory for the SSO or are there multiple authoritative sources?
  • What is the synchronization strategy between the directory (directories) and the authoritative source?
  • What is the time lag between a change in an authoritative source and its arrival in the enterprise directory feeding the SSO system?
  • Are virtual directories required?

Auditing

  • What are the enterprise audit requirements for the single sign on system?
  • What retention of audit data is required?
  • How is the auditing system connected to the monitoring system to report real time incidents of a security or reporting concern?
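Connecting the audit system to the monitoring system only works if the SSO server's audit records are structured enough to run rules over. The following is an added example, not part of the original page or of any SSO product: it parses constructed JSON-lines audit records (the field names, the three-failure threshold, the five-minute window and the high-risk application list are all assumptions) and raises real-time alerts for repeated authentication failures by one user, a success immediately following repeated failures, and an authorization denial on a high-risk application.

```python
# Added example, not from the original page: running monitoring rules over
# SSO audit records.  The records below are constructed for the example and
# the field names, thresholds and the high-risk application list are assumed.
import json
from collections import defaultdict, deque

FAILURE_THRESHOLD = 3         # failed authentications per user ...
WINDOW_SECONDS = 300          # ... within this many seconds raise an alert
HIGH_RISK_APPS = {"payroll"}  # authorization denials here are alerted at once

# Constructed JSON-lines audit output as an SSO security server might emit it.
SAMPLE_AUDIT = """\
{"ts": 1700000000, "event": "authn", "user": "E1001", "app": "intranet", "method": "password", "outcome": "fail", "src": "10.1.2.3"}
{"ts": 1700000030, "event": "authn", "user": "E1001", "app": "intranet", "method": "password", "outcome": "fail", "src": "10.1.2.3"}
{"ts": 1700000045, "event": "authn", "user": "E1002", "app": "payroll", "method": "smartcard", "outcome": "success", "src": "10.1.2.9"}
{"ts": 1700000060, "event": "authn", "user": "E1001", "app": "intranet", "method": "password", "outcome": "fail", "src": "10.1.2.3"}
{"ts": 1700000090, "event": "authn", "user": "E1001", "app": "intranet", "method": "password", "outcome": "success", "src": "10.1.2.3"}
{"ts": 1700000400, "event": "authz", "user": "E1002", "app": "payroll", "outcome": "deny", "reason": "no role grants payroll:write", "src": "10.1.2.9"}
{"ts": 1700000800, "event": "authn", "user": "E1003", "app": "intranet", "method": "password", "outcome": "fail", "src": "10.1.2.7"}
{"ts": 1700000810, "event": "authn", "user": "E1003", "app": "intranet", "method": "password", "outcome": "fail", "src": "10.1.2.7"}
"""


class SsoMonitor:
    """Stateful rule evaluation over a stream of audit records."""

    def __init__(self, threshold=FAILURE_THRESHOLD, window=WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(deque)   # user -> timestamps of recent failures
        self.alerts = []                     # (rule, user, ts, detail)

    def _prune(self, user, ts):
        """Drop failure timestamps that have fallen outside the sliding window."""
        q = self.failures[user]
        while q and ts - q[0] > self.window:
            q.popleft()

    def observe(self, rec):
        user, ts = rec["user"], rec["ts"]
        if rec["event"] == "authz":
            # An authorization denial on a high-risk application is reported immediately.
            if rec["outcome"] == "deny" and rec["app"] in HIGH_RISK_APPS:
                self.alerts.append(("denied_high_risk_access", user, ts, rec.get("reason", "")))
            return
        if rec["event"] != "authn":
            return
        self._prune(user, ts)
        q = self.failures[user]
        if rec["outcome"] == "fail":
            q.append(ts)
            if len(q) == self.threshold:     # fire once, when the threshold is crossed
                self.alerts.append(("repeated_failures", user, ts, rec["src"]))
        elif rec["outcome"] == "success":
            if len(q) >= self.threshold:     # a guess that eventually worked
                self.alerts.append(("success_after_failures", user, ts, rec["src"]))
            q.clear()


def run_rules(audit_text):
    """Parse JSON-lines audit text and return the alerts raised, in order."""
    monitor = SsoMonitor()
    for line in audit_text.splitlines():
        if line.strip():
            monitor.observe(json.loads(line))
    return monitor.alerts


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_AUDIT):
        print(*alert)
```

On the sample input the two failures from E1003 stay below the threshold and raise nothing, while E1001's third failure and the success that follows it produce two alerts that the help desk would want to see together: the second one is the case that matters, because the account is now in use. Retention of the raw records is a separate question from alerting; the rules here only need the last few minutes per user, but the audit trail itself must be kept for as long as the enterprise's retention requirement says.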

Operational Risk

  • What is the SSO failover strategy for the security servers?
  • What is the SSO failover strategy for the directory servers?
  • What are the monitoring systems in place at web servers, application servers, security servers and directory servers?
  • How quickly can you see a performance problem developing and react before the SSO system goes down?
  • How are you going to do operational maintenance on a SSO server?
  • Will the SSO maintenance affect enterprise availability?
  • Is the availability acceptable to the enterprise?
  • Are the support staff for web servers, application servers, load balancers, security servers, directory servers, network performance and the help desk cross-trained to keep the SSO system from going down?
  • What is the existing SSO disaster recovery plan?
  • Is the SSO disaster recovery plan acceptable to the enterprise?