Real-life examples
Robert Adam, Marketing
Robert has four children, dozens of relatives, a hundred or more friends, and 15 passwords to remember.
Sarah Smith, Finance
Sarah is the only person with authorized access to the decision support system. When she is away on training, nobody else can use it.
Brian Duval, Administration and support
Brian's team spends 30% of its time resetting passwords. The team could be much more productive.
Helen Brown, IS Security Manager
Regulatory compliance requires a robust password policy. But when you have over 1,000 applications to run
Eric Martin, CIO
Eric spends millions of euros each year trying to make information systems secure. Yet his IS Security Manager and the users are both still complaining.
Today, more and more businesses are committing to implementing SSO. But they are often faced with the choice of several alternative solutions. With so many different architectures, disparate functionality and benefits to choose from, how do you decide which is best? What are the alternatives? What are the pitfalls to avoid? What are the best practices? This white paper sets out to answer these questions, among others.
[Figure (source: Forrester): SSO market map. User populations: non-administrated users, administered partners and users, administered users. Network scope: LAN, extranet, internet. Application types: client-server, Web, Web services. Labelled region: Enterprise SSO.]
extended to meet new federated identity standards (such as Liberty Alliance and Microsoft Infocard, which are highly user-oriented, or WS-Federation, which extends to the security of 'Web services'), these so-called 'federated' SSO technologies offer a very promising extension to Web SSO. While steadily growing in sectors such as telecoms, finance, health or industry, this type of solution is nevertheless still emerging. It currently involves more pilot projects than large-scale deployments.
This is achieved using highly sophisticated systems administration tools and a totally flexible architecture that enables the SSO tool to be adapted to mirror the realities of business processes extremely closely.
Based on a Role-Based Management (RBM) model, the latest generation of tools fully takes account of actual business processes (delegation between users, multiple accounts for one user, different means of authentication depending on the sensitivity of each application in terms of security or on the user's access point, etc.) and administration requirements (from the most delegated to the most centralized management approaches). It also offers auditors powerful reporting and audit tools, which are themselves essential for guaranteeing and proving regulatory compliance.
Advantages of third-generation SSO solutions:
- Productive and satisfied users.
- Support staff and systems administrators who can finally focus more on the value-added aspects of their role.
- Happier IT Security Managers.
- Business managers reassured about secu-
                First generation             Second generation      Third generation
Architecture    Centralized                  Distributed            Flexible
Security        Strong                       Medium                 Strong
Cost            High                         Low                    Low
Focus           Centered on authentication   Centered around users  Centered on business
                server                                              processes
2 - SSO reduces security levels, because "primary password theft would deliver up the keys to an entire kingdom", in other words, access to all applications. But this is a case of tunnel vision. With only one password to memorize, the user can choose an extremely complex, and therefore very safe, identifier; with no need
3 - Offer auditing and reporting tools to demonstrate regulatory compliance. Today's major financial and business regulatory frameworks (such as Sarbanes-Oxley, HIPAA and others) require organizations to guarantee a certain level of security when it comes to their information systems. To meet these requirements, powerful tools for generating reports (indicating which accounts belong to each application, and who has access to what, etc.) and audits (who is connected to which application, at which point in time, etc.) are essential.
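To make the reporting and audit requirements above concrete, here is an added Python example (not Evidian's code and not from the white paper) that produces the two report types from a constructed E-SSO policy and a constructed audit log, and additionally flags logins made through an account the policy does not grant to that user. The policy format, log format and function names are assumptions.

```python
from collections import defaultdict
from datetime import datetime
# Constructed E-SSO policy (not real data): primary user -> list of
# (application, secondary account). A user may hold several accounts
# for one application, the "multiple accounts for one user" case.
POLICY = {
    "sarah.smith": [("DecisionSupport", "ssmith"), ("ERP", "finance01")],
    "robert.adam": [("CRM", "radam"), ("CRM", "crm_admin"), ("ERP", "marketing02")],
}

# Constructed SSO audit log: timestamp|user|application|account|event
AUDIT_LOG = """\
2007-03-12T08:02:11|sarah.smith|DecisionSupport|ssmith|login
2007-03-12T08:15:43|robert.adam|CRM|crm_admin|login
2007-03-12T09:01:05|robert.adam|ERP|finance01|login
2007-03-12T17:30:00|sarah.smith|DecisionSupport|ssmith|logout
"""

def accounts_by_application(policy):
    """Report: which accounts belong to each application, and which user owns each."""
    report = defaultdict(list)
    for user, grants in policy.items():
        for app, account in grants:
            report[app].append((account, user))
    return {app: sorted(accounts) for app, accounts in report.items()}

def access_matrix(policy):
    """Report: who has access to what (user -> set of applications)."""
    return {user: {app for app, _ in grants} for user, grants in policy.items()}

def parse_log(log_text):
    """Parse audit events; malformed lines are skipped rather than guessed at."""
    events = []
    for line in log_text.splitlines():
        parts = line.split("|")
        if len(parts) != 5:
            continue
        ts, user, app, account, event = parts
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "app": app, "account": account, "event": event})
    return events

def connections(events):
    """Audit: who connected to which application, at which point in time."""
    return [(e["time"].isoformat(), e["user"], e["app"])
            for e in events if e["event"] == "login"]

def policy_violations(events, policy):
    """Audit check: logins through an account the policy does not grant to that user."""
    return [e for e in events if e["event"] == "login"
            and (e["app"], e["account"]) not in policy.get(e["user"], [])]
```

In the constructed log, robert.adam's ERP login through finance01 (an account granted only to sarah.smith) is the kind of event the audit check surfaces.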
As an IT Manager at Manpower, a world leader in the employment services industry, recalls: "Our first objective was to implement SSO to reduce costs. But it has had additional benefits, helping us meet other major objectives, such as compliance with Sarbanes-Oxley legislation."
5 - Use SSO as an entry point or a way of facilitating identity and access management (IAM) projects. Choosing to start with an SSO project enables the organization to respond rapidly, and relatively cheaply, to an immediate problem relating to security, flexibility, and regulatory com-
6 - Make sure users are actively involved in the project. The first sponsor of SSO is, above all, the user. Involving users early on in the project and taking into account the real business processes are essential to success.
7 - Use SSO as an entry point for identity and access management projects. Choosing an evolutionary approach, and one that is capable of integrating with IAM solutions, is important to ensure that any investment in SSO now can deliver even more value in the future.
We hope that this white paper will make a useful contribution to businesses' deliberations about the prospects for implementing E-SSO.
* For security reasons, and because of the sensitive nature of their information systems, these customers wish to remain anonymous.
The first of the third-generation E-SSO solutions, WiseGuard capitalizes on the entire expertise of Evidian with regard to first and second-generation E-SSO. Perfectly integrated with directories, applications and strong identification resources, as well as with business processes, WiseGuard offers three distinct advantages:
- A complete and open E-SSO solution. WiseGuard combines several modules to offer a complete E-SSO solution. The core component, SSOWatch, provides a simple and secure SSO module. To further enhance security, WiseGuard also supports the whole spectrum of strong authentication solutions, from certificates to biometrics, with its Advanced Login facility, and can manage the lifecycle of smartcards or USB keys with Token Manager. Finally, its Extended Manager console reinforces access administration, and facilitates administration and audit operations. The key advantage is totally secure SSO that further strengthens regulatory compliance.
- A solution focused on the organization's security policy. Bridging the gap between traditional E-SSO tools and the actual management policies adopted by enterprises, WiseGuard enables E-SSO management centered on actual business and security policies. The Extended Manager component, the most sophisticated and highly developed console of any solution on the market, enables easy management of system administration, delegation and audit. The advantages? Better management performance, focused on business needs and user privileges, and fully aligned with the organization. Security, regulatory compliance and user productivity are all reinforced.
- A totally flexible and distributed solution. WiseGuard can be totally integrated with the organization's directories, whether these are Microsoft Active Directory or ADAM, Sun Java System Directory Server, Novell eDirectory, IBM Directory or any other LDAP directory, and is based on their existing organizational structures. It is not necessary to duplicate the infrastructure with additional authentication or management servers, nor with appliances that are complex to implement and synchronize.
WiseGuard's non-intrusive architecture and its capacity to be implemented in a distributed LDAP environment enable rapid deployment of E-SSO for many hundreds of thousands of users.
An open solution, WiseGuard integrates with most industry-standard identity management solutions, including those from Oracle, Novell, IBM Tivoli, Sun, CA and others.
WiseGuard is, of course, also integrated with the Evidian global identity and access management suite, which provides numerous complementary functions including Web/J2EE access control, identity management and provisioning.
SSOWatch
SSOWatch provides the core SSO functions, and adapts to each application using 'drag-and-drop' type configuration. No modifications to applications are needed for them to work with WiseGuard. SSOWatch is based on distributed LDAP architectures for storing the authentication policies and re-uses the identities described in existing LDAP databases. It can be installed on a workstation, a Citrix MetaFrame server or a Microsoft Windows Terminal Server.
Extended Manager
Extended Manager provides an intuitive graphical interface that enables the management of advanced SSO policies such as:
Advanced Login
Advanced Login complements SSOWatch by providing a vast choice of strong authentication methods: smart cards, USB keys, or biometric authentication.
Token Manager
Designed for organizations that want to protect selected access points using smart cards or USB keys, Token
[Figure: WiseGuard product stack. Entry-level solution: SSOWatch (start with a simple SSO solution). Advanced Login and Token Manager (implement an integrated strong authentication and card management solution). Extended Manager (put in place an advanced tool for security policy administration).]
ABOUT EVIDIAN
Evidian, a subsidiary of the Bull Group, is the European number one in SSO and identity and access management (IAM), and among the world leaders in this area.
From E-SSO and access control to identity management and provisioning, Evidian offers a wide range of IAM software, designed to secure the extended enterprise.
WiseGuard, Evidian's E-SSO solution, is the first true third-generation offering fully geared to support actual business processes.
Evidian's highly scalable and flexible range of solutions enables organizations to be more responsive and productive, while reducing their costs, successfully implementing their security policies and improving their regulatory compliance (Sarbanes-Oxley, Basel II, HIPAA, etc.), in line with their business priorities and strategies.
Evidian's software range is used in many of the biggest organizations in Europe, Asia and the USA, in industries including telecoms (Deutsche Telekom, Telecom Italia, Neuf-Cegetel, Telenor, etc.), the public sector (Interpol, ACOSS, etc.), manufacturing (Nissan, Total, etc.), services (Deutsche Post, Manpower, etc.), finance (Dexia, CDC, etc.) and the health sector (CNAM, etc.).
Evidian's technology has been awarded numerous prizes and trophies, with several awards from SC Magazine, the number one global publication dedicated to IT security.
For more information, please visit: www.evidian.com
version 1.1