Scale out your identity management
BigDataMatters is focused on the issues faced when processing and managing large amounts of data. In light of this, it would be a crime not to blog about the security of this data. Over the next few weeks, I will write a series of posts focused on identity management in the enterprise. Before you read any more, how is your identity secured?
Does your working day start with logging into your workstation? Then your email with another user ID and password, and then another application, another... Isn't there a better way? Yes, single sign-on (SSO). So why are some enterprises still using a single-account-per-service model?
The main reason is simplicity and a lack of forward thinking. If a new service is to be introduced quickly, it is easier to implement it out of the box using this model. The downsides are 1) users suffer from password overload and end up scrawling access details on bits of paper for all to see, and 2) administrators don't have a single point of management and end up creating custom scripts to manage user access for each service. A strength of this model is that each service works independently, and if one goes down, the others remain operational. However, if you have this kind of security model then you shouldn't say it loudly. I suggest you ask your IT "why?".
The first step to SSO can be made using a centralized account model - you access company services using a single account. In small enterprises it is the recommended model as it is simple to set up and the centralization of accounts streamlines administration. But, with this simplicity comes a catch - a single point of security failure. If the authorization system fails or is compromised, no user can access their services. Work comes to a grinding halt! Fault tolerance and high security are a must in such systems. Such architectures can be easily created using LDAP, Kerberos or Active Directory.
Greater SSO functionality is provided by a decentralized account model - not only can you access services in your own enterprise using a single account, but also those in other enterprises. This allows doctors who often work in multiple hospitals to simply, securely and rapidly access patient information. The underlying concept of this model is a trust relationship. Much like the passport system - one country issues it and all others trust it.
Implementing a decentralized account model is non-trivial and requires careful planning. Existing services need to be incrementally integrated to allow glitches to be fixed without bringing down your existing identity access management. This architecture can be achieved using technologies such as Oracle Identity Management, OpenSSO, Shibboleth, ADFS or Kerberos.
I have provided a quick overview of how to implement SSO, but is it more secure? The simple answer is yes. You only authenticate once, using either your password, certificate, smartcard or even biometric methods (voice recognition, iris recognition etc.). After authentication, you get a token which you use to access other services. For security, this token is usually time limited, meaning that you can only use services for a period of time before authenticating again. It is the most secure system, because the services you access never see your password: only you and the authorization server know it.
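The following is an added example, not code from the original post, that models the token flow described above together with the trust relationship from the decentralized account model: the authorization server (identity provider) is the only party that checks passwords, it mints a time-limited token bound to one service, and each service verifies tokens only from issuers it has a trust relationship with (the passport analogy). The design assumptions are mine: tokens are authenticated with an HMAC under a key shared between the issuer and the service (Kerberos-style per-service keys rather than a public-key signature), the claim names `iss`/`sub`/`aud`/`exp` are borrowed from JWT, and the hospital, user and key names are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets
import time

PBKDF2_ROUNDS = 100_000  # password-hashing work factor (illustrative value)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()


class IdentityProvider:
    """The authorization server: the only party that ever sees a password."""

    def __init__(self, name, service_keys, ttl_seconds=300):
        self.name = name                  # issuer name, e.g. "hospital-a" (constructed)
        self.service_keys = service_keys  # service name -> key shared with that service
        self.ttl = ttl_seconds            # how long an issued token stays valid
        self.users = {}                   # username -> (salt, PBKDF2 hash); no plaintext kept

    def register(self, username, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.users[username] = (salt, digest)

    def authenticate(self, username, password):
        record = self.users.get(username)
        if record is None:
            return False
        salt, stored = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, stored)

    def issue_token(self, username, password, service, now=None):
        """Authenticate once, then mint a time-limited token bound to one service."""
        if not self.authenticate(username, password):
            raise PermissionError("bad credentials")
        now = time.time() if now is None else now
        claims = {"iss": self.name, "sub": username, "aud": service, "exp": int(now + self.ttl)}
        body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
        mac = hmac.new(self.service_keys[service], body, "sha256").digest()
        return _b64(body) + "." + _b64(mac)


class Service:
    """A relying service: it holds keys for the issuers it trusts, never user passwords."""

    def __init__(self, name, trusted_issuers):
        self.name = name
        self.trusted_issuers = trusted_issuers  # issuer name -> shared key ("passports we accept")

    def verify(self, token, now=None):
        """Return the authenticated username, or None if the token is not acceptable."""
        try:
            body_b64, mac_b64 = token.split(".")
            body = base64.urlsafe_b64decode(body_b64)
            mac = base64.urlsafe_b64decode(mac_b64)
            claims = json.loads(body)
        except ValueError:  # wrong segment count, bad base64 or bad JSON
            return None
        if not isinstance(claims, dict):
            return None
        key = self.trusted_issuers.get(claims.get("iss"))
        if key is None:
            return None  # issued by a party we have no trust relationship with
        if not hmac.compare_digest(hmac.new(key, body, "sha256").digest(), mac):
            return None  # forged, tampered, or minted under another service's key
        if claims.get("aud") != self.name:
            return None  # token was minted for a different service
        now = time.time() if now is None else now
        exp = claims.get("exp")
        if not isinstance(exp, (int, float)) or now >= exp:
            return None  # time limit exceeded: the user must authenticate again
        return claims.get("sub")


def demo():
    """Constructed scenario: two hospitals with a trust relationship, plus an unknown issuer."""
    t0 = 1_700_000_000  # fixed clock so the results are reproducible
    records_key, partner_key, stranger_key = (secrets.token_bytes(32) for _ in range(3))
    idp_a = IdentityProvider("hospital-a", {"records": records_key})   # home identity provider
    idp_b = IdentityProvider("hospital-b", {"records": partner_key})   # trusted partner hospital
    idp_x = IdentityProvider("unknown-org", {"records": stranger_key})  # no trust relationship
    for idp, user in ((idp_a, "dr.smith"), (idp_b, "dr.jones"), (idp_x, "someone")):
        idp.register(user, "pw-" + user)  # constructed demo passwords
    records = Service("records", {"hospital-a": records_key, "hospital-b": partner_key})

    home = idp_a.issue_token("dr.smith", "pw-dr.smith", "records", now=t0)
    federated = idp_b.issue_token("dr.jones", "pw-dr.jones", "records", now=t0)
    stranger = idp_x.issue_token("someone", "pw-someone", "records", now=t0)
    body_b64, mac_b64 = home.split(".")  # tampering check: change the subject, keep the MAC
    claims = json.loads(base64.urlsafe_b64decode(body_b64))
    claims["sub"] = "dr.mallory"
    tampered = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()) + "." + mac_b64
    try:
        idp_a.issue_token("dr.smith", "wrong password", "records", now=t0)
        bad_password_rejected = False
    except PermissionError:
        bad_password_rejected = True

    return {
        "home_user": records.verify(home, now=t0 + 10),            # "dr.smith"
        "federated_user": records.verify(federated, now=t0 + 10),  # "dr.jones" via the partner
        "untrusted_issuer": records.verify(stranger, now=t0 + 10), # None
        "expired": records.verify(home, now=t0 + 600),             # None: 300 s limit passed
        "tampered": records.verify(tampered, now=t0 + 10),         # None
        "bad_password_rejected": bad_password_rejected,            # True
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:22} -> {result!r}")
```

Two design points are worth noting. The service never stores or receives a password, so a compromised service cannot leak credentials usable elsewhere, which is the security gain the post describes. The trust list in `Service` is the federation decision in miniature: adding a partner issuer is a deliberate key exchange, and a token from anyone not on that list is rejected before any claim is read.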
The first step to SSO can be made using a centralized account model - you access company services using a single account. Yeah, your blog structure is so simple, I like the style. I also like writing something in my spare time. So I can learn something from your article. Thanks.
Posted by: Tote Bags | November 17, 2010 at 04:58 AM
Very cool space! I love your taste and it looks like it'd be so much fun to poke around in there.
Posted by: MBT Men's Sandals | May 19, 2011 at 05:53 AM
Wow, you might say that the technology is very good! Photo, so beautiful, very clear, wish you good luck, create the future together! And I share my blog http://www.mbt-onsales.com/
Posted by: buy mbt shoes | June 02, 2011 at 09:15 AM
At Directory Services, Inc., we build our GreyTower product on the vision of Scale Out Identity Management, or the ability to scale your deployment in an agile way.
In your article, I see lots of reference to SSO tools and methods, but I'm not seeing your concept of Scale Out IDM.
I'd like to give support to the Scale Out IDM concept, and I invite you to take a look at our articles on the subject as well.
http://www.directoryservicesinc.com
Posted by: Marc Potter | June 09, 2011 at 12:26 AM
Much like the passport system - one country issues it and all others trust it.
Posted by: men glasses | June 16, 2011 at 11:53 AM
This is a wonderful article. The things mentioned are unanimous and need to be appreciated by everyone.
Posted by: sell websites | July 11, 2011 at 03:41 PM
In order to keep my account safe, I need to do more work now...
Posted by: KM Wigs | August 16, 2011 at 10:58 AM
I just couldn't leave your website before saying that I really like this article. There's a good chance to receive a perfect concept in your mind, the quality information you offer to your visitors.
Posted by: digital LED watch | August 23, 2011 at 11:47 AM
I am happy to find information useful to many here in the office, we have a more technical work in this direction, thanks for sharing.
Posted by: saw cut through any thing | August 30, 2011 at 12:27 PM
I found this is an informative and interesting post, so I think it is very useful and knowledgeable.
Posted by: Billy Elliot Tickets | September 15, 2011 at 12:28 PM