SSO Strategy Implementation Considerations July 8, 2010


Page 1

SSO Strategy Implementation Considerations

July 8, 2010

Page 2

Agenda
• Why listen to this @jfbauer guy on SSO?
• Agree on Terminology
• Current Landscape
• SSO Utopia
• Application – Framework View
• Future State
• Roadmap

Page 3

Why listen to this @jfbauer guy on SSO?

SSO Related Speaking Engagements
• Nov. 2008, CA World, Identity and Access Management
• Sept. 2008, Oracle OpenWorld, Identity and Access Management
• Aug. 2008, CA IAM Conference, Houston, TX
• July 2008, Medical Mutual IAM Conference, Cleveland, OH
• Nov. 2007, Gartner Identity and Access Management Conference, Los Angeles, CA
• Nov. 2007, Oracle OpenWorld, Online Real-time Fraud Detection
• Aug. 2007, Oracle NEO Enterprise Architecture Quarterly
• June 2006, NACHA Authentication Conference, Reston, VA

Page 4

Agree on Terminology

Single Sign-On?

LDAP vs. Active Directory?

Authentication vs. Authorization?

Build vs. Buy?

Vendor Solutions?

TAM vs. SiteMinder vs. OAM?

Security = Inverse of Convenience?

Directory of Record?

How/When to “Integrate?”

Roadmap?

Entitlements?

IAM?

Page 5

Agree on Terminology
• First step, establish definitions for terminology so we can all speak the same language

Page 6

Agree on Terminology
• Single Sign-On = Ability for a single individual to use one single set of credentials (ex. user name + password) to access the multiple applications they use
• Authentication = Simply an individual providing credentials to prove who they are
– I’m really Bob, not Mary

Page 7

Agree on Terminology
• Authorization = Simply verifying if an authenticated individual has been granted access to an application
– I’m Bob and I can access Application X
• Audit = Recording in a log file what just occurred
– Bob successfully accessed Application X login page on 7/7/2010 at 9:01am EST

Page 8

Agree on Terminology
• Entitlements = Now that an individual has been authenticated and is authorized to access an application, what can and can’t they do/see within that application
– I’m Bob, I can access Application X and within Application X I can view planning data and reports but I can’t change anything
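As an added illustration, not code from the deck, the four terms defined on the last three slides are kept as four separate decisions inside one shared service, using the deck's Bob / Mary / Application X wording; the users, passwords, access lists and entitlement table are constructed sample data.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone
from typing import List, Optional

# Constructed sample data: one credential store shared by every application
# (the common SSO service) instead of a per-application copy of the 3 A's.
_SALT = os.urandom(16)

def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)

USERS = {"bob": _hash("correct horse"), "mary": _hash("battery staple")}
# Authorization data: which principals may reach which application at all.
APP_ACCESS = {"Application X": {"bob"}}
# Entitlement data: what an authorized principal may do inside the application.
ENTITLEMENTS = {("bob", "Application X"): {"view planning data", "view reports"}}
AUDIT_LOG: List[str] = []

def audit(event: str) -> None:
    # Audit = record what just occurred: who, what and when. Failures are
    # logged as well as successes, so denied attempts are visible later.
    AUDIT_LOG.append(f"{datetime.now(timezone.utc).isoformat()} {event}")

def authenticate(user: str, password: str) -> Optional[str]:
    # Authentication answers only "is this really Bob, not Mary?";
    # it says nothing about what Bob may access.
    stored = USERS.get(user)
    ok = stored is not None and hmac.compare_digest(stored, _hash(password))
    audit(f"{user} authentication {'succeeded' if ok else 'failed'}")
    return user if ok else None

def authorize(principal: str, app: str) -> bool:
    # Authorization: may this authenticated principal access this application?
    ok = principal in APP_ACCESS.get(app, set())
    audit(f"{principal} {'accessed' if ok else 'was denied access to'} {app}")
    return ok

def entitled(principal: str, app: str, action: str) -> bool:
    # Entitlement: within the app, is this particular action permitted?
    # Being authorized for the app does not imply every action inside it.
    return authorize(principal, app) and action in ENTITLEMENTS.get((principal, app), set())

def try_action(user: str, password: str, app: str, action: str) -> bool:
    # Full path: authenticate, then authorize, then check the entitlement.
    principal = authenticate(user, password)
    return principal is not None and entitled(principal, app, action)
```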

Page 9

Agree on Terminology
• LDAP = “Lightweight Directory Access Protocol is an application protocol for querying and modifying data using directory services running over TCP/IP”*
• Directory = “is a set of objects with attributes organized in a logical and hierarchical manner.”*

*Source = http://en.wikipedia.org/wiki/LDAP

Page 10

Agree on Terminology
• Active Directory = “is a technology created by Microsoft that provides a variety of network services, including: … LDAP”*
• Kerberos = “a computer network authentication protocol, which allows nodes communicating over a non-secure network to prove their identity to one another in a secure manner”** or one way to authenticate stuff

*Source = http://en.wikipedia.org/wiki/Active_Directory
**Source = http://en.wikipedia.org/wiki/Kerberos_(protocol)

Page 11

Agree on Terminology
• IAM = “Identity and Access Management” or the IT/Security industry discipline that encompasses all this stuff (analogous to PMO for projects or ITIL for systems management, etc.)

Page 12

Current Landscape
• Second step, agree on how things are currently done so we are all working from the same baseline understanding

Page 13

Current Landscape
• Everyone solves the 3 A’s within their own solution domain
– 3 A’s = “Authentication, Authorization and Auditing”
– Each project has to invest time/energy/$$$/resources to solve the same AAA problems over, and over, and over
– Post project, per-application AAA workflows add ongoing support costs

Page 14

Current Landscape
• Um, err, business case here???
– International Data Group reports that an average user in a 10,000-employee company has 14 separate passwords.
– Forrester, “Password problems and resets generally constitute between 25% and 40% of total help desk incidents”*

*Source = Twenty-three Best Practices For the Customer Service Center, Chip Gliedman, Forrester, 10/11/2005

Page 15

Current Landscape
• Long story short … if an organization continues to grow without an SSO strategy + solution, the costs associated with managing user application access (AAA) will increase proportionally

Page 16

SSO Utopia
• Common service for external SSO
• Common service for internal SSO
• Self-service credential reset
• Standard SSO integration path for all project solutions/applications
• TCO for IAM reduced across the enterprise
• Raises for everyone in IT

Page 17

Application – Framework View
• More realistically:

Page 18

Approach: In-House Developed Solution
Pros:
• Control over entire feature set
• Lack of vendor dependencies
• Deep internal SME over solution
Cons:
• Will take longer
• Will require a larger team to execute
• Longer delay to benefiting from ROI
• Lack of inherent competency in this space
• Resource attrition takes away irreplaceable knowledge, thus reducing initial approach value

Approach: Purchase Vendor Framework
Pros:
• Already mature product options in the marketplace
• Top tier vendors investing in this space (CA, Oracle, IBM, etc.)
• Faster realization of outlined benefits
• Leverage vendor expertise to augment internal resources as needed
Cons:
• Will incur licensing and support cost from selected vendor
• Will involve normal vendor product lifecycle management challenges (version upgrades, product road maps, custom feature sets)

Future State

Page 19

Roadmap
1. Agree on definitions
2. Agree on SSO utopia future state
3. Agree on strategic Auth and Az stores
– Example: LDAP for all external users?
– Example: AD for internal/employees?
4. Agree on initial SSO integration approach
– New project designs w/SSO after X date
– or retrofit N existing applications
– or “Major project Y and then …”
– or some other criteria???

Page 20

Roadmap
• Evaluate/RFI/RFP vendor landscape
– Short list
• Example: CA, Oracle and IBM
• Consider Gartner “magic quadrant” and existing vendor relationships
• Vendor POC including “integration service” modeling
– Legacy/Project integration criteria
– FTE/staffing to support
• Production deployment
• Integrations!

Page 21

?

Graphics blatantly stolen with approval from @jurgenappelo