Single Sign-On 101: Beyond the Hype

What SSO Can and Can’t Do For Your Business
Introductions
• Diana Kelley, Baroudi Group
– diana@baroudi.com
• Ian Poynter, Security Consultant
– ianpoynter@yahoo.com
BlackHat Briefings
Diana Kelley & Ian Poynter
2
Outline
• Definitions
• Business Requirements
• SSO Technologies
• Authentication Methods
• SSO Case Studies
Definition
• Single Sign-On
– Fantasy
• One Password For Everything!
– Reality
• Most Systems And Applications Already Have Their Own Proprietary Login Functionality
• Reduced Logins For Discrete Systems
– Corporate Systems
– Shared Intranet/Web Applications
– Web Logon Aggregators
Business Requirements
• Is There A Problem Here?
– Mushrooming Passwords
– Need For Re-use
– “Sticky Note” Password Cache
– Unencrypted Text Files On Laptops and PDAs
Business Requirements
• Deceptively Intuitive
– Reduce Costs
– Increase Security
– Increase Efficiency
– Increase Convenience
– My Boss Told Me I Have To
Business Requirements
• Be Honest About the Cost / Benefit Analysis
– Use Hard Numbers
• What Does it Cost to Reset a Password?
• How Much Time is Spent Logging into Multiple Systems Each Morning?
• What is The Real Cost of Integration?
• Will Additional Authentication Methods Need to be Purchased?
Business Requirements
• Be Honest About the Cost / Benefit Analysis
– Don’t Forget the Ease of Use Factor
• Consider Training for Administrators and All Users
– QA and Versioning Can Increase TCO
Business Requirements
• Think About the Inside and the Outside
– Multiple User Populations Can Increase Costs
– Tiered Authentication Levels
– At a Minimum, Need Secure Password Selection Training for Everyone
Business Risks
• Single Point of Failure
– Denial of Service/Lack of Availability
• Stolen Credentials via Insecure Implementations
• Overly Ambitious Projects
– Physical and Network
– Complicated Procedures
• n-factor Authentication
– Square Pegs in Round Holes
Business Risks
• Failure to Consider the Legacy
– OS/390, AS/400, Custom Client/Server Applications, RADIUS
• Failure to Consider Regulatory Requirements
– Financial Services and GLBA
– Health Care and HIPAA
– Content Providers and COPPA
– International Businesses and EU DPD
Authentication Methods
• Declaring and Proving Who or What You Are
• Sure, Signing on Once, but What With?
• Becomes an Even Larger Question with SSO Because More Systems are Involved
Authentication Methods
• Have, Know, Are
– Tokens, Passwords, Fingerprints
• Single vs. Multi
Authentication Methods
• Passwords
• One Time Passwords
• Tokens and SmartCards
• PKI
• Digital / Machine Fingerprints
• Biometrics
Authentication Protocols and Technologies
• Dial-In Users and Wireless (802.1x)
– RADIUS
• S/390 Mainframes
– RACF, ACF2, CA Top-Secret
• Unix
– PAMs (Pluggable Authentication Modules)
• Windows
– GINA, Kerberos, NTLM
SSO Technologies
• Traditional Single Sign-On
• Password Synchronization
• Authentication Platforms
• Web Logon Aggregators
• NB: Convergence Between Traditional SSO and Authentication Platforms
SSO Technologies
• Traditional Single Sign-On
– Allows a User to Login Once, Using a Single Authentication Method, to Gain Access to Multiple Hosts and / or Applications
– May Also Provide Access Control / Authorization Features
• Authorization policies restrict which applications or systems a user has access to
• And what the user can and can’t do on these applications and systems
SSO Technologies
• Traditional Single Sign-On
• Not an Entirely New Concept
– Kerberos and Kerberized
– RADIUS and Radiized
Traditional SSO: How It Works
• Authenticate Once To Access Many
• Login Credentials (ID And Authentication) Usually Stored Locally
• Transparently Presented to the System or Application When Needed
Traditional SSO: How It Works
• Single Credential for All Systems
– Kerberos Model
• Multiple Credentials
– Required for Most Heterogeneous Environments
Traditional SSO: How It Works
• APIs And DLLs
– Write the SSO Authentication into Each Application or System (compare to: Radiized)
– Or Use Replacement DLLs
• Scripts
– Pieces of Code on the Client That Manage the Login Procedure to Multiple Systems
• Cookies
– For Web Applications Only
Traditional SSO: Pros and Cons
• Pros
– Very Easy to Use
– Reduces Support Costs
– Reduces Logon Cycles
• Cons
– Integration of Legacy Can Be Expensive and Time Consuming
– Single Point of Attack
– Scripting Solutions Often Lead to Storage of Passwords And IDs on the Client
Traditional SSO: Business Fit
• Good Business Fit for
– Companies That Want to Simplify the User Experience
– Companies That Need to Reduce the Login Cycle
Traditional SSO: Brand Examples
• IBM/Tivoli Global Sign-On
• Netegrity SiteMinder
• RSA ClearTrust (formerly Securant)
SSO Technologies
• Password Synchronization
– Manage Passwords Across Platforms and Systems
– Keeps the Same Password So the User Only Needs to Remember One
– When a User Changes Her Password, the Synchronization Server Automatically Updates the User’s Password on All Available Systems or in the Central Repository Server
Password Synchronization: How It Works
• Distributed
– Agents Automatically Reset Passwords on Applications and Systems
• Centralized
– All Authentication Requests Are Forwarded to a Central Server
Password Synchronization: Pros and Cons
• Pros
– User Has Only One Password to Remember
– Usually Fairly Easy to Implement
– Help Desk Can Reset Passwords to All Systems From a Single Console
• Cons
– Does Not Reduce the Number of Logons
– Only Supports Password Authentication
Password Synchronization: Business Fit
• Good Business Fit for
– Companies That Only Use Password Authentication
– Companies That Don’t Need to Reduce the Login Cycle
Password Synchronization: Brand Examples
• PassGo, InSync (formerly Axent/Symantec)
• Courion, Password Courier
SSO Technologies
• Authentication Platforms
– Provide a Central Point of Management for Multiple Authentication Schemes
– Users Authenticate To A Gateway Using Any Combination of Authentication Methods
• Smartcards, PKI, Biometrics etc.
– Supports Multi-layer Authentication Policies
Authentication Platforms: How It Works
• Abstracts the Authentication Layer to an Authentication Gateway
• All Users Login to this Gateway
• Gateway Determines the Level / Type of Authentication that is Required
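The gateway logic described on this slide, as an added example that is not part of the original deck: a small Python model of an authentication gateway that maps the deck’s Have / Know / Are factor categories onto tiered authentication policies and decides whether a login attempt meets the level a resource requires. The method names, tiers and resource classification are constructed for illustration and are not from any real product.

```python
from dataclasses import dataclass

# Factor category each method proves (the deck's "Have, Know, Are").
# Constructed mapping for this example.
METHOD_FACTOR = {
    "password": "know",
    "one_time_password": "have",
    "smartcard": "have",
    "pki_certificate": "have",
    "fingerprint": "are",
}

# Tiered policy: assurance level -> number of distinct factor categories required.
TIER_REQUIRED_FACTORS = {"low": 1, "medium": 2, "high": 3}

# Constructed resource classification (hypothetical application names).
RESOURCE_TIER = {
    "intranet_news": "low",
    "hr_portal": "medium",
    "money_transfer": "high",
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    tier: str
    proven: frozenset           # factor categories actually proven
    step_up_options: frozenset  # categories that would raise assurance


def evaluate(resource: str, methods: list) -> Decision:
    """Gateway decision for one login attempt.

    Two methods from the same category (e.g. smartcard + PKI certificate)
    prove only one factor, so they do not satisfy a two-factor tier.
    An unknown resource falls back to the strictest tier (fail closed),
    and an unsupported method is rejected rather than silently ignored."""
    tier = RESOURCE_TIER.get(resource, "high")
    unknown = [m for m in methods if m not in METHOD_FACTOR]
    if unknown:
        raise ValueError(f"unsupported authentication method(s): {unknown}")
    proven = frozenset(METHOD_FACTOR[m] for m in methods)
    allowed = len(proven) >= TIER_REQUIRED_FACTORS[tier]
    step_up = frozenset() if allowed else frozenset({"have", "know", "are"}) - proven
    return Decision(allowed, tier, proven, step_up)
```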
Authentication Platforms: Pros and Cons
• Pros
– Eases Integration With an Abstracted Authentication Layer
– Support for Most Authentication Factors
• Cons
– Does Not Reduce the Number of Logins, Unless SSO is Embedded in the Authentication Platform
– Single Point of Attack / Failure
• Denial of Service
Authentication Platforms: Business Fit
• Good Business Fit for
– Enterprises with Hierarchical, Complex Authentication Requirements
– Companies using N-factor Authentication Solutions
– Organizations with Regulated Security / Privacy Requirements
• Financial Institutions, HealthCare, Government Agencies
Authentication Platforms: Brand Examples
• Bionetrix Authentication Server
• Novell Modular Authentication Service (NMAS)
• ActivCard (formerly Ankari)
– Trinity Server with SSO Functionality
SSO Technologies
• Web Logon Aggregators
– One Login, Access Multiple Sites
– User Logs into Aggregator Software or Site at the Beginning of a Session
– All Subsequent Logins to Web Sites Visited Are Handled Transparently
Web Logon Aggregators: How It Works
• Credentials Are Cached Either
– Locally via Cookies
– On the Server via a State Mechanism
• Automatically Presented to Sites as Needed
Web Logon Aggregators: Pros and Cons
• Pros
– Ease of Use
– Streamlines Web Experience
• Cons
– Web Only
– Sites May Need to Opt In
– Outsources Trust to 3rd Party
– Loss of Control
Web Logon Aggregators: Business Fit
• Good Business Fit for
– Companies Providing Web Interfaces to Customers or Employees
– Home Users Who Want to Streamline Their Web Experience
Web Logon Aggregators: Brand Examples
• .NET / Passport
• Liberty Alliance (in process)
• Yodlee
– Account Aggregator
Case Studies
• Example Architectures From the Real World
• Identifying Characteristics Have Been Changed Where Needed to Protect Client Confidentiality
Case Study 1
• Large US Insurance Company
– Project: Reduce ‘Wake Up’ Time for Internal Personnel and External Agents by Integrating the Login Function to Multiple Back and Front Ends
Case Study 1
• Points for the RFP
– State Business Requirements (cf. previous slide)
– Provide Hard Numbers
• Example: Time Goal for Reduced Wake-up Time
– Time and Cost Estimates
• Don’t Forget QA Before Roll Out
• Include Support and Training
Case Study 1
• Points for the RFP
– Technical Requirements
• All Internal Logins Triggered by NT Login
• External Users’ Credentials Stored in an LDAP Directory
• Login Support For
– S/390 with RACF
– Oracle Database
– RADIUS for Remote Agents
– Custom DOS-Based Money Transfers with SecurID
– Custom Web Applications
Case Study 1
• Proposal from Selected Vendor
– Hybrid Technical Solution
• Internal Users
– Custom GINA
– LDAP Support
– Link to Traditional SSO for Web Application Logins
– Trigger for Users That Needed to Access SecurID Protected Solutions
• External Users
– Traditional SSO for Web Application Logins
Case Study 2
• International Consulting Firm
– Project: Link Multiple Intranets, Distributed Around the World, for Secure Access to Internal-Only Information Sharing And Project Collaboration
Case Study 2
• Points for the RFP
– State Business Requirements
– Provide Hard Numbers
• Example: Define Secure Access
– Type of Authentication
– Encryption Requirements
– Roaming User Needs
– Time and Cost Estimates
• Don’t Forget QA Before Roll Out
• Include Support and Training
Case Study 2
• Points for the RFP
– Technical Requirements
• Internationally Distributed Web Servers Across Multiple Domains
• Custom Web Applications
• Netscape, IIS, Apache Web Servers
• Mac And Windows Clients
Case Study 2
• Proposal from Selected Vendor
– Netegrity SiteMinder with Installation Services
Summary
• Know the Business Requirements
• Complete a Cost-Benefit Analysis
• Set Reasonable Goals
• Investigate the Available Technologies
• Investigate the Vendors
• Match Requirements to Technology
• Plan: Create an RFP and Architecture
• Prototype, Build, Test, Train, and Deploy
• Throw Away Those Yellow Sticky Password Caches!