Hello everyone and welcome to this PortalGuard webcast. My name is Laura Woodbury and I will be speaking today about SAML-based single sign-on. I would first like to help set expectations for this event. Before diving into the details, please understand that I am here to provide you with food for thought. You may already be familiar with some of the information presented today. We are hoping to educate you with new knowledge on authentication and reasons to take a closer look at your current standards.

Today we will be talking about ways to manage your corporation’s password systems to reduce cost, enhance the user experience and improve productivity, improve security, and simplify auditing and compliance.

Before we get started, I would like to go over a few housekeeping items. The presentation has a run time of about 15 minutes. Following the webcast, I will provide you with contact details should you like more information or a copy of the slides presented today. I would also like to encourage you to take a brief survey that will help us determine future webcasts, products and product improvements. Now, let’s get started…
How much do passwords really cost? According to a recent Gartner study, roughly 30% of help desk calls are password related. On average, your employees call the help desk one to two times each month. Each of those help desk calls costs in the area of $30. If you do the math on a corporation with 1000 employees each making 21 help desk calls a year at a cost of roughly $30 per call with 30% of those being password related… passwords are expensive!
Now, let’s talk about how secure those costly passwords are. We’ve all heard of the big security breaches over the last few months – Twitter, LinkedIn, Apple IDs – where their networks are hacked and thousands of user IDs and passwords are compromised. Let’s take it a step closer and get personal.
Recently, a senior writer for Wired magazine, Mat, told the story of how he was the target of an epic hacking. In a single hour, hackers were able to destroy Mat’s digital identity. The goal of this particular hacker was to take control of Mat’s Twitter handle. The hacker found Mat’s email and home address from his Twitter profile. From Gmail’s password recovery screen, the hacker discovered Mat’s backup email – a .me account. With some simple hacking and Mat’s email and home address, the hacker gained access to Mat’s Amazon.com account and accessed the last four digits of his credit card. The hacker now held enough information to contact Apple and reset Mat’s Apple ID – giving them full access to his .me account and iCloud. The hacker leveraged the forgotten password screen from Gmail and had his password sent to the .me account. The hacker now had control of Mat’s Gmail account and effectively his entire digital identity. The hacker got what they were after and took over his Twitter handle. Having access to Mat’s Apple ID, the hacker was able to remotely wipe his iPhone and MacBook – erasing all his data, including videos and pictures from the past year of his newborn daughter. Much of this could have been avoided had Mat made use of two-factor authentication… instead, Mat suffered the loss of his online identity.
What’s the answer to these concerns? Single sign-on using strong authentication. Single sign-on is a system in which users log on to their applications – both cloud and enterprise – without being prompted to enter a new password or provide authentication for each individual system. Strong authentication is a form of computer security in which user identities are verified without transmitting passwords over the network. Strong authentication enforces stronger password policies. Combining single sign-on with strong authentication – be it two-factor or contextual – secures your network and makes life a little easier for your users. Additional benefits are self-service password management, allowing users to service their own needs at their convenience and freeing up your help desk staff to work on more pressing issues.
Why should you implement single sign-on? There are many benefits to implementing a single sign-on solution. Several that I will touch on today are reducing costs associated with multiple passwords, enhancing the user experience while increasing productivity, improving security around a single point of access and simplifying auditing and compliance.
Let’s start with reducing cost. As I mentioned earlier, passwords are expensive! And supporting those passwords is not only costly, but time consuming. Implementing a single sign-on solution with self-service password management puts the ability to reset passwords in the able hands of the user while freeing help desk staff to work on the more challenging IT issues. Choosing and implementing a solid, well-supported single sign-on with password management will result in a return on your investment in months… not years!
Enhance the user experience while increasing productivity. Passwords for email, CRM, ERP, marketing automation, accounting, project management, payroll – how many passwords are your people trying to manage? And of those passwords, how many are scribbled on sticky notes and stuck under the keyboard or, worse, stuck to the laptop! People make all sorts of bad decisions when it comes to ‘managing’ their usernames and passwords, making your security vulnerable. Vulnerable security is not only costly, but can end in severe loss.

Single sign-on eliminates the need for multiple passwords and allows users to maintain a single username and password. This means fewer password-related help desk calls and lost productivity. The average downtime for a user waiting for a password reset is about 20 minutes. That’s time you never get back. You can take advantage of self-service password reset options to further enhance the user experience and take the burden off of your help desk staff.
Increase security around a single point of access with strong authentication. When you have a single password, you had better make sure it’s secure! Implementing strong authentication along with your single sign-on solution is a good way to secure your single point of entry to your enterprise. Two-factor authentication increases security by requiring something you know – your password – and leverages something you have – say, a mobile phone. An example would be signing in to your system and entering your password. You then receive a text message on your mobile phone with a one-time password, or OTP. You are asked to enter your OTP in the login screen in order to authenticate the user. Once the system agrees that you are who you say you are, you are granted access.

More and more, corporations are dealing with roaming and remote employees. Contextual-based authentication can be leveraged to gauge the security risk based on where a user is logging in from and base the level of authentication required accordingly. If the network detects that a user is logging in from inside the building via a LAN connection, the user may only be required to authenticate with a password. However, if the network detects that the user is logging in from a remote location during the middle of the night, the user may be required to meet more stringent authentication means such as an OTP.
You can also make use of configurable password policies. You set the requirements for the passwords or pass phrases – not only defining specifications for the password, but also how often the password expires and how frequently the user can change his password. If your IT administrator determines that security has been compromised, they will have a much cleaner log of accounts to sort through to identify and shut down the rogue account.
Auditing and compliance is simplified. Gartner is predicting that the number of regulatory requirements directly affecting IT will double over the next few years. Single sign-on helps alleviate some of the challenges of regulatory compliance such as SOX, HIPAA, GLB and FFIEC. Single sign-on by itself does not imply compliance; however, when implementing single sign-on you are creating a centralization of authentication. You will also likely think about and document the logging and auditing of your systems. The centralized authentication and documentation boosts your compliance efforts. And with fewer passwords to keep, you can reduce the manpower that is spent each year on regulatory compliance.
The preferred method – SAML single sign-on. Identity federation solves the multiple password challenge by providing a secure, private mechanism for organizations to share user identities, removing the need to maintain separate user profiles for each enterprise or cloud-based application. SAML, or Security Assertion Markup Language, is the predominant identity federation standard that enables single sign-on. SAML is an OASIS-approved standard. Version 2.0 was ratified in March 2005. In a nutshell, SAML single sign-on eliminates multiple passwords and streamlines access for the user.
Why SAML? SAML is platform neutral – it works on workstations, tablets and mobile devices; improves the online experience for end users; increases security; is supported by many SaaS applications; and has strong commercial and open source support.
How do you implement single sign-on? Now that you see the clear benefits to deploying a single sign-on solution, how do you choose a solution and successfully deploy it? One of the first questions you may ask is, can we go with a ‘homegrown’ approach? As with any homegrown software, you will have higher up-front costs in development and testing, consuming resources. More lead time is required, which means your deployment schedule must be pushed out. And a big one is that you get to deal with all the bugs yourself. Deploying a system that isn’t tried and tested can severely impact adoption and user satisfaction. You also have to deal with workforce and expertise attrition. What happens when your developer leaves or advances? And lastly, ongoing maintenance demands and costs.
PortalGuard software is an authentication platform which is focused on enhancing usability, while maintaining a balance between security, auditing and compliance for your cloud-based and desktop authentication requirements. PortalGuard provides capabilities including Single Sign-On; Two-Factor Authentication; Contextual Authentication; Self-Service Password Reset; Password Management; Password Synchronization; and Professional Services. We encourage you to contact PortalGuard for a one-on-one conversation about your requirements and how our products and professional services may meet your needs.
With that, I'll wrap things up. I hope I’ve given you a few things to think about. I encourage you to contact us with any questions and comments. I look forward to seeing you at our next event.
The Cost and Loss of NOT Using Single Sign-On with Two-Factor Authentication
Presented by
Setting expectations
• Here to provide you with food for thought
• Managing your corporation’s password systems
  • Reduce cost
  • Enhance the user experience and improve productivity
  • Improve security
  • Simplify auditing and compliance
Housekeeping
• Run time of approximately 15 minutes
• Contact details will be provided at the end of the presentation
• We welcome questions and comments
According to a recent Gartner¹ study…
• 30% of help desk calls are password related
• Average employee calls 1-2 times per month
• Each call costs ~$30
1000 users x 21 calls per user per year = 21,000 calls per year
21,000 calls per year x $30 per call = $630,000
$630,000 x 30% password related = $189,000 per year on password resets
¹ Password Reset: Self-Service That You Will Love (Gartner Research Note T-15-6454)
2012 Security Breaches
Network gets hacked; millions of users and passwords compromised
Let’s take it to a more personal place…
The LOSS:
• Hacker wanted to take control of Mat’s Twitter account
• Mat’s Gmail and home address were located on his Twitter profile
• From the Gmail password recovery screen, the hacker discovered Mat’s backup email address – a .me account
• To access Mat’s Amazon account, they did a simple hack and added a credit card number by calling and giving Mat’s email and billing address
• The hackers called back to Amazon and added another email address to the account
• Next they did a password reset on the account via the new email address and now owned Mat’s account and the last 4 digits of his original credit card on the account
• The hacker next called Apple and was able to have his Apple ID given to him using his billing address and the last 4 digits of his credit card – which he knew from his Amazon account
• The hacker used the Apple ID to log in to Mat’s .me account and reset the password
• The hacker now has full control of Mat’s .me account as well as Mat’s iCloud
• The hacker leveraged the forgotten password on Gmail and had a new password sent to his .me account
• The hacker was then able to access Mat’s Gmail account and effectively his entire digital identity
• The hacker was now able to take over his Twitter account
• Having access to Mat’s Apple ID, the hacker was able to remotely wipe his iPhone and MacBook
Single Sign-On using Strong Authentication
• Two-factor authentication
• Contextual-based authentication
• Self-service password management
• Reducing cost associated with multiple passwords
• Enhancing the user experience while increasing productivity
• Increasing security around a single point of access
• Simplifying auditing and compliance
Passwords are expensive
• 30% of help desk calls are password related
• Reducing the number of passwords reduces the number of help desk calls
• Implementing SSO and self-service password reset will result in ROI in months… not years!
Passwords for:
• Email
• Accounting
• CRM
• Project management
• ERP
• Payroll
• Marketing automation
• Many, many more…
Of those passwords, how many are scribbled on sticky notes?
SSO eliminates the need for multiple passwords, allowing users to maintain a single password
Fewer password-related help desk calls and lost productivity while IT comes to the rescue
Average downtime for a user waiting for a password reset: 20 minutes! Lost time that can never be recovered.
Take advantage of self-service password reset options to further enhance the user experience and take burden off of help desk staff
Strong Authentication:
When you have a single point of access… it better be secure!!
Strong authentication + SSO = Secure Network
Two-factor authentication increases security by requiring something you know – a password – and leverages something you have – mobile phone, laptop
Example:
• User logs in with user name/password
• User receives SMS with one-time password (OTP)
• User is prompted to enter OTP on screen
• System verifies user identity and grants access
Secure roaming or remote employees with contextual authentication. Gauge risk based on where the user is logging in from, basing the level of authentication accordingly.
Example:
• Network detects user is logging in via LAN connection: authentication method = password
• Network detects user is logging in from remote location during off hours: authentication requires password and OTP
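As an added illustration of the two-factor and contextual examples on this slide (example code written for this page, not code from the webcast or from PortalGuard), the following Python decides which factors a login must present from its source network and hour, issues an SMS-style one-time password, and verifies it once within a fixed lifetime. The LAN range, the off-hours window, the 5-minute OTP lifetime, the server key and the rule that any remote or off-hours login also needs an OTP (the slide only states the remote plus off-hours case) are all assumptions.

```python
import hashlib
import hmac
import ipaddress
import secrets

# Assumed deployment values: corporate LAN range, off-hours window, OTP lifetime.
LAN = ipaddress.ip_network("10.0.0.0/8")
OFF_HOURS = range(0, 6)               # midnight to 06:00
OTP_TTL_SECONDS = 300
SERVER_KEY = secrets.token_bytes(32)  # assumed per-deployment secret, never sent to users
_pending = {}                         # user -> {"digest", "expires_at", "used"}

def required_factors(source_ip: str, hour: int) -> list:
    """Contextual policy: a LAN login during working hours needs only a password;
    any remote or off-hours login also needs a one-time password (assumed rule)."""
    inside = ipaddress.ip_address(source_ip) in LAN
    if inside and hour not in OFF_HOURS:
        return ["password"]
    return ["password", "otp"]

def _digest(user: str, code: str) -> bytes:
    # Keyed hash so a leaked OTP store does not reveal usable codes.
    return hmac.new(SERVER_KEY, f"{user}:{code}".encode(), hashlib.sha256).digest()

def issue_otp(user: str, now: float) -> str:
    """Create a 6-digit code to send by SMS; only its keyed hash is stored."""
    code = f"{secrets.randbelow(10 ** 6):06d}"
    _pending[user] = {"digest": _digest(user, code),
                      "expires_at": now + OTP_TTL_SECONDS, "used": False}
    return code

def verify_otp(user: str, code: str, now: float) -> bool:
    """Accept the code once, before it expires, using a constant-time compare."""
    rec = _pending.get(user)
    if rec is None or rec["used"] or now > rec["expires_at"]:
        return False
    if not hmac.compare_digest(rec["digest"], _digest(user, code)):
        return False
    rec["used"] = True
    return True

def login(user: str, password_ok: bool, source_ip: str, hour: int,
          otp=None, now: float = 0.0) -> bool:
    """Grant access only when every factor the context demands is satisfied."""
    if not password_ok:
        return False
    if "otp" in required_factors(source_ip, hour):
        return otp is not None and verify_otp(user, otp, now)
    return True
```

A real deployment would keep the pending records in a shared store and rate-limit verification attempts; the in-memory dictionary is only for the example.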
Benefit from configurable password policies – you set the requirements for passwords or pass phrases along with how often passwords expire and how frequently users can change the password.
Should security be compromised, IT will have a cleaner log of accounts to research and identify the rogue account.
Gartner is predicting the number of regulatory requirements directly affecting IT will double over the next few years.
SSO helps alleviate some of the challenges of regulatory compliance such as SOX, HIPAA, GLB and FFIEC.
• Implementing SSO creates a centralization of authentication
• Forces you to think about and document the logging and auditing of your systems
• Centralized authentication and documentation boosts your compliance efforts
• Fewer password records means reducing the manpower spent each year on compliance
SAML is:
• Platform neutral – workstations, tablets and mobile devices
• Improves online experience for end users
• Increases security
• Supported by many SaaS applications with strong commercial and open source support
Can we go with a ‘homegrown’ approach?
• Higher upfront costs in development and testing, consuming resources
• Additional lead time is required – pushing out the deployment schedule
• You get to work out all of the bugs!
• Workforce and expertise attrition
• Ongoing maintenance demands and cost
PortalGuard Product Offerings
• Single Sign-On
• Two-Factor Authentication
• Contextual Authentication
• Self-Service Password Reset
• Password Management
• Password Synchronization
• Professional Services
Thank you!
Check out videos, tutorials and tech briefs at www.portalguard.com
Email Mark Cochran: email@example.com