SSO Strategy Implementation Considerations

SSO Strategy Implementation Considerations July 8, 2010

Agenda
Why listen to this @jfbauer guy on SSO?
Agree on Terminology
Current Landscape
SSO Utopia
Application – Framework View
Future State
Roadmap

Why listen to this @jfbauer guy on SSO?
SSO Related Speaking Engagements
Nov. 2008 CA World, Identity and Access Management
Sept. 2008 Oracle OpenWorld, Identity and Access Management
Aug. 2008, CA IAM Conference, Houston, TX
July 2008, Medical Mutual IAM Conference, Cleveland, OH
Nov. 2007, Gartner Identity and Access Management Conference, Los Angeles, CA
Nov. 2007, Oracle OpenWorld, Online Real-time Fraud Detection
Aug. 2007, Oracle NEO Enterprise Architecture Quarterly
June 2006, NACHA Authentication conference, Reston, VA

Agree on Terminology Single Sign-On? LDAP vs. Active Directory? Authentication vs. Authorization? Build vs. Buy? Vendor Solutions? TAM vs. SiteMinder vs. OAM? Security = Inverse of Convenience? Directory of Record? How/When to “Integrate?” Roadmap? Entitlements? IAM?

First step, establish definitions for terminology so we can all speak the same language

Single Sign-On = Ability for a single individual to use one single set of credentials (ex. user name + password) to access multiple applications they use with applications
Authentication = Simply an individual providing credentials to prove who they are
I’m really Bob, not Mary

Authorization = Simply verifying if an authenticated individual has been granted access to an application
I’m Bob and I can access Application X
Audit = Recording in a log file what just occurred
Bob successfully accessed Application X login page on 7//7/2010 at 9:01am EST

Entitlements = Now that an individual has been authenticated and is authorized to access an application what can and can’t they do/see within that application
I’m Bob, I can access Application X and within Application X I can view planning data and reports but I can’t change anything

LDAP = “Lightweight Directory Access Protocol is an application protocol for querying and modifying data using directory services running over TCP/IP”*
Directory = “is a set of objects with attributes organized in a logical and hierarchical manner.”*
*Source = http://en.wikipedia.org/wiki/LDAP

Active Directory = “is a technology created by Microsoft that provides a variety of network services, including: … LDAP”*
Kerberos = “a computer network authentication protocol, which allows nodes communicating over a non-secure network to prove their identity to one another in a secure manner”** or one way to authenticate stuff
*Source = http://en.wikipedia.org/wiki/Active_Directory **Source = http://en.wikipedia.org/wiki/Kerberos_(protocol)

IAM = “Identity and Access Management” or the IT/Security industry discipline that encompasses all this stuff (analogous to PMO for projects or ITIL for systems management, etc.)

Current Landscape
Second step, agree on how this are currently done so we all are working from the same baseline understanding

Current Landscape
Everyone solves the 3 A’s within their own solution domain
3 A’s = “Authentication, Authorization and Auditing”
Each project has to invest time/energy/$$$/resources to solve the same AAA problems over, and over, and over
Post project, per application AAA workflows provide on going support costs

Current Landscape
Um, err, business case here???
International Data Group reports that an average user in a 10,000-employee company has 14 separate passwords.
Forrester, “Password problems and resets generally constitute between 25% and 40% of total help desk incidents”*
*Source = Twenty-three Best Practices For the Customer Service Center, Chip Gliedman, Forrester, 10/11/2005

Current Landscape
Long story short … if an organization continues to grow without an SSO strategy + solution, the costs associated with managing user application access (AAA) will proportionally increase

SSO Utopia
Common service for external SSO
Common service for internal SSO
Self Service credential reset
Standard SSO integration path for all project solutions/applications
TOC for IAM reduced across the enterprise
Raises for everyone in IT

Application – Framework View
More realistically:

Future State Approach Pros Cons In-House Developed Solution
Control over entire feature set
Lack of vendor dependencies
Deep internal SME over solution
Will take longer
Will require a larger team to execute.
Longer delay to benefiting from ROI
Lack of inherent competency in this space.
Resource attrition takes away irreplaceable knowledge thus reducing initial approach value
Purchase Vendor Framework
Already mature product options in the marketplace
Top tier vendors investing in this space (CA, Oracle, IBM, etc.)
Faster realization of outlined benefits
Leverage vendor expertise to augment internal resources as needed
Will incur licensing and support cost from selected vendor.
Will involve normal vendor product lifecycle management challenges (version upgrades, product road maps, custom feature sets)

Roadmap
Agree on definitions
Agree on SSO utopia future state
Agree on strategic Auth and Az stores
Example: LDAP for all external users?
Example: AD for internal/employees?
Agree on initial SSO integration approach
New project designs w/SSO after X date
or retrofit N existing applications
or “Major project Y and then …”
or some other criteria???

Roadmap
Evaluate/RFI/RFP vendor landscape
Short list
Example: CA, Oracle and IBM
Consider Gartner “magic quadrant” and existing vendor relationships
Vendor POC including “integration service” modeling
Legacy/Project integration criteria
FTE/staffing to support
Production deployment
Integrations!

? Graphics blatantly stolen with approval from @jurgenappelo

SSO Strategy Implementation Considerations

by John Bauer on Jul 08, 2010

Accessibility

Categories

Upload Details

Usage Rights

2 Embeds 40

Statistics

SSO Strategy Implementation Considerations — Presentation Transcript

http://midwestitsurvival.com	34
http://www.midwestitsurvival.com	6