SSO Strategy Implementation Considerations
July 8, 2010
Agenda
• Why listen to this @jfbauer guy on SSO?
• Agree on Terminology
• Current Landscape
• SSO Utopia
• Application – Framework View
• Future State
• Roadmap
Why listen to this @jfbauer guy on SSO?
SSO Related Speaking Engagements
• Nov. 2008, CA World, Identity and Access Management
• Sept. 2008, Oracle OpenWorld, Identity and Access Management
• Aug. 2008, CA IAM Conference, Houston, TX
• July 2008, Medical Mutual IAM Conference, Cleveland, OH
• Nov. 2007, Gartner Identity and Access Management Conference, Los Angeles, CA
• Nov. 2007, Oracle OpenWorld, Online Real-time Fraud Detection
• Aug. 2007, Oracle NEO Enterprise Architecture Quarterly
• June 2006, NACHA Authentication Conference, Reston, VA
Agree on Terminology
Single Sign-On?
LDAP vs. Active Directory?
Authentication vs. Authorization?
Build vs. Buy?
Vendor Solutions?
TAM vs. SiteMinder vs. OAM?
Security = Inverse of Convenience?
Directory of Record?
How/When to “Integrate?”
Roadmap?
Entitlements?
IAM?
Agree on Terminology
• First step, establish definitions for terminology so we can all speak the same language
Agree on Terminology
• Single Sign-On = Ability for a single individual to use one set of credentials (e.g. user name + password) to access multiple applications
• Authentication = Simply an individual providing credentials to prove who they are
– I’m really Bob, not Mary
Agree on Terminology
• Authorization = Simply verifying whether an authenticated individual has been granted access to an application
– I’m Bob and I can access Application X
• Audit = Recording in a log file what just occurred
– Bob successfully accessed the Application X login page on 7/7/2010 at 9:01am EST
Agree on Terminology
• Entitlements = Now that an individual has been authenticated and is authorized to access an application, what can and can’t they do/see within that application
– I’m Bob, I can access Application X and within Application X I can view planning data and reports but I can’t change anything
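The four terms above (plus the SSO definition) are easiest to keep apart when each is a separate call. The following is an added example, not code from the original slides: a toy SSO service in Python in which one credential set (Bob's) opens a session that several applications then consult for authorization, entitlements and audit. The user "bob", his password, the applications "Application X/Y/Z" and the permission names are all constructed for illustration; the hashing and token choices are this example's, not anything the deck prescribes.

```python
"""Toy SSO service modelling the deck's terms as separate steps.

Added example for illustration only (not code from the original slides).
Every user, application, credential and permission below is constructed.
"""
import hashlib
import hmac
import os
import secrets
from datetime import datetime, timezone


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 so the directory of record never stores cleartext
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SSOService:
    """One credential set, many applications (the Single Sign-On definition)."""

    def __init__(self) -> None:
        self._users = {}         # username -> (salt, password hash)
        self._app_access = {}    # app name -> set of usernames allowed in
        self._entitlements = {}  # (app, username) -> set of permissions
        self._sessions = {}      # session token -> username
        self.audit_log = []      # one record per login / access decision

    def register_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, _hash_password(password, salt))

    def grant_app_access(self, app: str, username: str, permissions=()) -> None:
        self._app_access.setdefault(app, set()).add(username)
        self._entitlements[(app, username)] = set(permissions)

    def _audit(self, event, user, app=None, outcome=None) -> None:
        # Audit = record what just occurred, with a timestamp
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "event": event, "user": user, "app": app, "outcome": outcome,
        })

    def authenticate(self, username: str, password: str):
        """Authentication: prove 'I'm really Bob, not Mary'. Returns a token or None."""
        rec = self._users.get(username)
        if rec is None:
            # Hash anyway so unknown-user and wrong-password failures take similar time
            _hash_password(password, b"\x00" * 16)
            self._audit("login", username, outcome="failure")
            return None
        salt, stored = rec
        if not hmac.compare_digest(stored, _hash_password(password, salt)):
            self._audit("login", username, outcome="failure")
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = username
        self._audit("login", username, outcome="success")
        return token

    def authorize(self, token: str, app: str) -> bool:
        """Authorization: has this authenticated user been granted access to app?"""
        user = self._sessions.get(token)
        if user is None:
            self._audit("access", None, app, "no-session")
            return False
        allowed = user in self._app_access.get(app, set())
        self._audit("access", user, app, "success" if allowed else "denied")
        return allowed

    def has_entitlement(self, token: str, app: str, permission: str) -> bool:
        """Entitlements: within an app the user may enter, what may they do?"""
        if not self.authorize(token, app):
            return False
        user = self._sessions[token]
        return permission in self._entitlements.get((app, user), set())


def demo() -> dict:
    """Walk Bob through the deck's example; returns every decision for checking."""
    sso = SSOService()
    sso.register_user("bob", "correct horse battery staple")  # constructed credential
    sso.grant_app_access("Application X", "bob", {"view:planning", "view:reports"})
    sso.grant_app_access("Application Y", "bob", {"view:dashboard"})

    token = sso.authenticate("bob", "correct horse battery staple")
    return {
        "bad_password": sso.authenticate("bob", "wrong") is None,
        "app_x": sso.authorize(token, "Application X"),        # one login ...
        "app_y": sso.authorize(token, "Application Y"),        # ... many applications
        "app_z": sso.authorize(token, "Application Z"),        # never granted
        "forged_token": sso.authorize("not-a-real-token", "Application X"),
        "can_view_reports": sso.has_entitlement(token, "Application X", "view:reports"),
        "can_edit": sso.has_entitlement(token, "Application X", "edit:planning"),
        "audit_entries": len(sso.audit_log),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that `authorize` and `has_entitlement` never touch the password store: once Bob has authenticated, every application asks the shared service about the session token, which is the property the later "common service for SSO" slides are after. Every decision, including denials and forged tokens, lands in `audit_log`.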
Agree on Terminology
• LDAP = “Lightweight Directory Access Protocol is an application protocol for querying and modifying data using directory services running over TCP/IP”*
• Directory = “is a set of objects with attributes organized in a logical and hierarchical manner.”*
*Source = http://en.wikipedia.org/wiki/LDAP
Agree on Terminology
• Active Directory = “is a technology created by Microsoft that provides a variety of network services, including: … LDAP”*
• Kerberos = “a computer network authentication protocol, which allows nodes communicating over a non-secure network to prove their identity to one another in a secure manner”** or one way to authenticate stuff
*Source = http://en.wikipedia.org/wiki/Active_Directory
**Source = http://en.wikipedia.org/wiki/Kerberos_(protocol)
Agree on Terminology
• IAM = “Identity and Access Management” or the IT/Security industry discipline that encompasses all this stuff (analogous to PMO for projects or ITIL for systems management, etc.)
Current Landscape
• Second step, agree on how things are currently done so we are all working from the same baseline understanding
Current Landscape
• Everyone solves the 3 A’s within their own solution domain
– 3 A’s = “Authentication, Authorization and Auditing”
– Each project has to invest time/energy/$$$/resources to solve the same AAA problems over, and over, and over
– Post project, per-application AAA workflows incur ongoing support costs
Current Landscape
• Um, err, business case here???
– International Data Group reports that an average user in a 10,000-employee company has 14 separate passwords.
– Forrester, “Password problems and resets generally constitute between 25% and 40% of total help desk incidents”*
*Source = Twenty-three Best Practices For the Customer Service Center, Chip Gliedman, Forrester, 10/11/2005
Current Landscape
• Long story short … if an organization continues to grow without an SSO strategy + solution, the costs associated with managing user application access (AAA) will increase proportionally
SSO Utopia
• Common service for external SSO
• Common service for internal SSO
• Self-service credential reset
• Standard SSO integration path for all project solutions/applications
• TCO for IAM reduced across the enterprise
• Raises for everyone in IT
Application – Framework View
• More realistically:

Approach: In-House Developed Solution
Pros:
• Control over entire feature set
• Lack of vendor dependencies
• Deep internal SME over solution
Cons:
• Will take longer
• Will require a larger team to execute
• Longer delay to benefiting from ROI
• Lack of inherent competency in this space
• Resource attrition takes away irreplaceable knowledge, thus reducing the initial approach value

Approach: Purchase Vendor Framework
Pros:
• Already mature product options in the marketplace
• Top tier vendors investing in this space (CA, Oracle, IBM, etc.)
• Faster realization of outlined benefits
• Leverage vendor expertise to augment internal resources as needed
Cons:
• Will incur licensing and support cost from selected vendor
• Will involve normal vendor product lifecycle management challenges (version upgrades, product road maps, custom feature sets)
Future State
Roadmap
1. Agree on definitions
2. Agree on SSO utopia future state
3. Agree on strategic authentication and authorization stores
– Example: LDAP for all external users?
– Example: AD for internal/employees?
4. Agree on initial SSO integration approach
– New project designs w/SSO after X date
– or retrofit N existing applications
– or “Major project Y and then …”
– or some other criteria???
Roadmap
• Evaluate/RFI/RFP vendor landscape
– Short list
• Example: CA, Oracle and IBM
• Consider Gartner “magic quadrant” and existing vendor relationships
• Vendor POC including “integration service” modeling
– Legacy/Project integration criteria
– FTE/staffing to support
• Production deployment
• Integrations!
Graphics blatantly stolen with approval from @jurgenappelo