Information Assurance
IT Quote of the Day: Jeff Moss
0I like Information Age quotations. I find some of them very inspirational and like to carry a new one around about every week. I thought that i could share mine with you from time to time.
Here is my quote of the day:
“Establishing dependable network security isn’t like following a recipe for brownies.] A lot of people think you can buy a firewall, install it, and be done with it, … have the person who knows the most [about computers] read the manual and do the job.”
- Jeff Moss
Jeff Moss is the founder of the Black Hat and DEF CON computer hacker conferences. You can learn more about our quote source at Wikipedia.
So how do you think that this relates to Information Technology? How do you think that it could be important to Information Technology Professionals?
Do you like quotations? Do you collect them, too? What did you think of when you read this one? Do you agree or disagree with it? Please comment below.
That is my Information Technology Thought of the Day (ITTOD) for February 22, 2010 by Scott Coughlin.
Image credit: Fox News
Quote Source: thinkexist.com
Single Sign-On
0The Information Technology (IT) Vocabulary Builder series aims to deliver a very concise summary of a currently relevant topic to Information Professionals. It is done mostly by collecting a small number of highly relevant web links to save you the time of combing through search results yourself. It differs from sites such as Wikipedia because it includes opinions, forecasts, and detractions in addition to just facts.
Today’s term is Single Sign-On. This is how Wikipedia defines the it:
“Single sign-on (SSO) is a property of access control of multiple, related, but independent software systems. With this property a user logs in once and gains access to all systems without being prompted to log in again at each of them. Single sign-off is the reverse property whereby a single action of signing out terminates access to multiple software systems.
As different applications and resources support different authentication mechanisms, single sign-on has to internally translate to and store different credentials compared to what is used for initial authentication.”
Essentially, it is the practice of setting up one, very-high security fence for your users to cross. Once they pass this tough security check-point, then they have ability to use all of the system resources without having to deal with another user-intrusive validation procedure. If your information system is a castle, then the single sign-on is the main gate and the computing resources are all of the shops in the castle market that is inside the walls and moat. The opposing model is one, very similar to the Internet, where users get asked for differing usernames, passwords, and security tokens before they get access to individual pages, databases, and programs.
Single Sign-On protocols usually invoke very hard security requirements to make sure that users are authenticated, validated, and properly approved for access at that once check. Solutions usually involve some or all of the following:
- Usernames
- Strong passwords or Personal Identification Numbers (PINs)
- Hardware Tokens
- Random number generators
- Digital certificates
- Access Control Lists
- Smart cards
Here are some of the reasons why one might be interested in instituting a single sign-on solution:
- Users are more willing to be inconvenienced with complicated security protocols once and actually follow them. This means that you can really come up with a high-powered “lock” and they will be willing to use it. This prevents the “writing the password on a sticky” problem as well as the one password for many places challenge.
- Having a single repository protocol for security services permits less vulnerabilities due to software or hardware faults.
- Troubleshooting of security processes is significantly simplified when only one system is in use.
- Vendors can develop products for your system and evoke security as a service.
- Disavowing a user is simplified for human resources because they only have to expunge them from one service vice many.
- You can use completely open source services to maximize forward looking compatibility.
- Alternatively, you can use completely proprietary systems to employ “security through obscurity” concepts and be comfortable that you can replace the entire single-sign on component at a future date if desired or required.
As you can see there are potentially many reasons to consider a cross grade.
What are some of the disadvantages?
- Complexity. These solutions are rarely easy, simple, or straight forward.
- Installation Expense. Good solutions require investments in people, products, and training. This is not the place to short change.
- Recurring Expense. If you choose solutions that require hardware tokens or third-party certificates, then you will be stuck purchasing them forever.
- People. If you only have one gate, then you had better make sure that your gate guards know what they are doing and how it works. If you choose an obscure or complicated system then you need to be ready to pay for the right people here.
- Fault Tolerance. If you have one gate and it gets stuck up then you entire system is out of commission. You need to have back-up plans that don’t remove all of the security advantages of the Single Sign-On system by creating back doors.
Here are some of the best links on the subject that I found in my search of the web:
- Wikipedia – Single Sign-On. Contains a great pros and cons as well as resources section.
- The Open Group – Single Sign-On. Contains open source specifications, solutions, and white papers.
- IBM – Build and implement a single sign-on solution. Industry best practices, Java implementation guide, and commercial products to achieve goals.
- Novell – Secure Login Solutions. Includes ROI calculators, product comparisons, implementation guides, and white papers.
I have used many Single Sign-On solutions. Overall, I think that if you properly procure the solution after a formal process of defining your requirements, manning for success, and training your people the benefits of these solutions far outweigh their costs. I am a big proponent of their employment.
Hopefully, this introduction to the vocabulary word was valuable for you. Considering all the options for optimizing knowledge management is a core competency of all Information Technology Professionals.
That is my Information Technology Thought of the Day (ITTOD) for February 11, 2010 by Scott Coughlin.
Image Credit: Positiv-it
Cyber Security Statistics
2Finding good sources of computer security statistics is always a challenge. It was recently pointed out to me that Entrepreneur Magazine has a very good running collection of some good ones along with their sources.
I recommend that you give them a read.
Here are some examples that they have:
From my experience, their set is a great starting point for corporate training, fact support to internal documents, and general knowledge upgrading. I believe every one of their stats and think that most of the “how bad is it” ones are only getting worse since they last updated.
I am sure that you have favorite or known sources of other computer security statistics. Please share them via the comments section below.
Special thanks to Entrepreneur Magazine for putting together and maintaining this valuable resource for all Information Technology Professionals.
That is my Information Technology Thought of the Day (ITTOD) for February 23, 2010 by Scott Coughlin.
Image credit: Guelph-Wellington Seniors Association