Posts tagged Security

Single Sign-On


The Information Technology (IT) Vocabulary Builder series aims to deliver a very concise summary of a currently relevant topic to Information Professionals.  It is done mostly by collecting a small number of highly relevant web links to save you the time of combing through search results yourself.  It differs from sites such as Wikipedia because it includes opinions, forecasts, and detractions in addition to just facts.


Today’s term is Single Sign-On.  This is how Wikipedia defines it:

“Single sign-on (SSO) is a property of access control of multiple, related, but independent software systems. With this property a user logs in once and gains access to all systems without being prompted to log in again at each of them. Single sign-off is the reverse property whereby a single action of signing out terminates access to multiple software systems.

As different applications and resources support different authentication mechanisms, single sign-on has to internally translate to and store different credentials compared to what is used for initial authentication.”

Essentially, it is the practice of setting up one very high-security fence for your users to cross.  Once they pass this tough security checkpoint, they have the ability to use all of the system resources without having to deal with another user-intrusive validation procedure.  If your information system is a castle, then the single sign-on is the main gate and the computing resources are all of the shops in the castle market inside the walls and moat.  The opposing model is one very similar to the Internet, where users are asked for differing usernames, passwords, and security tokens before they get access to individual pages, databases, and programs.

Single Sign-On protocols usually impose very hard security requirements to make sure that users are authenticated, validated, and properly approved for access at that one check.  Solutions usually involve some or all of the following:

  • Usernames
  • Strong passwords or Personal Identification Numbers (PINs)
  • Hardware Tokens
  • Random number generators
  • Digital certificates
  • Access Control Lists
  • Smart cards

Here are some of the reasons why one might be interested in instituting a single sign-on solution:

  • Users are more willing to be inconvenienced with complicated security protocols once and actually follow them.  This means that you can really come up with a high-powered “lock” and they will be willing to use it.  This prevents the “writing the password on a sticky note” problem as well as the one-password-for-many-places challenge.
  • Having a single repository and protocol for security services leaves fewer vulnerabilities due to software or hardware faults.
  • Troubleshooting of security processes is significantly simplified when only one system is in use.
  • Vendors can develop products for your system and invoke security as a service.
  • Disavowing a user is simplified for human resources because they only have to expunge them from one service instead of many.
  • You can use completely open source services to maximize forward-looking compatibility.
  • Alternatively, you can use completely proprietary systems to employ “security through obscurity” concepts and be comfortable that you can replace the entire single sign-on component at a future date if desired or required.

As you can see, there are potentially many reasons to consider a cross grade.

What are some of the disadvantages?

  • Complexity.  These solutions are rarely easy, simple, or straightforward.
  • Installation Expense.  Good solutions require investments in people, products, and training.  This is not the place to shortchange.
  • Recurring Expense.  If you choose solutions that require hardware tokens or third-party certificates, then you will be stuck purchasing them forever.
  • People.  If you only have one gate, then you had better make sure that your gate guards know what they are doing and how it works.  If you choose an obscure or complicated system, then you need to be ready to pay for the right people here.
  • Fault Tolerance.  If you have one gate and it gets stuck, then your entire system is out of commission.  You need to have back-up plans that don’t remove all of the security advantages of the Single Sign-On system by creating back doors.

Here are some of the best links on the subject that I found in my search of the web:

  • Wikipedia – Single Sign-On.  Contains a great pros and cons as well as resources section.
  • The Open Group – Single Sign-On.  Contains open source specifications, solutions, and white papers.
  • IBM – Build and implement a single sign-on solution. Industry best practices, Java implementation guide, and commercial products to achieve goals.
  • Novell – Secure Login Solutions.  Includes ROI calculators, product comparisons, implementation guides, and white papers.

I have used many Single Sign-On solutions.  Overall, I think that if you properly procure the solution after a formal process of defining your requirements, manning for success, and training your people, the benefits of these solutions far outweigh their costs.  I am a big proponent of their employment.

Hopefully, this introduction to the vocabulary word was valuable for you.  Considering all the options for optimizing knowledge management is a core competency of all Information Technology Professionals.

That is my Information Technology Thought of the Day (ITTOD) for February 11, 2010 by Scott Coughlin.

Image Credit: Positiv-it

News Commentary: Is There Any Truth in the Google Hacking Story?


On Sundays I offer comments on some of the most interesting information technology stories that I have found on the web that week.  Please feel free to join in the discussion or suggest other stories.


Wow, this was a tough week to be an Information Technology Professional and not get frustrated with the news coverage of the case of the Google Hackers.  Our industry and profession are hard enough to explain to laymen without every major news organization in the world pulling out their experts and telling them to dumb down their commentary until they are essentially nonsensical.  Seriously, I have not read a single news story on Google’s self-proclaimed hacking that made sense, added value to the Google press release, or did justice to the complexity of the problem.  Take a look at the following two stories from CNN.com and tell me that they don’t oversimplify the issue to boredom.

CNN.com – U.S. enables Chinese hacking of Google, by Bruce Schneier

“Google made headlines when it went public with the fact that Chinese hackers had penetrated some of its services, such as Gmail, in a politically motivated attempt at intelligence gathering. The news here isn’t that Chinese hackers engage in these activities or that their attempts are technically sophisticated — we knew that already — it’s that the U.S. government inadvertently aided the hackers.

In order to comply with government search warrants on user data, Google created a backdoor access system into Gmail accounts. This feature is what the Chinese hackers exploited to gain access.”

CNN.com – Clinton: Internet ‘information curtain’ is dropping

“In a speech on Internet freedom and security, Clinton also urged China to investigate a wave of cyber attacks against Google and other companies.

The Internet and other technologies are critical to foreign policy, and those who engage in cyber attacks should face international condemnation, she said.

"In an interconnected world, an attack on one nation’s networks can be an attack on all," she said at The Newseum in Washington.”

Don’t get me wrong… I appreciate the severity of this issue.  I consider it a responsibility of a government to protect the property of its citizens and companies from attack from foreign governments and entities.  What I dislike is that stories like this make it seem overly easy, simplistic, one-sided, and transparent.  Cyberspace is simply too new a domain for rules, laws, and expectations to be set.  Honestly, my heart goes out to the victims of the Haiti Earthquake, but as far as I can tell that was the story that booted this frustrating discussion to the back page and probably into oblivion as far as mainstream media is concerned.

We do need international treaties and laws that govern The Information Domain.  Cyber Space will not self regulate.  What we cannot do, however, is try to apply old thinking, geographic-based constraints, and over simplification to the challenges that are ahead of us.

What do you think about this topic?  Do you agree or disagree with me? Do you have a recommended news story for next week? Please share your ideas below.

That is my Information Technology Thought of the Day (ITTOD) for January 17, 2010  by Scott Coughlin.

Image Credit: The U.S. Department of Justice

The Odds of Getting a Computer Virus are Insane


It is high time that we, as Information Technology Professionals, did something permanently to stop the incredible problem of malicious computer infection.  Computer viruses, malware, trojan horses, and spyware are simply symptoms of an immature technology that must be innovated out.  I find it simply unacceptable that even though home PC processors operate in the gigaflops now, we cannot come up with a scheme to allow them to know self from “other” and thus self protect.


How bad is it?  What are the odds and cost of this horrendous problem? Take a read here:

In Consumer Reports’ 2008 State of the Net summary, the odds of contracting a serious computer virus problem are given to be 1 in 7, the yearly costs $2.9 billion. The odds of a serious spyware problem are 1 in 14, with a yearly cost of $3.6 billion. (Note that these figures are for both businesses and consumers.)  (source link from DefendingTheKingdom.com)

Stop for a second to put that in perspective… the odds of your property (your computer) doing something that you did not know about are 1 in 7!  Compare that to the odds below…

  • Odds of drowning in a bathtub: 685,000 to 1
  • Odds of being killed sometime in the next year in any sort of transportation accident: 77 to 1
  • Odds of being struck by lightning: 576,000 to 1
  • Odds of winning a straight up on a single number in roulette: 37 to 1
  • Odds of being audited by the IRS: 175 to 1
  • Odds of dating a supermodel: 88,000 to 1
  • Odds of winning an Academy Award: 11,500 to 1

Doesn’t it seem reasonable that it should be more likely to get audited by the IRS than to have your computer become a functioning part of an overseas crimebot?  Don’t you think that it would be nice if your chance of winning in roulette was better than the chance that your computer is recording your passwords via a keylogger?

I don’t know about you, but I am simply embarrassed for our profession that we have gone this long, knowing of the problem, and not taking anything more than band-aid steps to mitigate the threat.  This week, I will focus on some of the more promising paths ahead for this as well as some of the key people fighting the good fight!

What do you think about this topic?  Do you agree or disagree with me? Do you have a recommended news story for next week? Please share your ideas below.

That is my Information Technology Thought of the Day (ITTOD) for January 18, 2010  by Scott Coughlin.

Image Credit: GovGab

Odds Sources: Funny2.com, defendingthekingdom.com
