Single Sign-On Feasibility and Vendor Analysis
Client Business Issues:
Our client, a global investment bank, faced significant password-related problems as enterprise computing grew across varied hardware and operating system platforms, with individual users accessing applications and data on multiple hosts in local and wide area networks, and remotely from outside the enterprise network. Users had to remember a number of different IDs and passwords and different logon procedures, and which one to use where. They had to re-authenticate several times just to reach the business application they actually wanted to use, and often had to authenticate repeatedly throughout the day when moving from one application to another.
There was also the burden of administrative tasks such as adding new users, deleting those no longer with the company and revising the access rights of existing users as they moved from one job to another within the corporation. For the security administrator, setting up a new user meant enrolling them in several different security files or access control lists, often maintained by different units within the enterprise using completely different administration tools. Removing a user's access, or simply determining what access a given individual had, could require searching through several files or reports. Help desk operators were handling a growing number of calls from users who were confused about which ID and password to use where, or who had locked themselves out by trying to log on to one system with the ID and password for another.
These problems, together with the need for multiple, repetitive logons and authentications, had a severe effect on productivity. To alleviate them and improve the level of security within the firm, Investment Bank engaged Arc to evaluate the feasibility of deploying Single Sign-On (SSO) technology across its 20,000 end users globally.
Our Approach:
Arc Partners' study included the following:
SSO Definition: The Arc team clearly identified the scope of the initiative and the technology requirements. The primary purpose of SSO was to enable authorized users to perform one initial sign-on and then access a broad array of applications, data and network-based services, governed by a set of clearly defined administrative rules.
Value of SSO to the Client: A detailed cost/benefit analysis was conducted in order to make recommendations on the feasibility of implementing SSO at the investment bank. A global help desk and administration statistical study was conducted to measure the cost of the inefficiencies caused by password-related problems.
SSO Technology and Vendor Evaluation: Several interview sessions were conducted with each vendor in order to communicate the requirements and understand the technology behind the SSO products. The comparative vendor evaluation was summarized by scoring each vendor against each technology requirement. The detailed technology requirements were grouped into the following components:
- System Functionality — The system must be scalable, provide APIs, interface with third-party strong-authentication tokens and smart cards (e.g., SecurID) and offer replication for regional server distribution. Integration with native security systems (e.g., Windows NT and ACF2) and an easy to use yet powerful scripting facility are also required.
- Administrative Functionality — While the SSO module itself can eliminate the need for users to maintain multiple user IDs and passwords, an overall solution should also centralize the administrative function, so that adding, removing or re-assigning a user is done once rather than separately in each system's security file or access control list.
- Client Functionality — The selected solution should be as unobtrusive as possible. It must work within the native security environment while enhancing security and helping to increase user productivity. The SSO application must also provide a fail-safe that allows a user to continue accessing authorized applications through the native logon if the SSO system is ever unavailable, without weakening the authentication those applications already require.
- Technology Compliance — We rated vendor products on their ability to work with all of Investment Bank's mission-critical platforms and applications, operate in a free-seating environment (users are not tied to a particular workstation) and provide a standardized method for developing application security modules. We also examined each vendor's future development direction.
Recommendations: Based on the results of the vendor evaluation and the cost/benefit analysis, a final recommendation was communicated to the client.
Value Received By Client:
The report prepared by Arc was submitted to senior management for the final decision. Arc's detailed cost/benefit analysis, together with the comprehensive SSO technology evaluation, enabled the client to choose the vendor that would provide the best value.