The common challenge for all of us is keeping track of all our passwords and system identities, says Jackson Shaw, Quest Software.
I think all of us would agree that we use more “identities” (that is, user ID / password, or smartcard / PIN used to log into an application or system) in our jobs than ever before. As enterprises have become more complex, distributed and diverse, there has been a corresponding rise in the identities associated with any one individual. Gone are the days when we could get by with one identity for an all-encompassing client-server app, and another one for your local PC.
The common challenge for all of us is keeping track of all our passwords and system identities. Password security requirements have gotten more stringent, with minimum requirements on length, alpha, numeric and mixed case, change intervals. IT managers are struggling to manage this cost-effectively. How can we reduce the help desk costs associated with forgotten passwords? How can we get staff to avoid writing down their passwords on post-it notes? How can we secure, control and audit the passwords associated with privileged accounts?
These challenges led to the development of a variety of single sign-on solutions that essentially enable a user to enter a user ID and password once, and log on to multiple applications or systems. The industry has settled on Active Directory as the foundation – as the primary directory for over 75 percent of enterprises (according to Microsoft), it is logical to base single sign-on efforts around the user ID and password users use to log on to their Windows desktop each day.
Single sign-on (in all its forms) has become a mature technology that now holistically addresses virtually all aspects of the challenge – going way beyond the traditional password synchronization approach. Building on Active Directory there is a spectrum of single sign-on solutions now available:
- For Windows clients, servers and applications, single sign-on is a feature built into Windows. Many users do not realize that access and authentication to nearly every Microsoft application or system occurs transparently without having to re-enter credentials. In a Windows-only environment, you logon in the morning when you arrive at work and that's the last time you have to enter your credentials.
- For some non-Windows platforms and applications (such as SAP, Linux or Java applications), Active Directory can be extended to these systems, which is the best way to provide single sign-on seamlessly to end users.
- Lastly, for the rest of the applications that do not directly support Active Directory (such as some third-party applications and websites), a logon automation solution is needed. This solution should, once configured, automatically recognize the system being accessed and transparently look up and supply the credentials that system requires.
Now that blended single sign-on solutions, tailored to the needs of each organization, exist and are proven, the issue is now one of simple economics. When the operational, security and efficiency costs of having so many user IDs and passwords are measured, most enterprises will realize that the savings they can realize by eliminating these costs far outweighs the cost of investing in a single sign-on solution.
Jackson Shaw is the senior director of product management for Active Directory and Integration products at Quest Software. Mr. Shaw has more than 15 years of industry experience and was a key member of the identity and access management team for Windows Server at Microsoft Corp. Check out his Identity Management blog at: http://jacksonshaw.blogspot.com/