Computer science gradauate Thesis

profilesaki1434
CISC_699FinalPaper_Last-ST21.pdf

1

Authentication and Authorization in Identity Management and Single Sign

On

Submitted to Harrisburg University of Science and Technology as a fulfillment of

the Requirements for the Master of Science degree in Cyber Security

By

Ujjwal Joshi

[email protected]

Supervised By

Sangwhan Cha

[email protected]

2

Table of Contents

Abstract……………………………………………………………………………………....3

Chapter 1……………………………………………………………………………………..4

1.1 Introduction………………………………………………………………………4

1.2 Problem Statement and Justification……………………………………………..7

Chapter 2……………………………………………………………………………………10

Chapter 3……………………………………………………………………………………16

3.1 Introduction…………………………………………………………………….16

3.2 Research Approach……………………………………………………………..17

3.3 Research Design………………………………………………………………..18

3.4 Data and Rubrics Collection…………………………………………………....21

3.5 Population and Sampling……………………………………………………….23

Chapter 4…………………………………………………………………………………....25

4.1 Findings………………………………………………………………………....25

4.2 Benefits provided by IAM and SSO…………………………………………….30

4.3 Challenges Faced by IAM and SSO solutions………………………………….33

4.4 Best Practices to Follow………………………………………………………...34

Chapter 5…………………………………………………………………………………....35

References…………………………………………………………………………………..38

Appendix A………………………………………………………………………………….40

3

Abstract

Identity and Access Management (IAM) and Single Sign on (SSO) are two security concepts that

are related to each other. IAM governs the user access in an organization whereas SSO facilitates

the user by authenticating to one centralized application and not having to re-authenticate when

trying to access other applications. This paper addresses the different benefits that an IAM and

SSO tool can provide to reduce the security risk within an organization. Since, authentication and

authorization is one of the major concerns in the cyber security, this paper analyzes common

problems that are faced during authentication and authorization. In this paper we have also

analyzed prior researches that have been done in the IAM and SSO space along with conducting

a survey to understand the different issues and benefits of IAM and SSO. From the survey that

has been conducted for this paper, we have addressed different issues when implementing IAM

and SSO solutions along with understanding the architecture, in which these solutions have been

deployed into. The surveys conducted have been compared with prior researches done in IAM

and SSO space to understand the benefits that the solution provides. The results from the survey

have been analyzed to provide the best practices when implementing IAM and SSO solutions

along with the benefits provided by the solution. Future work related to this research, we can

look into IAM and SSO practice more in depth from different risk management aspect and cyber

security vulnerabilities that can exist while using IAM and SSO solutions.

4

Chapter 1

1.1 Introduction

Identity Management also commonly known Identity and Access Management (IAM) refers to

the set of processes that can be applied to grant right access to the right people within any

corporate enterprise environment (Manguic, 2012). Businesses today, implement IAM solutions

so that it provides them with the framework that can manage user IDs and passwords along with

solving problems related to the challenges associated with managing accesses and permissions of

multiple user IDs (Peterson, Smedegaard, Heninger, & Romney, 2008). IAM solutions also

provide different auditing capabilities that enable the managers and higher officials within

organization to keep track of the different accesses that their employees have (Peterson,

Smedegaard, Heninger, & Romney, 2008). A terminated employee still having access to the

organization resources can cause certain damage to the organization so having an IAM system

can reduce the risk associated while manually removing or adding users to different systems.

Today, architectures within an organization can be categorized based on whether their

applications are deployed in the cloud or within their own network also known as on-premises

(Manguic, 2012). This increases the complexity of managing users and granting accesses to them

due to increased privacy and security risk (Nunez & Agudo, 2014). Although IAM systems can

remove and create access, the user still needs to enter their user name and password to access the

systems that they were provisioned to by the identity management systems. Remembering

passwords and usernames can lead to issues where the user can forget their credentials or lose

their credentials for certain system, which might fall into the hands of an intruder. Single Sign

On (SSO) provides a better functionality for managing authentication and authorizations to

applications, by not having the user re-enter the credential every time they need to login

5

(Catuogno & Galdi, 2014). SSO provides a single source of authentication mechanism which

provides the user a single platform to enter their credentials to access different applications and

also discourages the need to maintain multiple credentials to access different systems (Lewis &

Lewis, 2009).IAM and SSO solutions provide a secure way for businesses to manage and

authenticate their users. This research explores the authentication and authorization mechanism

that IAM and SSO provides with the view of providing better security while implementing these

solutions. The research also explores the different models of architectures that an enterprise

environment can have to recommend the best practices that can be followed while implementing

IAM and SSO solutions.

Security is one of the major concerns that an organization faces today, as risk from cyber-attacks

can damage an organization (Andre, 2017). As business today are growing bigger and faster than

anticipated, they are looking for new technologies that can provide a simplified solution for them

to manage their user’s accesses and resources. A user within an organization needs to have the

right set of access to do their work and manually managing user accesses is not a suitable

practice for an organization since there can be gaps such as assigning wrong or incorrect

accesses(Manguic, 2012). Also manually adding and removing accesses can lead to issues such

as forgetting to remove accesses when users leave organization or adding accesses when users

join organization.

Since authentication and authorization are one of the major components of IAM and SSO, the

need to provide access and manage user authentication are highly in demand. Corporate

environments today are complex because they have users and data scattered in different

applications and servers. So there is always a need to manage users efficiently so that the

organization is less vulnerable to intrusions and outside attacks. This topic is also worth

6

investigating because most organizations today need the security knowledge that can help them

to investigate the security solutions that are available. Business always makes mistakes by

believing the vendors or service providers rather than understanding their own infrastructure for

their security purposes.

7

1.2. Problem Statement and Justification

Lack of security knowledge and security principles are one of the common problems that

organizations face today. By tradition software applications within an organization were

supposed to be deployed within the organization boundaries (Manguic, 2012). However, today

an organization cannot restrict itself to the traditional views and are deploying applications

outside an organization boundary. Any application that is outside the organization boundary is

not within the organization trusts zones and organizations do not have complete control over it.

Since some applications are within the organization boundary and some are maintained by

service providers, the complexity to sync users between application increases. As technologies

are rapidly changing today, IAM is gaining a popular momentum as it is one of the key

components when managing users on applications deployed within organization boundaries and

outside organizations boundaries (Nunez & Agudo, 2014).The problem still lies on how business

and organizations can securely manage users and their credentials for applications that are inside

the organization and outside the organization boundaries. Since service provider’s applications

are managed by service provider’s resources and application within organization boundaries are

managed by organizational resources, manually adding the users and creating credentials can

lead to gaps where the user may not have the right access. The complexity also increases when

users try to access service provider’s applications with different credentials which can lead to

forgetting or losing passwords. Such complex situations can be managed by using SSO for

authentication and authorization along with IAM for managing user accesses. However, not all

the SSO and IAM may be feasible for an organizations. Depending of the complexity of the

organization infrastructure there is a need to do research which provides guidelines to business

8

so that they know the check and balances that is required when implementing IAM and SSO

solutions.

In this research we will evaluate different criteria that an organization can have from the

infrastructure and architecture perspective. The architecture will depend on the number of

applications that are hosted within and outside the organizational boundaries. The infrastructure

will be based on the number of employees that an organization has and the different kinds of

policies that is applicable to each employee. We will than categorize the organization on the

basis of architecture and infrastructure that the organization has. Depending on the categories

that the organization fits into we will analyze the different process that an organization can

undergo to select the suitable IAM and SSO solutions. We will also provide the guidelines on

some of the best practices that the organization can follow to implement those solutions.

However, this research will not recommend any solution that exists in the market today but

provide more of a guideline that the organization needs to take into consideration while

implementing IAM and SSO solutions.

Research Questions

➢ Analyzing the role SSO and its importance in identity authentication and authorization

➢ Studying different ways SSO can be implemented in today’s cyber security space and

predicting which SSO standards are better and in what situations

➢ How cloud infrastructures are functioning with SSO authentication standards and what

would it look like without SSO authentication standards?

➢ Is SSO a must for business to decrease their security risk?

➢ Analyzing the challenges faced by organizations while using SSO and IAM solutions.

9

➢ Risk and challenges of identity management in organizations and importance of

authentication and authorization

10

Chapter 2

Literature Review

Authentication and authorization are one of the mechanisms used in computer security to

validate if the user has the right credentials and permission to access a system. However

authenticating and authorization also known as identification, is one of the common problems in

the area of computer security (Catuogno & Galdi, 2014). Although many researches have been

done to improve the authentication standards, passwords is still common authentication

mechanism (Catuogno & Galdi, 2014). Using passwords as an authentication mechanism

increases complexity in an enterprise environment since forgetting passwords from time and

again can lead to inefficiency while accessing systems. Organizations today, are also demanding

systems that helps them manage users so that end users can manage their private information

more efficiently (Tormo, Millán, & Pérez, 2012). Identity management is one of the key

components of an organization since it plays an important role in authentication and

authorization (Nunez & Agudo, 2014). Identity management refers to the process of managing

identities so that each identity has the right set of accesses that is needed for them to do the

required work in an enterprise environment (Manguic, 2012). Identity management consists of

four major modules which are Authentication, Authorization, User Management and Central

User Repository (Manguic, 2012). The authentication module deals with validating user

credentials where the user can authenticate themselves by providing username and password or

through other different authentication mechanism such a Kerberos, SAML and so on(Manguic,

2012). The authorization modules provide the functionality of validating a user access to

different systems. The user access can range from the group of permissions or roles that a user

has to access the system (Manguic, 2012). The user management module provides functionality

11

such as provisioning and de-provisioning of users, life cycle management to manage the user

accesses, when the user joins the company till the time the user leaves the company. The central

repository module delivers a one stop place for reviewing users and different access they carry

along with different systems that IAM is integrated to and reading information from different

other managed systems (Manguic, 2012).The proper deployment of the four modules of identity

management can result in building robust enterprise environment where processes can be

automated and limited manual intervention is required.

An enterprise environment today, is not just restricted to application deployed within a particular

network, but also includes various other applications on different vendor systems. Enterprises

now are also moving their resources to cloud and are exploring the different cloud models. There

are three cloud concepts which are gaining popularity such as Software as a Service (SaaS),

Platform as a Service (PaaS), and Infrastructure as a Service (IaaS) (Alston). The concept of

SaaS, PaaS and IaaS has also changed the way different authorization and authentication

mechanism worked. The mechanism to store identities across different systems using SaaS, PaaS

and IaaS is also known as federated identity management (Catuogno & Galdi, 2014). With cloud

based applications and the need to access applications anywhere at any time has brought in

changes in the traditional authentication mechanism and developed different standards that are

also known as SSO standards. However enterprise still use username and passwords as a

common authentication mechanism and these can lead to certain problems. In password based

authentication the user passes in a username and password to prove they have the right

credentials to access the system. So every time a user needs to access a system they need to enter

the password. The use of password based authentication and classical authorization techniques

are described below

12

➢ Alpha numeric passwords are used which sometimes can be easy to guess so an

unauthorized user may also access the system (Catuogno & Galdi, 2014).

➢ Since different system may have different passwords the user has to memorize all the

password or maintain a list somewhere else which can be stolen or lost

➢ Some system with password based authentication allows grammars in passwords which

provides a way for attacks like dictionary attacks (Catuogno & Galdi, 2014)

➢ Two factor authentications can be a better approach but not all the systems follow two

factor authentication.

➢ Once the user is able to authenticate the next process that happens is authorization which

allows the user to access certain resources in the system.

➢ The authorization techniques for classical system are assigning permissions directly

which is difficult to manage (Catuogno & Galdi, 2014).

➢ RBAC (Role Based Access Control) is one of the mechanisms used in various systems to

grant access to users for authorization (Catuogno & Galdi, 2014).

➢ The RBAC solves the issues with permissions since permissions are assigned within the

roles and roles are assigned to the users (Catuogno & Galdi, 2014). This reduces

management risk since they only need to be aware of the roles that the user has.

SSO provides enterprises with a mechanism to authenticate and authorize users with a single

password. Once the user logs into one system and authentication happens the users does not need

to login again to access other applications (Catuogno & Galdi, 2014). This prevents user from

having to remember multiple passwords for different applications. However, since there are

many different standards that provide single sign on for users, there is a need to understand and

13

analyze how different single sign on systems works and suits for a particular enterprise

environment. (Catuogno & Galdi, 2014)

Today, there are different SSO and IAM solutions that are available in the market. Organizations

need to understand how these solutions work for them based on their architecture and

infrastructures design. Some of the commonly used identity management systems that exist

today are Sailpoint IdentityIQ, Oracle Identity Manager, RSA lifecycle and governance and so

on. SSO tools that exist today are Okta, IdentityNow which have the capability of creating and

removing users and also providing single sign on for the enterprise users. Rather than focusing

on the tools that exists, it is necessary for the organization to understand the protocols that these

tools use and choose the right one that fits their organization. Some of the protocols that are

widely use and accepted are OAUTH, OpenID, and SAML etc.

Organizations today have also started a centralized authentication mechanism where the user

does not have to remember their entire password and maintain a sticky note or list, attached to

their computer (Lewis & Lewis, 2009). This authentication mechanism when configured

properly provides security where users do not have to worry about maintaining sticky note of all

their passwords to access different systems (Lewis & Lewis, 2009). To attain a centralized

authentication mechanism different standard can be followed and one such standard is Security

Assertion Markup Language (SAML) which uses Extensible Markup Language (XML) based

solution for exchanging information between service providers (Lewis & Lewis, 2009). Another

authentication mechanism that can be used is OpenID where an OpenID provider acts as an

authentication provider to authenticate relying parties (Hsu, Chen, & Machiraju, 2011). SSO

systems such as SAML, OpenID are the first step in reducing the problem of using different

password to log in different systems (Catuogno & Galdi, 2014). Aside from SAML and OpenID

14

another SSO standard that is quite popular is Kerberos authentication. Kerberos provides single

sign on through the generation of tickets (Pérez-Méndez, Pereñíguez-García, Marín-López, &

López-Millán, 2012). These systems are also known as federated authentication standards and

are used to authenticate users across different platform (Shitamichi & Sasaki, 2014).SSO

protocols like SAML, OAUTH and OpenID replaces traditional authentication by using a single

source of authentication at the identity provider (IdP) (Mainka, Christian; Mladenov, Vladislav;

Schwenk, Jörg). However, each of these protocols also has their own advantages and

disadvantages and based on the literature review there are different ways to attack these single

sign on protocols. One of the attack that is possible which using SAML based single sign on is

by constructing a false SAML token (Krawczyk). Since SAML uses xml to authenticate the users

the attackers can modify the xml to attack the system. One of the major concerns for

organization today is how to remediate certain attacks that can occur within the organization. No

systems today are free from attacks by attackers despite of the fact whether the organization is

using identity management and single sign on solutions. Knowing and having information about

different attacks can help organization to plan ahead to prevent those attacks. Some of the

vulnerabilities and ways that an attacker can attack an organization involve:

➢ Injecting malicious endpoints: In this attack the attacker creates a malicious end which is

used to force the user to enter their user name and password so that the attacker can

retrieve the username and password. Once the credentials are retrieved the attacker uses

the known credential to authenticate themselves (Mainka, Christian; Mladenov,

Vladislav; Schwenk, Jörg).

➢ Redirect Attack: In this attack the attacker learns about the user credentials when the

identity provider redirects that user by using wrong redirection code.(Fett, Küsters, &

15

Schmitz, 2016). This is possible since neither OAUTH nor OpenID connect specify how

the redirection works (Fett, Küsters, & Schmitz, 2016).

➢ IdP Mix up Attack: In this attack the attacker confuses the resource provider about the

identity provider that the user chooses at the beginning of authorization or authentication

process to impersonate as the user to access the data (Fett, Küsters, & Schmitz, 2016).

➢ State Leak Attack: In this attack the attacker forces the browser to be logged under the

attacker name at the resource provider (Fett, Küsters, & Schmitz, 2016). This attack is

also called session swapping since it breaks the session integrity property (Fett, Küsters,

& Schmitz, 2016).

One of the challenges that many organizations face today is to understand how single sign on

works and the best practices to follow while implementing any single sign on protocols. Since

most of the organizations are moving their application to cloud and each application are

supported by different vendors the traditional authentication mechanism is not suitable. Also

since not every system is threat proof and analysis needs to be done when using different

authentication and authorization protocols. The literature and journals available does point out

the different standards available for single sign on but does not take initiative on predicting how

one relates in terms to other. Also understanding how authorization and authentication works

with single sign is one of the major concerns that will be reviewed in this paper. The literature

review provides information regarding different SSO standards such as SAML, Kerberos, and

OpenID but analyzing how authentication and authorization works with the SSO standards is one

of the major aspects that needs to be researched more on.

16

Chapter 3

Methodology

3.1. Introduction

This chapter focuses on the nature of the methodology used and the nature of the research carried

out for studying the topic. One of the major reasons for studying the topic is to study how

Identity Management and Single Sign On have been able to reduce the cyber security risk that

are associated to different organizations. As organizations are growing faster and bigger there is

always a need to be able to grant the right access to the right set of users for a given period of

time. Different tools associated to Single Sign On and Identity Management is believed to help

organizations with their issue for managing their users and their credentials. Before describing

the methodology used for the research it is important to understand the problem that persists

within different organization that the research topic is able to solve. Some of the objectives of

this paper are:

➢ Study of challenges faced with SSO and IAM solutions within an enterprise environment.

➢ Study the number of resources that are allocated for SSO and IAM

➢ Analyze the complexities that can persists within the SSO and IAM infrastructure

➢ Analyze the importance of IAM and SSO in the cyber security space for business to

protect their environment.

➢ Different SSO mechanism and how each one compares to another when used within an

enterprise environment.

17

➢ Determine the best practices that can be used with authentication, authorization, single

sign on and identity management to mitigate risk and provide better security.

The objectives described above are analyzed to study the relation between IAM, SSO and its

involvement in decreasing the cyber security risk.

3.2. Research Approach

In order to understand the challenges faced by different organizations while implementing IAM

and SSO solutions it is necessary to interact, understand and analyze the insights of people

working in that platform. Proceeding further, reviewing previous researches done in IAM and

SSO provides great insights into the data gathering method and analysis. The research will use

qualitative method for data gathering. Qualitative method of data gathering involves individual

interviews, observations and research. This research will conduct interviews in phone and

through online survey with the IAM and SSO resources that are working with different

organizations. The research screening is not only limited to a particular organization within a

certain region but will cover different regions and organizations inside United States. Aside from

interviews we will also review different researches that have been done prior to this research and

analyze the results and outcomes of those researches. The interviews to be conducted will be

focused more on organizations that have recently implemented IAM solutions and SSO

solutions. The interview methods will also look at organizations that are recently planning to

implement some form of SSO and IAM solutions since those interviews can provide more

insights into the challenges that the organization had to go through in picking the right solution.

Since interviews are the primary source of data for the proposed research, the interviews will

help us to build recommendations and guidelines that can be followed while implementing

18

identity management and single sign on solutions. The interview questions are to be more

focused on the steps that were taken before finalizing the IAM and SSO solutions and the

challenges faced with those solutions. We tend to use these questions to analyze the different

circumstances within the organization prior to building the recommendations. The interviews to

be conducted will also have questions that are related to the architecture and infrastructure of the

organization and the effectiveness of IAM and SSO solutions to provide enterprise security. The

response received from interviews is than compared with the different concepts and researches

that have been done prior to this research. Different concepts regarding SSO and IAM are also

explored by reviewing journal articles, books and prior researches to build a foundation on the

existing solutions. The research will also do a comparative study on the prior researches to fill in

the gaps that has not yet been covered. The interviews related to the research have questions

related to the impact of SSO and IAM in risk management. The risk management section of the

questionnaire will be directed towards understanding how SSO and IAM solutions helped in

mitigating risk and vulnerabilities within an enterprise environment.

3.3. Research Design

Interviews are the primary source of data for this research topic. The interviews questions are

designed to help us understand how IAM and SSO solutions are functioning within an

organization. The questions presented are within the understanding of people working in

different IAM and SSO solutions or people who have some cyber security knowledge. The

research questions are designed to understand the different systems of environment an

organization has, different SSO protocols used, examine the IAM and SSO concepts within the

cyber security space, number of resources that organization has for IAM and SSO and

understand the easiness or efficiency provided by using different IAM and SSO solutions. Visual

19

representation of the data collected and gathered is presented in Chapter 4 to analyze and

understand the feedback from the questionnaire.

In this research we classify the data collected into three different architecture models that an

organization can have. The models are based on the different applications and users that the

organization has. The models are categorized as small, medium and big and analysis is done

projecting the different models and evaluating the differences that each model has in compared

to another.

The result obtained from data gathering and reviewing different articles is reviewed to

understand the impact and various factors that are involved within an organization. It is expected

that the research methodology used above will provide us with the information that is needed to

understand the organizations limits and their issues in following the best practices that are

required. The result obtained from the research is used to build a set of best practices that is

needed for any organization while implementing IAM and SSO solutions in cyber security space.

This research paper evaluates how IAM and SSO solutions can help to mitigate risk in an

enterprise environment when best practices are followed.

20

Figure 1: Research Design Flow Diagram

Research

Objectives

Identifying Important

Factors and Criteria

Reviewing

existing

Literatures and

theories

Assumptions and

Theories

Collecting relevant

information and

discarding

irrelevant

information

Analysis and

Documentation Conducting

Interviews

and Surveys

Research

Questions

21

3.4. Data Rubrics Classification

The data rubrics classification is used to classify organization based on the users, applications,

size of the team that an organization has. The recommended practices to be followed can vary

based on each organization architecture and model.

3.4.1 Architecture Design Model

The organization architecture is based on small, medium and big based on the number of users

that the organization has

Small

• Number of users less than 10000

• Number of applications less than 50

Medium

• Number of users less than 25000 and more than 10000

• Number of application less than 150 and more than 50

Big

• Number of users more than 25000

• Number of applications more than 150

22

Size of IAM and SSO team (Team Classification)

The team classification is based on the number of employees and contractors that are directly and

indirectly involved in IAM. Indirectly involvement may include employee and contractors that

are aware of the IAM system and need to coordinate with the IAM team for different

enhancements that needs to be done.

Small

• Less than 5 employees and Contractors directly involved in IAM and SSO

• Less than 10 employees involved indirectly involved in IAM and SSO

Medium

• More than 5 and less than 10 employees and contractors involved in IAM and SSO

• Less than 20 and more than 10 employees and contractors indirectly involved in IAM and

SSO

Big

• More than 10 employees and contractors involved in IAM and SSO

• More than 20 employees indirectly involved in IAM and SSO

Complexities with IAM and SSO solutions

5 The system is reliable

4 The system has issues but has helped organization to function better

3 The system is fairly designed and has space of improvement

23

2 The system is poorly designed but can be improved

1 The system is not reliable and needs to be replaced

3.5. Population and Sampling

The data is collected based on the questionnaire that is provided on Appendix A and evaluated

based on the data rubrics classification mentioned in the previous section. The data analysis

process is as described below

• Understand the current architecture of the organizations surveyed and classify them based

on the classification rubrics

• Analyze the problems and issues that can be potentially faced by different organization

who have implemented IAM and SSO solutions

• Analyze the security issues reduced with IAM and SSO solutions

• Analyze the recommended practices that can be followed with IAM and SSO solutions

through survey and prior researches

• Compare and contrast the feedback from the survey and other past researches that has

been done

• Build set of recommended practices based on the survey or prior researches

24

User Population Sampling

The interview process involves 20 different people who are working in IAM and SSO and the

analysis is based on their feedback and literature reviews. The user population consists of

different people with different background on IAM and SSO.

25

Chapter 4

4.1. Findings

The findings are based on the survey that was conducted with 20 participants that are working in

the IAM and SSO security space. The findings presented below has been analyzed and compared

with prior researches to reflect IAM and SSO practices that are being followed. The findings also

looks at the complexity involved with IAM and SSO solutions and the role they play in

mitigating security risk.

4.1.1. Organization size and Architecture

Based on the survey conducted it can be concluded that most of the organizations that were

surveyed had more than 10000 user that was needed to be managed by SSO and IAM solutions

26

Figure 1: Users currently working within the Organization

Figure 2: Applications currently supported within the Infrastructure

Less than 10000 More than 10000 and Less than 25000

More than 25000

27.00%

28.00%

29.00%

30.00%

31.00%

32.00%

33.00%

34.00%

35.00%

36.00%

How many users are currently working within the organization?

Responses

Less than 50 More than 50 and Less than 150

More than 150

0.00%

5.00%

10.00%

15.00%

20.00%

25.00%

30.00%

35.00%

40.00%

45.00%

How many applications are currently supported within the infrastructure?

Responses

27

Figure 1 and Figure 2 describes the numbers of users and applications currently managed or

needed to be managed by SSO and IAM solutions. Based on this result it can be predicted that

the survey data fall under the medium or big tier.

4.1.2 Compliance and Auditing Policies

Compliance and Auditing can be described as one of the major reasons that require organization

to purchase IAM and SSO solutions. The compliance and auditing policies may differ based on

the different domain that the organization is associated with, however the two most popular of

those are SOX and HIPAA (Heino, 2011). Based on the survey gathered majority of the

respondents agreed that the organization has some compliance and auditing policies that they

need to follow. The figure below shows the responses from the participants that were involved in

the survey.

28

Figure 3: Compliance and Auditing Policies Enforced

4.1.3 Complexity

Figure 4: Already having IAM and SSO in place.

Yes No

0.00%

10.00%

20.00%

30.00%

40.00%

50.00%

60.00%

70.00%

80.00%

90.00%

100.00%

Is there currently any compliance or auditing policies that the organizations

need to follow?

Responses

Yes No

0.00%

10.00%

20.00%

30.00%

40.00%

50.00%

60.00%

70.00%

80.00%

90.00%

100.00%

Does the organization already have an Identity and Access Management and

Single Sign On tools in place?

Responses

29

Based on figure 4 most of the respondents responded with already having an IAM and SSO

solution in place. So based on this data finding it can be argued that the responses provided to

other questions in the survey are more inclined with organizations that have implemented IAM

and SSO.

The data gathered from the survey also identifies that organizations had reviewed the IAM and

SSO solutions before implementing them. The bar graph below shows that most of the

respondents responded with the organizations efficiently studying or analyzing the IAM and SSO

solutions prior to implementation.

Figure 5: Review of IAM and SSO solutions

Some of the other restriction that were related with the IAM and SSO solutions are shown in the

figure below

Efficiently Well Versed Not At all

0.00%

10.00%

20.00%

30.00%

40.00%

50.00%

60.00%

70.00%

How efficiently the IAM and SSO tools were studied before implementing them?

Responses

30

Figure 6: Restrictions with the Tools

The figure above defines some of the restriction that is there when using the IAM and SSO tools.

Some of the restrictions that are there with the tool are mentioned below from top to bottom

according to the data collected are as below:

1. More customization needed with the tool

2. Provisioning capabilities are limited

3. Compliance and Auditing capabilities not as needed by the organization

Compliance and Auditing capabilities not

as needed by the organization

Provisioning capabilities are limited

More customization needed within the tool

0.00%

10.00%

20.00%

30.00%

40.00%

50.00%

60.00%

70.00%

What are some of the restriction that comes with the tools?

Responses

31

4.2 Benefits provided By SSO and IAM solutions

According to the survey conducted and by reviewing the prior researches that have been done in

IAM and SSO, we define the different benefits that are provided by Single Sign On and Identity

and access management solutions.

4.2.1 Security

One of the major benefits that a SSO and IAM solution are able to provide is the extra layer of

security that it adds to the existing infrastructure. IAM solutions ensures that each user in the

organization has the right access to do their work so it decreases the risk of employees having

more access than that is needed for them. SSO ensures that user do not have to remember their

authentication credentials for every applications that they need to login in. Removing the

necessity of having to remember multiple credentials also reduces the risk of being easily

targeted by losing their credentials to the intruders. SSO protocols make it tougher for attackers

to easily extract credentials that are caused by server-side vulnerabilities and trying to trick the

system to access a particular application which are managed by SSO solutions (Alaca, Oorschot,

& C., 2018).

4.2.2 Privacy

An SSO solution also helps to maintain privacy within an organization, since employees do not

have to re-enter their credentials for every applications. Also SSO authentications techniques

such as SAML and OAuth depends upon Identity Provider(Idp) and Service Provider (SP) for

authentication mechanism the Idp does not have knowledge about the SP that the user is

authenticating to which is also known as private browsing (Alaca, Oorschot, & C., 2018).

32

4.2.3 Automation

IAM and SSO solutions are able to provision users to other application without manual

intervention or little manual intervention. This functionality helps organization to automate

different provisioning, compliance and auditing activities that are needed which helps

organizations to grant and remove employees’ access faster and with reliability. An organization

not using IAM and SSO solutions will need to rely on manual resources for provisioning,

compliance and auditing activities which takes more time and effort.

4.2.4 Regulatory Compliance

Organizations within the United States are required to perform compliance activities based on

the domain that they operate within (Heino, 2011).The Sarbanes-Oxley (SOX) and Health

Insurance Portability and Accountability (HIPAA) act are among the most popular act that

organizations need to abide by. According to Sarbanes-Oxley act of 2002, the SOX act protects

the interest of the investors and general public by diminishing fraudulent practices with the

enterprise and improving the accuracy of the disclosures. The SOX act applies to all the

organizations in US and the organizations are required to comply with the SOX (Heino, 2011).

The HIPAA act which provides data privacy and security within the health and medical domain.

One of the major reasons of using IAM solutions at least in USA is also because of the Sarbox or

SOX and HIPAA since organizations need to comply with that act (Heino, 2011).

4.2.5 B2B Collaboration

Most of the organizations today do not work alone but rather collaborate with other organizations

as partners. This brings in the need for IT systems in one organization to collaborate with other

organizations IT systems (Bazaz & Khalique, 2016). Collaboration with other organization needs

33

resources of one organization to be able to access the systems available in other organizations.

For this particular reason an employee within a particular intranet of one organization needs to

access applications that are in a different intranet. An SSO and IAM tool makes this possible by

centralizing their authentication and authorization mechanism and allowing their users login

once and be able to access shared resources across multiple organizations (Bazaz & Khalique,

2016)

4.2.6 Simple Administration

Having a centralized system makes it possible for enterprises to have a single source where

different access that the user has can be defined (Bazaz & Khalique, 2016)The IAM and SSO

solutions provide interactive UI which makes it possible to be a one stop shop to view all the

users and their accesses. The ease of being able to navigate through different users and

revoke/remove certain access that the user should not be having provides organization with

greater flexibility of managing their users.

34

4.3 Challenges Faced by IAM and SSO solutions

The challenges faced by IAM and SSO solutions mentioned below are derived based on the

survey that was conducted and prior researches that describe the issues related to SSO and IAM.

Some of the common challenges are as follows:

1. Lack of research done on the tool to study whether it meets the requirements for the IAM and

SSO solutions

2. Complexity of the architecture and applications that needed to be integrated with the IAM and

SSO solutions

3. Lack of proper documentation of the product and the tool

4. Having incident management and change control in place.

5. Understanding the vulnerabilities of the tools and how it can impact the infrastructure

6. Sufficient and Knowledgeable resources needed to support the tool.

35

4.4 Best Practices to Follow

After analyzing the survey some of the best practices that can be followed during IAM and SSO

implementation are as follows

• The organization should review the tool that they are implementing and understand the

complexities associated with the tool

• The organization should have sufficient and trained resources to manage their tool

• The organization should maintain proper documentation for any changes or

customization that is done to their IAM and SSO tool

• The organization should have incident management and change control activities in place

for any changes that are done to the IAM and SSO tool

• The organization should understand the vulnerabilities that are with the tool and have

teams and resources to mitigate the vulnerabilities with the tool

• There should be 24/7 support for monitoring and managing the tool like having an

incident response team available

36

Chapter 5

5.1 Conclusion

In this paper we analyzed how different IAM and SSO practices are being followed

within several organizations. The survey looked at different architectures that the organizations

has along with different practices that the organizations followed. In this paper we also analyzed

different challenges that the organizations have while implementing IAM and SSO solutions

along with the different benefits that an IAM and SSO solution provide. The research also

reviewed other research that was done in IAM and SSO to analyze the best practices and

comparing it with the survey conducted to understand IAM and SSO practice in organization

based on their infrastructure and architecture.

However, in this research we limited our scope to only twenty participants and prior

researches to understand the importance of IAM and SSO in the cyber security space. The survey

conducted was also limited due to the time and scope of the paper. The participants were only

interviewed based on the survey questions and no other possible feedback or inquiry was done

aside from the survey questions. However although the research and survey was limited, the

responses from the participants helped to analyze the different aspects of IAM and SSO

solutions.

5.2 Recommendations for Future Work

Since, our research was only limited to 20 participants, the research scope can be expanded by

increasing the number of questions on the survey and the number of participants for the survey.

The survey conducted was more focused on understating the importance and benefits of IAM

and SSO in the cyber security space but it did not go in depth to really understand and analyze

the IAM practice in different organizations. Since the method of conducting survey was online

37

there was also a limitation on the questions that could be asked and responses that was received.

Future work can also look into IAM and SSO practice more in depth from different risk

management aspect and cyber security vulnerabilities that can exists. In this research we did not

analyze into different cyber security vulnerabilities that can exists with an organization and how

IAM and SSO solution can help in reduce each of those vulnerabilities that exists. Future, work

can also take into consideration in focusing depth analysis on different SSO protocols that can be

used within an organization considering their infrastructure and architecture.

38

References

Alaca, F., Oorschot, v., & C., P. (2018). Comparative Analysis and Framework Evaluating Web Single

Sign-On Systems.

Alston, A. (n.d.). Attribute-based Encryption for Attribute-based Authentication, Authorization, Storage,

and Transmission in Distributed Storage Systems. pp. 1-20.

Andre, T. (2017). Cybersecurity: An Enterprise Risk Issue. Hfm Healthcare Financial Management , pp.

1-6.

Bazaz, T., & Khalique, A. (2016). A Review on Single Sign on Enabling Technologies and Protocols.

International Journal of Computer Applications , 15 (11), 18-25.

Catuogno, L., & Galdi, C. (2014). Achieving interoperability between federated identity management

systems:A case of study. Journal of High Speed Networks 20 , 209-221.

Fett, D., Küsters, R., & Schmitz, G. (2016). A Comprehensive Formal Security Analysis of OAuth 2.0.

Heino, E. (2011). Evaluating financial benefits of an identity management solution CASE Logica.

Retrieved July 9, 2018, from http://epub.lib.aalto.fi/en/ethesis/pdf/12500/hse_ethesis_12500.pdf

Hsu, F., Chen, H., & Machiraju, S. (2011). WebCallerID: Leveraging cellular networks for Web

authentication. Journal of Computer Security , 862-899.

Krawczyk, P. Secure SAML validation to prevent XML signature wrapping attacks.

Lewis, D. L., & Lewis, J. E. (2009). Web Single Sign-On Authentication using SAML. IJCSI

International Journal of Computer Science Issues , 2.

Mainka, Christian; Mladenov, Vladislav; Schwenk, Jörg. (n.d.). On the security of modern Single Sign-

On Protocols –Second-Order Vulnerabilities in OpenID Connect.

Manguic, D. M. (2012). CLOUD IDENTITY AND ACCESS MANAGEMENT–A MODEL

PROPOSAL. Accounting and Management Information Systems , 11 (3), pp. 484-500.

Nunez, D., & Agudo, I. (2014, 3 6). BlindIdM: A privacy-preserving approach for identity. International

Journal Of Information Security .

Pérez-Méndez, A., Pereñíguez-García, F., Marín-López, R., & López-Millán, G. (2012). A cross-layer

SSO solution for federating access to kerberized services in the eduroam/DAMe network. International

Journal of Information Security , 365-388.

Peterson, B. H., Smedegaard, P., Heninger, W. G., & Romney, M. ß. (2008). Managing Multiple

Identities. Journal Of Accountancy , 1-6.

39

Shitamichi, T., & Sasaki, R. (2014). TECHNOLOGY OF FEDERATED IDENTITY AND SECURE

LOGGINGS IN CLOUD COMPUTING. International Journal of Electronic Commerce Studies , 5, 39-

62.

Tormo, G. D., Millán, G. L., & Pérez, G. M. (2012, 12 27). Definition of an advanced identity

management infrastructure. pp. 173-200.

40

Appendix A

Questionnaire Form

1. How many users are currently working within the organization?

• Less than 10000

• More than 10000 and Less than 25000

• More than 25000

2. How many applications are currently supported within the infrastructure?

• Less than 50

• More than 50 and Less than 150

• More than 150

3. Is there currently any compliance or auditing policies that the organizations need to follow?

• Yes

• No

4. Does the organization already have an Identity and Access Management and Single Sign On

tools in place?

• Yes

• No

If yes to question 4 than

41

5. What are the different issues related to the IAM and SSO tools?

• None

• Resource Limitations

• Unavailability of proper documentation

• Complex infrastructure and Design Limitations

6. Did the tool improve the efficiency of authentication and authorization capability of an

organization?

• Yes

• No

7. What were some of the considerations that were taken before implementing the tool?

• Proof of Concept

• Understanding the limitations of the Tool

• Concerns and issues with some of the features

8. How efficiently the IAM and SSO tools were studied before implementing them?

• Efficiently

• Well Versed

• Not At all

9. What are some of the guidelines that can be followed when implementing the tool? (Check all

that apply from more important to lesser importance)

42

• Sufficient and Knowledgeable Resources

• Reviewing the features supported by the tool

• Documentation of the product or tool

• Documenting the changes or modifications

• Understanding the vulnerabilities of the tool

• Having change management controls in place

• Having incident response teams available

• Having third party or vendor based applications that can monitor the servers and

databases where the IAM or SSO tools are deployed

• Having support resources available 24/7 for monitoring the tool

10. What are some of the restriction that comes with the tools?

• Compliance and Auditing capabilities not as needed by the organization

• Provisioning capabilities are limited

• More customization needed within the tool

11. What are some of the best practices or recommended practices that can be followed when

implementing IAM and SSO solutions? (Check all that apply from most important to less

important)

• Sufficient and Knowledgeable Resources

• Reviewing the features supported by the tool

• Documentation of the product or tool

• Documenting the changes or modifications

• Understanding the vulnerabilities of the tool

43

• Having change management controls in place

• Having incident response teams available

• Having third party or vendor based applications that can monitor the servers and

databases where the IAM or SSO tools are deployed

• Having support resources available 24/7 for monitoring the tool

12. How reliable is the IAM system

• Reliable

• Not Reliable

If no to question 4 than

13. Is the organization planning to implement any IAM and SSO SOLUTIONS?

• Yes

• No

14. Are there currently and compliance and auditing issues within the organization?

• Yes

• No

15. Is the organization following certain steps and recommendations on purchasing an IAM or

SSO solutions

• Yes

• No

44

16. What are some of the recommended practices that can be followed for any IAM and SSO

solutions? (Check all that apply from most important to less important)

• Sufficient and Knowledgeable Resources

• Reviewing the features supported by the tool

• Documentation of the product or tool

• Documenting the changes or modifications

• Understanding the vulnerabilities of the tool

• Having change management controls in place

• Having incident response teams available

• Having third party or vendor based applications that can monitor the servers and

databases where the IAM or SSO tools are deployed

• Having support resources available 24/7 for monitoring the tool