Computer science gradauate Thesis
1
Authentication and Authorization in Identity Management and Single Sign
On
Submitted to Harrisburg University of Science and Technology as a fulfillment of
the Requirements for the Master of Science degree in Cyber Security
By
Ujjwal Joshi
Supervised By
Sangwhan Cha
2
Table of Contents
Abstract……………………………………………………………………………………....3
Chapter 1……………………………………………………………………………………..4
1.1 Introduction………………………………………………………………………4
1.2 Problem Statement and Justification……………………………………………..7
Chapter 2……………………………………………………………………………………10
Chapter 3……………………………………………………………………………………16
3.1 Introduction…………………………………………………………………….16
3.2 Research Approach……………………………………………………………..17
3.3 Research Design………………………………………………………………..18
3.4 Data and Rubrics Collection…………………………………………………....21
3.5 Population and Sampling……………………………………………………….23
Chapter 4…………………………………………………………………………………....25
4.1 Findings………………………………………………………………………....25
4.2 Benefits provided by IAM and SSO…………………………………………….30
4.3 Challenges Faced by IAM and SSO solutions………………………………….33
4.4 Best Practices to Follow………………………………………………………...34
Chapter 5…………………………………………………………………………………....35
References…………………………………………………………………………………..38
Appendix A………………………………………………………………………………….40
3
Abstract
Identity and Access Management (IAM) and Single Sign on (SSO) are two security concepts that
are related to each other. IAM governs the user access in an organization whereas SSO facilitates
the user by authenticating to one centralized application and not having to re-authenticate when
trying to access other applications. This paper addresses the different benefits that an IAM and
SSO tool can provide to reduce the security risk within an organization. Since, authentication and
authorization is one of the major concerns in the cyber security, this paper analyzes common
problems that are faced during authentication and authorization. In this paper we have also
analyzed prior researches that have been done in the IAM and SSO space along with conducting
a survey to understand the different issues and benefits of IAM and SSO. From the survey that
has been conducted for this paper, we have addressed different issues when implementing IAM
and SSO solutions along with understanding the architecture, in which these solutions have been
deployed into. The surveys conducted have been compared with prior researches done in IAM
and SSO space to understand the benefits that the solution provides. The results from the survey
have been analyzed to provide the best practices when implementing IAM and SSO solutions
along with the benefits provided by the solution. Future work related to this research, we can
look into IAM and SSO practice more in depth from different risk management aspect and cyber
security vulnerabilities that can exist while using IAM and SSO solutions.
4
Chapter 1
1.1 Introduction
Identity Management also commonly known Identity and Access Management (IAM) refers to
the set of processes that can be applied to grant right access to the right people within any
corporate enterprise environment (Manguic, 2012). Businesses today, implement IAM solutions
so that it provides them with the framework that can manage user IDs and passwords along with
solving problems related to the challenges associated with managing accesses and permissions of
multiple user IDs (Peterson, Smedegaard, Heninger, & Romney, 2008). IAM solutions also
provide different auditing capabilities that enable the managers and higher officials within
organization to keep track of the different accesses that their employees have (Peterson,
Smedegaard, Heninger, & Romney, 2008). A terminated employee still having access to the
organization resources can cause certain damage to the organization so having an IAM system
can reduce the risk associated while manually removing or adding users to different systems.
Today, architectures within an organization can be categorized based on whether their
applications are deployed in the cloud or within their own network also known as on-premises
(Manguic, 2012). This increases the complexity of managing users and granting accesses to them
due to increased privacy and security risk (Nunez & Agudo, 2014). Although IAM systems can
remove and create access, the user still needs to enter their user name and password to access the
systems that they were provisioned to by the identity management systems. Remembering
passwords and usernames can lead to issues where the user can forget their credentials or lose
their credentials for certain system, which might fall into the hands of an intruder. Single Sign
On (SSO) provides a better functionality for managing authentication and authorizations to
applications, by not having the user re-enter the credential every time they need to login
5
(Catuogno & Galdi, 2014). SSO provides a single source of authentication mechanism which
provides the user a single platform to enter their credentials to access different applications and
also discourages the need to maintain multiple credentials to access different systems (Lewis &
Lewis, 2009).IAM and SSO solutions provide a secure way for businesses to manage and
authenticate their users. This research explores the authentication and authorization mechanism
that IAM and SSO provides with the view of providing better security while implementing these
solutions. The research also explores the different models of architectures that an enterprise
environment can have to recommend the best practices that can be followed while implementing
IAM and SSO solutions.
Security is one of the major concerns that an organization faces today, as risk from cyber-attacks
can damage an organization (Andre, 2017). As business today are growing bigger and faster than
anticipated, they are looking for new technologies that can provide a simplified solution for them
to manage their user’s accesses and resources. A user within an organization needs to have the
right set of access to do their work and manually managing user accesses is not a suitable
practice for an organization since there can be gaps such as assigning wrong or incorrect
accesses(Manguic, 2012). Also manually adding and removing accesses can lead to issues such
as forgetting to remove accesses when users leave organization or adding accesses when users
join organization.
Since authentication and authorization are one of the major components of IAM and SSO, the
need to provide access and manage user authentication are highly in demand. Corporate
environments today are complex because they have users and data scattered in different
applications and servers. So there is always a need to manage users efficiently so that the
organization is less vulnerable to intrusions and outside attacks. This topic is also worth
6
investigating because most organizations today need the security knowledge that can help them
to investigate the security solutions that are available. Business always makes mistakes by
believing the vendors or service providers rather than understanding their own infrastructure for
their security purposes.
7
1.2. Problem Statement and Justification
Lack of security knowledge and security principles are one of the common problems that
organizations face today. By tradition software applications within an organization were
supposed to be deployed within the organization boundaries (Manguic, 2012). However, today
an organization cannot restrict itself to the traditional views and are deploying applications
outside an organization boundary. Any application that is outside the organization boundary is
not within the organization trusts zones and organizations do not have complete control over it.
Since some applications are within the organization boundary and some are maintained by
service providers, the complexity to sync users between application increases. As technologies
are rapidly changing today, IAM is gaining a popular momentum as it is one of the key
components when managing users on applications deployed within organization boundaries and
outside organizations boundaries (Nunez & Agudo, 2014).The problem still lies on how business
and organizations can securely manage users and their credentials for applications that are inside
the organization and outside the organization boundaries. Since service provider’s applications
are managed by service provider’s resources and application within organization boundaries are
managed by organizational resources, manually adding the users and creating credentials can
lead to gaps where the user may not have the right access. The complexity also increases when
users try to access service provider’s applications with different credentials which can lead to
forgetting or losing passwords. Such complex situations can be managed by using SSO for
authentication and authorization along with IAM for managing user accesses. However, not all
the SSO and IAM may be feasible for an organizations. Depending of the complexity of the
organization infrastructure there is a need to do research which provides guidelines to business
8
so that they know the check and balances that is required when implementing IAM and SSO
solutions.
In this research we will evaluate different criteria that an organization can have from the
infrastructure and architecture perspective. The architecture will depend on the number of
applications that are hosted within and outside the organizational boundaries. The infrastructure
will be based on the number of employees that an organization has and the different kinds of
policies that is applicable to each employee. We will than categorize the organization on the
basis of architecture and infrastructure that the organization has. Depending on the categories
that the organization fits into we will analyze the different process that an organization can
undergo to select the suitable IAM and SSO solutions. We will also provide the guidelines on
some of the best practices that the organization can follow to implement those solutions.
However, this research will not recommend any solution that exists in the market today but
provide more of a guideline that the organization needs to take into consideration while
implementing IAM and SSO solutions.
Research Questions
➢ Analyzing the role SSO and its importance in identity authentication and authorization
➢ Studying different ways SSO can be implemented in today’s cyber security space and
predicting which SSO standards are better and in what situations
➢ How cloud infrastructures are functioning with SSO authentication standards and what
would it look like without SSO authentication standards?
➢ Is SSO a must for business to decrease their security risk?
➢ Analyzing the challenges faced by organizations while using SSO and IAM solutions.
9
➢ Risk and challenges of identity management in organizations and importance of
authentication and authorization
10
Chapter 2
Literature Review
Authentication and authorization are one of the mechanisms used in computer security to
validate if the user has the right credentials and permission to access a system. However
authenticating and authorization also known as identification, is one of the common problems in
the area of computer security (Catuogno & Galdi, 2014). Although many researches have been
done to improve the authentication standards, passwords is still common authentication
mechanism (Catuogno & Galdi, 2014). Using passwords as an authentication mechanism
increases complexity in an enterprise environment since forgetting passwords from time and
again can lead to inefficiency while accessing systems. Organizations today, are also demanding
systems that helps them manage users so that end users can manage their private information
more efficiently (Tormo, Millán, & Pérez, 2012). Identity management is one of the key
components of an organization since it plays an important role in authentication and
authorization (Nunez & Agudo, 2014). Identity management refers to the process of managing
identities so that each identity has the right set of accesses that is needed for them to do the
required work in an enterprise environment (Manguic, 2012). Identity management consists of
four major modules which are Authentication, Authorization, User Management and Central
User Repository (Manguic, 2012). The authentication module deals with validating user
credentials where the user can authenticate themselves by providing username and password or
through other different authentication mechanism such a Kerberos, SAML and so on(Manguic,
2012). The authorization modules provide the functionality of validating a user access to
different systems. The user access can range from the group of permissions or roles that a user
has to access the system (Manguic, 2012). The user management module provides functionality
11
such as provisioning and de-provisioning of users, life cycle management to manage the user
accesses, when the user joins the company till the time the user leaves the company. The central
repository module delivers a one stop place for reviewing users and different access they carry
along with different systems that IAM is integrated to and reading information from different
other managed systems (Manguic, 2012).The proper deployment of the four modules of identity
management can result in building robust enterprise environment where processes can be
automated and limited manual intervention is required.
An enterprise environment today, is not just restricted to application deployed within a particular
network, but also includes various other applications on different vendor systems. Enterprises
now are also moving their resources to cloud and are exploring the different cloud models. There
are three cloud concepts which are gaining popularity such as Software as a Service (SaaS),
Platform as a Service (PaaS), and Infrastructure as a Service (IaaS) (Alston). The concept of
SaaS, PaaS and IaaS has also changed the way different authorization and authentication
mechanism worked. The mechanism to store identities across different systems using SaaS, PaaS
and IaaS is also known as federated identity management (Catuogno & Galdi, 2014). With cloud
based applications and the need to access applications anywhere at any time has brought in
changes in the traditional authentication mechanism and developed different standards that are
also known as SSO standards. However enterprise still use username and passwords as a
common authentication mechanism and these can lead to certain problems. In password based
authentication the user passes in a username and password to prove they have the right
credentials to access the system. So every time a user needs to access a system they need to enter
the password. The use of password based authentication and classical authorization techniques
are described below
12
➢ Alpha numeric passwords are used which sometimes can be easy to guess so an
unauthorized user may also access the system (Catuogno & Galdi, 2014).
➢ Since different system may have different passwords the user has to memorize all the
password or maintain a list somewhere else which can be stolen or lost
➢ Some system with password based authentication allows grammars in passwords which
provides a way for attacks like dictionary attacks (Catuogno & Galdi, 2014)
➢ Two factor authentications can be a better approach but not all the systems follow two
factor authentication.
➢ Once the user is able to authenticate the next process that happens is authorization which
allows the user to access certain resources in the system.
➢ The authorization techniques for classical system are assigning permissions directly
which is difficult to manage (Catuogno & Galdi, 2014).
➢ RBAC (Role Based Access Control) is one of the mechanisms used in various systems to
grant access to users for authorization (Catuogno & Galdi, 2014).
➢ The RBAC solves the issues with permissions since permissions are assigned within the
roles and roles are assigned to the users (Catuogno & Galdi, 2014). This reduces
management risk since they only need to be aware of the roles that the user has.
SSO provides enterprises with a mechanism to authenticate and authorize users with a single
password. Once the user logs into one system and authentication happens the users does not need
to login again to access other applications (Catuogno & Galdi, 2014). This prevents user from
having to remember multiple passwords for different applications. However, since there are
many different standards that provide single sign on for users, there is a need to understand and
13
analyze how different single sign on systems works and suits for a particular enterprise
environment. (Catuogno & Galdi, 2014)
Today, there are different SSO and IAM solutions that are available in the market. Organizations
need to understand how these solutions work for them based on their architecture and
infrastructures design. Some of the commonly used identity management systems that exist
today are Sailpoint IdentityIQ, Oracle Identity Manager, RSA lifecycle and governance and so
on. SSO tools that exist today are Okta, IdentityNow which have the capability of creating and
removing users and also providing single sign on for the enterprise users. Rather than focusing
on the tools that exists, it is necessary for the organization to understand the protocols that these
tools use and choose the right one that fits their organization. Some of the protocols that are
widely use and accepted are OAUTH, OpenID, and SAML etc.
Organizations today have also started a centralized authentication mechanism where the user
does not have to remember their entire password and maintain a sticky note or list, attached to
their computer (Lewis & Lewis, 2009). This authentication mechanism when configured
properly provides security where users do not have to worry about maintaining sticky note of all
their passwords to access different systems (Lewis & Lewis, 2009). To attain a centralized
authentication mechanism different standard can be followed and one such standard is Security
Assertion Markup Language (SAML) which uses Extensible Markup Language (XML) based
solution for exchanging information between service providers (Lewis & Lewis, 2009). Another
authentication mechanism that can be used is OpenID where an OpenID provider acts as an
authentication provider to authenticate relying parties (Hsu, Chen, & Machiraju, 2011). SSO
systems such as SAML, OpenID are the first step in reducing the problem of using different
password to log in different systems (Catuogno & Galdi, 2014). Aside from SAML and OpenID
14
another SSO standard that is quite popular is Kerberos authentication. Kerberos provides single
sign on through the generation of tickets (Pérez-Méndez, Pereñíguez-García, Marín-López, &
López-Millán, 2012). These systems are also known as federated authentication standards and
are used to authenticate users across different platform (Shitamichi & Sasaki, 2014).SSO
protocols like SAML, OAUTH and OpenID replaces traditional authentication by using a single
source of authentication at the identity provider (IdP) (Mainka, Christian; Mladenov, Vladislav;
Schwenk, Jörg). However, each of these protocols also has their own advantages and
disadvantages and based on the literature review there are different ways to attack these single
sign on protocols. One of the attack that is possible which using SAML based single sign on is
by constructing a false SAML token (Krawczyk). Since SAML uses xml to authenticate the users
the attackers can modify the xml to attack the system. One of the major concerns for
organization today is how to remediate certain attacks that can occur within the organization. No
systems today are free from attacks by attackers despite of the fact whether the organization is
using identity management and single sign on solutions. Knowing and having information about
different attacks can help organization to plan ahead to prevent those attacks. Some of the
vulnerabilities and ways that an attacker can attack an organization involve:
➢ Injecting malicious endpoints: In this attack the attacker creates a malicious end which is
used to force the user to enter their user name and password so that the attacker can
retrieve the username and password. Once the credentials are retrieved the attacker uses
the known credential to authenticate themselves (Mainka, Christian; Mladenov,
Vladislav; Schwenk, Jörg).
➢ Redirect Attack: In this attack the attacker learns about the user credentials when the
identity provider redirects that user by using wrong redirection code.(Fett, Küsters, &
15
Schmitz, 2016). This is possible since neither OAUTH nor OpenID connect specify how
the redirection works (Fett, Küsters, & Schmitz, 2016).
➢ IdP Mix up Attack: In this attack the attacker confuses the resource provider about the
identity provider that the user chooses at the beginning of authorization or authentication
process to impersonate as the user to access the data (Fett, Küsters, & Schmitz, 2016).
➢ State Leak Attack: In this attack the attacker forces the browser to be logged under the
attacker name at the resource provider (Fett, Küsters, & Schmitz, 2016). This attack is
also called session swapping since it breaks the session integrity property (Fett, Küsters,
& Schmitz, 2016).
One of the challenges that many organizations face today is to understand how single sign on
works and the best practices to follow while implementing any single sign on protocols. Since
most of the organizations are moving their application to cloud and each application are
supported by different vendors the traditional authentication mechanism is not suitable. Also
since not every system is threat proof and analysis needs to be done when using different
authentication and authorization protocols. The literature and journals available does point out
the different standards available for single sign on but does not take initiative on predicting how
one relates in terms to other. Also understanding how authorization and authentication works
with single sign is one of the major concerns that will be reviewed in this paper. The literature
review provides information regarding different SSO standards such as SAML, Kerberos, and
OpenID but analyzing how authentication and authorization works with the SSO standards is one
of the major aspects that needs to be researched more on.
16
Chapter 3
Methodology
3.1. Introduction
This chapter focuses on the nature of the methodology used and the nature of the research carried
out for studying the topic. One of the major reasons for studying the topic is to study how
Identity Management and Single Sign On have been able to reduce the cyber security risk that
are associated to different organizations. As organizations are growing faster and bigger there is
always a need to be able to grant the right access to the right set of users for a given period of
time. Different tools associated to Single Sign On and Identity Management is believed to help
organizations with their issue for managing their users and their credentials. Before describing
the methodology used for the research it is important to understand the problem that persists
within different organization that the research topic is able to solve. Some of the objectives of
this paper are:
➢ Study of challenges faced with SSO and IAM solutions within an enterprise environment.
➢ Study the number of resources that are allocated for SSO and IAM
➢ Analyze the complexities that can persists within the SSO and IAM infrastructure
➢ Analyze the importance of IAM and SSO in the cyber security space for business to
protect their environment.
➢ Different SSO mechanism and how each one compares to another when used within an
enterprise environment.
17
➢ Determine the best practices that can be used with authentication, authorization, single
sign on and identity management to mitigate risk and provide better security.
The objectives described above are analyzed to study the relation between IAM, SSO and its
involvement in decreasing the cyber security risk.
3.2. Research Approach
In order to understand the challenges faced by different organizations while implementing IAM
and SSO solutions it is necessary to interact, understand and analyze the insights of people
working in that platform. Proceeding further, reviewing previous researches done in IAM and
SSO provides great insights into the data gathering method and analysis. The research will use
qualitative method for data gathering. Qualitative method of data gathering involves individual
interviews, observations and research. This research will conduct interviews in phone and
through online survey with the IAM and SSO resources that are working with different
organizations. The research screening is not only limited to a particular organization within a
certain region but will cover different regions and organizations inside United States. Aside from
interviews we will also review different researches that have been done prior to this research and
analyze the results and outcomes of those researches. The interviews to be conducted will be
focused more on organizations that have recently implemented IAM solutions and SSO
solutions. The interview methods will also look at organizations that are recently planning to
implement some form of SSO and IAM solutions since those interviews can provide more
insights into the challenges that the organization had to go through in picking the right solution.
Since interviews are the primary source of data for the proposed research, the interviews will
help us to build recommendations and guidelines that can be followed while implementing
18
identity management and single sign on solutions. The interview questions are to be more
focused on the steps that were taken before finalizing the IAM and SSO solutions and the
challenges faced with those solutions. We tend to use these questions to analyze the different
circumstances within the organization prior to building the recommendations. The interviews to
be conducted will also have questions that are related to the architecture and infrastructure of the
organization and the effectiveness of IAM and SSO solutions to provide enterprise security. The
response received from interviews is than compared with the different concepts and researches
that have been done prior to this research. Different concepts regarding SSO and IAM are also
explored by reviewing journal articles, books and prior researches to build a foundation on the
existing solutions. The research will also do a comparative study on the prior researches to fill in
the gaps that has not yet been covered. The interviews related to the research have questions
related to the impact of SSO and IAM in risk management. The risk management section of the
questionnaire will be directed towards understanding how SSO and IAM solutions helped in
mitigating risk and vulnerabilities within an enterprise environment.
3.3. Research Design
Interviews are the primary source of data for this research topic. The interviews questions are
designed to help us understand how IAM and SSO solutions are functioning within an
organization. The questions presented are within the understanding of people working in
different IAM and SSO solutions or people who have some cyber security knowledge. The
research questions are designed to understand the different systems of environment an
organization has, different SSO protocols used, examine the IAM and SSO concepts within the
cyber security space, number of resources that organization has for IAM and SSO and
understand the easiness or efficiency provided by using different IAM and SSO solutions. Visual
19
representation of the data collected and gathered is presented in Chapter 4 to analyze and
understand the feedback from the questionnaire.
In this research we classify the data collected into three different architecture models that an
organization can have. The models are based on the different applications and users that the
organization has. The models are categorized as small, medium and big and analysis is done
projecting the different models and evaluating the differences that each model has in compared
to another.
The result obtained from data gathering and reviewing different articles is reviewed to
understand the impact and various factors that are involved within an organization. It is expected
that the research methodology used above will provide us with the information that is needed to
understand the organizations limits and their issues in following the best practices that are
required. The result obtained from the research is used to build a set of best practices that is
needed for any organization while implementing IAM and SSO solutions in cyber security space.
This research paper evaluates how IAM and SSO solutions can help to mitigate risk in an
enterprise environment when best practices are followed.
20
Figure 1: Research Design Flow Diagram
Research
Objectives
Identifying Important
Factors and Criteria
Reviewing
existing
Literatures and
theories
Assumptions and
Theories
Collecting relevant
information and
discarding
irrelevant
information
Analysis and
Documentation Conducting
Interviews
and Surveys
Research
Questions
21
3.4. Data Rubrics Classification
The data rubrics classification is used to classify organization based on the users, applications,
size of the team that an organization has. The recommended practices to be followed can vary
based on each organization architecture and model.
3.4.1 Architecture Design Model
The organization architecture is based on small, medium and big based on the number of users
that the organization has
Small
• Number of users less than 10000
• Number of applications less than 50
Medium
• Number of users less than 25000 and more than 10000
• Number of application less than 150 and more than 50
Big
• Number of users more than 25000
• Number of applications more than 150
22
Size of IAM and SSO team (Team Classification)
The team classification is based on the number of employees and contractors that are directly and
indirectly involved in IAM. Indirectly involvement may include employee and contractors that
are aware of the IAM system and need to coordinate with the IAM team for different
enhancements that needs to be done.
Small
• Less than 5 employees and Contractors directly involved in IAM and SSO
• Less than 10 employees involved indirectly involved in IAM and SSO
Medium
• More than 5 and less than 10 employees and contractors involved in IAM and SSO
• Less than 20 and more than 10 employees and contractors indirectly involved in IAM and
SSO
Big
• More than 10 employees and contractors involved in IAM and SSO
• More than 20 employees indirectly involved in IAM and SSO
Complexities with IAM and SSO solutions
5 The system is reliable
4 The system has issues but has helped organization to function better
3 The system is fairly designed and has space of improvement
23
2 The system is poorly designed but can be improved
1 The system is not reliable and needs to be replaced
3.5. Population and Sampling
The data is collected based on the questionnaire that is provided on Appendix A and evaluated
based on the data rubrics classification mentioned in the previous section. The data analysis
process is as described below
• Understand the current architecture of the organizations surveyed and classify them based
on the classification rubrics
• Analyze the problems and issues that can be potentially faced by different organization
who have implemented IAM and SSO solutions
• Analyze the security issues reduced with IAM and SSO solutions
• Analyze the recommended practices that can be followed with IAM and SSO solutions
through survey and prior researches
• Compare and contrast the feedback from the survey and other past researches that has
been done
• Build set of recommended practices based on the survey or prior researches
24
User Population Sampling
The interview process involves 20 different people who are working in IAM and SSO and the
analysis is based on their feedback and literature reviews. The user population consists of
different people with different background on IAM and SSO.
25
Chapter 4
4.1. Findings
The findings are based on the survey that was conducted with 20 participants that are working in
the IAM and SSO security space. The findings presented below has been analyzed and compared
with prior researches to reflect IAM and SSO practices that are being followed. The findings also
looks at the complexity involved with IAM and SSO solutions and the role they play in
mitigating security risk.
4.1.1. Organization size and Architecture
Based on the survey conducted it can be concluded that most of the organizations that were
surveyed had more than 10000 user that was needed to be managed by SSO and IAM solutions
26
Figure 1: Users currently working within the Organization
Figure 2: Applications currently supported within the Infrastructure
Less than 10000 More than 10000 and Less than 25000
More than 25000
27.00%
28.00%
29.00%
30.00%
31.00%
32.00%
33.00%
34.00%
35.00%
36.00%
How many users are currently working within the organization?
Responses
Less than 50 More than 50 and Less than 150
More than 150
0.00%
5.00%
10.00%
15.00%
20.00%
25.00%
30.00%
35.00%
40.00%
45.00%
How many applications are currently supported within the infrastructure?
Responses
27
Figure 1 and Figure 2 describes the numbers of users and applications currently managed or
needed to be managed by SSO and IAM solutions. Based on this result it can be predicted that
the survey data fall under the medium or big tier.
4.1.2 Compliance and Auditing Policies
Compliance and Auditing can be described as one of the major reasons that require organization
to purchase IAM and SSO solutions. The compliance and auditing policies may differ based on
the different domain that the organization is associated with, however the two most popular of
those are SOX and HIPAA (Heino, 2011). Based on the survey gathered majority of the
respondents agreed that the organization has some compliance and auditing policies that they
need to follow. The figure below shows the responses from the participants that were involved in
the survey.
28
Figure 3: Compliance and Auditing Policies Enforced
4.1.3 Complexity
Figure 4: Already having IAM and SSO in place.
Yes No
0.00%
10.00%
20.00%
30.00%
40.00%
50.00%
60.00%
70.00%
80.00%
90.00%
100.00%
Is there currently any compliance or auditing policies that the organizations
need to follow?
Responses
Yes No
0.00%
10.00%
20.00%
30.00%
40.00%
50.00%
60.00%
70.00%
80.00%
90.00%
100.00%
Does the organization already have an Identity and Access Management and
Single Sign On tools in place?
Responses
29
Based on figure 4 most of the respondents responded with already having an IAM and SSO
solution in place. So based on this data finding it can be argued that the responses provided to
other questions in the survey are more inclined with organizations that have implemented IAM
and SSO.
The data gathered from the survey also identifies that organizations had reviewed the IAM and
SSO solutions before implementing them. The bar graph below shows that most of the
respondents responded with the organizations efficiently studying or analyzing the IAM and SSO
solutions prior to implementation.
Figure 5: Review of IAM and SSO solutions
Some of the other restriction that were related with the IAM and SSO solutions are shown in the
figure below
Efficiently Well Versed Not At all
0.00%
10.00%
20.00%
30.00%
40.00%
50.00%
60.00%
70.00%
How efficiently the IAM and SSO tools were studied before implementing them?
Responses
30
Figure 6: Restrictions with the Tools
The figure above defines some of the restriction that is there when using the IAM and SSO tools.
Some of the restrictions that are there with the tool are mentioned below from top to bottom
according to the data collected are as below:
1. More customization needed with the tool
2. Provisioning capabilities are limited
3. Compliance and Auditing capabilities not as needed by the organization
Compliance and Auditing capabilities not
as needed by the organization
Provisioning capabilities are limited
More customization needed within the tool
0.00%
10.00%
20.00%
30.00%
40.00%
50.00%
60.00%
70.00%
What are some of the restriction that comes with the tools?
Responses
31
4.2 Benefits provided By SSO and IAM solutions
According to the survey conducted and by reviewing the prior researches that have been done in
IAM and SSO, we define the different benefits that are provided by Single Sign On and Identity
and access management solutions.
4.2.1 Security
One of the major benefits that a SSO and IAM solution are able to provide is the extra layer of
security that it adds to the existing infrastructure. IAM solutions ensures that each user in the
organization has the right access to do their work so it decreases the risk of employees having
more access than that is needed for them. SSO ensures that user do not have to remember their
authentication credentials for every applications that they need to login in. Removing the
necessity of having to remember multiple credentials also reduces the risk of being easily
targeted by losing their credentials to the intruders. SSO protocols make it tougher for attackers
to easily extract credentials that are caused by server-side vulnerabilities and trying to trick the
system to access a particular application which are managed by SSO solutions (Alaca, Oorschot,
& C., 2018).
4.2.2 Privacy
An SSO solution also helps to maintain privacy within an organization, since employees do not
have to re-enter their credentials for every applications. Also SSO authentications techniques
such as SAML and OAuth depends upon Identity Provider(Idp) and Service Provider (SP) for
authentication mechanism the Idp does not have knowledge about the SP that the user is
authenticating to which is also known as private browsing (Alaca, Oorschot, & C., 2018).
32
4.2.3 Automation
IAM and SSO solutions are able to provision users to other application without manual
intervention or little manual intervention. This functionality helps organization to automate
different provisioning, compliance and auditing activities that are needed which helps
organizations to grant and remove employees’ access faster and with reliability. An organization
not using IAM and SSO solutions will need to rely on manual resources for provisioning,
compliance and auditing activities which takes more time and effort.
4.2.4 Regulatory Compliance
Organizations within the United States are required to perform compliance activities based on
the domain that they operate within (Heino, 2011).The Sarbanes-Oxley (SOX) and Health
Insurance Portability and Accountability (HIPAA) act are among the most popular act that
organizations need to abide by. According to Sarbanes-Oxley act of 2002, the SOX act protects
the interest of the investors and general public by diminishing fraudulent practices with the
enterprise and improving the accuracy of the disclosures. The SOX act applies to all the
organizations in US and the organizations are required to comply with the SOX (Heino, 2011).
The HIPAA act which provides data privacy and security within the health and medical domain.
One of the major reasons of using IAM solutions at least in USA is also because of the Sarbox or
SOX and HIPAA since organizations need to comply with that act (Heino, 2011).
4.2.5 B2B Collaboration
Most of the organizations today do not work alone but rather collaborate with other organizations
as partners. This brings in the need for IT systems in one organization to collaborate with other
organizations IT systems (Bazaz & Khalique, 2016). Collaboration with other organization needs
33
resources of one organization to be able to access the systems available in other organizations.
For this particular reason an employee within a particular intranet of one organization needs to
access applications that are in a different intranet. An SSO and IAM tool makes this possible by
centralizing their authentication and authorization mechanism and allowing their users login
once and be able to access shared resources across multiple organizations (Bazaz & Khalique,
2016)
4.2.6 Simple Administration
Having a centralized system makes it possible for enterprises to have a single source where
different access that the user has can be defined (Bazaz & Khalique, 2016)The IAM and SSO
solutions provide interactive UI which makes it possible to be a one stop shop to view all the
users and their accesses. The ease of being able to navigate through different users and
revoke/remove certain access that the user should not be having provides organization with
greater flexibility of managing their users.
34
4.3 Challenges Faced by IAM and SSO solutions
The challenges faced by IAM and SSO solutions mentioned below are derived based on the
survey that was conducted and prior researches that describe the issues related to SSO and IAM.
Some of the common challenges are as follows:
1. Lack of research done on the tool to study whether it meets the requirements for the IAM and
SSO solutions
2. Complexity of the architecture and applications that needed to be integrated with the IAM and
SSO solutions
3. Lack of proper documentation of the product and the tool
4. Having incident management and change control in place.
5. Understanding the vulnerabilities of the tools and how it can impact the infrastructure
6. Sufficient and Knowledgeable resources needed to support the tool.
35
4.4 Best Practices to Follow
After analyzing the survey some of the best practices that can be followed during IAM and SSO
implementation are as follows
• The organization should review the tool that they are implementing and understand the
complexities associated with the tool
• The organization should have sufficient and trained resources to manage their tool
• The organization should maintain proper documentation for any changes or
customization that is done to their IAM and SSO tool
• The organization should have incident management and change control activities in place
for any changes that are done to the IAM and SSO tool
• The organization should understand the vulnerabilities that are with the tool and have
teams and resources to mitigate the vulnerabilities with the tool
• There should be 24/7 support for monitoring and managing the tool like having an
incident response team available
36
Chapter 5
5.1 Conclusion
In this paper we analyzed how different IAM and SSO practices are being followed
within several organizations. The survey looked at different architectures that the organizations
has along with different practices that the organizations followed. In this paper we also analyzed
different challenges that the organizations have while implementing IAM and SSO solutions
along with the different benefits that an IAM and SSO solution provide. The research also
reviewed other research that was done in IAM and SSO to analyze the best practices and
comparing it with the survey conducted to understand IAM and SSO practice in organization
based on their infrastructure and architecture.
However, in this research we limited our scope to only twenty participants and prior
researches to understand the importance of IAM and SSO in the cyber security space. The survey
conducted was also limited due to the time and scope of the paper. The participants were only
interviewed based on the survey questions and no other possible feedback or inquiry was done
aside from the survey questions. However although the research and survey was limited, the
responses from the participants helped to analyze the different aspects of IAM and SSO
solutions.
5.2 Recommendations for Future Work
Since, our research was only limited to 20 participants, the research scope can be expanded by
increasing the number of questions on the survey and the number of participants for the survey.
The survey conducted was more focused on understating the importance and benefits of IAM
and SSO in the cyber security space but it did not go in depth to really understand and analyze
the IAM practice in different organizations. Since the method of conducting survey was online
37
there was also a limitation on the questions that could be asked and responses that was received.
Future work can also look into IAM and SSO practice more in depth from different risk
management aspect and cyber security vulnerabilities that can exists. In this research we did not
analyze into different cyber security vulnerabilities that can exists with an organization and how
IAM and SSO solution can help in reduce each of those vulnerabilities that exists. Future, work
can also take into consideration in focusing depth analysis on different SSO protocols that can be
used within an organization considering their infrastructure and architecture.
38
References
Alaca, F., Oorschot, v., & C., P. (2018). Comparative Analysis and Framework Evaluating Web Single
Sign-On Systems.
Alston, A. (n.d.). Attribute-based Encryption for Attribute-based Authentication, Authorization, Storage,
and Transmission in Distributed Storage Systems. pp. 1-20.
Andre, T. (2017). Cybersecurity: An Enterprise Risk Issue. Hfm Healthcare Financial Management , pp.
1-6.
Bazaz, T., & Khalique, A. (2016). A Review on Single Sign on Enabling Technologies and Protocols.
International Journal of Computer Applications , 15 (11), 18-25.
Catuogno, L., & Galdi, C. (2014). Achieving interoperability between federated identity management
systems:A case of study. Journal of High Speed Networks 20 , 209-221.
Fett, D., Küsters, R., & Schmitz, G. (2016). A Comprehensive Formal Security Analysis of OAuth 2.0.
Heino, E. (2011). Evaluating financial benefits of an identity management solution CASE Logica.
Retrieved July 9, 2018, from http://epub.lib.aalto.fi/en/ethesis/pdf/12500/hse_ethesis_12500.pdf
Hsu, F., Chen, H., & Machiraju, S. (2011). WebCallerID: Leveraging cellular networks for Web
authentication. Journal of Computer Security , 862-899.
Krawczyk, P. Secure SAML validation to prevent XML signature wrapping attacks.
Lewis, D. L., & Lewis, J. E. (2009). Web Single Sign-On Authentication using SAML. IJCSI
International Journal of Computer Science Issues , 2.
Mainka, Christian; Mladenov, Vladislav; Schwenk, Jörg. (n.d.). On the security of modern Single Sign-
On Protocols –Second-Order Vulnerabilities in OpenID Connect.
Manguic, D. M. (2012). CLOUD IDENTITY AND ACCESS MANAGEMENT–A MODEL
PROPOSAL. Accounting and Management Information Systems , 11 (3), pp. 484-500.
Nunez, D., & Agudo, I. (2014, 3 6). BlindIdM: A privacy-preserving approach for identity. International
Journal Of Information Security .
Pérez-Méndez, A., Pereñíguez-García, F., Marín-López, R., & López-Millán, G. (2012). A cross-layer
SSO solution for federating access to kerberized services in the eduroam/DAMe network. International
Journal of Information Security , 365-388.
Peterson, B. H., Smedegaard, P., Heninger, W. G., & Romney, M. ß. (2008). Managing Multiple
Identities. Journal Of Accountancy , 1-6.
39
Shitamichi, T., & Sasaki, R. (2014). TECHNOLOGY OF FEDERATED IDENTITY AND SECURE
LOGGINGS IN CLOUD COMPUTING. International Journal of Electronic Commerce Studies , 5, 39-
62.
Tormo, G. D., Millán, G. L., & Pérez, G. M. (2012, 12 27). Definition of an advanced identity
management infrastructure. pp. 173-200.
40
Appendix A
Questionnaire Form
1. How many users are currently working within the organization?
• Less than 10000
• More than 10000 and Less than 25000
• More than 25000
2. How many applications are currently supported within the infrastructure?
• Less than 50
• More than 50 and Less than 150
• More than 150
3. Is there currently any compliance or auditing policies that the organizations need to follow?
• Yes
• No
4. Does the organization already have an Identity and Access Management and Single Sign On
tools in place?
• Yes
• No
If yes to question 4 than
41
5. What are the different issues related to the IAM and SSO tools?
• None
• Resource Limitations
• Unavailability of proper documentation
• Complex infrastructure and Design Limitations
6. Did the tool improve the efficiency of authentication and authorization capability of an
organization?
• Yes
• No
7. What were some of the considerations that were taken before implementing the tool?
• Proof of Concept
• Understanding the limitations of the Tool
• Concerns and issues with some of the features
8. How efficiently the IAM and SSO tools were studied before implementing them?
• Efficiently
• Well Versed
• Not At all
9. What are some of the guidelines that can be followed when implementing the tool? (Check all
that apply from more important to lesser importance)
42
• Sufficient and Knowledgeable Resources
• Reviewing the features supported by the tool
• Documentation of the product or tool
• Documenting the changes or modifications
• Understanding the vulnerabilities of the tool
• Having change management controls in place
• Having incident response teams available
• Having third party or vendor based applications that can monitor the servers and
databases where the IAM or SSO tools are deployed
• Having support resources available 24/7 for monitoring the tool
10. What are some of the restriction that comes with the tools?
• Compliance and Auditing capabilities not as needed by the organization
• Provisioning capabilities are limited
• More customization needed within the tool
11. What are some of the best practices or recommended practices that can be followed when
implementing IAM and SSO solutions? (Check all that apply from most important to less
important)
• Sufficient and Knowledgeable Resources
• Reviewing the features supported by the tool
• Documentation of the product or tool
• Documenting the changes or modifications
• Understanding the vulnerabilities of the tool
43
• Having change management controls in place
• Having incident response teams available
• Having third party or vendor based applications that can monitor the servers and
databases where the IAM or SSO tools are deployed
• Having support resources available 24/7 for monitoring the tool
12. How reliable is the IAM system
• Reliable
• Not Reliable
If no to question 4 than
13. Is the organization planning to implement any IAM and SSO SOLUTIONS?
• Yes
• No
14. Are there currently and compliance and auditing issues within the organization?
• Yes
• No
15. Is the organization following certain steps and recommendations on purchasing an IAM or
SSO solutions
• Yes
• No
44
16. What are some of the recommended practices that can be followed for any IAM and SSO
solutions? (Check all that apply from most important to less important)
• Sufficient and Knowledgeable Resources
• Reviewing the features supported by the tool
• Documentation of the product or tool
• Documenting the changes or modifications
• Understanding the vulnerabilities of the tool
• Having change management controls in place
• Having incident response teams available
• Having third party or vendor based applications that can monitor the servers and
databases where the IAM or SSO tools are deployed
• Having support resources available 24/7 for monitoring the tool