Extending the Scope of DCE Security
The Quest for Single Sign-On


By Jahan Moreh
Senior Product Manager
Open Horizon, Inc.


The word is out: users want a single logon - one user ID/password combination that will allow them to access network resources without having to sign on to scores of applications and databases. In addition, application developers want vendors of network operating systems and security services to open up their APIs so security standards can work independently of an operating system's authentication process. And those responsible for implementing an organization's security policy want a solution that supports that security policy without requiring major infrastructure changes.

Organizations are looking to Secure Single Sign-On (SSSO) solutions to solve these problems. In fact, SSSO has come to be seen as the "holy grail" of enterprise computing. From a user standpoint, it's equivalent to simply speaking a magic word that opens the door to the resources and services of the enterprise. From an IS perspective, SSSO provides the most comprehensive means of managing user privileges and centralizing security administration. In this sense, it allows an enterprise to implement its security policy on a layer separate from its business rules or practices.

How DCE and Connection address SSSO

The Open Software Foundation's Distributed Computing Environment (DCE) already addresses many of these issues. DCE provides a flavor of SSSO, which uses an authentication brokering mechanism called Kerberos. In this model, a user logs on to a server; that server then authenticates the user throughout the network. From a network standpoint, Kerberos is widely accepted as one of the most comprehensive security environments available. But there still remains the issue of how to integrate previously developed applications and data sources into the SSSO framework. Connection, a middleware solution provided by Open Horizon (headquartered in South San Francisco, California), lets organizations integrate DCE without rewriting existing applications.

Together, DCE and Connection provide a robust and feature-rich security framework for implementing SSSO. DCE establishes a single source of identity and credentials, and provides a framework of access control lists (ACLs) for building authorization engines for use by DCE-enabled application servers. DCE also provides a delegation mechanism to allow preservation of client identity in multi-tier environments. Connection takes advantage of all these industry standard capabilities and adds value by providing a flexible, manageable, and scalable approach to wrapping calls to SQL databases and all other ODBC-based products inside the DCE security framework.

In addition to providing connectivity and scaling solutions, Connection extends DCE security to applications and databases. Only authorized applications can access data sources, preventing rogue or infected applications from entering the enterprise and ensuring that eager end users don't bypass the security structure with simple query tools. Connection performs this without any modification to the applications, thereby leveraging existing investments. In effect, Connection can "Kerberize" an entire enterprise without requiring developers to write any additional code. And developers can write new applications to their favorite APIs, allowing them to leverage existing development skills.

DCE's Secure Single Sign-On provides an organization with the following benefits:

Open Horizon's Connection middleware enhances these benefits by providing:

DCE and Connection in practice: Realizing a vision

The University of Arizona is using DCE and Connection today to deliver on the promise of SSSO.

John Detloff, development specialist at the University's Center for Computing and Information Technology, has been charged with bringing to reality the vision the University has for its students: to eliminate lines during registration, reduce to one the number of times they fill in their names, addresses, and social security numbers, and to allow students to conduct all campus business by simply signing on to a kiosk or dialing in to a Web gateway. This vision is taking form through the SIS 2000 (Student Information System 2000) project, which involves reengineering the University's student and financial information systems to take advantage of client/server technology. Registering for classes, applying for financial aid, or requesting transcripts can be accomplished remotely as the University makes its information systems accessible to 35,000 students and 10,000 staff members.

While SIS 2000 might be a dream come true for students and staff, from an IS perspective this initiative represents a potential security nightmare. With as many as 45,000 clients using hundreds of applications to access back-end data sources, the real challenge for Detloff and his team of developers has been to create an infrastructure that adheres to rigorous security standards - without having to rewrite applications.

"We needed to lay the foundation for end-to-end application security by adopting a standards-based security infrastructure," says Detloff. The thrust of SIS 2000 is the migration from mainframe to client/server computing to create a unified distributed computing environment. Applications written for departments had to be deployed on an enterprise level. Heterogeneous data sources needed to become available to all applications. And users needed to access these applications and databases as easily and securely as possible.

DCE provides this infrastructure umbrella, which will extend to protect all existing and future components in the University's evolving distributed computing environment. The essential ingredient that Open Horizon's Connection middleware product added to this recipe was to enable implementation of DCE without requiring any modifications to applications.

Another example of this is a major petroleum company that currently uses Connection to combine a key human resources application with the security and directory services provided by DCE. With this combination, the company can use its application of choice without requiring additional work or other resources to run the application under DCE.

The attraction of SSSO

SSSO is another feature that attracts organizations to Connection. With the DCE/Connection infrastructure, users sign on only once to the DCE environment, eliminating the need to sign on to the network, then to each application, relational database management system, or database. This provides the framework for reducing the maintenance and administration costs associated with managing passwords.

Detloff agrees that SSSO is imperative to the enterprise computing mission. "With the number of clients we're proposing, and in consideration of future expansions of the enterprise, it was critical that we reduce the number of passwords within the system."

Connection manages SSSO by transparently mapping each client's DCE identity to native database accounts, preserving the client's identity end-to-end and providing, for the first time, an automated way to incorporate distributed and heterogeneous databases inside the same single sign-on framework. The user benefits by needing to remember only one password. The database administrator gains freedom from keeping users' database passwords synchronized across several databases, and also preserves the ability to monitor and audit activity at the database level, even in three-tier environments. Most importantly, no password is ever sent over the network.
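The identity-mapping step described here, together with the earlier point that only authorized applications may reach a data source, as a constructed Python model added to this article (it is not Open Horizon's, Connection's or DCE's code): a gateway verifies the caller's short-lived credential, checks the calling application against a per-data-source registry, maps the principal to a native database account whose password only the gateway holds, and records the original principal in its audit trail. The principal names, application registry, MAC key and database secret are invented for the example.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass
# Constructed model, not Connection's code: the caller is already authenticated
# and holds a short-lived credential; the gateway trusts that, never a password.
GATEWAY_KEY = b"example-key-shared-with-authenticator"  # assumption: pre-shared

@dataclass
class Credential:
    principal: str     # DCE-style principal (invented, e.g. "cell/user/jdoe")
    application: str   # application the client runs, bound into the MAC
    expires: int       # absolute expiry, seconds since the epoch
    mac: str           # keyed MAC over the three fields above
def _mac(principal, application, expires):
    msg = f"{principal}|{application}|{expires}".encode()
    return hmac.new(GATEWAY_KEY, msg, hashlib.sha256).hexdigest()
def issue_credential(principal, application, lifetime=300):
    # Stand-in for the authentication service issuing a credential.
    expires = int(time.time()) + lifetime
    return Credential(principal, application, expires, _mac(principal, application, expires))

class Gateway:
    def __init__(self):
        # Applications allowed to reach each data source (invented registry).
        self.allowed_apps = {"students_db": {"registration", "financial_aid"}}
        # Principal -> native account; the database password lives only here,
        # so the client never holds or transmits it.
        self.accounts = {"cell/user/jdoe": ("jdoe_db", "db-secret-held-by-gateway")}
        self.audit = []  # (principal, db_user, datasource, outcome)
    def verify(self, cred, now=None):
        now = int(time.time()) if now is None else now
        expected = _mac(cred.principal, cred.application, cred.expires)
        return hmac.compare_digest(expected, cred.mac) and cred.expires > now
    def connect(self, cred, datasource):
        # Returns a handle bound to the mapped account, or None when refused.
        if not self.verify(cred):
            return self._deny(cred, datasource, "bad or expired credential")
        if cred.application not in self.allowed_apps.get(datasource, set()):
            return self._deny(cred, datasource, "application not authorized")
        if cred.principal not in self.accounts:
            return self._deny(cred, datasource, "no mapped database account")
        db_user, _db_password = self.accounts[cred.principal]  # used only here
        self.audit.append((cred.principal, db_user, datasource, "ok"))
        return {"datasource": datasource, "db_user": db_user, "on_behalf_of": cred.principal}
    def _deny(self, cred, datasource, reason):
        self.audit.append((cred.principal, None, datasource, reason))
        return None
```

A credential whose application field is altered after issue fails the MAC check, so a client cannot reuse a credential issued for an approved application from an unregistered query tool.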

"Our major concern in migrating to SIS 2000 was to have our security measures in place before users were allowed into the system," says Detloff. "Connection allowed us to use our existing applications within the DCE environment, making the transition quick, easy, and, most importantly, secure."
