Password Management System

Password management policies and procedures should be an integral part of any organization's security practices. Although password management can be automated and made simple to administer through software, many organizations fail to follow through on their own password management policies. An organization that does not enforce its password policies makes it easier for attackers and identity thieves to break into the corporate environment. The good news is that corporate password management policies can be automated through software to ensure compliance.

CloudAccess recommends the following to protect the confidentiality of your passwords:

  1. Password policy: Define enterprise-wide password management policies and requirements.
  2. Prevent capture: Set up the policies, systems and procedures that minimize or eliminate the possibility of password capture.
  3. Prevent password guessing and cracking: Configure password mechanisms to reduce the likelihood that a password can be guessed or cracked.
  4. Password expiration policy: Determine the requirements for an enterprise-wide password expiration policy.

To mitigate the risk of password theft or tampering, organizations should consider a number of preventive measures, including policies for password storage and transmission. Password policies should also include measures to prevent guessing and cracking; requiring strong passwords is the usual way to mitigate these risks. The enterprise policies should also define how forgotten passwords are recovered and how passwords are reset, since a weak reset process undermines an otherwise strong policy. CloudAccess Identity and Access Management (Web SSO and SaaS SSO) has comprehensive capabilities for setting, monitoring and managing enterprise password policies.
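The storage and guessing-resistance points above are easier to see in code. The following is an added example, not CloudAccess code: an in-memory account store that enforces a minimum policy when a password is set, stores only a salted, iterated PBKDF2-HMAC-SHA256 hash (so an offline cracker pays the iteration cost for every guess), and locks the account after a run of online failures. The policy values, the small denylist and the account names are constructed assumptions; protecting the password in transit (TLS) is outside this block.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Policy values below are illustrative assumptions, not CloudAccess settings.
MIN_LENGTH = 12
MAX_FAILURES = 5             # online guesses allowed before the account locks
LOCKOUT_SECONDS = 900        # lock duration after MAX_FAILURES consecutive failures
PBKDF2_ITERATIONS = 600_000  # OWASP guidance for PBKDF2-HMAC-SHA256
# Constructed denylist; a real deployment would check a breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}


def check_policy(password: str, username: str) -> list[str]:
    """Return the policy violations for a candidate password (empty if acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if username.lower() in password.lower():
        problems.append("contains the username")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("is a commonly used password")
    return problems


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated hash: each offline guess costs the attacker `iterations` HMACs."""
    salt = os.urandom(16)  # fresh random salt per password defeats precomputed tables
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _alg, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex),
                             int(iterations), dklen=32)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))  # constant-time compare


@dataclass
class Account:
    stored_hash: str
    failures: int = 0
    locked_until: float = 0.0


class PasswordStore:
    """In-memory store: policy enforced at set time, lockout enforced at login."""

    def __init__(self, iterations: int = PBKDF2_ITERATIONS):
        self.iterations = iterations
        self.accounts: dict[str, Account] = {}

    def register(self, username: str, password: str) -> list[str]:
        problems = check_policy(password, username)
        if not problems:
            self.accounts[username] = Account(hash_password(password, self.iterations))
        return problems

    def login(self, username: str, password: str, now: float | None = None) -> str:
        """Returns "ok", "invalid" or "locked"; `now` is injectable for testing."""
        now = time.time() if now is None else now
        acct = self.accounts.get(username)
        if acct is None:
            # Burn the same work as a real check so timing does not reveal valid usernames.
            hash_password(password, self.iterations)
            return "invalid"
        if now < acct.locked_until:
            return "locked"  # the password is not evaluated at all while locked
        if verify_password(password, acct.stored_hash):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.failures = 0
            acct.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "invalid"
```

The lockout counter limits online guessing against the live system; the iterated salted hash limits offline cracking of a stolen password database. Both are needed, because a policy that only demands strong passwords does nothing once the hashes leak.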

An Introduction to Single Sign On (SSO)

Single sign-on (SSO) technology allows a user to authenticate once and then access all the resources the user is authorized to use. Authentication to the individual resources is handled by the SSO technology in a manner that is transparent to the user. The SSO system can create a unique, strong password for each resource and change those passwords regularly. Usually the end user does not know any of the resource passwords, only the SSO password. Because a different password is used for each resource and the user does not need to memorize them, the SSO system can make each password as strong as the resource will support and change it frequently. SSO can also support the storage and use of multiple identifiers for a single user, for example scarfone on one system and a different identifier on another.

It is unlikely that any SSO solution can provide authentication for every possible system and resource. However, even when it covers only some of them, an SSO technology can be very effective in reducing the number of usernames and passwords that users need to remember and the number of times they have to authenticate. The benefit of SSO in reducing help desk costs, largely through fewer password resets, is well studied and documented.

There are many possible architectures for SSO technologies. A common architecture is to have an authentication service, such as Kerberos, for authenticating SSO users, and a database or directory service, such as one accessed through the Lightweight Directory Access Protocol (LDAP), that stores authentication information for the resources the SSO handles. Regardless of the exact architecture, an SSO solution usually includes one or more centralized servers containing authentication credentials for many users. Such a server becomes a single point of failure for authentication to many resources, so the availability of the server affects the availability of every resource that relies on it for authentication. Also, any compromise of the server can compromise credentials for many resources, which makes the security of the server particularly important.

User authentication to the SSO technology itself is also very important. If proper mutual authentication is not performed, the SSO technology is vulnerable to man-in-the-middle (MITM) attacks. All communications of sensitive authentication information, such as passwords, should have their confidentiality and integrity protected through the use of FIPS-approved cryptography. Replay attacks are also a concern for authentication credentials, so timestamps or other mechanisms to thwart replay attacks should be included in credential transmissions. Another major concern with SSO user authentication is that an SSO password is susceptible to compromise through social engineering, phishing, keylogging, or other means, and compromise of that single password could grant an attacker access to many resources; this is why the SSO login itself is the natural place to require a second authentication factor.
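The integrity and anti-replay requirements above can be shown with a minimal credential exchange between an SSO server and one resource. This is an added example, not CloudAccess code and not any standard SSO protocol: the issuer produces an assertion carrying the user, the intended resource (audience), issued-at and expiry timestamps and a random nonce, and protects it with HMAC-SHA256 under a key assumed to have been provisioned to both sides out of band. The verifier checks the HMAC before trusting any field, rejects assertions for another resource, stale or future-dated assertions, and any assertion presented twice. Key, user and audience values are constructed; confidentiality of the exchange is assumed to come from the transport (for example TLS with mutual authentication) and is not shown.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import secrets


def issue_assertion(key: bytes, user: str, audience: str, now: float, ttl: int = 60) -> str:
    """SSO server side: HMAC-protected, time-bounded, single-use assertion for one resource."""
    body = {
        "sub": user,                    # the SSO user
        "aud": audience,                # the resource this assertion is valid for
        "iat": int(now),                # issued-at timestamp
        "exp": int(now) + ttl,          # short lifetime bounds the replay window
        "nonce": secrets.token_hex(8),  # lets the verifier detect a re-presented assertion
    }
    payload = base64.urlsafe_b64encode(json.dumps(body, sort_keys=True).encode()).decode()
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


class AssertionVerifier:
    """Resource side: checks integrity, audience and freshness, then single use."""

    def __init__(self, key: bytes, audience: str, skew: int = 30):
        self.key = key
        self.audience = audience
        self.skew = skew  # tolerated clock drift between issuer and verifier, seconds
        # nonce -> exp; an entry is dropped once the assertion could no longer pass
        # the expiry check anyway, so the cache stays bounded by ttl + skew.
        self.seen: dict[str, int] = {}

    def verify(self, token: str, now: float) -> tuple[bool, str]:
        """Returns (True, subject) on success, otherwise (False, reason)."""
        try:
            payload, tag = token.rsplit(".", 1)
        except ValueError:
            return False, "malformed"
        expected = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False, "bad signature"  # integrity first: no field is trusted before this
        try:
            body = json.loads(base64.urlsafe_b64decode(payload))
        except ValueError:
            return False, "malformed"
        if body.get("aud") != self.audience:
            return False, "wrong audience"  # an assertion for another resource is not ours
        if now > body["exp"] + self.skew:
            return False, "expired"
        if body["iat"] > now + self.skew:
            return False, "issued in the future"
        self._evict(now)
        if body["nonce"] in self.seen:
            return False, "replay"  # same assertion presented a second time
        self.seen[body["nonce"]] = body["exp"]
        return True, body["sub"]

    def _evict(self, now: float) -> None:
        self.seen = {n: e for n, e in self.seen.items() if e + self.skew >= now}
```

The order of checks matters: the signature is verified before the payload is parsed, so an attacker who tampers with the audience, subject or timestamps cannot even reach the later checks. The nonce cache only has to remember assertions that are still within their lifetime, which is what keeps the timestamp and the nonce useful together rather than redundant.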

CloudAccess SSO

CloudAccess SingleSource is a comprehensive and affordable enterprise-class cloud-based security platform. CloudAccess Access Management provides single sign-on for web, internet and intranet applications (Web SSO) and for Software-as-a-Service applications (SaaS SSO). These solutions address the key password management and synchronization challenges discussed here. CloudAccess Web SSO and SaaS SSO allow enterprise-level policy setting, with time-based and role-based controls, password policy and authentication capabilities, and encryption, and work with virtually any environment.
