© SANS Institute 2003, Author retains full rights
© SANS Institute 2003, As part of the Information Security Reading Room. Author retains full rights.
Russell Hobbs Page 4 10/6/2003
the embedded access control component. Other vendor standards are not as
commonly implemented and generally viewed as enhancements. These include
connectivity support for web servers, proxy servers, J2EE application servers, and key
management systems. The vendor that controls the standard should certify any of
these enhancements.
The last architectural enhancement is the ability to integrate with an identity system.
This will be discussed later in section 5.11.
3.2.2 Acceptance Of Terms And Conditions
Some companies are required to display legal agreements to the users and get their
acceptance before a target application can be accessed. This may be due to
contractual requirements by 3rd party content providers (News providers, financial
information providers, NASDAQ, etc.). The best time for this to occur is immediately
after the user has been authenticated. Linking this feature into the SSO system and
associated auditing should enhance evidence presentation in any prosecution or
defense action.
3.2.3 User Enabled Password Reset Feature
One of the best enhancements to implement is an automated user enabled password
reset feature. External users interact with many security systems from many
companies. Some percentage of these users will forget or misplace their password to
your system. If the user must contact customer service, then the number of users will
impact the number of customer service representatives necessary at the time of primary
target access. Seasonal access times, such as the holidays, must also be accounted
for. An automated password reset feature will help minimize human customer service
demands.
Careful consideration must be applied to this area. There are many advantages to a
friendly automated password reset process. But the difficulty of maintaining an
adequate level of security increases significantly. Generally, the SSO system becomes
less secure as the friendliness of the reset feature increases. The more secure it is, the
less user friendly. This, in turn, equates to additional customer service staffing.
Somewhere in this, a compromise will be made based on the number of users, the level
of security required, and the funding available to staff a customer support group.
Some automated solutions may not help as much as expected. Take the case of a
password reset based on a question and answer pair setup during target enrollment. If
the users access the SSO system infrequently and they forget their password, they
have probably forgotten the answers needed to complete the reset. Therefore, they
have to call customer service, defeating the original purpose of the password reset.
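The trade-off described above can be made concrete. The following is an added example, not code from the paper: a self-service reset check that normalizes answers before hashing (so small recall differences such as case or spacing do not force a customer service call), stores only salted hashes, caps failed attempts, and escalates to customer service once that budget is spent, writing an audit entry at each step. The attempt limit, the record layout and the sample enrollment are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

MAX_ATTEMPTS = 3  # assumed policy: after this, the user must call customer service


def normalize(answer: str) -> str:
    """Fold case and collapse whitespace so 'Lincoln  Elementary' == 'lincoln elementary'."""
    return " ".join(answer.lower().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    # Answers are low-entropy; a slow salted hash limits offline guessing if the store leaks.
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 100_000)


@dataclass
class ResetRecord:
    question: str
    salt: bytes
    digest: bytes
    failures: int = 0
    audit: list = field(default_factory=list)  # feeds the SSO audit trail


def enroll(question: str, answer: str) -> ResetRecord:
    """Capture the question/answer pair at target enrollment; the plaintext answer is never stored."""
    salt = os.urandom(16)
    return ResetRecord(question, salt, hash_answer(answer, salt))


def attempt_reset(rec: ResetRecord, user: str, answer: str) -> str:
    """Return 'reset', 'retry', or 'escalate' (customer service is the only remaining path)."""
    if rec.failures >= MAX_ATTEMPTS:
        rec.audit.append(f"{user}: reset refused, attempt budget exhausted")
        return "escalate"
    if hmac.compare_digest(rec.digest, hash_answer(answer, rec.salt)):
        rec.failures = 0
        rec.audit.append(f"{user}: reset answer accepted")
        return "reset"
    rec.failures += 1
    rec.audit.append(f"{user}: reset answer rejected ({rec.failures}/{MAX_ATTEMPTS})")
    return "retry" if rec.failures < MAX_ATTEMPTS else "escalate"


if __name__ == "__main__":
    rec = enroll("First school attended?", "Lincoln  Elementary")  # constructed enrollment
    print(attempt_reset(rec, "jdoe", "lincoln elementary"))  # reset
```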
3.2.4 Multiple Named Domains
Most enterprises have multiple registered Internet domain names. They are used to
logically group related items such as divisions, product sets, or security levels. Some of
the domains may be intranet only. There may be 3rd party domains that provide various
functions for the enterprise. Examples are human resources, financial services, and