
E-SSO NOW *

* Enterprise SSO, NOW

Implementing Enterprise Single Sign-On to strengthen security, conform to regulatory requirements, improve productivity and reduce costs

Challenges - Solutions - Best practices

The challenges of SSO: managing the human factor in security (page 2)
SSO solutions: the on-going search for simplicity (page 4)
Implementing SSO: myths, errors to avoid and best practices (page 9)
Conclusion: seven key points for successfully implementing SSO (page 11)
WiseGuard: third-generation E-SSO (page 12)

Implementing Enterprise SSO for rapid return on investment (ROI)

Implementing any security policy always seems to involve some kind of compromise between the level of security and business imperatives. This is one result of an increasingly decentralized approach to IT, with the proliferation of passwords complicating users' daily working procedures. So the question is: how can you reduce this complexity, which so often leads to security breaches and significant costs, due to everything from an increased need for support to lost productivity?

Today, SSO (Single Sign-On) provides a simple and pragmatic answer to this challenge. The aim is to simplify secure access to applications for users. The benefits include increased productivity and lower call center costs, while security levels and compliance with current regulatory requirements are both strengthened.

Based on the experience of some of the world's largest companies and public sector organizations, this white paper aims to help IT Managers and Security Administrators identify the most effective way to implement Enterprise SSO rapidly, so the whole business can benefit from it RIGHT NOW. Drawing on real-life scenarios and examples of best practice, it also aims to help decision-makers to:
- Understand E-SSO challenges
- Evaluate the different E-SSO solutions
- Identify the golden rules that simplify implementation of E-SSO

Information systems have never been so critical: from the front office to the back office. But they have also never been so exposed to such a range of potential threats. From vandalism to fraud, and from cybercriminality to espionage, attacks on IT systems could be costing more than $100 billion a year worldwide (source: Mi2G). In the face of these challenges, security has been climbing steadily up the list of preoccupations for IT Directors and CIOs. Adding to this pressure is the growing need to comply with industry and financial regulations such as Sarbanes-Oxley, Basel II and HIPAA.

THE CHALLENGES OF SSO: MANAGING THE HUMAN FACTOR IN SECURITY

Every year, IS Managers' efforts are increasingly devoted to implementing tighter security policies. This is often supported by setting up new authentication procedures and robust access control mechanisms: from digital certificates and secure USB keys, to smart cards and even biometrics.

A nightmare of complexity

While these security initiatives may be essential, they necessarily entail numerous operational difficulties. From ERP solutions to customer relationship management (CRM), most organizations effectively use several dozen different applications. Implementing an enterprise security policy involves protecting most of them, and this entails, as a minimum, unique identifier/password controlled access. And for 'sensitive' applications - those that require even greater protection - robust authentication procedures are essential.


Real-life examples
Robert Adam, Marketing: Robert has four children, dozens of relatives, a hundred or more friends, and 15 passwords to remember.
Sarah Smith, Finance: Sarah is the only person with authorized access to the decision support system. When she is away on training, nobody else can use it.
Brian Duval, Administration and support: Brian's team spends 30% of its time resetting passwords. The team could be much more productive.
Helen Brown, IS Security Manager: Regulatory compliance requires a robust password policy. But when you have over 1,000 applications to run...
Eric Martin, CIO: Eric spends millions of euros each year trying to make information systems secure. Yet his IS Security Manager and the users are both still complaining.

The end result is a system that is just as complex to use as it is to manage. This leads to:
- Lost user productivity. On average, every user will need to use between 8 and 12 passwords every day, and each of them will need to be changed several times a year. So every user wastes significant amounts of time each day simply connecting to various applications. What's more, each time a user forgets, loses or changes a password, hours of productive working time are lost. T-Mobile, the German leader in mobile communication systems, has estimated that before implementing SSO for its 2,200 users, the resulting lost productivity cost them around €1.4 million a year!
- Higher helpdesk costs. According to Gartner, up to 30% of all calls to helpdesks are password-related, with the main problems being people forgetting their passwords or having difficulties logging on. As the IS Manager of one major French public sector body observes*: "Every call to the helpdesk ultimately costs nearly €20, which adds up to several million euros over the course of a year".
- Less productive systems administrators. Just like support services, administrators waste untold hours repeatedly resetting passwords for different accounts and users, at significant cost. According to analysts, the loss in productivity could represent as much as 30% of systems administration budgets.
- Compromised security for IT Security Managers. While complexity gets in the way of productivity, it doesn't necessarily mean that systems are any more secure. In reality, faced with this kind of problem, users do everything they can to get round it: choosing, for example, very simple passwords (that are easy to guess), jotting down passwords or leaving them lying around on their desk... For example, one company in the defense sector* noticed during a security audit that many users use the same password everywhere, from Linux to IBM z/OS mainframes. The result: once this password had been 'cracked', even the most sensitive servers could be accessed!
- Difficulties in establishing regulatory compliance for auditors. Because they are dealing with so many heterogeneous applications, when there is no central user provisioning system in place auditors' resources are often too thinly spread over tens or even hundreds of applications. This leads to problems when it comes to obtaining, correlating and analyzing data to demonstrate that the business complies with current regulations.

- Overall dissatisfaction for CIOs. At the end of the chain, IT Directors are surrounded by unhappy people: complaints from users; pressure from business managers to conform with regulations; high support and systems administration costs; and pressure from worried IT Security Managers. What's worse, in the event of a security problem, they are seen as the 'guilty party'!

As the IT Security Manager at a leading international pharmaceutical company* commented: "We have to comply with the FDA 21 CFR Part 11 regulations. Among other things, it quickly became clear to us that the lack of unified security management on the workstation was a major handicap."

An absolute essential: a security system that can be implemented simply

All these difficulties point to a clear need: to strengthen workstation security policies while at the same time simplifying the lives of both users and systems administrators.

Single Sign-On: the ultimate security solution?

'Single Sign-On' (SSO) solutions are precisely designed to meet this need. They work on the principle that a unified authentication and access control system allows each user to identify him or herself just once - at the start of a work session - and then have totally transparent access to all the applications they need, for as long as that work session lasts.

But is SSO a myth? A long-held vision on the part of security solution providers, SSO has always raised high expectations and driven the emergence of numerous technologies. It has been through many incarnations in the past and, as a result, a number of myths persist. But today's SSO solutions largely dispel those myths: they are tried and tested, and implemented with success by a huge number of organizations.

Today, more and more businesses are committing to implementing SSO. But they are often faced with the choice of several alternative solutions. With so many different architectures, disparate functionality and benefits to choose from, how do you decide which is best? What are the alternatives? What are the pitfalls to avoid? What are the best practices? This white paper sets out to answer these questions, among others.

SSO SOLUTIONS: THE ON-GOING SEARCH FOR SIMPLICITY

Over the years, several approaches and generations of solutions have appeared in response to the need for SSO. These various solutions are all still in existence today, and sometimes cause a certain amount of confusion. The three main types of solution currently available are E-SSO, Web SSO, and Federated SSO. The forerunner to all these was password synchronization. Every organization has to examine the alternatives before choosing the most appropriate approach for its particular environment and specific priorities.

1 - Password synchronization: the precursor to SSO

Password synchronization is based on a simple idea: systematically using the same password for all applications. From this principle have emerged agent-based technologies enabling a single password to be synchronized on all systems and for all applications. While this synchronization simplifies the user's life to some extent - because only one password needs to be memorized - it nevertheless still requires the user to manually log in to each application. In addition, it has serious security limitations, because it brings the security level down to that of the weakest link: discovering one password on a poorly protected machine will subsequently give the intruder access to even the most sensitive systems! Following a brief period of interest at the end of the 1990s, password synchronization is used less and less today, despite the fact that it is inexpensive to implement. Generally, it is reserved for the rare cases where implementing SSO is problematic for various reasons.
2 - E-SSO: the Universal SSO

Universal single sign-on first made an appearance in the mid 1990s, and was dedicated to internal B2E (Business to Employee) environments. So E-SSO (Enterprise Single Sign-On) is chronologically the first form of SSO and, to date, the most complete. It works like this: install a dedicated software component on the workstation; it takes charge of primary authentication (single sign-on), but can then handle secondary authentication to each application transparently as far as the user is concerned. The advantages of this architecture are that it takes into account all kinds of application (mainframe, client-server, Web, local, etc.), and provides easy integration with robust authentication methods and fine-grained management for audit purposes.

[Figure: The different types of SSO (source: Forrester). The chart positions Enterprise SSO, Web and Federated Single Sign-On, and Web and personal Single Sign-on against user population (administered users, administered partners and users, non-administrated users), network (LAN, Extranet, Internet) and application type (client-server, Web, Web services).]
- First-generation SSO: centralized SSO. The main principle behind first-generation solutions is the strong security approach. Aimed primarily at sensitive businesses, these solutions include a centralized authentication and audit engine. To cope with the heterogeneous nature of the various applications, the earliest versions simply offered a series of APIs that required scripts to be written for each application. It is this that led to some of the earliest providers gaining a reputation for complexity. Fortunately, a number of tools appeared subsequently, enabling instantaneous integration of any application using a simple 'drag and drop' approach. Today, very large organizations including Deutsche Telekom, EADS and CNAM (the French national organization for health insurance) have deployed secure SSO solutions using this kind of architecture. The main advantages are high-level administration and security, while the limitations are mainly around the costs involved, due to the need to deploy a whole authentication server infrastructure.
- Second-generation SSO: decentralized SSO. Appearing alongside the development of enterprise LDAP directories and Kerberos Windows authentication infrastructures, a second generation of SSO solutions was then developed based on the principle of a more decentralized approach to security management. Aimed at businesses valuing simplicity over and above security, the second-generation SSO solutions relinquished the central principle of the authentication and audit server in favor of user self-service, as well as the use of LDAP directories for storing user profiles and back-to-back operation with the Kerberos authentication system running under Windows (which provides native SSO for some Microsoft applications). As a result, the SSO offered by Kerberos is extended to any application. The advantages are simplicity and greater user autonomy, while the main limitations are the minimal administration functionality, as well as in terms of security and regulatory compliance.

Later in this white paper, we will examine the third generation of E-SSO that is now available, combining the advantages of both the above approaches while at the same time addressing their respective limitations.

How SSO works

SSO is a tool that collects passwords, stores them securely, presents them to the various applications in the system and maintains them (instead of the user having to do so), operating in synergy with strong authentication tools and LDAP directories.
The main functions of SSO are to:
- Verify user identity and credentials using a primary authentication tool for which a level of security can be chosen according to need (password, token, smartcard, biometrics, etc.). SSO can be placed back-to-back with local authentication or an authentication server (Windows Kerberos / Active Directory, a dedicated server, etc.).
- Handle subsequent connections to each application transparently (logon), presenting the correct password to each application.
- Administer and audit (configuration, issuing and cancellation, changes made to passwords, accreditation, audit, etc.).

3 - Web / J2EE SSO: Web B2B and B2C SSO

A multitude of internal (B2E) and external (Business to Business (B2B) and Business to Consumer (B2C)) applications have been developed using HTML standards, in parallel with the growth of the Web. The proliferation of these applications has rapidly posed the same kind of security and simplicity problems as for traditional applications, with an additional constraint: the difficulty of installing dedicated software on the workstations of users outside the company. As a result, a specific range of Web SSO solutions emerged towards the end of the 1990s, specially adapted for http applications. The idea behind them was to establish a gateway between clients (Internet browsers such as Explorer, Firefox etc.) and Web servers (proxy architecture), or agents on Web servers (agent architecture), enabling SSO to be provided for every type of Web application. SSO solutions dedicated to Java J2EE applications were also developed along the same lines.
Their main advantage is near-perfect transparency, with no components needing to be installed on any client workstation. The main limitation is that they are only suitable for Web / Java applications, whether they are running on an intranet or extranet, or the Internet.
4 - Federated SSO: towards the extended enterprise

The employees and customers of many businesses increasingly need to access a partner organization's applications. Until now, the available technologies required each user to be specifically identified and authorized for each application. Today, new standards are appearing that take into account the fact that these days relationships are generally established between companies rather than between individuals. This means it is becoming possible to distinguish between authentication functions (identity) and access control (authorization) between different businesses. So, for example, depending on its security policy, a company may decide to grant access to individuals presenting appropriate accreditation from another company. Based on a Web SSO principle extended to meet new federated identity standards (such as Liberty Alliance and Microsoft InfoCard, which are highly user-oriented, or WS-Federation, which extends to the security of 'Web services'), these so-called 'federated' SSO technologies offer a very promising extension to Web SSO. While steadily growing in sectors such as telecoms, finance, health or industry, this type of solution is nevertheless still emerging. It currently involves more pilot projects than large-scale deployments.

The advantages of SSO

- Increased productivity. Users no longer have the problem of multiple identifiers and passwords to access applications. Once identified at the start of their day or work session, they no longer have to waste time with multiple authentications, and they no longer spend time searching for lost or forgotten passwords.
- Reduced costs. The help desk and systems administrators are no longer overloaded with password problems. Support costs typically fall by 30%, guaranteeing rapid ROI, sometimes in a matter of months.
- Stronger security. With security becoming simple to use and administer, it is finally possible to easily implement policies for secure password handling or strong authentication. Passwords are no longer displayed on workstations, where they are easy pickings for visitors and cyber pirates.
- Regulatory compliance. Finally, from SOX to HIPAA, and from GLBA to the CFR, the security procedures required by new business regulations can be easily implemented and audited, providing appropriate proof that they are being followed (using reporting and audit tools).

5 - Personal SSO: solutions for individuals

Finally, there are some 'SSO' solutions that are purely individual, dedicated to users wanting to manage their passwords locally, by their own efforts. These are often very basic, and rule out any strong management of security policies, since they are aimed at individuals rather than businesses.

Towards third-generation SSO solutions

From E-SSO to Web SSO: SSO is currently evolving at an extremely rapid pace. Web SSO has become an almost commodity product, while J2EE and federated SSO are becoming more popular. E-SSO is making a strong comeback and attracting the attention of a large number of organizations.
So the question arises: which solution should you choose?
In a B2B/B2C context, Web, J2EE or federated SSO are the ideal solutions. In a B2E context, E-SSO is essential if you want to avoid limiting SSO only to http applications. The type of architecture best suited to the needs of the company also needs to be chosen. The deployment of first-generation E-SSO software provides a powerful solution, but one which can seem cumbersome to companies where a high level of security is not the primary consideration.
Second-generation solutions are also attractive, but suffer from major gaps when it comes to administration. In effect, although they generally offer a good level of integration with heterogeneous applications, strong authentication tools and directories, these second-generation solutions often do not integrate well with real business processes. Even now, they still force users to face up to numerous constraints:
Lack of fine-tuning capability for security administration. For example:
- How to deploy different access and security policies for different applications (because each may require its own specific security measures)?
- How to check that the login really does come from an authorized user, on a given workstation, and in a specific timeslot?
- How to provide access to certain secure application services to certain categories of user (once they have been authenticated), without them needing to be aware of the access procedures and passwords?
- How to enable auditors to immediately identify exactly who has an access account to which application, to demonstrate effective compliance with current regulations?
- How to enable IS Security Managers to carry out an extremely detailed audit for each user and each application, in the event of an incident being discovered?

The difficulty of integrating fully with existing processes. For example:
- How to handle delegation processes to enable continuity of operation - during holiday periods, or when staff with the necessary skills are absent for training purposes, for example - without giving away the relevant passwords and compromising security in so doing?
- How to handle those users who have several accounts (for example a user account and a systems administrator account) for a single application?
- How to handle shared accounts (group accounts)?
All these constraints are now set to disappear, with the arrival of third-generation E-SSO solutions. The principle behind these is to combine the best of the security-oriented approach (of first-generation, centralized solutions) and the user-centered approach (of second-generation, distributed tools).
This is achieved using highly sophisticated systems administration tools and a totally flexible architecture that enables the SSO tool to be adapted to mirror the realities of business processes extremely closely.
Based on a Role-Based Management (RBM) model, the latest generation of tools fully takes account of actual business processes (delegation between users, multiple accounts for one user, different means of authentication depending on the sensitivity of each application in terms of security or according to the user's access point, etc.) and administration requirements (from the most delegated to the most centralized management approaches). In other respects, it offers auditors powerful reporting and audit tools, themselves essential for guaranteeing and proving regulatory compliance.
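As an added illustration (not Evidian's code and not taken from this white paper), the following Python model ties together the "How SSO works" box, the two constraint lists above and the RBM paragraph: one primary login opens a session; each application's policy is checked for authentication strength, workstation and timeslot; an account can be delegated to a colleague without disclosing its password; the secondary password is renewed automatically on schedule; and every event lands in an audit trail that auditors can report on. All names, policies and the SHAKE-256 sealing of stored passwords are constructed assumptions for the example.

```python
from collections import namedtuple
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import hashlib, hmac, os, secrets, string

# AppPolicy (constructed): min_auth 1 = password only, 2 = password + smart card / OTP;
# workstations = permitted names (empty = any); hours = (start, end) timeslot; rotate_days.
AppPolicy = namedtuple("AppPolicy", "name min_auth workstations hours rotate_days", defaults=[30])
Session = namedtuple("Session", "user auth_level workstation")   # result of primary login

@dataclass
class Credential:
    account: str
    secret_enc: bytes                            # nonce || sealed secondary password
    rotated: datetime
    delegates: set = field(default_factory=set)  # users allowed to use this account

def generate_password(length=20):
    alphabet = string.ascii_letters + string.digits + "!$%*+-_"   # long, random, never memorised
    return "".join(secrets.choice(alphabet) for _ in range(length))

class SsoVault:
    def __init__(self, policies):
        self.policies = {p.name: p for p in policies}
        self.creds = {}                   # (owner, app) -> Credential
        self.audit = []                   # (when, user, workstation, event, result)
        self._users = {}                  # user -> (salt, verifier) for primary authentication
        self._vault_key = os.urandom(32)  # protects the stored secondary passwords

    # -- primary authentication: one login per work session --------------------
    def enroll(self, user, password):
        salt = os.urandom(16)
        self._users[user] = (salt, self._kdf(password, salt))

    def login(self, user, password, workstation, when, second_factor=False):
        salt, verifier = self._users.get(user, (b"", b""))
        ok = bool(verifier) and hmac.compare_digest(self._kdf(password, salt), verifier)
        self._log(when, user, workstation, "primary-login", "ok" if ok else "denied")
        return Session(user, 2 if second_factor else 1, workstation) if ok else None

    def store(self, session, app, account, password, when):   # owner registers an account
        self.creds[(session.user, app)] = Credential(account, self._seal(password), when)

    def delegate(self, session, app, to_user, when):
        self.creds[(session.user, app)].delegates.add(to_user)   # password stays sealed
        self._log(when, session.user, session.workstation, f"delegate:{app}->{to_user}", "ok")

    # -- secondary authentication: transparent logon, checked against policy ---
    def logon(self, session, app, when):
        pol = self.policies[app]
        cred = self._find(session.user, app)
        result = self._check(pol, session, cred, when)
        if result == "ok" and when - cred.rotated > timedelta(days=pol.rotate_days):
            # the SSO renews the application password itself, on schedule
            cred.secret_enc, cred.rotated = self._seal(generate_password()), when
            self._log(when, session.user, session.workstation, f"rotate:{app}", "ok")
        self._log(when, session.user, session.workstation, f"logon:{app}", result)
        if result != "ok":
            return None
        return cred.account, self._open(cred.secret_enc)  # handed to the app, not the user

    def _find(self, user, app):   # the user's own credential, or one delegated to them
        return self.creds.get((user, app)) or next(
            (c for (_, a), c in self.creds.items() if a == app and user in c.delegates), None)

    @staticmethod
    def _check(pol, session, cred, when):
        if cred is None:
            return "no-account"
        if session.auth_level < pol.min_auth:
            return "authentication-too-weak"
        if pol.workstations and session.workstation not in pol.workstations:
            return "workstation-not-permitted"
        if not pol.hours[0] <= when.hour < pol.hours[1]:
            return "outside-timeslot"
        return "ok"

    def access_report(self):   # for auditors: which accounts exist on which application
        return sorted((app, c.account, owner, sorted(c.delegates))
                      for (owner, app), c in self.creds.items())

    def _log(self, when, user, workstation, event, result):
        self.audit.append((when.isoformat(timespec="minutes"), user, workstation, event, result))

    # -- crypto helpers (a SHAKE-256 keystream stands in for a real AEAD) ------
    @staticmethod
    def _kdf(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _seal(self, text):
        nonce = os.urandom(16)
        return nonce + self._xor(nonce, text.encode())

    def _open(self, blob):
        return self._xor(blob[:16], blob[16:]).decode()

    def _xor(self, nonce, data):
        pad = hashlib.shake_256(self._vault_key + nonce).digest(len(data))
        return bytes(a ^ b for a, b in zip(data, pad))
```

Each refusal reason ("authentication-too-weak", "workstation-not-permitted", "outside-timeslot", "no-account") is written to the audit trail alongside every successful logon, delegation and rotation, which is the record the auditors' questions above ask for.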
Advantages of third-generation SSO solutions:
- Productive and satisfied users.
- Support staff and systems administrators who can finally focus more on the value-added aspects of their role.
- Happier IT Security Managers.
- Business managers reassured about security and regulatory compliance, and the resulting productivity gains for their business processes.
- Financial Directors happy with their rapid ROI.
- And finally, IT Directors and CIOs being congratulated.
Today, only one solution available in the marketplace fully implements this third-generation approach: Evidian WiseGuard.
The advantages of third-generation SSO stem from the fact that it combines all the user flexibility of the second-generation solutions with the advanced administration tools of the first generation. This approach enables organizations to get the right balance between security and user-friendliness, as well as reflecting the appropriate level of centralization/decentralization for their particular operations. They decide exactly where the 'tipping points' are for their business: offering users a great deal of leeway and at the same time ensuring high levels of security to satisfy the demands of the company and the IT Security Manager, and in turn ensuring more effective compliance with current regulatory regimes.

Towards third-generation E-SSO, reflecting real business processes

              First generation          Second generation      Third generation
Architecture  Centralized               Distributed            Flexible
Security      Strong                    Medium                 Strong
Cost          High                      Low                    Low
Focus         Centered on               Centered around        Centered on
              authentication server     users                  business processes

IMPLEMENTING SSO: MYTHS, ERRORS TO AVOID AND BEST PRACTICES

Many IT Security Managers and IT Directors / CIOs are asking themselves: "Which E-SSO should we be implementing, how can we get the greatest benefits from it and how can we maximize our ROI?" With this in mind, it is vital to de-bunk the myths, and to be aware of the main mistakes to avoid and best practices.

The myths and the realities

Three great myths, usually a result of past experiences, prevail about SSO.

1 - There will be no need for SSO products given the current developments in information systems, which will mean that they will soon feature native SSO. In the decade or so since SSO software came into being, the merchants of doom have been predicting its imminent disappearance in the face of the integration of Kerberos within Windows, the increased Web-enabling of applications, and the development of ADFS and Liberty Alliance. So many technologies which "would integrate SSO natively, rendering dedicated software null and void". A prediction that is constantly contradicted by the facts! Because today the facts show that the SSO market is very far from dying out, and is in actual fact growing extremely rapidly!
As the CIO of one large health sector organization* commented recently: "Web applications or applications integrated within Kerberos/Windows account for less than 30% of our information system, and will remain in the minority for many years to come. If we relied on them to provide a universal and native SSO, we would be condemned to wait indefinitely. But the need for security, for productivity and regulatory compliance will not wait: and they affect the whole of our information system!"

2 - SSO reduces security levels, because "primary password theft would deliver up the keys to an entire kingdom", in other words access to all applications. But this is a case of tunnel vision. With only one password to memorize, the user can choose an extremely complex - and therefore very safe - identifier, with no need to remind themselves what it is by writing it on a Post-It note on their desktop. What's more, SSO enables and facilitates the implementation of strong authentication methods, which inherently reinforces security levels!
"Reduced security is a purely theoretical concern," commented one CIO for a major corporation working in the defense sector*. "In practice, SSO centralizes the point of administration and control. It's much easier and safer than having to manage multiple points of control, corresponding to so many different applications".

3 - SSO would be complicated to implement. Today, most SSO solutions are activated for the majority of applications via a simple 'drag & drop' action, without any need for scripting or software development work. SSO solutions are also easily deployed on a grand scale. For example, several organizations employing over 100,000 people have already successfully implemented E-SSO, including Total, Deutsche Telekom and others.
This is confirmed by this comment from the IT Security Manager for a major Telecoms organization*: "Configuring SSO for our applications was very simple. Technically, a prototype was set up in just a few days. The actual implementation was done over the space of a few months, providing extremely rapid ROI!"

The two key mistakes to avoid

1 - Not understanding the difference between E-SSO, Web SSO, and Federated SSO. It is vital to distinguish between internal users - where you have some control over the workstation they are using - and external users with access via the Web. E-SSO will be more suitable for the former, providing SSO to all applications (client-server, Web, emulator, etc.). A Web, J2EE or federated SSO tool will be better suited to the latter, adding access control functions to the overall functions of the SSO tool. However, it is important that E-SSO and Web SSO tools can interoperate, notably for nomadic users.
As the CIO of a large defense company* is at pains to point out: "Each technology is adapted to a very precise need. For our staff, we have deployed an E-SSO. As for our Extranet, it is based on Web SSO".

2 - Failure to take real business processes into account. Users' day-to-day business life involves very real needs to delegate to others, manage multiple accounts, share accounts, etc. In the same way, when it comes to systems administration, you have to completely separate the organizational and the technical roles.
"If you ignore these constraints, you risk implementing an SSO solution that may integrate perfectly with your user authentication tools and applications, but will leave a lot to be desired when it comes to actually operating your business!" remarked the IT Security Manager of a major manufacturer*.
Hence the interest in third-generation E-SSO tools.
Five keys to best practice

1 - Achieve full integration with all the organization's directories. Directories such as Microsoft Active Directory, Sun Java System Directory Server, Novell eDirectory and others are at the heart of user profile management in today's businesses. Clearly, the key is to get the most from these infrastructures and use them and your existing data to their best advantage, by choosing an SSO that natively integrates with them (with no need to duplicate this infrastructure), and that uses and capitalizes on business groups and profiles that have already been set up.
As the CIO of a major French bank (CDC) highlights: "The directory is a key item for any identity management and SSO project. It is essential that the security functions can be organized around it".

2 - Strengthen authentication policy. At the same time as reinforcing a security system, it is vital to also strengthen its access key. Hence the importance of linking SSO in with a program of enhancing password policies: for example, introducing longer passwords, or passwords generated automatically and changed every month. This offers a dual benefit: it relieves the user of the task of managing their own passwords, and at the same time strengthens security. In addition, the SSO can act as an excellent support for the deployment of strong authentication technologies, speeding up ROI as a result.
As the CIO at the world's fourth largest oil company, TOTAL, comments: "Security principles are only worthwhile if they are applicable AND applied by the user. SSO has allowed us to enhance our security, at the same time as it has simplified the lives of our users".

Strong authentication methods

These can combine one or even two identity verification methods (for example password and smart card):
- One-Time Password (OTP) tokens
- Smart cards
- USB keys
- Contactless cards
- Biometrics (for example, fingerprint, iris recognition, etc.)

3 - Offer auditing and reporting tools to demonstrate regulatory compliance. Today's major financial and business regulatory frameworks (such as Sarbanes-Oxley, HIPAA and others) require organizations to guarantee a certain level of security when it comes to their information systems. To meet these requirements, powerful tools for generating reports (indicating which accounts belong to each application, who has access to what, etc.) and audits (who is connected to which application, at which point in time, etc.) are essential.
As an IT Manager at Manpower, a world leader in the employment services industry, recalls: "Our first objective was to implement SSO to reduce costs. But it has had additional benefits, helping us meet other major objectives, such as compliance with Sarbanes-Oxley legislation."

Nevertheless, it is important to choose an SSO tool that does not just apply to the Windows login console, but which also enables detailed and centralized analysis. Third-generation SSO provides a powerful solution in this respect.

4 - Involve everyone, from the Chief Executive to the users, in the project. Experience shows that the main obstacles encountered when implementing SSO are rarely technical, but are instead linked to the organization or the personalities involved.
"The main sponsor of SSO is the user," explains the IT Security Manager of a major Spanish company*. "So it is essential to involve users early on in the project, and then keep them informed and motivated. If they feel they are not being listened to, the project may be doomed to failure. In the same way, it is useful that the project is presented to the Managing Director of the organization and supported by him or her. SSO is one of the rare projects that involves everyone in the company, and this has to be taken into account. Conversely, it is also an excellent means for the IT Director and the IT Security Manager to be recognized for their contribution".

5 - Use SSO as an entry point or a way of facilitating identity and access management (IAM) projects. Choosing to start with an SSO project enables the organization to respond rapidly, and relatively cheaply, to an immediate problem relating to security, flexibility and regulatory compliance, with rapid ROI, while also paving the way for future developments and provisioning (SSO and provisioning being complementary). Another approach is to put in place SSO after (or in parallel with) a provisioning or strong authentication project, to facilitate its implementation and improve ROI.

"Our first objective was to improve the productivity of our users," explains the IT Security Manager at T-Com, the German telecommunications operator. "That's why we launched the SSO project ahead of any other identity and access management project."

CONCLUSION: SEVEN KEY POINTS FOR SUCCESSFULLY IMPLEMENTING SSO
1. Distinguish clearly between requirements: E-SSO, Web SSO and Federated SSO. These different types of SSO co-exist and fulfill distinct needs. As a result, it is important to clearly identify priorities, and the tools chosen to deliver them.
2. Take into account actual business policies and processes: delegation, fine-grained access control, etc. Taking these needs into account is essential to the successful operational deployment of SSO.
3. Integrate fully with the company's directories. It is vital to make the most of existing infrastructures and data in distributed LDAP directories, and use them to best advantage.
4. Link SSO to overall security improvements. By combining SSO with the implementation of strong password policies or strong authentication, the organization can speed up its ROI, thanks to the productivity improvements and reduced user costs enabled by SSO.
5. Offer comprehensive audit tools to prove regulatory compliance. Choosing an E-SSO that includes comprehensive audit tools can be a very useful aid in this respect. This particularly involves choosing tools that enable detailed and centralized reporting.
6. Make sure users are actively involved in the project. The first sponsor of SSO is, above all, the user. Involving users early on in the project and taking into account the real business processes are essential to success.
7. Use SSO as an entry point for identity and access management projects. Choosing an evolutionary approach, and one that is capable of integrating with IAM solutions, is important to ensure that any investment in SSO now can deliver even more value in the future.
We hope that this white paper will make a useful contribution to businesses' deliberations
about the prospects for implementing E-SSO.
* For security reasons, and because of the sensitive nature
of their information systems, these customers wish to
remain anonymous.

Further information: you will find other white papers plus personalized advice on how to optimize your SSO and identity and access management implementation at: www.evidian.com/iamnow


WiseGuard: third-generation E-SSO

As an expert and pioneer in SSO and identity management, Evidian was the first software publisher in the world to successfully implement large-scale deployments of secure E-SSO from the end of the 1990s (for over 70,000 users at the CNAM and 100,000 at T-Com, among many others). In 2002, Evidian launched the world's first 'plug and play' Web SSO solution built using a gateway architecture. With its WiseGuard 3G software, Evidian now offers the first complete third-generation E-SSO solution, combining security, productivity and rapid ROI.

The first of the third-generation E-SSO solutions, WiseGuard capitalizes on the entire expertise of Evidian with regard to first and second-generation E-SSO. Perfectly integrated with directories, applications and strong identification resources, as well as with business processes, WiseGuard offers three distinct advantages:
- A complete and open E-SSO solution. WiseGuard combines several modules to offer a complete E-SSO solution. The core component - SSOWatch - provides a simple and secure SSO module. To further enhance security, WiseGuard also supports the whole spectrum of strong authentication solutions, from certificates to biometrics, with its Advanced Login facility, and can manage the lifecycle of smart cards or USB keys with Token Manager. Finally, its Extended Manager console reinforces access administration, and facilitates administration and audit operations. The key advantage is a totally secure SSO that further strengthens regulatory compliance.
- A solution focused on the organization's security policy. Bridging the gap between traditional E-SSO tools and the actual management policies adopted by enterprises, WiseGuard enables E-SSO management centered on actual business and security policies. The Extended Manager component - the most sophisticated and highly developed console of any solution on the market - enables easy management of system administration, delegation and audit. The advantages? Better management performance, focused on business needs and user privileges, and fully aligned with the organization. Security, regulatory compliance and user productivity are all reinforced.
- A totally flexible and distributed solution. WiseGuard can be totally integrated with the organization's directories - whether these are Microsoft Active Directory or ADAM, Sun Java System Directory Server, Novell eDirectory, IBM Directory or any other LDAP directory - and is based on their existing organizational structures. It is not necessary to duplicate the infrastructure with additional authentication or management servers, nor with appliances that are complex to implement and synchronize.

WiseGuard's non-intrusive architecture and its capacity to be implemented in a distributed LDAP environment enable rapid deployment of E-SSO for many hundreds of thousands of users.

An open solution, WiseGuard integrates with most industry-standard identity management solutions, including those from Oracle, Novell, IBM Tivoli, Sun, CA and others.

WiseGuard is, of course, also integrated with the Evidian global identity and access management suite, which provides numerous complementary functions including Web/J2EE access control, identity management and provisioning.

WiseGuard: A complete, secure and flexible approach to E-SSO

Evidian WiseGuard incorporates a central component (SSOWatch) plus three optional components:

SSOWatch
SSOWatch provides the core SSO functions, and adapts to each application using 'drag-and-drop' type configuration. No modifications to applications are needed for them to work with WiseGuard. SSOWatch is based on distributed LDAP architectures for storing the authentication policies and re-uses the identities described in existing LDAP databases. It can be installed on a workstation, a Citrix MetaFrame server or a Microsoft Windows Terminal Server.

Advanced Login
Advanced Login complements SSOWatch by providing a vast choice of strong authentication methods: smart cards, USB keys, or biometric authentication.

Token Manager
Designed for organizations that want to protect selected access points using smart cards or USB keys, Token Manager enables the entire life cycle of the card or key to be managed, from initial attribution to renewal.

Extended Manager
Extended Manager provides an intuitive graphical interface that enables the management of advanced SSO policies such as:
- Administration roles: definition of dedicated administration views, as a function of the business entities or user groups concerned.
- Extended SSO policy: suspension, modification or revoking of application software accounts. It is also possible to define or create password policies, or update or delete passwords.
- Access point policy: definition of obligatory access points (workstations) and working hours, etc.
- Advanced audit and analysis: to reinforce security and guarantee regulatory compliance.
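As an added illustration (not Evidian or WiseGuard code) of the policy checks listed under Extended Manager and of the report and audit views described in point 3 (who has access to what; who connected to which application, and when), the following Python model evaluates an SSO credential-injection request against constructed account, suspension and access point (workstation and working hours) policies, records every decision, and derives both views from the recorded data. All function names and sample data are hypothetical.

```python
# Added example (not Evidian/WiseGuard code): a toy model of the Extended SSO
# policy checks and the audit/report views described above; all names and the
# sample data are constructed for illustration.
from datetime import datetime, time

# Constructed policy data: user -> {application: stored account name}.
ACCOUNTS = {"alice": {"SAP": "a.smith", "Mail": "asmith"}, "bob": {"SAP": "b.jones"}}
SUSPENDED = {("bob", "SAP")}  # (user, application) accounts suspended by an administrator
# Access point policy: (obligatory workstations, start of working hours, end).
ACCESS_POINTS = {"alice": ({"WS-001", "WS-002"}, time(8, 0), time(19, 0)),
                 "bob": ({"WS-010"}, time(9, 0), time(18, 0))}

def evaluate(user, app, workstation, when, audit):
    """Decide whether the SSO may inject the user's stored credentials into `app`
    from `workstation` at `when`. Every decision, allowed or not, is audited."""
    if app not in ACCOUNTS.get(user, {}):
        decision = "DENY: no account for this application"
    elif (user, app) in SUSPENDED:
        decision = "DENY: account suspended"
    elif user not in ACCESS_POINTS or workstation not in ACCESS_POINTS[user][0]:
        decision = "DENY: workstation is not an authorised access point"
    elif not (ACCESS_POINTS[user][1] <= when.time() <= ACCESS_POINTS[user][2]):
        decision = "DENY: outside working hours"
    else:
        decision = "ALLOW"
    audit.append({"user": user, "application": app, "workstation": workstation,
                  "time": when.isoformat(timespec="minutes"), "decision": decision})
    return decision

def who_has_access_to_what():
    """Report view: application -> sorted users holding a live (non-suspended) account."""
    apps = sorted({app for accts in ACCOUNTS.values() for app in accts})
    return {app: sorted(u for u, a in ACCOUNTS.items()
                        if app in a and (u, app) not in SUSPENDED) for app in apps}

def connections(audit, app):
    """Audit view: who connected to `app`, and when (successful sessions only)."""
    return [(e["user"], e["time"]) for e in audit
            if e["application"] == app and e["decision"] == "ALLOW"]

def run_sample():
    """Replay three constructed access attempts and return the audit trail."""
    log = []
    evaluate("alice", "SAP", "WS-001", datetime(2024, 3, 4, 9, 30), log)   # allowed
    evaluate("bob", "SAP", "WS-010", datetime(2024, 3, 4, 10, 0), log)     # suspended
    evaluate("alice", "Mail", "WS-099", datetime(2024, 3, 4, 22, 0), log)  # wrong access point
    return log
```

Because denied attempts are recorded alongside allowed sessions, the same audit trail supports both the compliance report and the detection of access attempts from unauthorised workstations or outside working hours.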

Figure: WiseGuard's four components. Entry-level solution: SSOWatch (start with a simple SSO solution). Advanced Login and Token Manager (implement an integrated strong authentication and card management solution). Advanced security administration: Extended Manager (put in place an advanced tool for security policy administration).


DEPLOYING E-SSO WITH WISEGUARD: THREE PROJECT TYPES

WiseGuard is particularly appropriate to three main types of project. These approaches are not exclusive: a Type 1 project can subsequently develop into a Type 2 or Type 3 approach.

TYPE 1 APPROACH: deploying a straightforward E-SSO solution.
Some organizations want to strengthen user productivity above all, while maintaining a good level of security. To do this, it is possible simply to deploy the basic WiseGuard module, SSOWatch. The result is a rapid project, delivering immediate benefits.
To improve its customer service, T-Com (the number one fixed telephony provider in Germany) wanted, for example, to facilitate secure access for its call center staff to all applications, while continuing to maintain a high level of security. Thanks to Evidian's WiseGuard solution and SSO, T-Com's call center staff can now instantaneously access all the applications they need. Productivity and customer satisfaction have improved considerably, while preserving the highest levels of security.
TYPE 2 APPROACH: combining E-SSO and strong authentication.
Some organizations want to reinforce their security policy without penalizing users with complexity, by combining the implementation of strong authentication tools (tokens, smart cards, biometrics, etc.) and E-SSO. Either the E-SSO software must facilitate deployment of an existing third-party strong authentication device, or the selected E-SSO must offer its own strong authentication infrastructure. The result in both cases is a more ambitious project, but with high rewards in terms of security and, of course, productivity.
For example, the world's fourth largest oil and gas company, Total, wanted to reinforce and simplify its password management, and secure access for its 111,000 staff to its applications, using a smart card system. Thanks to WiseGuard's SSOWatch, Advanced Login and Token Manager components, Total was able to improve its security (robust user authentication, controlled access in terms of profiling, audit and alarms), while enhancing ease of use and reducing support demands with regard to password management.
TYPE 3 APPROACH: implementing advanced E-SSO and administration.
Finally, some organizations are looking to combine E-SSO and advanced security administration for commercial or regulatory reasons. This approach involves deploying an advanced administration console. The result is finely-tuned management of their security policies and tight regulatory compliance.

A leading European distribution company wanted, for example, to manage a high level of security while facilitating the day-to-day work of its employees (who didn't all have fixed workstations, and who therefore had to identify themselves - one by one - on basic terminals). The company implemented WiseGuard in 'fast user switching' mode with its advanced administration console, Extended Manager. The benefits? A high level of security and productivity for all their users!

Try WISEGUARD NOW:

Request a customized demonstration or download a trial version: http://www.evidian.com/wiseguard


ABOUT EVIDIAN
Evidian, a subsidiary of the Bull Group, is the European number one in SSO and identity and access management (IAM), and among the world leaders in this area.
From E-SSO and access control to identity management and provisioning, Evidian offers a wide range of IAM software, designed to secure the extended enterprise.
WiseGuard, Evidian's E-SSO solution, is the first true third-generation offering fully geared to support actual business processes.
Evidian's highly scalable and flexible range of solutions enables organizations to be more responsive and productive, while reducing their costs, successfully implementing their security policies and improving their regulatory compliance (Sarbanes-Oxley, Basel II, HIPAA, etc.), in line with their business priorities and strategies.
Evidian's software range is used in many of the biggest organizations in Europe, Asia and the USA, in industries including telecoms (Deutsche Telekom, Telecom Italia, Neuf-Cegetel, Telenor, etc.), the public sector (Interpol, ACOSS, etc.), manufacturing (Nissan, Total, etc.), services (Deutsche Post, Manpower, etc.), finance (Dexia, CDC, etc.) and the health sector (CNAM, etc.).
Evidian's technology has been awarded numerous prizes and trophies, with several awards from SC Magazine, the number one global publication dedicated to IT security.
For more information, please visit: www.evidian.com

version 1.1
