Ever considered how many passwords are used by employees in your organization? And how many workers cannot remember their secret character set and write it down on a piece of paper that they keep next to the computer? What percentage of all help desk calls are related to passwords, such as password recovery?
According to LastPass research, the average number of passwords per employee ranges from 25 to 97 depending on the size of the organization and industry. At the same time, as DigitalGuardian notes, about 18% of users use the same passwords to access various services, 38.6% of users write passwords on a piece of paper lying next to the computer, about 16% save them in a separate file on the computer.
At the same time, Gartner estimates that 40% of all help desk calls are due to password transactions. And this despite the fact that every year there are on average 21 calls to such services per user (data from META Group).
The introduction of the Single Sign-On (SSO) approach will help to relieve the burden on the support service and at the same time increase the information security in the company. SSO provides the ability to authenticate once and then access protected resources or applications without having to re-enter credentials. At the same time, for a combination of convenience and security, the first login is performed using multi-factor authentication.
To implement the Single Sign-On approach, large companies are building centralized authentication systems based on Identity and Access Management (IAM) solutions.
There are many IAM solutions on the market today. All of them, in addition to Single Sign-On, provide the following main functionality:
- Authentication, including multi-factor.
- Adaptive Authentication (applies stronger forms of authentication based on the context of the user—geolocation, device they’re logging in from, and so on).
- Session management.
In this article, we have collected information about IAM solutions on the Russian market, practices and recommendations for choosing them, and compared this with our experience in implementing these solutions. I note that we will consider only On-Premise solutions.
Main points of the article:
- Don’t spend a lot of time and effort on a detailed comparison of the features of IAM solutions. For the most part, they all provide similar functionality.
- In addition to foreign IAM solutions, there are currently good domestic and Open Source products.
- With any IAM solution, you will have to solve integration problems when connecting corporate IS to it.
The centralized authentication system will become a critical system. If it is inoperable, corporate IS will be unavailable. Therefore, when choosing an IAM solution, pay more attention to quality criteria: fault tolerance, performance, etc.
How to choose the right IAM solution
How do you usually choose software? They do reviews, detailed comparisons of each of the products according to a variety of criteria, calculate some abstract total scores and study other statistics, consider reports from different analytical agencies – while each analyst says different things. There is endless communication with vendors, with each vendor praising their own product, providing a large amount of materials. While you choose, time passes, life changes, system requirements change, the product itself changes. Every six months, or even less, there is a change of leader in product comparisons. What was the main feature of one product becomes commonplace for everyone. After all this, you have a thousand and one considerations, and you are drowning. Don’t drown. There are many IAM solutions on the market today. And, by and large, according to the main characteristics, they are all about the same.
From our experience, the functionality currently available in IAM products is enough to implement at least 90% of the requirements that you have for centralized authentication systems. The rest is decided by customizing solutions. And you will have to customize any product, no matter what you choose. And you will have to integrate the solution with your information systems, regardless of the chosen product. In today’s rapidly changing world, a significant part of the requirements arise during the course of the project, and it is unlikely that you will be able to describe all the specific requirements before the start of implementation in order to select the most accurate solution.
Can there be mistakes? Of course they can. But it is better to test several products in practice than to spend a lot of time studying ratings and reviews, but not finding the best solution for yourself.
Of course, there are a number of criteria to consider when choosing an IAM solution. Some of them relate to the choice of any software: it is a vendor solution or Open Source, domestic or foreign. For IAM solutions, the specific criteria may be the type of SSO functionality they provide (WebSSO or Enterprise SSO). Next, we will analyze each of these criteria with an indication of specific IAM solutions.
Of the foreign products available on the Russian market, the most common are the following:
- Oracle Access Management
- IBM Security Verify Access
- Microfocus NetIQ Access Manager
- ForgeRock Access Management
Their advantages include global recognition and a long time on the market, in connection with which the products have greater functionality and a large number of implementations in the world. In addition, high-level technical support is usually provided for such solutions. Of the shortcomings, it should be noted, first of all, the high cost of products and support. Also, if it is necessary to perform some specific modification for a specific customer, it will be extremely difficult to achieve it from a foreign vendor. In addition, these decisions do not comply with the domestic policy of import substitution.
I believe that it is advisable to choose these products for creating centralized authentication systems based on them if the company already uses other solutions from these vendors. The listed vendors have a product line for managing user authentication and access rights, Oracle and IBM have many business applications. It will be easy to carry out integration work between products to build a single platform.
Among domestic IAM solutions, the most common are:
- Blitz Identity Provider
- Avanpost FAM
- Real Access Manager
The advantages and disadvantages of domestic IAM solutions are, in fact, opposite to the advantages and disadvantages of foreign ones. The disadvantages include a low level of support service compared to foreign solutions, a relatively small number of implementations. However, domestic solutions are cheaper than foreign counterparts, their use is in line with the import substitution policy. They have or are being certified by domestic regulators, which allows the use of these solutions as a means of protection in personal data systems. The presence of a vendor “nearby” makes it possible to perform the necessary refinement “for a specific customer”. At the same time, in terms of the set of functionality, domestic IAM solutions are already almost as good as foreign ones.
Therefore, if you decide to use a vendor solution and you do not have a ready-made infrastructure of foreign vendors, you can safely choose a domestic solution.
Open Source IAM
The following Open Source solutions are most common on the Russian market:
- Keycloack (Red Hat SSO)
- WSO2 Identity Server
- Gluu Server
- Wren A.M.
All these solutions have the advantages of Open Source solutions (free of charge and the ability to refine the solution on their own), and also have commercial technical support. It, like an insurance policy, reduces the risks typical of Open Source. Among these risks are situations where deep product knowledge is required to fix a problem and you have to resort to the help of a professional community (community) that does not have an SLA.
WebSSO and Enterprise SSO
The following evaluation criterion is specific to IAM solutions.
Technologies that provide Single Sign-On can be divided into two main types:
- Corporate (Enterprise) Single Sign-on. This technology involves installing an agent on user workstations. This agent provides automatic substitution of the user’s login and password into the authentication windows of the applications.
- Web Single Sign-on. This technology provides authentication in web applications. Applications connect to the authentication service using protocols such as SAML, OAuth, and OpenID Connect.
It should be noted that the integration of information systems with Web Single Sign-on requires that they support one of the protocols listed above. To work with ESSO, system modification is usually not needed, the necessary settings are performed by the authentication system itself. When working with ESSO, authentication data (login/password) is transmitted towards the application, while in the case of Web Single Sign-on it is not. With WebSSO, authentication data is transmitted only towards the authentication system, which issues a ticket (token) to the user to interact with the application. It is he who is transmitted towards the application from the client (web browser).
It is also worth noting that some vendors have added an authentication function to the Windows operating system in their products for centralized authentication. With its help, you can provide access to the computer using additional authentication mechanisms: one-time passwords, biometrics, etc.
Summary information on IAM solutions.
A summary table of IAM solutions is shown below.
|IAM product||Russian software||open source||WebSSO||ESSO||PC Login|
|Avan Post FAM||+||+||+||+|
|IndeedID Access Manager||+||+||+|
|Oracle Access Management||+||+||+|
|IBM Access Management||+||+||+|
|ForgeRock Access Manager||+|
|KeyCloack (Red Hat SSO)||+||+|
|WSO2 Identity Server||+||+|
|Wren Access Manager||+||+|
When building centralized authentication systems, the most attention should be paid to quality requirements (performance, fault tolerance …). IAM systems are critical not only to an organization’s security, but also to the availability of its digital services. If the centralized authentication system fails, users will not be able to enter the IS.
So take a closer look at at least the following:
Instead of asking the vendor to answer a specific functional question, ask them for a load test report on the solution. Better yet, conduct it in your environment on your own by performing a test installation of the product as part of the PoC (Proof of Concept). Time spent on this activity will be much more useful than watching an endless number of functional reviews and other materials. From experience, a good half of the negative from users that can be with the functioning of an IAM solution is related to its performance.
Choose a solution that scales easily. This is especially true for authentication systems with uneven load over time. For example, in the work of public service portals there are days when the load reaches its peak. Usually this is the day when the provision of certain services starts, for example, enrolling children in a kindergarten or school. If the solution is easy to scale, then it will not be difficult for you to prepare for such days. You simply add an instance of the database, application server, or compute resources. After a load drop, you can also easily remove unused power.
– Fault tolerance.
Of course, the centralized authentication service must be highly available. Otherwise, it will become an obstacle to the user experience. SSO is not a benefit if it prevents access to your applications! All of the solutions mentioned above use technologies to build a highly available service. So this is more of a question for the system design phase as a whole. But still – at the stage of choosing a solution, add this item to your checklist. There is no point in having unpleasant surprises after the decision has been made.
– Ease of expansion and customization.
As noted above, during the project you will still have to customize any solution you choose, it will be necessary to solve integration problems. Therefore, it is very important to see what opportunities for improvements the solution provides. Will you be able to perform them yourself if necessary, or for any slightest customization, a new assembly of the solution from the vendor is required.
In general, it is necessary to pay as much attention as possible to non-functional aspects and quality criteria. Selecting the right IAM solution based on feature comparison alone is not a viable approach since most vendors offer similar features.
Aleksey Kuzmin, Head of the Biometric Technologies and Authentication Systems Group at the Center for Applied Security Systems at Jet Infosystems.