Courion Corporation

ESSO and Access Assurance

Sometimes customers tell us they're considering implementing enterprise single sign-on (ESSO) and that this is going to solve their IAM problems. After all, all the user has to do is sign on once to the SSO system and it will automatically log them onto all the other systems the user needs access to, right?

Not so fast... ESSO is a great tool for delivering a high level of convenience for users, especially those who need to log on and log off various systems quickly. The classic example is a doctor in a hospital moving around from patient to patient. Doctors are notoriously busy and can't be expected to log on to a dozen or so applications every time they need to electronically review a lab result, order a test, or fill out a prescription.

However, implementing an ESSO solution doesn't mean that's all you need. In fact, implementing an Access Assurance strategy is the best way to gain the most effectiveness and efficiency from your ESSO solution.

Why?

Because ESSO is primarily focused on access authentication. Transparently authenticating a user to multiple back-end systems with one logon definitely provides value. But who configures and manages the accounts and access rights on the target systems? Not the ESSO system; it handles authentication (and password resets, when required).

In order to create and manage IT accounts and access rights in the first place, you need an Access Assurance strategy, which includes:

  • Access Governance: defining enterprise roles (using role management software) and corporate access policies for the various systems that users need to access. Access Governance lets you define what systems the user needs access to and what his/her access rights should be; in other words, making sure the right people have the right access to the right resources.
  • Access Provisioning: once you have defined the accounts (whether through policy or more explicitly using role management), access provisioning is used to implement the policy by creating accounts on target systems and configuring user access rights.
  • Access Compliance: if the organization needs to demonstrate that personnel have access rights that are consistent with policy or regulations, access compliance drives compliance attestation and reporting.

An important practical consideration to remember is that a provisioning solution can also provision the ESSO system directly, essentially opting in a new user by default. Otherwise, the first time a user tries to log on, the ESSO system must walk them through a registration process, where the user provides the ESSO software with the username, password and other authentication information required for each target system. If you have 15 or more target systems (email servers, applications, databases, enterprise directories, desktop PCs, etc.), the ESSO system has to capture the user's access information for all 15 systems before it can log them on. Provisioning eliminates this hassle, since the ESSO system can be initially provisioned with all the data (user name/password, etc.) required for authentication.

And, of course, it's important to ensure users have the appropriate access rights before you go making it easier for them to access systems or applications they shouldn't have access to. This is why security policies must be enforced every time you add or change user access rights.
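The check described above can be sketched as a reconciliation between role policy, the accounts that exist on target systems, and the systems the ESSO product already holds credentials for. This is an added example, not code from any ESSO or provisioning product; every role, user, system name and data structure in it is constructed for illustration.

```python
# Constructed sample data: role policy (governance), real accounts on
# target systems (provisioning), and ESSO credential enrollment.
ROLE_POLICY = {
    "physician": {"ehr": "clinician", "lab": "read",
                  "pharmacy": "prescribe", "email": "user"},
    "billing_clerk": {"billing": "editor", "email": "user"},
}
USER_ROLE = {"dr_lee": "physician", "jsmith": "billing_clerk"}
TARGET_ACCOUNTS = {
    "dr_lee": {"ehr": "clinician", "lab": "read", "email": "user"},
    "jsmith": {"billing": "editor", "email": "user",
               "pharmacy": "prescribe"},
}
ESSO_ENROLLED = {
    "dr_lee": {"ehr", "email"},
    "jsmith": {"billing", "email", "pharmacy"},
}


def review_user(user):
    """Return (system, action) findings for one user, sorted by system."""
    wanted = ROLE_POLICY[USER_ROLE[user]]
    actual = TARGET_ACCOUNTS.get(user, {})
    enrolled = ESSO_ENROLLED.get(user, set())
    findings = []
    for system in sorted(set(wanted) | set(actual) | enrolled):
        if system not in wanted:
            # Access outside the role: ESSO would make it one click away.
            if system in actual:
                findings.append((system, "deprovision"))
            if system in enrolled:
                findings.append((system, "unenroll"))
            continue
        if system not in actual:
            findings.append((system, "provision"))
        elif actual[system] != wanted[system]:
            findings.append((system, "fix_rights"))
        if system not in enrolled:
            # Without pre-enrollment the user faces manual registration.
            findings.append((system, "enroll"))
    return findings


if __name__ == "__main__":
    for name in USER_ROLE:
        print(name, review_user(name))
```

An empty result for a user means policy, target accounts and ESSO enrollment agree; anything else is work for provisioning or a line item for a compliance report.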

ESSO is important to many customers, but don't forget that an effective Access Assurance strategy will help you get the most value from your ESSO system.
