an independent set of credentials, which means users may need to remember many user IDs and passwords. It becomes logistically expensive to manage user data consistently across multiple systems, to “provision” new users or to “de-provision” them when they leave the organisation. Processes are necessarily manual and error-prone. Security policies are not uniformly applied across all applications. The list goes on.
A simple extension is to have all applications validate user credentials against a common repository, most frequently an enterprise LDAP directory. Here's what the picture then looks like:
Fig 11: Delegated authentication
This is somewhat better because applications can now delegate the management of user credentials (and even access rights) to an external component. User credentials are held in and validated against a single repository (i.e., centralised authentication). When access rights are also similarly held and validated, this is centralised authorisation. User provisioning and de-provisioning are a lot simpler because only one data store needs to be managed. Security policies are more consistent across applications because they are essentially defined at a single point (although enforcement is still at each application's discretion).
From an auditor's perspective, although this is progress, it still cannot be guaranteed to be secure, because enforcement of enterprise security policies, however well defined, is still left to individual applications. Moreover, it still isn't as convenient to users as it could be, because it isn't really “Single Sign-On”. True, users now only have to remember one set of credentials, but they have to enter them afresh when accessing each application they use. It's more “Single set of credentials” than “Single Sign-On”. Can something be done about these points? In other words, can the enforcement and challenge parts of the process be delegated to an external component as well?
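To make the two limitations concrete, here is an added Python sketch that is not from the book: a constructed in-memory stand-in for the enterprise directory (the DNs, passwords and group names are invented), two applications that both delegate credential validation to it, and a bind counter showing that each application still challenges the user separately. One application honours the centrally defined policy and the other does not, which is exactly the "enforcement at each application's discretion" gap the auditor would flag.

```python
import hashlib
import hmac

# Constructed stand-in for the enterprise LDAP directory (hypothetical data;
# a real application would perform an LDAP simple bind against the server).
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

_ENTRIES = {
    "uid=alice,ou=people,dc=example,dc=com": ("alice-pass", b"salt-a", {"finance-users"}),
    "uid=bob,ou=people,dc=example,dc=com": ("bob-pass", b"salt-b", set()),
}
DIRECTORY = {dn: {"salt": s, "pw": _hash(p, s), "groups": g} for dn, (p, s, g) in _ENTRIES.items()}

# Central policy: the directory group each application requires (None = any valid user).
POLICY = {"payroll": "finance-users", "wiki": None}

class Directory:
    """The single credential repository that every application validates against."""
    def __init__(self):
        self.bind_count = 0  # how many times a user had to present credentials

    def bind(self, dn: str, password: str) -> bool:
        """Models an LDAP simple bind: succeeds only if the password matches the entry."""
        self.bind_count += 1
        entry = DIRECTORY.get(dn)
        if entry is None:
            return False
        return hmac.compare_digest(entry["pw"], _hash(password, entry["salt"]))

    def member_of(self, dn: str, group: str) -> bool:
        return group in DIRECTORY.get(dn, {}).get("groups", set())

def login_enforcing(directory: Directory, app: str, dn: str, password: str) -> str:
    """Application that delegates authentication and also honours the central policy."""
    if not directory.bind(dn, password):
        return "denied: bad credentials"
    required = POLICY[app]
    if required and not directory.member_of(dn, required):
        return "denied: not in group " + required
    return "granted"

def login_lax(directory: Directory, app: str, dn: str, password: str) -> str:
    """Application that validates credentials centrally but skips the policy check."""
    if not directory.bind(dn, password):
        return "denied: bad credentials"
    return "granted"  # policy defined centrally, yet not enforced here

def workday(directory: Directory, dn: str, password: str) -> list:
    """One user opening both applications: each one challenges for credentials again."""
    return [login_enforcing(directory, "payroll", dn, password),
            login_enforcing(directory, "wiki", dn, password)]
```

After `workday` the directory's `bind_count` is 2 for a single user: one set of credentials, but one challenge per application.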