Enterprise Single Sign-On (ESSO)

Enterprise Single Sign-On (ESSO) is a tool that lets a person access multiple applications or endpoints after entering his/her credentials once.  It usually consists of three components: the agent (on the endpoint), the application server, and the repository (usually LDAP).  Although the concept is simple, the use cases of this technology are quite interesting, such as:

  1. Biometric Authentication Enforcement
  2. Application Whitelisting
  3. Reducing IT Service Desk cost

Biometric Authentication Enforcement

Have you ever wondered how a terminal emulator could implement biometric authentication?  Or how a plain old web application could?

The answer is simple if you have ESSO in your organization: configure the ESSO to scramble the target system's password, and to prompt for biometric authentication (e.g. a fingerprint) before it injects the credential into the terminal emulator or web application.  Done!

The next time a user opens the terminal emulator or that web application, ESSO intercepts the login screen and asks the user to swipe his/her fingerprint.  If the fingerprint matches the UserID, ESSO injects the credential into the terminal or web application.  The user cannot bypass the biometric step by typing the password, because the password has been scrambled and is known to no one except ESSO.  In practice this means the protection is only as strong as the ESSO repository that holds the scrambled passwords and the agent that releases them.

The same concept applies to other second factors (2FA) such as a token, a smartcard, or iris recognition.

When a security compliance requirement calls for biometric authentication, ESSO can enforce it enterprise-wide without requiring changes to any application.

Some enterprises scale Enterprise Single Sign-On back to Reduced Sign-On, where the user must re-enter his/her credential (and pass the strong authentication again) every time he/she performs a critical action.  That way strong authentication is enforced for every critical activity, not only at login.

Application Whitelisting

How can you prevent a DBA from running a database query directly against the database server in the production environment?  Is it possible to force a DBA to run queries from one specific application only?

Since ESSO has scrambled the user's password in the database, the user cannot log in to the database directly without going through ESSO.  ESSO only injects the credential when the user opens a registered (read: whitelisted) application, so an enterprise can keep a DBA from running queries through an unapproved tool.  Note that the control sits on the endpoint rather than in the database: it holds as long as the DBA cannot recover the scrambled password from the ESSO agent or from the whitelisted application it was injected into.  With that understood, this feature makes daily operation easy to keep compliant with security standards.
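The two mechanisms described above (scrambling the target password and releasing it only after a second-factor check, and releasing it only to a whitelisted application) can be walked through in a small simulation.  The following Python is an added example written for this page, not code from any ESSO product: TargetSystem stands in for the production database, EssoAgent combines the agent and the credential repository (kept as a plain in-memory dict here, where a real product would keep it encrypted), and the second_factor_ok flag stands for the result of the fingerprint match.  All names and the scenario data are constructed for illustration.

```python
import hashlib
import hmac
import secrets


class TargetSystem:
    """Stands in for the backend whose password ESSO takes over (a database,
    a mainframe behind a terminal emulator, a web application). It stores a
    salted password hash and verifies logins, like any real backend."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._accounts: dict[str, tuple[bytes, bytes]] = {}

    @staticmethod
    def _derive(salt: bytes, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def set_password(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._accounts[user] = (salt, self._derive(salt, password))

    def login(self, user: str, password: str) -> bool:
        if user not in self._accounts:
            return False
        salt, stored = self._accounts[user]
        return hmac.compare_digest(stored, self._derive(salt, password))


class ApplicationNotWhitelisted(Exception):
    pass


class SecondFactorRequired(Exception):
    pass


class EssoAgent:
    """Simulated ESSO agent plus credential repository (hypothetical design).
    The vault is an in-memory dict; a real product keeps it encrypted."""

    def __init__(self) -> None:
        self._vault: dict[tuple[str, str], str] = {}   # (user, target) -> scrambled password
        self._whitelist: dict[str, TargetSystem] = {}  # client application -> target it may reach

    def register_application(self, app_name: str, target: TargetSystem) -> None:
        """Whitelist a client application for a target. Only these ever receive credentials."""
        self._whitelist[app_name] = target

    def enroll(self, user: str, target: TargetSystem, current_password: str) -> None:
        """Scramble the account: prove the user knows the current password once,
        then replace it with a random secret known only to the vault."""
        if not target.login(user, current_password):
            raise PermissionError("enrollment requires the user's current password")
        scrambled = secrets.token_urlsafe(32)
        target.set_password(user, scrambled)
        self._vault[(user, target.name)] = scrambled

    def inject_credential(self, user: str, app_name: str, second_factor_ok: bool) -> bool:
        """Called when the agent intercepts a login screen in `app_name`.
        `second_factor_ok` is the outcome of the fingerprint (or token,
        smartcard) check the agent performs before releasing anything."""
        target = self._whitelist.get(app_name)
        if target is None:
            raise ApplicationNotWhitelisted(app_name)
        if not second_factor_ok:
            raise SecondFactorRequired(user)
        return target.login(user, self._vault[(user, target.name)])


def run_scenario() -> dict[str, object]:
    """Constructed walk-through: one production database, one whitelisted
    reporting tool, and one ad-hoc query tool that is not registered."""
    prod_db = TargetSystem("prod-db")
    prod_db.set_password("alice", "Summer2024!")  # the password alice chose herself

    esso = EssoAgent()
    esso.register_application("FinanceReporting", prod_db)
    esso.enroll("alice", prod_db, "Summer2024!")

    results: dict[str, object] = {}
    # 1. The password alice knows no longer works: direct access is gone.
    results["old_password_works"] = prod_db.login("alice", "Summer2024!")
    # 2. Whitelisted application + matching fingerprint: ESSO logs her in.
    results["whitelisted_with_2fa"] = esso.inject_credential("alice", "FinanceReporting", True)
    # 3. Same application, fingerprint mismatch: nothing is injected.
    try:
        esso.inject_credential("alice", "FinanceReporting", False)
        results["whitelisted_without_2fa"] = "injected"
    except SecondFactorRequired:
        results["whitelisted_without_2fa"] = "blocked"
    # 4. An unregistered client (an ad-hoc SQL console) never gets the credential,
    #    even with a valid fingerprint.
    try:
        esso.inject_credential("alice", "AdHocSqlConsole", True)
        results["unlisted_app"] = "injected"
    except ApplicationNotWhitelisted:
        results["unlisted_app"] = "blocked"
    return results


if __name__ == "__main__":
    for check, outcome in run_scenario().items():
        print(f"{check}: {outcome}")
```

The point the simulation makes is where the enforcement actually lives: the database itself knows nothing about fingerprints or whitelists, it only sees a password nobody but the vault holds.  Every decision (which client may ask, which second factor must pass) is taken by the agent on the endpoint, which is why the integrity of that agent and of the repository is what the whole scheme rests on.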

Reducing IT Service Desk Cost

According to Gartner, password problems make up 20%-30% of all IT Service Desk volume.  Two problems are easy to identify here:

  1. The user can't work, because he/she can't access the application due to a password problem.  If the user is top-level management, this costs the company a lot.
  2. The service desk has to spend time resolving the user's password problem.

By implementing ESSO, the organization gains productivity, and some of the IT Service Desk staff can be dispatched to other strategic tasks, because they are no longer busy handling password problems.

And it is good for the users too, since each user now needs to remember only one password (which is less likely to be forgotten).  The flip side is that this one password, together with the second factor, now unlocks everything, so it has to be protected accordingly.