5 Steps to Secure Internet SSO

white paper
5 Steps to Secure Internet SSO
OverviewThis white paper, intended for a management-level audience, describes why and how any organization can implement secure Internet single sign-on with a federated identity management system. Employees today may need to access up to thirty different applications within the enterprise network and over the Internet in the performance of their daily jobs. Most businesses are struggling to secure their internal networked resources while still providing access to external applications, including Software as a Service (SaaS) and other business process outsourcing (BPO) arrangements. Fortunately, there are now standards-based solutions available that provide solid security in such a multi-party environment. The underlying capability is federated identity management, which provides for the portability and interoperability of identity information across organizational boundaries. For the user, federated identity eases access by delivering single sign-on to Internet-based applications, just as if the application were running on the local network. For the CISO, federated identity improves security. For the CIO, federated identity reduces operating costs.white paper
Attacks on Enterprise Services Employees today may need to access up to thirty different applications within the enterprise network and over the Internet in the performance of their daily jobs-often with different usernames and passwords for each one. Such a situation is not only cumbersome; it is inherently insecure, being especially vulnerable to phishing, Trojans and other malware that can quickly spread throughout the entire organization. Willie Sutton was allegedly asked why he robbed banks; his famous reply, of course, is because "that's where the money is." Software as a Service (SaaS) offerings like Salesforce.com's are now where the money is-at least for many identity thieves. As more applications move outside the enterprise firewall, the number of potential targets increases. Other examples of popular SaaS targets include video conferencing and travel services where either the service itself or some personally-identifiable information (PII) is stolen. Sometimes the theft takes the form of industrial espionage, where the perpetrators attempt to The impact of phishing steal customer lists, product plans, and other sensitive or proprietary corporate on SaaS providers information. includes: Every external application creates a potential vulnerability into the enterprise. The more systems there are, the more vulnerable the enterprise becomes. . Monetary Loss These vulnerabilities come in many forms, but one of the most popular (based . Legal Liabilities on its successful use by hackers) is phishing. Phishing is a technique employed by identity thieves to acquire usernames and passwords, mostly via fraudulent . Reputational Loss emails. The email appears to be authentic from a legitimate source, and the . Time to Resolve Website where users are directed may also appear to be authentic. The victims log in unaware that their usernames and passwords are about to be stolen, . Brand Damage giving the identity thief access to their actual accounts. Users who log into these fraudulent Websites may also be subject to infection with a trojan that captures . Competitive Disadvantage keystrokes to discover access credentials for other accounts. . Regulatory Exposures Spear phishing is a special form of phishing targeted at small groups or even at select individuals. Salesforce.com was victimized by such an attack recently when an administrator was phished and his credentials were subsequently used to spear phish specific accounts. In this particular incident, a seemingly trustworthy Microsoft Word document was infected with a Trojan program that captured keystrokes to obtain user credentials. The phishing incident at Salesforce.com mentioned above was quite well publicized, which can cause a vendor's reputation to suffer substantially. Despite the warning windows provided by Salesforce.com and other SaaS vendors, users continue to become victims. Phishers can be extraordinarily clever, which makes recognizing a phishing email extremely difficult, especially for busy workers who often fail to take the time to scrutinize suspicious emails. This means that even the very best user education programs provide no guarantee of real security.
Homegrown and Proprietary Security MechanismsOrganizations th... [download for more]