Talk Lecture 6

From CyberSecurity
Revision as of 19:37, 10 October 2005 by Somconcept (talk | contribs) (Talk lecture 6 Usability and Single Sign On)


Talk lecture 6 Usability and Single Sign On

Prof. Voelker mentioned usability as one of the constraints to implementing cyber security. From my experience of working in a small organization (~250 users) with a Windows-based infrastructure, I find it very relevant. Users (many of our users are outside of corporate and traveling) frequently forget passwords or use it as an excuse not to enter data they are supposed to enter. This leads to a large volume of help desk calls to reset passwords. Gartner Group estimates the cost of each call to be $32. Therefore we are attempting to provide a single sign on to all our web-based applications. Here is what we have been able to achieve so far:

  • Users just have to remember one set of login and password (the Windows Domain/AD account)
  • All web-based applications (.NET on Microsoft IIS) use basic authentication (we wanted to use Integrated but getting the users to remember the domain name was a challenge) plus SSL.
  • When the user enters their credentials (user id and password), they are validated against Active Directory.

This would have been an excellent solution but for the following: when users have to use different web applications (spread across different physical machines), they encounter the IIS dialog (for user id and password) again and have to enter the same user id and password over and over. This is an annoying step. Here is what I wish for: some kind of programmable server-side redirect which will allow the user to be redirected to any of the company web servers (on the same domain) when the user has already been authenticated once.

I would appreciate comments from Microsoft folks about the latest work in this direction that is happening at Redmond. We had spoken to some third-party vendors such as Entrust, Netegrity, and Obelix who have Single Sign On solutions, but the cost and complexity of implementing them are horrendous, especially for a small company. Also interesting would be information about the latest research on this and other usability aspects of cyber security. (Somnath Banerjee)
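The "programmable server-side redirect" the post wishes for is, in essence, a signed single-sign-on ticket: one login server checks the credentials against the directory once, sets a cookie on the parent domain shared by all the company's web servers, and each application server verifies the cookie instead of prompting again. The sketch below is an added example written for this talk page, not code from the poster's organization or from any of the named vendors; the hostnames, the cookie name, the shared key and the ticket lifetime are all constructed for illustration, and the ticket format (user, expiry, HMAC-SHA256) is a minimal design chosen here, not a description of any product.

```python
"""Minimal domain-wide SSO ticket: issue once at a login server, verify everywhere.

Constructed example. The login server is assumed to have already validated the
user's credentials against the directory (as the post's IIS applications do)
before calling issue_ticket().
"""
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import quote

# Constructed shared secret; every web server under the domain needs the same
# key, distributed out of band. Anyone holding it can mint tickets, so it is
# the asset to protect and rotate.
SSO_KEY = b"example-only-shared-secret-rotate-me"
LOGIN_URL = "https://login.example.test/sso"   # hypothetical central login server
COOKIE_DOMAIN = ".example.test"                 # parent domain shared by all app servers
COOKIE_NAME = "sso_ticket"
TICKET_TTL = 8 * 3600                           # seconds a ticket stays valid


def _sign(payload: bytes) -> bytes:
    """HMAC-SHA256 over the ticket payload with the shared key."""
    return hmac.new(SSO_KEY, payload, hashlib.sha256).digest()


def issue_ticket(user: str, now: Optional[int] = None) -> str:
    """Called by the login server after the directory accepted the password.

    Ticket layout (before base64): user | expiry-epoch | 32-byte HMAC.
    """
    if "|" in user:
        raise ValueError("user name may not contain the field separator")
    now = int(time.time()) if now is None else now
    payload = f"{user}|{now + TICKET_TTL}".encode()
    return base64.urlsafe_b64encode(payload + b"|" + _sign(payload)).decode()


def verify_ticket(ticket: str, now: Optional[int] = None) -> Optional[str]:
    """Return the user name if the ticket is authentic and unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        raw = base64.urlsafe_b64decode(ticket.encode())
        user_b, exp_b, mac = raw.split(b"|", 2)
        expiry = int(exp_b)
    except ValueError:          # bad base64, wrong field count, non-numeric expiry
        return None
    # Constant-time comparison: the MAC is checked before anything else is trusted.
    if not hmac.compare_digest(mac, _sign(user_b + b"|" + exp_b)):
        return None
    if expiry <= now:
        return None
    return user_b.decode()


def set_cookie_header(ticket: str) -> str:
    """Header the login server sends so every host under the domain gets the ticket."""
    return (f"Set-Cookie: {COOKIE_NAME}={ticket}; Domain={COOKIE_DOMAIN}; "
            "Path=/; Secure; HttpOnly")


def handle_request(cookies: dict, requested_url: str,
                   now: Optional[int] = None) -> Tuple[str, str]:
    """Application-server side: serve if the ticket checks out, else redirect to login.

    Returns ("ok", user) or ("redirect", location).
    """
    user = verify_ticket(cookies.get(COOKIE_NAME, ""), now)
    if user is not None:
        return ("ok", user)
    return ("redirect", f"{LOGIN_URL}?return_to={quote(requested_url, safe='')}")


if __name__ == "__main__":
    t = issue_ticket("jdoe")
    print(set_cookie_header(t))
    print(handle_request({COOKIE_NAME: t}, "https://app1.example.test/report"))
    print(handle_request({}, "https://app2.example.test/expenses"))
```

Two properties of this layout matter for the post's situation. A cookie scoped to the parent domain is readable by every host under it, so the scheme only holds if all of those hosts are the company's own trusted servers, which is exactly the "same domain" condition the post states. And because every application server shares the key, compromising one server is enough to forge tickets for all of them; a per-ticket expiry bounds how long a stolen or forged ticket stays usable, and the key should be rotated if any server is suspected.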