A Single User Identity. A Single Credential. It’s more ...


A Single User Identity. A Single Credential.

It’s more than just Single Sign-On…

The approach you implement for authenticating users when they log on to SAP business applications is just as critical as the information the users access when they have logged on. Since you make business decisions based on information stored in your business applications, ask yourself these crucial questions:

1. Are users circumventing our organization’s security policy when they log on to SAP business applications?
2. Does our current approach for authenticating users when they log on to SAP business applications comply with industry regulations?
3. Can a policy of using a single set of credentials actually reduce liability?
4. Are we fully capitalizing on our existing investment in our Active Directory infrastructure?

As you explore questions like these, let CyberSafe share some of the experiences we have gained from our existing customers, and explain to you how your existing authentication infrastructure can be leveraged to secure your most critical business data. At CyberSafe, we understand the benefits of a user having a single unique identity and the need for a single set of credentials for user authentication.

Our TrustBroker® products include a wide range of features which allow you to fully utilize an existing Microsoft Active Directory infrastructure, support simple and diverse user authentication requirements, improve security, significantly reduce costs, and deliver a rapid ROI… all essential elements for organizations like yours, who are using SAP business applications.

User Identity, Credentials & Authentication

Your users’ identities are important: they allow your systems and your SAP business applications to recognize users and determine what actions they can perform once they are logged on.

Most importantly, to protect business assets and application data, these systems and applications need to determine whether a user is ‘who they say they are’, and this is referred to as authentication. The information provided by the user during the authentication process is referred to as their credential.

Users typically use credentials for authentication when they log on to a workstation and/or an application, or when they need to re-authenticate to an application (usually for security and/or compliance reasons). Some examples of different credential types are listed below, the most common of which is the user name and secret password combination:

• User name or number and a secret password
• Biometric data (such as fingerprint, voice recognition or retinal scan)
• Hardware tokens (such as RSA SecurID)
• X.509 Public Key Certificates

Sometimes different credential types are combined to improve security. For example, if a user provides a token code from their RSA SecurID token when authenticating, this might not be considered good enough to give 100% assurance that the user is ‘who they say they are’, since somebody could have been using another user’s token. To solve this, when using token devices to authenticate users, a user name and a PIN (personal identification number) or password are also provided. This is referred to as multi-factor authentication, because two factors, ‘something the user has’ and ‘something the user knows’, are being used.

Organizations have many different systems and business applications, each of which requires users to identify and authenticate themselves, so it is not uncommon to find that users need to keep track of a large number of different credentials. Having multiple credentials reduces security, is expensive, and causes users to sometimes circumvent the organization’s security policy in the spirit of ‘getting things done’. Instead, a single credential for each user is desired, which means a user needs a single unique identity, and for that a single, centrally managed authentication infrastructure is needed.

[Figure: A typical situation for users of SAP business applications, with and without TrustBroker.
Without TrustBroker: a SAP business application user has Multiple Identities + Multiple Credentials (a single Active Directory account and a single credential, e.g. password, plus a single or multiple SAP User IDs and multiple credentials). Multiple Sign-On = High Costs + Unproductive Users + Compliance Issues.
With TrustBroker: a SAP business application user has a Single Identity + Single Credentials (a single Active Directory account and a single credential, e.g. password). Single Sign-On / Multiple Sign-On = Low Costs + Productive Users + Solve Compliance Issues.]

However, many SAP business applications continue to include their own authentication, resulting in a situation where users need to manage multiple identities, and each identity has its own credentials for the user to remember. The on-going costs are high since administrators need to manage user accounts in numerous places, and users are more likely to forget a password if they have many to remember. User productivity is also affected when they have to manage multiple identities and multiple credentials.

The TrustBroker products make it possible for applications to use Active Directory for all user authentication needs, providing the user with a single unique identity and a single credential instead of many identities and many credentials.

Some of the key benefits of using the TrustBroker products for Active Directory based authentication with SAP business applications include:

Utilizing your Microsoft Active Directory® infrastructure

Most organizations today already make use of a Microsoft Active Directory infrastructure to authenticate users when they log on to their workstations.

Security of Data in Transit

Microsoft Windows and Active Directory include, and take advantage of, the Kerberos protocol, which ensures that credentials are never sent over the network and that encryption can be used to protect sensitive data. The TrustBroker products fully use Kerberos for authentication, and to secure the application data in transit. This is particularly important for sensitive applications, like those used in Human Resources or Finance, where it is critical that data does not pass in clear text over the network.

Maximizing ROI in Existing Infrastructure

When the TrustBroker products are used, the Active Directory infrastructure can be used when users log on to your SAP business applications. All users will have a single unique Active Directory identity, and can use a single credential (for example, their Active Directory account and password) for both Workstation logon and when they log on to their SAP business applications. Some users might benefit from Single Sign-On, whilst other users (particularly those using shared workstations or who use more sensitive applications) may use Multiple Sign-On, but all users are able to use their Single Identity and a Single Credential for authentication, thanks to TrustBroker.

Reduced Costs and Increased Productivity

Users waste time when they have multiple credentials. Having a single credential increases user productivity, and reduces additional IT and help/service desk costs. In fact, one CyberSafe customer, in the pharmaceuticals industry, recently calculated that after deploying TrustBroker products their users are now saving 48 minutes per month, which they would have otherwise spent managing credentials, getting frustrated when they cannot log on, or asking the help/service desk to reset their passwords for them.

Easier to Remember a Single Credential

Now that users have a single Active Directory identity they can enjoy the benefits of having a single set of credentials which will be easier for them to remember, and reduce the number of times they need to call the help/service desk to get their password reset.

What would an extra 48 minutes of productivity per user each month mean to your business?

Your security policy and compliance issues related to password sharing, writing down passwords (password abuse) are now solved.

Are you concerned about your critical data being exposed on your network?

TrustBroker products are able to help organizations take full advantage of an existing Active Directory infrastructure, and no additional infrastructure is required.

While many vendors concentrate on selling Single Sign-On, we make the point that Single Sign-On is not always possible or desirable. While it is a good fit for many users, and this is fully supported in our TrustBroker products, there are exceptions where, although a single credential can be used, you may still need users to perform multiple authentications (Multiple Sign-On), or authenticate using different credentials. Some of these exceptions are summarized in the use cases below:

Human Resources and Finance.

Due to the sensitive nature of the HR and Finance data there is often a security requirement that users authenticate each time they log on to one of these applications. While a single identity and a single credential are preferred, Single Sign-On may be perceived as a security risk, since it can be compromised if a user leaves their workstation unattended.

Shared Workstations used by Multiple Users.

Each user needs to log on to the SAP business applications using their own credentials. If Single Sign-On were implemented the user would not get the screen asking them to authenticate, resulting in the compliance concern of a shared password. It is therefore necessary to turn off Single Sign-On for shared workstations, yet still allow multiple users to log on using their own unique single identity, with a single credential, without having to log off Windows and log on again as a different user.

External Users and Business Partners.

You may have external users and/or business partners who need to log on to your SAP business applications. This creates some technical challenges, if you have implemented Single Sign-On, since it is often not desirable or possible for these users to take advantage of Single Sign-On. The TrustBroker products include features to allow these users to take advantage of a Single Credential, and to use your Active Directory infrastructure without Single Sign-On.

Administrator Logon.

An administrator who is helping a user and using the user’s workstation may need to escalate privileges in order to perform some function. If Single Sign-On could not be turned off, the user would have to shut down all of their applications, log off Windows, and then the administrator would have to log on as themselves and then log on to the SAP application using their own credentials. Clearly, this is a cumbersome process. If Single Sign-On can be turned off, and the administrator is shown a Sign-On screen, they can log on as themselves, and then turn Single Sign-On back on again when finished.

CyberSafe TrustBroker products allow organizations to streamline their authentication processes, offer improved security, and provide an enhanced user experience. Additionally, the CyberSafe TrustBroker products provide the flexibility to meet many use cases, above and beyond Single Sign-On, which is why we say, “It’s more than just Single Sign-On”.

It’s more than just Single Sign-On

By using TrustBroker products you can use a single credential for each of your users and satisfy a wide range of use cases, not just Single Sign-On.

CyberSafe is a registered trademark of CyberSafe Limited. SAP and all SAP Logos are trademarks of SAP AG in Germany and several other countries. All other products and trademarks are the property of their respective owners. | Copyright © 2012 CyberSafe Limited. All Rights Reserved.


Security Solutions for everybody... Whether you are looking for Single Sign-On, Active Directory authentication for SAP business applications, or have more complex requirements, we will be happy to learn your organization’s unique needs and tailor a solution that meets your objectives and prepares you for the future.

Version 1.0 | 13/04/2012