KuppingerCole Report
EXECUTIVE VIEW
by Martin Kuppinger, mk@kuppingercole.com
April 2014

Content
1 Introduction
2 Product Description
3 Strengths and Challenges
4 Copyright

1 Introduction

Enterprise Single Sign-On (E-SSO) is a well-established technology. Despite all progress in the area of Identity Federation, E-SSO is still a relevant technology. This is also true in the light of the growing number of Cloud-SSO solutions that manage access to cloud applications, delivered both on-premise and cloud-based, but targeted at Single Sign-On to cloud apps. In most organizations there are still many legacy applications in on-premise installations. Providing single sign-on to all types of applications and services on all platforms increases convenience for users and might also reduce help desk cost. In addition, there are many specific use cases, such as hospitals or production environments, that require E-SSO for security and efficiency reasons. Thus, E-SSO is one of the technologies that are of high importance for organizations.

E-SSO provides centrally managed solutions that grant access to various applications, both traditional fat client and browser-based applications. E-SSO solutions are the tactical, non-intrusive approach for SSO. From the user perspective, they provide an SSO experience, while there is no true SSO at the system level. E-SSO works with different credentials for different systems. Thus, these solutions do not require changing applications.

E-SSO frequently is used in combination with other SSO approaches such as Identity Federation or token-based systems (such as Kerberos), the latter typically based on the primary Microsoft Active Directory authentication.

Their value is based on two facts:

- The solutions are non-intrusive and thus simple to implement. They have a strong potential for quick wins in improving the user experience.
- Several applications are hard or impossible to integrate into true SSO approaches such as Identity Federation or Kerberos. Thus, the solutions provide a strong benefit for environments with a large number of legacy applications.

This second feature makes them interesting for many industries and environments, such as healthcare or the manufacturing areas of organizations with their specific IT solutions.

Overall, there is value in Enterprise Single Sign-On. Despite being a sort of tactical approach, these solutions are likely to stay for a long period of time.

2 Product Description

, formerly known as Novell SecureLogin, is one of the veteran products in the E-SSO market segment. However, NetIQ has not rested on the acquired product, but has continuously improved it, remaining among the Leaders in this market.

supports a broad variety of authentication mechanisms, including one-time passwords, biometrics, smartcards, and others. Thus, access to the passwords, the keys to the kingdom, can be well protected, balancing usability and security.

The product also supports secure authentication of users without direct connectivity to the E-SSO solution, by securely caching credentials on the local system. For such use cases, there might be an additional authentication requirement based on a passphrase, further strengthening security.

Additionally, the tool supports common requirements such as fast user switching and kiosk modes that are required for many use cases such as in healthcare, retail, or in manufacturing environments. This proves the maturity of the product and the long experience of NetIQ in deploying SSO to customer environments.

When assessing, there is very little to complain about. As mentioned, the product is a proven, mature solution with a large installed base. It supports all common features expected for that type of product, including delivery of pre-configured applications and good support for more complex applications such as SAP GUI and Lotus Notes clients. It provides good flexibility for scripting, but also GUI wizards to configure new applications. Especially wizard-based integration is outstanding, with support for various types of applications such as web applications, Windows and Java applications.

In contrast to most other solutions in this particular market segment, NetIQ also provides tight integration to its own SIEM solution, NetIQ Sentinel. That allows using log-in information in network security monitoring.

There are a few aspects we consider as shortcomings, mainly in the field of more innovative features, such as the lack of delegation support or the missing capability of unlocking multiple systems with a single login.

Also, only supports LDAP v3 compliant directories as credential stores but no databases directly. This might be a challenge for some customers that want to rely on a database system only. However, there is a long experience in building simple to configure yet secure credential stores based on directory services.
Aside from that, given that any LDAPv3 compliant directory service is supported, customers can either rely on existing directories or quickly set up a specialized directory for the purpose of, depending on their specific requirements.

3 Strengths and Challenges

is one of the leading-edge products in the E-SSO market. It is mature and feature-rich. In addition, NetIQ can build on a very large customer base and an excellent global ecosystem. Thus, it is also one of the products that is a logical choice when defining shortlists of vendors in the E-SSO market.

Among the strengths are the excellent capabilities for configuring Single Sign-On to applications, based on a wizard. NetIQ is one of the few vendors supporting both scripting and wizard-based configuration.

Another strength is the tight integration into NetIQ's own SIEM solution, allowing further analysis of E-SSO events and automated reaction on such events.

There are few weaknesses, mainly in very specific areas such as the ability to unlock multiple machines with a single sign-on, which is relevant for some specific use cases such as stock brokers or control rooms, for instance in plants. Another shortcoming is the lack of delegation support in administration.

Overall, is a strong offering in the E-SSO market that should be considered in product selections.

Strengths
- Comprehensive and mature set of product features.
- Large customer base and broad partner ecosystem.
- Supports both scripting and GUI interfaces for configuring applications.

Challenges
- No support for delegating access to other users.
- Only directory services, not databases, are supported as credential stores.

4 Copyright

© 2014 Kuppinger Cole Ltd. All rights reserved. Reproduction and distribution of this publication in any form is forbidden unless prior written permission. All conclusions, recommendations and predictions in this document represent KuppingerCole's initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaim all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole do not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice.