Secure Web-based Application - Essay Example

Research methodology: Introduction: This research is conducted for the purpose of developing a simple and secure web-based application sign-on method in order to increase the security, reduce the risk of identifying theft by reducing the passwords number of the web- based applications. The scope for this paper is limited to the security solutions by using SSO. Afterwards in the maturity phase the suggested solution will be implemented practically. A design will be constructed for the purpose of offering a better solution for these problems. In addition, the solution will be much more comprehensive than others currently offered in the market. Research Method: A Research methodology is a set of underlying principles behind the collection of models, theories, ideas, and hypothesis. Collectively, research methodology is a technique of collecting data systematically (Rajeev, 2009). For this research the data was analyzed from the previous researches in the literature review section. The authenticity and contingency of this paper depends upon the validity of study data, the reliability of measures taken to collect the data, as well as the time taken to conduct the analysis. Here I would like to tell you that the data was collected from _________ number of respondents through _________(tool used). This data collection part of the research took approximately_________(time consumed for data collection). Basically Single Sign On system cannot accomplish the goals on its own. In order to triumph over the challenges in user understanding and security obstacles, security and usability professionals require putting efforts and working more strongly together (Connolly, 2002). In this research, the ultimate solution will be produced which will allow the creation of a "strong": password (contains letters, numbers and special characters) that will open all the authorized applications. As we are using here the Single sign on method so some of its benefits are listed over here: Ability to enforce consistent project authentication and/or authorization policies across the whole project End to end user audit sessions to make better security reporting and reviewing Removes application developers from having to understand and apply indiviual or seperate security in the applications Frequently results in significant password help desk cost savings If an employee does forget their one password, he or she can easily reset it by using the preset authentication line. Both are factors that have need of extraordinary concerns. Our initial research was done on the internet to discover seller password synchronization tools that would fill our total requirements. We piled up a list of vendors that offer Single Sign On products. A new list of needs and wants was created to incorporate total requirements and other assessment criteria. Some of our initial requirements were that the security system must be able to synchronize password between different platforms, should be able to plot user ids from one platform to another, should provide password status synchronization between different platforms, to implement host platform password format rules across the diverse server platforms. Next step of our research methodology is to develop some evaluation criteria. Our analysis has shown that several flaws in the evaluation criterion and specification can lead to vulnerable implementations (Thomas, 2003). Based on this comment of Thomas we have selected cost, Support for Tandem, Support for other security platforms, and lastly the clearness to application development as our evaluation criterions. Now these criterions were to be tested and verified. Verification of criterions (testing): As mentioned earlier the purpose of this paper is to develop a simple and secure web-based application sign-on method in order to increase the security, reduce the risk to identify theft by reducing the passwords number of the web- based applications and the tool for encryption which will be used here is ASP.net. So from the above mentioned criterions firstly the pre-existing products in the market were observed which were currently offering security systems. Next task was to develop a new and fresh web based application of sign-on method. For that purpose a requirement assessment plan was created for the even evaluation of each product. Requirement Assessment Plan: The requirements assessment is the first step toward solving your business challenge. This section outlines the entire business solution process. Here in this step a flexible, scalable design will be created that will take into account the changing business needs. Our Single Sign-on requirements assessment addresses the following: Desktop SSO design, executive and optimization In this a basic review of environment has to be done for the purpose of ensuring that the basic SSO requirements are being met or not. Security guidelines and procedures: In this the review of security polices has to be done for application development and assimilation. Secondly review of security procedures has to be performed for the purpose of including password and user account management. Risk assessment analysis of existing application security is also included in this section. AES encryption method integration: Analysis of existing AES encryption projects and integrations with an SSO model is performed along with the review of existing application data sources and integration with SSO or other directory- AES is used in this method because it is much better then DES and 3DES. ASP.net may also be applied for the purpose of programming. Since PHP typically runs on apache, and .NET doesn't, you have the powerful, htaccess file and its rewrite abilities. But with .NET, same thing can be done with http Modules, and it can be easily done in .NET, not the web server. ASP.net has been selected for the purpose of web based application because it has a number of advantages as compared to PHP or any other encryption method. ASP>net is an easy choice as by using it you can do your work without caring about the side processes going on. And secondly with ASP.net you get the whole .NET Class Library and the thousands of third party components as well. There are definitely much more third party components out there for ASP.net than for PHP. You have to be careful about few things if you want best results while using ASP>net as your encryption method. Firstly ASP.Net has an IDE that you must use to get the most out of that language. Secondly ASP.net once learned, IDE knowledge will relocate to other V.S. languages and it needs a user login. And it is guaranteed to be around with Microsoft backing it. The hardware and software requirements were formed and an assessment atmosphere was created. All of the products to be tested were brought in that area for the confirmation of concept (testing). We formed an issues list for every product and evaluated it in detail. It was a learning experience. From this we learned that not any one of the product disable access after three invalid password entries because this password policy was being used on the mainframe. Each product synchronizes expirations on each user store with the Host user store. Along with that we realized we would have to program our Portal application to balance for each of these limitations. As ASP.net is being used for programming here and PHP was not used, it was because of the reason of high suitability of ASP.net for the creation of single sign on application. These new encoding requirements were approved and sent to the portal development panel. The ultimate evaluation was made and a product was selected. Product choice: A branded product with the name of Novell Sign on by Novell consulting Company was selected as the product that would endow with our Single Sign On solution because it best met the total requirements, added requirements and specially difficult, testing requirements (Yasin, 2002). Novell's awareness was also a helpful thing of their company in making a positive decision for their product. Single Sign-on is a Novell Directory Services (NDS)-based solution to one of today's most vital needs: password management. Single Sign-on combines user's diverse passwords network log on, e-mail, business processes and so on into the Secret Store Engines. This permits them to log in one time and, with just their accessible NDS password, entrance to all of their SSO-enabled applications. Single Sign-on eliminates the necessity for users to remember and enter numerous passwords (Andrej, 2001). The subsequent step after the selection of a product was to begin customization and assessment. Between our project steps of product choice, customization and assessment, the gateway portal product made an alteration in the policy they were going to apply for end user authentication. Our plan adjusted to provide room for the change from Novell Directory Server to the Netscape Directory Server. Since Novell Directory Server seemed to be the trickiest policy to endow with bi bi-direction password synchronization, we felt this alteration made our project less complicated. We took Novell sign on password synchronization manager for the Netscape Directory Server platform and commence our customization and assessment phase of the research. Product Customization and Assessment: On completing the requirements assessment, a properly documented report has to be prepared which will give specific guidelines on how to best implement a Single Sign-on solution in a company, based on project definition, design, and research. ASP.net was being used here for the purpose of creating a successful single sign on application for security. As business enters into a growth phase, a secure business application will be required for safety purposes. But signing on has become ever more complicated and time consuming. But with SSO, users are less stuck by frustrating time drains due to forgotten or expired passwords and are given the security and management ease of Novel NDS (Christian & Monika, 2007). For the customization after requirement assessment the product's design has to be created then there would be a need of deployment and maintenance. Product's Customization was desirable in order to accomplish the research goal of developing a simple and secure web-based application sign-on method (Josang, et al., 2005). With the intention of testing the customization properly, we created a test atmosphere that best represented our production atmosphere. There is no requirement for client/desktop software to be installed also. Beside the diverse agents exit point for single sign on application and the element that connects it all is labeled as the IP Connector (Heckle, Lutters, & Gurzick, 2008). Implementation phase: Now the next task to be performed was documentation and implementation. And for that purpose we documented the whole thing we did in the test atmosphere and produced a task plan to re-establish that whole thing in the production atmosphere. Our single sign on application and synchronization covered several areas of knowledge and expertise and the technology support team in each area had to be harmonized to execute their tasks according to the task plan. The reason behind the success of any implementation is to write down wide-ranging records in the assessment phase and have a clear task plan and unambiguous interactions with all of the concerned areas and fields. Our web based single sign on application's implementation into production was an achievement. The password synchronization solution was installed and equipped for the web based application execution. Bringing together Lessons Learned from this study: The last step that is the part of this research methodology is to bring together or compile a set of lessons learned from all the components of research which were performed for this paper. Although there were many lessons learned from this project but still some of them are to be shared with the expectation that any person doing a related project can apply them. Primary and the most important lessons were to have an accurate and proper assessment or test plan. We learned how to evaluate all potential arrangements of parameters and guarantee the most wanted results, secondly how to check and analyze every platform and amalgamation of platforms in the project's scope. We learned that how to make a good and proper choice in products. We were competent to straight away install, investigate, assess, and implement a new web based single sign on system. We learned that how beneficial it was to keep close communications and interactions with Novell Directory Server and our domestic research group members. Afterwards it was realized that up automation should be set up to shut in and do announcements in case of any troubles with any factor related to the solution. Proper documentation and educating the support team members in how to instantly solve problems was really a learning formula. Lastly our solutions are based on industry's leading directory services, advanced dispersed computing technologies, open internet standards, designs verified in real-world business surroundings, outstanding technical training and support Novell Consulting works closely with Novell. Our total solution approach was very useful in solving today's business problems and also in accomplishing current business objectives (Patrick, Leif, & Nate, 2008). Related Advantages and Benefits: Even though it is said that the dangers are bigger using single sign-on structure for the reason that the rogue client would be able to use the entire resources obtainable to the legal user (Bradley, 2004), but still there are a number of benefits connected with it. A huge benefit of using Novell Services for the creation of web based sign on application was that it was a mode of ensuring password policies crosswise numerous platforms. Web based security technology, is a flexible and interoperable way to accomplish heterogeneous system security (Kaixing & Xiaolin, 2009). A web based solution guaranteed that the printed policy was being imposed repeatedly with least amount of policy design. An additional advantage to password synchronization is that it only needs the consumer to keep in mind one password regardless of what system they sign onto. Restricting the quantity of passwords a user must retain information, and it trims down the risk of the user writing the password down and diminishes the on the whole helpdesk expenses (Tagg, 2002). Reference list: Books: JasonGarman. X/Open Single Sign-On Service (XSSO) - Pluggable Authentication . The Open Group.Kerberos: The Definitive Guide Richard Arlen, Jean Parker, Russell Hayden, and Charles Brown. (2008). Minesweeper Brian Casselman. (2008). Citrix XenApp- Platinum Edition for Windows : The Official Guide. Kindle Edition Kindle Book Barbara Bernstein Fant, Betty Miller, and Lou Fant . (2008). The American Sign Language Phrase Book Monica Beyer. (2007). Teach Your Baby to Sign: An Illustrated Guide to Simple Sign Language for Babies Internet sources: Loveleena Rajeev. (2009). "How to Write a Good Research Methodology." Retrieved: August 23, 2009. URL: http://www.buzzel.comarticlesmhtHow to write a Good Research Methodology.mht Bradley, T. (2004). Introduction to Vulnerability scanning. Retrieved August 24, 2009, URL: http://netsecurity.about.com/cs/hackertools/a/aa030404_p.htm Connolly, P.J. (2002). "Single Sign Sign-on dangles prospect of lower help desk costs." Retrieved August 24, 2009, URL: http://www.infoworld.com/articles/es/xml/00/10/02/001002esnsso.xml Tagg, Gary. (2002). "Implementing a Kerberos Based Single Sign-on Infrastructure. Information Security Bulletin". Retrieved August 24, 2009. URL: http://www.chi chi-publishing.com/isb/backissues/ISB_2000/ISB0509/I ISB0509GT.pdf SB0509GT Yasin, Rutrell. (2002). "Password Pain Relief." Information Security. Retrieved August 24, 2009. URL: http://www.infosecuritymag.com/2002/apr/passwordm passwordmgmt.shtml Journal articles: Rosa Heckle, Wayne G. Lutters, David Gurzick. (2008). "Network authentication using single sign-on:the challenge of aligning mental models". ACM New York, NY, USA Jsang, A., J. Fabre, et al. (2005). Trust Requirements in Identity Management. Australasian Information Security Workshop." Newcastle, Australia Andrej Volchkov. (2001). "Revisiting Single Sign-On: A Pragmatic Approach in a New Context," IT Professional, vol. 3, no. 1, pp. 39-45 Christian Schlager , Monika Ganslmayer, (2007)."Effects of Architectural Decisions in Authentication and Authorisation Infrastructures". pp. 230-237 Patrick Harding , Leif Johansson , Nate Klingenstein. (2008). " Dynamic Security Assertion Markup Language: Simplifying Single Sign-On" pp. 83-85 Kaixing Wu , Xiaolin Yu.(2009). "A Model of Unite-Authentication Single Sign-On Based on SAML Underlying Web"pp. 211-213 Read More