Signing into anywhere on the Internet has become everyone’s bugbear. We all tear our hair out at the request for the creation of, yet another, username and password.
Research has shown that 7 in 10 users don’t trust passwords to protect online accounts, yet 73% of us use the same password to access multiple accounts. And passwords are not an easy option; according to a report by DashLane the problem doesn’t stop at fatigue. The average number of lost passwords, per person, in 2015 is 11 and this number is expected to double by 2020. Password fatigue, lost passwords and the use of online recovery mechanisms, or worse, expensive help desk calls, have created an incredibly messy, potentially insecure Cloud sign in system. This nebulous password landscape is not tenable and needs to be improved.
At the same time, adoption of Cloud technologies is at its highest with research by Cloud architect specialists Right Scale showing that 82% of enterprises have at least a hybrid cloud strategy in place and 55% are moving towards Cloud based applications, by building Cloud architectures for existing applications.
Cloud Single Sign On to the Rescue
Until fairly recently an enterprise would rely on a directory system like LDAP, or username/password on a per application basis, to control access to system resources. As internet based services have blossomed and the enterprise has created their own Cloud computing environment, these types of authentication measures have created complexity, resulting in password and account management issues. This has generated a push towards a more seamless credential management system; this system being Cloud Single Sign On or Cloud SSO.
Cloud SSO is an authentication method that allows an individual user to access multiple applications and services, including those in a Cloud infrastructure, using a single login. SSO allows you to federate or delegate your users’ login so that they can access web applications and services without having to separately login to each – similar to how Google logs you into their suite of web applications after you’ve logged in a first time.
Many popular applications, such as those from Salesforce, Adobe and Microsoft are setup to handle enterprise Cloud SSO. Cloud SSO can work with directories like Active Directory and LDAP, standard protocols like SAML 2.0, OpenID Connect and WS Federation, or even proprietary systems built specifically for the purpose. Microsoft has also invested heavily in creating Microsoft Azure Active Directory which is a fully fledged Cloud SSO enabled directory. But standards are often better at maintaining extensibility in a system and ensuring interoperability, allowing organizations to add new applications and services as needed.
Cloud SSO Moving Parts
Cloud SSO is comprised of the following basic components:
- The account: This has to be provisioned and can be federated through an Identity Provider (IDP) or through synchronization / delegation with a directory like LDAP. The account contains data such as attributes about the user, e.g. their email address and may also hold access rights/roles. It is worth noting that some IDP’s allow individual attributes to determine access rights within an SSO system.
- Credentialing and authentication: The SSO account has credentials associated with it, for example a username and password and perhaps a second factor such as a SMS PIN code or biometric. These credentials authenticate the user to the single sign on session when they first request access to an application.
- Identity / login tokens: This is a token created on a per session basis. It is this token that is requested by a web application or service to allow access. It contains the authentication information to prove the users identity, so they don’t have to login again during that session.
Single Sign On and the Mobile Universe
Using Cloud SSO with mobile devices can give an enterprise true control over the BYOD security problem. Employee’s personal devices have added a new dimension of security issues into the enterprise and without careful control can push the enterprise out of compliance with many security and privacy standards. Cloud SSO is the most convenient method to pull personal devices back into the control of corporate security policies. Access to web apps and services from any device can be handled through Cloud SSO. Many web apps that support SSO can also be downloaded to mobile devices, as mobile apps and many SSO products can also handle mobile app access using Cloud SSO principles.
Cloud SSO: Benefits and Issues
Cloud SSO can offer a number of benefits, including:
- User experience benefits: The use of SSO creates a much more simplified and seamless experience for users. It streamlines sign in, allowing automated login across applications for fast access.
- Central control benefits: Easier control of credential management is a cornerstone of the SSO method. Password storage and changes are automatic and easier to manage. It allows administrators to centrally control employee access to all of their Cloud and enterprise applications.
- Revocation benefits: With a single click an administrator can revoke a user’s access to all applications and manage extinct accounts – this is a vital tool in modern enterprise personnel management.
- Productivity benefits: Lost time caused by password resets before an employee can actually start working, have been shown to cost U.S. businesses around $420 per employee per year, adding up to almost $210,000 per company in lost productivity. SSO massively reduces this issue.
But what about any problems that using SSO might bring?
- Security issues: although it may seem like a logical conclusion that a single login must mean one point of failure. There are ways around this, including the implementation of 2nd factor, which can be accommodated through most SSO implementations.
- Availability Issues: Extensibility of the solution to incorporate additional applications and login points. This can be accommodated through good SSO product choice and use of standard protocols, which allow you to easily add in new applications.
- Inter-federated model: An Inter-federated system is those that bring disparate applications and sites together under one SSO umbrella. Business and legal models for inter-federated applications and sites can potentially be challenging and the creation of a ’prime’ who pulls all the strings together can be a bit of work but will ultimately yield great benefits.
Going Forward Into the Cloud
Cloud SSO offers you a way to achieve a great user experience for your employees, whilst maintaining good levels of security. User access to distributed Cloud apps and services using SSO provides greater control for your organization. Employee account management becomes a more fluid and integrated operation, giving you an easy way to switch accounts on and off. Using Cloud SSO is a powerful way to handle the security and usability implications of the extended enterprise perimeter.
Michael Liebi ist Gründer und nun als Board Member bei United Security Providers tätig.