Separating single sign-on myths from fact
Single Sign On (SSO), the ability to authenticate only once and have automatic access to many systems, has many potential benefits ranging from lower IT overhead costs to increased end user convenience and even an increased level of data security that reduces overall organizational risk. It’s a powerful tool, which is why it is particularly of interest to CIOs in light of the increased number and severity of data breaches occurring around the globe – many of which are caused by inappropriate access to vital business data.
Yet despite the renewed level of interest in SSO, there are a number of myths that persist regarding the technology, how it works and how it is best used to provide business value. Here are four myths about SSO that in my experience persist among enterprise and government CIOs.
First, a baseline understanding of what SSO does
To first understand SSO, let’s establish a few baseline concepts about how SSO can help simplify IT operations and increase security.
Single sign-on is an approach that simplifies the management of access to more and more services by a growing constituency of users – users within your environment, that you know, and want to make as productive as possible. It allows you to manage access based on parameters – be it time of day, location, device used to access data or other parameters. This allows you to enable internal users to access what they need when they need it – no more and no less access than that required to do the job efficiently. It also simplifies removing access from a broad range of services quickly when necessary.
The right approach to SSO, enables organizations to build controls around the concept of identity. That’s important, because with the current rate of rapid changes in where the data resides, how it is accessed and where it is accessed from, user identity is often the only constant. Therefore, organizations must build their thinking around the processes of providing access and simplify the management of identity because these will enable them to meet the challenges of an increasingly complex and interconnected business environment. How do you simplify this process? Single sign-on is one solution.
Myth #1: SSO is password synchronization
Some IT professionals label the process of synchronizing username and password across applications as single sign-on; meaning there is one username and password that is synchronized across applications. The truth is that this is a relic of the early years of distributed computing, before true SSO solutions arrived on the market. This old (and frankly, crude) solution to the problem of multiple usernames and passwords provides only some convenience but fails to deliver greater compliance, administration or security benefits. Fortunately, however, modern solutions have phased out this approach, and now offer far more integrated and seamless functionality with tighter security controls as well as a far better audit trail than mere password synchronization could ever provide.
Myth #2: In SSO environments, users still enter their passwords and/or know the actual credential that is passed onto the application
Somewhat related to Myth #1, this misconception assumes that SSO provides no automation but rather is just passes through whatever the user enters. Not true, as this approach would provide little convenience with almost no security or compliance benefits! The truth is that SSO solutions provide authentication automation for each application accessed. Once the users have logged into their SSO solution, it automates the process of providing each application with a set of credentials for the user and ensures that the granular access policies for each application are applied. The SSO solution can also provide a detailed audit trail and centralized control over application access in the event of a security incident.
Myth #3: SSO reduces security
This outdated belief stems from that assumption that SSO provides a single set of keys to the kingdom, and that once those keys are in the wrong hands, then all applications will be at risk. But the truth is that when used properly, SSO actually increases security by enabling more complex authentication policies, randomizing passwords, enabling re-authentication within an application as needed.
In addition, SSO solves one of the biggest, long-standing and most intractable problems of security: leaving password management in the end users’ hands. Everyone knows that having strong, unique and regularly-changed passwords (that are not all written down in one place) is important for maintaining basic security of end user accounts. However, whether we are talking about work or personal accounts, as we all know that these best practices are seldom followed by end users without some form of enforcement mechanism from IT. A SSO solution requires users to remember one, secure password for everything they access, rather than forcing them to have many similar passwords (which will often be much weaker.)
Myth #4: SSO is only for internal users, not public-facing services
This last misconception deals with much more recent trends in IT, and requires a more thorough response.
As we discussed earlier in this article, SSO allows you increased efficiency in management, security and the ability to grant users access to online services. As organizations start to deepen their interactions with their customers or users, then they want to provide online access to services which are more personalized. One approach is to use the concept of social identity. This approach uses existing online identities, such as those created with services like Facebook or LinkedIn, and allows the same identity to be used to access a business’ or government entity’s services.
Social identity allows organizations to engage with users with the least amount of friction, at the lowest cost, and with minimal management burden. It also allows a business to grant more access to more people with less overhead and management headache, and therefore, provides an organization with SSO functionality to access public-facing web services. Therefore, SSO and social identity are complementary concepts that organizations can use to enable frictionless access to anything, from anywhere from any device, based upon an individual’s identity.
BYOI and the way forward
When we look at how things are evolving and changing with the consumerization of IT, it is likely that we are going to have to continue to assess how to utilize both SSO and social identity frameworks support business objectives.
We want to achieve verifiable identity based upon unique identities, within the given context of what those identities are seeking to access, from where, when and with what device. Therefore, social identity may provide the first step in authenticating an individual, but would need to be part of a process of secure and scalable authentication.
It may be that it is all that is required to access some services, or be part of a multi-factor authentication approach to really verify identity in order to access other, more sensitive data.
As social identity becomes more ubiquitous, we are already entering the era of “Bring Your Own Identity” (BYOI), where user identity is decoupled from traditional control, while businesses have the ability to rapidly provision, deprovision and manage individual access of data across public and private cloud services.
For CIOs that can get past these entrenched myths, and apply SSO in light of today’s disruptive IT trends, such as cloud, consumerization of IT, mobile and of course, social Identity, SSO’s long track record as a proven technology and solution offers additional layers of protection to existing identity and access solutions for comprehensive access authentication that circumvents the weakest link – humans who have challenges remembering dozens of user names and passwords. Perhaps most importantly, it strengthens today’s move towards far more comprehensive data protection measures to meet business and compliance demands.