You are here

How to get single sign-on right in today's hybrid IT environments

public://pictures/Robert-Lemos-Technology-Journalist-Lemos-Associates.jpg
Robert Lemos, Freelance writer

The ability to sign in once to a corporate workstation and use every business application is expected in today's workplace.

Single sign-on (SSO) technology has changed over the past two decades—from header-based techniques and Active Directory synchronization to Security Assertion Markup Language (SAML) and OAuth 2.0-based OpenID Connect. But the benefits to worker productivity, overall security, and the management of identity and access make it a key part of any enterprise infrastructure.

At the same time, the technology stack is getting more complex, business applications more distributed, and security considerations more critical. Identities are necessary for on-premises workstation and applications, but also for cloud services and mobile devices, said Merritt Maxim, vice president and research director of Forrester Research.

"We have more Web apps, more SaaS apps, and, now, you have microservices, API-based stuff, and containers. There is a wide range of new options, all of which have value to organizations, but all which have their own identity challenges and require identity controls."
Merritt Maxim

Done right, an SSO system can deliver significant benefits. Some 29% of breaches in 2018 were caused by the abuse of legitimate credentials, according to Verizon's 2019 Data Breach Investigations Report. And the productivity gains are significant: Saving three minutes of time for employees can save a 5,000-person company about $1.5 million a year.

Here are five ways that companies can get SSO right in today's complex enterprise environments.

[ Data privacy regulations like the GDPR and CCPA are becoming the norm. Get up to speed with these best practices from top organizations. ]

1. Deployment requires focus and persistance

Rolling out SSO services and maintaining coverage across all critical applications can be difficult. Companies should consider identity management and SSO systems not as fire-and-forget, but as infrastructure that needs full-time employees to maintain and support them.

"The most common mistake we see is that companies regard authentication management solutions as just another project or business application," Forrester said in its Now Tech: Authentication Management Solutions, Q3 2018 report.

"In reality, authentication management solutions demand 24x7 support, since, if your authentication is down, neither your employees, your business partners, nor your customers can access your site, invariably causing dissatisfaction, lost profits, and damaged reputation," the report said.

Deploying identity and access management for cloud-based systems is fairly simple, but collecting every critical business application under a single identity is far more complex. On-premises is a little bit different, said Thomas Pedersen, CTO and founder of identity provider OneLogin. Customers have old commercial applications, and a bunch of homegrown applications. 

"When you talk to customers about single sign-on for the cloud, they all have pretty much the same apps—they have Salesforce, they have Office 365—those are completely cookie cutter. And when you move into bigger enterprises, the challenges become even more difficult, especially if they have grown through acquisition or have legacy software."
Thomas Pedersen

2. Abstract away complexity

The technologies underpinning SSO systems have rapidly evolved. OAuth gave way to SAML. Nowadays, OpenID Connect, based on OAuth 2.0, is widely adopted.

Each technology has a different set of strengths and use cases—and for the most part, companies do not have to worry about the technological foundation of their service. They just need to ensure the service integrates with the applications they need, said Sean Frazier, advisory CISO at Duo Security, a provider of identity-management systems.

"You need something that scales, you need something that integrates with all your cloud things and all your non-cloud things, and you need that integration to be simple. One of the biggest security problems is complexity of configuration and complexity of integration."
Sean Frazier

SSO delivers the easiest integration with cloud applications. When almost every application that your company uses in day-to-day business requires the user to log in, SSO can boost productivity significantly. Provisioning on-premises applications can be hard.

Forrester's Maxim noted the reality for most companies is they are not 100% in the cloud, and they are not 100% on-premises.

"Hybrid is the operative word here. It is a mix, and they want to provide single sign-on across that mix of applications. Users want consistent sign-on across those modalities."
—Merritt Maxim

[ View Webinar: Five Steps to Implement a Universal Policy Strategy ]

3. Create a reasonable disaster recovery plan

The downside of cloud-based SSO is that a service outage can disrupt your business. In 2018, a widespread outage for Amazon's eastern U.S. region caused by a power failure resulted in Capital One banking customers unable to access their accounts and developers using Atlassian sidelined for a few hours. Later that same year, a code update went wrong and caused an outage for Microsoft Azure's cloud platform, including its identity service, Azure Active Directory.

Companies should consider what actions they need to take to keep the business going during such an outage. Synchronizing credentials for critical services may be warranted, but brings with it security risks. In addition, the cost and time requirements of complex recovery plans may outpace the actual benefits, since most outages only last a few hours. 

"If you have a lot of different SaaS apps, by the time you changed all those, historically we would have been back on line. It may not be the right investment."
—Thomas Pedersen

4. Multifactor is a must

A company can never guarantee that its workers are not using the same password to authenticate with a SSO solution as they do, say, on Facebook. For that reason, multifactor authentication for the main SSO credential is especially critical.

"Multifactor is a best practice regardless if you are using SSO or not. The more you can strengthen the authentication process and reduce reliance on passwords, the better off you are. Compromised credentials remain, if not the most significant form of attack, one fo the top three."
—Thomas Pedersen

Multifactor authentication can also help during some breaches of the identity provider. In 2017, for example, OneLogin notified its customers that an attacker had gained access to the company's Amazon Web Services API keys through a third-party host.

At customer sites, OneLogin administrators had to rotate their SAML certificates, their integration tokens for two-factor authentication services, and change any passwords that workers had saved in OneLogin's Secure Notes feature. Multiple factors of authentication would have prevented the attacker from further extending the compromise to clients' applications after OneLogin remediated the issue.

5. Keep developers in mind

Companies developing internal applications need to have developers take part in any discussion about adopting, deploying, or changing an SSO system. Because developers will have to adopt a central authentication framework and support existing Active Directory and LDAP implementations, they should have a seat at the table.

Part of that process will be selling developers on the benefits of a particular SSO framework, said Duo Security's Frazier.

"Developers don't even like to turn on basic things like TLS and SSL encryption, so you need to spend time with your developers to make sure that they understand the need to be turning on the bare bones of security."
—Sean Frazier

All systems go for SSO?

SSO systems are a critical part of any company's identity and access management (IAM) infrastructure and needs to be treated as such. A good SSO system, integrated tightly with enterprise applications, will improve productivity, security, and manageability.

Share your team's experience and best practices for getting SSO rolling running smoothly in your enterprise in the comments section below.

[ See Webinar: Data Protection: Your Biggest Reputational Risk? ]