In March 2020, many people began working from home due to the COVID-19 pandemic. The email to your teammates stating that you were “working from home” instantly had new meaning. Working from home resulted in additional risk management and security challenges for employees, executive leadership, and information technology (IT) teams. Organizations that had not embarked upon the journey that is IT Modernization or that had not implemented identity and access management (IAM) struggled with business continuity efforts. A huge part of their struggle included the need for an instantaneous remote workforce, working from virtually anywhere, and in many cases, from any device, including unsecured devices.
What is Single Sign-on and How Does it Work
Using the same password for all software applications increases the chance that a cybercriminal who learns an individual's login credentials in one breach can reuse them everywhere else (credential stuffing) and gain unauthorized access, resulting in data theft, identity theft and other harm. On the other hand, remembering 10, 15 or 20 passwords to perform daily personal and professional tasks results in password fatigue, which corporate security policies make worse by requiring users to create complex passwords, enter and re-enter passwords or passphrases, and change passwords every 90 days.
Single Sign-On (SSO) is a solution that combats password fatigue. Why? Because it is easy and it considers the user experience. User experience is a very broad term, and in many respects, contextual. In general, user experience refers to what users think and how users feel when they use a product, application, system or service.
SSO allows users to access multiple applications, and the underlying data, without having to re-authenticate to each application. The user authenticates once, to a central identity provider (IdP), and the applications trust the IdP's verification instead of asking for credentials again. SSO therefore eliminates the need to create and recall a separate password for each application. In other words, users sign in to one account, one single time, and automatically gain access to multiple applications. Note what SSO is not: it is not the same password reused at every application. In federated SSO the applications never receive the password at all, which is exactly what removes the exposure described above.
The ability to federate identities to external apps and services is crucial to the SSO process. Federation separates identity verification from the applications themselves: the identity provider authenticates the user and issues a digitally signed assertion stating who the user is, which application it is intended for, and how long it is valid, and each application (the service provider) verifies that signature and those fields rather than running its own login. The most widely used federation standard in the enterprise is SAML (Security Assertion Markup Language); OpenID Connect, built on OAuth 2.0, plays the same role for many newer web and mobile applications.
However, SSO is only one aspect of managing user access. It must be combined with risk-based access control that evaluates the context of each sign-in (the device, the location, the sensitivity of the application being requested) to enable conditional access and to step up to multi-factor authentication (MFA) when the risk warrants it. A static login that grants the same access for all user activities is not enough for the evolving risk landscape in which businesses operate. Concentrating authentication in one place also concentrates risk: the identity provider and the session it issues become the highest-value targets in the environment, so MFA and session protection at the identity provider are not optional extras.
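The following is an added example, not code from the article or from any SSO product, that ties together the two ideas above: the federated assertion flow (one login at the identity provider, separate signed assertions for each application, each application verifying what it receives) and a risk-based policy that decides whether a password is enough or the user must step up to MFA before an assertion is issued. It is a deliberately simplified model: a shared HMAC key stands in for the IdP's signing certificate (real SAML signs XML with an RSA or ECDSA private key that only the IdP holds), the assertion is JSON rather than XML, and the hostnames, user name, policy rules and timestamps are all constructed for the example. The checks the service provider performs (signature, issuer, audience, validity window, replay, authentication strength) are the ones a real SAML or OIDC service provider must perform.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed for this example: one HMAC key shared by the IdP and the SPs stands in
# for the IdP's signing certificate. A real SAML IdP signs with a private key and each
# SP verifies with the IdP's public certificate; the SP-side checks are the same.
IDP_ISSUER = "https://idp.example.com"          # hypothetical identity provider
IDP_SIGNING_KEY = b"example-idp-key-not-for-production"

AUTH_LEVELS = {"password": 1, "mfa": 2}


def required_auth_level(app_sensitivity, device_managed, new_location):
    """Risk-based policy at the IdP: 'password', 'mfa' or 'block'. Rules are illustrative."""
    if app_sensitivity == "high" and not device_managed:
        return "block"      # unmanaged device may not reach sensitive data at all
    if app_sensitivity == "high" or new_location:
        return "mfa"        # step up: a password alone is not enough in this context
    return "password"


def issue_assertion(subject, audience, auth_level, now, ttl=300):
    """IdP side: the user already authenticated once; mint a signed assertion for ONE SP."""
    if auth_level not in AUTH_LEVELS:
        raise ValueError("policy did not allow sign-in")
    claims = {
        "id": secrets.token_hex(16),   # unique, so an SP can refuse a replayed assertion
        "issuer": IDP_ISSUER,
        "subject": subject,
        "audience": audience,          # valid for exactly one SP (SAML AudienceRestriction)
        "auth_level": auth_level,      # how the user authenticated (SAML AuthnContextClassRef)
        "not_before": now,
        "not_on_or_after": now + ttl,  # short validity window limits the damage of a leak
    }
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(IDP_SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


class ServiceProvider:
    """SP side: never sees the user's password; trusts only what it can verify."""

    def __init__(self, entity_id, min_auth_level="password"):
        self.entity_id = entity_id
        self.min_auth_level = min_auth_level
        self.seen_ids = set()          # assertion IDs already consumed

    def verify(self, assertion, now):
        """Return the authenticated subject, or raise ValueError naming the failed check."""
        expected = hmac.new(IDP_SIGNING_KEY, assertion["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["sig"]):
            raise ValueError("bad signature")                   # verify first, parse second
        claims = json.loads(base64.urlsafe_b64decode(assertion["body"]))
        if claims["issuer"] != IDP_ISSUER:
            raise ValueError("unknown issuer")
        if claims["audience"] != self.entity_id:
            raise ValueError("wrong audience")                  # minted for another application
        if not claims["not_before"] <= now < claims["not_on_or_after"]:
            raise ValueError("outside validity window")
        if claims["id"] in self.seen_ids:
            raise ValueError("replayed assertion")
        if AUTH_LEVELS[claims["auth_level"]] < AUTH_LEVELS[self.min_auth_level]:
            raise ValueError("insufficient authentication strength")
        self.seen_ids.add(claims["id"])
        return claims["subject"]


def demo():
    """One login at the IdP, two applications, then the cases an SP must reject."""
    now = 1_700_000_000
    hr = ServiceProvider("https://hr.example.com", min_auth_level="mfa")   # sensitive app
    wiki = ServiceProvider("https://wiki.example.com")
    level = required_auth_level("high", device_managed=True, new_location=False)
    a_hr = issue_assertion("alice", hr.entity_id, level, now)      # same IdP session,
    a_wiki = issue_assertion("alice", wiki.entity_id, level, now)  # two assertions
    out = {"level": level, "hr": hr.verify(a_hr, now), "wiki": wiki.verify(a_wiki, now)}
    rejected = {}
    for name, sp, assertion in [
        ("replay", hr, a_hr),                                   # same assertion presented twice
        ("wrong_audience", hr, a_wiki),                         # wiki's assertion shown to HR
        ("expired", wiki, issue_assertion("alice", wiki.entity_id, level, now - 600)),
        ("tampered", wiki, {"body": "f" + a_wiki["body"][1:], "sig": a_wiki["sig"]}),
        ("weak_auth", hr, issue_assertion("alice", hr.entity_id, "password", now)),
    ]:
        try:
            sp.verify(assertion, now)
            rejected[name] = "accepted"
        except ValueError as err:
            rejected[name] = str(err)
    out["rejected"] = rejected
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two details carry most of the security value. The audience check is what stops an assertion obtained for a low-value application from being presented to a high-value one, and the replay check plus a short validity window bound what an intercepted assertion is worth. The `min_auth_level` on the HR service provider shows step-up in practice: the IdP can record how the user authenticated, and a sensitive application can refuse a session that was established with a password alone.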
Five Benefits of Single Sign-on
SSO has several benefits and use cases. The following five benefits highlight why SSO is a practical enterprise solution for organizations.
- Improves user experience and mitigates risks associated with password fatigue by eliminating the need to maintain and use multiple passwords to access multiple applications.
- Improves a company’s bottom line by increasing employees’ productivity and ability to access multiple applications efficiently.
- Results in reduced burden on an organization’s IT help desk function (e.g., fewer requests to reset passwords).
- Supports Business to Business (B2B), Business to Consumer (B2C) and Business to Employee (B2E) activities (e.g., provisioning and de-provisioning a single account).
- Bolsters Identity and Access Management (IAM) programs and an organization’s overall security posture.
Password Vaults, SSO and Virtual Private Networks
Password vaults, also described as password managers, are encrypted stores that hold usernames and passwords. They are used to manage all of the passwords that an individual maintains to access software applications and websites. Individuals who use a password manager only need to remember one master password, which unlocks all of the others. One drawback to using a password manager is the initial time investment of creating or importing the accounts, usernames and passwords for each application or website you want the password manager to handle.
Like SSO, password vaults mitigate password fatigue by removing the need to remember a separate password for each application you access. Unlike SSO, however, a password manager is exactly what its name says: a digital vault in which the other passwords are stored. Each application still has its own credential; when the user logs on, the vault retrieves the correct one and fills it into the application, so the application still receives a password and still has to protect it. A vault protected only by its master password is only as strong as that password. Anyone who obtains a copy of the vault file can guess master passwords offline, without the rate limits or lockouts a live login enforces, which is why the master password must be long and unique and the vault account itself should be protected by MFA.
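The following is an added example, not code from the article or from any password manager, showing the mechanics described above: a master password is run through a slow key-derivation function (PBKDF2), the stored credentials are encrypted under the derived key with an integrity tag, the manager hands each site its own password at login time, and an attacker holding a stolen copy of the vault can try master passwords offline with nothing but the KDF to slow them down. The cipher here is a toy keystream built from HMAC-SHA256 standing in for the AES-GCM a real manager uses; the vault entries, the master passwords, the iteration count and the attacker's wordlist are all constructed for the example.

```python
import hashlib
import hmac
import json
import os

# Constructed toy vault: PBKDF2 turns the master password into keys, entries are
# encrypted with an HMAC-SHA256 keystream (a stand-in for the AES-GCM a real manager
# uses), and an HMAC tag detects tampering and wrong passwords. The cipher is
# illustrative only; the KDF and the offline-guessing risk are the point.
PBKDF2_ROUNDS = 50_000   # real managers use far more; kept modest so the demo runs quickly

# Constructed sample data: what the vault holds and a tiny attacker wordlist.
SAMPLE_ENTRIES = {
    "https://hr.example.com": {"username": "alice", "password": "Qv7!pLm2#zR9wXcd"},
    "https://wiki.example.com": {"username": "alice", "password": "t3Ns0r-bAnan4-Ri0t"},
}
WORDLIST = ["password", "123456", "Welcome1", "Summer2020!", "letmein", "Qwerty!23"]


def derive_keys(master_password, salt):
    """Slow KDF: one encryption key and one MAC key from the master password."""
    dk = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, PBKDF2_ROUNDS, dklen=64)
    return dk[:32], dk[32:]


def keystream_xor(key, nonce, data):
    """Toy stream cipher: XOR data with HMAC(key, nonce || counter) blocks."""
    stream = b""
    for counter in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def lock_vault(master_password, entries):
    """Encrypt-then-MAC the entry table; the result is what sits on disk or in the cloud."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    ct = keystream_xor(enc_key, nonce, json.dumps(entries, sort_keys=True).encode())
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}


def unlock_vault(master_password, vault):
    """Return the entries, or None if the master password is wrong or the file was altered."""
    enc_key, mac_key = derive_keys(master_password, vault["salt"])
    tag = hmac.new(mac_key, vault["nonce"] + vault["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, vault["tag"]):
        return None                      # verify before decrypting; never act on unauthenticated data
    return json.loads(keystream_xor(enc_key, vault["nonce"], vault["ct"]))


def fill_credential(master_password, vault, site):
    """What the manager does at login: hand the site ITS OWN password (contrast with SSO)."""
    entries = unlock_vault(master_password, vault)
    return None if entries is None else entries.get(site)


def offline_guess(vault, wordlist):
    """Attacker with a stolen vault file: no lockout, no rate limit, only the KDF slows them.

    Returns (master_password, attempts) on success or (None, attempts) if the list runs out.
    """
    for attempts, guess in enumerate(wordlist, 1):
        if unlock_vault(guess, vault) is not None:
            return guess, attempts
    return None, len(wordlist)


def demo():
    """A weak master password falls to a six-word list; a strong one does not."""
    weak = lock_vault("Summer2020!", SAMPLE_ENTRIES)
    strong = lock_vault("correct horse battery staple mimosa", SAMPLE_ENTRIES)
    return {
        "hr_login": fill_credential("Summer2020!", weak, "https://hr.example.com"),
        "weak_cracked": offline_guess(weak, WORDLIST),
        "strong_cracked": offline_guess(strong, WORDLIST),
    }


if __name__ == "__main__":
    print(demo())
```

The contrast with the SSO model is in `fill_credential`: the vault solves the memory problem but still delivers a real password to every application, so each application remains a place where that password can be phished, logged or breached. The contrast with a live login is in `offline_guess`: a stolen vault file gives the attacker unlimited attempts, which only a strong master password and a deliberately slow KDF can defend against.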
Organizations that are considering enhancing IAM also note the challenges that accompany the virtual private network (VPN) model. A VPN provides an encrypted connection over the Internet from a device to a network. While VPNs create a trusted zone, that trusted zone is also their weakness: the VPN authenticates the connection once and then grants access at the network level rather than to a single application. An adversary who obtains valid VPN credentials, or who exploits a vulnerability in the VPN gateway itself, lands inside the trusted network and can reach the data and applications it protects.
We are a society that focuses immensely on efficiency and convenience. Let's face it, we want easy access! Processes and workflows that take more steps than necessary to achieve the desired goal or a desirable user experience are often met with resistance and resentment. Notwithstanding that resistance, organizations must balance the desire for easy access and convenience against enterprise security risk. In doing so, implementing strong IAM combined with strong authentication is an absolute must. Strong IAM programs, which recognize that usernames and passwords cannot remain the sole method of authentication, will deploy SSO to keep pace with the proliferation of apps, the remote nature of the post-pandemic workforce, and users' expectations.
About the Author:
Ambler is an attorney with an extensive background in corporate governance, regulatory compliance, and privacy law. She currently consults on governance, risk and compliance, enterprise data management, and data privacy and security matters in Washington, DC. She also writes about today’s most important cybersecurity and regulatory compliance issues.