There is nothing new about single sign on (SSO) systems; they have been on the market for many years as a way providing a single point of authentication of users before providing them access to IT resources. What is new is the increasing capability of SSO systems to better manage the changing way applications are being deployed and accessed.
Here are some examples:
- The rise and rise of software as a service (SaaS): the availability of on-demand applications is a boon to businesses as it saves running infrastructure in-house, leaving it to external experts. There is a down side; having given an employee access to several online resources, when they leave you need to remember to de-provision them from each. However, if access is only via a SSO system, the user does not even need to know the access credentials for each system. Each new user; temporary or permanent, internal or external, can be quickly provisioned and de-provisioned according to profiles and rules understood by the SSO system. The traditional SSO vendors are changing their products to better support SaaS, for example CA SiteMinder. For specialist vendors such as Ping Identity, Okta and Symplified (the partner behind Symantec’s O3 initiative) this is a fundamental feature of their products.
- The integration of external users and organisations: the degree to which external users are directly provided access to a given business’s internal IT resources is increasing rapidly. Doing so enables more integrated and efficient business processes and supply chains. Examples include car dealerships linking in to a manufacturer’s ordering systems and travel agents linking their customers to various travel resources such as airlines, hotels and car hire companies. Achieving this is eased if the SSO system can access and dynamically integrate a range of user directories, a capability that is integral to products such as Ping Federate.
- The rise of bring-your-own-device (BYOD): even businesses that don’t really like the idea are accepting that the BYOD trend cannot be ignored and has to be managed somehow. One of the dangers with BYOD is that if employees access a range of different corporate resources, both internally provisioned and SaaS-based, all with different usernames and passwords, some of these will be remembered and stored locally on the device. This is a danger should the device fall into the wrong hands or when the organisation’s relationship with the user ends. Limiting access from personal devices to a single SSO entry point minimises the problem; indeed, the device itself can form part of the strong authentication of the user to the SSO system. Policies built into the SSO system can also limit what a user has access to depending on the type of device and their physical location.
- The desire of employees to use consumer based web resources at work: business have been putting controls around what web resources employees can access via corporate networks for many years. Increasingly such rules and policies can be built into SSO systems, in effect merging in the web and URL filtering capabilities that have been provided in the past by specialist content filtering vendors. Some SSO vendors, such as the UK start-up SaaS-ID, have taken this to a new level by actually enabling their customers to change the appearance of third party web sites and limit the options that are made available.
It is clear that SSO systems have evolved way beyond the early use-case of saving employees from remembering a range of passwords. One of the down sides pointed to by the detractors of SSO is that it provides a single set of keys to the castle. However, linked with strong authentication this should not be an issue and should instead increase security, especially with the rise of BYOD.
Another criticism has been the complexity of deployment, but this has decreased with the rise of standards such LDAP (lightweight directory access protocol), SAML (security assertion mark-up language) and SCIM (originally simple cloud identity management) and the sophistication and increased of use of many current SSO systems.
A third criticism that could be levelled for all the above use cases is an SSO system becoming s single point of failure but this is true of any network device that is used to provide user access to applications. Resilience can be built into SSO just as with any other system. Furthermore, for ease of access and to open up SSO to smaller organisations SSO itself is now available as a SaaS-based resource, for example Ping One and SaaS-ID.
For those organisations that have looked as SSO in the past and rejected it, perhaps now is time to take another look. The sophistication of the new offerings that have come to market in the last few years help address a broad range of problems and provide a secure policy based identity-bridge between users and the resources they need access to.
Quocirca’s report “The identity perimeter” is freely available here https://www.pingidentity.com/support-and-downloads/download.cfm?item=62593 (registration required)