Single sign-on delivers both convenience and security
SSO manages hundreds of username and password combinations in one secure login process
06 September, 2016
category: Corporate, Digital ID, Financial
Productivity, security gains
SSO enables users to be much more productive, and they tend to adopt applications more quickly, says Centrify’s Williams.
When employees have access to numerous applications, they tend to avoid using the ones that are hard to access. As a result, they fall back on antiquated, and more time-consuming, ways to accomplish certain tasks.
For example, instead of using a new collaboration app, the employee might compose an email or make a phone call. “That doesn’t help to improve employee productivity,” Williams says. “All these new applications are frustrating to use if you can’t remember your username and password.”
SSO can also reduce help desk calls, which Williams says are password-related as often as 40% of the time.
An SSO system not only centralizes the authentication of applications, it often replaces usernames and passwords with temporary tokens generated via established digital identity standards. “These actually provide a better experience for the end user because there’s no password being transmitted across the wire, and it’s more secure for IT because these tokens are short lived and don’t represent the ongoing access of the password,” Williams says.
An SSO platform can also maintain a vault of individual or shared passwords for each user's accounts, so that users are logged on automatically without ever being prompted to type a password. "It reduces errors that lead to users locking their accounts, and it encourages best practices around password complexity and uniqueness for better security," Williams says.
SSO puts all authentication requests for an application through a centralized platform, where a company can look at the user’s behavior and decide whether or not that person should be getting access to an application. For instance, there’s no need to challenge or deny access to someone trying to sign on to their e-mail during work hours and within their company’s corporate network. “But if they’re accessing a system that they haven’t accessed in three months from China after hours, then maybe I want to deny access or prompt them for additional factors of authentication,” Williams says.
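The following is an added illustration, not code from the article or from Centrify, of the two mechanisms Williams describes above: the identity provider issues a short-lived signed token instead of forwarding the user's password, and a centralized policy looks at the context of each request (network, time of day, country, how recently the user touched the application) before deciding to allow, deny, or ask for an additional factor. The HMAC signing key, the five-minute lifetime, the 90-day dormancy window and the policy thresholds are all assumptions chosen for the example; a production identity provider would use asymmetric keys under standards such as SAML or OpenID Connect.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime

# Constructed demo key: a real IdP signs assertions with an asymmetric key pair.
IDP_SIGNING_KEY = b"constructed-demo-key-not-for-production"
TOKEN_TTL_SECONDS = 300          # assumption: tokens live five minutes
DORMANT_APP_DAYS = 90            # assumption: "not accessed in three months"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(user: str, app: str, now: float, key: bytes = IDP_SIGNING_KEY) -> str:
    """Issue a short-lived signed assertion for one application.

    The user's password never appears here: the IdP already authenticated the
    user, and only this bounded token crosses the wire to the application.
    """
    claims = {"sub": user, "aud": app, "iat": int(now), "exp": int(now) + TOKEN_TTL_SECONDS}
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"


def verify_token(token: str, app: str, now: float, key: bytes = IDP_SIGNING_KEY):
    """Return the claims if signature, audience and expiry check out, else None."""
    try:
        payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(sig), expected):   # constant-time compare
        return None
    claims = json.loads(_unb64(payload))
    if claims.get("aud") != app:                          # token minted for another app
        return None
    if now >= claims.get("exp", 0):                       # expired: no ongoing access
        return None
    return claims


def access_decision(ctx: dict) -> str:
    """Contextual policy at the central platform: 'allow', 'step_up' (ask for
    another factor) or 'deny'. Timestamps are ISO 8601 strings with offsets."""
    login = datetime.fromisoformat(ctx["login_time"])
    last = datetime.fromisoformat(ctx["last_access"])
    signals = []
    if not ctx["on_corporate_network"]:
        signals.append("off-network")
    if login.hour < 7 or login.hour >= 19:                # assumption: work hours 07:00-19:00
        signals.append("after-hours")
    if ctx["country"] != ctx["home_country"]:
        signals.append("foreign-country")
    if (login - last).days >= DORMANT_APP_DAYS:
        signals.append("dormant-app")
    if not signals:
        return "allow"
    return "deny" if len(signals) >= 3 else "step_up"     # assumed thresholds


# Constructed sample contexts mirroring the two situations in the text.
SAMPLE_CONTEXTS = {
    "mail_in_office": {
        "on_corporate_network": True, "country": "US", "home_country": "US",
        "login_time": "2016-09-06T10:15:00-04:00", "last_access": "2016-09-05T17:00:00-04:00",
    },
    "dormant_app_abroad_at_night": {
        "on_corporate_network": False, "country": "CN", "home_country": "US",
        "login_time": "2016-09-06T23:40:00+08:00", "last_access": "2016-05-01T09:00:00-04:00",
    },
    "dormant_app_in_office": {
        "on_corporate_network": True, "country": "US", "home_country": "US",
        "login_time": "2016-09-06T10:15:00-04:00", "last_access": "2016-05-01T09:00:00-04:00",
    },
}


def evaluate_samples() -> dict:
    return {name: access_decision(ctx) for name, ctx in SAMPLE_CONTEXTS.items()}


if __name__ == "__main__":
    now = 1_000_000.0
    tok = mint_token("alice", "mail", now)
    print("valid now:", verify_token(tok, "mail", now + 100) is not None)
    print("valid after TTL:", verify_token(tok, "mail", now + 400) is not None)
    for name, decision in evaluate_samples().items():
        print(f"{name}: {decision}")
```

Two details carry the security point. The token is bound to an audience and an expiry, so an intercepted token is useful against one application for at most five minutes, which is what "doesn't represent the ongoing access of the password" means in practice. And because every request funnels through `access_decision`, the same after-hours, off-network and dormant-application checks apply to every application without each one implementing its own.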
A case study in SSO evolution
Cetera Financial Group, a national network of independent broker-dealer firms, has relied on single sign-on to streamline workstation access for its advisers for seven years. About 20,000 independent financial advisers are direct members of the firm and need to access the company's network and 17 different service applications.
“We had this whole ecosystem of providers and internal applications that had their own identity stores. We had to figure out how to make all that into one experience for our advisers,” says Matt Lehman, chief information security officer at Cetera.
Cetera's adviser workstation portal gives advisers a place to log in and access client and transaction information. If an adviser wants to place a trade on behalf of a client, he clicks a trading button that opens another window and launches a third-party system. "That exchange has to have an SSO there, otherwise the whole thing breaks down really fast," Lehman says.
As the company’s needs have evolved over time, so too has its SSO setup. Moving to Centrify one year ago was the most recent step in this evolution.
Previously, Cetera only relied on SSO for things that absolutely had to be done that way. The idea behind switching to Centrify, Lehman says, was that the company wanted to start using SSO for everything and to have a single identity across cloud apps and internal apps alike.
In the past year, Cetera has cut the time it takes to onboard a new software application, previously a three- to nine-month process, to three weeks or less.
Cetera is also able to automate the process of granting entitlements for the company’s providers to access specific apps. Whereas the process used to take the company’s help desk three to four days, it now takes about an hour. “It cuts down our service desk’s costs as well,” Lehman says.
Steps to deployment
For an enterprise deploying its own single sign-on system, Dingle explains that the easiest and most common first step is to connect its existing user directory to an identity-as-a-service server. That server then sends security assertions to the enterprise's cloud apps on the user's behalf. "You get a lot of benefit from that very simple first step," she says.
Larger organizations can then think about how to secure the application programming interface, or API, on their mobile apps. Dingle says there’s a substantial security risk for companies that use native mobile apps a lot.
For cloud-based applications, Symantec’s Law says there are few, if any, hardware requirements necessary for SSO deployment. Integration primarily happens with other identity access management systems, authentication systems and the user directories that the enterprise uses.
“Authentication solutions that offer features such as passwordless authentication using the biometrics on the mobile device eliminate the password and further improve the user experience,” Law says.
Relying on one username and password might make things easier, but there are some risks involved with having a single set of keys to the kingdom. Enterprises are advised to pay close attention to that one password and watch for suspicious patterns in how users are logging into systems. “That’s much easier to do in a central environment,” Dingle says.
Adding multi-factor authentication becomes especially important when using single sign-on. “If you’re any kind of organization that cares about risk, a username and password simply is not enough in today’s security environment,” Dingle says.
Dingle points to Netflix, one of Ping’s clients, as an example. Netflix is outsourcing its multi-factor authentication to Google, which checks hundreds of different factors, beyond just passwords, to determine if a user is who they say they are.
“The security theory behind SSO is that a watched central system has a better chance of success than 100 unwatched distributed systems,” she says.