Logging in to online services, wherever we are, has become a chore. We all groan when asked to create yet another username and password. Research has shown that 7 out of 10 users do not actually trust passwords to protect their online accounts, and yet 73% reuse the same password across different accounts.
Passwords are not even the easy option. According to a Dashlane report, the problem goes beyond password fatigue: on average, 11 passwords per person will be lost in 2015, and that figure is expected to double by 2020. Password fatigue, lost passwords and reliance on online recovery mechanisms (or expensive helpdesk calls) have together produced a chaotic and potentially insecure cloud sign-in landscape. This convoluted password situation is unacceptable and needs to change.
At the same time, cloud technologies are being adopted faster than ever. According to cloud specialist RightScale, 82% of companies are pursuing at least a hybrid cloud strategy, and 55% are re-architecting existing applications to run in the cloud.
Cloud SSO login: Savior in times of need
Not long ago, organizations typically controlled access to system resources through a directory such as LDAP, or with a separate username and password per application. Since then, Internet-based services have proliferated and organizations have built their own cloud computing environments. Traditional authentication has grown correspondingly more complex, which in turn creates password and account management problems, and the call for a more seamless credential management system has grown louder. The answer is Cloud Single Sign-on, or Cloud SSO.
Cloud SSO is an authentication method that lets a user access multiple applications and services, including those in the cloud, with a single login. The login is federated or delegated: the user authenticates once to an identity provider, and web applications and services accept that authentication instead of asking for a separate login, much as a single Google login signs you in to Google's whole suite of web applications.
Many common applications, such as those from Salesforce, Adobe or Microsoft, support cloud SSO at company level. Cloud SSO works with directories such as Active Directory and LDAP and with standard protocols such as SAML 2.0, OpenID Connect and WS-Federation, or with proprietary mechanisms built for a specific deployment. Microsoft has also invested heavily in Microsoft Azure Active Directory, a fully developed, SSO-enabled cloud directory. Standards, however, tend to prove their worth in extensibility and interoperability, letting organizations add applications and services as needed without bespoke integration work for each one.
What Cloud SSO is made of
Cloud SSO comprises the following basic components:
- The account: This must be provisioned, either by federation with an identity provider (IdP) or by synchronization/delegation with a directory such as LDAP. The account holds user attributes such as e-mail address, access rights and roles. Some IdPs also allow custom attributes to be defined that determine access rights within the SSO system.
- Credentials and authentication: The SSO account is tied to credentials, for example a username and password, ideally combined with a second factor such as an SMS PIN code or a biometric. These credentials authenticate the user once per single sign-on session, when they first request access to an application. Of the common second factors, SMS codes are the weakest, since they can be intercepted by SIM swapping or phished in real time; an app-based or hardware factor is preferable where the SSO product supports it.
- Identity/login token: This token is created per session by the identity provider and signed by it. It is what a web application or web service asks for before granting access. It carries the authentication information (claims) that prove the user's identity, so that the user need not log in again during the session. Each application must verify the token's signature, issuer, intended audience and expiry before trusting it; a token accepted without these checks makes the SSO system only as strong as its most careless application.
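The three components above fit together as follows, shown in an added Python example that is not part of the original article or of any vendor's product: the identity provider issues a signed, per-session token carrying the account's attributes, and a relying application verifies that token before granting access. The issuer URL, the account record, the application names and the HS256 shared secret are constructed for the demo; a production IdP signs with an asymmetric key (RS256 or ES256) and publishes only the public half, so that no application can forge tokens of its own.

```python
import base64
import hashlib
import hmac
import json

# Demo-only shared secret (constructed for this example). A real identity
# provider signs with an asymmetric key and publishes the public half, so no
# relying party can mint tokens; HS256 is used here only to stay dependency-free.
IDP_SECRET = b"demo-idp-signing-key"
IDP_ISSUER = "https://idp.example"          # hypothetical issuer URL

# Values in the "amr" claim (RFC 8176) that count as a second factor here.
MFA_METHODS = {"mfa", "otp", "hwk", "fpt", "sms"}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(account: dict, audience: str, amr: list, now: int, ttl: int = 600) -> str:
    """IdP side: after the user has authenticated once, mint a signed,
    short-lived token that carries the account's attributes as claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": IDP_ISSUER,
        "sub": account["sub"],
        "aud": audience,             # the one application this token is for
        "iat": now,
        "exp": now + ttl,            # short lifetime bounds the revocation gap
        "email": account["email"],
        "roles": account["roles"],   # attributes that drive access rights
        "amr": amr,                  # how the user authenticated
    }
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    signature = hmac.new(IDP_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_id_token(token: str, expected_aud: str, now: int,
                    revoked: frozenset = frozenset(), require_mfa: bool = False):
    """Relying-party side: every check that must pass before the application
    trusts the token. Returns (ok, reason, claims)."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed", None
    h, c, s = parts
    try:
        header = json.loads(b64url_decode(h))
        sig = b64url_decode(s)
    except ValueError:                      # covers bad base64, bad UTF-8, bad JSON
        return False, "malformed", None
    # Pin the algorithm; never let the token choose it (rules out "alg": "none").
    if header.get("alg") != "HS256":
        return False, "unexpected alg", None
    expected = hmac.new(IDP_SECRET, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature", None
    claims = json.loads(b64url_decode(c))   # safe to parse only after the signature holds
    if claims.get("iss") != IDP_ISSUER:
        return False, "bad issuer", None
    if claims.get("aud") != expected_aud:
        return False, "wrong audience", None  # token was minted for another app
    if now >= claims.get("exp", 0):
        return False, "expired", None
    if claims.get("sub") in revoked:
        return False, "revoked", None         # administrator pulled the account
    if require_mfa and not MFA_METHODS & set(claims.get("amr", [])):
        return False, "mfa required", None
    return True, "ok", claims


def authorize(claims: dict, required_role: str) -> bool:
    """Application-level decision driven by the attributes carried in the token."""
    return required_role in claims.get("roles", [])


if __name__ == "__main__":
    # Constructed sample account, as it might be provisioned from a directory.
    account = {"sub": "u-1001", "email": "alice@example.com", "roles": ["crm-user"]}
    now = 1_700_000_000
    token = issue_id_token(account, "crm", ["pwd", "otp"], now)
    print(verify_id_token(token, "crm", now, require_mfa=True)[:2])             # (True, 'ok')
    print(verify_id_token(token, "hr", now)[:2])                                # (False, 'wrong audience')
    print(verify_id_token(token, "crm", now + 601)[:2])                         # (False, 'expired')
    print(verify_id_token(token, "crm", now, revoked=frozenset({"u-1001"}))[:2])  # (False, 'revoked')
```

The audience check is what stops a token issued for one application from being replayed against another, and the `revoked` set models the administrator's central revocation: it only bites when an application next validates a token, which is why the token lifetime is kept to minutes rather than hours.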
Single sign-on and the world of mobile technology
Using cloud SSO on mobile devices gives organizations real control over the BYOD security problem. Employees' personal devices add a new dimension to security, and without deliberate control they can breach many security and privacy standards. Cloud SSO offers a practical way to bring personal devices back under company-wide security policies: access to web applications and services from any device is brokered by Cloud SSO. Furthermore, many SSO-enabled web applications also ship as native mobile apps, and many SSO products can handle access from those apps using the same SSO principles.
Cloud SSO: advantages and objections
- User experience benefit: SSO delivers a simplified, seamless user experience. It streamlines sign-in and gives quick access through automated login across applications.
- Centralized control advantage: Simplified credential management is a cornerstone of SSO. Because password changes and storage are handled in one place, these processes are easier to manage, and administrators can centrally control employee access to all cloud and in-house applications.
- Revocation advantage: With a single click, an administrator can revoke a user's access to all connected applications and manage expired accounts, which makes SSO a valuable tool for joiner, mover and leaver processes. Note that revocation at the identity provider takes effect when an application next validates the user's token; sessions already established persist until that token expires or the application checks back with the provider, so token lifetimes should be kept short.
- Productivity benefit: Time is lost whenever an employee waits for account setup or a password reset. This costs US companies, for example, around $420 per employee per year, or almost $210,000 in lost productivity per company. SSO significantly mitigates this.
But couldn’t the use of SSO also cause problems?
- The question of security: A single login is also a single point of failure: whoever holds a user's SSO credential holds the key to every connected application. The risk is mitigated with two-factor or multi-factor authentication, which most SSO solutions support, together with short token lifetimes and monitoring of the identity provider's sign-in logs, since the provider is now the place where an account takeover shows up first.
- The question of coverage: The solution must be extended to additional applications and login points over time. A good SSO product and standard protocols make adding new applications straightforward.
- The inter-federated model: An inter-federated system brings all the different applications and sites under one SSO umbrella. The business and legal arrangements for inter-federated applications and sites can be challenging, and establishing a central authority responsible for creating and managing identities also takes effort, but in the end the benefits are tangible.
The step into the cloud
Cloud SSO gives employees an excellent user experience while maintaining a good level of security. Using SSO for user access to distributed cloud applications and services means greater control for organizations; in particular, handling employee accounts becomes a smoother, more integrated process, with accounts easily enabled or disabled. Cloud SSO is a highly effective way to deal with the security and usability implications of the extended enterprise perimeter.