When I tell people I work for an identity management company, a common response I receive is “Oh, you mean single sign-on?” For this reason, I have come to believe single sign-on, or SSO, is the “cola” of the IT security lexicon. Much as “coke” is used as a catchall for a multitude of sodas, so that “do you want a coke?” really means “pick from our sodas,” SSO is used as a catchall that wrongly implies several distinct components of enterprise password management.
The SSO misnomer is top of mind because on Monday night, at a St. Patrick’s Day celebration, I heard enough blarney to inflate a whole cloud of SSO fantasies. In the moment, I found myself in a precarious situation: on one hand I could reveal what is really in the pot at the end of the rainbow, and on the other I risked the melancholy. So I popped a Guinness, counted my lucky stars and used the shamrock to debunk three single sign-on software myths.
Before I start a jig, one thing is important to note. A shamrock has three leaves, and together they maximize photosynthesis. Likewise, enterprise password management has three parts that together maximize operational efficiency. SSO is one leaf. The other two are self-service administration and identity authentication.
For every IT organization, self-service password reset and password management are the quickest way to reduce help desk burden and lower costs. For an enterprise, strong identity authentication is the best way to improve information security and access management. SSO includes neither self-service password management nor strong authentication. It is one leaf on the stem, and that is where the tale begins.
Myth 1: Single Sign-On Software Lowers Costs
The fable goes that SSO lowers IT costs: it eliminates the need for password resets, the number one help desk request, and enables organizational efficiency through self-service password administration.
May the road rise up to meet you on the day SSO includes self-service password reset.
Self-service password management is not inherent in SSO. Self-service password tools let business users change their passwords, synchronize passwords across enterprise systems, unlock their accounts, and change their challenge questions. In enterprise password management, the operational savings from fewer help desk calls come mainly from those self-service tools, not from SSO. SSO does reduce the number of passwords a user must remember, and so trims some reset requests, but without self-service tools every remaining reset, unlock or challenge-question change is still a call to the help desk.
Myth 2: SSO Improves Information Security
Internet folklore and Y2K-era pioneers hold that SSO improves security because users no longer write down their passwords, and that since one password gets you into all applications, SSO increases security by enforcing identity privileges.
May the sun shine warm upon your face on the day single sign-on software authorizes user access and manages account privileges.
Let’s be clear: when one password grants access to all systems, your risk increases. Every lost or compromised password now exposes every application behind it, not just one, which is also why that single front door deserves strong authentication rather than a password alone. Additionally, SSO does not control entitlements and privileges. SSO answers only the question of who the user is; user provisioning and governance, not single sign-on software, decide what that user may do across multiple applications. To improve security, organizations must integrate SSO with account provisioning, entitlement management, de-provisioning, and credential management. Single sign-on software improves security only when it operates in conjunction with an identity authentication and access management system.
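To make the authentication-versus-authorization split in Myth 2 concrete, the following is an added illustration written for this page, not code from the author or any product mentioned here. It models an SSO assertion (signed with a constructed HMAC key standing in for an identity provider's signing key) that proves who the user is, and a separate, constructed entitlement store that provisioning and de-provisioning maintain. The same assertion opens every application the user is entitled to, which is the blast-radius point, and de-provisioning cuts access off even though the assertion still verifies. All names, keys and entitlements are invented for the example.

```python
import hashlib
import hmac
import json
import time

# Constructed example key: stands in for the identity provider's signing key.
# A real IdP would use an asymmetric key; HMAC keeps this self-contained.
IDP_KEY = b"example-idp-signing-key"

# Constructed entitlement store: the system of record for who may do what.
# SSO never consults it; provisioning and de-provisioning maintain it.
ENTITLEMENTS = {
    "alice": {"payroll": {"read"}, "crm": {"read", "write"}},
    "bob": {"crm": {"read"}},
}


def issue_assertion(subject, ttl=300):
    """Identity provider side: state who authenticated, and sign it."""
    payload = {"sub": subject, "exp": int(time.time()) + ttl}
    body = json.dumps(payload, sort_keys=True)
    sig = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig


def verify_assertion(assertion):
    """Service provider side: authentication only.

    Returns the authenticated subject, or None if the signature is wrong
    or the assertion has expired. Says nothing about what the subject may do.
    """
    body, _, sig = assertion.rpartition(".")
    expected = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    payload = json.loads(body)
    if payload["exp"] < time.time():
        return None
    return payload["sub"]


def authorize(subject, app, action):
    """Authorization: a separate decision, made from the entitlement store."""
    return action in ENTITLEMENTS.get(subject, {}).get(app, set())


def access(assertion, app, action):
    """What each application should do: authenticate, then authorize."""
    subject = verify_assertion(assertion)
    if subject is None:
        return "denied: not authenticated"
    if not authorize(subject, app, action):
        return "denied: %s not entitled to %s on %s" % (subject, action, app)
    return "allowed: %s may %s %s" % (subject, action, app)


def deprovision(subject):
    """De-provisioning removes entitlements; outstanding assertions still verify."""
    ENTITLEMENTS.pop(subject, None)


if __name__ == "__main__":
    token = issue_assertion("alice")
    # One assertion, many applications: the blast radius of a single credential.
    print(access(token, "payroll", "read"))
    print(access(token, "crm", "write"))
    # A tampered assertion fails authentication before any entitlement is checked.
    print(access(token.replace('"sub": "alice"', '"sub": "bob"'), "crm", "read"))
    # After de-provisioning, the still-valid assertion no longer gets alice anywhere.
    deprovision("alice")
    print(verify_assertion(token), access(token, "crm", "read"))
```

The point to take from the block is where each decision lives: the assertion proves identity once for every application, so a stolen one is worth as much as all of alice's accounts combined, while the answer to "may she write to the CRM?" comes from a store that SSO never touches and that de-provisioning can empty at any time.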
Myth 3: Cloud SSO Reduces Enterprise Risks
Information age evangelists advocate moving all operations to the cloud, including password management. In this tale, you gleefully dance and sing about the benefits of handing a cloud SSO service the keys to the enterprise kingdom.
Christ on a bike do not let a SSO cloud service manage your enterprise identities.
Do not duplicate your enterprise identities in the cloud, and do not assume a third party will safeguard your customer data better than you will. Instead, deploy solutions that extend and synchronize your on-premises directories and provision user accounts directly to your cloud services. Apply two-factor and multi-factor authentication to strengthen identity authentication, and deliver access control based on corporate policies and business rules. Unless you are a small, SaaS-only business, never put your identities in the cloud. For an enterprise of any significance, cloud SSO reduces information security risk only when your own directories control access.
Perhaps the most widely proclaimed SSO myth is the name itself. Truly, there is no such thing as an SSO password. Once high-security web applications that still demand their own sign-on are included, SSO more correctly means managed sign-on. SSO certainly reduces sign-ons and improves the user experience. Yet unless it is bundled with a unified enterprise password management and identity management solution, the full information security value of self-service and identity authentication cannot be realized.
In the end, the moral is to take a look at the state o’you before jumping off a SSO bridge.
Learn the Top 10 Password Management Best Practices for successful implementations from industry experts. Use this guide to sidestep the challenges that typically derail enterprise password management projects.