Single Sign-On: Taking a Global Approach

Protecting business data without onerous authentication processes for employees is a challenge that most businesses will face. Single Sign-On (SSO) solutions alleviate this by managing access to multiple applications using a single login and password.

Choosing the right SSO solution can be hard and depends on the company’s existing IT environment, objectives and priorities. Often, companies have to maintain, operate, supervise and audit multiple solutions and, for historical reasons, may already have separate SSOs in place to cover different concerns.

From a cost and simplicity perspective, implementing a Global SSO solution makes a lot more sense. Covering every specific SSO challenge from a single platform, Global SSO allows organizations to invest at their own pace, while leveraging previous investments and creating a global coverage model. To see why this matters, it helps to understand today’s SSO landscape.

Review of the SSO Landscape Today

Enterprise SSO or eSSO

Often, the main driver in implementing eSSO is to make users’ lives easier. It works by deploying one or more components on workstations connected to the organization’s IT systems. eSSO then injects secondary credentials, such as users’ logins and passwords, into applications which have previously been ‘enrolled’. It is particularly useful if you need to secure access to a range of assorted applications. However, it does require a specific installation on each workstation by the IT department.

Web Access Management (WAM or Web SSO)

WAM is designed to secure web-based architectures such as extranet/intranet portals. Although WAM only applies to web applications, it generally enforces a stronger level of security than eSSO due to the implementation of advanced access control rules. Unlike eSSO, it does not require deployment on each workstation, but may sometimes require specific developments at the application level.

Identity Federation

Technically, Identity Federation is a way to operate web SSO authentication using industry-standard protocols (SAMLv2, OAuth2, OpenID Connect and WS-Federation). From a business perspective, its main benefit is that it allows different legal entities to safely exchange authentication and access rights information, providing users with a single secure authentication experience between distinct web domains. Within the extended enterprise this spares companies from having to manage their partners' identities. It also helps set up specific identity management infrastructures for each operational entity within a complex organization.
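Whichever federation protocol is used, the security of the exchange rests on the receiving side validating what it is given: the relying party must check the signature, the issuer, the intended audience, the lifetime and the nonce before it trusts an assertion or token. The following is an added example, not code from the article or from any product it mentions, showing those checks for an OpenID Connect ID token. It assumes a hypothetical issuer and client ID, a shared client secret, and HS256 signing (OpenID Connect also allows this mode; production deployments more commonly use RS256 with the provider's published keys, which changes only the signature step).

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for a hypothetical identity provider (issuer) and relying party.
EXPECTED_ISSUER = "https://idp.example.test"
EXPECTED_AUDIENCE = "rp-client-id"
CLIENT_SECRET = b"constructed-shared-secret-for-this-example-only"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(claims: dict, secret: bytes = CLIENT_SECRET) -> str:
    """Stand-in for the identity provider: mint an HS256-signed ID token (JWS compact form)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_id_token(token: str, expected_nonce: str, now: Optional[float] = None,
                      secret: bytes = CLIENT_SECRET) -> dict:
    """Relying-party checks before an ID token is trusted; raises ValueError on any failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected header.payload.signature")
    header_b64, payload_b64, sig_b64 = parts

    # 1. Pin the algorithm. The token's own header must never be allowed to pick
    #    'none' or switch to an algorithm the relying party did not configure.
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")

    # 2. Verify the signature over the exact bytes received, in constant time.
    expected_sig = hmac.new(secret, (header_b64 + "." + payload_b64).encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")

    # 3. Only now look at the claims: issuer, audience, lifetime, nonce.
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this relying party")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("token expired or missing exp")
    if isinstance(claims.get("iat"), (int, float)) and claims["iat"] > now + 60:
        raise ValueError("token issued in the future")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: token does not belong to this login attempt")
    return claims


def token_is_acceptable(token: str, expected_nonce: str, now: Optional[float] = None) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_id_token(token, expected_nonce, now=now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = issue_id_token({"iss": EXPECTED_ISSUER, "sub": "user-42", "aud": EXPECTED_AUDIENCE,
                          "iat": t0, "exp": t0 + 300, "nonce": "n-1"})
    print(validate_id_token(tok, "n-1", now=t0 + 10)["sub"])
```

The order of the checks is deliberate: the algorithm is pinned and the signature verified before any claim is read, so unsigned or re-signed content never influences a decision, and the nonce ties the token to the login attempt that requested it, which is what stops a token captured elsewhere from being replayed against this relying party.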

Mobile SSO

Mobile SSO provides SSO functions to mobile devices, securing access via these devices to applications within an organization’s IT systems. This market has recently been stimulated by the boom in mobile devices and their impact on business usage. Currently, many companies rely on specific developments for mobile SSO due to the lack of alternative solutions on the market.

The risk: Implementing Different SSO Solutions for Similar Authentication Needs

Let us now consider a typical scenario, where an organization wants to deploy strong authentication, Single Sign-On and audit users’ access to its IT systems, in order to improve both the user experience and IT security.

The organization’s IT systems typically include:

  • Internal and external applications (running in SaaS or cloud mode), managed or not, based on various technologies (thick client, web, virtualized application, mainframe) with different levels of sensitivity and criticality.
  • Internal or external users on managed PCs or on other devices (thin clients, mobile devices), some of whom will require strong authentication.

In this example the organization has identified a need for eSSO, Web Access Management, Identity Federation and Mobile SSO. In our experience, in most cases the result will be as follows:

  • An eSSO solution has been deployed internally on each connected workstation, providing single authentication and enabling autonomous password reset.
  • A Web Access Management solution is used to protect web applications deployed on the intranet/extranet.
  • Identity Federation is in place, dedicated to B2B exchanges with partners or used to improve the user experience when accessing external applications such as O365, GoogleApps and SalesForce.
  • A Mobile SSO solution secures access to the IT systems from mobile devices and mitigates the security risks associated with Bring Your Own Device.

The solutions are based on market software packages, open source components or in-house solutions. In most cases, the organization has to administer, maintain, operate, supervise and audit four separate environments to address very similar authentication needs.

Global SSO: a New Generation of SSO

There is another option: organizations can now benefit from a single common infrastructure to operate and supervise authentication and access. Global SSO operates a single administration interface to configure every instance of SSO, along with a single audit point providing traceability of all user access across all IT applications. This offers a potential holy grail for IT departments, with a 360° view of access to the IT systems.
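The value of the single audit point is easiest to see in code. Below is an added example, not from the article or any product it mentions, that takes records from four siloed SSO channels, each in its own constructed log format, normalises them into one schema and merges them into a single ordered trail. From that trail it builds the per-user view and runs one check that no individual silo could make on its own: a user who is refused access on several channels within a short window. The log formats, user names and application names are all constructed for the example.

```python
import json
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class AccessEvent:
    """Common schema that every SSO channel is mapped onto."""
    ts: datetime
    channel: str      # "esso", "wam", "federation" or "mobile"
    user: str
    resource: str
    allowed: bool


# Constructed sample records, one hypothetical log format per SSO channel.
ESSO_LINES = [
    "2024-03-01T08:02:11Z esso host=WS-0142 user=jdoe app=MainframeTSO result=inject_ok",
    "2024-03-01T08:31:40Z esso host=WS-0142 user=jdoe app=LegacyERP result=inject_failed",
]
WAM_LINES = [
    '10.0.0.5 - jdoe [01/Mar/2024:08:05:43 +0000] "GET /hr/payslips HTTP/1.1" 200 policy=hr-staff',
    '10.0.0.9 - asmith [01/Mar/2024:08:33:02 +0000] "GET /finance/ledger HTTP/1.1" 403 policy=finance-only',
]
FEDERATION_LINES = [
    '{"ts":"2024-03-01T08:07:02Z","type":"saml_assertion_issued","subject":"jdoe","sp":"urn:example:salesforce"}',
    '{"ts":"2024-03-01T08:35:10Z","type":"saml_authn_failed","subject":"asmith","sp":"urn:example:o365"}',
]
MOBILE_LINES = [
    "2024-03-01 08:09:30 UTC MOBILE device=ios-7f3a user=jdoe app=mail status=ALLOW",
    "2024-03-01 08:36:55 UTC MOBILE device=android-c21e user=asmith app=ledger status=DENY",
]

_ESSO_RE = re.compile(r"^(?P<ts>\S+) esso host=\S+ user=(?P<user>\S+) app=(?P<app>\S+) result=(?P<result>\S+)$")
_WAM_RE = re.compile(r'^\S+ - (?P<user>\S+) \[(?P<ts>[^\]]+)\] "\w+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')
_MOBILE_RE = re.compile(r"^(?P<ts>\S+ \S+) UTC MOBILE device=\S+ user=(?P<user>\S+) app=(?P<app>\S+) status=(?P<status>\S+)$")


def _utc(naive: datetime) -> datetime:
    return naive.replace(tzinfo=timezone.utc)


def _match(pattern: "re.Pattern[str]", line: str) -> "re.Match[str]":
    m = pattern.match(line)
    if m is None:
        raise ValueError(f"unrecognised record: {line!r}")
    return m


def parse_esso(line: str) -> AccessEvent:
    m = _match(_ESSO_RE, line)
    ts = _utc(datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"))
    return AccessEvent(ts, "esso", m["user"], m["app"], m["result"] == "inject_ok")


def parse_wam(line: str) -> AccessEvent:
    m = _match(_WAM_RE, line)
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")   # already timezone-aware
    return AccessEvent(ts, "wam", m["user"], m["path"], m["status"].startswith("2"))


def parse_federation(line: str) -> AccessEvent:
    rec = json.loads(line)
    ts = _utc(datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ"))
    return AccessEvent(ts, "federation", rec["subject"], rec["sp"], rec["type"] == "saml_assertion_issued")


def parse_mobile(line: str) -> AccessEvent:
    m = _match(_MOBILE_RE, line)
    ts = _utc(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"))
    return AccessEvent(ts, "mobile", m["user"], m["app"], m["status"] == "ALLOW")


def consolidate(esso, wam, federation, mobile) -> List[AccessEvent]:
    """The single audit point: every channel normalised and merged into one ordered trail."""
    events = ([parse_esso(l) for l in esso] + [parse_wam(l) for l in wam]
              + [parse_federation(l) for l in federation] + [parse_mobile(l) for l in mobile])
    return sorted(events, key=lambda e: e.ts)


def user_timeline(events: List[AccessEvent], user: str) -> List[Tuple[str, str, bool]]:
    """The 360-degree view for one user: (channel, resource, allowed) in time order."""
    return [(e.channel, e.resource, e.allowed) for e in events if e.user == user]


def cross_channel_denials(events: List[AccessEvent],
                          window: timedelta = timedelta(minutes=10)) -> Dict[str, FrozenSet[str]]:
    """Users refused access on two or more channels inside one window.

    Each product's own log shows only its own refusals; the merged trail exposes the pattern."""
    denials: Dict[str, List[AccessEvent]] = defaultdict(list)
    for e in events:
        if not e.allowed:
            denials[e.user].append(e)
    flagged: Dict[str, FrozenSet[str]] = {}
    for user, evs in denials.items():
        best: FrozenSet[str] = frozenset()
        for i, start in enumerate(evs):                    # evs inherit the global time order
            chans = frozenset(e.channel for e in evs[i:] if e.ts - start.ts <= window)
            if len(chans) > len(best):
                best = chans
        if len(best) >= 2:
            flagged[user] = best
    return flagged


if __name__ == "__main__":
    trail = consolidate(ESSO_LINES, WAM_LINES, FEDERATION_LINES, MOBILE_LINES)
    for channel, resource, ok in user_timeline(trail, "jdoe"):
        print(f"jdoe {channel:<10} {resource:<24} {'allowed' if ok else 'denied'}")
    print(cross_channel_denials(trail))
```

In the sample data the user asmith is refused on the web, federation and mobile channels within four minutes. Each product on its own would record a single, unremarkable denial; only the consolidated trail shows the three refusals as one event worth looking at. The same normalised schema is what makes a single administration and audit interface possible in the first place.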

We have worked with a large number of finance and public sector organizations, helping them make the transition to Global SSO. Many of them are now embracing this approach to reduce IT costs and to improve the security level of their IT systems.

Whether SSO is already in place or not is no longer an issue; Global SSO is seen as a way to reduce cost through the pooling of technology systems. Companies are recognizing that it is a more practical and complete way to develop IT systems for their users, while allowing for better auditability and increased security.

Before organizations start any SSO project, it is necessary to carefully consider the interdependencies of data, applications and devices. A Global SSO solution can not only cover the companies' short-term needs, but it can also become part of a long-term strategic access management approach, providing the right features in a scalable and iterative manner.
