If you’re not using Single Sign-On (SSO), one password gets you into one of your apps and a different password gets you into another – that’s assuming you use good password practices in the absence of SSO. With SSO deployed, one password will get you into all of your applications, which is much more practical in an environment where multiple cloud apps are accessed both on site and via mobile device.
But SSO aggregates risk. If your SSO credentials are compromised, all the applications and data you’re authorized to access can become vulnerable in one fell swoop.
How then can you reconcile the convenience and risk associated with SSO? The short answer is strong authentication. Strong authentication comes in many different forms, but usually involves requiring the user to provide something they have (e.g. a code on a SecurID token) or something they are (e.g. a fingerprint) as proof of their identity.
Strong authentication is not the complete solution, however. End users will not want to perform strong authentication when they are accessing only low-risk applications during a given login session. So an SSO system must be able to enforce ‘tiered SSO’ – where an administrator can define different authentication requirements for different applications.
First you need to determine which applications pose little or no risk if compromised, and which represent a high security risk if accessed by an unauthorized user.
Once low-risk and high-risk applications have been identified, the next step is to implement tiered SSO services. This involves creating SSO security policies to assign risk-appropriate authentication requirements based on the sensitivity of each application and the data it is used to access.
For example, users may be allowed to access email and business productivity applications via SSO with their corporate username and password login. However, when attempting to access sensitive applications like financial, ERP, HR, treasury or payroll systems, they are challenged for a stronger or secondary form of authentication.
The proliferation of cloud apps and services has put a spotlight on SSO. Companies need to be aware that a compromised employee password potentially opens up unauthorized access to every service.
Because SSO aggregates risk behind one set of login credentials, we need to make sure those credentials have the appropriate level of security associated with them. That’s why we believe SSO will ultimately be the “killer app” that strong authentication vendors have been waiting for all along.