September 2, 2015
Singe Sign-on: Improving Security In the Cloud
Once upon a time, back in the days when there was hardly a cloud in the digital sky, the average user of computers only ever had to ‘sign-in’ once per day – and this was largely for the purposes of accessing a Windows environment. However, in the modern world of all-things-internet, with cloud computing and mobile devices abound, the average user now has to ‘sign-in’ to probably anything between 5 and 50 online applications or web sites every single day.
For this reason, many users prefer to activate the ‘stay signed in’ option on these sites and apps where available, to improve the convenience of working (or playing) on the web.
Even so, the tendency amongst individuals – be they casual internet surfers at home or professionals using the web in an office environment – is to use the exact same login credentials (i.e. usernames and passwords) to sign up for and into pretty much every site or application that they access. And this is certainly understandable. It can be terribly difficult to remember any more than 1 or 2 passwords – and when we might have as many as 10, 20, 30, 40 or 50 accounts registered, it is simply an impossible task memorize different passwords for all of them – let alone remember which one is assigned to which account.
And so, users often just stick to one that they can remember, and be done with it – despite the obvious security risks that this practice comes with.
Of course, certain technology solutions have been devised in order to work around this problem. Password managers, for instance, are of course very useful in this instance – especially for private and individual users. But when it comes to protecting company information in a secured and consistent way, something else needs to be done.
Single Sign-On (SSO)
Firstly, what is SSO?
The best way to think about SSO is in terms of something like Google.
Google Apps uses SSO. With just one username and password, you can sign on to everything that is available from Google – YouTube, Google+, Drive, Docs, Gmail and all the rest.
Put simply, SSO is an advanced authorization and authentication access control method that’s normally used in environments where users access multiple applications everyday. Google uses it, and so does the likes of Facebook, PayPal, Yahoo and Microsoft. These all of course run huge, disparate sites that serve millions and even billions of people every single day around the globe – and with SSO, users can access them all at once.
However, whilst SSO is perhaps most often associated with web 2.0 sites, it’s actually a very good tool to use in the enterprise.
Centralization And Active Directory
Since the cloud has come along, many companies have chosen to migrate some or all of their IT needs to a cloud-based solution. Google Apps is a good case in point here, actually. Most new start-ups now wouldn’t dream of equipping every computer in the office with a native Microsoft Office suite (though they might consider Office 365 – the cloud solution), since the free office suite available from Google is more than substantial for crafting any document that they may want – and it’s free and all files are stored safely away in the cloud.
However, for companies that are more than, say, 4 years old – it’s almost guaranteed that they will have begun life without the cloud providing for them many of the conveniences and securities that it does for so many companies today.
And if we go back further – another 10-15 years – then many organizations from then which are still around today will have been using Microsoft’s Active Directory to organize their company’s network, files and access.
Understanding The Benefits Of Active Directory
Active Directory has stood the test of time because of its relative simplicity in the organization of a lot of inherently disorganized data. Here’s how it’s explained on the Microsoft website:
“A directory, in the most generic sense, is a comprehensive listing of objects. A phone book is a type of directory that stores information about people, businesses, and government organizations. Phone books typically record names, addresses, and phone numbers. Active Directory is similar to a phone book in several ways, and it is far more flexible. Active Directory will store information about organizations, sites, systems, users, shares, and just about any other network object that you can imagine. Not all objects are as similar to each other as those stored in the phone book, so Active Directory includes the ability to record different types of information about different objects.”
One of the great things about Active Directory is SSO. Not only has the service been instrumental in improving the security of many organizations for many years – a feat it has achieved largely due to the centralization of control – but SSO has always made and continues to make user access and authentication a much more streamlined process.
Chris E. Avis on the TechNet blog explains the uses and benefits of Active Directory thoroughly but nonetheless succinctly:
“Active Directory on-premise is the means by which we authenticate and authorize users when the logon to a workstation, when they attempt to run an application, when the attempt to access a local web based portal, and even when they attempt to connect to a mail server to send/receive email. Active Directory contains objects that define the user, any groups they are a member of, and what rights and permissions they have as a user or members or a groups or groups.
“One of the primary benefits of Active Directory is Single Sign-On. Because of the centralized administration and the organization of all AD objects with a single forest (and through the use of trust relationships), a user can logon to their workstation once at the beginning of a work day, and never be presented with additional user ID and password prompts. This makes for a more [seamless] experience for end-users while unifying the security contexts and control for administrators.
“The key thing to understand here is that Active Directory Domain Services was developed for and is primarily used for managing on premise resources. These are resources and objects that are typically 100% under the control of company administrators. As the industry continues to shift to a more cloud based model, we need to extend Active Directory into the cloud.”
SSO In The Cloud
Avis’s last point is the most pertinent here. With so many businesses now migrating to the cloud – and with literally thousands that have been born in the cloud – there is now a slowly prevailing attitude that centralization can be done away with.
However, this is a danger to businesses for 2 main reasons – regulatory compliance and security.
Let’s talk security first.
Is SSO Secure?
There exists a common misconception that because SSO only requires one username and one password to provide wholesale access to multiple sites and applications, then it must come with a substantial risk.
Undeniably, if a malicious individual should be able to acquire a user’s SSO credentials then all applications protected by them will be open and vulnerable. However, that is a rather reductive oversimplification of the matter. In fact, common sense kills this argument against SSO down dead in an instance.
Think about it – as discussed above, users will often use a single password when signing up to many, many sites and applications anyway. However, when doing so, they will often sign up to some that are decidedly insecure as compared to others. This means that some of these sites will be very easily hacked – and with that information in hand, the hacker can just simply take a leisurely stroll around the web, signing into as many accounts as possible using the easily-hacked and remembered username and password.
Sometimes, however, people will go to the trouble of remembering different passwords for many different sites. However, they will still use the same email address for each one – which means that if a hacker got into the user’s email, it would be pretty simple to just request password resets for each and every account.
With SSO on the other hand, as the Jscape blog explains: “all authentication processes and elements are handled by the identity provider. Many of these providers (e.g. Google, Yahoo!, AOL, Salesforce) are large and reputable organizations who have the means and motivation to establish really strong security. Thus, it would be extremely difficult for a cybercrook to acquire your login credentials from there.”
With SSO, it will be much easier to ensure that your employees are first of all using strong passwords – since they will only be required to remember a single one. Secondly, it will also encourage them to use various security applications – a secure file transfer system, for instance, which protect the transmissions of sensitive data.
Such things are currently much underutilized by companies, simply because end users find them too complicated, and so find a workaround instead. This, obviously, is very detrimental to your overall security – but onboarding end users is an absolute must with all software and applications that you use. As such, SSO will help no end as it will aid employees in adhering to your security policies.
Active Directory was great – but it is of course dated now. Which is why Microsoft has developed Microsoft Azure Active Directory FS, which brings all of the great things about Active Directory into the cloud.
With modern companies moving away from Active Directory, users now have separate passwords for computer, email, Dropbox, Box, SalesForce and so on and so on and so on. Needless to say this is an absolute nightmare to manage all of these passwords for both companies and users – and indeed feels like a step backwards rather than forwards.
And this is why Microsoft Azure Directory – and other similar solutions like Okta, for example – are so brilliant. For they bring back centralization through the use of SSO, and that is invaluable in terms of security and ease of use for end users.