My company, like most, has been letting go of on-premise corporate applications in favor of cloud-based alternatives for quite a while now. Still, it wasn’t until last week that it really came home to me how thoroughly committed to the cloud we now are.
The occasion for this eye-opener was a meeting with our CIO and his IT team, who were preparing to investigate single sign-on (SSO) for the company and wanted my input on requirements and vendor selection.
At Issue: The company is contemplating SSO to make it easier for users to access myriad cloud-based applications.
Action Plan: Anticipate any security problems that SSO could bring and try to head them off.
When your employees have to sign on to just about every application they use in the course of getting their work done, SSO starts to make a lot of sense. As a matter of fact, we’re still using just two on-premise corporate applications: one to manage our source code, and a collaboration software package that our engineers use to track product road map changes. Everything else, from email to sales and marketing to our financial and accounting software, is all cloud-based now. We even migrated a password vault to the cloud. When you count them all up, we have about 20 corporate applications (that we know about) in the cloud, and that means 20 different passwords to remember.
So, yes, SSO makes sense. But it also scares me to death.
Which isn’t to say that it won’t help in the areas of security and compliance. Because our cloud initiatives were often undertaken not by the IT team but by various departments, we have the marketing team administering its own application, the HR team managing the performance management application, and so on. This decentralization has resulted in many departed employees retaining access to some of our cloud applications. SSO can help resolve that sort of problem.
But if not deployed properly, SSO can cause a company more harm than good. What makes it so convenient for users — just one password for all SSO-enabled applications — is also what can make it a threat. You log onto your PC in the morning, and that authentication extends to all the corporate applications you need. Wonderful! Except that the same holds true for any hacker who gets a hold of your credentials. Not wonderful at all!
A directory service such as Microsoft Active Directory, which we use, can help. Active Directory streamlines account management, providing one place to configure an employee and one place to remove or disable any employee who departs or no longer needs access. Ideally, once an employee’s identity is created, the accounts, services and roles are enforced within Active Directory, and associated accounts are created for the various applications that employee needs to access (and only those applications), both on-premises and in the cloud. This doesn’t always work, however, because not all applications integrate with Active Directory, and some don’t support SSO at all, whether through SAML (Security Assertion Markup Language) or some other direct integration or synchronization. When that happens, an employee can bypass SSO entirely and browse directly to the application.
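One check that addresses both problems described above, the departed employees who still hold access to department-run cloud applications and the applications that let users sign in outside SSO, is to reconcile each application’s user list against the directory. The script below is an added example, not the column’s own code; the directory export format, the application user lists and every account in them are constructed sample data.

```python
"""Reconcile SaaS user lists against the corporate directory.

Added example, not the column's own code. Given a directory export and the
user list pulled from each application's admin console, it reports accounts
whose directory identity is disabled or missing, and local-password accounts
in applications that were meant to be SSO-only. All data is constructed."""

def reconcile(directory, apps, sso_enforced):
    """directory: {mail: enabled?}; apps: {app: [(mail, auth)]} where auth is
    "sso" (federated) or "local" (application password); sso_enforced: set of
    app names that should accept federated logins only.
    Returns sorted (app, mail, issue) tuples."""
    findings = []
    for app, users in apps.items():
        for mail, auth in users:
            mail = mail.lower()  # admin-console exports use mixed case
            if mail not in directory:
                findings.append((app, mail, "no matching directory identity"))
            elif not directory[mail]:
                findings.append((app, mail, "directory account disabled, app access remains"))
            if app in sso_enforced and auth == "local":
                findings.append((app, mail, "local password login bypasses SSO"))
    return sorted(findings)

# Constructed sample data: bob has left the company (disabled in the directory),
# dave was never in the directory, and marketing runs its own application.
DIRECTORY = {"alice@example.com": True, "bob@example.com": False, "carol@example.com": True}
APPS = {
    "crm": [("alice@example.com", "sso"), ("Bob@example.com", "sso"), ("dave@example.com", "local")],
    "hr": [("carol@example.com", "sso"), ("alice@example.com", "local")],
    "marketing": [("bob@example.com", "local")],  # SSO never wired up here
}
SSO_ENFORCED = {"crm", "hr"}

if __name__ == "__main__":
    for app, mail, issue in reconcile(DIRECTORY, APPS, SSO_ENFORCED):
        print(f"{app:10} {mail:18} {issue}")
```

Running it on the sample data lists bob’s leftover access in two applications, dave’s account with no directory identity, and the local-password logins that sidestep SSO in the two applications that were supposed to enforce it.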