I’m also wary about going with an SSO service that offers an application portal, which gives employees point-and-click access to all the appropriate corporate applications and even personal applications, such as banking, Amazon and eBay. No need to remember passwords for any of them, or even to bookmark them. For employees who travel or work from home frequently, it’s a great feature. I, however, always see danger when I think about employees using public PCs at an Internet kiosk or hotel lobby; if they don’t log off properly and leave that portal up, anyone could get access to sensitive corporate information. For that reason, I would want the login to such a portal to be protected by two-factor authentication and encryption. And the inactivity and session timeouts need to be set to mitigate the risk that arises when a user walks away from an untrusted public PC.
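One way to enforce the controls just described (a second factor at login plus inactivity and absolute session limits), as an added example that is not from the original column; the timeout values and the `PortalSession` fields are assumptions, not any vendor's implementation:

```python
# Added example (not from the original column): idle and absolute session
# timeouts for an SSO application portal, plus a check that the session was
# established with two-factor authentication. Timeout values are assumptions.
from dataclasses import dataclass

IDLE_TIMEOUT_SECONDS = 15 * 60       # assumed: end session after 15 min without activity
ABSOLUTE_TIMEOUT_SECONDS = 8 * 3600  # assumed: force re-authentication after 8 h regardless


@dataclass
class PortalSession:
    user: str
    created_at: float    # epoch seconds when the user authenticated
    last_seen: float     # epoch seconds of the most recent request
    mfa_verified: bool   # second factor completed at login


def session_state(session: PortalSession, now: float) -> str:
    """Classify a session at time `now`.

    Returns "active", or the reason the portal must force a fresh login:
    "mfa_required", "expired_absolute" or "expired_idle".
    The absolute limit is checked first so a busy user cannot keep a
    session alive indefinitely by clicking.
    """
    if not session.mfa_verified:
        return "mfa_required"
    if now - session.created_at >= ABSOLUTE_TIMEOUT_SECONDS:
        return "expired_absolute"
    if now - session.last_seen >= IDLE_TIMEOUT_SECONDS:
        return "expired_idle"
    return "active"


def touch(session: PortalSession, now: float) -> bool:
    """Record activity on an active session; return False if it must be
    rejected (the caller should destroy the cookie and redirect to login)."""
    if session_state(session, now) != "active":
        return False
    session.last_seen = now
    return True


if __name__ == "__main__":
    # Constructed scenario: user authenticated with MFA at t=0 on a kiosk,
    # last clicked at t=600 s, then walked away without logging off.
    s = PortalSession("alice", created_at=0.0, last_seen=600.0, mfa_verified=True)
    print(session_state(s, 1200.0))   # active: only 10 min idle
    print(session_state(s, 1501.0))   # expired_idle: more than 15 min since last click
```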
Finally, in choosing an SSO vendor, whether cloud or on-premises, we’ll need to conduct appropriate due diligence, since we will be entrusting credentials and availability of the service to a third party.
As we progress, I’ll be putting together a complete set of security requirements and due diligence questions for a potential vendor.