The struggle to reach “Password Unification”
At Glasswall we use a wide range of technologies available to us, from the more standard tech like Office 365 and Amazon Web Services, to the more specific tech like Datadog and Ngrok, but trying to remember a password for each and every application is a nightmare!
Sure, you can save passwords in places like Google Chrome or a tool like LastPass, but what if you’re on a different PC, or using a different browser?
And then there is Two or Multi Factor Authentication: what happens if you haven’t got your phone, or have lost your recovery codes?
The obvious answer is to implement Single Sign On, but this isn’t without its own challenges.
Companies like Microsoft and Amazon have tried to make it as easy as possible by doing a lot of the legwork for administrators, creating the applications to implement and useful instruction guides which take you through the process step by step, for example the Jira and AWS SSO instructions.
This unfortunately brings new challenges. For a start, which is the right Single Sign On provider for me?
We have deep roots in Microsoft’s Azure, utilizing a lot of their technologies like Azure DevOps, Azure Functions, and the more run-of-the-mill tech like resource groups and storage blobs.
We also have made a big push on utilizing Amazon Web Services, taking full advantage of Lambdas, API Gateway, and S3, among a lot of others, and have about 8 accounts (instances) and growing.
We decided to go for a mixed approach, using Azure Active Directory as our source of truth, using Azure SSO, and then pulling our users and groups into AWS SSO. This allows us to provide user access to specific AWS Accounts, but unfortunately this doesn’t solve our issue of other technologies.
Take GitHub as an example: a company owned by Microsoft that also integrates well with Azure Active Directory as its identity provider. If we want to implement SAML SSO we need to upgrade to GitHub Enterprise, at a cost of $21 per user per month, more than double!
Slack is another example. A company that works well with pretty much everyone thanks to its wealth of APIs and integrations only lets you use Google’s OAuth for its SSO integrations unless you upgrade to the Plus tier, which allows you to use a range of different identity providers at a cost of almost, but not quite, double the amount.
If you decide not to pay the premium for security then you only have two options: keep an account for each person and each technology, or create a lot of fragmentation and tech debt by implementing SSO from Microsoft, AWS, Google, OneLogin, Okta, and many more.
From an IT administrator’s point of view, the former is unsustainable. Every time a user joins or leaves the company, moves teams, changes role, etc., the IT team would need to log into dozens of portals removing and adding accounts as necessary, and updating permissions.
The latter, on the other hand, whilst a viable option, is unnecessarily complex and difficult to maintain: which application lives on which platform? Are changes being replicated? And so on.
I have discovered the website The SSO Tax Wall Of Shame by Rob Chahin, which helps to detail the mark-up that around 45 companies impose whilst holding SSO to ransom, with one company having a 6300% premium on implementing SSO:-
SSO Tax puts forward that:-
“If companies claim to “take your security seriously”, then SSO should be available as a feature that is either:
- part of the core product, or
- an optional paid extra for a reasonable delta, or
- attached to a price tier, but with a reasonably small gap between the non-SSO tier and SSO tiers.
Many vendors charge 2x, 3x, or 4x the base product pricing for access to SSO, which disincentivizes its use and encourages poor security practices.”
Whilst it is understandable that companies may charge a premium for SSO, they should be offering this as a standalone service, maybe at just an extra dollar or two per month, rather than bundled inside higher tiers with features that won’t be used, or even looked at.
Thanks for reading!
SSO Tax Wall Of Shame — https://sso.tax
Rob Chahin — https://twitter.com/robchahin