The shortcomings of single sign-on in the age of information security

Matos Kapetanakis
Yeep blog
Jan 19, 2018

Why is it so difficult for companies to properly manage employee access to the online tools and services they are using? This article will walk you through the challenges that companies face when it comes to managing employee access, present the most common solutions, and give you an idea of why we need to take a step further than single sign-on.

Managing user access via Excel — Band-Aid on a gunshot wound

Let’s build a simple scenario: a small (by US standards) company of 100 people uses, at the very least, around 20 cloud services — some of the most common being Google G Suite, Dropbox, Salesforce, Microsoft Office 365, AWS, Slack, WebEx, Box, Yammer, and others. Each of the 100 employees has (or should have) access to different services based on their role, with different access levels (e.g. admin, user), and, to complicate matters further, may only need access to part of a service (e.g. a single Dropbox folder or Slack channel). Our fictitious company maintains all this information in an Excel sheet, which makes it hard to ensure the information is up to date and accurate. Admins may forget to record changes or simply not be aware of them, and the workflow can be hard to follow. If this company handles sensitive information, such as financial data or personal client data, there is a strong chance that it can be accessed by unauthorized employees.

There are existing US, EU, and international standards around privacy and the control of access to sensitive information, which make it imperative to be able to monitor access levels. The EU is rolling out GDPR in May 2018, a data protection regulation that will have a major impact on how companies deal with identity and access management, among other things. So, how can our 100-person company hope to comply with all these laws and regulations, when it can hardly keep track of which employee has access to which cloud service? Enter identity providers (IdP) — also known as single sign-on (SSO) providers.

The market landscape

There are quite a few single sign-on providers out there; market research company Gartner includes 15 vendors in its ‘Access Management’ Magic Quadrant: Atos (Evidian), CA Technologies, Centrify, Covisint, ForgeRock, IBM, i-Sprint Innovations, Micro Focus, Microsoft, Okta, OneLogin, Optimal IdM, Oracle, Ping Identity, SecureAuth. We’ll focus on Okta, Azure AD, Ping Identity, Centrify, OneLogin, and G Suite, as they are, arguably, the best-known ones.

In the table below, you can see a breakdown of some of the core features of SSO providers, and how the providers compare with each other in terms of these features.

SSO

SSO allows users to sign in to the single sign-on provider once and access any connected cloud or other service. This is the common denominator among all these providers — but the implementation can differ from one to the next.

SCIM

SCIM allows you to provision and deprovision users in your cloud services via the SSO provider, i.e. managing users directly on the provider’s platform rather than through each individual service.

Provision users in batches

Onboarding users into multiple cloud services in a single step. This typically works by creating a “group” or “role” in the SSO platform and then granting access to multiple cloud services in one go. It does not mean managing permissions inside the services, merely creating a new user in each of them.
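The SCIM provisioning and group-based batch onboarding described in the two features above, as an added example that is not code from the article or from any SSO vendor. It shows the SCIM 2.0 request bodies an identity provider sends to each service to create and deactivate a user, and a group-to-application mapping that turns one onboarding call into a request per service. ScimTarget is an in-memory stand-in for a service’s /Users endpoint; the app names, group mappings and user details are constructed for the example.

```python
"""Added example, not code from the article or from any SSO vendor: the SCIM 2.0
message shapes an identity provider sends to each cloud service to provision
and deprovision a user, plus the group-to-application mapping that turns one
onboarding step into a request per service. ScimTarget is an in-memory stand-in
for a service's /Users endpoint; app names and group mappings are constructed."""
import json

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed: the services each group grants an account on. As the article
# notes, this creates accounts; it says nothing about folder or channel rights.
GROUP_APPS = {
    "sales": ["salesforce", "slack", "dropbox"],
    "engineering": ["aws", "slack", "github"],
}


def create_user_request(user_name, given, family, email):
    """Body of POST /Users (RFC 7644 section 3.3) as the IdP would send it."""
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "userName": user_name,
        "name": {"givenName": given, "familyName": family},
        "emails": [{"value": email, "primary": True}],
        "active": True,
    }


def deactivate_request():
    """Body of PATCH /Users/{id} (RFC 7644 section 3.5.2) that deactivates the
    account; services commonly treat active=false as deprovisioning."""
    return {
        "schemas": [SCIM_PATCH_SCHEMA],
        "Operations": [{"op": "replace", "path": "active", "value": False}],
    }


class ScimTarget:
    """Minimal stand-in for one cloud service's SCIM /Users resource."""

    def __init__(self, name):
        self.name, self.users, self.log = name, {}, []

    def post_user(self, body):
        user_id = f"{self.name}-{len(self.users) + 1}"  # service-assigned id
        self.users[user_id] = dict(body, id=user_id)
        self.log.append(("POST", "/Users", body["userName"]))
        return user_id

    def patch_user(self, user_id, body):
        for op in body["Operations"]:
            if op["op"] == "replace" and op["path"] == "active":
                self.users[user_id]["active"] = op["value"]
        self.log.append(("PATCH", f"/Users/{user_id}", "active"))


class IdentityProvider:
    """The SSO/IdP side: one onboarding call fans out to every app in the
    user's groups; one offboarding call deactivates all of them."""

    def __init__(self, group_apps):
        self.group_apps = group_apps
        all_apps = {app for apps in group_apps.values() for app in apps}
        self.targets = {app: ScimTarget(app) for app in all_apps}
        self.assignments = {}  # userName -> {app: service-side user id}

    def onboard(self, user_name, given, family, email, groups):
        body = create_user_request(user_name, given, family, email)
        apps = sorted({app for g in groups for app in self.group_apps[g]})
        ids = {app: self.targets[app].post_user(body) for app in apps}
        self.assignments[user_name] = ids
        return ids

    def offboard(self, user_name):
        for app, remote_id in self.assignments.get(user_name, {}).items():
            self.targets[app].patch_user(remote_id, deactivate_request())
        return sorted(self.assignments.get(user_name, {}))

    def active_accounts(self, user_name):
        """Which services still hold an active account for this user."""
        return sorted(app for app, rid in self.assignments.get(user_name, {}).items()
                      if self.targets[app].users[rid]["active"])


if __name__ == "__main__":
    idp = IdentityProvider(GROUP_APPS)
    print(json.dumps(create_user_request("jdoe", "Jane", "Doe", "jdoe@example.com"), indent=2))
    idp.onboard("jdoe", "Jane", "Doe", "jdoe@example.com", ["sales"])
    print("active after onboarding:", idp.active_accounts("jdoe"))
    idp.offboard("jdoe")
    print("active after offboarding:", idp.active_accounts("jdoe"))
```

The point worth noticing is the asymmetry the article describes: onboarding and offboarding happen in one place and fan out to every service, but the only thing that travels over SCIM is the account itself (userName, name, active). Which Dropbox folder or Slack channel the account may touch is still configured inside each service.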

Privileged identity management

Creates temporary admin roles instead of permanent ones, in order to reduce the attack surface of your infrastructure.

Dynamic access policies

Allows access to the SSO platform only when users match specific criteria, e.g. making sure users can only access your cloud services from a specific IP range or geographical area, allowing access within working hours (and blocking it during the night), fingerprinting and whitelisting specific devices, etc.
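The dynamic access policies just listed, as an added example (not any vendor’s policy engine): a small evaluator that checks a sign-in attempt against an allowed source network, a working-hours window and an enrolled-device list, and reports every condition that failed. The policy shape, the CIDR range and the device fingerprints are constructed for the example.

```python
"""Added example, not any vendor's policy engine: evaluating the dynamic access
policies described above (allowed source networks, working hours, enrolled
device fingerprints) against a sign-in attempt. Policy shape, CIDR ranges and
fingerprints are constructed for this example."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass
class SignInContext:
    user: str
    source_ip: str
    device_fingerprint: str
    when: datetime  # local time at which the attempt arrives


@dataclass
class AccessPolicy:
    allowed_networks: list[str] = field(default_factory=list)  # CIDR strings; empty = any
    working_hours: tuple[int, int] = (8, 18)                   # [start, end) hour of day
    allowed_devices: set[str] = field(default_factory=set)     # enrolled fingerprints; empty = any


def evaluate(policy: AccessPolicy, ctx: SignInContext) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). Every failing condition is reported rather
    than stopping at the first, so an admin reviewing a denial sees them all."""
    reasons: list[str] = []
    ip = ip_address(ctx.source_ip)
    if policy.allowed_networks and not any(ip in ip_network(n) for n in policy.allowed_networks):
        reasons.append(f"source {ctx.source_ip} is outside the allowed networks")
    start, end = policy.working_hours
    if not start <= ctx.when.hour < end:
        reasons.append(f"attempt at {ctx.when:%H:%M} is outside {start:02d}:00-{end:02d}:00")
    if policy.allowed_devices and ctx.device_fingerprint not in policy.allowed_devices:
        reasons.append(f"device {ctx.device_fingerprint} is not enrolled")
    return not reasons, reasons


# Constructed policy: office network (203.0.113.0/24 is a documentation range),
# 08:00-18:00, two enrolled laptops.
OFFICE_POLICY = AccessPolicy(
    allowed_networks=["203.0.113.0/24"],
    working_hours=(8, 18),
    allowed_devices={"fp-laptop-001", "fp-laptop-002"},
)


if __name__ == "__main__":
    attempts = [
        SignInContext("alice", "203.0.113.5", "fp-laptop-001", datetime(2018, 1, 19, 10, 0)),
        SignInContext("alice", "198.51.100.7", "fp-laptop-001", datetime(2018, 1, 19, 10, 0)),
        SignInContext("bob", "198.51.100.7", "fp-unknown", datetime(2018, 1, 19, 2, 30)),
    ]
    for ctx in attempts:
        allowed, reasons = evaluate(OFFICE_POLICY, ctx)
        print(ctx.user, "ALLOW" if allowed else "DENY", "; ".join(reasons))
```

Note that the decision is made at the door of the SSO platform: it says nothing about what the user does inside the connected services once the sign-in is allowed, which is the gap the rest of the article is about.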

From the list of core features above, we can see that SSO providers do a great job at creating new users and providing them with easy access to a company’s cloud services — but they do little in terms of granularity of access and helping manage user authorizations.

SSO is the beginning of the journey, not the destination

The company of tomorrow will need to maintain a minutely detailed map of all its online resources, who has access to them, and what kind of access each person has. Think of a company like a secure building — an SSO provider opens the door to the right users, but it doesn’t give you any insight into what happens after someone walks in. Following our building analogy, what’s missing are services that let you know exactly which room, or even which desk, each user should have access to.

Many large, medium, or even small companies find themselves holding more licenses to a cloud service than they need, simply because access has been purchased by different people or departments and there’s no centralised management system to coordinate them. At the same time, employees may request access to an online tool or service which they shouldn’t have access to, or they may be given much broader clearance than they should — e.g. asking for access to a specific Dropbox file and being given permission to access the entire folder, which may contain sensitive info. Another example of unauthorized access often arises when employees leave the company but keep access to many of the services they used, simply because nobody is fully aware of all of them and nobody thought to revoke them. There are many instances in which this kind of blind spot has led to critical security breaches — even tech giants like Amazon are not covered against it, as was evident from the AWS breach a few months ago.
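An added example, not from the article, tying the Excel-sheet scenario from the start of the piece to the failure modes just described: it reconciles a roster of who is entitled to what (the spreadsheet) against the accounts each cloud service actually reports, and flags departed employees still provisioned, accounts nobody approved, scope broader than what was requested (a whole Dropbox folder instead of one file, admin instead of user), and roster entries with no matching account. The roster, HR statuses and service exports are constructed sample data.

```python
"""Added example, not from the article: reconciling an access roster (the Excel
sheet of the scenario) against the accounts each cloud service actually reports,
to surface the problems described above: departed employees still provisioned,
grants nobody approved, and scope broader than what was requested. Roster and
service listings are constructed sample data."""
from collections import namedtuple

Grant = namedtuple("Grant", "user service scope level")  # one row of access

# Constructed roster: HR status plus the access each person is entitled to.
EMPLOYEES = {"alice": "active", "bob": "active", "carol": "left"}
ENTITLED = {
    Grant("alice", "dropbox", "/finance/q4-report.xlsx", "user"),
    Grant("alice", "slack", "#finance", "user"),
    Grant("bob", "aws", "prod-account", "user"),
    Grant("bob", "slack", "#eng", "user"),
}
# Constructed export from each service's admin console (what really exists).
ACTUAL = {
    Grant("alice", "dropbox", "/finance/", "user"),   # whole folder, not one file
    Grant("alice", "slack", "#finance", "user"),
    Grant("bob", "aws", "prod-account", "admin"),     # admin instead of user
    Grant("carol", "salesforce", "all", "user"),      # carol has left the company
    Grant("dave", "dropbox", "/hr/", "user"),         # nobody on the roster
}
LEVEL_RANK = {"user": 0, "admin": 1}


def scope_covers(actual_scope, entitled_scope):
    """True if the actual scope is at least as broad as the entitled one.
    For path-style scopes a folder (trailing slash) covers everything under it."""
    if actual_scope == entitled_scope:
        return True
    return actual_scope.endswith("/") and entitled_scope.startswith(actual_scope)


def reconcile(employees, entitled, actual):
    """Return (kind, grant) findings; kinds are unknown_user,
    departed_still_provisioned, broader_than_entitled, unapproved, missing."""
    findings = []
    for g in sorted(actual):
        status = employees.get(g.user)
        if status is None:
            findings.append(("unknown_user", g))
            continue
        if status != "active":
            findings.append(("departed_still_provisioned", g))
            continue
        same = [e for e in entitled if (e.user, e.service) == (g.user, g.service)]
        if any(e.scope == g.scope and e.level == g.level for e in same):
            continue  # exactly what the roster says
        if any(scope_covers(g.scope, e.scope) and LEVEL_RANK[g.level] >= LEVEL_RANK[e.level]
               for e in same):
            findings.append(("broader_than_entitled", g))
        else:
            findings.append(("unapproved", g))
    # Roster entries with no corresponding account: the sheet is stale the other way.
    for e in sorted(entitled):
        if employees.get(e.user) == "active" and not any(
                (a.user, a.service) == (e.user, e.service) and scope_covers(a.scope, e.scope)
                and LEVEL_RANK[a.level] >= LEVEL_RANK[e.level] for a in actual):
            findings.append(("missing", e))
    return findings


if __name__ == "__main__":
    for kind, grant in reconcile(EMPLOYEES, ENTITLED, ACTUAL):
        print(f"{kind:28} {grant.user:6} {grant.service:11} {grant.scope} ({grant.level})")
```

Run against the sample data this reports five findings: alice’s folder-wide Dropbox grant and bob’s AWS admin role as broader than entitled, carol’s Salesforce account as belonging to someone who has left, dave’s Dropbox access as a user the roster never heard of, and bob’s missing Slack channel. The review still depends on exporting a current listing from every service, which is exactly the work the article says a spreadsheet cannot keep up with.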

Information security is becoming a must for every single company, from the largest enterprise to the smallest startup. Security doesn’t just mean protecting your critical infrastructure from hackers, but also building the processes that will ensure each employee has access to the resources, data, or information that they need — no more, and no less. The advent of GDPR in Europe will ensure that all companies are compliant with data protection and privacy regulations and best practices, and online asset management (i.e. mapping which employees have access to which online services) is an important first step towards compliance.

Introducing Authorization-as-a-Service

The next logical step after SSO is Authorization-as-a-Service — essentially a centralised system that maps employee access to a company’s resources on a granular level, and manages their authorization requests in a way that minimises security exposure. At the same time, this new generation of service should facilitate user authorization, while helping admins remain conscious of potential security threats.

This article was first published on Enterprise CIO https://www.enterprise-cio.com/news/2018/jan/05/shortcomings-single-sign-age-information-security/

Matos Kapetanakis

Business strategist and technology enthusiast — interested in all things digital