Separating single sign-on myths from fact
by Geoff Webb - Director of Solution Strategy at NetIQ - Tuesday, 26 February 2013.
Single Sign On (SSO), the ability to authenticate only once and have automatic access to many systems, has many potential benefits ranging from lower IT overhead costs to increased end user convenience and even an increased level of data security that reduces overall organizational risk. Itís a powerful tool, which is why it is particularly of interest to CIOs in light of the increased number and severity of data breaches occurring around the globe Ė many of which are caused by inappropriate access to vital business data.

Yet despite the renewed level of interest in SSO, there are a number of myths that persist regarding the technology, how it works and how it is best used to provide business value. Here are four myths about SSO that in my experience persist among enterprise and government CIOs.

First, a baseline understanding of what SSO does

To first understand SSO, letís establish a few baseline concepts about how SSO can help simplify IT operations and increase security.

Single sign-on is an approach that simplifies the management of access to more and more services by a growing constituency of users Ė users within your environment, that you know, and want to make as productive as possible. It allows you to manage access based on parameters Ė be it time of day, location, device used to access data or other parameters. This allows you to enable internal users to access what they need when they need it Ė no more and no less access than that required to do the job efficiently. It also simplifies removing access from a broad range of services quickly when necessary.

The right approach to SSO, enables organizations to build controls around the concept of identity. Thatís important, because with the current rate of rapid changes in where the data resides, how it is accessed and where it is accessed from, user identity is often the only constant. Therefore, organizations must build their thinking around the processes of providing access and simplify the management of identity because these will enable them to meet the challenges of an increasingly complex and interconnected business environment. How do you simplify this process? Single sign-on is one solution.

Myth #1: SSO is password synchronization

Some IT professionals label the process of synchronizing username and password across applications as single sign-on; meaning there is one username and password that is synchronized across applications. The truth is that this is a relic of the early years of distributed computing, before true SSO solutions arrived on the market. This old (and frankly, crude) solution to the problem of multiple usernames and passwords provides only some convenience but fails to deliver greater compliance, administration or security benefits. Fortunately, however, modern solutions have phased out this approach, and now offer far more integrated and seamless functionality with tighter security controls as well as a far better audit trail than mere password synchronization could ever provide.

Myth #2: In SSO environments, users still enter their passwords and/or know the actual credential that is passed onto the application

Somewhat related to Myth #1, this misconception assumes that SSO provides no automation but rather is just passes through whatever the user enters. Not true, as this approach would provide little convenience with almost no security or compliance benefits! The truth is that SSO solutions provide authentication automation for each application accessed. Once the users have logged into their SSO solution, it automates the process of providing each application with a set of credentials for the user and ensures that the granular access policies for each application are applied. The SSO solution can also provide a detailed audit trail and centralized control over application access in the event of a security incident.


Harnessing artificial intelligence to build an army of virtual analysts

PatternEx, a startup that gathered a team of AI researcher from MIT CSAIL as well as security and distributed systems experts, is poised to shake up things in the user and entity behavior analytics market.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Thu, Feb 4th