On a typical day, employees log into a myriad of software programs, from email to benefits systems, and other applications designed to simplify daily tasks. Remembering all of the usernames and passwords associated with these products can be a challenge. Single sign-on (SSO) systems are crucial in alleviating the need for — and stress of — recalling a multitude of credentials. Providing a good SSO user experience has become more complex because the technical professionals responsible for implementing identity and access management (IAM) initiatives must balance user convenience with enterprise security risk.
“SSO is a core IAM requirement for most organizations,” Mary Ruddy, research vice president at Gartner, says. “With employees using so many different software applications and companies transitioning to the cloud, the responsibility is greater to provide SSO without compromising security.”
Ruddy identifies seven steps necessary to deliver an effective SSO architecture.
Step No. 1: Review objectives for SSO as part of the overall IAM program
View every IAM project as an opportunity not only to achieve specific functional goals, such as deploying SSO, but also to position the organization to support future IAM change. Explore the choices for implementing SSO and select the options that make the most sense for your current and future organization. “To stay ahead of the increasing demands on IAM infrastructure, organizations implementing, or reimplementing, SSO should strive toward achieving IAM agility that will be able to adapt to future changes in business requirements and security demands,” Ruddy says.
Step No. 2: Identify users and requirements, assess capabilities and perform gap analysis
Identify the organization’s SSO requirements, which involves several key decision areas. For example, employee, business-to-business partner and consumer SSO can have very different requirements. Implementing an SSO solution for all types of users and all applications can be a big task for some organizations. In many instances, it makes more sense to use a phased approach and implement SSO for a subset of user constituencies.
Step No. 3: Design an architecture to support SSO
Decide whether to run SSO software on-premises, use a cloud-based service such as identity and access management as a service (IDaaS) or take a hybrid approach. “One of the most important factors to consider is whether the organization has the skills and resources to operate the SSO software securely and with high availability,” says Ruddy.
Increasingly, organizations without regulatory requirements for on-premises IAM software are deciding to outsource their SSO capabilities. Gartner predicts that, by 2022, IDaaS will be the chosen delivery model for more than 80% of new access management purchases globally, up from 50% today.
Step No. 4: Determine access control requirements for SSO
A key aspect of providing SSO is ensuring that users are properly authenticated. In today’s environment of cyberattacks and phishing attempts, take an adaptive trust-based approach to user authentication. The continuous adaptive risk and trust assessment (CARTA) approach to identity corroboration evaluates multiple signals, including both affirmative signals that confirm that the user is who they say they are (such as device and IP address recognition) and negative signals (such as unusual behavior) that indicate increased risk.
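The signal-weighing idea above, sketched as an added example that is not from the article or from Gartner: affirmative signals (recognized device, recognized network) raise a trust score, negative signals (unusual behavior) lower it, and the net score selects allow, step-up authentication or deny. The signal names, weights, thresholds, classes and sample profile are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Weights and thresholds are constructed for illustration (assumptions).
TRUST = {"known_device": 40, "known_network": 30}                  # affirmative
RISK = {"unusual_hour": 25, "new_country": 35, "failed_burst": 30}  # negative
ALLOW_AT, STEP_UP_AT = 40, 0

@dataclass
class Profile:
    """What the access manager has learned about one user (hypothetical)."""
    devices: set
    networks: list       # CIDR strings previously seen for this user
    countries: set
    usual_hours: range   # local hours in which the user normally signs in

@dataclass
class Login:
    device_id: str
    ip: str
    country: str
    hour: int
    recent_failures: int = 0

def signals(profile, login):
    """Return (affirmative, negative) signal names present in this login."""
    addr = ip_address(login.ip)
    pos, neg = [], []
    if login.device_id in profile.devices:
        pos.append("known_device")
    if any(addr in ip_network(n) for n in profile.networks):
        pos.append("known_network")
    if login.hour not in profile.usual_hours:
        neg.append("unusual_hour")
    if login.country not in profile.countries:
        neg.append("new_country")
    if login.recent_failures >= 3:
        neg.append("failed_burst")
    return pos, neg

def decide(profile, login):
    """Net the signals into allow / step_up_mfa / deny plus the score."""
    pos, neg = signals(profile, login)
    score = sum(TRUST[s] for s in pos) - sum(RISK[s] for s in neg)
    if score >= ALLOW_AT:
        return "allow", score
    if score >= STEP_UP_AT:
        return "step_up_mfa", score
    return "deny", score

# Constructed sample data (documentation address ranges).
ALICE = Profile({"laptop-01"}, ["203.0.113.0/24"], {"US"}, range(7, 20))
```

Returning the score and the signal names alongside the decision lets the access log record why a session was stepped up or denied, which is what makes the thresholds tunable later.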
Step No. 5: Assess other requirements
Once the general architectural approach is defined, assess other requirements that are relevant to the specific organization, such as access to Microsoft Office 365, Amazon Web Services (AWS) and APIs.
Step No. 6: Refine the architecture as needed
Iterate and refine architectural approaches as needed. It is usually not necessary for all employees to have SSO access to all the applications that they use — especially if providing an SSO connection to a seldom-used (or soon to be replaced) application would be disproportionately expensive. Apply the 80/20 rule.
Step No. 7: Determine required features and vendor shortlists
Fill the gaps between existing and required infrastructure. This can be done by upgrading existing IAM tools to newer, more modern versions or by adding new software or services. Larger organizations with multiple business units or user constituencies should double-check that another division doesn’t already have SSO software that could be leveraged for the current initiative.
“Even if an organization has valid reasons for implementing separate SSO software instances for different user constituencies, it can reap operations staffing and training benefits from using the same software product for multiple SSO initiatives, where practical,” says Ruddy.