Workforces are adopting cloud applications at an unprecedented rate, and these often range far wider than the relatively small subset of core applications the IT team has visibility of.
Whilst core applications (e.g. email and expenses apps) might be used across the organisation, there are often hundreds or even thousands of additional business applications being used by departments and teams across the enterprise. Whilst the IT team may have ensured the core applications support identity standards for Single Sign-On (e.g. SAML or OIDC), business applications adopted by other departments will often necessitate the use of usernames and passwords. These credential-based applications create a huge attack surface for malicious actors and present a very real and imminent risk of data breach to the enterprise.
As the workforce adopts this increasing number of cloud applications, employees also need to keep track of more and more passwords, which leads to poor security practices such as weak or reused passwords that can easily be brute-forced or phished from the employee.
Here we look at the top 10 “must have” features for any Single Sign-On solution, to ensure maximum compatibility with minimal user intrusion so you achieve the highest level of risk mitigation for your organisation.
1. Zero Sign-in to the Single Sign-On Solution to Reduce User Friction
One of the desired outcomes from a Single Sign-On (SSO) solution is to reduce user friction and make things easier for the workforce, not to give them yet another password to remember. An SSO solution that integrates seamlessly with your corporate directory should mean no sign-in is required to the SSO system itself, improving adoption and making the user experience frictionless and more efficient.
2. Zero User Interface Option to Guarantee Adoption
For widespread enterprise use, your workforce Single Sign-On solution should be configurable to run silently in the background, authenticating users with the applications they need at the time they need them. Users should be able to launch the application they wish to access in the usual way and simply be authenticated with it. This also means no user training is required, which in turn means guaranteed adoption and substantially improved security benefits and return on investment from your solution.
3. Password Policy Enforcement to Eliminate Phishing Risks
Where SSO protocols such as SAML or OIDC are not supported by your external applications, make sure your Single Sign-On solution includes a feature to enforce password policies on those applications that do rely on passwords, by generating strong, random passwords for users and updating these on the external applications without needing an API.
For the greatest security benefits, this feature should also enable administrators to configure a policy that hides the newly updated password from the end user, meaning they do not know it and therefore cannot be phished for it.
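The two mechanisms described above (policy-conforming random password generation, and a hide-from-user policy so the employee never learns the rotated password) can be modelled in a few dozen lines. The following is an added illustration, not code from the article or from any SSO product; the policy values, the `CredentialVault` class and the `update_app` callback are all assumptions made for the example.

```python
import secrets
import string

# Constructed password policy for illustration; a real policy is set by the administrator.
POLICY = {
    "min_length": 24,
    "require_upper": True,
    "require_lower": True,
    "require_digit": True,
    "require_symbol": True,
}
SYMBOLS = "!@#$%^&*()-_=+[]{}:;,.?"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def meets_policy(password: str, policy: dict = POLICY) -> bool:
    """Return True when the password satisfies every rule in the policy."""
    return all([
        len(password) >= policy["min_length"],
        not policy["require_upper"] or any(c.isupper() for c in password),
        not policy["require_lower"] or any(c.islower() for c in password),
        not policy["require_digit"] or any(c.isdigit() for c in password),
        not policy["require_symbol"] or any(c in SYMBOLS for c in password),
    ])


def generate_password(policy: dict = POLICY) -> str:
    """Draw characters from the OS CSPRNG (secrets module) until the result meets the policy."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(policy["min_length"]))
        if meets_policy(candidate, policy):
            return candidate


class CredentialVault:
    """Holds the per-user, per-application passwords the SSO agent uses to log users in.

    hide_from_user models the policy option from the article: the rotated password
    is used by the SSO agent to fill login forms but is never shown to the employee.
    """

    def __init__(self, hide_from_user: bool = True):
        self._store = {}  # (user, app) -> password
        self.hide_from_user = hide_from_user

    def rotate(self, user: str, app: str, update_app) -> bool:
        """Generate a new password, push it to the external app, then store it.

        update_app(user, new_password) is a hypothetical callback standing in for
        whatever mechanism (e.g. driving the app's change-password form) is used,
        since the article says this works without an API.
        """
        new_password = generate_password()
        update_app(user, new_password)
        self._store[(user, app)] = new_password
        return meets_policy(new_password)

    def credential_for_agent(self, user: str, app: str) -> str:
        """Called only by the SSO agent when filling a login form."""
        return self._store[(user, app)]

    def reveal_to_user(self, user: str, app: str) -> str:
        """Employee-facing 'show password' request; refused under a hide policy."""
        if self.hide_from_user:
            raise PermissionError("policy hides this credential from the end user")
        return self._store[(user, app)]
```

The point of separating `credential_for_agent` from `reveal_to_user` is that the hiding is enforced at the vault boundary rather than in the user interface: a phishing lure cannot extract a value the employee has never seen, and the only path that returns the secret is the one the agent uses to authenticate.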
4. Application Discovery and Learning of Credentials to Manage Shadow IT Risks
Single Sign-On solutions that can discover the applications being used by the workforce, and automatically learn the credentials for these if required, enable the enterprise to expedite time-to-value by minimising deployment effort. This also delivers the additional benefit of significantly mitigating corporate data breach risks by detecting Shadow IT and integrating these identities with the Single Sign-On solution so they can be managed effectively.
5. SSO Compatibility with Web and Windows Desktop Apps to Maximise Risk Mitigation
Ensure your SSO solution offers maximum compatibility with applications, with the ability to integrate:
- Windows desktop executable applications
- Virtualised/thin-client applications running on the desktop
- Web Applications that use authentication protocols (e.g. SAML, OIDC)
- Web Applications that use credentials (e.g. usernames and passwords)
This range of compatibility with various types of applications will future-proof your investment in SSO, offer the broadest range of compatibility, and therefore offer the maximum level of risk mitigation.
6. Zero Knowledge Encryption for Greatest Security
Given that many business applications still require passwords for authentication, it is important to ensure that your SSO solution vendor has no access to these, or indeed the encryption keys used to protect them. Zero Knowledge Encryption means that no one outside your enterprise can access your secured data – not even the SSO vendor. This is crucial in giving your organisation complete control and eliminating a potential security risk – ask your SSO vendor where the encryption takes place and if they have access to the keys.
7. Support Multiple Credentials for Specific Applications to Maximise Compatibility
Often, users in specific functions will need to access the same application using different sets of credentials (e.g. marketing accessing multiple corporate Twitter accounts, or IT having admin, user and test credentials for an application). Make sure your SSO solution is able to support this and facilitate easy switching between identities, to maximise compatibility and risk mitigation and maintain an efficient workflow.
8. Automate User Account Lifecycle Management to Improve Efficiency and Security
Your SSO solution should enable administrators to configure policies that automate user access to identities and applications based on their group membership within the corporate directory, minimising IT administration effort. Conversely, the SSO solution should also be able to revoke access to identities and applications when a user is suspended or deleted from the corporate directory to reduce offboarding risks where leavers retain access to corporate data.
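The grant-and-revoke behaviour described above is essentially a reconciliation loop: compute the access each directory user should hold from their group memberships, compare it with what the SSO solution currently assigns, and emit the difference. The following is an added example, not code from the article or from any product; the group-to-application policy, the sample directory and the current assignments are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DirectoryUser:
    username: str
    groups: frozenset
    status: str  # "active" or "suspended"; deleted users simply vanish from the directory


# Constructed policy: directory group -> applications/identities granted by membership.
ACCESS_POLICY = {
    "all-staff": {"mail"},
    "finance": {"expenses-app", "erp"},
    "marketing": {"social-suite"},
}


def desired_access(user: DirectoryUser) -> set:
    """Applications a user should hold: the union of their groups' grants, or nothing unless active."""
    if user.status != "active":
        return set()
    apps = set()
    for group in user.groups:
        apps |= ACCESS_POLICY.get(group, set())
    return apps


def reconcile(directory: list, assignments: dict) -> tuple:
    """Compare directory state with current SSO assignments.

    Returns (grants, revokes): dicts of username -> set of apps to add or remove.
    Usernames present in assignments but absent from the directory are treated as
    deleted and lose everything, which closes the leaver gap the article describes.
    """
    grants, revokes = {}, {}
    for user in directory:
        want = desired_access(user)
        have = assignments.get(user.username, set())
        if want - have:
            grants[user.username] = want - have
        if have - want:
            revokes[user.username] = have - want
    known = {u.username for u in directory}
    for username, have in assignments.items():
        if username not in known and have:
            revokes[username] = set(have)
    return grants, revokes


# Constructed sample data: one joiner, one suspended user, one leaver still holding access.
DIRECTORY = [
    DirectoryUser("alice", frozenset({"all-staff", "finance"}), "active"),
    DirectoryUser("bob", frozenset({"all-staff", "marketing"}), "suspended"),
    DirectoryUser("carol", frozenset({"all-staff"}), "active"),
]
CURRENT_ASSIGNMENTS = {
    "alice": {"mail"},                # joined finance; needs expenses-app and erp
    "bob": {"mail", "social-suite"},  # suspended; must lose everything
    "dave": {"mail", "erp"},          # deleted from directory; must lose everything
}

if __name__ == "__main__":
    grants, revokes = reconcile(DIRECTORY, CURRENT_ASSIGNMENTS)
    print("grant:", grants)
    print("revoke:", revokes)
```

Running the reconciliation on a schedule (or on directory change events) is what turns a one-off provisioning step into lifecycle management: the same function handles joiners, movers, suspensions and leavers without any per-case administration.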
9. Full Audit Trail and Integration with Security Information and Event Management (SIEM) Solutions
Any effective SSO solution should be able to provide a full audit trail of who accessed what system and when to help support compliance and any retrospective investigation following a security incident. The SSO solution should provide canned and customised reporting options that can be interrogated locally, exported or linked directly to your SIEM solution for analysis and aggregation with other events.
10. Policy Based Step-up Authentication for SSO to Improve Security for Critical Applications
For increased security on critical applications that protect sensitive data, your SSO solution should be able to apply conditional access policies that mandate that users satisfy multi-factor challenges or step-up authentication before being given access to your most critical applications.
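Points 9 and 10 fit together naturally: each conditional-access decision is exactly the event an audit trail and a SIEM need to record. The following added example, which is not code from the article or from any product, evaluates a per-application step-up policy against a session and emits one JSON line per decision in a shape a SIEM can ingest. The policy table, the `Session` fields and the event name are assumptions made for the illustration.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import IntEnum


class AuthLevel(IntEnum):
    PASSWORD = 1  # signed in via the corporate directory only
    MFA = 2       # completed a second-factor challenge in this session


@dataclass
class Session:
    user: str
    auth_level: AuthLevel
    managed_device: bool
    source_ip: str


# Constructed conditional-access policy: application -> requirements.
APP_POLICY = {
    "hr-payroll": {"required_level": AuthLevel.MFA, "managed_device_only": True},
    "crm": {"required_level": AuthLevel.MFA, "managed_device_only": False},
    "wiki": {"required_level": AuthLevel.PASSWORD, "managed_device_only": False},
}
DEFAULT_POLICY = {"required_level": AuthLevel.PASSWORD, "managed_device_only": False}


def decide(session: Session, app: str) -> str:
    """Return 'allow', 'step_up' (an MFA challenge must be passed first) or 'deny'."""
    policy = APP_POLICY.get(app, DEFAULT_POLICY)
    if policy["managed_device_only"] and not session.managed_device:
        return "deny"
    if session.auth_level < policy["required_level"]:
        return "step_up"
    return "allow"


def audit_event(session: Session, app: str, decision: str, when: datetime = None) -> str:
    """One JSON line per access decision: who, what, when, and why the decision was taken."""
    when = when or datetime.now(timezone.utc)
    return json.dumps({
        "timestamp": when.isoformat(),
        "event": "sso.access_decision",
        "user": session.user,
        "application": app,
        "decision": decision,
        "auth_level": session.auth_level.name,
        "managed_device": session.managed_device,
        "source_ip": session.source_ip,
    })


def access(session: Session, app: str) -> tuple:
    """Evaluate policy and produce the audit record together, so no decision goes unlogged."""
    decision = decide(session, app)
    return decision, audit_event(session, app, decision)


if __name__ == "__main__":
    alice = Session("alice", AuthLevel.PASSWORD, managed_device=True, source_ip="10.0.0.5")
    for app in ("wiki", "hr-payroll"):
        decision, line = access(alice, app)
        print(line)
```

Because `access` returns the audit line alongside the decision, the record includes the inputs that drove the outcome (auth level, device state, source address) rather than only the result; that is what makes a retrospective investigation answer "why was this allowed?" instead of just "was it allowed?".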