Identity and Access Management (IAM) strategies that include Single Sign-On can bring enormous benefits to organisations in both security and user experience, but a successful implementation requires some due diligence beforehand. Even out-of-the-box SSO solutions can fail to fulfil their purpose if it isn’t a good fit for the organisation. Here are 5 common mistakes to avoid when selecting and implementing SSO.
1. Not ensuring compatibility with all apps
Open security standards such as SAML and OIDC are enormously useful for providing SSO, but they are not compatible with all application types. Windows desktop apps, virtualised environments and thin-client apps can all pose problems for token-based authentication, as well as a large number of internal and external web apps which do not yet support these protocols. In order to ensure these apps are also protected, the SSO solution of choice cannot rely on token-based authentication alone.
By selecting an SSO solution which incorporates enterprise password management functionality, applications which require a username and password can be integrated with Single Sign-On without using an API. Enterprise password management functionality also enables password policies to be enforced on 3rd party cloud applications by automatically generating complex passwords and updating these on the 3rd party application. The credentials will then be automatically filled into application login forms by the SSO product providing the same user experience as token-based authentication.
A good enterprise password manager should also be able to hide the newly-updated password from the user meaning, the user cannot be phished for it. These randomly generated, high-entropy passwords also protect against brute force attacks and credential stuffing. By taking the responsibility of creating, managing, and entering passwords away from the user, the SSO solution can manage the full range of identity resources being used by employees ensuring that lax security practices no longer persist in the workforce.
2. Not ensuring full integration with existing enterprise architecture
As well as the app suites used by employees, it is also imperative that the SSO solution integrates with the network architecture as a whole. If the SSO solution does not integrate with the corporate directory, or threat monitoring solutions for example, this disconnection can make it more difficult to manage identities and risk within the organisation.
Some SSO vendors encourage businesses to move to their own proprietary directory, which can pose significant extra challenges for the enterprise. As well as requiring extra time and work to simply replace existing functionality, this can also make it more difficult for the business to change vendors in the future. If the existing directory (e.g. Active Directory) can be leveraged as a single source of truth instead, the organisation can maintain its current users and organisational units, not only ensuring that all employees are onboarded smoothly, but also greatly reducing the difficulty of deploying the solution, and the resultant workload on IT departments.
It is also crucial that the SSO solution be able to fully integrate with other security technologies that exist within the organisation. SIEM systems are vital for ensuring real-time event monitoring to detect potential security issues – if the SSO solution is not able to integrate with the SIEM system, the IT department may have a blind-spot that inhibits the ability to detect, mitigate and respond to threats.
3. Inhibiting user adoption through poor UX
With any cyber security measure, there will always be some balance to be struck between security and user experience. A solution which requires stringent authentication factors every time a user tries to access any resource on the network may seem to be highly secure, but can deter users from adopting it, making them more likely to find unsecure workarounds.
Step-up authentication is one way to balance these competing needs. By requiring additional authentication factors from users only when more sensitive resources are accessed, employees are still able to carry out routine, day-to-day tasks without their productivity being impacted by excessive prompting for authentication. This gives a smooth and efficient user experience while still keeping the most important data secure against malicious actors who may have gained access to the network.
In addition, the solution should require no change in user behaviour, to remove any potential barriers to adoption. Authenticating users through the existing corporate directory rather than requiring separate authentication into the SSO solution is ideal – a function of the solution is to reduce the number of credentials required by employees, not to add one more. To further ensure there is no change in user behaviour, an SSO solution which works in the background without an intrusive user interface also helps to guarantee adoption by the workforce. When users simply need to click on an application to access it and be automatically authenticated, the SSO solution enhances the user experience, rather than detracts from it.
Lastly, if the SSO solution incorporates an enterprise password manager as well as leveraging open security standards such as SAML and OIDC, it is imperative that the two function together seamlessly. The solution should be able to automatically detect login forms, even non-standard ones, automatically entering user credentials when the app is accessed. This helps to keep the user experience consistent regardless of the background technology, again ensuring that the solution is widely adopted and fulfils its purpose.
4. Not future-proofing the solution
While a SSO solution may meet the present needs of an organisation, it should also be ready to meet any future changes. As businesses grow, new employees require onboarding, old employees leave, users change roles, and the cloud apps in use can change significantly over time. An SSO solution must adequately scale and adapt to changes in the business to continue providing protection from external threats. If apps and users cannot easily be added and removed from the SSO system, they can remain as potential vulnerabilities that the business can no longer keep track of.
By utilising the corporate directory as a single source of truth, onboarding, offboarding, and changing user permissions becomes much simpler and more comprehensive, since it only needs to take place in one location. When an employee leaves the company, ceasing their access in the directory can enable the SSO solution to immediately revoke their application access, eliminating the risk of employees retaining access to corporate systems, a significant risk factor in data breaches. In a recent study by My1Login, 40% of business leaders surveyed stated they were concerned that when employees leave, they may know passwords or retain access to applications that contain corporate data.
As well as employees, apps used by an organisation also shift over time. The SSO solution must be able to integrate new applications without requiring an extensive setup process or specialist knowledge, allowing both administrators and users to easily gain the full benefit of the solution and ensuring it retains full coverage into the future, beyond just the current applications being used.
5. Not taking Shadow IT into account
The suite of apps used by employees is often not limited to those that are visible and approved by IT. According to research by McAfee, the number of cloud apps used by employees is at least ten times greater than the number known to IT departments, which can pose a significant hurdle to ensuring that an SSO solution offers full coverage of apps being used by the workforce. With these apps left unprotected, poor security habits that the SSO solution is designed to prevent will remain, such as weak, reused, and written-down passwords. This is even more significant due to remote working, since certain corporate resources, which would previously never have left the confines of the office, are now more exposed to access by family, trades persons, or any other visitor to a household.
To combat this problem, the SSO solution should be capable of automatic detection of apps used by employees. This real-time monitoring allows IT departments far greater visibility over the true range of web app usage across the organisation, and allows administrators to easily integrate or exclude individual apps from the SSO solution.
With full control and visibility over the applications being used by the workforce, the business can mitigate the risk of threats posed by app usage outside the visibility of IT departments. Where the organisation permits, department-led adoption of cloud applications can take place with the security function confident these can be automatically detected and integrated by the SSO solution where appropriate.
With full visibility of the applications being used throughout the business, any previous shadow IT blind-spots are removed, ensuring the business can remain in control of applications and identities in use. This helps manage department-led adoption of cloud applications, without the typical risks of this happening outside of IT’s control.
A well-executed Identity and Access Management strategy that incorporates Single Sign-On (SSO) and enterprise password management mitigates the risk of a data breach, improves user experience and puts the organisation firmly in control of user access to corporate identities and data. Avoiding these common mistakes when choosing and implementing a SSO solution will maximise the likelihood of a successful implementation and achieving the business outcomes the SSO initiative set out to achieve.
