Why single sign-on is more than “just” security — Evidian helps & guides
Perhaps the most considerable upheaval for a generation, the coronavirus has certainly highlighted several aspects of technology and the way we interact with it at work.
Among the primary issues that have floated to the surface have been remote working methods, collaboration, and security. The latter subject is one that concerns an entire subsection of IT, and quite rightly (there’s no career path in videoconferencing methods — at least, not at present!). After all, if an organization’s assets and intellectual property are digital, ensuring digital safety and compliance are of central concern.
With a large majority of people capable of working remotely doing so, it’s become very apparent that the practices of many employees right up to the very highest level, in cybersecurity and online hygiene terms, are quite weak.
As the organization’s “perimeter” is now manifestly different from what it was just a few short years ago, ensuring safety, compliance, security, and control all have to be person-based, rather than perimeter- or network-based. A safe perimeter that creates a protected local network can no longer compensate for poor practices, and companies have to adjust, and quickly, before the inevitable data breach happens.
That’s where single sign-on (SSO) is playing a significant role in this much-changed enterprise structure. Providing all employees the facility to sign into all resources safely and simply, with access privileges carefully chosen for them and centrally overseen, goes a considerable way in protecting the person, the company, and the company’s standing in the eyes of the law (but more on regulatory compliance later).
There is a superb document available which helps companies finding themselves challenged in these troubled times: “7 rules for a successful SSO” helps businesses of any size plan out their own SSO projects and highlights some of the typical project facets that may not have been considered.
Clearly, we encourage you to download it and absorb its information for yourself, but to give you a taster, here are some of the elements of the full document that hadn’t occurred to us here at Tech Wire Asia, and may not have been on your radar, either.
The objectives of an SSO project clearly will include better security and compliance, but there are also issues of helping save your IT Helpdesk staff a great deal of time — with the obvious positive effect on the overall bottom line.
Furthermore, there are beneficial aspects of SSO that aren’t immediately apparent, like the ability to assign pre-set privilege sets to each member of staff (or a variation on those sets). That directly helps tie down security and closes loopholes.
Additionally, those privileges can be rescinded or altered very quickly, allowing (or quickly preventing) an employee’s access to the different systems that make up the enterprise.
In most articles of this type, adherence to local governance with regard to data protection is often mentioned last. But as the PDF document “7 rules for a successful SSO” shows, the ability to prove compliance is at least as important as maintaining compliance. That proof needs presenting in specific ways depending on the geographies in which your organization functions, but regardless, the annual security “audit” that regulators want to see is much faster and simpler to produce with SSO in place: in fact, having SSO creates a massive number of plus-points for the business in regulators’ eyes.
As with any piece of technology, involving the end-users from the outset of an IT project is critical. When deploying SSO, for example, not only will users always want to use systems that are easier and “feel safer,” but the uptake of the final SSO structure will be 100 percent. That ensures a full ROI and gives purpose to the whole exercise.
The Evidian paper makes a very interesting observation, too, in this regard. The SSO implementation process will expose those applications (and the required access levels) in use that end-users consider critical, yet of which the IT function may not even be aware, or whose relevance it may not have considered.
Observe the existing
Any SSO framework needs to co-exist and integrate with the IT stack that’s already in daily use. In most enterprises, therefore, adhering to the most open, the most platform- or OS-agnostic solution is perhaps the best route. The paper mentions LDAP as one example of a basis on which the SSO can work — but each institution will, of course, have its own underpinnings and specific requirements.
Publish and (don’t) be damned
The necessary buy-in for any technology project is an integral part of the preparation phase. But ensuring that the acceptance continues is very important: it helps make all staff continue to comply with security policy and drives organic and positive change in practices and daily procedures.
The SSO platform, therefore, should publish, openly, the key metrics that help spread the continuing message of security.
Financially, sharing helpdesk figures (numbers of calls, cost centers, time spent on L1 through L3 activity, and so forth) paints a picture of efficiency that the SSO will be a crucial part of. But like the “discovery” of unknown or little-considered applications and services mentioned above, the software using the SSO, and its users’ identities — who uses what, and how often — help form IT policy going forward.
An article of this type can’t cover all the information in the full paper, which will help any organization presented with the massively changed structure of its business at the present time.
For any company coming to terms with the new security and governance implications of wholesale remote working, it should be essential reading. Single sign-on plays a critical role in this changed landscape, but its effects go well beyond a “sticking plaster” solution for the current scenario. The full document shows and guides, and comes highly recommended.