SSO and beyond - giving CIOs control in the cloud

Opinion by Richard Walters

On 17th May 2013, Yahoo advised users in Japan to change their passwords, as a precautionary measure, following the potential theft of a file containing 22 million user names.

A week earlier, Google announced that it plans to make two-factor authentication compulsory. Online authentication is becoming an increasing burden on users and administrators.

In February, the Fast Identity Online (Fido) Alliance published a new set of authentication standards that aim to end the reliance on passwords. By creating open and interoperable standards based on the Online Security Transaction Protocol (OSTP), the Fido Alliance hopes to authenticate users to all online applications using the Trusted Platform Module chip on the device, or biometric information supplied from the computing device.

Are passwords passé?

It has been well documented that users struggle to remember passwords. As a result, people often create weak passwords and reuse the same one to access multiple online applications, putting all services at risk in the event of a breach. Passwords also lend themselves to licensing problems, by allowing login details to be shared between authorised and unauthorised users.

Play it again SAML?

It was these very same authentication issues that led to the development of the Security Assertion Markup Language (SAML) standard ten years ago by the Organisation for the Advancement of Structured Information Standards (Oasis).

The principal goal of Oasis was essentially the same as that of the Fido Alliance: to create a new standard for confirming identity and authorising access to web services.

A decade later, one of the most important uses of SAML is to enable single sign-on (SSO) to web applications. SSO, like OSTP, removes the reliance on passwords by creating an authentication system that uses XML-based assertions between the identity provider and service provider (web application).

SaaSID supports a range of SSO methods within its solutions, but it recognises that authenticating users to online applications is just the first step.

As more corporate applications are delivered online, CIOs need more than just a record of who logged in and logged out. They need to be able to manage and record what happens between those two events.

CIOs operating in regulated industries, such as financial services, healthcare and pharmaceuticals, need to go beyond authentication and SSO and provide an audit of employees' interactions with web applications, visibility that SSO cannot provide.

The benefits of going beyond SSO

Data protection regulations require CIOs to prove that they restricted access to personal data and that they prevented unauthorised processing, changes or breaches of that data. Without being able to control and audit interactions with web applications, CIOs cannot show how risks to data have been effectively managed and this affects their ability to comply with a range of information security-related standards, regulations and legislation.

For example, if you can only see login and logout information, how do you prove to an auditor that you prevented customer lists from being exported from your organisation's CRM application?

This lack of visibility in the cloud is preventing some organisations from achieving the scalability and productivity benefits of web applications.

A cunning device?

The Fido Alliance's approach requires software to be downloaded to devices to enable authentication to online services. However, this may not be acceptable to employees working on personally owned devices.

One of the concerns voiced by CIOs is how they can ensure that new web applications are quickly rolled out to all devices and that access to corporate data is just as quickly revoked when employees leave the organisation. This is critical for combating data loss and remaining compliant.

However, because each employee tends to use multiple computing devices, a device-centric approach such as the Fido authentication system may delay roll-out and revocation of access to web applications and corporate data.

When using SSO, CIOs still need to tackle the compliance blind spot created when employees use web applications to process corporate data. They also need to drive out the complexity caused by employees using multiple computing devices in the corporate environment.

Identity in the cloud

Computing and mobile form factors change on an almost weekly basis, so the Fido Alliance's device-centric approach is in some ways surprising.

We realised three years ago that when users access web applications, the only point of commonality is the browser, so that's where we put our SSO - in web application management and auditing software.

By using browser-based security, CIOs can go beyond SSO to enable web application features to be controlled, while creating a detailed audit trail of user activity, regardless of the device used.

This browser-based approach hands back control to CIOs, so that employees can benefit from using web applications, regardless of the device, without CIOs losing visibility of interactions with corporate data and without IT teams wasting time on multiple password resets.

Richard Walters is chief technology officer of SaaSID

