Yet despite the renewed level of interest in SSO, there are a number of myths that persist regarding the technology, how it works and how it is best used to provide business value. Here are four myths about SSO that in my experience persist among enterprise and government CIOs.
First, a baseline understanding of what SSO does
To first understand SSO, let’s establish a few baseline concepts about how SSO can help simplify IT operations and increase security.
Single sign-on is an approach that simplifies the management of access to more and more services by a growing constituency of users – users within your environment, that you know, and want to make as productive as possible. It allows you to manage access based on parameters – be it time of day, location, device used to access data or other parameters. This allows you to enable internal users to access what they need when they need it – no more and no less access than that required to do the job efficiently. It also simplifies removing access from a broad range of services quickly when necessary.
The right approach to SSO, enables organizations to build controls around the concept of identity. That’s important, because with the current rate of rapid changes in where the data resides, how it is accessed and where it is accessed from, user identity is often the only constant. Therefore, organizations must build their thinking around the processes of providing access and simplify the management of identity because these will enable them to meet the challenges of an increasingly complex and interconnected business environment. How do you simplify this process? Single sign-on is one solution.
Myth #1: SSO is password synchronization
Some IT professionals label the process of synchronizing username and password across applications as single sign-on; meaning there is one username and password that is synchronized across applications. The truth is that this is a relic of the early years of distributed computing, before true SSO solutions arrived on the market. This old (and frankly, crude) solution to the problem of multiple usernames and passwords provides only some convenience but fails to deliver greater compliance, administration or security benefits. Fortunately, however, modern solutions have phased out this approach, and now offer far more integrated and seamless functionality with tighter security controls as well as a far better audit trail than mere password synchronization could ever provide.
Myth #2: In SSO environments, users still enter their passwords and/or know the actual credential that is passed onto the application
Somewhat related to Myth #1, this misconception assumes that SSO provides no automation but rather is just passes through whatever the user enters. Not true, as this approach would provide little convenience with almost no security or compliance benefits! The truth is that SSO solutions provide authentication automation for each application accessed. Once the users have logged into their SSO solution, it automates the process of providing each application with a set of credentials for the user and ensures that the granular access policies for each application are applied. The SSO solution can also provide a detailed audit trail and centralized control over application access in the event of a security incident.