The Evolution of Single Sign-on

Replacing mainframes with 21st century identity

By Paul Madsen, senior technical architect

The concept of single sign-on (SSO) is not a new one, and over the years it has successfully bridged the gap between security and productivity for organizations all over the globe.

Allowing users to authenticate once to gain access to enterprise applications improves access security and user productivity by reducing the need for passwords.

In the days of mainframes, SSO was used to help maintain productivity and security from inside the protection of firewalls. As organizations moved to custom-built authentication systems in the 1990s, it became recognized as enterprise SSO (ESSO) and later evolved into browser-based plugin or web-proxy methods known as web access management (WAM). IT’s focus was on integrating applications exclusively within the network perimeter.

However, as enterprises shifted toward cloud-based services at the turn of the century and software-as-a-service (SaaS) applications became more prevalent, the domain-based SSO mechanisms began breaking. This shift created a new need for a secure connection to multiple applications outside of the enterprise perimeter and transformed the perception on SSO.

Large-scale Internet providers like Facebook and Google also created a need for consumer-facing SSO, which did not previously exist.

Before these social networks arrived, SSO was used only within the enterprise; new technology had to be created to meet the demands of businesses while also securely authenticating billions of Internet users.

There are many SSO options available today that fit all types of use cases for the enterprise, business and consumer, and they can be divided into three tiers, with Tier 1 SSO being the strongest and most advanced of the trio. Tier 1 SSO offers maximum security when moving to the cloud, the highest convenience to all parties, the highest reliability as browser and web applications go through revisions, and generally has the lowest total cost of ownership. Tier 2 SSO is the mid-level offering meant for enterprises with a cloud-second strategy. Tier 3 SSO offers the least amount of security and is generally used by small businesses moving to the cloud outside of high-security environments.

The defining aspect of Tier 1 SSO is that authentication is driven by standards-based token exchange while the user directories remain in place within the centrally administered domain, rather than being synchronized to an external party. Standards such as SAML (Security Assertion Markup Language), OpenID Connect and OAuth have allowed this new class of SSO to emerge for the cloud generation. Standards matter because they provide a shared framework for authenticating identity consistently, a framework that government agencies rely on to ensure security.
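The token-exchange pattern described above, as an added example that is not part of the original article or of any vendor's product: the identity provider authenticates against its own directory and hands the service provider a signed, audience-restricted, short-lived assertion, so the service provider never needs a copy of the directory. The issuer and audience URLs, the shared HMAC key (a stand-in for the XML-DSig or JWS signature SAML and OpenID Connect actually use) and the sample directory are all constructed for the example.

```python
import base64, hashlib, hmac, json, time

# Constructed sample directory; it stays inside the enterprise domain and is
# never copied to the service provider. (A real directory uses a salted, slow
# password hash; plain SHA-256 is only a stand-in here.)
IDP_DIRECTORY = {"alice": hashlib.sha256(b"correct horse").hexdigest()}
SIGNING_KEY = b"constructed-demo-key"    # assumption: shared out of band
IDP_ISSUER = "https://idp.example.com"     # hypothetical identity provider
SP_AUDIENCE = "https://saas.example.net"   # hypothetical service provider

def _sign(payload: bytes) -> str:
    # HMAC-SHA256 stands in for the asymmetric signature of SAML/JWS.
    mac = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()

def idp_issue_assertion(username, password, audience, now=None):
    """IdP side: verify credentials locally, return a signed assertion or None."""
    now = int(time.time()) if now is None else now
    stored = IDP_DIRECTORY.get(username)
    presented = hashlib.sha256(password.encode()).hexdigest()
    if stored is None or not hmac.compare_digest(stored, presented):
        return None
    claims = {"iss": IDP_ISSUER, "sub": username, "aud": audience,
              "iat": now, "exp": now + 300}        # five-minute lifetime
    payload = base64.urlsafe_b64encode(
        json.dumps(claims, sort_keys=True).encode()).decode()
    return payload + "." + _sign(payload.encode())

def sp_validate_assertion(token, now=None):
    """SP side: check signature, issuer, audience and expiry; return subject or None."""
    now = int(time.time()) if now is None else now
    try:
        payload, sig = token.split(".")
    except ValueError:
        return None                                # malformed token
    if not hmac.compare_digest(sig, _sign(payload.encode())):
        return None                                # tampered or wrong key
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if claims.get("iss") != IDP_ISSUER or claims.get("aud") != SP_AUDIENCE:
        return None      # unknown issuer, or a token minted for another SP
    if now >= claims.get("exp", 0):
        return None                                # expired
    return claims["sub"]
```

The audience and expiry checks are what keep an assertion issued for one application from being replayed at another or reused later; a service provider that only verifies the signature accepts both.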

These standards have become such a staple in the authentication industry that government agencies like the United States Federal CIO Council, NIST (National Institute of Standards and Technology) and Industry Canada have created programs to ensure these standards are viable, robust, reliable, sustainable and interoperable, as the following examples document.

The Federal CIO Council has created the Identity, Credential, and Access Management (ICAM) committee to define a process where the government profiles identity management standards to incorporate the government’s security and privacy requirements, to ensure secure and reliable processes.

The committee created the Federal Identity, Credential, and Access Management (FICAM) roadmap to provide agencies with architecture and implementation guidance that addresses security problems, concerns and best practices. Industry Canada’s Authentication Principles Working Group created the Principles for Electronic Authentication, which were designed to serve as benchmarks for the development, provision and use of authentication services in Canada.

As enterprises continue to adopt cloud-based technologies outside of their network perimeter, the need for reliable SSO solutions becomes more vital. Vendors that support these government-issued guidelines offer the strongest and most secure access management available today. Since the establishment of SSO, technological capabilities have greatly advanced and SSO has been forced to evolve over the past few decades. First-generation SSO solutions were not faced with Internet scale or access from outside the network, whereas today’s SSO is up against many more obstacles.

As IT progresses in the future, SSO will have to grow with it and strengthen its security. For instance, while SSO is the expectation for web browser applications, the emergence of native applications (downloaded and installed onto mobile devices) has highlighted the need for a similar SSO experience for this class of applications. To address these new use cases, new standards (or profiles of existing standards) are emerging, and initiatives like the Principles for Electronic Authentication will have to adapt accordingly in order to offer the best guidance possible.

Drastic Measures Not Needed with DRaaS

“We are seeing 100-year hurricane cycles arrive every two years.”

Mike Gault

Perhaps the only thing worse than a disaster happening is seeing it coming and knowing nothing can be done to stop it. Businesses along the northeastern seaboard had several days of warning before Hurricane Sandy struck, certainly not enough time to implement a disaster recovery plan from scratch. Even more painful is the understanding that some disaster recovery plans would not be enough; physical backup systems in separate geographical areas may have still suffered the same losses as the home site due to the size of the storm.

Most disasters come with no warning at all. Explosions, power outages, and simple equipment failure can cause the same damage. Operations are down, customers suffer, and revenues tank. Once business recovers the harder work of wooing back customers and convincing new ones about the company’s reliability begins.

Simply doubling up infrastructure and creating physical backups is expensive and time-consuming, and it often leads to systems that function inadequately when put into use. Cost cutting means doing without applications and information essential to performance. Lack of testing and differences in tools lead to inefficient work practices during the recovery.

Move into the Cloud

Cloud computing and virtual services eliminate a majority of these concerns. Disaster Recovery as a Service, or DRaaS, is a resource-efficient method of allowing business to continue with little to no interruption. Because everything resides in the cloud, no duplicate infrastructure is needed, testing and upgrades are assured, and no applications or information need be out of commission.

DRaaS is a natural extension of the cloud computing phenomenon. Service providers have hardened their security and created tiered services that fit any budget. Companies are embracing cloud computing for a variety of purposes. The flexibility of such services is a huge driver to adoption since only the services needed are active. The rest can be brought online as desired or shut down during idle time.

IT overhead and infrastructure reductions create cash to fuel growth. Cloud services are the perfect vehicle for the rapidly expanding mobile worker and consumer groups. By taking the time upfront to plan and consider operational requirements, disaster recovery can be the key to successful business recovery.

Service Level Agreement Considerations

The Service Level Agreement (SLA) spells out exactly what will and will not be provided with any cloud service. It is crucial to understand the SLA governing disaster recovery, because a disaster is not the time to discover shortcomings in coverage. Performance and productivity need not suffer if due diligence is taken to make a realistic determination of business continuity needs. Planning wisely also keeps SLA costs to a minimum.

Consider these questions:

  • What applications must be included?
  • What operations are essential for service?
  • What information must be easy to access during this time?
  • How often are testing and upgrades performed?
  • What guarantee of data integrity is offered?

A good service provider will have the experience to help answer these and other questions. They should have an excellent understanding of the extent of disaster recovery needed in a variety of industries. Some providers may even specialize in certain verticals, deepening their ability to determine needs and provide suggestions.

DRaaS Benefits Tower Over Risk

If nothing else, Hurricane Sandy brought home the absolute worst that could happen. Fire, flood, and power failures on such a massive scale are unprecedented but not impossible. Disaster recovery is an essential part of business continuity that must not be put off. The cost of loss far outweighs the cost of DRaaS because, even if such events are rare, all it takes is once. New York Governor Andrew Cuomo said we are seeing 100-year hurricane cycles arrive every two years.

With the knowledge that DRaaS, like all cloud services, is a cost-effective way to relieve the worry of business interruptions, large or small, business owners can put a line through this item on the to-do list. With guarantees of integrity and continuity, resources and energy can be channeled into growing the business and keeping customers happy.

# # #

Mike Gault is CEO of Guardtime, a developer of digital signatures that algorithmically prove the time, origin and integrity of electronic data. He started his career conducting research in Japan on the computer simulation of quantum effect transistors. He then spent 10 years doing quantitative financial modeling and trading financial derivatives at Credit Suisse and Barclays Capital. Mike received a Ph.D. in Electronic Engineering from the University of Wales and an MBA from the Kellogg-HKUST Executive MBA Program in Hong Kong. You can reach him at Mike.Gault@guardtime.com or visit www.guardtime.com.