Compelled by competitive pressures and user demand, companies have embraced mobility and cloud. And even if companies haven’t embraced cloud, their employees have. Bring Your Own Device (BYOD) is now commonplace, and the average mobile worker carries 3.5 mobile devices, each accessing multiple applications that connect to protected corporate information, or that serve as another place to squirrel away copies of corporate data. Individuals and individual departments—as well as partners—want immediate access to new cloud applications that help them get more work done faster. So the role of IT has changed. Instead of having absolute control over firewalls and machines (access points) and a relatively stable number of applications, IT must suddenly ensure security in the face of an ever-growing and changing number of users, devices, and applications located both on-premises and in the cloud.
Further complicating IT’s task, even if employees think to ask IT for applications (instead of signing up themselves), they have little patience for an IT department that may take days or weeks to make applications available. This leads to the increase in “shadow IT,” in which users or groups simply sign up for apps on their own with no involvement of IT, introducing a tremendous security risk.
Think of it: a company with, say, 2,000 employees, each with 10 cloud apps, suddenly has 20,000 potential points of entry—usernames and passwords—by which hackers, disgruntled employees, and former employees can breach corporate data, whether in the cloud or behind the corporate firewall.
“We need to make them stop!” is the IT knee-jerk response, but stopping it cold is impossible. Shadow IT will thrive whenever IT says “no,” so IT needs to employ an identity management solution to mitigate the risk, keeping users empowered.
In this environment, however, traditional identity and access management (IAM) and single sign-on (SSO) solutions simply don’t give IT the ability to provide access and ensure security as fast as business users are embracing these easy-to-access cloud apps. Introduced in the 1990s, when tightly controlled, monolithic file servers were the enterprise norm, these solutions are expensive to manage and sit behind a firewall for maximum security, which today makes it tricky and time consuming to manage diverse user groups, cloud applications, and—with 20,000 usernames and passwords—the flood of password-related help desk tickets.
This is why the entire traditional approach of ensuring security through individual usernames and passwords needs to be replaced by a cloud-based enterprise IAM and SSO solution designed to best support both cloud and on-premises applications. Such a solution can make cloud applications instantly available to users around the world without any of the cost or complexity of deploying on-premises infrastructure.
How does enterprise identity management work without passwords? Through SAML (Security Assertion Markup Language), an XML standard for exchanging user authentication and authorization data. SAML enables Internet-based SSO by eliminating the need to distribute and maintain multiple authentication servers. SAML, considered the gold standard for SSO, replaces passwords with digital signatures to establish trust between the identity provider and the application. Using SAML, SaaS providers can use an independent online identity provider to authenticate users who are trying to access secure content, thus locating secure identity management outside the firewall.
SAML SSO increases security by enabling enterprises to more easily control access to their sensitive data and by reducing the number of user logins and the potential for sharing user IDs and passwords. It also eliminates the possibility of phishing attacks using fake login pages. SAML SSO increases user access and reduces user frustration by providing one-click access from portals and intranets, automatically renewing sessions, and enabling deep linking so users can reach links deep inside an application in one click even if they must first be authenticated and signed in by the identity provider. These benefits are particularly important for users of mobile devices. Finally, SSO reduces the burden on IT by centralizing authentication, providing greater visibility, making directory integration easier, and significantly reducing help desk tickets. And since IT can make applications instantly available to users, there is no longer a need for shadow IT.
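To make the trust model in the two paragraphs above concrete, here is an added example (not code from this article, OneLogin, or any SAML library) of the exchange between an identity provider and a service provider. The identity provider signs a minimal assertion with its RSA key; the service provider accepts a user only if the signature verifies against the IdP key it trusts, the issuer and audience match, and the validity window has not passed. The entity IDs, user name and key sizes are constructed for the example, and the signature is a detached RSA-SHA256 signature over the serialized assertion bytes, a deliberate simplification of the enveloped XML-DSig and canonicalization that real SAML uses.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
	"time"
)

// Conditions models the <Conditions> element of a SAML assertion:
// the validity window and the audience (service provider) it was issued for.
type Conditions struct {
	NotBefore    string `xml:"NotBefore,attr"`
	NotOnOrAfter string `xml:"NotOnOrAfter,attr"`
	Audience     string `xml:"AudienceRestriction>Audience"`
}

// Assertion is a deliberately minimal model of a SAML 2.0 <Assertion>.
type Assertion struct {
	XMLName    xml.Name   `xml:"Assertion"`
	ID         string     `xml:"ID,attr"`
	Issuer     string     `xml:"Issuer"`
	NameID     string     `xml:"Subject>NameID"`
	Conditions Conditions `xml:"Conditions"`
}

// SignedAssertion carries the serialized assertion plus the IdP's detached
// RSA-SHA256 signature over exactly those bytes (simplification of XML-DSig).
type SignedAssertion struct {
	XML       []byte
	Signature string // base64
}

// IdentityProvider holds the signing key; only the public half is shared
// with service providers (in real deployments via SAML metadata).
type IdentityProvider struct {
	EntityID string
	Key      *rsa.PrivateKey
}

func NewIdentityProvider(entityID string) (*IdentityProvider, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &IdentityProvider{EntityID: entityID, Key: key}, nil
}

// Issue returns a signed assertion for an already-authenticated user, valid
// for ttl and restricted to one service provider audience.
func (idp *IdentityProvider) Issue(nameID, audience string, now time.Time, ttl time.Duration) (SignedAssertion, error) {
	a := Assertion{
		ID:     fmt.Sprintf("_%d", now.UnixNano()),
		Issuer: idp.EntityID,
		NameID: nameID,
		Conditions: Conditions{
			NotBefore:    now.UTC().Format(time.RFC3339),
			NotOnOrAfter: now.Add(ttl).UTC().Format(time.RFC3339),
			Audience:     audience,
		},
	}
	raw, err := xml.Marshal(a)
	if err != nil {
		return SignedAssertion{}, err
	}
	digest := sha256.Sum256(raw)
	sig, err := rsa.SignPKCS1v15(rand.Reader, idp.Key, crypto.SHA256, digest[:])
	if err != nil {
		return SignedAssertion{}, err
	}
	return SignedAssertion{XML: raw, Signature: base64.StdEncoding.EncodeToString(sig)}, nil
}

// ServiceProvider trusts exactly one IdP key and expects assertions
// addressed to its own entity ID.
type ServiceProvider struct {
	EntityID      string
	TrustedIssuer string
	IdPPublicKey  *rsa.PublicKey
}

// Validate runs the checks an SP must make before trusting an assertion:
// signature first (nothing unsigned is ever interpreted), then issuer,
// audience and validity window. It returns the authenticated NameID.
func (sp *ServiceProvider) Validate(doc SignedAssertion, now time.Time) (string, error) {
	sig, err := base64.StdEncoding.DecodeString(doc.Signature)
	if err != nil {
		return "", fmt.Errorf("bad signature encoding: %w", err)
	}
	digest := sha256.Sum256(doc.XML)
	if err := rsa.VerifyPKCS1v15(sp.IdPPublicKey, crypto.SHA256, digest[:], sig); err != nil {
		return "", errors.New("signature invalid: not from the trusted IdP or modified in transit")
	}
	var a Assertion
	if err := xml.Unmarshal(doc.XML, &a); err != nil {
		return "", fmt.Errorf("malformed assertion: %w", err)
	}
	if a.Issuer != sp.TrustedIssuer {
		return "", fmt.Errorf("unexpected issuer %q", a.Issuer)
	}
	if a.Conditions.Audience != sp.EntityID {
		return "", fmt.Errorf("assertion addressed to %q, not to this SP", a.Conditions.Audience)
	}
	notBefore, err1 := time.Parse(time.RFC3339, a.Conditions.NotBefore)
	notOnOrAfter, err2 := time.Parse(time.RFC3339, a.Conditions.NotOnOrAfter)
	if err1 != nil || err2 != nil {
		return "", errors.New("unparseable validity window")
	}
	if now.Before(notBefore) || !now.Before(notOnOrAfter) {
		return "", errors.New("assertion outside its validity window")
	}
	if a.NameID == "" {
		return "", errors.New("assertion has no subject")
	}
	return a.NameID, nil
}

func main() {
	idp, err := NewIdentityProvider("https://idp.example.com/saml") // constructed entity ID
	if err != nil {
		panic(err)
	}
	sp := &ServiceProvider{EntityID: "https://crm.example.com/sp", TrustedIssuer: idp.EntityID, IdPPublicKey: &idp.Key.PublicKey}
	now := time.Now()
	doc, _ := idp.Issue("alice@example.com", sp.EntityID, now, 5*time.Minute)
	user, err := sp.Validate(doc, now)
	fmt.Println("valid assertion ->", user, err)
	// Change the subject after signing: the signature no longer matches.
	tampered := doc
	tampered.XML = bytes.ReplaceAll(doc.XML, []byte("alice@example.com"), []byte("admin@example.com"))
	_, err = sp.Validate(tampered, now)
	fmt.Println("tampered assertion ->", err)
}
```

The order of checks in Validate is the point of the design: the SP never acts on assertion contents until the signature has been verified against the single key it trusts, and an assertion issued for a different audience or by a different key, even one claiming the same issuer name, is rejected. In production the audience, issuer and public key would come from exchanged SAML metadata rather than being hard-coded.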
Adoption of SAML continues to increase. According to a recent study conducted by the Cloud Security Alliance and OneLogin, 67 percent of the SaaS vendors surveyed use SAML for SSO identity management, while 19 percent plan to implement the standard within the next 12 months. According to the study, the key drivers of SAML adoption are customer demand, improved security and compliance, and speed of integration.
Even with widespread SAML adoption, more needs to be done to provide a true SSO experience on mobile devices, and new standards are emerging to support this effort. The good news is that today enterprises can begin to dramatically improve security and the identity management experience for both users and IT by standardizing on SAML-enabled apps and by SAML-enabling the apps that they develop internally.
(David Meyer is VP of Product at OneLogin, a Real-Time Identity Management & Single Sign-On provider.)