Cloud
2/5/2013
01:10 AM
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Single Sign-On Increasingly Connected In The Cloud

Behind the scenes, identity and access solution providers continue a broad effort to integrate to cloud services -- the biggest hurdle to SSO adoption

The difficulty in integrating single sign-on (SSO) with service providers almost spelled the end to the ambitions of e-learning firm Edulabs Global Learning Solutions.

A provider of all-in-one tablets for education, the Bangkok, Thailand-based company packages a growing suite of educational cloud services for students in developing countries in Asia, starting with Thailand, where the government is rolling out a commitment of one tablet per child. The company aims to provide students with a sub-$60 per-year tablet that includes more than three dozen educational services.

Yet, in December, problems in integrating its SSO system with one virtual-school provider nearly put a heavily scrutinized pilot on hold. Getting the two systems working together required a great deal of integration work by Edulabs' cloud-identity provider, Symplified, says Craig Hovendove, chief visionary officer for Edulabs.

"That was a critical piece," Hovendove says. "It wasn't really anyone's problem, but I can't tell you the stress it put everyone under."

While the decade-old Security Assertion Markup Language (SAML) used for online authentication has become a mature standard, connecting applications to online Web or cloud services continues to remain a headache, say vendors and customers. Cloud identity and access solution (IdAS) providers -- such as Okta, Ping Identity, and Symplified -- have created hundreds of connectors, also known as adapters, to bridge the gap, but new services require new code, and that has slowed adoption.

However, the market for better SSO services is expanding because the vendors have laid much of the technological tracks in the form of integrations between cloud services and SSO technology. Last week, for example, cloud security service Zscaler announced it had partnered with Okta, OneLogin, Ping Identity, and RSA to integrate their identity and access solutions into its product.

"Vendors who want to integrate with each other are taking the initiative and forming partnerships that ultimately take the hard work out of establishing single sign-on interactions," Patrick Foxhoven, chief technology officer of emerging technologies for Zscaler, said in an e-mail interview. "Enterprises no longer have to (blindly) implement, and then test and validate, integrations between two different third parties."

[Anyone with access to your cloud providers' servers has access to your data. Don't think burglars or Ethan Hunt of 'Mission Impossible': Think insiders and search warrants. See The Physical Security Factor With Cloud Providers.]

The trend will continue, according to business-intelligence firm Gartner. By 2016, one in four purchases of identity and access management software will be an IdAS rather than on-premise technology, up from about 5 percent today.

Of course, many times it's the small and midsize businesses that are investigating cloud solutions. Smaller companies with a growing investment in software-as-a-service (SaaS) and that are having a hard time finding people to manage an identity and access solution internally will typically choose an IdAS. Companies that have an IAM solution on their premises already will have a lot more legacy equipment and will likely look to extend their current in-house solution, says Gregg Kreizman, research vice president for Gartner.

"It is not a one-size-fits-all thing," says Kreizman.

Other complexities exist, as well. Companies have to worry about making sure that the use of a single authentication portal does not hide an employee's activities from the auditor, says Darren Platt, chief technology officer of Symplified. And companies need to be aware that an attacker that has access to an employee's password has access to every service, and plan for better authentication measures.

"When you do single sign-on, you have aggregated your risk behind that one password," Platt says. "You need to make sure that you make it a harder and stronger form of authentication."

With more companies opting for cloud services rather than on-premise technology, and employees bringing in their own mobile devices and their own preferences for applications, the case for SSO services will only get stronger. Solving the password problem will become even harder, says Patrick Harding, chief technology officer of Ping Identity.

"The biggest problems looking forward relate to how to allow SSO to scale to a point where billions of users, devices, and applications can seamlessly work together so that passwords go the way of cassette tapes, typewriters, and calculator watches," he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-0360
Published: 2014-04-23
Memory leak in Cisco IOS before 15.1(1)SY, when IKEv2 debugging is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted packets, aka Bug ID CSCtn22376.

CVE-2012-1317
Published: 2014-04-23
The multicast implementation in Cisco IOS before 15.1(1)SY allows remote attackers to cause a denial of service (Route Processor crash) by sending packets at a high rate, aka Bug ID CSCts37717.

CVE-2012-1366
Published: 2014-04-23
Cisco IOS before 15.1(1)SY on ASR 1000 devices, when Multicast Listener Discovery (MLD) tracking is enabled for IPv6, allows remote attackers to cause a denial of service (device reload) via crafted MLD packets, aka Bug ID CSCtz28544.

CVE-2012-3062
Published: 2014-04-23
Cisco IOS before 15.1(1)SY, when Multicast Listener Discovery (MLD) snooping is enabled, allows remote attackers to cause a denial of service (CPU consumption or device crash) via MLD packets on a network that contains many IPv6 hosts, aka Bug ID CSCtr88193.

CVE-2012-3918
Published: 2014-04-23
Cisco IOS before 15.3(1)T on Cisco 2900 devices, when a VWIC2-2MFT-T1/E1 card is configured for TDM/HDLC mode, allows remote attackers to cause a denial of service (serial-interface outage) via certain Frame Relay traffic, aka Bug ID CSCub13317.

Best of the Web