Cloud
2/5/2013
01:10 AM
Connect Directly
RSS
E-Mail
50%
50%

Single Sign-On Increasingly Connected In The Cloud

Behind the scenes, identity and access solution providers continue a broad effort to integrate to cloud services -- the biggest hurdle to SSO adoption

The difficulty in integrating single sign-on (SSO) with service providers almost spelled the end to the ambitions of e-learning firm Edulabs Global Learning Solutions.

A provider of all-in-one tablets for education, the Bangkok, Thailand-based company packages a growing suite of educational cloud services for students in developing countries in Asia, starting with Thailand, where the government is rolling out a commitment of one tablet per child. The company aims to provide students with a sub-$60 per-year tablet that includes more than three dozen educational services.

Yet, in December, problems in integrating its SSO system with one virtual-school provider nearly put a heavily scrutinized pilot on hold. Getting the two systems working together required a great deal of integration work by Edulabs' cloud-identity provider, Symplified, says Craig Hovendove, chief visionary officer for Edulabs.

"That was a critical piece," Hovendove says. "It wasn't really anyone's problem, but I can't tell you the stress it put everyone under."

While the decade-old Security Assertion Markup Language (SAML) used for online authentication has become a mature standard, connecting applications to online Web or cloud services continues to remain a headache, say vendors and customers. Cloud identity and access solution (IdAS) providers -- such as Okta, Ping Identity, and Symplified -- have created hundreds of connectors, also known as adapters, to bridge the gap, but new services require new code, and that has slowed adoption.

However, the market for better SSO services is expanding because the vendors have laid much of the technological tracks in the form of integrations between cloud services and SSO technology. Last week, for example, cloud security service Zscaler announced it had partnered with Okta, OneLogin, Ping Identity, and RSA to integrate their identity and access solutions into its product.

"Vendors who want to integrate with each other are taking the initiative and forming partnerships that ultimately take the hard work out of establishing single sign-on interactions," Patrick Foxhoven, chief technology officer of emerging technologies for Zscaler, said in an e-mail interview. "Enterprises no longer have to (blindly) implement, and then test and validate, integrations between two different third parties."

[Anyone with access to your cloud providers' servers has access to your data. Don't think burglars or Ethan Hunt of 'Mission Impossible': Think insiders and search warrants. See The Physical Security Factor With Cloud Providers.]

The trend will continue, according to business-intelligence firm Gartner. By 2016, one in four purchases of identity and access management software will be an IdAS rather than on-premise technology, up from about 5 percent today.

Of course, many times it's the small and midsize businesses that are investigating cloud solutions. Smaller companies with a growing investment in software-as-a-service (SaaS) and that are having a hard time finding people to manage an identity and access solution internally will typically choose an IdAS. Companies that have an IAM solution on their premises already will have a lot more legacy equipment and will likely look to extend their current in-house solution, says Gregg Kreizman, research vice president for Gartner.

"It is not a one-size-fits-all thing," says Kreizman.

Other complexities exist, as well. Companies have to worry about making sure that the use of a single authentication portal does not hide an employee's activities from the auditor, says Darren Platt, chief technology officer of Symplified. And companies need to be aware that an attacker that has access to an employee's password has access to every service, and plan for better authentication measures.

"When you do single sign-on, you have aggregated your risk behind that one password," Platt says. "You need to make sure that you make it a harder and stronger form of authentication."

With more companies opting for cloud services rather than on-premise technology, and employees bringing in their own mobile devices and their own preferences for applications, the case for SSO services will only get stronger. Solving the password problem will become even harder, says Patrick Harding, chief technology officer of Ping Identity.

"The biggest problems looking forward relate to how to allow SSO to scale to a point where billions of users, devices, and applications can seamlessly work together so that passwords go the way of cassette tapes, typewriters, and calculator watches," he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6117
Published: 2014-07-11
Dahua DVR 2.608.0000.0 and 2.608.GV00.0 allows remote attackers to bypass authentication and obtain sensitive information including user credentials, change user passwords, clear log files, and perform other actions via a request to TCP port 37777.

CVE-2014-0174
Published: 2014-07-11
Cumin (aka MRG Management Console), as used in Red Hat Enterprise MRG 2.5, does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

CVE-2014-3485
Published: 2014-07-11
The REST API in the ovirt-engine in oVirt, as used in Red Hat Enterprise Virtualization (rhevm) 3.4, allows remote authenticated users to read arbitrary files and have other unspecified impact via unknown vectors, related to an XML External Entity (XXE) issue.

CVE-2014-3499
Published: 2014-07-11
Docker 1.0.0 uses world-readable and world-writable permissions on the management socket, which allows local users to gain privileges via unspecified vectors.

CVE-2014-3503
Published: 2014-07-11
Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attackers to guess the password via a brute force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.