Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Single Sign-On Increasingly Connected In The Cloud

Behind the scenes, identity and access solution providers continue a broad effort to integrate to cloud services -- the biggest hurdle to SSO adoption

The difficulty in integrating single sign-on (SSO) with service providers almost spelled the end to the ambitions of e-learning firm Edulabs Global Learning Solutions.

A provider of all-in-one tablets for education, the Bangkok, Thailand-based company packages a growing suite of educational cloud services for students in developing countries in Asia, starting with Thailand, where the government is rolling out a commitment of one tablet per child. The company aims to provide students with a sub-$60 per-year tablet that includes more than three dozen educational services.

Yet, in December, problems in integrating its SSO system with one virtual-school provider nearly put a heavily scrutinized pilot on hold. Getting the two systems working together required a great deal of integration work by Edulabs' cloud-identity provider, Symplified, says Craig Hovendove, chief visionary officer for Edulabs.

"That was a critical piece," Hovendove says. "It wasn't really anyone's problem, but I can't tell you the stress it put everyone under."

While the decade-old Security Assertion Markup Language (SAML) used for online authentication has become a mature standard, connecting applications to online Web or cloud services continues to remain a headache, say vendors and customers. Cloud identity and access solution (IdAS) providers -- such as Okta, Ping Identity, and Symplified -- have created hundreds of connectors, also known as adapters, to bridge the gap, but new services require new code, and that has slowed adoption.

However, the market for better SSO services is expanding because the vendors have laid much of the technological tracks in the form of integrations between cloud services and SSO technology. Last week, for example, cloud security service Zscaler announced it had partnered with Okta, OneLogin, Ping Identity, and RSA to integrate their identity and access solutions into its product.

"Vendors who want to integrate with each other are taking the initiative and forming partnerships that ultimately take the hard work out of establishing single sign-on interactions," Patrick Foxhoven, chief technology officer of emerging technologies for Zscaler, said in an e-mail interview. "Enterprises no longer have to (blindly) implement, and then test and validate, integrations between two different third parties."

[Anyone with access to your cloud providers' servers has access to your data. Don't think burglars or Ethan Hunt of 'Mission Impossible': Think insiders and search warrants. See The Physical Security Factor With Cloud Providers.]

The trend will continue, according to business-intelligence firm Gartner. By 2016, one in four purchases of identity and access management software will be an IdAS rather than on-premise technology, up from about 5 percent today.

Of course, many times it's the small and midsize businesses that are investigating cloud solutions. Smaller companies with a growing investment in software-as-a-service (SaaS) and that are having a hard time finding people to manage an identity and access solution internally will typically choose an IdAS. Companies that have an IAM solution on their premises already will have a lot more legacy equipment and will likely look to extend their current in-house solution, says Gregg Kreizman, research vice president for Gartner.

"It is not a one-size-fits-all thing," says Kreizman.

Other complexities exist, as well. Companies have to worry about making sure that the use of a single authentication portal does not hide an employee's activities from the auditor, says Darren Platt, chief technology officer of Symplified. And companies need to be aware that an attacker that has access to an employee's password has access to every service, and plan for better authentication measures.

"When you do single sign-on, you have aggregated your risk behind that one password," Platt says. "You need to make sure that you make it a harder and stronger form of authentication."

With more companies opting for cloud services rather than on-premise technology, and employees bringing in their own mobile devices and their own preferences for applications, the case for SSO services will only get stronger. Solving the password problem will become even harder, says Patrick Harding, chief technology officer of Ping Identity.

"The biggest problems looking forward relate to how to allow SSO to scale to a point where billions of users, devices, and applications can seamlessly work together so that passwords go the way of cassette tapes, typewriters, and calculator watches," he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-22
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
PUBLISHED: 2021-06-22
In permission declarations of DeviceAdminReceiver.java, there is a possible lack of broadcast protection due to an insecure default value. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: Android...
PUBLISHED: 2021-06-22
In wpas_ctrl_msg_queue_timeout of ctrl_iface_unix.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID...
PUBLISHED: 2021-06-22
In isBackupServiceActive of BackupManagerService.java, there is a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-158482162
PUBLISHED: 2021-06-22
In RenderStruct of protostream_objectsource.cc, there is a possible crash due to a missing null check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-1791617...