Note: An updated article on SSO, password managers, and MFA is available:
Single Sign On (SSO) for Nonprofits.
Topic: Single Sign On (SSO) Security
What is Single Sign On (SSO)? Is it convenient? How does it work?
Do I need it at my nonprofit?
Will SSO help enhance the security of nonprofit IT at my organization?
Do I need an SSO or MFA solution to comply with Cybersecurity Insurance requirements?
What SSO products are available? How much do they cost?
Single Sign On (SSO) is a convenient technology that has been growing in popularity, but it is more than just trendy – when implemented correctly it can make your nonprofit’s cloud-based applications easier to use and enhance your security. Similar to the password managers many of us already use, an SSO product forms a protective layer between the user and the cloud applications that user has access to, and acts as a master password.
From the staff member’s standpoint, SSO is convenient – only one password to remember and you are connected to all your organization’s cloud services: remote email and file sharing, databases, etc. The single password can be made to require 2-step authentication, making it reasonably secure. And if the single sign-on is compromised – no writing it on a sticky note on your laptop! – the IT administrator can disassociate it from all cloud credentials at a single stroke.
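As an added example (not code from Community IT or from any SSO vendor), here is a toy Python model of the arrangement the two paragraphs above describe: one identity provider holds the only credential, enforces one policy, and hands each cloud application a short-lived signed assertion instead of a password, so disabling the user in one place revokes access everywhere. It goes a little beyond those paragraphs to model the location-conditional MFA policy, the de-provisioning and the centralized audit log that the webinar discusses later. The user "jane", the apps, the IP addresses and the MFA code are constructed, and the HMAC tag stands in for a real SAML or OIDC signature.

```python
"""Toy single sign-on model (added example): one identity provider, many apps, one policy."""
import base64
import hashlib
import hmac
import ipaddress
import json
import secrets
import time

# Constructed values: RFC 5737 documentation addresses stand in for the office network.
OFFICE_NETWORK = ipaddress.ip_network("203.0.113.0/24")
ASSERTION_TTL = 300  # seconds an assertion stays valid


def _mac(key, payload):  # HMAC-SHA256 tag; a stand-in for a real SAML/OIDC signature
    return base64.urlsafe_b64encode(hmac.new(key, payload, hashlib.sha256).digest()).decode()


class IdentityProvider:
    """Single authentication source: passwords, MFA policy, app assignments, audit log."""
    def __init__(self):
        self.key = secrets.token_bytes(32)  # assertion signing key, shared with the apps
        self.users, self.audit = {}, []  # audit = centralized reporting (user, app, ip, outcome)

    @staticmethod
    def _pw_hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def provision(self, username, password, apps, mfa_code):
        """Create the account once; `apps` is everything the user is entitled to."""
        salt = secrets.token_bytes(16)
        self.users[username] = {"salt": salt, "hash": self._pw_hash(password, salt),
                                "active": True, "apps": set(apps),
                                "mfa_code": mfa_code}  # stands in for a TOTP/push factor

    def deprovision(self, username):
        """One action at the IdP cuts the user off from every integrated app."""
        self.users[username]["active"] = False

    def authenticate(self, username, password, source_ip, app, mfa_code=None):
        """Return a signed assertion for `app`, or None when policy denies."""
        user = self.users.get(username)
        in_office = ipaddress.ip_address(source_ip) in OFFICE_NETWORK
        mfa_ok = (user is not None and mfa_code is not None
                  and hmac.compare_digest(mfa_code, user["mfa_code"]))
        allowed = (user is not None and user["active"]
                   and hmac.compare_digest(user["hash"], self._pw_hash(password, user["salt"]))
                   and app in user["apps"]
                   and (in_office or mfa_ok))  # policy: MFA challenge only off-network
        assertion = None
        if allowed:
            payload = json.dumps({"sub": username, "aud": app,
                                  "exp": int(time.time()) + ASSERTION_TTL}).encode()
            assertion = base64.urlsafe_b64encode(payload).decode() + "." + _mac(self.key, payload)
        self.audit.append((username, app, source_ip, "granted" if allowed else "denied"))
        return assertion


class ServiceProvider:
    """A cloud app that stores no passwords: it only trusts assertions from the IdP."""
    def __init__(self, name, idp_key):
        self.name, self.idp_key = name, idp_key

    def verify(self, assertion):
        """Return the username if signature, audience and expiry all check out."""
        try:
            body, sig = assertion.split(".")
            payload = base64.urlsafe_b64decode(body)
        except (AttributeError, ValueError):
            return None
        if not hmac.compare_digest(sig, _mac(self.idp_key, payload)):
            return None
        claims = json.loads(payload)
        if claims["aud"] != self.name or claims["exp"] < time.time():
            return None
        return claims["sub"]


def demo():
    """Walk one constructed user through the scenarios the text describes."""
    idp = IdentityProvider()
    gmail, zendesk = ServiceProvider("gmail", idp.key), ServiceProvider("zendesk", idp.key)
    pw, office, home = "correct horse battery staple", "203.0.113.25", "198.51.100.7"
    idp.provision("jane", pw, {"gmail", "zendesk"}, "492817")
    r = {}
    r["office_no_mfa"] = gmail.verify(idp.authenticate("jane", pw, office, "gmail"))
    r["home_no_mfa"] = idp.authenticate("jane", pw, home, "gmail")  # policy demands MFA
    r["home_with_mfa"] = gmail.verify(idp.authenticate("jane", pw, home, "gmail", "492817"))
    r["unassigned_app"] = idp.authenticate("jane", pw, office, "salesforce")
    token = idp.authenticate("jane", pw, office, "gmail")
    r["replayed_elsewhere"] = zendesk.verify(token)  # gmail assertion presented to zendesk
    r["tampered"] = gmail.verify(token[:-1] + ("A" if token[-1] != "A" else "B"))
    idp.deprovision("jane")  # the "single stroke"
    r["after_deprovision"] = [idp.authenticate("jane", pw, office, a) for a in ("gmail", "zendesk")]
    r["audit"] = idp.audit
    return r
```

Calling `demo()` returns the outcome of each scenario. The points to notice are that the applications never see the password, that an assertion minted for one app is rejected by another because its audience claim does not match, and that after `deprovision()` every app is cut off at once while the audit list still shows who asked for what from where.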
To learn more about the ways these tools can improve the security of your organization’s cloud, join Matt Eshleman for a half-hour video as he shares our experiences with SSO. He discusses where it can be a successful part of your security strategy, the pros and cons, the available SSO products, tips on training staff on SSO, and the costs.
This webinar is appropriate for nonprofit executives, managers and nonprofit IT personnel – and as with all our webinars, we will discuss technology in a manner that is accessible to a varied audience.
As the Chief Technology Officer at Community IT and our resident cybersecurity expert, Matthew Eshleman is responsible for shaping Community IT’s strategy around the technology platforms used by organizations to be secure and productive. With a deep background in network infrastructure, he fundamentally understands how technology works and interoperates both in the office and in the cloud.
Matt holds dual degrees in Computer Science and Computer Information Systems from Eastern Mennonite University, and an MBA from the Carey School of Business at Johns Hopkins University.
Matt is a frequent speaker at NTEN events and has presented at the Inside NGO conference, Non-Profit Risk Management Summit and Credit Builders Alliance Symposium. He is also the session designer and trainer for TechSoup’s Digital Security course.
Johan: Welcome to the April Community IT innovators webinar. Thank you for joining us today for a deeper dive into single sign-on, which in our opinion is rapidly becoming a security requirement.
Today’s webinar is really a follow-up to the March webinar that we did on security readiness. And if you happen to miss that webinar, you can find a link to the recording and slides on our website, www.communityit.com. I encourage you to go back and check that webinar out as well.
My name is Johan Hammerstrom. I’m the president and CEO of Community IT and the moderator for our webinar series. Before we begin, I’d like to just quickly tell you a little bit more about our company in case you’re not familiar with us. Community IT is a 100% employee-owned company and our team of almost 40 staff is dedicated to helping nonprofit organizations advance their missions through the effective use of technology. We’re technology experts. And in fact, we were recently named the top Washington DC-based managed services provider or MSP by MSP Mentor. We will be posting the slides and recording of today’s webinar on our website, YouTube channel and SlideShare account later today or tomorrow and we’ll send the link out to you as well. And now I’m going to turn it over to our presenter, Matthew Eshleman, to introduce himself. Hey Matt. Good afternoon.
Matthew: Good afternoon. Thanks Johan. Happy to be here to present this webinar as a follow-on to last month’s webinar on security. So as Johan mentioned, my name is Matthew Eshleman. I’m the chief technology officer at Community IT, joined the company all the way back in 2000 and have stuck around ever since. So I’m really happy to be here and to share this content with you. I do invite questions and thanks to everyone who submitted questions in advance of the webinar. Please chat them in, Johan will be monitoring the back channel. And we’ll attempt to answer those questions as we go along. And then we’ll also have some time at the end to do some catch-up.
As Johan mentioned this is a follow on from last month’s webinar, which was focused broadly on security. This is a more deep dive on one of the aspects that we talked about last month. To state the obvious, we are really in a mobile first and cloud first world. These are some statistics from a Microsoft slide deck taken from some of the reports the IDC reported from back in 2015, but it mirrors our experience, as well.
About 75% of network intrusions exploit weak or stolen credentials. And as we talked about during last month’s webinar, we’re certainly seeing a dramatic increase in the effectiveness of brute force attacks, both against on premises server infrastructure, but then also infrastructure that’s hosted in the cloud.
They call this viral unsanctioned IT, maybe that’s a bit strong, but I think in organizations it is no surprise that, perhaps more than 80% of employees use non-approved software service applications in their job. So staff just want the right tools to do their work. And, those might not be the official tools that the rest of the organization uses.
This statistic, only 15% of large organizations have adequate mobile security governance for process and policies. Again, rings true for nonprofits, which have really done a great job of adopting new technology and cloud-based technologies first and foremost. But the governance and management and control has not been there to support the use and adoption.
We’re starting with this landscape where data is off the local network and it’s out in the cloud. Managing that data, controlling it, understanding it is really a challenge that many, many organizations face.
Best Practices for Identity Access Management
We’re going to talk a little bit about best practices for identity management. This is actually a slide from the last webinar for security. We’re really talking now very specifically around identity and access management. Your users are the end users in your organization, are that security perimeter. And so user account control of what they have access to is very key.
Everything does start with a good password policy. You’ll see that in the news over and over again, for whatever security breach or threat that comes out.
Often the recommendations are the same:
- Have a good password.
- Don’t reuse it,
- Turn on two factor (a.k.a. multi-factor authentication/MFA)
And if you’re following those basic steps, you’re going to have a much better security profile than organizations that are not doing it.
For us at Community IT, our standard password policy recommendation is to
- have at least eight characters,
- change that password every 90 days,
- turn on account lockout. For organizations that have that client server model, that’s one of the settings we use to minimize or even identify those accounts that are being targeted for brute force attacks,
- and then implement two factor authentication for the cloud.
The last item is really a bullet point that has moved from, “Hey, wouldn’t it be great if you could,” to — this is really the best practice recommendation that all organizations should be moving towards. The tools are out there to do it. And we’ll talk a little bit more specifically about those solutions as part of this presentation. Two factor for the cloud is very easy to do. It’s not expensive, it’s not very complicated. And so there’s a lot of good reasons to do it and not very many reasons to not implement two factor.
Then in addition to having a good password policy, recommendation is to do single sign-on for cloud applications. And again, that’s what this webinar is primarily going to be about.
And I’ll talk a little bit about the difference between single sign-on versus a password manager.
Now we have other good practices around the overall account management at your organization.
- Renaming admin accounts,
- having very complex service account passwords,
- making sure that we have a good accounting of all of the accounts that are active. Single sign-on can really help with that as well.
And then for those remote access, ways that you’re getting into systems from outside of the office, making sure that those systems have good security controls in place.
For terminal servers, that means
- enabling network level authentication,
- putting things behind a firewall
- using DirectAccess,
- moving applications out to the cloud where it’s a lot easier to implement a more robust security profile.
And then finally work with security awareness training for staff. There’s a lot of great technology tools that are out there, but at the end of the day, if somebody is clicking on a link or if they’re using bad practices around sharing their account password, those technical controls are relatively easily subverted.
Providing security awareness training for staff is a great way to reinforce and buttress your security practices. And so that’s something that we’ve been working on as well. And I’ve been testing some additional security awareness training internally. It’s something that we need to do as a managed services provider and security experts as well.
I did want to talk a little bit about some of the landscape that’s out there and the different technology solutions.
Whenever we’re talking about identity access management, there’s two avenues that folks are familiar with. The one that we’re going to talk about today is called Single Sign-on (SSO), and I’ll compare that with a password manager.
So many folks may be familiar with using password managers, such as Dashlane or KeePass or 1Password. There’s a lot of different ones out there where it’s a web hosted web service or an application that you have running on your computer. That application stores passwords for the various websites that you log into. And then when you go to that website, it will copy and paste the credentials into the login information, and then you’re able to authenticate in.
So that’s a little bit different than single sign-on in that with single sign-on, you’re not actually creating or storing passwords at that application, you’re actually using a single sign-on service to authenticate to a third-party application with a single set of credentials. So it’s different in that you don’t actually have a standalone account and password at all these different services. You’re simply using a single authentication source to manage access to different applications.
So let’s say primarily single sign-on is really
- designed for the enterprise first.
- It’s a single authentication source.
So as I mentioned, single sign-on means, with that single username and credentials, you’re able to access multiple third-party applications. And we’ll look at some of those details as we go through the presentation. It also supports some other really nice features. And this is really handy, particularly if you are a large organization, maybe over 50 staff, or if you have a lot of turnover, single sign-on services allow you to do automated provisioning.
So you can create a user account one time and then through some automated provision rules, you can then assign applications to that user. So you don’t have to create their account in your active directory, and then create an Office 365 and then create it in Salesforce and Slack and Box and in your HR system. You can create the account once and then automatically provision it. So it can really streamline your account creation and provisioning.
And then also on the flip side, whenever a user leaves, you can de-provision their account. And access is then removed from all of those other services. One of the challenges with SaaS and cloud-based applications is that it’s really easy to get a license to assign it, but now we have a case where we actually have 85 licenses provisioned in a certain application, and we only have 35 staff because we haven’t gone through a process to reclaim that. So single sign-on solutions are really designed to facilitate that easy account provisioning and then also account de-provisioning.
And then one of the tremendous benefits as it relates to security is that you have centralized reporting. So you can have your organizational view of who’s accessing what applications. How are they getting there? From what locations are those staff accessing applications? And so it gives you a much richer view of how and what applications staff are using.
I think we’ll look at the comparison with the password managers. Those tend to be more user centric. And so, they’re great for individuals. But from the enterprise, the organization perspective, the centralized reporting is really a tremendous benefit from a single sign-on solution.
There’s also the benefit of policy management. Policy management can cover password complexity requirements. So again, the benefit for single sign-on is that you can have a single username and password that will get you into 10, 15, 20, 30, 50, however many cloud-based applications you have.
Then you can set a single password policy that says, “We want passwords to be 12 characters long and complex, we’re going to turn on two factor authentication and we’re not going to require that challenge if people are in the office, but if they’re out of the office, we’re going to require them to have a two factor challenge.” You can do all of this policy management again from a single location, and then that policy is applied to that user as they go around and you don’t have to have different policies for different web based applications.
I think that one of the challenges is that each web service or cloud service has slightly different requirements. So, in Office 365, well, maybe you can only have 16 characters, but in some other applications, you need to have 18 characters and some support certain special characters and others don’t.
So being able to really streamline and simplify it so that users don’t have to be bombarded with managing accounts at 10 different software as a service applications. They have their network user and password and that gets them into everything that they need to as a user.
One of the questions came in is, “What happens if a single service sign-on vendor goes down?”
The single sign-on services are reliant on the vendor to provide that authentication source because that’s what this vendor’s job and sole purpose is. They obviously invest a tremendous amount of resources into their uptime and availability. So, those systems are highly resilient and distributed and are designed for 100% uptime. Obviously, as with anything, there are going to be problems and blips are going to occur. But in our experience and observation, and looking at the marketplace, there aren’t single sign-on vendors that have been out for days at a time.
Johan: Hey, Matt, I’m sorry to interrupt. That was a great question. I thought now might be a good time to tackle it. This goes back to the previous slide as well. The issue is that many of the apps, especially Google apps, allow login info to be saved on the browser.
Oftentimes that’s checked by default or I think sometimes people don’t even think about it and they just go ahead and check it. I’ve seen this a lot with conference room PCs, where you open up the browser and you notice that Google apps is already logged in by the previous person who used that public PC.
My initial thought is that the best solution is probably training. But I was wondering if single sign-on provides any sort of protection against that sort of issue or if there’s other ways of dealing with it aside from good user training?
Matthew: This is one of the areas where the convenience and the helpfulness of various websites to try to save information, to make it easy to sign in the next time, comes into conflict with the need to have good security, especially in a shared computing environment.
Single sign-on doesn’t completely eliminate that case where somebody is saving or caching credentials, but I would say it does reduce it quite a bit because in most cases, with single sign-on vendors, you aren’t even actually presented with a username and password authentication challenge. You would log in through the single sign-on vendor portal, and then you access the other key applications through there.
And then there are different security policies that can be put into place that can help with those authentication challenges where it requires a new login, or you can set policies on certain computers or machines to always re-challenge for authentication.
So yeah, user training is good. Maybe even some policies to block remembering the password on the computer side. The single sign-on vendors are able to provide a bit more configuration in terms of how often you’re forcing re-logins or if you need to have special policies for different computers.
Johan: Great. Thank you, Matt. That’s really helpful.
Matthew: I appreciate the questions and please keep chatting them in and we’ll answer them as we can.
I mentioned the password manager. That is very much a user centric view. Everybody has their own. You can buy bulk accounts and there’s some central administration. But in general, it’s fundamentally a user centric approach in terms of managing the passwords. And again, the primary method for this is to store passwords. And so those are kept in an encrypted form and then decrypted and copied and pasted into the application website. And then you go on from there.
So it’s not single sign-on. You may have a single password to get into your password vault, but then you’re still copying and pasting passwords. And whenever you need to change a password, these password managers can facilitate that in terms of generating a new password. But again, that’s something that you, as the end user, need to keep track of.
If you have 30, 40, 50 different websites you’re logging into, each one of those has its own unique set of password requirements and aging. And so, the password managers are good at helping you make that transition, but the fact still remains that you’re making those password changes at all those different applications, all those different websites, on whatever schedule they happen to define.
And again, the password manager relies on the application vendor, so the password manager is just storing the passwords. It’s just a vault, you’re copying and pasting. The authentication is still handled by the website itself and not through a third party application.
Identity and Access Management
Password manager, we have that distinction now, is a user centric approach of saying, “I’m this user, but I’m going to have all these different passwords,” versus identity and access management with single sign-on where you’ve got one common identity.
Then you have access to all these different applications. It’s a common identity. From the IT perspective it is just tremendously beneficial to have simplified management. As the manager of an organization, you have a lot more oversight control reporting and insight into the applications that you’re providing to the staff and how they can access those applications.
Overall it’s a much improved security approach to have that access, the centralized view for single sign-on and the ability to add on additional policies that can help improve security.
You can have a consistent policy for two factor authentication, consistent policy for passwords, and so on.
These are some examples. Microsoft has incorporated single sign-on as part of their Azure Active Directory. If you have an Office 365 account, congratulations, you have an Azure Active Directory account and you can use that as the foundation to build access into other applications. It provides that unified experience.
Through this single sign-on enterprise application management, you can handle provisioning, you can handle collaboration with other applications all from a centralized portal. So you don’t have to set up your users in your on-premises network, then set them up uniquely in all of your different cloud applications.
You can centrally manage and provision app users and then assign applications to them. The other really nice thing about the single sign-on is that on the backend, there’s the ability to implement some self-service for password resets to manage their dashboard for what applications they want to access or how they want to access them.
I think that’s a big bonus. I know on our service desk, password management, password resets, was one of the top categories of support requests that we get. So if we can empower staff and give them tools so they’re able to reset their own password, that reduces the number of calls to your help desk and gives people access back into the applications that they need to do their work a lot quicker.
So this is a representation graphically of how a single sign-on application process works. This is the Microsoft view of things. And essentially this is a model that’s very consistent across vendors. In the cloud here, we’ve got our Azure Active Directory identity protection and the cloud app security. So here is where your identity is stored and managed.
From that, Microsoft and their single sign-on vendors are able to do some more sophisticated, advanced threat analytics. So they are able to, through the power of big data, with a high degree of sophistication, analyze, manage, track and report on what attacks may be happening, which accounts might be compromised, which accounts are generating login requests from unusual locations.
All of that is facilitated by this connection in the cloud. Your identity is managed here in the cloud. And then through the app security, you’re able to then provide access to all these different cloud applications. That is facilitated through some common security exchange protocols. So, you can have access to Salesforce, to G Suite, to Box, to ServiceNow, all of these things are able to be integrated in the security credentials passed from your Azure Active Directory into these other cloud services.
Fundamentally you and your users are authenticating against a single directory. Then from that directory, you’re being granted access to these other applications. So authentication requests essentially all get funneled through here where, through the power of the cloud, they’re able to be analyzed and managed and reported on and then provided access to the different cloud-based services that are integrated into the directory here, as well.
Microsoft Enterprise Mobility Solutions
I mentioned that Microsoft has included this little feature as part of the Azure Active Directory. So again, if you have Office 365, you have an Azure Active Directory account. Then that can be used to extend the integration into other platforms. If you are thinking about doing this, as with a lot of things with Microsoft, to get the full features, you have to buy up the versions.
So Microsoft has included a higher level of Azure Active Directory in their enterprise mobility suite. And we’ll look at the pricing and some features of that in another slide or two. So in addition to just having the single sign-on integration, it also gives you the ability to do password write back.
Password write back means you can change your password from the cloud which is a pretty big deal, especially if you have a lot of remote users.
For us as at Community IT it’s a nice benefit because we have staff that are in the office, but primarily they’re working remotely or they travel quite a bit. And so, nobody’s really in the office with their computer joined to the domain. They’re off working remotely and working from home or in the office and out of the office.
So with the use of Azure Active Directory as part of the enterprise mobility suite, we can reset passwords when we’re outside of the office, we can write those passwords right back to our active directory. If you have an Azure Active Directory joined computer, then the password is updated there as well. So it’s a pretty sophisticated process that Microsoft has built in. And so that’s one element of the enterprise mobility suite.
And then they throw in some other stuff as well. They have their advanced analytics which is more on the reporting and security analysis side of things.
They have Intune, which is probably worth another webinar at some point down the road, which is focused primarily on mobile device management. Typically, we get clients who say, “We’re interested in mobile device management. We want to enforce a PIN code and remotely wipe a device.” If those are your two primary requirements, you can do that already, if you have Office 365. That’s an out of the box thing that doesn’t require any additional work.
But if you want to push applications to staff, if you want to control what folks can do with their devices, if you want to enforce encryption and do some other things then Intune is the Microsoft way of doing device management.
If all you want to do is make sure they have a PIN code, make sure you can wipe their device if it gets lost, you don’t need Intune for that.
And then there’s also some Azure Rights Management, which is some other encryption, and we don’t see a ton of that, but all this is to say is that Azure Active Directory has the ability to do password write back as part of the enterprise mobility suite.
I know it’s a lot of acronyms and we’ll try to simplify it here in a little bit.
SSO Options for Nonprofits
For single sign-on options for nonprofits, first I’d say, this is not an exhaustive list. There’s a lot of other single sign-on vendors out there. For us, either the Office 365 option or Okta has been the best fit for the organizations that we work with. There’s OneLogin, there’s a bunch of other ones out there. We’re the most familiar with these two.
- Office 365, I think if you’re going to look at it and do it the best way, you should look at the EM+S SKU.
That’s something you buy from Office 365. There’s nonprofit pricing available at $1.65 per user (2017). So it’s very affordable. And that’s integrated with Office 365. You just assign users a license and boom, all this stuff turns on. And there’s just thousands of native integrations. We just recently added a new HR system and that integration is already there in Office 365. It’s a very robust platform.
If you’re a 501(c)(3) nonprofit, you’re already getting that with a discount. I think it’s a good option to consider. I think it’s not as user-friendly, it’s not as pretty; some of the integrations aren’t as nice as Okta, but I think it’s a very good option and the price is right.
- The other option that we’ve worked with quite a bit is called Okta.
I think Okta is actually an acronym. It’s a degree of the measurement of cloud cover. So as I look outside the window, it’s about seven Oktas on a scale from one to eight. So Okta is a degree of cloud cover and it’s also a witty name for a single sign-on vendor.
Okta was founded by some Salesforce folks. And they’ve taken that Salesforce non-profit model and they have an Okta program called Okta For Good. The link is there and maybe we can chat that out and tweet it out as well. That provides 25 free licenses to nonprofits and that covers their whole suite of products. Single sign-on is the building block around a lot of this stuff. And then on top of it, there’s other things you can do such as mobile app security, multi-factor authentication. All these other things sit on top of the single sign-on.
So with Okta, you get 25 free licenses and it’s a great platform. I think it’s very easy to use. It looks nice. It supports pretty well and it’s a very powerful tool. So, I think that’s the benefit. The setup and integration is pretty easy. And it’s a very robust product, very good uptime, one of the industry leaders in the space.
If you are not a 501(c)(3) nonprofit, if you’re a 501(c)(4), you’re a socially responsible business, or some other things, and all you really want to do is make sure that you can have the same password and single sign-on with your local network and Office 365, then they have a one integration free license. If you want to integrate a single other software as a service application, you can do that for free. They just have email support available, so you can buy up on all these things, but that’s another option to look at.
Then, if you’re paying full price, these solutions are all about two to eight dollars per month, per user, depending on how many extra gizmos and whizzbang features you sign up for.
Johan: Matt, another question that came in, it’s related to this:
If someone’s not on Office 365 and let’s say they’re using Google or they still have their email in-house or they’re using another third party email provider, would you recommend Okta as definitely the right solution? Are there other solutions out there for anyone on Google apps to consider?
Matthew: I’m not as familiar with Google Apps or G Suite, but I think that you can use the Google Apps OpenID as a single sign-on solution. But if you’re not in that Microsoft world primarily, then Okta would probably be the place that I would start. They support G Suite and then all the other stuff.
If you’re already in Microsoft, it’s worth exploring that first. I would say Office 365’s a little bit more complicated. It’s not quite as pretty.
And so if you want something really easy and it looks good, then Okta is a great choice, especially if you’re in that 20 seat range where you get it for free. So, the price is right.
Matthew: Cool. So again, as I mentioned, this is what Okta looks like. For organizations it’s typically set up as yourorganization.okta.com, and then you would have a username and password that you would log into from there. From the IT administrator’s perspective, what you can do is provision applications to staff and then present that and assign that to them. So here you can see this account has a work account, and these are applications that are automatically provisioned and assigned to this user. So our user Jane logs in, and then she has access to Gmail, to GoToMeeting, to Zendesk, to Tableau, and if she clicks on this button it’s going to just pop open those applications in another browser tab, and then we’ll automatically log her in.
So there is no copy/paste passwords or storing anything. Those applications are automatically authenticated through the security assertion from Okta. So that’s the whizzbang magic that these applications have.
As a user, you can go in and actually add other tabs that can be personal. So maybe there are work applications that are essentially managed and provided to you, but then you’ve got some other applications that you use for work. And maybe for convenience sake, you want to have them here instead of having a separate password manager.
Then staff can create separate tabs and add their own applications here from a list of the applications that Okta has and it numbers in the 1000s. Basically, any web based service that you log into, there’s likely an integration or pre-built integration that’s already available from one of the big single sign-on providers.
As an admin, then you can go and manage users, groups, permissions, centralized policies, all those group assignments, all of that through the administration portal here.
The comparable view, this is the Office 365 view; this is the My Apps page. It looks similar in that from the single portal, you have access to all these different applications. This is very web centric primarily. You would log in and then from here, you can click and then would automatically be taken to and authenticated through to whatever application that you provide. So this is just a little bit of the visual representation of the different groups that are there.
These are what they call tiles and you just click on them. They’ll then take you through and authenticate. So again, this is primarily web-based. If you are using desktop applications, there are a couple of different ways to do that. So both Microsoft and Okta have what they call desktop single sign-on where you can pass along your credentials from the desktop all the way through to web based applications and desktop applications as well. So if you’re using Outlook, you don’t have to log into Outlook again; it just passes along your credentials and you can open up Outlook on your desktop. That’s an additional feature that you have to buy and sign up and configure. But for web based applications, all that stuff works just out of the box.
There are a number of questions around end-user adoption. I’ll talk a little bit about what we found, some lessons learned and some things to be mindful of if you’re thinking about embarking on this implementation for your own organization.
It all starts with planning. The first step is to identify the current applications that are in use or that you want to use.
So I’ve got a couple of different options here. For us and the organizations that we support, we’ve got a couple of different ways to figure out what based applications folks are looking at; one is using OpenDNS. So that’s a tool that we use to provide web based security and also provide some insight into what websites folks are going to.
So through OpenDNS, or Microsoft has a tool called Cloud App Discovery, or even looking at the firewall, a lot of the firewalls now will provide some application reporting. You can get a little bit of a survey, so I think we all know the top couple of applications that folks are using.
Then using these other tools to verify and monitor what else is going on can be a good way to understand like, “Well, we decided that we’re moving all of our files into Box. Oh, when I go do this app discovery, I find a third of the requests are going to Dropbox.” This is a good way to understand what applications are actually being used on your network.
Identify which applications you want to integrate and want to bring under this umbrella. I think the thing that takes a little bit of time and understanding is to review your current applications and the level of support that you have.
You may need to Level Up
This may be one of the gotchas with single sign-on. While most applications include it as part of the service, for some other organizations or other vendors, you have to be at a certain tier. Box, Slack and Salesforce are all in that case. So if you have just the basic subscription version of those applications, they don’t include single sign-on. You have to go up to the enterprise or business level service, which can cost more money. So that’s just a good thing to dive into, especially if you’re planning a big security initiative and you’re excited by the price of Okta for your 20 users, but then you may have to upgrade Box and Slack and Salesforce and all these other things to a higher tier in order to get everything to work. So that’s just a detail to be aware of as you’re embarking on your discovery.
And then, determine your level of application integration. So for most of these, the big name web applications, the single sign-on support is pretty robust and works well out of the box without a whole lot of tweaks. But we have found that there are certain applications that require a fair amount of back and forth or custom configuration with the vendor. It can be a real challenge to try to integrate those into your single sign-on environment because it’s a custom programming application for your custom CRM, or your HR system doesn’t have the integration built in. And so you have to make a special configuration just for you.
That can add a lot of time and overhead into the integration. If you have solutions that don’t have these app integrations pre-built already, determine that level of integration.
And the other thing I’ll mention is certain applications will provide a great native single sign-on integration where you go to the website, click single sign-on and you’re in. There are other applications where they provide both options. You could log in locally using their authentication system or you could log in using single sign-on. And then there’s some applications that don’t support that native single source, single sign-on authentication and instead use that copy and paste method.
Okta and Office 365 support that as well, where they can do a password capture. And then you can log in with that method. I would say that’s a less than ideal option, but just understand how your application is going to interact and what features are you going to implement.
This has been primarily focused on single sign-on, but that’s just one element or one service. It often does get wrapped up into some of these other acronyms, which is MFA or multifactor authentication. That’s also a must have, and it makes it easy. With Office, you’ve got Microsoft authenticator which is a two factor authentication source.
Google has Google authenticator. Okta can use Google authenticator, or can use some other third party multi-factor authentication tools and then they also have their own app. This is great, a nice free app for your mobile device where it can just send you a push notification whenever you log in, your phone buzzes. You can click approve and then you log in.
Mentioning provisioning, do you want to have desktop single sign-on with the different features? They may not all be included in the out of the box configuration.
And then the other thing is this is very web centric and geared towards the web.
How is this going to interact with our existing intranet? Are we going to write some little wrapper so we can embed this into our existing web page? Is it okay that we have people go to one place to log in to applications and another place to get the company calendar? These are some edge things to think about.
This is really a shift. We’re driving people to a portal for access to applications, how do we want to talk about that to our staff?
I would say some nice benefits of shifting now to implementation is the vendors have really great resources in terms of templates and checklists and collateral to talk to staff about. Email templates, planning calendars, charts to put up around the office. There’s a lot of great resources that are available, so you don’t have to reinvent the wheel.
Obviously we’ll need to tweak it for your organization’s unique requirements or expectations. What we typically do is have some pre-project notification, talk to staff about why we are doing single sign-on.
The primary goals may be for end users to understand or improve security. With all the stuff that’s been in the news about security recently, it feels very real and very relevant that improving security is an organization imperative.
This is a great way to do it. Framing those conversations as here’s why we’re going to do it. Here’s when we’re going to do it.
We’ve done some email blasts providing some more information, a lot of the vendors have short training videos that folks can watch, a minute, two minutes long. Here’s what it is. Here’s what you’re going to see, click on this. Give folks an expectation of what they’re about to see and then define days for application cut-over.
We’ve found the best approach is to take a phased approach. Take the easiest application first. So as you go through your discovery process, have a laundry list of applications.
The applications that affect everybody are obviously the ones that are candidates to be migrated first. Do the easiest ones first. Get some quick wins and then you’ll have the experience and understanding of how everything hangs together. You may have to deal with some applications that require some interaction with vendor support or custom programming or some other things, but you can build off those earlier successes.
I will say that for switching to single sign-on that testing is typically hard to do, particularly on a small scale, because you are effectively changing how you authenticate to an application. I think the best way is to change it so that you’re changing the authentication source.
You’re either logging into the organizations with the SaaS vendor page or you’re logging into Okta. So you’ve got to make sure everything is set up in Okta and people are enrolled there and that’s all working. And then you can do cutovers one at a time.
It is difficult to test the transition, so you can turn it on, test it, but then you have to turn things off or revert it. So there aren’t great ways to run systems in parallel unless you have sandbox environments and some other stuff. That tends to be a little bit too much to set up for most organizations. So you’d have to do the cutovers and you’re invested at that point.
And the other thing is planning on making tweaks. I think the lessons we’ve learned is that doing a lot of planning and discovery and talking about policy and procedure and how we want things to go. You set all this up and then people start using the system and say, “Oh, well, we don’t want to get multi-factor challenges here,” or, “Hey, can we change this, or can we tweak it?”
And so I think it’s good to just be prepared to make tweaks and adjust as you go along, because the planning is great, but there’s no substitute for actually using the system and the software. And so that will necessitate some tweaks to how things work. It comes back to, some of the ease and benefit of the single sign-on systems is that you just make a change once and now you’ve changed your access control policy for 10 or 15 different applications. So that can be pretty powerful.
Great. So that’s the wrap up of the content of the slide.
Johan, if there are other questions. I’m happy to talk about them. We do have a few minutes left before five o’clock, I’m happy to take any additional questions as they come in.
Johan: Sure, one question was,
Is there any value to just putting a few services on single sign-on versus all of the cloud services that you’re using? What are some considerations people should keep in mind when thinking about which services to add into the single sign-on?
You did a great job, Matt, of going through some of the gotchas and not every service necessarily is ready for single sign-on just yet. So there’s clearly some technical limitations that need to be taken into account, but are there other factors that might be worth considering?
Matthew: As we talked about at the very beginning, improving organizational security, I think is a key imperative for organizations in 2017. The dramatic rise in credential theft, to brute force attacks, like all of this stuff means that there are people and they’re coming after you and your data. And so having a well-articulated and well implemented security framework is really key. I don’t think there’s a good reason to just do some and not all applications, unless there are exorbitant costs that are too much to bear to make the integration.
I think this also goes to workforce efficiency and management. If you can get folks to go into the web, they log into their portal, they have access to all the applications that they use, that’s going to make the organization more efficient.
And so to have a lot of exceptions to that rule, you start to add more complexity. “You can go to this Okta portal or this, use your single sign-on portal for these applications, but if you’re using X, Y, or Z, you have to go somewhere else that has a separate password policy.”
So I think as much as you can it makes sense to say, “Hey, here are the organizational apps that we use and we’re going to bring that under this umbrella so that they’re easy to use, manage, administer and report on.”
If somebody uses, say, their New York Times account, you don’t need to manage that. But I think for most organizational applications that are used to manage business, putting them in here gives you that framework to have a good password policy, make sure it has multi-factor authentication on it, make sure you have a way to de-provision accounts if somebody leaves. I would put everything you can into your single sign-on portal.
Johan: I love this slide because not only does it provide a security benefit to the organization, but I think it helps to make sense of the variety of cloud services that an organization is using. Fifteen years ago, you knew what applications you had access to because they were all on your desktop, they were all in your start menu. And now that everything has moved out to the cloud, I think it can be challenging, especially for new employees, to really get a sense of what services, what cloud applications does my organization use? And I think single sign-on not only provides a secure and easy way to access those applications, but actually maps out the applications that are available. So it really creates a sense of organization around the cloud services in addition to providing that security.
Johan: Okay. Well, I think we’re good.
Thank you very much Matt. That was a really good presentation. And I think we certainly feel very strongly that single sign-on is no longer just nice to have, but it is really becoming an essential component of an organization’s overall IT infrastructure, particularly in the cloud.
I want to thank everyone for joining us today and we hope we informed you about single sign-on, but also inspired you to take the next step in implementing it at your organization. And we’re certainly available after the webinar to answer any additional questions you might have about single sign-on.