October 10, 2014
Relieve Password Pains with Single Sign-On
Posted by Sean Batchelor
Who enjoys memorizing and tracking an ever-expanding list of user names and passwords? Not many of us!
Personal applications aside, the number of logins required to perform day-to-day tasks in the professional world is mounting. The time spent changing passwords, increasing their complexity, remembering those passwords, and calling the support desk to reset forgotten passwords, plus the heightened security risk of passwords being written down, is adding pressures (and costs) for companies large and small. In response, an increasing number of firms are adopting cloud-based single sign-on (SSO) services (like Okta).
SSO lets an employee sign in once, to the company's identity provider, and then reach a wide range of cloud-based applications without entering separate credentials for each. Hence the name "single sign-on." This works from outside the corporate network as well: one credential (sign-on) to the SSO service opens all of the connected company applications. That one credential therefore becomes a high-value target, which is why it is normally protected with more than a password. For employees, the payoff is time and relief from frustration: they can move seamlessly between time-entry systems, payroll systems, 401k sites, performance evaluation applications, secure file transfer services and more, without setting, resetting and otherwise administering multiple application-specific credentials.
Of course, adopting an SSO service changes some fundamentals. Many companies shift their governance and oversight to the SSO service and away from the individual applications. In most cases, however, SSO changes where authentication happens, not where access provisioning happens.
Most SSO services only authenticate the user. Authentication means the service proves that the person signing in is who they claim to be, via the username, password and possibly additional factors. In short, it validates that John Doe is John Doe. The SSO service then passes that validation to the connected applications as a signed assertion or token (the user's password itself is not forwarded). Each application accepts the assertion and then applies its own permissions, granting or denying what John Doe can do. So the new tool does not move all of the focus for application access away from the application; only part of it. Governance, control and audit activities need to recognize where each control now lives and adjust their focus accordingly: authentication, and the list of who can sign in at all, sits with the SSO service; access provisioning and entitlements still sit with each application.
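As an added illustration of the split described above (example code written for this page, not anything from Okta, Armanino or any real SSO product), the sketch below uses an HMAC-signed assertion as a simplified stand-in for a SAML assertion or OIDC token. The identity provider issues an assertion that says only who the user is; the application verifies it and then consults its own permission table to decide what that user may do. The shared secret, issuer name, audience, usernames and permission table are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for the example: the key the application trusts the IdP's
# assertions with (a real deployment would use the IdP's signing certificate).
IDP_SECRET = b"example-shared-secret-not-for-production"
APP_AUDIENCE = "payroll-app"   # hypothetical application identifier


def idp_issue_assertion(secret, subject, audience, ttl=300, now=None):
    """IdP side. Called after the IdP has authenticated the user itself.

    The assertion states who the user is, which application it is for and
    how long it is valid. It carries no password and says nothing about
    what the user is allowed to do.
    """
    now = int(time.time()) if now is None else now
    claims = {"iss": "idp.example", "sub": subject, "aud": audience,
              "iat": now, "exp": now + ttl}
    body = base64.urlsafe_b64encode(
        json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def app_verify_assertion(secret, token, audience, now=None):
    """Application side: authentication only.

    Checks the IdP's signature, that the assertion was meant for this
    application, and that it has not expired. Returns the subject (the
    authenticated username) or None.
    """
    try:
        body, sig = token.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body.encode()))
    now = int(time.time()) if now is None else now
    if claims.get("aud") != audience or claims.get("exp", 0) <= now:
        return None
    return claims.get("sub")


# The application's own provisioning table (constructed). The IdP never
# sees this; it is still administered, reviewed and audited at the app.
APP_PERMISSIONS = {
    "jdoe": {"view_own_paystub", "submit_timesheet"},
    "asmith": {"view_own_paystub", "submit_timesheet", "approve_timesheet"},
}


def app_authorize(subject, action):
    """Application side: authorization. A user the IdP vouches for but who
    was never provisioned here gets an empty permission set."""
    return action in APP_PERMISSIONS.get(subject, set())


def handle_request(token, action, now=None):
    """Full flow: 401 if the assertion does not prove who the caller is,
    403 if it does but the app has not granted the requested action."""
    subject = app_verify_assertion(IDP_SECRET, token, APP_AUDIENCE, now=now)
    if subject is None:
        return (401, "not authenticated")
    if not app_authorize(subject, action):
        return (403, f"{subject} is authenticated but not provisioned for {action}")
    return (200, f"{subject} may {action}")


if __name__ == "__main__":
    token = idp_issue_assertion(IDP_SECRET, "jdoe", APP_AUDIENCE)
    print(handle_request(token, "submit_timesheet"))    # 200: provisioned
    print(handle_request(token, "approve_timesheet"))   # 403: authenticated, not entitled
    stranger = idp_issue_assertion(IDP_SECRET, "bwong", APP_AUDIENCE)
    print(handle_request(stranger, "submit_timesheet"))  # 403: known to the IdP, unknown here
```

The point the code makes is the one the paragraph above makes: moving authentication to the SSO service does not remove the application's own access decisions. "bwong" is a perfectly valid user as far as the identity provider is concerned, yet the payroll application still refuses, because nobody provisioned that account there. Deprovisioning, access reviews and segregation-of-duties checks therefore still have to look at each application's permission data, not only at the SSO directory.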
A senior manager in the Governance, Risk and Compliance (GRC) practice at Armanino, Sean has over 10 years of experience in corporate and public accounting. He serves clients in a broad range of industries, including high tech, manufacturing, financial services, private lending and insurance. His expertise includes reviewing operational, financial, and technology processes to provide management with an individual assessment of business risk, internal controls, and the overall effectiveness and efficiency of processes. He also assesses and educates companies on the risks associated with Sarbanes-Oxley (SOX), as they pertain to internal controls.
Sean received his B.S. in business administration from the University of the Pacific. He is a member of the California Society of Certified Public Accountants and the American Institute of Certified Public Accountants.