Single Sign-On (SSO) has been a security best practice for years, and nowhere is this more apparent than in the cloud. The complexity of managing identities and users in the cloud is one of the biggest challenges facing cloud security professionals, and having a single identity store makes life much easier. This becomes ever more important as more companies move to a multi-cloud environment, where standardizing security policy is critical if you want to avoid a data breach.
What is Single Sign-on?
For a quick primer, single sign-on (SSO) allows users to have one set of credentials to gain access to multiple applications, i.e. sign in once and then access all your authorized apps instead of having to sign in to each one separately.
SSO brings numerous benefits such as:
✅ Decreased IT workload, as overworked IT departments do not have to worry about managing access to multiple applications (password resets still happen manually in many companies, by the way, even in 2022!). This is also really helpful if a user has been compromised and needs his or her access revoked from over 50 applications at once.
✅ Improved security posture, as having one password to access multiple applications motivates users to pick a strong one. This helps considerably in decreasing the blast radius of password attacks and reduces friction when accessing applications.
✅ Standardized security policy, as enforcing multi-factor authentication (MFA) and other context-driven controls like location, time, risk ratings, etc. becomes easier to manage and unify.
✅ Centralized permissions management, as a user's SSO identity can be mapped to roles/job titles, enabling easier reviews and privilege management.
⚠️ Just to play devil's advocate, some people do make the case that relying on one password increases the exposure of an attack if that password is compromised. However, this ignores the fact that users generally reuse passwords across applications anyway, and that SSO enables enhanced authentication features like intelligent MFA, context-based controls, intelligent risk ratings, etc.
Single Sign-on in the Cloud (Cloud SSO)
As cloud adoption speeds up, SSO becomes a critical part of a company's cloud security strategy. Cloud SSO brings all the previous benefits and enables centralized control over cloud applications. Additionally, it enables integrations with cloud-specific tools like Cloud Access Security Brokers (CASBs) and cloud DLP, which can detect data leakage in real time.
Taking the example of Azure AD, a sample Cloud SSO pane would look something like the one below, where the user logs into Azure AD and sees all of his or her cloud applications in one pane.
How Does SSO Work?
In its simplest form, SSO works between two entities: the Identity Provider (IDP) and the Service Provider (SP). You can think of the IDP as the one holding all the identities, while the SP is the application asking for verification. The flow looks something like this:
- User signs into the application (SP).
- The SP sends the credentials (user ID and password) to the IDP for verification.
- The IDP verifies them and issues an access token that contains the user's privileges.
- This token is used to authenticate subsequent requests in the session, so the credentials do not have to be entered again.
The flow can be either IDP initiated (the user goes through the IDP to access the applications) or SP initiated (the user goes through the application).
Below would be an example of an IDP-initiated flow:
SSO works through the use of numerous protocols such as SAML, OAuth, OpenID, etc., with Security Assertion Markup Language (SAML) being the most common. SAML is an open standard that enables the exchange of access tokens and is especially well suited to web applications and the cloud. It has pretty much become the de facto standard for SSO in cloud applications.
There is a rising number of Cloud SSO solutions available, with Azure AD, Ping, and Okta being the biggest names in the market. Which one you go with really depends on your budget and the features/customization you want. Those wanting more customization will lean towards a specialized solution like Okta or Ping, while those wanting a quicker learning curve will go with Azure AD.
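The SP-side checks an application should run on the SAML token the IDP issues (issuer, audience, recipient, request ID and validity window), as an added Python example that is not part of this post. The sample assertion, the IdP/SP URLs and the request ID are constructed placeholders, and signature verification is assumed to have been done beforehand with an XML-DSig library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample bearer assertion; not the output of any real IdP. Its XML signature is
# omitted: verify the signature with an XML-DSig library before calling validate_assertion().
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_a1" Version="2.0" IssueInstant="2022-06-01T12:00:00Z">
  <saml2:Issuer>https://idp.example.com/metadata</saml2:Issuer>
  <saml2:Subject><saml2:NameID>alice@example.com</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml2:SubjectConfirmationData InResponseTo="_req42" NotOnOrAfter="2022-06-01T12:05:00Z"
        Recipient="https://app.example.com/saml/acs"/></saml2:SubjectConfirmation></saml2:Subject>
  <saml2:Conditions NotBefore="2022-06-01T11:59:00Z" NotOnOrAfter="2022-06-01T12:05:00Z">
    <saml2:AudienceRestriction><saml2:Audience>https://app.example.com/saml/metadata</saml2:Audience>
    </saml2:AudienceRestriction></saml2:Conditions>
  <saml2:AttributeStatement><saml2:Attribute Name="groups">
    <saml2:AttributeValue>cloud-admins</saml2:AttributeValue></saml2:Attribute></saml2:AttributeStatement>
</saml2:Assertion>"""

def _ts(value):
    # SAML timestamps are UTC xs:dateTime; a missing or malformed one fails the check.
    if value is None:
        raise ValueError("missing timestamp")
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, trusted_issuer, audience, acs_url, request_id, now):
    """Check the SP-side conditions of a SAML 2.0 bearer assertion; returns (ok, reason, attributes).
    request_id is the ID of our AuthnRequest (SP-initiated flow) or None for an IdP-initiated,
    unsolicited assertion, which must then carry no InResponseTo at all."""
    root = ET.fromstring(xml_text)
    if root.findtext("saml2:Issuer", namespaces=NS) != trusted_issuer:
        return False, "issuer is not the configured IdP", {}
    scd = root.find("saml2:Subject/saml2:SubjectConfirmation/saml2:SubjectConfirmationData", NS)
    if scd is None or scd.get("InResponseTo") != request_id:
        return False, "assertion does not match our request", {}
    if scd.get("Recipient") != acs_url or now >= _ts(scd.get("NotOnOrAfter")):
        return False, "wrong recipient or expired subject confirmation", {}
    cond = root.find("saml2:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        return False, "outside the validity window", {}
    audiences = [a.text for a in cond.findall("saml2:AudienceRestriction/saml2:Audience", NS)]
    if audience not in audiences:
        return False, "assertion was issued for a different SP", {}
    # Only after every check passes do the attributes (the user's privileges) get trusted.
    attrs = {a.get("Name"): [v.text for v in a.findall("saml2:AttributeValue", NS)]
             for a in root.findall("saml2:AttributeStatement/saml2:Attribute", NS)}
    return True, "ok", attrs
```

Each rejection reason maps to a distinct log line worth alerting on, since a replayed or cross-SP assertion fails on the request ID or audience check rather than on the signature.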
SSO is the future for cloud
Cloud environments can get very complex very fast, and investing in SSO early on will save a lot of trouble in your cloud security journey. SSO reduces complexity and increases the speed of incident response while giving you access to intelligent policy-making in the cloud. Cloud identities are the new firewall, and SSO will empower cloud security teams to take security to the next level.
Let me know in the comments section if you found this useful and whether you want a deeper dive into different SSO products.