Is single sign-on the answer to your cloud computing security worries?

The downside of the cloud is a password and username overload -- but there are technologies available to help.
Written by Mark Samuels, Contributor

The cloud provides a raft of business benefits to organisations that want to access applications in a flexible and cost-conscious manner. But to really take advantage, businesses must be sure that information is easily and safely accessible.

At the same time, as more organisations move their applications online, staff are confronted with a profusion of user names and passwords. CIOs must find a technical solution to the business challenge.

So how easy is it to sign-in once and access all enterprise applications through the cloud? Hear advice from some pros who have dealt with this challenge.

1. Take note of the challenges inherent to your specific sector

Chris Hewertson is CTO of hotel chain glh and a big advocate for the power of the cloud. Hewertson has managed a technology-led transformation of his business during the past few years. A large proportion of that change can be attributed to his decision to move on-demand: the firm does not run any in-house servers now and 95 per cent of IT services are delivered through the cloud.

Hewertson says there are many benefits from moving to the cloud, but certain key issues remain, not least the ability for an individual to sign-on once and see all the applications and services that they are authenticated to use.

"We now have a plethora of cloud services, with lots of different user names and passwords. It would be great to provide a nice, simple workspace around those services. From an end user's perspective, it means people only need to log on once to see all our services," says Hewertson.

Integration across service providers is a key issue, especially as his firm uses a range of industry-specific applications. Yet Hewertson is hopeful of rapid and positive change. "It's tough because a lot of cloud services don't have the secure APIs to support single sign-on," he says. "But we're doing an RFI right now and I think we can get very close to achieving our aims."

2. Find a secure platform for application authentication

Farrer & Co IT director Neil Davison is another CIO who is a big believer in the cloud. He recognises legal firms such as his are often risk-averse, but Davison says change is slowly coming.

His firm uses various cloud-based systems, including Citrix, NetDocuments, Chrome River, and Panopto. Like Hewertson, he believes single sign-on creates complications for a firm looking to move on-demand. "It's a real challenge," he says. "People have to remember too many web addresses and too many usernames and passwords."

However, Davison believes he has found a technical solution to the business challenge. Davison has deployed OneLogin, a cloud-based identity access management technology that provides users with secure access to cloud applications from any device.

Davison says OneLogin represents a layer that sits across the entire IT estate. Users have one site to visit in order to sign-in to all services. Once logged in, authenticated individuals are presented with a portal that includes an access point to all of the firm's approved applications. The technology includes two-factor authentication.

The key benefit of OneLogin, says Davison, is that it offers hundreds of preconfigured plug-ins for enterprise applications. He says OneLogin uses Security Assertion Markup Language (SAML), a standard for web-based single sign-on. The approach provides a secure method for collaborating.

"All you have to do is pick your software, drop in your security information, and the technology meshes with your internal SAML system," says Davison. "It's so seamless and it's very quick. We include access to all kinds of content, including websites and cloud-based training videos. And all our users have to do is visit one secure site."

3. Recognise there will be gaps in even the best technical solution

Mark Ridley, director of technology at recruitment specialist reed.co.uk, represents the future of business IT. "Our company has, by and large, everything related to enterprise systems running in the cloud," he says.

When it comes to productivity applications, most of the firm's employees use Google Apps for the work they complete. One of the key benefits of Google Apps, says Ridley, is that the system already includes single sign-on. "We encourage our people to sign-on to services through their Google accounts wherever they can," he says.

Like Davison, Ridley has also used other SAML-based technology platforms to provide secure access to enterprise applications. The first system his IT team procured when the business moved to the cloud was OneLogin.

The firm followed up that move almost instantly with an investment in mobile device management technology AirWatch. "We addressed security in the cloud at a very early stage of our move on-demand," says Ridley.

Ridley agrees with Hewertson's earlier suggestion that technology is no panacea. "There are definitely gaps," he says. "It can be a challenge, for example, to store the keys associated to the systems that individual developers use. But for the majority of users, identity management in the cloud is now pretty easy."

4. Understand that education matters more than hype

So while progress is being made, some elements of cybersecurity in an on-demand era remain a challenge. Tim Holman, chief executive of 2-sec and director of the Information Systems Security Association, understands the scale of the issue -- and lays blame at the door of the technology vendors.

"I've seen many an IT budget wasted on the next big security product, as some misguided IT guy reckons it will solve all of their company's problems," he says. "I do see cybersecurity vendors as a big problem in this space. They can give companies a sense of false security."

While technology can help, Holman says CIOs must also focus on the human element. Workers can use the cloud to share information both within and outside the enterprise firewall. Best practice in terms of worker behaviour remains crucial.

"It's not rocket science, and much of it is common sense," says Holman. "Examples of where things can go wrong include sharing information with third-party suppliers, putting data in the cloud and allowing data on employee devices, while not bothering to patch the estate."
