Thales Blog

Selecting the Right Cloud SSO Solution for Your Organization

January 7, 2021

Danna Bethlehem Danna Bethlehem | Director, Product Marketing More About This Author >

Modern architectures and applications place additional demands on access management tools. This blog will introduce access management evaluation criteria guidelines and discuss what features you should look for and what vendors to consider for your next employee access management solution.

Over the past few years, cloud adoption has been phenomenally high. According to the Thales Access Management Index 2020, over half of respondents regarding cloud-first world challenges identified unprotected infrastructure (57%) or cloud applications (55%) as one of the biggest targets for cyber-attacks. To mitigate the risk of these attacks, risk officers and IT managers are searching for Single Sign On or SSO solutions. They need to maintain an easy user management access for cloud-based applications and services, without compromising on security.

Pandemic intensifies the need for secure remote access management

Even before the onset of the pandemic, many risk and IT leaders were concerned with more secure access for remote workers. But these workers only consisted of a subset of the entire workforce. However, with the onset of COVID-19, many enterprises were forced to find solutions for their employees working at home. According to Gartner’s March 2020 survey at least 74% of the respondents planned to move at least 5% of their in-office employees to work at home permanently, even after COVID-19 fades. Of those surveyed, 20% of respondents indicated that they have deferred on-premises technology spend.

Short term vs. long term

The traditional IAM model has been to extend remote employees to access applications to employees from VPN and add multifactor authentication (MFA) to add layers of security to the VPN connection. In the new working environment, many enterprises have extended this to most of their workforce. This practice may be a solution in the short term, however, secure remote access via VPN can be costly to implement, complicated to operate, and time-consuming to deploy in the longer term. In addition, it doesn’t offer the flexibility needed to accommodate modern cloud computing environments.

Password-based app access: convenient but risky

The other widely used convention by enterprises is to allow employees to login directly to cloud-based applications such as, (but not limited to) Office365, Slack, Agile, with passwords. But using one or two-factor logins such as email and password leaves enterprises vulnerable to security risks and data breaches. In addition, employees having to remember many sets of passwords for multiple cloud-based applications can burden IT teams with requests for password resets or locked-out scenarios.

Cloud-based access management and authentication

Cloud-based access management and authentication offers a strong alternative, and overcomes the problems related to VPN access or direct access via passwords. These solutions can play a key role in securing access to cloud services at the access point, as well as protecting access to networks remotely.

IAM innovations for cloud-based remote access

IT and risk professionals are looking for new ways to secure access. Consequently, IAM security vendors have innovated new technologies or leveraged existing authentication approaches including passwordless authentication, FIDO authentication, adaptive authentication and Zero Trust:

Passwordless Authentication

Passwordless authentication offers enterprises methods for users to verify their identity without having to enter or remember textual passwords. Passwordless authentication can provide stronger security, reduce risk of breaches, and alleviate password management pressure.

FIDO Authentication

Originally developed for consumer services, the FIDO2 standard evolved and was adopted by Microsoft for Windows Hello. This has pushed FIDO to be part of an enterprise identity framework. Although it offers security and an easy user experience, it is can still be difficult to manage lifecycle and token provisioning. FIDO tokens offer organizations that use PKI and certificate-based authentication a way of expanding to modern access use cases, such as cloud access. For example, Thales offers a combined FIDO-PKI smart card.

Adaptive Authentication

Adaptive authentication is based on attributes including device, network data, user behavior, location and others. These provide enterprises with the ability validate a person’s identity to a reasonable degree. This offers flexibility in setting up access policies for diverse scenarios. Policies could use adaptive authentication together with other MFA methods. Enterprises can tailor a specific user, group of users or specific applications that employees need to access. This also protects cloud-service and on-premises applications. The more applications a user needs to access on a daily basis drives the need for IT professionals to offer more secure and convenient login experiences.

Zero Trust

Zero Trust is an umbrella framework for guiding risk managers on implementing viable security practices in the organization. Access management and authentication play a critical goal in meeting the “Trust No One” and “Protect Everywhere” elements of Zero Trust. AM solutions such as Thales SafeNet Trusted Access can adhere to Zero Trust ideals by validating users’ identities continuously, each time they log in. In addition, SafeNet Trusted Access can reduce traffic and bandwidth on VPNs, by allowing employees direct access to the applications and services they need daily.

Smart Single Sign On vs. Simple Single Sign On

SSO relies on an initial single assertion at the point of assertion and applies it to each login in the same session. Smart Single Sign On, in contrast, validates a user’s identity every single time a user logs in to an application. It makes sure that the appropriate authentication method is applied within that session. If a policy engine discovers that the application login does not fit the scenario, it will prompt the user to supply another authentication method.

Pressing the fast-forward button on remote access management

The need to balance security and user-convenience is more critical than ever in securing a remote workforce. To learn more about how organizations are approaching cloud security, watch Trends in Cloud Access Management, Single Sign On & Authentication: EMEA Edition.