In this month's cover story, "Delivering SSO," you'll read this statement: "Surprise! eSSO isn't about security." This may be a revelation to you, but single sign-on is about improving users' computing experience; security is a side benefit.
Using SSO to simplify authentication expedites users' access to applications and networked resources. Just like home computing, users double-click what they want and get it a second later. Immediate gratification may sound trivial, but those microseconds add up; even the slightest of hang times can frustrate a user.
Security is improved through SSO because users are relieved of the multiple-password burden. Let's face it, users hate complex passwords; SSO makes that pain more palatable by reducing the number of complicated passwords they have to remember. Gone are the scrap-paper notes with ungodly long mixed alphanumerics; users have just one password to remember, and enterprise gains more control to enforce stringent requirements.
In reality, though, security isn't about simplicity. We erect controls that protect resources and data, but hamper user experience in the process. CIA is the foundation of security, but requirements for confidentiality and integrity often impede availability. This is why many executives see security as a cost center and impediment to business.
Improving the user experience isn't just about SSO. It's applicable to all of security. Security managers and network architects should strive to improve usability so that the solutions that guard our enterprises facilitate rather than impede productivity.
Here are a few technologies that are working to reduce complexity:
Federated directories. With the continued adoption of SAML, enterprises will leverage the power of distributed directories for access and identity management, which translates into fewer user identities and simpler accessibility across trusted domains.
Multifactor authentication. There's a growing realization that simple passwords aren't enough to protect data and accounts; yet users have persistently resisted multifactor authentication because they perceive it as complicated.
Easier-to-use multifactor authentication, such as the plug-and-play functionality of USB tokens, will make users more willing to adopt it as part of their computing routine.
SSL VPNs. The world is becoming increasingly distributed and mobile. SSL VPNs are making it easier for users to access corporate IT resources through their standard Web browser, a tool that they're intimately familiar with. What makes SSL VPNs simple is that the security, for the most part, is transparent to the user.
By seeking systems that improve the user experience, enterprises can make tremendous strides in productivity and security without burdening users with cumbersome systems that, in the long run, don't always have a good cost-benefit rationale. Security should be about enablement, not about restrictions.
About the author:
Lawrence M. Walsh is executive editor of Information Security magazine.