Cloud single sign-on adds convenience, but does it sacrifice security?

Cloud SSO has become desirable as more companies adopt applications using multiple cloud services. But providers must not jeopardize security.

It's challenging enough for service providers to manage security for a single cloud service, let alone multiple cloud services. But many companies are pursuing a multi-cloud strategy, a reality that seemingly conflicts with customer expectations of bulletproof yet uncomplicated security policies. 

Customers are demanding single sign-on (SSO) capabilities, but providers and customers will have to ask themselves if the convenience of cloud SSO is worth its potential security risks.

Cloud providers say they now face a frustrating challenge: They must either force end users and IT administrators to use multiple logins to maintain security, or they must figure out how to securely federate identity in the cloud in a way that protects data and stays on the right side of regulatory compliance.

"There are really two aspects to this," said Adam Stern, president of and systems engineer at Infinitely Virtual, a cloud provider based in Los Angeles. "One is how annoying [multiple logins] can be for the end user. The other side of this is the IT-department-security side: When you have to disable a user, how many places do you have to go to manage a user account?"

Is the need for cloud SSO growing more acute?

The demand for secure cloud SSO capabilities isn't exactly blindsiding providers, but some say the need is growing more urgent as adoption grows.

"This issue has been around for a while, but is becoming acute as the number of services that an average end user consumes grows," Stern said.

Each small and medium-sized business (SMB) that adopted cloud in 2011 used an average of four cloud services, according to a recent survey by Microsoft of 3,000 SMBs, about a third of which identified themselves as cloud users. The average number of cloud services SMBs adopt is expected to creep upward to six services per company over the next two to three years.

The ability to help businesses manage and secure multiple cloud services within an account is becoming a competitive differentiator, according to several service providers that have dealt with this problem.

Managed service provider (MSP) Alvaka Networks Inc. developed a single management portal to help customers sidestep this issue, according to Oli Thordarson, founder and CEO of the Irvine, Calif.-based company. Through this cloud SSO portal, customers receive one login, which keeps security and access behind the scenes for the users.

"Clients shouldn't have six logins to manage," Thordarson said. "We are certainly touting this as an advantage, because not everyone has a client-facing portal that can handle all these applications and technologies."

Convenience isn't the only driver for cloud SSO. Another challenge providers face is that many customers adopt cloud services without coordinating with their IT teams, Stern said. As a result, it becomes difficult or even impossible for providers to create a single or federated sign-in process to accommodate a company's multitude of cloud applications when there is no centralized point of control.

"It is far from being [just] annoying or time-consuming," Stern said. "Not everybody plays by the same rules when it comes to authentication."

Cloud single sign-on: A ripe services opportunity

This confusion and complexity are playing into the hands of MSPs and value-added resellers (VARs) because they are able to use their skills in federated identity management and SSO products to their advantage. Meanwhile, it has become far easier over the past two years to offer federated access to applications via cloud SSO capabilities, according to several service providers.

The first step is helping businesses select cloud services that complement one another from a federation point of view. This is done by helping corporate IT teams develop proactive security policies that should be considered whenever a new cloud application is being evaluated, Stern said.

Whenever possible, service providers should also steer customers away from services that cannot be federated, said Saurabh Verma, senior director of global services at Acumen Solutions Inc., an IT services firm in McLean, Va. The reason for this is twofold: Not only will federation allow a cloud service to interoperate well with complementary offerings, but it also makes it easier to integrate the service with a customer's existing infrastructure.

"People have really thought hard and long about the security architectures within their companies, and cloud needs to be considered in this context," Verma said.

One way VARs and MSPs can address the cloud SSO issue quickly is by working with vendors that have already built that integration into their products, said Mike Gold, president of Inc., a service provider in Mountain View, Calif.

Intermedia is improving the login experience for customers by using application program interfaces (APIs) that integrate cloud applications with managed service platforms it uses for administration and billing, including ConnectWise.

"From an IT administrator's point of view, at the end of the day, their job is to maintain a secure, always-available environment and have employees that are productive," Gold said.

Two emerging standards are making cloud SSO easier to achieve: Security Assertion Markup Language (SAML), an XML-based open standard that evolved out of the OASIS Security Services Technical Committee; and OpenID, an open source approach to identity management that is used by big names like Facebook, Google, Microsoft and Novell.

There are also specific tools available that secure cloud services, including CipherCloud, a service embraced by the ecosystem and Amazon Web Services; Intel Expressway Cloud Access 360: Identity Federation, which offers two-factor authentication for integrated cloud services; and Ping Identity, which offers federated management and secure single sign-on.

"All the tools in the market are trying to move toward standard SaaS [Software as a Service] authentication models," Verma said.

About the author: Heather Clancy is an award-winning business journalist and a regular contributor for several TechTarget publications.
