Way back in the early snow-drenched days of 2014, when starting down the road that would eventually lead us to Data Freedom, I threw together a high-level, totally incomplete diagram to illustrate how many tools a company like Control Group needs. This is just the top half (names were edited to protect the innocent), with each of the blue boxes representing a stand-alone third-party system:
This was meant to highlight the importance of widely spread information, but it incidentally made another point: Holy a-number-and-capital-letter-are-required, Batman! That’s a lot of logins to manage. Beyond the personal annoyance every time system X asks you to change its password (always at the most inconvenient time), that breadth of authentication brings on some real worries:
- Ever reuse a password? Lots of people do, and as we’ve learned from hacks out there in the real world, it only takes one of those vendors to slip up before a chunk of employees’ login credentials are being tried on several sites, possibly successfully. More vendors plus more employees with passwords to manage equals a pretty high risk.
- That not direct-cost enough for you? Well, simply onboarding new CG’ers had become more of a task for our support center. It takes time to go from system to system to carefully not misspell the new guy’s name over and over. And not only does it take time, it’s separated from HR and errors are just a simple typo away.
- That not risky enough for you? Try remembering to remove all those accounts when the time comes, especially if the systems are managed across groups. Nobody wants orphaned logins hanging around on systems with key data.
Enter Single-Sign-On identity management. Now, there’s not exactly a solitary genius patent to file on this one. SSO is well known and already a big deal across many Enterprises. There are good reasons for that: multiply those risks above by more employees in-and-out, add in a (probably) very central IT which may not be so keen on adding new vendors quickly, and it can happen. Of course, while it may be done, it’s not always done well. Often, security ends up as something you just “have to use”, which you know if you’ve ever had to use those cumbersome corporate VPNs that might let you in, but lock out everything else.
However, for those of us a bit smaller than the average “multi-national mega-corp”, there are several types of challenges. You want to have the flexibility to add in new systems quickly, when the need arises or when somebody releases a great application. You don’t fear SaaS. You don’t have a single, central legacy system to reflexively lean on. You don’t see personnel comings and goings as frequently (even though we’re growing plenty fast).
You can also easily end up with a tangle of logins and permissions, as you can see in our diagram. Don’t forget that they all have their own security rules, which can be a mess just for users to navigate. We wanted SSO for reasons of security…and convenience.
So, by the time we got to the snow-drenched days of 2015 (in New York, that took us through about May this year), we were using Okta as our identity manager to implement SSO across most of those vendors. Okta uses the SAML standard to hook into each of those vendors to essentially take over user provisioning, de-provisioning and logging in. While it’s only one of the many ways to implement SSO, SAML is nice because it negates the need to convey credentials to the vendor. That means there’s no password of ours sitting at the vendor for the bad guys to steal in a hack. In addition, by “closing the front door” to those applications, we can add multi-factor authentication and other strong security practices even to vendors who don’t offer it themselves.
The catch is, each of those vendors needs to offer SSO (and hopefully SAML) as a feature. If we’re telling them to log a user in, they have to be listening. Otherwise, Okta is just a fancy password manager. Not all do, though, at least not at the tiers a company like CG would need.
A few examples along the road to “SSO-nirvana”:
- Gold star: Dropbox offers SSO by default for every Dropbox for Business account. It was easy to set up and there’s an API to add and remove users…from your identity provider. So everything can be done on Okta.
- Red star: On the other hand, InvisionApp only offers SSO as part of an Enterprise package. So to get it, get ready to fork over a good chunk of extra money just to get that plan. The small and middle-sized company ends up caught in the pricing structure.
- Somewhere In-between: There are systems that offer SSO, but in a variety of ways. Zendesk goes a different way: it uses a JSON-based SSO option (JSON Web Token, or JWT). Business Intelligence vendor Looker offers Google Apps-based single sign-on, which gets us the security. But this means all users need a Google Apps account to use that login, which may be trouble if we wanted a client or partner to be able to log in.
- Likewise, linking up WordPress for this blog (talk about meta) utilized a third-party plugin for SSO. It works well, but setting it up took some doing because many WordPress hosts will not be familiar with that particular plugin. As a side note: If you do set it up on WordPress, this document is invaluable, but also note this thread about implementing it for existing users’ accounts. It took us some time to figure out how to handle migrating existing accounts, and we actually took the tactic of changing every user to a new account to ease the transition.
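To make the JWT-style handoff (the Zendesk option above) concrete, here is an added example, not code from the original post or from Okta or Zendesk: the identity provider mints a short-lived token signed with a secret shared with the vendor, and the vendor accepts it only if the signature, the freshness window and a never-before-seen token id all check out. The claim names, the TTL and the replay cache are assumptions for illustration; note that the user’s password never appears in the message at all.

```python
import base64, hashlib, hmac, json, time, uuid

SHARED_SECRET = b"constructed-demo-secret"  # constructed; real one comes from vendor config
TOKEN_TTL = 120                              # seconds a token stays valid (assumption)
SEEN_JTI = set()                             # vendor-side replay cache (assumption)

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_sso_token(email, name, now=None):
    """Identity-provider side: assert *who* the user is, never their password."""
    now = int(now if now is not None else time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iat": now, "jti": uuid.uuid4().hex, "email": email, "name": name}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_sso_token(token, now=None):
    """Vendor side: return the claims if the token is authentic, fresh and unused, else None."""
    now = int(now if now is not None else time.time())
    try:
        h, c, s = token.split(".")
    except ValueError:
        return None
    header = json.loads(_unb64url(h))
    if header.get("alg") != "HS256":          # refuse alg=none and algorithm confusion
        return None
    expected = hmac.new(SHARED_SECRET, (h + "." + c).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(s)):  # constant-time signature check
        return None
    claims = json.loads(_unb64url(c))
    if not (now - TOKEN_TTL <= claims.get("iat", 0) <= now + 30):  # stale, or from the future
        return None
    if claims.get("jti") in SEEN_JTI:         # same token presented twice: replay
        return None
    SEEN_JTI.add(claims["jti"])
    return claims
```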
Okta has to be flexible enough to handle all these cases, and it is. Make no mistake, though, it does take some time to implement on our side (never underestimate how hard it can be to modify ingrained login-behavior through a full organization). But, through that, it’s worth it for all the reasons above and more. Plus, now our support staff only needs to click a few buttons on Okta to provision new folks’ accounts all around.
We may never get to full “SSO nirvana”. New vendors pop up every day, and everybody uses more and more constantly. But every step closer is one less risk along the way. As we continue down the road, implementing further features like “push” second-factor authentication (so you only have to hit an “OK” on your phone) makes it easier for users to accept the second factor. Shoot, that’s even a useful application of a smart watch. Who knew those existed?
The process even allowed for a forest-for-the-trees moment or two: For every headache caused by implementing SSO, there’s a silver lining when you roll it out. Suddenly, onboarding new people is done in a single click. Users, including us, don’t need to remember a myriad of passwords. They don’t even have to change them at that inopportune moment. It relieves the CG’er managing each system from the email threads asking to create usernames. It also relieves them from the new fake passwords they have to scribble on sticky notes for the new folks (and reminding them to change it right away). Let’s hope we’ve retired the sticky notes.
Convenience: a nice add-on on the road to “SSO nirvana.”