Bring me a password. Now bring me another and another ...

Single sign-on authentication can eliminate user and administrator headaches

Chew on this statistic: Worldwide spending on identity and access management reached almost $3 billion in 2006, according to a 2007 IDC study of the authentication technology market. That's $3 billion to bridge the Internet Age moats around our castles, but it does not include the cost of aspirin for headaches that password issues cause network administrators and users alike every year.

There is, however, an emerging set of solutions that can reduce the pain of password management: single sign-on (SSO) technology allows a user to have one password that provides entry to a system and then manages all of the application authentications seamlessly and transparently. Better yet, SSO offers some relief – even some advantage – to network administrators who support multiple password-protected applications.

The SSO effect on money and time

As small and midsize businesses (SMBs) grow, so does the number of applications that require user authentication. This is usually driven by sensible concerns about confidentiality and protection of sensitive data, such as customer information or company financial information. In highly regulated industries, such as financial services and insurance, CDW has seen organizations with as many as 30 applications that require user authentication.

IT help desks can potentially spend hours on password resets. In fact, according to IDC, 40% of help desk calls are for password resets, and the price of password reset calls can accrue to astronomical sums, costing up to $50 per reset. To put the costs in perspective, if each user in a 500-person enterprise makes four reset calls each year, the company may spend $100,000 annually on resets – and they may avoid all or most of that by implementing a secure SSO solution. In many companies, that is at least the cost (in salary and benefits) of one experienced IT professional.

The objective of SSO is to avoid the hidden costs of flawed "human software." It is simply easier for any user to remember one password instead of several. If users forget passwords, not only does the help desk have the burden and expense of a password reset, but there can be a substantial period of time where users will not have access to the application they need, wasting still more time and money.

Auditing and Compliance

In addition to reducing user and network administrator frustration, SSO solutions can help alleviate the increasing challenges of compliance with corporate governance or regulatory measures such as the Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley Act, and the Sarbanes-Oxley Act. With SSO authentication, organizations can easily identify and catalog security breaches, and fewer passwords mean fewer records to keep, reducing the manpower that companies spend on regulatory compliance each year. This is becoming an important consideration, as Gartner predicts that the number of regulatory requirements directly affecting IT operations will double in the next few years.

Any new technology meets healthy skepticism. We often hear customers expressing anxieties that SSO may compromise network security. However, this is a misconception. SSO is not a shortcut that end-runs authentication processes; it is an application that admits the user to other applications only by validating their identity through a secure internal protocol. Administrators are able to monitor user log-ins more easily. For example, if a user is logging in many more times than usual or at odd hours of the day, the help desk will see a red flag and be able to act accordingly to make sure that sensitive data is not being compromised. With multiple user passwords, that would be much more difficult to detect.

In fact, there is nothing less secure than burdening users with responsibility for multiple passwords. Let's face it: with everything going on during the work day, who has the time to memorize five or more passwords? Those passwords are being jotted on sticky notes and attached to monitors or slid under mouse pads – which is practically begging for a security breach. Having "one key to the castle" also makes it easier for IT managers to fix security problems. For example, if there is a problem with a password on a network that employs SSO technology, IT professionals can easily identify and shut down the account. With multiple passwords, it would be difficult to know which caused the breach.

SSO is also helpful when an employee leaves a company. The IT department can easily terminate the user's access to all applications simultaneously and watch for subsequent attempts to log in.
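The monitoring described above (unusually frequent log-ins, log-ins at odd hours, and attempts against a departed employee's account) can be run over a single SSO authentication log. The following is an added example, not code from the article or from any SSO vendor; the log format, the per-user baselines, the working-hours window and the threshold factor are all assumptions, and the log lines are constructed.

```python
from collections import Counter
from datetime import datetime

# Constructed sample of a central SSO authentication log: "timestamp user result".
SAMPLE_LOG = """\
2008-03-03T08:58:10 alice success
2008-03-03T09:02:41 bob success
2008-03-03T13:15:00 alice success
2008-03-03T02:47:19 carol success
2008-03-03T10:00:01 bob success
2008-03-03T10:00:09 bob success
2008-03-03T10:00:15 bob success
2008-03-03T10:00:22 bob success
2008-03-03T11:30:00 dave failure
"""

# Assumed inputs: typical log-ins per user per day, and accounts already disabled.
BASELINE_PER_DAY = {"alice": 2, "bob": 2, "carol": 1}
TERMINATED = {"dave"}

def parse(log_text):
    """Yield (datetime, user, result) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2]
        except ValueError:
            continue

def flag_logins(log_text, baseline, terminated, work_hours=(7, 19), factor=2.0):
    """Return a sorted list of (user, reason) flags for help desk review."""
    flags = set()
    per_day = Counter()
    for ts, user, result in parse(log_text):
        if user in terminated:
            flags.add((user, "attempt on terminated account"))
            continue
        if result != "success":
            continue
        per_day[(user, ts.date())] += 1
        if not work_hours[0] <= ts.hour < work_hours[1]:
            flags.add((user, "login outside working hours"))
    for (user, _day), count in per_day.items():
        # Unknown users get a baseline of 1 so they are not silently ignored.
        if count > factor * baseline.get(user, 1):
            flags.add((user, "login volume above baseline"))
    return sorted(flags)
```

Calling `flag_logins(SAMPLE_LOG, BASELINE_PER_DAY, TERMINATED)` flags bob for volume, carol for an off-hours log-in and dave for an attempt on a disabled account; the same checks across 30 separate application logs would require correlating 30 different formats and account names first.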

Things to consider

While there are good reasons for SMBs to consider SSO technology, it isn't for everyone. Here are some things to consider before jumping in.

* Within your business, look at the number and types of applications that require user authentication. Consider the frequency of password reset requests. The cost/benefit calculation of SSO technology should be fairly straightforward.

* If you decide that SSO deserves consideration, evaluate a range of prospective providers. There are several vendors that provide SSO solutions, including IBM, Oracle, Novell, Citrix and Imprivata, among others. The licensing, costs and operations vary, so research each solution to determine the best fit for your organization.

If implemented wisely in the right situation, SSO can help SMBs save money, maintain productivity and monitor for compliance more easily. SSO is an investment, but it will pay off with improved protection for your network, more satisfied users, long-run cost savings -- and (at least in this regard) your own sanity.



Copyright © 2008 IDG Communications, Inc.
