
Sean O'Sullivan

Securing Multi-Cloud with Single and Same Sign On

14th May 2022


The May 2022 edition of Chartered Institute of Information Security Pulse magazine is available to members, and I’m delighted to share that I have contributed an article to it.

Securing Multi-Cloud with Single and Same Sign On

It is becoming commonplace for organisations large and small to adopt a multi-cloud strategy. Rather than putting all their eggs in one proverbial basket, they use multiple public and hybrid clouds from several different providers.

There are many advantages to this strategy, such as removing single points of failure and playing to each vendor's core strengths. One provider may offer a best-in-class SaaS (Software-as-a-Service) CRM product, while a competitor offers a better project management platform. In a way we've never had it so good, but as IT and Information Security professionals we must be wary of the downsides of multi-cloud.

Every cloud platform and SaaS product holds data that needs storing properly and user accounts that need strong, effective protection. These disparate systems each come with their own permission model; some have built-in multi-factor authentication (MFA), others don't. And don't forget the pitfalls of Shadow IT: well-meaning teams across departments sign up for product trials, but all too often they are so keen to see what the platform can do that they never stop to secure access to it properly.

So how do you keep abreast of all these developments and ensure company-wide security across the many multi-cloud solutions that have popped up in production, without sacrificing usability? One popular route is to adopt Single Sign On or Same Sign On, which I pair with a robust set of internal policies and supplier reviews. This gives you the assurance that all existing and future products sit behind a single point of management and enforcement for your authentication policies, and that authentication events (sign-ins, MFA challenges, failures) land in one log rather than in each system's own. Application-level audit logs will still live in each product, but you no longer need to know about, and check, every system's separate login records and alerts.

Let's be clear about the small but important difference between Single Sign On and Same Sign On. Single Sign On means a user logs in once and other systems sign them in automatically thereafter, without asking them to re-enter a username or password. Same Sign On means users have a single set of credentials, but must re-enter them on every multi-cloud application they wish to use. Both give you one identity to govern, but only Single Sign On lets your identity provider apply MFA and session policy once and then vouch for the user to each application, typically via a SAML assertion.

Whether you are a small startup or a large multinational, the first thing to do is take stock of the applications and vendors you're using. (You will already have this list to hand if you're ISO 27001 compliant, in the form of your asset and supplier inventories.) Working with your Data Protection Officer and Compliance Team, establish when each vendor was last properly reviewed and what their product offers for Single or Same Sign On. Don't be surprised if you have to reach out to some vendors or dig through their documentation to find out; either way, record which options are available.

Ask each vendor whether SAML integration (or OpenID Connect, if that is what they support) is included in the existing product offering or costs extra; many vendors reserve it for higher-priced tiers. Can you run Single or Same Sign On in parallel with existing accounts for testing, or does it apply to all users the moment you switch it on? And is it possible to block all other authentication methods, so your users must go through your integration? That last point matters: if local passwords remain valid alongside SAML, an attacker who obtains one simply logs in locally and bypasses the MFA and session policies you enforce at the identity provider.

Next, ask whether your business already has any Single Sign On or Same Sign On capability. If you have Azure Active Directory, then you do. Okta, Auth0, JumpCloud and Duo Security all offer Single Sign On solutions you can take advantage of here too.

Does your company have a policy requiring official approval before a cloud product is used? Ideally every such request should go before your DPO and Compliance team for a DPIA. The ICO defines a DPIA as "a process designed to help you systematically analyse, identify and minimise the data protection risks of a project or plan". One of those risks is user access control, which is exactly what we want to standardise with Single Sign On or Same Sign On.

At the very least, to stop new cloud products and platforms springing up across the business, agree with the leadership team that any new trial or deployment must first be vetted. Then turn to the multi-cloud deployments already in use. Work out which ones would pose the most risk to the business and its customers if breached, and work down from there. Using everything you gathered during the supplier review and vendor documentation phases, you can now configure the SAML integrations in your Single or Same Sign On solution.
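To make the "work out which ones carry the most risk and work down from there" step concrete, here is an added example, written for this page rather than taken from the original article or any vendor, that scores a constructed application inventory and lists the gaps a supplier review should raise for each app. The field names, the scoring weights, the 365-day review window and the four sample apps are all assumptions made for the example; substitute your own inventory and risk appetite.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Field names, weights and the sample inventory below are assumptions made for
# this example; they are not prescribed by the article or by any product.


@dataclass
class AppRecord:
    name: str
    data_sensitivity: int        # 1 = public info ... 4 = regulated personal data
    user_count: int
    sso_supported: bool          # vendor offers SAML (or OIDC) integration
    sso_enforced: bool           # all other login methods are blocked
    mfa_native: bool             # product has its own MFA for local accounts
    last_review: Optional[date]  # None = never reviewed by DPO / Compliance


REVIEW_MAX_AGE = timedelta(days=365)   # assumed review cadence
AS_OF = date(2022, 5, 14)              # "today" for the worked example


def review_overdue(app: AppRecord, today: date) -> bool:
    return app.last_review is None or today - app.last_review > REVIEW_MAX_AGE


def sso_gaps(app: AppRecord, today: date) -> list[str]:
    """Findings a supplier review should raise for this app, in order."""
    gaps = []
    if not app.sso_supported:
        gaps.append("vendor offers no SSO; relying on local credentials")
    elif not app.sso_enforced:
        gaps.append("SSO available but local logins still accepted")
    if not app.sso_enforced and not app.mfa_native:
        gaps.append("local logins have no MFA")
    if review_overdue(app, today):
        gaps.append("supplier review missing or overdue")
    return gaps


def risk_score(app: AppRecord, today: date) -> int:
    """Higher = a breach would hurt more, so integrate this app first."""
    score = app.data_sensitivity * 10          # what could leak
    score += min(app.user_count, 500) // 50    # how many accounts (0..10)
    if not app.sso_enforced:
        score += 20                            # local passwords bypass your policy
        if not app.mfa_native:
            score += 15                        # ...and nothing backs them up
    if review_overdue(app, today):
        score += 10                            # stale picture of the vendor
    return score


def prioritise(apps: list[AppRecord], today: date) -> list[tuple[str, int, list[str]]]:
    """Rank apps for SSO rollout: highest risk first, name breaks ties."""
    ranked = [(a.name, risk_score(a, today), sso_gaps(a, today)) for a in apps]
    return sorted(ranked, key=lambda r: (-r[1], r[0]))


# Constructed sample inventory (not real vendors, users or review dates).
SAMPLE_INVENTORY = [
    AppRecord("crm", 4, 300, True, True, True, date(2022, 1, 10)),
    AppRecord("projects", 2, 120, True, False, False, date(2021, 3, 1)),
    AppRecord("design-trial", 3, 8, False, False, False, None),   # shadow IT trial
    AppRecord("wiki", 1, 400, True, False, True, date(2022, 4, 2)),
]

if __name__ == "__main__":
    for name, score, gaps in prioritise(SAMPLE_INVENTORY, AS_OF):
        print(f"{score:3d}  {name:<14} {'; '.join(gaps) or 'no gaps'}")
```

Run as a script it prints the rollout order: the unreviewed shadow-IT trial with no SSO and no MFA comes first, the project tool with SSO available but not enforced second, and the CRM, already enforced behind SSO and recently reviewed, drops down the list despite holding the most sensitive data. The "SSO available but local logins still accepted" finding is the one to chase hardest, since it is the cheapest gap to close and the one that quietly undoes your MFA policy.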

As each one goes into testing, communicate the upcoming change to your users clearly and effectively. A huge part of a successful adoption of Single or Same Sign On is education and training for colleagues and contractors. Users need to know when they must stop using their separate credentials and what will change about the login process. Perhaps they now visit a single portal offering one-click access to all the multi-cloud applications they're authorised to use. Once the cut-over is complete, remove or disable those separate local credentials; otherwise the old login route stays open.

By the end of the project you will have standardised your authentication method and can be confident that every application adheres to your password policy and multi-factor authentication requirements. Your security and compliance teams' workload will go down, as they need only monitor one central repository for authentication events. Your IT Help Desk will love you too, as password-reset and access requests will almost certainly fall.

You’re making life easier for your colleagues, whilst shoring up your security practices and sleeping better at night. What could possibly be better than that?
