End of the road for single sign-on

Cost and complexity mean the users' nirvana of a single password may never arrive, writes Julia Vowler

For a good few years now single sign-on (SSO) has been held up as the longed-for nirvana of corporate IT security. Given IBM's figures of seven password and identification combinations that the average IT user has to remember, it is not surprising that the idea of SSO is popular.

But, argues Geoff Norman, research associate at technical consultancy Xephon, despite enthusiasm for the technology by both suppliers and users, it is more chimera than nirvana and it is time to give up on it.

SSO, he says, is simply too difficult and too expensive to grapple with. "Corporate IT is very complex - Xephon's surveys consistently show that the average enterprise runs four different server platforms, each of which has its own standard for access security and may support more than one database product, each with its own access criteria," points out Norman.

On top of that, third party software products have their own sign-on variations, and the arrival of e-business and the extended enterprise means that users in one organisation will need to access software in other organisations as well, compounding the problem.

The final straw to break the SSO back, says Norman, is the spread of mobile computing, with more access devices out in the field to take into the bulging SSO fold.

Put all of that into a prevailing environment of high structural volatility, endless restructurings, acquisitions, mergers and de-mergers, and achieving SSO gets even tougher.

"SSO must handle high levels of heterogeneity, and must be capable of crossing enterprise boundaries," warns Norman. "Maintaining the mapping of the access privileges of thousands of users against hundreds of computing resources is an enormous undertaking. Existing methods are very labour intensive, with limited help from the use of templates, grouping of users and so on."

On the cost-justification front too, there are difficulties, says Norman, although he concedes that helpdesk costs are reduced with SSO.

All in all, SSO as we now know it will soon cease to have any relevance, says Norman. It will be, he believes, nothing more than "one of the many oddities in the history of computing".

Instead, the future for secure, manageable access in the new world of heterogeneous, highly extended mobile IT lies with the new platform-independent technologies such as Java (security cookies on every access device), piggybacking security access on messaging and queuing technologies, organisational level access privileges (HR cancels access rights of staff-leavers) and data-level security enacted at the storage sub-system level rather than the increasingly complex application level.
