Tuesday, October 16, 2018

Establishing a User Base When Using SSO or IP Authentication

For some widely held services it makes sense to migrate from a password-based access program to a single sign-on (SSO) or IP Authentication program:
  • The administrative overhead can be lower: depending on the vendor, you may waste a lot of time getting accurate and current user inventory counts;
  • Better access controls, as you can immediately deactivate user access without relying on the vendor to cancel user accounts;
  • Improved compliance from reduced or eliminated password sharing;
  • Improved visibility into who is using what services.
But it's important to ensure you have a plan for establishing an accurate user base in the absence of vendor supplied user lists. Don't simply implement a new access program for a resource without also knowing who is accessing the service, and how often. 

Accurate user and usage data is an absolute must, for several reasons: 
  • You can't determine the value of a service if you don't know who is using it, and how often;
  • You can't negotiate effectively with the vendor if you don't know how many users are using the service;
  • You can't offer training and remediation to users who aren't using a service but who should be.
So how do you do this without usage data from the vendor? 

Many SSO utilities will give you data on who is accessing a website or application, but it may not be as granular as you need, or capture all the metadata you want. And with IP Authentication the situation is even more dire: for the most part you're still stuck with using vendor supplied data. 

Instead, I recommend installing a usage monitoring token on your proxy server. Firms that offer these services include Lucidea, OneLog, ResearchMonitor and H&H. With a usage monitoring service you will have detailed information on who your users are and how they are using the service. When combined with an SSO access program, you're not really compromising anything with respect to establishing a user footprint for such services.
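The kind of report a proxy-side usage monitor produces can also be built from your own proxy logs. The following is an added example (not code from this post or from any of the vendors named above): it parses a constructed, simplified log format in which the proxy records the SSO username on each request, then answers the three questions raised earlier, who uses each service and how often, which entitled users show no usage (candidates for training), and which users are accessing a service without being on its entitlement list. The log lines, hostnames, usernames and the entitlement table are all constructed for the example.

```python
"""
Added example: build a user inventory and usage report from proxy access logs.

Assumes a proxy that writes the authenticated SSO username on every request.
The log format is constructed for this example, not any vendor's real format:
    <ISO timestamp> <username> <service host> <HTTP status>
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2018-10-01T09:12:03 alice research.example.com 200
2018-10-01T09:14:21 alice research.example.com 200
2018-10-01T10:02:45 bob research.example.com 200
2018-10-02T11:30:00 alice news.example.com 200
2018-10-03T08:45:10 carol research.example.com 403
2018-10-03T09:00:00 bob news.example.com 200
2018-10-05T14:20:00 dave research.example.com 200
"""

# Constructed entitlement list: the users licensed for each service.
ENTITLED = {
    "research.example.com": {"alice", "bob", "carol", "erin"},
    "news.example.com": {"alice", "bob"},
}


def parse_log(text):
    """Parse log lines into (timestamp, user, service, status) tuples; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line: ignore rather than miscount
        ts, user, service, status = parts
        try:
            records.append((datetime.fromisoformat(ts), user, service, int(status)))
        except ValueError:
            continue
    return records


def usage_report(records):
    """Per service: successful request count, unique user count, and per-user request counts.

    Only 2xx responses count as usage; denied or failed requests are not 'use'.
    """
    raw = {}
    for _ts, user, service, status in records:
        if not 200 <= status < 300:
            continue
        entry = raw.setdefault(service, {"requests": 0, "users": defaultdict(int)})
        entry["requests"] += 1
        entry["users"][user] += 1
    return {
        service: {
            "requests": e["requests"],
            "unique_users": len(e["users"]),
            "per_user": dict(e["users"]),
        }
        for service, e in raw.items()
    }


def inactive_entitled_users(report, entitled):
    """Users entitled to a service who show no successful usage (training candidates)."""
    return {
        service: sorted(users - set(report.get(service, {}).get("per_user", {})))
        for service, users in entitled.items()
    }


def unentitled_users(report, entitled):
    """Users with successful accesses to a service they are not on the entitlement list for."""
    return {
        service: sorted(set(e["per_user"]) - entitled.get(service, set()))
        for service, e in report.items()
    }


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    rep = usage_report(recs)
    for service, e in sorted(rep.items()):
        print(f"{service}: {e['requests']} requests, {e['unique_users']} unique users")
    print("inactive entitled:", inactive_entitled_users(rep, ENTITLED))
    print("unentitled access:", unentitled_users(rep, ENTITLED))
```

Run against a real proxy log, the three functions give you a negotiating number (unique users per service), a remediation list (entitled but inactive), and a license-compliance check (active but unentitled), without waiting on a vendor-supplied user list.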

No matter what access program (or programs) you use, it's imperative that you have accurate and reliable user and usage data. Don't switch from vendor-managed access control (passwords) to SSO or IP Authentication without having a plan in place to capture this valuable information.

- Kevan Huston
