
Tuesday, October 16, 2018

Establishing a User Base When Using SSO or IP Authentication

For some widely held services it makes sense to migrate from a password-based access program to a single sign-on (SSO) or IP Authentication program:
  • The administrative overhead can be lower: depending on the vendor, you may waste a lot of time getting accurate and current user inventory counts;
  • Better access controls as you can immediately deactivate user access without relying on the vendor to cancel user accounts;
  • Improved compliance from reduced or eliminated password sharing;
  • Improved visibility into who is using what services.
But it's important to ensure you have a plan for establishing an accurate user base in the absence of vendor supplied user lists. Don't simply implement a new access program for a resource without also knowing who is accessing the service, and how often. 

Accurate user and usage data is an absolute must, for several reasons: 
  • You can't determine the value of a service if you don't know who is using it, and how often;
  • You can't negotiate effectively with the vendor if you don't know how many users are using the service;
  • You can't offer training and remediation to users who aren't using a service but who should be.
So how do you do this without usage data from the vendor? 

Many SSO utilities will give you data on who is accessing a website or application, but it may not be as granular as you need, or capture all the metadata you want. And with IP Authentication the situation is even more dire: for the most part you're still stuck with using vendor supplied data. 

Instead, I recommend installing a usage monitoring token on your proxy server. Firms that offer these services include Lucidea, OneLog, ResearchMonitor and H&H. With a usage monitoring service you will have detailed information on who your users are and how they are using the service. When combined with an SSO access program, you're not really compromising anything with respect to establishing a user footprint for such services.

No matter what access program (or programs) you use, it's imperative that you have accurate and reliable user and usage data. Don't switch from vendor-managed access control (passwords) to SSO or IP Authentication without having a plan in place to capture this valuable information.

- Kevan Huston

Wednesday, September 12, 2018

Help Your Vendors Help You with a Robust Access Control Program

It's the little things that matter in information services management.

One of the "little things" that matters most to vendors is sharing of passwords.

I get why. It's perfectly fair that vendors be compensated for the services they offer. And in all likelihood you've agreed to do so in your service agreement with them.

Nothing will drive a vendor crazier than repeated sharing of passwords.

As an information services manager, it should drive you crazy too.

I won't hesitate to "lower the hammer" on password abuse by my users. I won't tolerate it.

Every time a password is shared, every time an unauthorized user is caught using a service, you irritate your vendor, reduce your negotiating leverage, and expose your firm to reputation and legal risk.

You run the risk of being found in breach of contract and losing access to the service. You may face stiff penalties - termination, compensation or equitable relief. Not good.

You owe it to your vendor relationship, your company and your professional ethics to assiduously oversee the use of the products you subscribe to.

You can do this with a robust access control program that uses an identity and access management solution like Ping, Centrify or Okta.

Or look at an Electronic Resource Management (ERM) utility that also offers a basic password management and access control solution. Lucidea, OneLog, ResearchMonitor and H&H offer access control modules.

The way it works is this: you ensure that if you have one user for a product and the seat is not transferable, only that user can access the product.

You can block the product website from all users apart from the named user. This is a somewhat clumsy approach - there may be free content on the site that other users can take advantage of.

A better approach is to centrally administer the passwords used to access the pay-walled content. Again you can use a full-service company like Ping for this, an ERM solution, or a lighter weight access management solution like LastPass.

If access is based on IP Authentication or a Single Sign-On (SSO) protocol like SAML, that's even better. Rather than worry about administering passwords, you can simply grant access to the site to the users or groups of users it's licensed for.

There are many options for access control. You should look into it carefully. Your vendors will appreciate it. This will build goodwill and trust with your vendor, which should translate into better prices for the products you buy.

- Kevan Huston
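Both posts come down to the same two questions: who is actually using each service, and is every user seen a licensed one? The script below is an added example, not code from either post or from any of the vendors named; it builds a per-service user footprint from proxy access logs of the kind a usage monitoring token would capture, and checks each access against a licensing map. The log format (timestamp, user, host, path), the sample lines and the entitlement map are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log lines: timestamp, user, host, path.
SAMPLE_LOG = """\
2018-10-01T09:12:03 asmith research.example.com /search?q=contracts
2018-10-01T09:40:51 bjones research.example.com /doc/123
2018-10-02T14:05:10 asmith research.example.com /doc/456
2018-10-02T15:22:44 cdoe newsdb.example.net /article/789
2018-10-03T08:01:00 bjones newsdb.example.net /article/790
2018-10-03T11:30:27 dlee research.example.com /doc/457
"""

# Constructed licensing map: service host -> named users holding a seat.
ENTITLEMENTS = {
    "research.example.com": {"asmith", "bjones"},
    "newsdb.example.net": {"bjones", "cdoe"},
}

def parse_log(text):
    """Yield (timestamp, user, host, path) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2], parts[3]

def usage_footprint(text):
    """Per service: request count, distinct users and most recent access."""
    stats = defaultdict(lambda: {"requests": 0, "users": set(), "last": None})
    for ts, user, host, _ in parse_log(text):
        s = stats[host]
        s["requests"] += 1
        s["users"].add(user)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    return {h: {"requests": s["requests"], "users": sorted(s["users"]),
                "last": s["last"]} for h, s in stats.items()}

def unlicensed_access(text, entitlements):
    """Return (user, host) pairs seen in the log with no licensed seat."""
    hits = set()
    for _, user, host, _ in parse_log(text):
        if user not in entitlements.get(host, set()):
            hits.add((user, host))
    return sorted(hits)
```

The footprint gives the headcount and activity figures needed for renewal negotiations and for spotting licensed users who never log in, while the unlicensed list is the early warning that a seat is being shared before the vendor raises it.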