There are some technologies federal agencies are adopting because of policy or because that is where the IT market is headed, with cloud being a perfect example of both. However, there are some technologies prescribed by law for agencies to implement, and one of them is single sign-on.
Specifically, 6 U.S. Code § 1523(b)(1)(D), a provision of law governing federal cybersecurity regulations, states that agency heads must “implement a single sign-on trusted identity platform for individuals accessing each public website of the agency that requires user authentication,” as developed by the General Services Administration in collaboration with the Department of Homeland Security.
Single sign-on is not a new technology for government, and many agencies have been using on-premises instances of the technology for years to authenticate users and allow access to the applications. And in 2017, the GSA’s 18F unit and the U.S. Digital Service worked together to create login.gov, an SSO solution for government websites “that lets the public access services across select agencies with the same username and password.”
As agencies move more apps to the cloud, they will likely adopt cloud-based SSO solutions to help users manage access to all of them, according to experts. Although adoption of cloud-based SSO from companies such as Okta and OneLogin is still nascent, it is almost certain to grow in the years ahead.
What Is Single Sign-On?
At its most basic, SSO is “a high-level term used to describe a scenario in which a user applies one set of credentials to access multiple domains,” Tracy David, a cloud client executive at CDW, explains in a blog post. “Simply put, you sign in one time with a single high-strength password and gain access to all the applications you are authorized to use.”
Under SSO, users no longer need to remember different passwords for each application they access. SSO uses the Security Assertion Markup Language protocol, which is an Extensible Markup Language standard that allows a user to log on once for affiliated but separate websites, David notes. Instead of using individual passwords to access apps, SSO uses “highly complex encrypted keys, which the end user has no access to view or change.”
For years, SSO systems or identity management systems were on-premises applications, from vendors such as CA, IBM, Oracle and RSA, notes Thomas Pedersen, CTO and founder of OneLogin. It was an age of cybersecurity defined by perimeter security and firewalls.
“Single sign-on is really becoming one of the most important security products for companies that operate in the cloud, and these days you cannot operate if you are not in the cloud,” he says. “The only way to control access to the cloud is single sign-on.”
Employees today in the federal government and the private sector use many apps at work, notes Ted Girard, Okta’s vice president of public sector, and they need a distinct password for each.
“This actually makes organizations less secure, because users are reluctant to create multiple complex passwords and instead adopt poor habits, like using the same password across all of their apps,” he says. “This is one of the reasons why 80 percent of breaches are due to weak or stolen credentials. Instead, by having just one complex, single-sign-on password and protection with multifactor authentication, organizations can become more secure and help their workforces become more productive.”
Pedersen notes that very few organizations forgo anti-virus software, but very few are willing to eliminate passwords. “The two weakest links in the security chain are people and passwords,” he says. “We can’t eliminate people. We can only eliminate passwords.”
Why Is Single Sign-On Technology Important for Feds?
According to a survey of 150 federal IT professionals OneLogin released in February, federal IT teams said they have 51 percent of their apps in the cloud and 49 percent on-premises, on average. “Most use less than 50 business apps now but expect that number to grow significantly over the next two years,” OneLogin says in a press release.
“As enterprises get familiar with and excited by the ease of cloud applications, they will start deploying single sign-on in the cloud as well,” Pedersen predicts, though he acknowledges that adoption of cloud-based SSO is low in the government right now.
Earlier this week, OMB issued a new, formal policy on identity, credential and access management, and while it does not specifically mention single sign-on technology, it does mention “cloud identity” being a possible result of continuing government innovation around ICAM.
“The federal government has a mature practice around identity management and single sign-on and has been doing it for a while — they’ve just been doing it with legacy solutions,” Girard says. “Federal agencies are now realizing that they need to modernize IT, and the Office of Management and Budget’s identity and security memo is rooted in that realization. Legacy systems are brittle and don’t serve modern needs, so federal agencies are pulling them out at the root.”
As agencies modernize and roll out more apps, their IT leaders are realizing that SSO becomes more and more important, Girard says.
“Agencies and their workers are using cloud-based services, with a focus on best-of-breed,” he adds. They are using Skype for Business for communication, Salesforce for customer management, and so forth. “Identity needs to be its own independent platform that allows users to choose what service is best for them,” he says.
Both Pedersen and Girard say that as agencies shift more apps to the cloud, adopting a cloud-based SSO solution will become more necessary and make more sense.
The Shift to Cloud-Based Single Sign-On
Adoption of cloud-based SSO is low in the government right now. Pedersen notes that fewer than 10 agencies in the Federal Risk and Authorization Management Program marketplace are using it.
Many agencies are still using on-premises SSO, he says. However, he predicts agencies will face challenges with those solutions as they shift more apps to the cloud. “It’s expensive and labor-intensive to turn on single sign-on for just one app,” he says.
OneLogin, which has achieved “FedRAMP Ready” status, is working with a handful of agencies on projects. Pedersen says he expects to get full authorization to operate from FedRAMP later this year.
Girard notes that the Defense Department’s forthcoming Joint Enterprise Defense Infrastructure cloud contract is a signal that cloud adoption is hitting its stride in government. Many other agencies are continuing their push to the cloud and will accelerate the “the idea of moving identity with it,” he says.
Okta became FedRAMP certified in April 2017. It also added native integration with Personal Identity Verification cards/Common Access Cards, and has a Federal Information Processing Standards 140-2 accreditation. Okta currently works with the Centers for Medicare and Medicaid Services, the State Department and other civilian and defense agencies, Girard says.