How Many Passwords Do You Manage and Why Leverage Single Sign-on

Passwords are a problem.  We have seen this statement echoed by numerous security professionals over the years, yet we all still heavily rely on passwords every day to access applications at work and at home.  As the proliferation of mobile devices continues at a rapid pace, more and more employees are using personal devices to access corporate networks.  As the number of applications they use continues to grow, it becomes increasingly difficult for IT teams to track and manage users and their permissions.

During Infosecurity Europe 2014, the Centrify team conducted a flash poll which found that 94 percent of IT security professionals use third-party applications for work.  Of those surveyed, more than half admitted they had accessed sensitive corporate information over unsecured networks, such as in coffee shops or airports.  Even more worrisome was that eight percent did not have a password or a PIN code protecting their device.  These findings reinforce our industry's concerns, highlighting an alarming trend in which employees appear unconcerned about the potential exposure of sensitive corporate data.

We don’t believe the employee is the problem; the problem is the passwords they use.  As the number of applications being used grows exponentially, so does the number of passwords.  Users have the choice of using the same password across multiple applications and systems, or having the challenge of remembering a different one for each.  From a business perspective, we don’t see this as feasible, and only highly security-conscious users are likely to do the latter.

The cost of too many passwords

As businesses develop, they invest in new systems and technologies, such as additional servers for on-premise applications or hosted Software-as-a-Service (SaaS) applications, to help drive the business forward.  Logging in to these new systems requires an additional username and password for employees.  This creates islands of identity, each with significant management challenges for IT teams, and lowers the productivity of users who are forced to memorise yet more login credentials.  The explosion in usernames and passwords for business and IT staff has led an increasing number of users to develop coping techniques, such as creating weak or easily memorable passwords that are easy for hackers to determine, which, as we have seen, can lead to costly data breaches.

We know that data breaches are not the only problem with lost or stolen passwords.  Ask any IT helpdesk how much time they spend having to reset passwords and they’ll likely tell you it happens far more often than anyone realizes.  The time IT staff spend handling user accounts across different identity stores can be measured in hours, taking time away from focusing on important security projects to instead deal with these commonplace and avoidable tasks.

So as this painful problem grows, where we are all trying to use, remember and manage far too many passwords both in our work and personal lives, the solution is simple – leverage single sign-on (SSO).  It lets a user enter one username and password to log on to multiple applications within an enterprise.  Not only will SSO significantly reduce the time IT needlessly spends on resetting passwords, it also provides the capacity to enforce authentication policies across an organization.

We expect to see more and more products and services being used by organizations as time goes on, and we’re approaching a tipping point where the management of usernames and passwords is becoming unmanageable.  For the security-conscious there are always going to be solutions that can be leveraged, such as two-factor authentication, and whilst it will certainly keep an organization secure, the time needed to sign in to each account continues to grow, reducing productivity across the organization.  We at Centrify know that single sign-on can increase business agility and security by leveraging an organization’s existing identity infrastructure.