Identity and Access Management is a Great Start! Now What?

You have so many solutions to so many problems spread across every department and, as we’ve discussed previously, it’s quite an undertaking to identify, much less qualify, each and every one of them for appropriate ROI, security, and just plain efficiency.

One technology that is super helpful and can bring an organization into a much tighter focus is Single Sign On (SSO). SSO identity and access management allows individuals to have a single identity/password that works for all the various services they use throughout their workday.

Identity and access management in a nutshell

The major IDaaS providers – big names like Microsoft, IBM and Salesforce as well as specialists like Okta, Centrify, OneLogin and SailPoint – use authentication protocols or authorization frameworks like OAuth2, SAML, or OpenID Connect to pass around tokens or assertions. If you want to learn more about how the technology works, here’s a great explainer on the gluu blog.

Obviously this goes a long way towards cleaning up a couple of the top-line problems companies face with SaaS:

  • If the software is enabled for SSO, you know what it is and how to access it – it is no longer phantom IT
  • You can enforce more stringent and modern password policies – forcing a change every 3 months with a more complex password, for instance
  • For every solution that is identified, some of the major issues with employee offboarding become easier
  • Suddenly you have centralized data you can consult on how many times an employee is accessing any given app

Sounds great! Let’s do that and all our problems are solved, right?

Well, not ALL of your problems, but it is a great start!

What else do you need to do?

Logins don’t tell much of the story.

Let’s look at an application that is very important to my work, for example Pixelmator. I write blog articles, do social media, and a variety of other things that require images. And images need to be sized properly and optimized (not to mention named, tagged, and filed properly, but that’s another DAM story). It’s the web – images are critical. But I try to plan my work so I only do images every so often – the work is repetitive and quick – so I log in, do a couple dozen things, tilt my head a few times, and then move along. So the value of the login is pretty substantial, but the interactions are quick and not really that numerous. If you take the tool away from me, I guess I could use my phone and the copier…

And what about something from ERP? I was at my last job for 3 years and logged into the HR system maybe a dozen times. Most of those were very critical – PTO logging, or looking up my healthcare plan – and some were less so – annual self-reviews, bleechcchchc. But my logins aren’t the measure of the value of that system – it is the logging and tracking of very important metadata about my term as an employee.

SSO doesn’t address Phantom IT

SSO is complex and hard to set up. If a few of your vendors don’t support SAML, say, you are likely to make an exception for them so as to keep your business from stalling. Then, as departments buy new products, if there aren’t a ton of users or the SSO set-up process is unwieldy, integration tends to be dismissed. The exceptions proliferate and grow inside the org, and the problem is back.

And, of course, rogue applications – the unknown or unlisted – will not show up on the SSO list.
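To make the two points concrete, the centralized access data SSO gives you and the apps that never show up on the SSO list, here is an added example that is not from the original post and not any identity provider’s own tooling. It counts successful sign-ins and distinct users per app from a constructed set of SSO audit events, then reconciles those apps against a constructed procurement inventory so that paid-for apps living outside SSO (the exceptions described above) and SSO apps nobody recorded buying both surface. The event field names, app names, owners and seat counts are all assumptions for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample SSO sign-in audit events (one JSON object per line).
# The field names are an assumption for this example, not any vendor's real schema.
SSO_EVENTS = """\
{"ts": "2024-03-01T09:02:11Z", "user": "alice", "app": "Pixelmator", "result": "success"}
{"ts": "2024-03-01T09:05:40Z", "user": "bob", "app": "HR Portal", "result": "success"}
{"ts": "2024-03-02T10:12:03Z", "user": "alice", "app": "Pixelmator", "result": "success"}
{"ts": "2024-03-03T14:20:00Z", "user": "carol", "app": "CRM", "result": "success"}
{"ts": "2024-03-03T14:21:17Z", "user": "carol", "app": "CRM", "result": "failure"}
{"ts": "2024-03-04T08:00:00Z", "user": "dave", "app": "CRM", "result": "success"}
{"ts": "2024-03-05T11:45:09Z", "user": "alice", "app": "Wiki", "result": "success"}
"""

# Constructed sample: what procurement/finance knows the company is paying for.
VENDOR_INVENTORY = [
    {"app": "Pixelmator", "owner": "Marketing", "seats": 5},
    {"app": "HR Portal", "owner": "HR", "seats": 200},
    {"app": "CRM", "owner": "Sales", "seats": 40},
    {"app": "Design Studio", "owner": "Marketing", "seats": 3},  # never integrated with SSO
]


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_events(text):
    """Parse newline-delimited JSON sign-in events into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = _parse_ts(ev["ts"])
        events.append(ev)
    return events


def usage_by_app(events, since=None):
    """Count successful logins and distinct users per app, optionally from 'since' onward.

    'since' is an ISO-8601 UTC string like the event timestamps. Failed sign-ins
    are excluded: they say something about typos or attacks, not about usage.
    """
    cutoff = _parse_ts(since) if since else None
    stats = defaultdict(lambda: {"logins": 0, "users": set()})
    for ev in events:
        if ev.get("result") != "success":
            continue
        if cutoff is not None and ev["ts"] < cutoff:
            continue
        stats[ev["app"]]["logins"] += 1
        stats[ev["app"]]["users"].add(ev["user"])
    return {app: {"logins": s["logins"], "users": len(s["users"])}
            for app, s in stats.items()}


def reconcile(sso_stats, inventory):
    """Compare the apps the SSO logs know about with the apps the company pays for."""
    inv = {v["app"]: v for v in inventory}
    sso_apps, inv_apps = set(sso_stats), set(inv)
    managed = {}
    for app in sso_apps & inv_apps:
        seats = inv[app]["seats"]
        managed[app] = {
            **sso_stats[app],
            "owner": inv[app]["owner"],
            "seats": seats,
            # Distinct users who actually signed in, as a share of licensed seats.
            # Low utilization is a question to ask, not proof of waste: the HR
            # system in the post is logged into a dozen times in three years.
            "seat_utilization": sso_stats[app]["users"] / seats,
        }
    return {
        # Known to both: SSO gives you usage data, procurement gives you cost and owner.
        "managed": managed,
        # Paid for, but users sign in with a separate password: the exceptions
        # that pile up when SSO integration is skipped for a vendor.
        "paid_but_outside_sso": sorted(inv_apps - sso_apps),
        # Wired into SSO, but nobody recorded buying it; worth a question to the owner.
        "in_sso_but_not_in_inventory": sorted(sso_apps - inv_apps),
    }


if __name__ == "__main__":
    report = reconcile(usage_by_app(parse_events(SSO_EVENTS)), VENDOR_INVENTORY)
    print(json.dumps(report, indent=2))
```

Run against real data, the interesting output is the two lists at the bottom of the report rather than the login counts: each name in `paid_but_outside_sso` is a system whose offboarding and password policy the SSO cannot enforce, and the `since` window lets you separate "never integrated" from "integrated but idle this quarter".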

Identity and access management is about security. It’s not about management of systems. It’s not about reporting. It’s not about identifying waste. The purpose of SSO is to let you manage users’ passwords centrally rather than having a separate password for every person on every system. It can help you identify the lion’s share of the systems being used, and it is a great step in your security plan, but it should not be relied on as the end-all of vendor security management.