Deciding to adopt an enterprise SSO solution is a major decision. Get it right, and you’ll protect the organization’s assets and employees for years to come. Get it wrong, and you’ll increase security risk. There’s also significant testing and implementation work involved to bring an enterprise SSO (single sign-on) solution online, so take your time.
The Five Key Qualities Your Enterprise SSO Solution Must Have
As you review the options on the market, ask your team to use these criteria as must-haves. Depending upon your situation, you may give more weight to one quality over others. For example, if your organization has high security needs, you may be comfortable with a high-priced solution to meet your requirements.
1. Does the Enterprise SSO Solution Have the Right Technical Capabilities?
Without the right technical capabilities, no single sign-on solution can work effectively. On the other hand, there’s no such thing as a comprehensive solution. Therefore, we recommend identifying two tiers of technical capabilities. First, determine the “must have” technical capabilities. Is it coverage for your most critical systems, such as integration with your directory? Second, define your “nice to have” added value capabilities, such as SaaS coverage and terms of use tracking.
In evaluating vendor comments about their capabilities, exercise skepticism about future or planned features. It’s easy to promise new technical features 12 months from now.
2. What’s the SSO Solution’s Impact on Employee Experience?
In our view, an enterprise SSO solution has a significant impact on the employee experience. In short, SSO should make it easier for employees to get there work done. Put yourself in the end user’s shoes for a moment. Right now, they might have an Excel file with a long list of passwords. Five times per day, they have to open up that file to locate login information. Alternatively, they may ask to use a third-party password management tool, which introduces greater uncertainty into your security.
To assess the impact on the employee experience for various SSO solutions, there are two routes you can use. First, start with quantitative evaluation. You can measure how long authentication activities (including password reset requests) currently take. Next, you can compare that situation to the impact of implementing single sign-on. Ask the SSO solution provider if you can do a small pilot test to measure the productivity impact.
3. Is the Enterprise SSO Solution Credible in Terms of Cybersecurity?
Cybersecurity credibility expectations are continually increasing. As you evaluate different solutions on the market, ask tough questions to assess their credibility. To streamline the process, we recommend assessing credibility using the following criteria.
- Technology: Ask about the software development process used by the SSO vendor. How does it build in security controls, monitoring, and testing throughout the process? You may also ask how the organization manages its security internally (e.g., patch management practices).
- People: Verify the credentials and expertise of the company’s technology professionals. With a small company (i.e., under 100 total employees), you might ask about security certifications such as ISACA certifications. With a larger vendor, focus your attention on senior management and oversight. Does the organization have a robust culture to develop security expertise?
- Process: Seek to understand the day-to-day processes and methods the company uses to ensure high levels of security. For example, the company might hire an outside expert to conduct penetration testing on each monthly release. Alternatively, look for examples of how the company detects and responds to security flaws in its software. Is it proactive in finding problems and advising customers about them?
4. What’s the Total Cost of Ownership for the SSO Solution?
It shouldn’t be the primary point to consider, but you do need to factor in cost. There are several aspects to an enterprise SSO solution’s cost to look at. Start with understanding the pricing model of the software itself. Is it easy to understand? Complicated pricing models tend to involve more work for the customer to understand. Next, find out about typical implementation and training costs and understand the options involved (e.g., minimal vs. extensive customization). Finally, ask about maintenance and support packages. If an SSO solution breaks down, your employees won’t be able to do anything, so rapid support is critical.
5. What Management Reports Are Available?
Without reports and data, managers can’t detect problems in their environment. That’s why an effective SSO solution will need to include extensive reporting capabilities. Here are some of the monitoring and reporting capabilities to consider:
- Terms of use reporting: Obtain data showing whether staff is following terms of use requirements for the software. This tracking will also help to increase user awareness of security as they use different applications.
- SaaS license usage: You probably pay for many different SaaS applications. How many of them are used? Some SSO solutions can deliver SaaS license usage to help managers understand this part of the business.
- SSO coverage: Track what percentage of your users and systems are using the SSO platform. To maximize productivity gains, we suggest aiming for 100% coverage as soon as possible.
Your Next Step After Creating a Shortlist of Enterprise SSO Solutions
With the five SSO qualities outlined above, you can take the dozens of SSO solutions on the market and create a shortlist. After that step, the next will vary depending upon your company. Large firms may have an RFP (request for proposal) or RFQ (request for quote). Less process-driven organizations may simply need to see a reasonably strong business. For guidance on creating a business case, check out our post: Get Your SSO Software Project Funded with a Business Case.