Last week, the popular file-sharing service Dropbox (News - Alert) announced it is shifting its focus from individual consumers to business customers. It’s also supporting single sign-on (SSO), which lets users access multiple applications using just one name and password.
Dropbox’s support is indicative of SSO’s coming-of-age, and we predict that those who have yet to adopt it will soon move in that direction, just as Dropbox has.
It also highlights the ever-increasing usage of cloud apps like Dropbox by global enterprise. In fact, our 2013 State of Cloud Adoption Access Study – based on a survey of IT decision makers – found that 78 percent of respondents planned to increase the number of cloud applications in their organizations this year.
Alongside the increase in cloud apps within the enterprise, SSO has enjoyed a rapid adoption rate among enterprises of various sizes due to a few key benefits, including the fact that it significantly reduces inbound calls to IT help desks and improves worker productivity by removing the onerous task of having to track multiple passwords for multiple enterprise apps. It also minimizes security risks in an enterprise environment where 43 percent of IT managers admit that employees are managing passwords in spreadsheets or, worse, Post-It Notes (another finding from our study).
However, the news is significant for a host of other reasons. SSO leverages Security Assertion Markup Language (SAML), an XML-based open standard data format for exchanging authentication and authorization data between an identity provider and a service provider. By adopting this open standard, Dropbox is making life easier for end users while at the same time allowing IT to tightly control employee access to the application – which is the biggest advantage of the SAML standard.
Just as importantly, by adopting SAML, Dropbox is helping to shine a light on an almost ubiquitous source of serious IT department headaches, shadow IT.
What is shadow IT? Any IT system built or used inside an organization without approval qualifies, from instant messaging apps to web-based E-mail to self-developed apps or macros – and of course file sharing apps like Dropbox and Google (News - Alert) Docs. Anytime data or apps are moved outside of protected networks, it becomes a serious security risk for the organization.
In fact, in the same survey on cloud application adoption cited earlier, in which Dropbox was specifically mentioned, results showed that 71 percent of respondents admitted to using cloud applications – like Dropbox and Gmail – that had not yet been sanctioned by their IT department to get work done. I'm going to make a prediction that when this survey is conducted again a year from now, we're going to see a significant drop in that number.
We’ve actually seen this coming for a while. In addition to Dropbox, which uses an open source SAML toolkit from OneLogin, we’ve had over 70 other SaaS (News - Alert) vendors use it, including file sharing companies Egnyte, YouSendIt and Citrix ShareFile.
Clearly, the momentum is building.
Another benefit: SAML’s unique properties increase overall security. The mathematical principles behind SAML are quite strong and are also used in asymmetric encryption. Identity providers issue key pairs (public/private) and makes the public key available to the applications enterprise users are signing into. At the same time, the private key can be used to provide XML-based security assertions with digital signature, at which point the assertion is delivered to the intended app via an employee’s browser. The app is then able to verify via the public key that a given user’s security assertion is permitted, which leads to successful sign-on on the part of the user.
When a company like Dropbox jumps on the SAML bandwagon, it becomes a significant validation that cloud application security and ease of use can be mutually reinforcing. IT departments and end users both win.
Thomas Pedersen is co-founder and CEO of identity access provider OneLogin.
Edited by Stefania Viscusi