Hello!
I have been given another side-quest at work - to look into SSO/MFA Providers. However, I know very little about them.
My organisation is linked to the Scottish Government but not part of it.
SG are moving to using Okta for SSO/MFA, and while we can piggy-back on that (as SG provide our IT systems), our data protection folk are worried about it being controlled by SG's IT team and them being able to access info about when we access our IT systems (as we have some independent cloud-based systems that are outside of SG's IT department). So while we could get Okta for free through SG, to set it up ourselves independently is looking to cost around £20k/year as their pricing is for huge enterprise setups.
So, are there other SSO/MFA providers out there who are good and would cost less, for a requirement of around 200 licenses?
FWIW, I disagree with the data protection folk's approach here and think their cost/benefit/likelihood of breach calculations don't add up, but the motions must be gone through.
I'm currently using Microsoft Azure Active Directory B2C.
I'm not sure of the costs but have been told that the pricing is very good compared to others that were looked at.
So might be worth a look? I'm pretty certain a proof of concept could be done without charge.
Duo and Azure Active directory MFA (Needs an Azure AD P2 plan to do properly) are the two other big players.
The question is are you wanting M/2FA for sso web apps only or do you want this for servers and client desktops too? If it’s the latter then rule out Azure AD.
Is this SSO/MFA for your own people, partners or consumers/customers?
What existing IT do you have? Are you a Microsoft 365 customer, Google, Amazon? If you're already paying for something, start with that.
Azure AD is included in a lot of the Office 365/Microsoft 365 subscriptions and will almost certainly do what you need. Okta is another widely used solution.
If it's for consumers, AAD B2C gives a chunk of free capacity with certain licencing levels.
(Disclaimer - I'm a Microsoft technical lead working with big customers. Internally we're SSO for everything with risk based MFA, using Microsoft Authenticator alongside Windows Hello. We're essentially passwordless now too).
The question is are you wanting M/2FA for sso web apps only or do you want this for servers and client desktops too? If it’s the latter then rule out Azure AD.
You can be pure AAD for desktops/laptops, if you set it up correctly with Intune managing (See Microsoft Managed Desktop, that's pure AAD). On-prem servers would need on-prem AD though.
data protection folk are worried about it being controlled by SG’s IT team and them being able to access info about when we access our IT systems
Sounds like more of an internal governance issue. Can you ensure the audit controls are in place to ease their worries?
Sorry, more info - it's for our own staff to access cloud hosted applications for internal use.
We're on a Microsoft set up through Scottish Government, though they haven't gotten to O365 yet. They are moving to Okta soon and can give it to us for free.
So, we haven't got an IT department and have no access to our Microsoft administration control panels so I don't think the Microsoft solutions will work so we need to find something like Okta, but cheaper?
As @jimmy says, I think this issue can be solved with internal controls, but I have been asked to look at options.
^^ This 100%. I'd jump on the back of Okta, save money but ensure adequate controls are in place. Decent tool, no need to reinvent the wheel, especially if you don’t have the team / support / budget to manage AD.
Make sure it meets your needs via high level RFP into pre sales. E.g Full list of on prem and cloud services you need it to work with. Make sure you have budget for ongoing fees.
Many large Cos will have the same issue putting in place Chinese Walls to stop data leaks that Okta should be able to deal with.
If you haven’t got an IT Team and are using SG Active Directory for majority of access then you have very limited options for SSO. You can set up separate logons for the applications if security and audit is critical. You could get SG to set up a child domain or you could set up your own and get trusts set up for AAD but again you’ve got no IT Team to manage it.
I’d look at setting up internal reporting to monitor access to assure no unauthorised logons. Everything else is complex for your use case.
I've been deploying Azure AD extensively for SSO authentication in my current place of work, and I think Okta is the only alternative I would seriously consider due to these products being the most widely supported by the various services we've purchased. Auth0 is the other product that is sometimes mentioned, but it doesn't seem to have as much industry support. If you did want to use a less mainstream OAuth2.0/SAML provider for authentication, you would need to get more into the detail of configuration and user admin, which is a big overhead for a small organisation without a large IT dept.
I'd be going back to your data protection team and querying their concerns. Okta will be used for authentication but you'll still have responsibility for authorising these users to access your systems. The Okta administrators won't have direct access to the underlying data you are protecting, and auditing & alerting can be used to capture the assigning of users to your authentication group. I'd also query what value they are placing on access logs, and why they are concerned that a trusted(?) third party can tell when you access your data.
It also looks like Okta can do multi-tenant or delegated administration, so it sounds like you get to retain autonomy over your subset of users. See https://github.com/oktadev/okta-dac
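One way to put the internal reporting suggested a few posts up and the auditing & alerting mentioned in this post into practice, as an added Python example that is not from the thread: it walks constructed Okta System Log records, treats membership of the app access group as legitimate only when one of the organisation's own administrators granted it, and flags grants by anyone else and SSO into the organisation's app by anyone not so granted. The event-type strings, group and app names and addresses are assumptions, not taken from the thread.

```python
# Constructed sample Okta System Log records, trimmed to the fields used here.
# Event-type strings follow Okta's naming scheme but are assumptions: verify
# them against the events your own tenant actually emits.
SAMPLE_LOG = [
    {"eventType": "group.user_membership.add", "published": "2023-05-01T09:00:00Z",
     "actor": {"alternateId": "it-lead@org.example"},
     "target": [{"type": "User", "alternateId": "alice@org.example"},
                {"type": "UserGroup", "displayName": "Org-App-Access"}]},
    {"eventType": "group.user_membership.add", "published": "2023-05-01T09:05:00Z",
     "actor": {"alternateId": "helpdesk@sg.example"},   # not one of our admins
     "target": [{"type": "User", "alternateId": "mallory@sg.example"},
                {"type": "UserGroup", "displayName": "Org-App-Access"}]},
    {"eventType": "user.authentication.sso", "published": "2023-05-01T10:00:00Z",
     "actor": {"alternateId": "alice@org.example"},
     "target": [{"type": "AppInstance", "displayName": "Org Case System"}]},
    {"eventType": "user.authentication.sso", "published": "2023-05-01T10:30:00Z",
     "actor": {"alternateId": "mallory@sg.example"},
     "target": [{"type": "AppInstance", "displayName": "Org Case System"}]},
]

def _target(ev, kind, field):
    """Return the given field of the first target of type `kind`, or None."""
    for t in ev.get("target") or []:
        if t.get("type") == kind:
            return t.get(field)
    return None

def audit(events, group, app, org_admins):
    """Walk events in order and return (published, reason, detail) findings.
    Membership of `group` is trusted only when granted by one of `org_admins`."""
    members, findings = set(), []
    for ev in events:
        etype, actor = ev.get("eventType"), ev.get("actor", {}).get("alternateId")
        if etype == "group.user_membership.add" and _target(ev, "UserGroup", "displayName") == group:
            user = _target(ev, "User", "alternateId")
            if actor in org_admins:
                members.add(user)
            else:
                findings.append((ev["published"], "group assignment by non-org admin", f"{actor} added {user}"))
        elif etype == "group.user_membership.remove" and _target(ev, "UserGroup", "displayName") == group:
            members.discard(_target(ev, "User", "alternateId"))
        elif etype == "user.authentication.sso" and _target(ev, "AppInstance", "displayName") == app:
            if actor not in members:
                findings.append((ev["published"], "SSO into app by user not granted by org", actor))
    return findings

def run_sample():
    return audit(SAMPLE_LOG, "Org-App-Access", "Org Case System", {"it-lead@org.example"})

if __name__ == "__main__":
    for f in run_sample():
        print(*f, sep=" | ")
```

Pointed at a real export of the System Log, the same walk gives the org a record of every grant and every app sign-in independent of who administers the tenant.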
If you want to obscure what systems you are accessing from the SG IT dept then you can daisy chain systems. I.e. use their Okta for sign in and MFA. Have them configure a connection to say Auth0 or another Okta tenant that you control. Connect third party apps to 'your' tenant. Auth works by the third party app asking 'your' auth provider who the user is. 'Your' provider in turn asks the SG Okta tenant which will authenticate the user. Pretty it is not but work it will, looking at Auth0 pricing I think you could get away with the B2E basic tier at $220pm.
I also think your data governance are worrying needlessly. Why would SG care when you are accessing systems. If they already supply you IT then the horse has long since bolted if they did wish to monitor your org.
^my thoughts entirely.
I also think your data governance are worrying needlessly. Why would SG care when you are accessing systems. If they already supply you IT then the horse has long since bolted if they did wish to monitor your org.
+1
Actually, if your org deals with sensitive information then I can see a case for having independence from SG in this area.