TL;DR: Cyber security is very important in businesses today, with everyone working remotely, but it isn't being taken seriously by companies. MFA goes some way to addressing the gap, but having multiple applications you need to enter a username, password and auth code for costs your business a lot in terms of productivity.
SSO allows you to consolidate all your application log-ins into a single solution, which means you log into the SSO provider once (typically backed up by MFA) and then gain access to all of your applications. From a HubSpot perspective, we don't think the system is perfect yet, but the benefits in gained productivity outweigh the friction, especially in today's world.
Craig: Hi there, I'm with Scott Nursten. Scott is an IT and cybersecurity specialist with over 20 years' experience. We were actually previously partners in a business called s2s, a Cisco network security specialist, which we built and sold back in the 00s. And Scott has subsequently worked with a number of businesses in the UK and Channel Islands. Scott's latest project is a company called ITHQ, where he is CEO. ITHQ is an IT solutions provider and there is, as always, a strong security aspect to everything Scott does.
I know ITHQ also has a focus around cloud and cloud-related technologies. Just from a full disclosure perspective, Scott is also a shareholder here at Struto. So we're lucky enough to get his technical input when we need it.
Scott: Yes indeed, fun times.
Craig: Fun times, especially now, which is probably where we should start, to provide some context so that one day down the line, if someone's watching this back, they'll understand what's going on. I guess, if we look at today, we're living in unusual times.
Scott: Yes indeed.
Craig: Certainly a time where cyber security is probably more important than ever, as people are working remotely. So Scotty, would you mind giving us a bit of insight into your thoughts on how companies should be thinking about their security now? I know I'm kind of leading you on here, because we saw the same article on LinkedIn with someone saying something along the lines of “Hey, if you've got to open up a few holes to accommodate folks at the moment, so be it.” I'm sure you would have an opinion on that?
[02:06] Scott: Yeah, there are some strange attitudes going around, but I suppose with lockdown and COVID-19 in progress, it has sort of accelerated a lot of the concepts that we were seeing anyway. Businesses have continued to treat cybersecurity as they did in the late 90s and early 2000s, which was very much, I guess, a moat-type system. A castle-and-moat type system, where you try and build walls and put down a moat, which will be your standard intrusion-prevention and firewall type systems, and you want to keep The Bad Guys out and all your information and The Good Guys inside and protected by the walls.
But with the proliferation of cloud technologies, you all of a sudden have these camps appearing outside of your traditional firewall architecture and traditional boundaries. And now, with all this remote working and no one in the office and behind those corporate firewalls and IDSs, you've actually got everyone outside the castle. Trying to connect in just punches holes in the castle walls so that you can connect into the main information stores that are in the business. It has accelerated a lot of bad behaviour as a result of that remote workforce.
Craig: So the point of today was really about digging into SSO specifically, because it's something that's been front-of-mind for us as a business. You've recently helped us deploy SSO within our own agency, and we're working with other agencies to deploy SSO for their clients. So we thought it would be a good idea to explore that a little further. So I have a loaded question here for you; it's one of those four-part jobs. Firstly, for the benefit of folks listening, what is SSO? And secondly, what is MFA? We often hear those two acronyms bandied about together. Why are they referred to together? And then from a benefits perspective, give us a bit of insight into the benefits of SSO and MFA.
[04:37] Scott: SSO and MFA form part of a wider concept which is IAM, another three-letter acronym which is what we do in technology!
That is Identity and Access Management, and for a long time it's been an issue. According to the National Cyber Security Centre (NCSC), 23.2 million users in the UK use the password 123456. Whether that's a true stat or not, I can believe it, because I have dealt with many people who tell me things like that. I've seen administrative passwords on corporate networks set to things like 123456, or password, or, even a really great case, where the CEO liked to log in as administrator and didn't like typing a password, so he had all the password policies set so that he could just type dot as the password. “.” was the password.
That's the challenge that you're trying to address when talking about Identity and Access Management. It all forms part of being able to hold people accountable, knowing who did what and knowing when accounts and machines have been compromised, if that ever happens. SSO specifically is about Single Sign-On. With the proliferation of Software as a Service, as you know in your agency, you've got your Office 365, RingCentral and all sorts of applications.
Craig: I think we use something like 27 applications and that's after consolidating our software stack.
[06:18] Scott: So because of that, if your average user even uses half of those every day, call that 13 applications. If they have to log in with MFA, even if that only takes 20 or 30 seconds, you're still losing six and a half minutes a day. And that's if they log in only once and don't get logged out of these applications. A lot of applications force you to be logged out and log back in again, and that can happen multiple times in a day.
Then the cost of a password change, according to the NCSC, is around £40. That's what they say a password change costs, because of time, people locking themselves out, etc.
When you think that a lot of these sites, again, make you change your password every 30, 60, 90 days, whatever the case may be, you're talking about, over the 27 applications, having to do it once a quarter, which equals 100 password changes a year. And you've got 20 staff in your agency, so you're looking at 2000 password changes. If you're saying that they actually do cost 40 quid each, you're looking at £80,000 worth of lost productivity just in changing passwords.
The concept of SSO is to give you a central place where you sign in once, and you manage one username and password, which gets you into all your platforms. That also has MFA (Multi-Factor Authentication), which is taking the concept of passwords, which is something you know, and combining it with a device you have. So adding a second factor of authentication, normally that's on your mobile phone or another application on your computer that gives you a one-time password which only lasts for 30 seconds. That way you don't have to remember it and it can't be brute-forced easily. You have to have something like a phone or another application to be able to use it. It's something you know (password) and it's something you have (mobile), and putting the username and password in one place, in one platform, allowing you to access all of your platforms. Instead of times 27, in your case, it's only in one place where you actually have to change passwords and manage your MFA, etc.
[08:38] Craig: So from a benefits perspective, we're really talking about saving time through multiple password changes. You mentioned every quarter; that would be a very lax policy that said you only needed to change your password every quarter. It's really about being able to implement much stronger security policies, I guess, without the administrative overhead.
Scott: Right, even if you had to say that it changed every week. The nice thing is that with MFA you don't really need to worry about changing your password as often, but even if you did say they have to be changed every single week, you'd still only have to do it 52 times.
Craig: Exactly. Every time we did an Office password change, it was your Word, Excel applications, then Teams had a separate password, then OneDrive had a separate password login and separate authentication. So it's just a pain in the butt.
Scott: Yeah, so when you had to change the password, you ended up having to log into your phone, which would have Outlook and Teams and Word and Excel and everything on it. Then your laptop will have the same, and your desktop will have the same, and if you log in on a browser, it'll be the same. So the basic math we did earlier is probably x10, or even more than that, because of the many different places you have to log in nowadays, with all of our devices.
[10:08] Craig: So that's great from a general business perspective. Let's maybe have a look at the HubSpot world more specifically. This is something I think HubSpot has not positioned very well, potentially. It's not something that we are encouraged to use. I guess it's because it's a policy that sits with the business and it's dictated by the business and the business's security posture and the policies that they deploy. We've recently started working with agencies around deploying SSO for HubSpot specifically, and for agencies. So there are a couple of sides to this: how do we go about deploying SSO for HubSpot, what is the impact, and what have we learnt from an agency side that people need to be aware of? There's probably the client side vs the agency side, which I guess is what I'm getting at.
[11:07] Scott: The first thing that I get quite annoyed by with most SaaS platforms - platforms I use and love like HubSpot or Lucidchart - we use Lucidchart literally every day. These platforms have decided that Single Sign-On, and even sometimes MFA, are Enterprise features, and not features that are inherent in the platform. That's something I think is completely wrong. I personally think that saying only Enterprises need security, only Enterprises have problems with password changes, only Enterprises have problems with login issues? Well, we know it's not true. You've got a 20-person agency and you're definitely not considered a large Enterprise, and yet you need SSO.
If we were to differentiate between HubSpot and Lucidchart, for example, the quantum of money that you have to spend to get Enterprise features in HubSpot is a massive subscription. It's not an extra couple of hundred bucks a month; it is several thousand dollars or pounds a month to do that upgrade. I personally think that's wrong, and I think a lot of these organisations, not just HubSpot, need to view SSO differently. It's not an enterprise thing. Security is not for the Enterprise. It's not elitist. It's for everyone.
They are treating it that way and I don't like that. I also don't like someone like Lucidchart doing it, but the difference there, I suppose, is that a 60 bucks licence becomes a 150 bucks licence. That's 90 quid extra a year, so it is more affordable, but if you were to multiply that out across your team, if you had a 30- or 40-man team, then you're back in the thousands of pounds for Enterprise functionality.
[13:02] I think that has been badly positioned. I don't know why people think that's an Enterprise feature, but I don't agree. To answer your question, with HubSpot, bar buying Enterprise, in terms of rolling that out, what you need is some sort of SSO provider. HubSpot supports SAML (Security Assertion Markup Language). It is a standard security assertion language which allows you to either authenticate people or include things like accounting aspects and what they can access. There are privilege levels; because it's a markup language, you can add a lot of information in that authentication. It's not just username and password; you can hand through privilege strings. There are all sorts of things you can do with it, basically. To get a SAML provider, you're going to need one of those directory services: Azure AD, JumpCloud (our chosen partner), Optus and My1login. There are plenty of platforms out there that can provide it. What you need is the platform that you're trying to log into (HubSpot) to support SSO, and then you need some sort of SSO provider (JumpCloud).
Rolling it out is quite easy, because those SSO providers generally have groups, which can access specific applications. So you'd create a group called HubSpot and add all the users you'd want to access HubSpot into the group. Then configure HubSpot to use JumpCloud, or your SSO provider, as an authentication provider, as an IDP (identification provider). From there, if those people are in the HubSpot group, they log into JumpCloud, click on the HubSpot icon and, boom, they'll be straight into HubSpot. They won't have to log in to HubSpot anymore, basically.
[15:17] Craig: I think, for us, the transition was pretty seamless. I think there are still a few things HubSpot needs to work on, and we've discussed this before, where from an agency perspective we have access to multiple portals within HubSpot. As such, when we use single sign-on, we go straight into our portal. But when we want to change portals, we have to log in and authenticate against HubSpot again.
Scott: So they've got their own identity provider. They have a single sign-on across the HubSpot platform, but when you sign in with your SSO, which is an external IDP, it does not seem to be tying it in with their internal IDP. That means that you actually have to log in again to access your client portals.
[16:08] Craig: I think we’re going to shout out to HubSpot and ask them to check out a few things. The first is to make security available to everyone at all levels. The second is: let's see what can be done to make that SSO experience a little bit more seamless.
Scott: Definitely. In your case, you log in as Struto; right now you use their IDP and you get an authentication token from HubSpot, and you can go and access all of those other portals. Yet if you sign in with your SSO provider, even though you are still logging in with your email, you don't have access to those other portals. I think they just need to think about how they can tie those two authentication systems together and know that once you are authenticated as Craig, that should be good enough for both platforms.
Craig: Yeah, we think there's a solution there; it just needs a little bit of focus from their side.
[17:07] So, if I'm going to sum up then, I think what's good about the chat we've had is that folks will get an idea of the benefits of SSO: from having to log into multiple platforms to consolidating it into one single sign-on solution, typically backed up with MFA in order to secure the process more effectively and to gain access to your systems.
We don't think the system is perfect yet, from a HubSpot perspective, which I think is fair to say. But I think the benefits of the SSO solution well outweigh the bit of friction that is still around, especially today.
[17:51] Scott: If you think about an organisation like yours, just having that central control and that place where you can control all your users in one application, that's a great benefit to your business and eliminates friction in your business. The HubSpot experience could definitely be more seamless, but it doesn't change some of the benefits you are seeing from an SSO rollout regardless.
Craig: Exactly. Well, Scott, thanks again to you and your team for helping us out with that. I think today's chat has been awesome. Hopefully we can have another one of these soon - I'm feeling RingCentral coming on.
Scott: Yeah, I'll happily have a chat around that too, and more than happy to do this as a sort of series if you want. That will be quite fun.
Craig: Fantastic. I think that's going to be the way to go - let's see how well we do and we'll take it from there.