What is SAML and why do you need it?

Stage two of the ATO’s operational framework is here with more accounting apps being mandated with Two Factor Authentication. This means imminent changes to the way accountants and their teams manage and control access to an ever increasing suite of cloud apps.

This article will help you understand what’s coming from an operational perspective and how to prevent these changes from impacting your firm’s productivity.

The cloud app sprawl conundrum

Throughout this decade, as the cloud phenomenon has swept through the accounting industry, each cloud vendor has been forced to build out its own identity system, meaning a separate set of credentials for each app. As accountants have taken advantage of the benefits of cloud apps, the overwhelming number of passwords and identities to track across all team members has made it a challenge to stay in control of access.

Aside from the operational headaches presented to practice managers when onboarding and offboarding team members, the real killer has been the data risk: firms are increasingly having mailboxes and other critical applications breached, and that has damaged hard-earned reputations.

In response, the ATO has mandated that apps which lodge, or which contain superannuation fund details or payroll information, will need to adopt two factor authentication this year, compounding what was cloud ‘password sprawl’ into cloud ‘two factor sprawl’.

Consolidating cloud identities the easy way

While the emergence of two factor is what’s bringing this issue to a head, two factor is not the problem itself. The core of the problem is the sprawl of logins that cloud apps bring to the table and the dangerous habits users form in order to manage them all. Remember the old server days when a team member logged in once per day and accessed files, email and any other server-based apps? If someone left, your IT provider only needed to disable a single account.

With each cloud app having its own identity system, user on/off-boarding is a manual and risky process, given each app needs to be enabled or disabled individually. While the industry has responded with accounting-specific password vaulting solutions, the problem remains: each cloud app has its own individual identity database that isn’t unified across all apps… until now.

The new cloud standard for Single Sign On

Cloud vendors globally have finally settled on a unified and centralised identity system called SAML, or Security Assertion Markup Language. All major accounting apps either have released, or are in the process of releasing, their integration with SAML as the centralised standard of identity management. This is going to be big. It’s going to make life easier for team members to access apps productively and give firms absolute control over how, where and by whom their clients’ information can be accessed.

SAML is an app-agnostic identity technology which unifies access to all applications into a single cloud identity.

Here’s how it works at a practical level:

When a new team member joins an accounting firm, a SAML account is created for them, usually by a practice manager, and linked to the apps they need.

If the team member leaves, the SAML account is disabled and all access is revoked, giving the firm peace of mind that its privacy remains intact and that the team member can no longer access anything. There is no more having to remember what passwords or shared accounts they might have encountered during their tenure: everything is disabled from one screen.

How SAML works practically

This brings true single sign on to the accounting industry and solves a big productivity and security problem for all accounting firms.

Given users are accessing all apps from a single identity, an accounting firm can also:

  • Restrict access to specific locations – For example, an outsourced or remote team member could be restricted to a single office, preventing anyone from accessing your firm’s data from home.
  • Restrict access to specific devices – Quite often it’s a home or shared computer that can be infected with key logging software, compromising a firm’s data. Preventing logins from unauthorised devices helps protect against this.
  • Prevent overseas attacks – Just like a credit card, access to your data can be restricted by country, protecting your firm from brute force attempts from overseas.
  • Two factor across everything – Your SAML identity can (and should) have two factor authentication over it, so all apps are protected and the user only needs to enter a token once.
  • Maintain access visibility – Firms can track where, when and what was accessed, in real time or in a retrospective log, to help with forensic analysis in the event of a breach or fraud.
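To make the single-identity model concrete, here is an added example (not code from the article or from any SAML product) of the kind of policy an identity provider applies before it issues a sign-on assertion: one account per person, a single “enabled” switch that revokes every linked app, and the location, device, country and two factor rules listed above, with each decision written to an audit log. The users, networks and device names are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed sample identity store: one firm-wide account per person,
# linked to the apps they need (the article's "single cloud identity").
USERS = {
    "alice": {"enabled": True, "apps": {"ledger", "payroll"},
              "devices": {"laptop-01"}, "countries": {"AU"},
              "networks": [ip_network("203.0.113.0/24")]},   # office range
    "bob":   {"enabled": False, "apps": {"ledger"},            # offboarded
              "devices": {"laptop-02"}, "countries": {"AU"},
              "networks": [ip_network("203.0.113.0/24")]},
}

@dataclass
class LoginAttempt:
    user: str
    app: str
    ip: str
    country: str
    device: str
    mfa_passed: bool

AUDIT_LOG: list[dict] = []   # where, when and what was accessed

def evaluate(attempt: LoginAttempt) -> tuple[bool, str]:
    """Apply the firm's rules in order; the first failing rule decides."""
    account = USERS.get(attempt.user)
    if account is None or not account["enabled"]:
        decision = (False, "account disabled")      # one switch revokes every app
    elif attempt.app not in account["apps"]:
        decision = (False, "app not linked to identity")
    elif not any(ip_address(attempt.ip) in net for net in account["networks"]):
        decision = (False, "location not permitted")
    elif attempt.device not in account["devices"]:
        decision = (False, "device not registered")
    elif attempt.country not in account["countries"]:
        decision = (False, "country blocked")
    elif not attempt.mfa_passed:
        decision = (False, "second factor missing")
    else:
        decision = (True, "allowed")
    # Every attempt, allowed or not, is recorded for later forensic review.
    AUDIT_LOG.append({"at": datetime.now(timezone.utc).isoformat(),
                      "user": attempt.user, "app": attempt.app, "ip": attempt.ip,
                      "device": attempt.device, "allowed": decision[0],
                      "reason": decision[1]})
    return decision
```

Because the account is the only thing each app trusts, flipping `enabled` to `False` for a departing team member denies every app at once, with no per-app password to chase.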

This is good news, and it’s finally reaching the accounting industry thanks to the ATO’s operational framework, which is forcing app vendors to rethink how they deliver identity to their clients.

To find out more about SAML and how your firm can start to take advantage of this technology, request a Cyber Security Consultation here.