ConnectWise Authentication & Authorization Update
As committed in my March 11 email (subject line: “ConnectWise | SSO Update for Partners”), I would like to share another update. I want to assure you that our team has been taking every step possible to improve each aspect of our SSO strategy. At the bottom of this email, we’re inviting you to a live (and on-demand) webinar with Q&A to hear more, but in the meantime, I’m summarizing the key points here.
Before I do that, I want to thank the many partners who joined our “candid conversations” webinar calls and submitted feedback via email to us. We reviewed every piece of feedback and appreciate you taking the time to provide it.
Here is where we are today:
- CW SSO Stability Updates – We are pausing any major updates and requirements to use ConnectWise SSO and are focusing all our efforts on continuous stability and redundancy. Our teams are working diligently on reviewing processes, removing single points of failure, and improving user experience in specific areas. Please be aware ConnectWise SSO will still be required to continue to access our services for Home, University, Marketplace, and Virtual Community.
- Alternative Forms of SSO – Based on ongoing partner feedback and after reviewing impacted services, our engineering and product teams are exploring optional alternative forms of authentication. We currently support alternative directory services coupled with our own SSO, but we are also exploring the ability to support standalone SAML or other third-party options. For example, we intend to support SAML for Manage and Automate natively. We will continue to update partners on this, and further information will be available at the upcoming webinar.
- Ongoing Security – As part of our overarching security strategy, we continue to roll out mandatory MFA for partners using SSO and will soon require some form of MFA for other products.
- Multi-region Disaster Recovery – ConnectWise has successfully deployed multi-region active/passive disaster recovery capability for our SSO, in addition to the multi-zone redundancy we have always had. This capability is now in place, with rigorous functional and performance testing and full-scale data sync having taken place over the last several weeks. Our team will perform the first full-scale failover during a low-traffic window in the coming weeks and will perform failover testing on a periodic basis.
We also invite you to join our webinar on Thursday, April 7 at 1:30pm EDT hosted by Jeff Bishop, EVP & GM, Platform & Control, Amy Lucia, Chief Marketing Officer, and me. Come learn our go-forward plans for authentication and authorization, including how we're incorporating feedback from partners, and an opportunity to ask us questions in the live forum. This session will also be recorded and available on-demand. Please register here.
Once again, I greatly appreciate your partnership, patience, and flexibility.
Chief Technology Officer
As an update on the below, we have made the decision to revoke the requirement for CW SSO for ConnectWise CPQ™ (formerly Sell) until we have reviewed and communicated our strategic intent, which will emphasize greater resiliency. It will be optional for now, just as it has been for our other products. Access to services such as Home, Marketplace, University, and Virtual Community will still require SSO. Instructions for how to disable SSO are here. Please review the blog below in detail for very important updates on our SSO plans. We also invite partners to attend SSO feedback cohort sessions, or to provide any feedback to us at SSOfeedback@reply.connectwise.com. For those wondering how this decision relates to security, see the message directly below from our CISO:
Single sign-on (SSO) is a login method in which users have one set of credentials to access multiple applications. The main benefit of SSO is the streamlined approach to accessing multiple systems; it is not an essential security control for system access. The absence of SSO does not affect, degrade, or hinder Multi-Factor Authentication (MFA), which is required for our RMM, BDR, and remote control products and is supported and highly recommended for most other ConnectWise products/systems. With MFA, the combination of a password, physical token, and biometric can significantly reduce the risk of data and software breaches.
As head of engineering for ConnectWise, I wanted to take a moment to provide more transparency into our authentication and authorization strategy and to answer some key questions we have received from partners recently.
First, as you all likely know, having a credible, competent authentication and authorization approach is a critical cornerstone of a reputable software company’s cybersecurity program. ConnectWise has been working toward a more modern, unified SSO (single sign-on) and MFA (multifactor authentication) approach, and this includes evolving toward requiring SSO and MFA for all users of our systems. I’m going to focus the rest of this blog on SSO, but it is important to clarify that MFA will remain an important part of our strategy, and should be taken very seriously by all TSPs, as more than 61 percent (source: Verizon’s 2021 Data Breach Investigations Report) of data breaches in 2020 were executed using unauthorized credentials. I cannot emphasize enough that MFA is a protective layer that no one should be trading off in today’s cyberthreat landscape.
Our SSO Journey to Date
Now onto SSO, another important component of our cybersecurity program:
In addition to the benefits of how SSO can improve and personalize your experience over time within our environment, we believe SSO should play a role in our security and product strategy. The SSO service we are embarking on allows us to have more oversight into who comes in, their permissions, and the level of security they have. Unlike many solutions in the market today, it handles authentication and authorization—this is very important given the number of solutions in our portfolio and access points to our portfolio. You, our partners, rely on us to keep you and your customers’ systems secure, and we can most effectively do this if we have a common, streamlined approach to authentication and authorization.
More specifically, ConnectWise stepped down the SSO path many years ago based on a need to centralize our authentication and authorization across products that were both in the cloud and on-premises. There were many ways we could have done this, and we made the decision we felt was best at the time for our partners and ConnectWise. For security and simplification, we decided to centralize that experience rather than trying to connect 20+ products and services to various directory services, MFA, and other IAM tools. The capabilities this delivered were less integration work across each product for our partners, a consistent login experience, one service that our Cyber and external teams could easily test for security, centralization of authorization across all products, a standardized OAuth2 and OpenAM implementation across all products, and the ability for our partners to easily move between products. Our intention has always been to introduce centralized user and role management for all products, based on this infrastructure.
When we began our SSO journey, we assessed third-party options, as any good software company does. Those options fell short of our requirements (including, but not limited to, the ability to do both pieces I mentioned above) and would have caused us to compromise, which we were not comfortable doing (e.g., many struggled with applications that involved LDAP, the need to use different directories, and on-premises implementations). They also would have added a significant pass-through cost burden to our partners, which we were also not comfortable with. Therefore, we began our journey to build our own SSO. The benefit of doing this is that we now have—from a capabilities perspective—a comprehensive product that we can continue to evolve in support of our platform vision. But there have been challenges in the form of stability issues as we work through the growing pains of maturing our service, as evidenced by the issues of recent months (please ask product support for our RCAs for more information, although I do address this a bit further below). As you will see below, we are giving our approach a second look given partner feedback.
We know you value transparency and have even told us that you are willing to go on the journey with us when we need to work out kinks, but you would like us to be more open with you. This is an area we can be better about and have been taking measured actions on over the last few months.
We understand that any availability issues on our part pose challenges to your business. With respect to SSO specifically, our availability has averaged 99.8% over the last twelve months. This is certainly something we want to do better on, and we sincerely regret and apologize that there have been multiple issues in the last four months. We are taking many new measures to bring our SSO service to world-class at a more rapid speed. I’ve outlined them in the next section of this post.
Relatedly, it's not unreasonable for our partners to expect greater ongoing transparency from us on how we are doing and what we’re doing to improve. So, we intend to provide more transparency on our availability scorecard. You will hear more about that in conjunction with the rollout of our new hosting status page in the coming months. (And yes, in response to partner feedback, our intention is to make that hosting status page available publicly without a login.)
I also understand that members of the partner community have been actively engaged in dialogue with our CMO about the advancements we are making in our communications approach (with both “pull” and “push” mechanisms for our partners). This includes, but is not limited to, greater transparency on issues we are working to resolve, as well as the good things you will be excited to hear about.
Earning Your Confidence
With any product we build, we expect to have to earn your confidence as we bring it to market. This means we endeavor to build high-quality products with high availability (industry average or better). Our SSO development initiative is no exception. We are 100% committed to ensuring you have a reliable, high-performing, and secure authentication and authorization service as it relates to your ConnectWise products. You can expect us to be very transparent about our plans or modifications to those plans as a result over the coming weeks and months. Here are a few important things we are already committed to:
- Failover Redundancy—Public Cloud: As a result of the Amazon (AWS) availability issues of late, we decided to move toward regional failover coverage. Therefore, by early Q2 (calendar year), we will have stood up full redundancy for infrastructure-related failures of our public cloud vendor. We are starting with active/passive (which will minimize downtime) and moving toward active/active (which operates simultaneously across regions).
- ConnectWise DevOps: As it relates to availability issues at the hands of ConnectWise: human error will always be a factor, but we have identified opportunity for greater automation and quality assurance/control measures. In the last four months, two mistakes were made that simply shouldn’t have happened. Therefore, corrective efforts in these areas are already underway. In addition:
  - In parallel to our corrective actions, we are bringing in third-party expertise to conduct a full review of our processes and quality control measures.
  - Although we still strongly recommend partners leverage ConnectWise SSO, we will slow down any plans to further require it, pending the outcome of the strategy review outlined directly below and our ability to maintain stronger stability with consistency (SSO is presently required for ConnectWise CPQ and to use some services like Home, Virtual Community, and University).
- SSO Strategy Review: Over the coming weeks, we also intend to do the following:
  - We will conduct a thorough review of our plans given the direction of our platform planning and partner feedback. This review will also take a hard look at mandatory SSO rollout in the context of current service performance, any requirements for on-premises/cloud partners, and requirements for third-party solutions.
  - We plan to evaluate—at partner community request—the possibility of allowing partners to choose their identity access management (IAM) product.
We will report back to partners with a complete update on the outcome of our review (and our next steps) on or before March 31, 2022.
I want to thank our partners for their patience to date as we’ve worked to modernize, harden, and improve the performance of our authentication and authorization service. We’ve now dedicated a team exclusively to getting this to where we all want it to be as quickly as possible. I look forward to sharing further updates with you regularly.
All the best,
Chief Technology Officer