Gone are the days when most computer operators, and people in general, maintained a single user ID and password. Single Sign-on (SSO) has been a standard feature for many businesses over the past few years. Its appeal lies in its simplicity and improved efficiency. However, an important question to consider is: “Is SSO secure?”
Although the main features of SSO include improved IT monitoring and management, and security control, the technology itself is primarily designed to improve productivity, often at the cost of security. Naturally, with the introduction of SSO, there are some implied security risks.
SSO, in general, is more concerned with providing access than with restricting it. At a time of widespread malware-based attacks, unrestrained access might not be the ideal goal. Despite the benefits of its use, some of the risks associated with SSO are:
In recent years, login credentials have been a major target for external attackers. If an attacker gains initial access to an authenticated SSO account, they are also automatically given access to all applications, data sets, environments, and systems linked to that account.
External attacks using malware to pursue control over an endpoint would also have immediate post-login access to all systems connected via SSO.
If a user successfully logs in via SSO and falls prey to a phishing attack, there is not always a simple solution. The attacker gets access to all the endpoints of the external applications within the cloud that the user is provisioned for.
If the attack is detected, the user account can be disabled. However, the user may still remain logged in. This could allow the attacker to stay logged on with access to the linked application, depending on the security of the application and the SSO model installed.
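The gap described above, where a disabled account keeps a live application session, can be shown in a few lines. This is an added example, not code from any SSO product; the `IdentityProvider` class, the session fields and the timestamps are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class IdentityProvider:
    """Constructed stand-in for the SSO provider's account store."""
    disabled: set = field(default_factory=set)
    revoked_after: dict = field(default_factory=dict)  # user -> time of revocation

    def disable(self, user, now):
        # Disabling the account also marks every earlier session as revoked.
        self.disabled.add(user)
        self.revoked_after[user] = now

    def session_still_valid(self, user, issued_at):
        if user in self.disabled:
            return False
        return issued_at > self.revoked_after.get(user, float("-inf"))

@dataclass
class AppSession:
    """Session held by a linked application after the SSO login."""
    user: str
    issued_at: float
    expires_at: float

def naive_check(session, now):
    # The application trusts its own session until expiry and never asks again.
    return now < session.expires_at

def revalidating_check(session, now, idp):
    # The application confirms the account's status with the provider per request.
    return (now < session.expires_at
            and idp.session_still_valid(session.user, session.issued_at))

def demo():
    idp = IdentityProvider()
    t0 = 1_000.0  # constructed login time, in seconds
    session = AppSession("alice", issued_at=t0, expires_at=t0 + 8 * 3600)
    before = revalidating_check(session, t0 + 300, idp)
    idp.disable("alice", now=t0 + 600)  # account disabled after the attack is detected
    later = t0 + 900
    return before, naive_check(session, later), revalidating_check(session, later, idp)

if __name__ == "__main__":
    print(demo())
```

In practice the per-request lookup is often replaced by short session lifetimes or by a logout notification that the identity provider pushes to each linked application.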
The principle of least privilege follows the notion that users should only be granted access to data, applications, and systems that are essential to their work. To enforce this, obtaining elevated levels of access requires additional sign-ons.
This is contrary to SSO systems that give access to users through a single set of credentials.
Despite the risks associated with SSO, the benefits of increased productivity and reduced support costs appeal to businesses. The challenge is how to provide the streamlined benefits of SSO while maintaining adequate levels of security.
As with any challenge, there is always a way to manage or mitigate problem areas to minimize the risk involved. Specifically for SSO, this means identifying specific loopholes and implementing measures that increase security while not compromising the convenience of the solution.
The Two-Factor Authentication system addresses password vulnerabilities by adding an additional layer of security to Active Directory accounts with a compromised password. In addition, two-factor authentication prevents data breaches before any damage occurs, protects all users, and nullifies compromised credentials.
It can also be customized by users and organizations, and used together with logon management.
Introducing a Logon Management solution provides additional security measures for the initial Windows login.
Some of these measures include the restriction of endpoints from which a user can log in, logon frequency limitations, restrictions according to the type of session, monitoring unusual login activity, managerial approval, and forced log-offs in case of a detected risk.
Privileged Session Management (PSM) is the middle ground between the Least Privilege principle and SSO.
PSM allows users to request access without the need for a password. The access request controls which systems specific users can access, can require peer/manager approval, can notify IT, and can keep track of the session activity.
For organizations with extensive cloud management, introducing AD controls helps establish a secure SSO foundation. To ensure adequate security, this must be done in conjunction with other measures including least privilege, multi-factor authentication, modern authentication protocols, limited device access, and frequent password changes.