Single sign-on (SSO) is a two-edged sword. SSO by itself doesn't really improve security and, in fact, if not deployed properly, can degrade it. SSO is driven more by user convenience than by security.
As a company's systems multiply, each requiring its own password, SSO eases the burden of logging on to each system individually. At the same time, if SSO is compromised, it hands the keys to the castle to a malicious user. On the other hand, having fewer credentials around means there are fewer to lose or compromise.
So even though SSO isn't a security panacea in and of itself, it can make positive contributions to an enterprise information security program. Here's how.
SSO systems are often based on complex systems management applications, like IBM Tivoli, or on hardware-based appliances, like those from Imprivata Inc. As a result, SSO systems can centralize authentication on special servers: dedicated servers that host the SSO modules. Such a server acts as the SSO gatekeeper, making sure all authentication passes first through the SSO server, which then passes along the credential it has stored for the particular application registered with the SSO system. This centralization requires more planning, tuning and auditing to prevent malicious access than individual, per-application authentication systems do.
Also, SSO systems usually store authentication credentials and encryption keys more securely, making them a bigger challenge for a hacker to crack. They also sit deep inside a company's IT architecture, usually tucked safely behind multiple firewalls.
All of this requires a lot of extra documentation, which auditors and regulators love. So, although compliance may not necessarily equal security, the extra steps needed for compliance can enhance security. Section 404 of the Sarbanes-Oxley Act (SOX) requires documentation of controls and most SSO systems meet that requirement.
These documentation requirements include logging and monitoring of user accounts. Keeping track of users, pruning inactive accounts of long-gone employees and monitoring suspicious activity are all part of running an SSO system and can increase an organization's IT security.
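As an added illustration (not code from the original article or from any SSO product it names), the following Python script shows the kind of checks a centralized SSO gatekeeper log makes possible: finding dormant registered accounts to prune, and spotting bursts of failed logins. The log format, user names and sample records are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records from a central SSO gatekeeper log:
# <ISO timestamp> <user> <application> <source ip> <result>
SSO_LOG = """\
2007-09-01T08:00:00 alice hr-portal 10.0.0.5 success
2007-09-02T09:10:00 bob erp 10.0.0.7 success
2007-09-20T18:00:00 alice erp 10.0.0.5 success
2007-09-21T02:00:00 mallory crm 203.0.113.9 failure
2007-09-21T02:00:05 mallory crm 203.0.113.9 failure
2007-09-21T02:00:10 mallory crm 203.0.113.9 failure
2007-09-21T02:00:15 mallory crm 203.0.113.9 failure
2007-09-21T02:00:20 mallory crm 203.0.113.9 failure
"""

def parse_log(text):
    """Turn the space-separated log into (timestamp, user, app, ip, result)."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, app, ip, result = line.split()
            events.append((datetime.fromisoformat(ts), user, app, ip, result))
    return events

def dormant_accounts(events, registered_users, now, max_idle_days=14):
    """Registered accounts with no successful SSO login in max_idle_days."""
    last_seen = {}
    for ts, user, _app, _ip, result in events:
        if result == "success":
            last_seen[user] = max(ts, last_seen.get(user, ts))
    cutoff = now - timedelta(days=max_idle_days)
    # Accounts that never logged in at all are dormant as well.
    return sorted(u for u in registered_users
                  if last_seen.get(u, datetime.min) < cutoff)

def failed_login_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """Users with >= threshold failed logins inside any sliding time window."""
    failures = defaultdict(list)
    for ts, user, _app, _ip, result in events:
        if result == "failure":
            failures[user].append(ts)
    flagged = []
    for user, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(user)
                break
    return sorted(flagged)
```

Both reports depend on the one property the article highlights: because every logon passes through the SSO server, a single log covers every registered application.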
This was first published in September 2007