Q: Does single sign-on (SSO) improve security?

In this expert response, security pro Joel Dubin discusses the impact that enterprise single sign-on (SSO) can have on a security program.

My organization is trying to determine whether single sign-on should be a corporate priority. Under what circumstances can it significantly improve security?

Single sign-on (SSO) is a two-edged sword. SSO by itself doesn't really improve security and, in fact, if it is not deployed properly it can degrade security. SSO is adopted mainly for user convenience.

As a company's systems multiply, with each one requiring its own password, SSO relieves users of logging on to each system individually. But at the same time, if the SSO credential or session is compromised, it hands a malicious user the keys to the castle: every application behind the SSO system. On the other hand, having fewer credentials in circulation means there are fewer to lose or compromise.

So even though SSO isn't a security panacea in and of itself, it can make positive contributions to an enterprise information security program. Here's how.

SSO systems are often built on complex systems-management suites, such as IBM Tivoli, or on hardware appliances, such as those from Imprivata Inc. Either way, they centralize authentication on dedicated servers that host the SSO modules. That server acts as the SSO gatekeeper: every authentication passes first through the SSO server, which then presents the credential it has stored for the particular application registered with it. Because a single point now controls access to every registered application, this centralization requires more planning, tuning and auditing to prevent malicious access than a collection of separately authenticated systems does.

Also, SSO systems usually store authentication credentials and encryption keys more securely than the individual applications they front, making them harder for an attacker to crack. They also sit deep inside a company's IT architecture, usually behind multiple layers of firewalls. Note that this placement protects the SSO server from outside attackers; it does nothing against a stolen master password or a hijacked SSO session, which is why the points above about planning and auditing matter.
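To make the gatekeeper model described in the two paragraphs above concrete, here is an added example of a minimal enterprise-SSO credential broker. It is not code from the original article or from any product named in it, and all names (SsoBroker, register_app, credential_for) are assumptions made for illustration. The user authenticates once with a master password; the broker derives a vault key from it with scrypt, keeps only a verifier at rest, and releases a per-application credential only to a live session, writing an audit record for every decision. The credential encryption uses HMAC-SHA256 in counter mode with a separate MAC key as a stand-in for a real AEAD such as AES-GCM, so the block runs with the standard library alone.

```python
import hashlib
import hmac
import secrets
import time

# --- credential-at-rest protection (stand-in for an AEAD like AES-GCM) ---

def _subkey(vault_key: bytes, label: bytes) -> bytes:
    """Derive a purpose-specific key so encryption and MAC never share one."""
    return hmac.new(vault_key, label, hashlib.sha256).digest()

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; assumption: a vetted cipher would replace this in production."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _seal(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(vault_key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(vault_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def _open(vault_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a tampered vault entry is rejected, not released."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(vault_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("stored credential failed integrity check")
    stream = _keystream(_subkey(vault_key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, stream))

# --- the SSO gatekeeper itself ---

class SsoBroker:
    """Hypothetical SSO server: one master login, per-app credentials released only to a live session."""
    SESSION_TTL = 600  # seconds a session stays valid after login

    def __init__(self, master_password: str):
        self._salt = secrets.token_bytes(16)
        vault_key = self._derive(master_password)
        # Only a verifier is stored at rest; the vault key itself exists in memory per session.
        self._verifier = hmac.new(vault_key, b"verifier", hashlib.sha256).digest()
        self._vault = {}      # app name -> sealed credential blob
        self._sessions = {}   # session token -> (vault_key, expiry timestamp)
        self.audit = []       # (timestamp, event, app) records every decision the gatekeeper makes

    def _derive(self, master_password: str) -> bytes:
        return hashlib.scrypt(master_password.encode(), salt=self._salt, n=2**14, r=8, p=1, dklen=32)

    def login(self, master_password: str, now=None):
        """Single sign-on: returns a session token, or None on a bad master password."""
        now = time.time() if now is None else now
        vault_key = self._derive(master_password)
        check = hmac.new(vault_key, b"verifier", hashlib.sha256).digest()
        if not hmac.compare_digest(check, self._verifier):
            self.audit.append((now, "LOGIN_FAILED", None))
            return None
        token = secrets.token_hex(16)
        self._sessions[token] = (vault_key, now + self.SESSION_TTL)
        self.audit.append((now, "LOGIN_OK", None))
        return token

    def _session_key(self, token: str, now) -> bytes:
        entry = self._sessions.get(token)
        if entry is None or now > entry[1]:
            self._sessions.pop(token, None)   # expired sessions are dropped, not honoured
            self.audit.append((now, "SESSION_REJECTED", None))
            raise PermissionError("no valid SSO session")
        return entry[0]

    def register_app(self, token: str, app: str, username: str, password: str, now=None):
        """Enrolment also needs a live session: nobody loads credentials into the vault anonymously."""
        now = time.time() if now is None else now
        key = self._session_key(token, now)
        self._vault[app] = _seal(key, f"{username}\0{password}".encode())
        self.audit.append((now, "APP_REGISTERED", app))

    def credential_for(self, token: str, app: str, now=None):
        """The gatekeeper step: hand the stored credential to an authenticated session only."""
        now = time.time() if now is None else now
        key = self._session_key(token, now)
        if app not in self._vault:
            raise KeyError(app)
        username, password = _open(key, self._vault[app]).decode().split("\0", 1)
        self.audit.append((now, "CREDENTIAL_RELEASED", app))
        return username, password

if __name__ == "__main__":
    broker = SsoBroker("correct horse battery staple")   # constructed master password
    tok = broker.login("correct horse battery staple")
    broker.register_app(tok, "payroll", "alice", "s3cret")
    print(broker.credential_for(tok, "payroll"))
    for record in broker.audit:
        print(record)
```

The audit list is the part an auditor actually asks for: every login attempt, enrolment, release and rejected session is recorded in one place, which is exactly what per-application authentication cannot give you. The same structure also shows the two-edged-sword point: whoever holds a valid token (or the master password) can call credential_for for every registered application, so the session lifetime and the protection of the master secret are the controls that matter.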

All of this requires a lot of extra documentation, which auditors and regulators love. So, although compliance does not necessarily equal security, the extra steps needed for compliance can enhance security. Section 404 of the Sarbanes-Oxley Act (SOX) requires documented internal controls, and most SSO systems produce the control documentation and logs that satisfy that requirement.

These documentation requirements include logging and monitoring of user accounts. Keeping track of users, pruning the inactive accounts of long-departed employees and monitoring for suspicious activity are all part of running an SSO system, and each of them can increase an organization's IT security.
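The account hygiene and monitoring just described are easiest to show against real log records. The following is an added example, not code from the article, that runs two checks over a constructed SSO audit log: it lists directory accounts with no successful SSO login in the last 90 days (pruning candidates), and it flags a successful login that follows a burst of failures for the same user, which is what a password-guessing attack against a single SSO credential looks like. The log line format, the user names, the IP addresses and the thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log; one malformed line is included to show that parsing skips it.
SAMPLE_LOG = """\
2007-05-01T10:00:00Z user=dave event=LOGIN_OK ip=10.0.0.12
2007-09-20T08:02:11Z user=alice event=LOGIN_OK ip=10.0.0.5
2007-09-20T08:30:41Z user=bob event=LOGIN_OK ip=10.0.0.9
2007-09-20T22:14:03Z user=carol event=LOGIN_FAILED ip=203.0.113.7
2007-09-20T22:14:09Z user=carol event=LOGIN_FAILED ip=203.0.113.7
2007-09-20T22:14:15Z user=carol event=LOGIN_FAILED ip=203.0.113.7
2007-09-20T22:14:22Z user=carol event=LOGIN_FAILED ip=203.0.113.7
2007-09-20T22:15:01Z user=carol event=LOGIN_OK ip=203.0.113.7
2007-09-21T09:00:00Z user=alice event=LOGIN_FAILED ip=10.0.0.5
2007-09-21T09:00:30Z user=alice event=LOGIN_OK ip=10.0.0.5
this line is not an audit record and is skipped
"""

# Constructed directory listing; erin has an account but has never logged in via SSO.
DIRECTORY_USERS = ["alice", "bob", "carol", "dave", "erin"]
NOW = datetime(2007, 9, 28, tzinfo=timezone.utc)

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) ip=(?P<ip>\S+)$")

def parse(lines):
    """Turn raw audit lines into sorted event dicts; malformed lines are dropped, not guessed at."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "user": m["user"], "event": m["event"], "ip": m["ip"]})
    return sorted(events, key=lambda e: e["ts"])

def inactive_accounts(directory_users, events, now, max_idle_days=90):
    """Accounts with no successful SSO login inside the idle window, including never-used ones."""
    last_ok = {}
    for e in events:
        if e["event"] == "LOGIN_OK":
            last_ok[e["user"]] = max(last_ok.get(e["user"], e["ts"]), e["ts"])
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(u for u in directory_users if u not in last_ok or last_ok[u] < cutoff)

def suspicious_logins(events, max_failures=3, window=timedelta(minutes=10)):
    """Flag a LOGIN_OK preceded by at least `max_failures` LOGIN_FAILED for that user within `window`.
    With SSO this is the one credential that opens everything, so a guessed password is the key alert."""
    recent = defaultdict(list)   # user -> failures still inside the window
    alerts = []
    for e in events:
        r = recent[e["user"]]
        r[:] = [f for f in r if e["ts"] - f["ts"] <= window]
        if e["event"] == "LOGIN_FAILED":
            r.append(e)
        elif e["event"] == "LOGIN_OK" and len(r) >= max_failures:
            alerts.append({
                "user": e["user"],
                "ts": e["ts"],
                "failures": len(r),
                "ips": sorted({f["ip"] for f in r} | {e["ip"]}),
            })
            r.clear()
    return alerts

def report(log_text=SAMPLE_LOG, directory_users=DIRECTORY_USERS, now=NOW):
    events = parse(log_text.splitlines())
    return {
        "events": len(events),
        "inactive": inactive_accounts(directory_users, events, now),
        "alerts": suspicious_logins(events),
    }

if __name__ == "__main__":
    result = report()
    print("parsed events:", result["events"])
    print("inactive accounts to review:", result["inactive"])
    for a in result["alerts"]:
        print(f"ALERT {a['user']} succeeded at {a['ts']:%Y-%m-%d %H:%M:%S} after {a['failures']} failures from {a['ips']}")
```

Both checks depend on the SSO server being the single place every login is recorded; with separate per-application logs the same questions would have to be answered once per system, which in practice means they are not answered at all.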

This was first published in September 2007
