Q

Extending SSO outside the company: Is it worth the risk?

Thinking of extending SSO outside your company? Read this Identity Management and Access Control Ask the Expert Q&A. Resident expert Joel Dubin examines it's potential risks and what organizations can do to prevent malicious access to your network systems.

What are the risks of trying to extend SSO outside of a company? Is it worth it?
Single sign-on (SSO) has always been a double-edged sword. On one hand, it provides users with a convenient way to log on to multiple systems with one password, replacing the multiple passwords they had before. On the other hand, it is a single point of failure from a security perspective. If a user's SSO password is compromised, or the SSO server is attacked, the whole system becomes a gateway for uninvited guests.

Whether you should extend SSO outside your company is really a business decision you have to make. You need to

ask yourself if there's a real business purpose for allowing a partner or vendor to have complete access to your system.

If the answer is yes, you need to perform two thorough risk analyses, one on your systems that will be accessed, and one on the outside party who will have SSO access to your system. If the risk analysis determines that the systems being accessed are low risk, meaning they don't have sensitive customer data or aren't used for financial transactions, then it may be worthwhile. For example, your company might be partnering with a marketing outfit that uses demographic data from your sales for market research. Such data usually can't be traced back to individual customers, where it could be used for draining accounts or stealing identities.

Make sure you perform a complete security review of any outside vendor you allow to access your system to verify that they meet your stringent security standards. The review should include tours of data centers for both physical and information security, whether employees go through background checks and if they have an information security policy or security awareness training program. Otherwise, they could be the weak link that allows malicious access to your system.

For More Information on SSO and authentication:

  • Attend our Security School and learn how to build an effective identity and access management program.
  • Learn how SSO can benefit enterprises.
  • This was first published in August 2006

    Dig deeper on Enterprise Single Sign-On (SSO)

    Pro+

    Features

    Enjoy the benefits of Pro+ membership, learn more and join.

    Have a question for an expert?

    Please add a title for your question

    Get answers from a TechTarget expert on whatever's puzzling you.

    You will be able to add details on the next page.

    0 comments

    Oldest 

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to:

    SearchCloudSecurity

    SearchNetworking

    SearchCIO

    SearchConsumerization

    SearchEnterpriseDesktop

    SearchCloudComputing

    ComputerWeekly

    Close