
	Home > Ask the Security Experts > Identity Management and Access Control Questions & Answers > How SSOs differ from login and passwords

Ask The Security Expert: Questions & Answers

EMAIL THIS

How SSOs differ from login and passwords

EXPERT RESPONSE FROM: Joel Dubin

		Pose a Question

		Other Security Categories

		Meet all Security Experts
		Become an Expert for this site

Digg This!

StumbleUpon

Del.icio.us

QUESTION POSED ON: 06 March 2006
In a previous tip, you classified login and password as High risk and SSO as Medium risk. If login and password are HIGH risk, why would SSO, relying on login and password be a reduced MEDIUM risk?

EXPERT RESPONSE
SSO systems are quite complex and are deployed differently than single authentication systems because they have to synch with diverse types of authentication databases and directories. That means they have stronger built-in controls. Additionally, because SSO systems are a front end to applications, they sit inside a corporate firewall, behind a DMZ, and aren't exposed to users outside the company. For these reasons, I ranked IDs and passwords higher than Single Sign-On (SSO).

But what about remote users on VPNs, you might ask? Aren't these external users going through the firewall to access internal systems through an SSO system? The answer is yes. However, because the user has to log in to the VPN first, using a separate login -- they would first have to breach the VPN before they could even attempt an SSO login breach.

With that said, your point is still valid. On the surface, SSO by definition is a single point of access and could be seen as a single point of entry for a malicious user. However, with the mitigating controls just described, I felt the risk of SSO was lower than that of a simple user ID and password system.

Digg This!

StumbleUpon

Del.icio.us

RELATED CONTENT

	Identity Management and Access Control
	Should a new user have to confirm his or her email address before gaining access?
	Can home PCs provide a way for viruses and spyware to enter a corporate LAN?
	What should an enterprise look for in a password token, and in a vendor?
	Is it possible to write a batch file that allows user access to the local admin group for a short time?
	IAM best practices for employees with varying degrees of access to the same computer
	What are some good pre-boot biometric user authentication tools or strategies?
	If the encryption on the Mifare Classic RFID has been cracked, are smart cards insecure?
	How does the Group Policy Object interact with the 'Password Never Expires' flag?
	How do RFID-blocking passport wallets work?
	What are the benefits of identity managed as a service?

Enterprise Single Sign-On (SSO)

Sun launches open source OpenSSO for identity management

What are the pre-requisites for implementing single sign-on (SSO) in an organization?

Startup Symplified delivers SSO in the cloud

SaaS Offering Handles SSO

Kerberos security evolves for B2B, mobile tech

IBM acquires Encentuate for single sign-on software

Security360: Identity management market

Top 10 access-related controls for PCI compliance

What type of protections should security question and answer authentication credentials have?

Traditional single sign-on (SSO) products versus federated identities

Enterprise Single Sign-On (SSO) Research

Password Policy

Shared Identity Providers Could Soothe Password Chaos

Is it possible to write a batch file that allows user access to the local admin group for a short time?

IAM best practices for employees with varying degrees of access to the same computer

Is it illegal for anyone in an enterprise to ask an employee for his or her password?

Former LendingTree employees pilfer firm's customer database

Security360: Identity management market

Survey finds access control problems at many firms

What are the pros and cons of using stand-alone authentication that is not Active Directory-based?

Should users set up password expiries in Active Directory?

IBM releases simplified Tivoli Identity Manager

RELATED GLOSSARY TERMS

Terms from Whatis.com − the technology online dictionary

single sign-on (SearchSecurity.com)

RELATED RESOURCES

2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems

Search Bitpipe.com for the latest white papers and business webcasts

Whatis.com, the online computer dictionary

Search and Browse the Expert Answer Center
Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.

Browse our Expert Advice
Operating Systems IT Management Networking Database	Security Servers and Storage Applications and Development Career Center

Find Security Solutions for Your Business
Targeted Security Channel Tips for Resellers, Integrators and Consultants

View this month\\'s issue and subscribe today.

Apply online for free conference admission.

SEARCH :

Site Index

TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of technology-specific Web sites, events and magazines.


TechTarget Corporate Web Site \| Media Kits \| Reprints \| Site Map All Rights Reserved, Copyright 2003 - 2008, TechTarget \| Read our Privacy Policy