Home > Ask the Security Experts > Identity Management and Access Control Questions & Answers > Does single sign-on (SSO) improve security?
Ask The Security Expert: Questions & Answers
EMAIL THIS

Does single sign-on (SSO) improve security?

Joel Dubin, past SearchSecurity.com expert EXPERT RESPONSE FROM: Joel Dubin, past SearchSecurity.com expert

Pose a Question
Other Security Categories
Meet all Security Experts
Become an Expert for this site


Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   


>
QUESTION POSED ON: 17 July 2007
My organization is trying to determine whether single sign-on should be a corporate priority. Under what circumstances can it significantly improve security?

>
Single sign-on (SSO) is a two-edged sword. SSO by itself doesn't really improve security and, in fact, if not deployed properly can degrade security. SSO is used more for user convenience.

As a company's systems multiply, with each one requiring its own password, SSO eases the burden of having to spend time logging on to each system individually. But at the same time, if SSO is compromised, it gives the keys to the castle to a malicious user. On the other hand, having fewer credentials around, means there's fewer to lose or compromise.

So even though SSO isn't a security panacea in and of itself, it can make positive contributions to an enterprise information security program. Here's how.

SSO systems are often based on complex systems management applications, like IBM Tivoli, or hardware-based appliances, like those from Imprivata Inc. As a result, SSO systems can centralize authentication on special servers. They do this by using dedicated servers for holding the SSO modules. These server acts as the SSO gatekeeper, making sure all authentication passes first through the SSO server, which then passes along the credential it has stored for authenticating the particular application registered with the SSO system. This centralization requires more planning, tuning and auditing to prevent malicious access than single authentication systems do.

Also, SSO systems usually have more secure storage of authentication credentials and encryption keys, making them more of a challenge for a hacker to crack. They also sit deep inside a company's IT architecture, usually tucked safely behind multiple firewalls.

All of this requires a lot of extra documentation, which auditors and regulators love. So, although compliance may not necessarily equal security, the extra steps needed for compliance can enhance security. Section 404 of the Sarbanes-Oxley Act (SOX) requires documentation of controls and most SSO systems meet that requirement.

These documentation requirements include logging and monitoring of user accounts. Keeping track of users, pruning out inactive accounts of long-gone employees and monitoring suspicious activity are all part of SSO and can increase an organization's IT security.

For more information:

  • Learn how to test an enterprise single sign-on login.
  • In this expert response, security pro Joel Dubin discusses if enterprise single sign-on (SSO) can be used to provide authentication for remote logons.


    • BROWSE BY TAG
    Identity Management and Access Control,   Enterprise Single Sign-On (SSO),   Enterprise Identity and Access Management,   User Authentication Services,   Expert Archive: Identity Management and Access Control,   VIEW ALL TAGS

    Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   



    RELATED CONTENT
    Identity Management and Access Control
    IT business justification to limit network access
    Prevent password cracking with password management strategies
    Is Identity Management as a Service (IDaaS) a good idea?
    How to log in to multiple servers with federated single sign-on (SSO)
    How to confirm the receipt of an email with security protocols
    Learn about enterprise strategy for server virtualization single sign-on
    Employee information security awareness training for new IAM systems
    Can you combine RFID tag technology with GPS to track stolen goods?
    Is there a free enterprise-caliber password-management tool?
    Cryptosystem attacks that do not involve obtaining the decryption key

    Enterprise Single Sign-On (SSO)
    How to log in to multiple servers with federated single sign-on (SSO)
    Security on a budget: How to make the most of authentication tools
    Best Identity and Access Management Products
    Changing times for identity management
    Kerberos configuration as an authentication system for single sign-on
    How to use single sign-on for Web access control to prevent malware
    Learn about enterprise strategy for server virtualization single sign-on
    Enterprise single sign-on: Easing the authentication process
    Exploring authentication methods: How to develop secure systems
    User provisioning and SSO for PeopleSoft- and Unix-based products
    Enterprise Single Sign-On (SSO) Research

    Expert Archive: Identity Management and Access Control
    Enterprise password management policy: Finding the balance
    How to conduct a periodic user access review for account privileges
    Options for a mechanical door security system on a server room door
    Comparing access control mechanisms and identity management techniques
    User provisioning and SSO for PeopleSoft- and Unix-based products
    Could someone place a rootkit on an internal network through a router?
    Should a new user have to confirm an email address to gain access?
    Can home PCs provide a way for viruses and spyware to enter a corporate LAN?
    What should an enterprise look for in a password token and a vendor?
    Using batch files for temporary user access to the local admin group

    RELATED GLOSSARY TERMS
    Terms from Whatis.com − the technology online dictionary
    onboarding and offboarding  (SearchSecurity.com)
    single sign-on  (SearchSecurity.com)

    RELATED RESOURCES
    2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
    Search Bitpipe.com for the latest white papers and business webcasts
    Whatis.com, the online computer dictionary



    Search and Browse the Expert Answer Center
    Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.
    Browse our Expert Advice



    Find Security Solutions for Your Business
    TechTarget Security Media
    Information Security View this month\\'s issue and subscribe today.
    Information Security Decisions Apply online for free conference admission.
    		SearchSecurity.com
    HomeNewsMagazineMultimediaWhite PapersLearningAdviceTopicsEventsAbout Us
    SEARCH :     Site Index Powered by: Search Powered by Google

    About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
    TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.

    TechTarget Corporate Web Site  |  Media Kits  |  Site Map




    All Rights Reserved, Copyright 2003 - 2009, TechTarget | Read our Privacy Policy     		  TechTarget - The IT Media ROI Experts