
	Home > Ask the Security Experts > Identity Management and Access Control Questions & Answers > Does single sign-on (SSO) improve security?

Ask The Security Expert: Questions & Answers

EMAIL THIS

Does single sign-on (SSO) improve security?

EXPERT RESPONSE FROM: Joel Dubin

		Pose a Question

		Other Security Categories

		Meet all Security Experts
		Become an Expert for this site

Digg This!

StumbleUpon

Del.icio.us

QUESTION POSED ON: 17 July 2007
My organization is trying to determine whether single sign-on should be a corporate priority. Under what circumstances can it significantly improve security?

EXPERT RESPONSE
Single sign-on (SSO) is a two-edged sword. SSO by itself doesn't really improve security and, in fact, if not deployed properly can degrade security. SSO is used more for user convenience.

As a company's systems multiply, with each one requiring its own password, SSO eases the burden of having to spend time logging on to each system individually. But at the same time, if SSO is compromised, it gives the keys to the castle to a malicious user. On the other hand, having fewer credentials around, means there's fewer to lose or compromise.

So even though SSO isn't a security panacea in and of itself, it can make positive contributions to an enterprise information security program. Here's how.

SSO systems are often based on complex systems management applications, like IBM Tivoli, or hardware-based appliances, like those from Imprivata Inc. As a result, SSO systems can centralize authentication on special servers. They do this by using dedicated servers for holding the SSO modules. These server acts as the SSO gatekeeper, making sure all authentication passes first through the SSO server, which then passes along the credential it has stored for authenticating the particular application registered with the SSO system. This centralization requires more planning, tuning and auditing to prevent malicious access than single authentication systems do.

Also, SSO systems usually have more secure storage of authentication credentials and encryption keys, making them more of a challenge for a hacker to crack. They also sit deep inside a company's IT architecture, usually tucked safely behind multiple firewalls.

All of this requires a lot of extra documentation, which auditors and regulators love. So, although compliance may not necessarily equal security, the extra steps needed for compliance can enhance security. Section 404 of the Sarbanes-Oxley Act (SOX) requires documentation of controls and most SSO systems meet that requirement.

These documentation requirements include logging and monitoring of user accounts. Keeping track of users, pruning out inactive accounts of long-gone employees and monitoring suspicious activity are all part of SSO and can increase an organization's IT security.

For more information:

Learn how to test an enterprise single sign-on login.

In this expert response, security pro Joel Dubin discusses if enterprise single sign-on (SSO) can be used to provide authentication for remote logons.

Digg This!

StumbleUpon

Del.icio.us

RELATED CONTENT

	Identity Management and Access Control
	What are the pre-requisites for implementing single sign-on (SSO) in an organization?
	To what exactly would a request for biometric data from an insurance provider pertain?
	Is it possible to support users to have their own IDs with root privilege so they aren't sharing a root password?
	What is the purpose of RFID identification?
	CardSpace vs. user IDs and passwords
	Biometrics vs. biostatistics
	What are the dangers of using radio frequency identification (RFID) tags?
	What are the risks of connecting a Web service to an external system via SSL?
	What should an internal support model for identity management look like?
	How are biometric signatures more than a fingerprint scanner?

Enterprise Single Sign-On (SSO)

What are the pre-requisites for implementing single sign-on (SSO) in an organization?

Startup Symplified delivers SSO in the cloud

SaaS Offering Handles SSO

Kerberos security evolves for B2B, mobile tech

IBM acquires Encentuate for single sign-on software

Security360: Identity management market

Top 10 access-related controls for PCI compliance

What type of protections should security question and answer authentication credentials have?

Traditional single sign-on (SSO) products versus federated identities

Best practices for deploying enterprise single sign-on (SSO)

Enterprise Single Sign-On (SSO) Research

RELATED GLOSSARY TERMS

Terms from Whatis.com − the technology online dictionary

single sign-on (SearchSecurity.com)

RELATED RESOURCES

2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems

Search Bitpipe.com for the latest white papers and business webcasts

Whatis.com, the online computer dictionary

Search and Browse the Expert Answer Center
Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.

Browse our Expert Advice
Operating Systems IT Management Networking Database	Security Servers and Storage Applications and Development Career Center

Find Security Solutions for Your Business
Targeted Security Channel Tips for Resellers, Integrators and Consultants

View this month\\'s issue and subscribe today.

Apply online for free conference admission.

SEARCH :

Advanced Search | Site Index

TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of technology-specific Web sites, events and magazines.


TechTarget Corporate Web Site \| Media Kits \| Reprints \| Site Map All Rights Reserved, Copyright 2003 - 2008, TechTarget \| Read our Privacy Policy