My organization is trying to determine whether single sign-on should be a corporate priority. Under what circumstances...
can it significantly improve security?
Single sign-on (SSO) is a two-edged sword. SSO by itself doesn't really improve security and, in fact, if not deployed properly can degrade security. SSO is used more for user convenience.
As a company's systems multiply, with each one requiring its own password, SSO eases the burden of having to spend time logging on to each system individually. But at the same time, if SSO is compromised, it gives the keys to the castle to a malicious user. On the other hand, having fewer credentials around, means there's fewer to lose or compromise.
So even though SSO isn't a security panacea in and of itself, it can make positive contributions to an enterprise information security program. Here's how.
SSO systems are often based on complex systems management applications, like IBM Tivoli, or hardware-based appliances, like those from Imprivata Inc. As a result, SSO systems can centralize authentication on special servers. They do this by using dedicated servers for holding the SSO modules. These server acts as the SSO gatekeeper, making sure all authentication passes first through the SSO server, which then passes along the credential it has stored for authenticating the particular application registered with the SSO system. This centralization requires more planning, tuning and auditing to prevent malicious access than single authentication systems do.
Also, SSO systems usually have more secure storage of authentication credentials and encryption keys, making them more of a challenge for a hacker to crack. They also sit deep inside a company's IT architecture, usually tucked safely behind multiple firewalls.
All of this requires a lot of extra documentation, which auditors and regulators love. So, although compliance may not necessarily equal security, the extra steps needed for compliance can enhance security. Section 404 of the Sarbanes-Oxley Act (SOX) requires documentation of controls and most SSO systems meet that requirement.
These documentation requirements include logging and monitoring of user accounts. Keeping track of users, pruning out inactive accounts of long-gone employees and monitoring suspicious activity are all part of SSO and can increase an organization's IT security.
- Learn how to test an enterprise single sign-on login.
- In this expert response, security pro Joel Dubin discusses if enterprise single sign-on (SSO) can be used to provide authentication for remote logons
Dig Deeper on Single-sign on (SSO) and federated identity
Related Q&A from Joel Dubin
Learn about the purpose of CAPTCHA challenges that enable websites to differentiate bots from authentic users to stop spammers from hijacking forums ... Continue Reading
Proper planning is at the top of the list for single sign-on best practices, but it's important to get enterprise SSO implementations off to a good ... Continue Reading
After a server room door has been compromised, finding a more secure solution is of utmost importance. Learn how to choose a server room door that ... Continue Reading