IS Decisions logo

IS Decisions Blog

Context-aware access security stems from single sign-on (SSO) services vulnerabilities

Single sign-on (SSO) services are convenient, but not without risk. Here's how context-aware access security adds layers of protection.

Published July 4, 2017

Single sign-on, to the user, is a godsend. No more wasting time putting in passwords to individual sites or applications, no more trying to remember a fistful of different username/password combinations.

To businesses, the benefits are also compelling. How? Let's take a look.

The benefits of single sign-on

First, single sign-on improves staff productivity. IS Decisions research found that complex IT security costs each employee 21.88 minutes every week, which equates to 182 days of lost productivity for companies of 250 people, and 21.9 days for companies with 30 people.

Single sign-on services help lower this figure, which translates to major cost savings.

Secondly, single sign-on means fewer help requests to the IT department. Since fewer users will forget their login, this means the IT team has more time to focus on other important work.

However, while the charge to productivity is all well and good, it must not and cannot compromise security.

Anything that makes your corporate systems less safe is not worth pursuing. At the end of the day, convenience is not more important than security.

This is why the recent hack on password manager OneLogin is worrying. Attackers managed to obtain the login credentials of users “served by our [OneLogin’s] US data center” — and the even more worrying part of the breach is that the perpetrators have the power to crack the encrypted data they now have their hands on. This spells bad news for businesses

Why single sign-on services are now vulnerable

The implications of an attack of this kind are serious. Consider this analogy — each individual login is a troop on the frontline of security for the defence of the network. The more troops you have, the stronger that frontline is.

However, by implementing single sign on, a company effectively reduces the number of troops on the front line, rendering what’s left very vulnerable.

To mix that metaphor with a simile, it’s a bit like putting all your eggs in one basket.

We’re not the only ones who hold this opinion. Gartner financial fraud analyst Avivah Litan agrees, saying:

“It’s just such a massive single point of failure.

And this breach shows that other [cloud-based single sign-on] services are vulnerable, too.

This is a big deal and it’s disruptive for victim customers because they have to now change the inner guts of their authentication systems and there’s a lot of employee inconvenience while that’s going on.”

Single sign-on services are certainly a massive point of failure. All it takes is one instance of bad user behavior to lead to a severe breach, for example, an employee sharing a password or leaving a workstation unlocked, an employee falling victim to a phishing attack, or a malicious user stealing a colleague’s credentials.

The OneLogin attack has therefore cast doubt over the security of single sign-on services, and understandably, businesses who use single sign-on services are wondering how to better protect their corporate systems.

Whatever the method, the key is to protect whatever basket you've put your eggs in.

How context-aware technology can protect single sign-on services

One way to do that is through context-aware security. The trouble with passwords is that they behave exactly like keys.

As long as you have the key, you can unlock the door. Context-aware security, though, goes way beyond keys and analyses the situation in which an access attempt takes place to determine whether the person trying to log in is exactly who they say they are.

For example, context-aware security can analyze what geographical area the login is taking place, what device the user is logging in on, what time it’s happening, what the IP address is, and many other pieces of contextual information.

All of this information together builds up a profile of the person logging in, and can shed light on anything suspicious.

For example, say you restrict single sign-on logins to particular workstations, departments, devices, IP addresses, times of day or geographies, organisations can reduce the size of the opportunity for would-be attackers.

To put it another way, if Chuck were using Larry’s credentials to log in from his desktop, and the company had restricted Larry’s logins to just his own devices, Chuck wouldn’t be able to gain entry.

Or if someone in one department used the credentials from someone in another department to gain entry from the wrong workstation, again, the system would deny access.

The value of context-aware security

Context-aware technology has been around for several years but its popularity is growing as a key complement to multi-factor authentication (MFA).

Some of the most devastating security breaches occur as a direct result of compromised credentials. And, with the rise in single sign-on popularity, the consequences of compromised credentials are only set to get worse.

That makes context-aware security plus MFA the equivalent of trading in your wicker egg basket for a virtually impenetrable titanium box.

Try UserLock for free

3400+ organizations like yours choose UserLock to secure access for Active Directory identities and meet compliance requirements.

Download a free trial