
The Power and Responsibility of Single Sign-On

Single Sign-On (SSO) is a powerful productivity tool used by many organizations today. It facilitates access to on-premises and cloud-based applications, all based on the user authenticating once. This dramatically simplifies the user experience: the user simply logs on to Windows, opens a web browser or portal application, and launches any and every application IT has provisioned for them.

But as Peter Parker’s Uncle Ben taught us, “with great power comes great responsibility”, and the power SSO wields is considerable:

  • One Account, Lots of Access – From a user perspective, this is great! But the head of your security team is developing nervous tics just thinking about it.

  • One Click Away from Disaster – Ok, we’ll admit we’re being a bit over-dramatic, but after a single provisioning mistake on the part of IT, a user not only has access to data that has nothing to do with their role in the organization; IT has also put the icon for that application right in front of them!

  • Instant Extension of the Security Perimeter – gone are the days when the corporate network was defined by endpoints in cubicles and four walls of concrete; SSO takes users beyond those physical walls, giving local and remote users alike instant access to web-based data and applications and making the globe your perimeter.

  • An Attacker’s Nirvana – Once external attackers have a foothold in your organization (likely an endpoint infected with malware), their next move is to attempt to move laterally within the organization, a move that usually requires additional credentials. They do this in order to gain access to data and applications outside the endpoint itself. But, wait… that sounds really familiar, doesn’t it? Kind of like exactly what SSO does? Granted, SSO only provides access to the applications and data the user needs to do their job (as long as IT implements it error-free…), but it’s not like you’re making it difficult for the attacker, are you? Whatever the compromised user can reach with one click, the attacker on that endpoint can reach with the same click, no additional credentials required.

Does this make SSO a bad choice for organizations? Of course not. But it’s important to recognize that, unlike most enterprise-wide initiatives, SSO introduces some serious capabilities that may add risk to the organization. Think about it: as a general rule, simplifying access to lots of different applications for users who can be anywhere in the world, potentially on any device, adds up to a potential for disaster (remember – great power...).

So, what are IT’s responsibilities, given this great power of SSO?

There are a number of aspects of SSO IT can employ to improve the security of the organization as it uses SSO to increase the productivity of its users.

In general, IT has a responsibility to recognize:

  • The Abundance of Access – Uncle Ben’s warning was as much about Peter Parker exercising self-control, as it was simply acknowledging that the power exists. You can’t do the former without the latter. So, the first step in taking responsibility of SSO is to fully understand the scope of SSO’s capability.

  • The Potential for Disaster – Cyber-criminal organizations today are systematically investigating, documenting, coding and testing against vulnerabilities, making them as effective at being “bad guys” as the security vendors you use are at being “good guys”. Which means you need to be in a constant state of alert; one infected endpoint can spell a data breach, lost productivity, or loss of organizational reputation.

  • The Necessity for Validation – SSO solutions generally support two or more factors of authentication. Because you’re potentially giving a user anytime, any-device access to a ton of data and applications, validate the living daylights out of them. Use every additional factor your SSO solution supports, and prefer the stronger ones: certificates and hardware tokens resist phishing, whereas authentication questions, SMS codes and email verification can be guessed or intercepted and should be treated as the weakest link in the chain rather than the whole chain.

  • The Criticality of the Logon – Because SSO is more about productivity than security for most organizations, put your focus on the single most important point in the SSO process: the logon. You do this for two reasons: 1) no logon, no access, and 2) once logged on, it’s game over. Because the Windows logon is often the only security verification used, putting as many controls as possible in place around it, whether native to Microsoft Windows environments or by leveraging third-party solutions that monitor and manage logon security, will put some needed “responsibility” around this pivotal action in the security of SSO.
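One concrete control around the logon is to watch the Windows Security log for the patterns the bullets above describe: a burst of failed logons followed by a success, one account appearing on several machines in a short window (the lateral movement an attacker with an SSO foothold would attempt), and interactive logons outside business hours. The following is an added example written for this page, not code from the original article or from any vendor product. It runs detection logic over a constructed set of simplified Windows logon events (event IDs 4624 = successful logon and 4625 = failed logon are the real identifiers; the pipe-delimited line format, the account and host names, and the thresholds and business-hours window are assumptions for the example).

```python
"""Detection logic over simplified Windows logon events (constructed sample).

Flags three patterns worth alerting on before SSO fans one logon out to
every provisioned application:
  1. brute force / password spray: threshold+ failed logons (4625) for one
     account inside a window, followed by a success (4624)
  2. lateral movement: one account succeeding on several distinct hosts
     within a short window
  3. interactive logon outside business hours
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, not real telemetry.
# Format (assumed for the example): timestamp|event_id|account|workstation|logon_type
SAMPLE_EVENTS = """\
2024-03-04T08:55:00|4624|alice|WS-ALICE|2
2024-03-04T09:00:00|4625|bob|WS-BOB|2
2024-03-04T09:00:20|4625|bob|WS-BOB|2
2024-03-04T09:00:40|4625|bob|WS-BOB|2
2024-03-04T09:01:00|4625|bob|WS-BOB|2
2024-03-04T09:01:20|4625|bob|WS-BOB|2
2024-03-04T09:03:00|4624|bob|WS-BOB|2
2024-03-04T09:10:00|4624|carol|WS-CAROL|2
2024-03-04T09:12:00|4624|carol|FIN-SRV01|3
2024-03-04T09:14:00|4624|carol|HR-SRV02|3
2024-03-04T02:30:00|4624|dave|WS-DAVE|10
2024-03-04T02:00:00|4624|svc_backup|FILE-SRV01|3
"""

# Windows logon types: 2 = console (interactive), 3 = network, 10 = RemoteInteractive (RDP).
INTERACTIVE_TYPES = {2, 10}
# Assumed business hours for the off-hours rule: 07:00 to 19:59 local time.
BUSINESS_HOURS = range(7, 20)


def parse_events(text):
    """Parse the constructed pipe-delimited lines into dicts, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, eid, account, workstation, ltype = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "event_id": int(eid),
                       "account": account, "workstation": workstation,
                       "logon_type": int(ltype)})
    return sorted(events, key=lambda e: e["ts"])


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """A success preceded by >= threshold failures within `window` for the same account."""
    alerts = []
    by_account = defaultdict(list)
    for e in events:
        by_account[e["account"]].append(e)
    for account, evs in by_account.items():
        failures = []
        for e in evs:
            if e["event_id"] == 4625:
                failures.append(e["ts"])
            elif e["event_id"] == 4624:
                recent = [t for t in failures if e["ts"] - t <= window]
                if len(recent) >= threshold:
                    alerts.append(("brute_force_then_success", account,
                                   f"{len(recent)} failures before success at {e['ts'].isoformat()}"))
                failures = []  # a success ends the streak under inspection
    return alerts


def detect_lateral_movement(events, min_hosts=3, window=timedelta(minutes=10)):
    """One account with successful logons on >= min_hosts distinct hosts inside `window`."""
    alerts = []
    by_account = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624:
            by_account[e["account"]].append(e)
    for account, evs in by_account.items():
        for i, start in enumerate(evs):
            hosts = {x["workstation"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(hosts) >= min_hosts:
                alerts.append(("lateral_movement", account,
                               f"{sorted(hosts)} within {window}"))
                break  # one alert per account is enough
    return alerts


def detect_off_hours(events):
    """Interactive (console/RDP) successes outside BUSINESS_HOURS; network logons are ignored."""
    return [("off_hours_interactive", e["account"],
             f"logon type {e['logon_type']} at {e['ts'].isoformat()}")
            for e in events
            if e["event_id"] == 4624
            and e["logon_type"] in INTERACTIVE_TYPES
            and e["ts"].hour not in BUSINESS_HOURS]


def run_detections(text=SAMPLE_EVENTS):
    """Run all three rules and return the combined list of (rule, account, detail) alerts."""
    events = parse_events(text)
    return (detect_brute_force(events)
            + detect_lateral_movement(events)
            + detect_off_hours(events))


if __name__ == "__main__":
    for rule, account, detail in run_detections():
        print(f"{rule:26} {account:12} {detail}")
```

On the sample, bob trips the brute-force rule, carol the lateral-movement rule and dave the off-hours rule, while alice's normal console logon and the service account's overnight network logons (type 3, deliberately excluded from the off-hours rule) produce nothing. Thresholds and the business-hours window are starting points, not recommendations; tune them to your own logon baseline before acting on the alerts.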

Responsibility is a mindset; one that eventually turns into a change in behavior. SSO’s power demands that IT take a responsible stance around the security SSO requires. By doing so, IT harnesses the power of SSO, leveraging it as not just a productivity tool, but a security tool as well.

White Paper
Overcoming the Security Risk in Active Directory Single Sign-On

Learn more about the risk Single Sign-On introduces by reading the white paper.