1/10/2013 02:27 AM

Single Sign-On Mythbusting

SSO is not an IAM or security cure-all, but it isn't a security killer either

It's no secret that single sign-on (SSO) has been hunted down for years like a mythical identity management treasure--get it right and all those identity and access management (IAM) woes are cured, right? Well, not exactly, say experts.

"Just like the Holy Grail and the Golden Fleece, most people who go on a quest for SSO start their journeys with some mistaken ideas about what they are after," says Jonathan Sander, director of IAM business development for Quest Software, now a part of Dell.

In order to avoid tilting at windmills, it makes sense for IT executives to clear up some of the common misconceptions in advance to ensure that their pursuit of SSO makes sense for their needs.

[Are you making a big IAM mistake? See 7 Costly IAM Mistakes.]

SSO Solves All IAM Ills

One of the most dangerous myths that IT executives hold onto is that SSO is the answer to their entire messy identity and access management (IAM) problem, Sander says.

"I can't blame them. SSO is the end user-facing part of the problem," he says. "People's problems with remembering passwords, signing in again and again, and sharing credentials to get business tasks done are the parts of the IAM challenge they see."

But counting on SSO to solve all of IAM's ills is kind of like building a car with an amazing dashboard and steering wheel and putting in a lawnmower engine.

"SSO may give the end user their amazing steering wheel, but there are many things IAM needs to do under the hood that SSO doesn't touch," he says.

Take, for example, one of IAM's thornier issues: account provisioning. Many executives are under the misconception that under an SSO regime, account deprovisioning headaches go the way of the dodo. It's one of the most dangerous myths out there, says Nishant Kaushik, chief architect for Identropy.

"This approach, which is cited far more often than it should be, actually creates a security risk, because the account being protected by SSO remains active even after SSO access is cut off," he says.

Not only are those orphaned accounts open to abuse by insiders or by attackers who find them, but the departing user can keep access through sessions that were already open, say on a home computer, at the moment SSO access was shut off: cutting the front door does nothing to a session the application has already issued.

"This problem can have significant consequences in the context of employee termination," says Tom Cross, director of security research for Lancope. "If the employee still has active login sessions from their systems at home, they may still be able to get access to the network after their account has been deactivated."
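The deprovisioning gap Kaushik and Cross describe can be checked mechanically. The Python below is an added example, not code from the article or from any of the vendors quoted. It reconciles a constructed list of users the identity provider (IdP) has disabled, with the time of each cut-off, against a constructed export of downstream application accounts and a constructed list of live sessions, and reports two things: application accounts still enabled for users the IdP no longer admits, and sessions that an application checking only token age would keep honoring for a terminated user. It also shows the per-request check an application should make instead. All usernames, application names and timestamps are invented.

```python
"""Reconcile IdP deprovisioning against downstream application accounts and
live sessions.  Added example with constructed data; not taken from any
real IAM product or identity store."""

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class AppAccount:
    app: str
    username: str
    enabled: bool


@dataclass(frozen=True)
class Session:
    app: str
    username: str
    issued_at: datetime  # when the application minted the session or token


# Constructed inputs: hypothetical users, applications and times.
IDP_DISABLED_AT = {"jdoe": datetime(2013, 1, 10, 9, 0, tzinfo=UTC)}  # termination

APP_ACCOUNTS = [
    AppAccount("crm", "jdoe", enabled=True),     # SSO cut off, account still live
    AppAccount("wiki", "jdoe", enabled=False),   # properly deprovisioned
    AppAccount("crm", "asmith", enabled=True),   # current employee
]

SESSIONS = [
    Session("crm", "jdoe", datetime(2013, 1, 10, 8, 30, tzinfo=UTC)),   # home PC, still open
    Session("wiki", "jdoe", datetime(2013, 1, 9, 8, 0, tzinfo=UTC)),    # old, past max age
    Session("crm", "asmith", datetime(2013, 1, 10, 9, 30, tzinfo=UTC)),
]

NOW = datetime(2013, 1, 10, 10, 0, tzinfo=UTC)   # time of the audit run
MAX_AGE = timedelta(hours=8)                      # application's own session lifetime


def find_orphaned_accounts(idp_disabled_at, app_accounts):
    """Application accounts still enabled for users the IdP has disabled.
    Cutting SSO access closed the front door; these are the back doors."""
    return sorted(
        (a.app, a.username)
        for a in app_accounts
        if a.username in idp_disabled_at and a.enabled
    )


def surviving_sessions(idp_disabled_at, sessions, now, max_age):
    """Sessions an application that checks only token age would still honor
    for a disabled user: minted before the cut-off and not yet past max_age."""
    return sorted(
        (s.app, s.username)
        for s in sessions
        if s.username in idp_disabled_at
        and s.issued_at < idp_disabled_at[s.username]
        and now - s.issued_at <= max_age
    )


def is_session_valid(session, idp_disabled_at, now, max_age):
    """Per-request check an application should make: a disabled user is
    rejected regardless of when the session was issued; only then does the
    age limit apply."""
    if session.username in idp_disabled_at:
        return False
    return now - session.issued_at <= max_age


if __name__ == "__main__":
    print("orphaned accounts:", find_orphaned_accounts(IDP_DISABLED_AT, APP_ACCOUNTS))
    print("sessions an expiry-only app still honors:",
          surviving_sessions(IDP_DISABLED_AT, SESSIONS, NOW, MAX_AGE))
    for s in SESSIONS:
        verdict = is_session_valid(s, IDP_DISABLED_AT, NOW, MAX_AGE)
        print(s.app, s.username, "valid" if verdict else "rejected")
```

The reconciliation is only as good as the export of application accounts it is fed; an application that is not in the export is exactly the kind of orphan the article warns about. The session check assumes the application can consult the IdP's disabled list (or an equivalent revocation signal) on every request, which is the design decision that actually closes the gap.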

Security Is A Gimme With SSO

Organizations that believe SSO is an IAM panacea also tend to fall into the trap of believing that SSO automatically raises an organization's security posture. But as many authentication and IAM experts will tell you, not all SSO technologies and implementations are created equal.

"There is a big distinction between SSO solutions that look to eliminate passwords and that embrace standards, versus the SSO solutions that simply mask passwords and just replay them on behalf of the user like password managers replay passwords," says Patrick Harding, CTO of Ping Identity. "The solutions that simply mask passwords are doing nothing to alleviate poor password security."

Not only is it critical to choose the right technology, but identity governance plays a big part in how well SSO improves security.

"The claim about SSO providing security because it avoids the use of multiple passwords for multiple accounts only holds up if an organization has stringent governance controls in place around the 'one and only actual sign-on' that occurs and controls around all the entitlements a person gets across multiple applications as a result of the sign-on," says Deepak Taneja, CTO and founder of Aveksa. "Without such controls, SSO can actually lead to a less secure environment that is more susceptible to breaches."

SSO Is Only A Tool Of Convenience

Because so many organizations have implemented SSO without those controls, the flip side of the SSO security myth is another camp's perception that all SSO tools are only built for convenience. The argument is that SSO can never be a secure tool because all of the authentication eggs are in one basket.

"This case would be true, if you were to enable the same poor password security at the authentication point that occurs at most websites," Harding says. "The premise is false because the authentication point is where the toughest security standards are enacted. This is the whole idea behind SSO – it's simply not cost-effective to enable strong security at hundreds of thousands of individual applications."

In reality, SSO isn't the problem, says Don Turnblade, information security architect for BestIT, a Phoenix-based IT service provider. It is just a lens that magnifies already existing risk management problems within the organization.

"In my view, SSO itself is largely not a security risk; rather, the uncured, uncontrolled, status quo defects in account and access rights management are the true danger," he says. "SSO simply clarifies the hidden risk that was always there."

Paul Hill of SystemExperts agrees.

"To control that risk, organizations must have a solid handle on account provisioning, entitlement management, de-provisioning, and credential management including password resets," says Hill, a senior consultant for his firm. "If an organization can correctly and accurately determine that all accounts are using strong credentials, and good identity management practices are in place, then SSO does provide a return on investment."

SSO Eliminates Need For Passwords

This myth is pretty natural given SSO's name, but the fact is that there's nothing single about SSO, says Aaron Berman, security solution strategy advisor for CA Technologies.

"With the advent of high security applications on the Web and risk-based and step-up authentication systems, plus the need to limit the scope of any potential security ticket or impact to the business of a server shutdown, the SSO system has moved away from 'single' to more of a 'controlled and managed' sign-on solution," he says.

More appropriately, SSO should probably be called reduced sign-on, says Andy Smith, vice president of product management for Bitzer Mobile.

"It is very difficult to have all applications a user needs access to support a single standard or able to be mapped to a password bank," Smith says.

But that doesn't mean that SSO won't make end users' jobs easier, says Sander of Quest, who says that many executives have an all-or-nothing attitude about SSO and tend to "throw in the towel on the whole thing" when they learn they can't roll up every authentication process into the proposed SSO system. But plan things well enough and the users will still be satisfied.

"If you can give them SSO for the core application they use most often or if you can give them SSO for those applications that they don't use that often but are critical a few times a year, they will likely be very happy with that result," he says.

On the administrator side, IT just has to keep this myth in mind when it comes to monitoring accounts, says Cross of Lancope. Because many enterprise accounts will still exist outside of the SSO system, IT can't just rely on SSO logs to keep tabs on user activity.

"These accounts and systems can become backdoors that allow access that can't be monitored by watching authentications at the central identity store," he says. "Organizations must not assume that they can see all system and network accesses merely by observing the logs on the SSO system."
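Cross's point is checkable in the logs. The Python below is an added example, not code from the article or from Lancope; it correlates constructed IdP authentication log lines with constructed application login log lines and flags two kinds of access the SSO system's own logs would never show: logins made with a local, non-SSO credential, and logins that claim to be SSO-backed but have no matching IdP success for that user and application inside a short window. The log format, field names, users and applications are all invented; the technique (correlate every application login back to an IdP assertion, and treat the leftovers as the back doors) is what the paragraph describes.

```python
"""Find application logins that bypass, or are not backed by, the SSO
system.  Added example with constructed log lines; the format and names
are hypothetical and not from any real product."""

import re
from datetime import datetime, timedelta, timezone

# Constructed IdP log: one line per authentication attempt at the central store.
IDP_LOG = """\
2013-01-10T08:00:01Z idp auth user=jdoe app=crm result=success
2013-01-10T08:05:00Z idp auth user=asmith app=wiki result=failure
2013-01-10T08:10:00Z idp auth user=asmith app=wiki result=success
"""

# Constructed application logs: one line per login the application accepted.
APP_LOG = """\
2013-01-10T08:00:03Z crm login user=jdoe method=sso
2013-01-10T08:10:02Z wiki login user=asmith method=sso
2013-01-10T08:20:00Z crm login user=svc_backup method=local
2013-01-10T09:00:00Z wiki login user=jdoe method=sso
"""

LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<event>\S+) (?P<kv>.*)$")


def parse(text):
    """Turn '<ts> <source> <event> k=v k=v ...' lines into dicts."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip anything that is not in the expected shape
        fields = dict(kv.split("=", 1) for kv in m["kv"].split())
        fields["ts"] = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc)
        fields["src"] = m["src"]
        fields["event"] = m["event"]
        events.append(fields)
    return events


def idp_successes(idp_events):
    """Index successful IdP authentications by (user, app)."""
    index = {}
    for e in idp_events:
        if e.get("result") == "success":
            index.setdefault((e["user"], e["app"]), []).append(e["ts"])
    return index


def find_sso_bypass(idp_text, app_text, window=timedelta(seconds=60)):
    """Return (timestamp, app, user, reason) for every application login that
    the SSO logs alone would not account for."""
    idp = idp_successes(parse(idp_text))
    findings = []
    for e in parse(app_text):
        if e["event"] != "login":
            continue
        if e.get("method") != "sso":
            findings.append((e["ts"], e["src"], e["user"],
                             "local credential used; login never touched the SSO system"))
            continue
        # An SSO login must be preceded, within the window, by an IdP success
        # for the same user and the same application.
        backed = any(timedelta(0) <= e["ts"] - t <= window
                     for t in idp.get((e["user"], e["src"]), []))
        if not backed:
            findings.append((e["ts"], e["src"], e["user"],
                             "claims sso but no IdP success for this user/app within window"))
    return findings


if __name__ == "__main__":
    for ts, app, user, reason in find_sso_bypass(IDP_LOG, APP_LOG):
        print(f"{ts.isoformat()} {app} {user}: {reason}")
```

Run against real data this needs the application logs collected in the first place; an application that logs nowhere the SIEM can see is invisible to both the IdP-centric view and this correlation, which is the article's point. The window size is a tuning choice: too tight and slow redirects produce false positives, too loose and a replayed or locally issued session hides behind an unrelated earlier assertion.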
