Single sign-on (SSO) solutions were rapidly rising in popularity even before the COVID-19 pandemic prompted a mad rush to the cloud. Now, SSO is more popular than ever due to the convenience and security benefits it provides organizations with distributed workforces, including:
Only one password for employees to remember. The elimination of “password fatigue” is one of the biggest drivers for SSO adoption. Instead of a different password for every app and service, employees need only memorize their single sign-on password.
Only one password to enter, once a day. Besides not having to remember multiple passwords, employees don’t need to enter multiple passwords throughout the workday. They enter their SSO password once, at the beginning of the workday, which eliminates the time wasted typing in passwords throughout the day.
Cut help desk tickets in half. The Gartner Group estimates that password resets account for up to 50% of help desk tickets. SSO promises to virtually eliminate these tickets, enabling support employees to spend more time helping end users with more complex problems.
Easier deployment of identity and access management (IAM). SSO reduces the complexity of configuring authentication and access controls, enabling faster and simpler deployment of IAM solutions, as well as a faster path to a zero-trust environment.
Easier compliance reporting. Many common compliance frameworks require audit trails of user sign-on data. SSO makes it easier to include this data in compliance reports.
SSO’s Shortcoming: Password-Related Security Gaps
The purpose of SSO is to make accessing resources easier. That’s great for productivity, but not from a security perspective:
A single password equates to a single point of failure. If an employee loses or forgets the password to a single account, they’re locked out of that account. If they forget their SSO password, they’re locked out of all of their accounts. Even more concerning, if a cybercriminal gets hold of an SSO password, they can get into all of the employee’s work-related accounts. Verizon estimates that over 80% of successful data breaches result from compromised passwords, so this is an enormous drawback.
Legacy line-of-business (LOB) apps don’t support SSO. Despite the COVID-19 pandemic having accelerated digital transformation efforts by several years, most organizations still use at least a few legacy LOB apps that don’t support SSO. Because they’re so old, modernizing them isn’t realistic; because they’re so highly specialized, replacing them isn’t feasible, either.
Not all modern apps support SSO. Legacy apps aren’t the only sticking point. Many modern apps and services don’t support SSO either, particularly desktop apps. It is rare for an organization’s SSO deployment to cover all of the apps their employees use, especially in larger enterprises, where literally hundreds of apps may be in use.
Different apps may use different SSO protocols. Your employees may need to use apps that use a different protocol than your organization’s identity provider (IdP) uses. For example, if your IdP uses the SAML protocol, your SSO solution won’t support apps that use OAuth.
No control over user password habits. SSO deployments don’t provide any visibility into bad password security practices. Employees may choose a weak or previously compromised password for their SSO login, or they may reuse a password that they’re already using on multiple other accounts. They may do the same thing for all of the apps that your SSO deployment doesn’t support. They may also share their passwords with unauthorized parties.
No protections for privileged users or sessions. Typically, users must enter separate credentials to access especially sensitive systems and data, but the purpose of SSO is to give users an all-access pass with a single authentication.
4 Ways to Bridge the Password-Related Security Gaps Left by SSO
Despite these risks, security-minded organizations shouldn’t toss out their SSO deployments. No security solution is a panacea. By pairing their SSO solutions with complementary technologies, organizations can shore up password-related security gaps while retaining the productivity and ease-of-use benefits of SSO.
#1. Implement role-based access control (RBAC) with least-privilege access for all users
The principle of least privilege, which dictates that users should have access to only the minimum level of system privileges to do their jobs and no more, is critical to reducing an organization’s potential attack surface. Enter RBAC, which simplifies the assignment and management of access control levels. To make RBAC role assignments more manageable, avoid assigning roles directly to users. Instead, create groups, assign privileges to the groups, and add users to the groups accordingly. In addition to minimizing the number of role assignments, this practice saves time if a privilege change needs to be made to every user within a group. Make sure your groups are reusable and avoid creating too many custom roles.
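The group-based assignment pattern described above, as an added example that is not part of the original article: privileges attach to groups, users attach to groups, and a user's effective privileges are the union of their groups' privileges. It also shows why the pattern saves time, since one change to a group reaches every member. The group and privilege names are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Rbac:
    """Minimal group-based RBAC: no privileges are ever assigned to a user directly."""
    group_privs: dict[str, set[str]] = field(default_factory=dict)  # group -> privileges
    user_groups: dict[str, set[str]] = field(default_factory=dict)  # user -> groups

    def define_group(self, group: str, privs: set[str]) -> None:
        self.group_privs[group] = set(privs)

    def add_user(self, user: str, *groups: str) -> None:
        # Refuse membership in groups that were never defined (fail closed).
        unknown = set(groups) - set(self.group_privs)
        if unknown:
            raise ValueError(f"unknown groups: {sorted(unknown)}")
        self.user_groups.setdefault(user, set()).update(groups)

    def grant_to_group(self, group: str, priv: str) -> None:
        # One change here propagates to every member of the group.
        self.group_privs[group].add(priv)

    def effective_privileges(self, user: str) -> set[str]:
        # Union of the privileges of every group the user belongs to.
        groups = self.user_groups.get(user, set())
        return set().union(*(self.group_privs[g] for g in groups))

    def is_allowed(self, user: str, priv: str) -> bool:
        # Deny by default: an unknown user or a user with no groups has nothing.
        return priv in self.effective_privileges(user)


def demo() -> dict[str, bool]:
    """Constructed scenario: two reusable groups, two users, one group-level change."""
    rbac = Rbac()
    rbac.define_group("helpdesk", {"ticket:read", "ticket:update"})
    rbac.define_group("finance-readonly", {"ledger:read"})
    rbac.add_user("alice", "helpdesk")
    rbac.add_user("bob", "helpdesk", "finance-readonly")
    close_before = rbac.is_allowed("alice", "ticket:close")
    rbac.grant_to_group("helpdesk", "ticket:close")  # reaches alice and bob at once
    return {
        "alice_ledger": rbac.is_allowed("alice", "ledger:read"),      # least privilege
        "bob_ledger": rbac.is_allowed("bob", "ledger:read"),
        "alice_close_before": close_before,
        "alice_close_after": rbac.is_allowed("alice", "ticket:close"),
        "unknown_user": rbac.is_allowed("mallory", "ticket:read"),    # deny by default
    }
```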
#2. Implement Privileged Access Management (PAM) with Privileged Session Management (PSM) for privileged users
Unlike SSO, which focuses on making access as easy as possible, PAM focuses on restricting access to a company’s most sensitive systems and data. Organizations use PAM to restrict and monitor access to their most critical and sensitive systems. Privileged users are typically high-level company insiders, such as IT and security admins and C-level executives, although trusted vendors and partners may also fall into this category. PAM and PSM go hand-in-hand. While PAM controls user access to sensitive resources, PSM prevents privileged users from abusing that access by controlling, monitoring, and recording privileged user sessions. Typical PSM monitoring and recording are very granular and include keystrokes, mouse movements, and screenshots. In addition to ensuring security, PSM audit trails are required by several compliance frameworks, including HIPAA, PCI DSS, FISMA, and SOX.
#3. Implement multi-factor authentication on all apps and services that support it
Multi-factor authentication (2FA) is one of the most powerful defenses against compromised passwords. Even if a cybercriminal compromises a password, they can’t use it without the second authentication factor. 2FA protects all users, from those with the most minimal system access to the company’s most privileged users. It enhances zero trust by allowing organizations to authenticate user identities. Some organizations hesitate to implement 2FA for fear it will impede productivity by forcing employees to go through additional steps to log in. This problem is easily rectified by pairing 2FA with a modern password security solution that enables users to store their 2FA credentials along with their passwords.
#4. Deploy an enterprise password security and encryption platform company-wide
Password security and encryption platforms enable employees to securely store all of their login credentials in one centralized, private, encrypted repository. Like SSO, users memorize only one “master password,” which is used to access all of the credentials in their digital repository. Unlike SSO, a good enterprise password security and encryption platform is designed to work with all services and apps, including legacy apps, and includes additional features such as automatic strong password generators and autofill tools. It also gives IT administrators complete visibility into user password habits and enforces password security policies. Make sure to deploy an enterprise-grade password security and encryption platform that seamlessly integrates with your existing SSO deployment and provides support for RBAC, 2FA, auditing, and event reporting.
SSO poses security risks only if organizations see it as a standalone solution. By acknowledging the password-related security gaps inherent in SSO and compensating for them by implementing complementary technologies, such as 2FA, RBAC, PAM/PSM, and a password security and encryption platform, organizations can enhance efficiency, improve the end-user experience, and protect themselves against password-related cyberattacks.
Written by Teresa Rothaar