Questions to Ask When Conducting Single Sign-On Enrollment

August 11, 2020
| |
5 min read

Instead of asking employees to input passwords every day, single sign-on (SSO) offers a simplified but secure authentication process. SSO authentication gives a user the option of choosing a single set of credentials to access multiple accounts and services. So, how can organizations best use SSO for their purposes?

This authentication scheme works with the assistance of a dedicated SSO policy server. When a user attempts to authenticate themselves, the server sends back credentials for the user to an agent module on an application. The SSO service also verifies the user’s identity against a list of approved users. Through this, the service authenticates the user across all accounts and applications which the user is approved to access. It subsequently disables future password prompts for when the user once again seeks to access those in-scope accounts and applications.

To do this, organizations first need to be clear in their understanding of SSO. 

SSO Benefits and Challenges

SSO offers several benefits to organizations. Four in particular stand out:

  1. Reduces password fatigue. “Password fatigue” usually sets in when users need to remember passwords for multiple accounts and websites. This fatigue takes the form of users reusing their passwords across several accounts, thus freeing them from the burden of remembering a unique password for each account. In doing so, they open themselves, and, by extension the organization, to the risk of password reuse attacks. SSO addresses this problem by reducing the number of passwords that users need to remember. Therefore, users can more easily create and remember a strong password under a SSO policy.
  2. Helps out administrators. The fact that users don’t have to remember so many passwords with SSO helps out administrators, as well. When employees forget passwords, they create a burden for administrators in the form of password request tickets. Under SSO, however, users are more likely to remember their passwords, which allows administrators to concentrate on other tasks. That includes using SSO to securely provide access to resources hosted on premises, in the cloud or across a hybrid cloud environment.
  3. Assists with compliance efforts. With SSO, organizations can more efficiently control the access the employees have to certain types of information. When combined with the greater ease of enforcing password change policies, this capability helps organizations achieve and maintain compliance with regulations such as HIPAA and SOX.
  4. Prevents shadow IT. The term “shadow IT” refers to information assets that are purchased and/or managed outside of the ordinary processes of the IT department. Shadow IT poses a danger to organizations. In the absence of IT oversight, employees could share too much information with those assets or devices which might not have appropriate safeguards. IT admins can use SSO to work against this risk by specifically monitoring and whitelisting the apps employees are allowed to use.

In addition to the benefits discussed above, organizations face important challenges when implementing SSO. These include the following obstacles:

  1. A single point of failure. An organization’s linked systems could suffer a breach in the event that an attacker compromises their SSO solution or provider. Along those same lines, if an attacker compromises a user’s machine or single password used for SSO, they could potentially gain access to their connected accounts.
  2. Implementation issues. Organizations’ IT infrastructure is becoming increasingly complex. Not only that, but different departments and teams of employees have different SSO needs. They require access to resources and assets that might not be applicable to other segments of the workforce. This makes it difficult to create an SSO strategy that works for all employees.
  3. Reliability concerns. Once implemented, SSO constitutes the only way by which authenticated users can gain access to an organization’s applications. It’s also usually the element to fail when there’s a connectivity issue. When that happens, complexity can make it difficult for organizations to determine what happened. In the meantime, organizations could grapple with downtime that limits employee productivity and causes tension between business partners.
  4. Adoption challenges. Organizations adopt SSO to strengthen their information security and to make the login process more convenient for users. Even so, SSO solutions could necessitate changes in how users behave in order to successfully authenticate themselves. Changes to normal working practices could motivate users to try to bypass SSO tools. Such resistance could subsequently affect the integration of SSO across the organization more generally.

Questions to Ask 

Fortunately, security professionals can optimize their organization’s implementation of SSO in a way that helps minimize the risks discussed above. They can do so by asking themselves the following questions:

“How can I minimize the single point of failure created by SSO?”

SSO’s point of failure hinges on an attacker stealing access to an employee’s password. Acknowledging that in reality, security personnel can eliminate that single point of failure by using additional security controls to provide multiple layers of protection.

They should begin by requiring all employees to use two-factor authentication or some other means of multifactor authentication with whichever account is authorized under the organization’s SSO policy. This measure will safeguard access to the employees’ connected accounts in the event that someone gains access to their credentials. Security personnel can complement this feature by implementing the least privilege principle. This will limit the types of services, accounts and information that an attacker could access if they managed to successfully authenticate themselves into a corporate environment. For the purpose of enforcing least privilege policies on their endpoints, automatically rotating passwords and logging privileged session activity, organizations should also consider investing in a privileged account management solution.

From there, security professionals can use active directory controls to track all external access sessions within the network. This will help them to to spot suspicious connections and/or network activity.

“What is affected when the service experiences an outage?”

SSO solutions help uphold the information security triad within an organization. These tools safeguard data integrity by limiting the types of resources which users can access. In addition, they ensure confidentiality by protecting applications responsible for storing data. Finally, they guarantee availability by making applications, PCs and other assets available in the event that an employee forgets their credentials.

Given SSO’s security functions, organizations need to be concerned about the prospect of downtime. Organizations need to work with service providers to evaluate how connectivity failures could affect the confidentiality, integrity and availability of their systems.

Not only that, but organizations should include their SSO solutions in their vulnerability management programs. SSO tools are like any other software program in that they could suffer from security weaknesses. The security team needs to stay on top of these issues and prioritize patches for them accordingly. Otherwise, they could risk malicious actors abusing those vulnerabilities in order to make off with the organization’s sensitive information.

“What do we do when SSO connectivity goes down?”

At some point in its implementation, an SSO solution will lose connectivity and thereby threaten to disrupt the business. It’s important that security professionals have a plan in place for when this happens.

Security teams need not plan for an SSO outage in the dark. Indeed, they should solicit input from different departments to create an overarching disaster recovery strategy that takes SSO into account. They can then use that plan’s discrete steps as a means to keep the organization going through an SSO outage and thereby build its cyber resilience against similar types of events.

“Do we have a plan that covers employees the entire time?”

The last thing a security professional wants to do is to not manage the SSO solution on an ongoing basis. In the absence of direct oversight, the security team could fail to enroll an employee in an SSO strategy when they’re hired, thus exposing the organization to some of the risks discussed above. Conversely, if they fail to revoke credentials once the individual has left the company, that person could then leverage their details to retain access to the organization’s network and/or data long after they’ve left.

With that said, security professionals need to make sure that there’s a plan in place that covers an employee’s entire time at the organization. That strategy should specifically involve training the employee on how to use and enroll into the SSO solution when they’re first brought on. It should also make room to manage and update the employee’s SSO needs as their access requirements and/or position within the organization changes. The plan should detail the processes necessary for retiring an individual’s credentials from the SSO solution once they’ve left. Finally, it should revoke their access to any and all other digital assets that might not be covered by the organization’s SSO deployment.

David Bisson
Contributing Editor

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Trip...
read more