Evaluating SSO Systems: Page 2
Deploying a single sign-on system can improve productivity and lead to better password hygiene, but it also carries some risks.
SSO Evaluation Factors
The various experts had much to say about what to look for when evaluating SSO tools.
Compatibility with legacy systems should be the top criterion, advised Ullrich. Further factors he urged users to pay attention to included which standards the solution supports and whether those are the standards the organization needs.
“Organizations should also evaluate if the solution matches up with current business processes,” said Ullrich. “For example, user privileges could either be assigned centrally or in a more decentralized manner.”
- Capability around centralized management of passwords
- Simplified security compliance requirements without compromising the productivity of employees and IT staff
- Effortless integration with biometrics, smart cards and other two-factor authentication systems
- Ability to implement social sign-in for externally-facing apps, which are generally used by customers
Platt listed more factors for users to consider before signing on the dotted line:
- Understand the performance and availability implications of using a given service. For example, does it introduce a single point of failure to their application architecture?
- Understand the data processing model – specifically where identity data is processed and stored – in order to make sure they can manage risk and be compliant with emerging privacy regulations.
- Pay attention to the last-mile integration options provided for corporate applications, to ensure an achievable migration path.
- Know a vendor’s strategy for supporting emerging standards including OpenID Connect, OAuth and FIDO.
“What we are often doing is bringing together disparate application infrastructure under one session system,” said Platt. “Support for these standards enables a system to ultimately have influence on a broader set of applications and reduce the number of ‘islands of identity’ within the enterprise.”
SSO Vendor Choices
The good news is that there are plenty of vendor options these days. Gartner analyst Gregg Kreizman said that competitive forces have increased due to large vendor presence in the market. Microsoft, for example, is having profound effects on the market in terms of downward price pressure.
Here are just a few of the many possibilities:
- CA Technologies
- Ping Identity
- RSA SecurID Access
- Oracle Enterprise Single Sign-On
- IBM Security Access Manager for Enterprise Single Sign-On
- Fischer International
- Dell Enterprise Single Sign-On
- Optimal IdM
There is, of course, one big drawback to SSO: it concentrates risk. If an attacker compromises the SSO system itself, or just one user's SSO credentials or session, they gain access to every system connected to it.
“In the unlikely case that SSO gets hacked, it affects all the linked accounts relying on it,” said Van De Walle.
Omri Iluz, CEO and founder, PerimeterX, advised that organizations implementing single sign-on, whether on-premises or cloud-based, should take extra care to secure both the main authentication flow and the subsequent authorization to connected apps.
“Account takeover (ATO) is a major risk for anyone implementing SSO as it is a very high value target for attackers,” said Iluz.
For example, adversaries will attack an SSO login by sending hordes of bots that replay username/password pairs taken from leaked credential lists (credential stuffing). Because password reuse is so common, some of those pairs still work: success rates of one to four logins per 100 attempts are typical. With thousands of bots trying a hundred million combinations, the number of stolen accounts can skyrocket. Hardening the login process is therefore extremely important when protecting access to critical apps.
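The attack shape described above has a detectable signature in the identity provider's login log: one source tries many different accounts, each roughly once, and gets a low but non-zero hit rate. The following Python is an added example, not code from the original article or from any vendor it names. It aggregates login attempts per source IP over a constructed sample log (the `ts src=IP user=NAME result=ok|fail` line format and all thresholds are assumptions for illustration), flags sources that look like credential stuffing, and also, as a generalization of the same statistics, flags a single-account password brute force. Accounts that logged in successfully from a flagged source are reported as takeover candidates that should be forced to re-authenticate.

```python
"""Credential-stuffing and brute-force detection over SSO login logs.

Added example, not from the original article or any vendor product. The log
line shape ("ts src=IP user=NAME result=ok|fail"), the sample traffic and the
thresholds are assumptions chosen for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Hypothetical log format, e.g. "2024-05-01T10:00:00Z src=203.0.113.7 user=a@x result=fail"
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")


@dataclass
class SourceStats:
    attempts: int = 0
    successes: int = 0
    users: set = field(default_factory=set)        # distinct accounts tried
    compromised: set = field(default_factory=set)  # accounts that logged in OK

    @property
    def success_rate(self) -> float:
        return self.successes / self.attempts if self.attempts else 0.0

    @property
    def distinct_ratio(self) -> float:
        return len(self.users) / self.attempts if self.attempts else 0.0


def summarize(lines):
    """Aggregate login attempts per source IP; malformed lines are skipped."""
    stats = defaultdict(SourceStats)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        s = stats[m["ip"]]
        s.attempts += 1
        s.users.add(m["user"])
        if m["result"] == "ok":
            s.successes += 1
            s.compromised.add(m["user"])
    return dict(stats)


def classify(stats, min_attempts=20, stuffing_ratio=0.8, bruteforce_ratio=0.2, max_success=0.05):
    """Flag sources whose volume and shape match credential stuffing or brute force.

    Stuffing: many attempts, nearly every one against a different account (each
    leaked pair tried once) and a low hit rate, like the 1-4% the article cites.
    Brute force: many attempts hammering a handful of accounts.
    A busy office NAT also shows many distinct users, but with a high success
    rate, so the success-rate gate keeps it out of both buckets.
    """
    findings = {}
    for ip, s in stats.items():
        if s.attempts < min_attempts or s.success_rate > max_success:
            continue
        if s.distinct_ratio >= stuffing_ratio:
            kind = "credential_stuffing"
        elif s.distinct_ratio <= bruteforce_ratio:
            kind = "password_brute_force"
        else:
            continue
        findings[ip] = {
            "kind": kind,
            "attempts": s.attempts,
            "distinct_users": len(s.users),
            "success_rate": round(s.success_rate, 3),
            # Accounts that got an "ok" from a flagged source: force re-auth / step-up.
            "takeover_candidates": sorted(s.compromised),
        }
    return findings


def build_sample_log():
    """Constructed sample traffic (not real data)."""
    lines = []
    # Bot at 203.0.113.7 replays 100 leaked username/password pairs, each once; 2 still work.
    for i in range(100):
        result = "ok" if i in (17, 63) else "fail"
        lines.append(f"2024-05-01T10:{i // 60:02d}:{i % 60:02d}Z src=203.0.113.7 user=user{i:03d}@example.com result={result}")
    # Office NAT at 198.51.100.20: 30 logins from 25 employees, 3 typos.
    for i in range(30):
        result = "fail" if i % 10 == 0 else "ok"
        lines.append(f"2024-05-01T10:{i:02d}:30Z src=198.51.100.20 user=emp{i % 25:02d}@example.com result={result}")
    # Bot at 203.0.113.50 guesses 40 passwords for one account; none work.
    for i in range(40):
        lines.append(f"2024-05-01T10:{i:02d}:45Z src=203.0.113.50 user=bob@example.com result=fail")
    # A real user who mistypes once, then succeeds.
    lines.append("2024-05-01T10:05:00Z src=192.0.2.9 user=alice@example.com result=fail")
    lines.append("2024-05-01T10:05:12Z src=192.0.2.9 user=alice@example.com result=ok")
    return lines


if __name__ == "__main__":
    for ip, finding in classify(summarize(build_sample_log())).items():
        print(ip, finding)
```

Running the block flags 203.0.113.7 as credential stuffing with two takeover candidates and 203.0.113.50 as a brute force, while the office NAT and the user who mistyped once are left alone. In production the same per-source statistics would be computed over a sliding window and fed to rate limiting or a step-up challenge rather than printed; sophisticated bots spread attempts across many IPs, so the same aggregation is worth repeating per ASN and per user-agent fingerprint.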
Questions to ask, Iluz said, include the following:
- How am I protected against brute-force attacks that lead to account takeover, especially by fourth-generation bots that mimic human behavior?
- How am I protected against fake account creation?
- How am I identifying automated threats overtaking the user session in real time?
- How much does an account takeover cost my company short term and long term, in particular as customer loyalty is severely damaged?