Modernizing Authentication — What It Takes to Transform Secure Access
Stringent password and access control requirements are tough on users. Since most enterprise systems demand a password, users can end up with dozens of different ones to remember -- which can lead to a productivity drain. The problem is worsened by demands for increasingly complex passwords.
Single sign-on (SSO) solutions, which enable a single authentication event to provide access to multiple applications, are one way to help users cope with this explosion of passwords.
In this article, we cover:
- Single sign-on solution benefits
- How to handle single sign-on solution challenges
- How to evaluate SSO solutions
- Short list of single sign-on software
- SSO's 'single point of failure' issue
Single Sign-on Solution Benefits
Among the key benefits of single sign-on solutions:
- Less friction in user experience. Users can navigate from one service to another without having to authenticate to each one uniquely.
- Less reliance on memory, resulting in better password hygiene. Because users no longer have to remember and manage as many passwords, they are less likely to develop bad habits such as writing passwords down where others can find them.
- Authentication policy definition and enforcement. Enterprises can define policies about the types/methods of authentication that are required for a specific access request, taking into account the context of the request itself -- including information about the user, the location of the client making the request, the security posture of the device and the user's behavioral patterns. In most cases, this includes the ability to require users to employ a stronger form of authentication when they access more sensitive resources.
- Audit trail. A single sign-on solution creates an audit trail of user access information. Different approaches to SSO provide different levels of granularity in the audit trail. Federated SSO approaches are able to provide visibility into when a user logged on to a given application and the type of authentication they provided. WAM (web access management) approaches -- whether proxy or agent based -- enable greater visibility into user interactions, providing information about all of their interactions with a protected application.
- Extending trust outside the perimeter. With the use of federated identity, SSO solutions can grow beyond a particular organization's perimeter by exporting trust to other organizations such as suppliers/vendors and customers. Dr. Johannes Ullrich, dean of research at the SANS Technology Institute, advises organizations to implement it as part of an identity management suite. A number of commercial solutions are available to implement identity management, he said.
How to Handle SSO Solution Challenges
Still, implementing SSO software has its challenges. Integrating SSO with legacy systems is one of them. Incomplete implementations resulting from integration issues do not provide the security and efficiency payoffs users expect from single sign-on solutions. This often leads to user resistance to SSO, Ullrich said.
Deployment of SSO solutions is not always straightforward for existing applications. It is often challenging to create another way to establish an application session beyond existing login capabilities. This usually requires code changes.
"The best approach to accommodate this is to use an SSO product that provides the most options for this 'last mile' integration, including password vaulting (for applications where code change isn't feasible), HTTP Header Injection (using web access management systems) and federation (accomplished using standards-based or proprietary toolkits)," said Darren Platt, senior director of Engineering, RSA.
In addition, he said, single log-out functionality is not widely implemented by SaaS vendors. The result: end-users may think they've logged out of all of their applications when they have only logged out of one of them. This can be particularly problematic when the access device is shared across several users. This challenge is typically mitigated by educating users about how logout works, including the messages they see as they log in and out of the system.
Security professionals should also adhere to standards during implementation, said Platt. "SSO between enterprises or security domains is best accomplished using a standard like SAML or OpenID Connect."
However, enterprises may require more options than these for providing SSO to home-grown applications because in many cases it doesn't make sense for standard SSO capabilities to be built directly into every application; it may be better to leverage a centralized service to provide the standard interfaces for some apps. Many organizations, therefore, prefer to "wrap" applications in these capabilities rather than asking application developers to build these security features.
Platt believes SSO systems should be flexible enough in their integration approaches to meet an enterprise's security and risk management needs.
If a company needs centralized visibility into the actions its users take within specific applications they access, for example, a proxy or agent-based approach is the only way that they can get this visibility. But if a company only needs to know when a user is logged into a given application, a federated approach may be more expedient.
"An optimal solution enables the company to decide which approach they will take on an application-by-application basis," Platt said.
How to Evaluate Single Sign-on Solutions
Experts had much to say about what to look for when evaluating single sign-on solutions.
Compatibility with legacy systems should be the top criteria, advised Ullrich. Organizations should also consider which standards the solution supports and whether they are the standards the organization needs.
"Organizations should also evaluate if the solution matches up with current business processes," Ullrich said. "For example, user privileges could either be assigned centrally or in a more decentralized manner."
Factors Kumar considers of vital importance when evaluating SSO solutions:
- Capability around centralized management of passwords
- Simplified security compliance requirements without compromising productivity of employees and IT staff
- Integration with biometrics, smart cards and other two-factor authentication systems
- Ability to implement social sign-in for externally-facing apps, which are generally used by customers
Among Platt's recommendations:
- Understand performance and availability implications of using a given service. For example, does it introduce a single point of failure to application architecture?
- Understand the data processing model -- specifically where identity data is processed and stored -- so the organization can manage risk and comply with emerging privacy regulations.
- Pay attention to "last mile" integration options that are provided for corporate applications to ensure an achievable migration path.
- Know an SSO vendor's strategy for supporting emerging standards including OpenID Connect, OAuth and FIDO.
"What we are often doing is bringing together disparate application infrastructure under one session system," Platt said. "Support for these standards enables a system to ultimately have influence on a broader set of applications and reduce the number of 'islands of identity' within the enterprise."
Short List of Single Sign-on Solutions
There are plenty of SSO options these days, thanks to the growing presence of big vendors, said Gartner analyst Gregg Kreizman. Microsoft, for example, is having profound effects on the market in terms of downward price pressure.
Here are some of the many SSO possibilities, with a mix of SSO specialists and larger companies that offer a broad range of solutions:
SSO's 'Single Point of Failure' Issue
There is, of course, one big drawback to SSO. If someone manages to penetrate its defenses, they gain access to every other system. "In the unlikely case that SSO gets hacked, it affects all the linked accounts relying on it," said Bernard Van De Walle, technical director at security startup Aporeto.
Omri Iluz, CEO and founder of security company PerimeterX, advised organizations implementing single sign-on solutions, whether on premise or cloud-based, to take extra care to secure both the main authentication flow and subsequent authorization to connected apps.
"Account takeover (ATO) is a major risk for anyone implementing SSO as it is a very high value target for attackers," Iluz said.
For example, adversaries will try to attack an SSO account by sending hordes of bots to guess passwords drawn from leaked lists of known username/password combinations. With thousands of bots trying a hundred million combinations, the number of stolen accounts can skyrocket. Hardening the login process is extremely important when protecting access to critical apps.
Questions to ask regarding the account takeover issue, suggested Iluz, include:
- How am I protected against brute force attacks that lead to account takeover, especially by fourth-generation bots that mimic human behavior?
- How am I protected against fake account creation?
- How can I identify automated threats overtaking the user session in real time?
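As an added example of the detection side of Iluz's questions (written for this article, not PerimeterX code): a small detector run over a constructed SSO login log that flags the three bot patterns behind account takeover, one source replaying a leaked credential list against many accounts, a success from a source already flagged, and one account attacked from many sources. The log format and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed SSO login log for the demo (not captured from any real system).
SAMPLE_LOG = """\
2024-03-01T09:00:01Z ip=203.0.113.7 user=alice result=FAIL
2024-03-01T09:00:02Z ip=203.0.113.7 user=bob result=FAIL
2024-03-01T09:00:02Z ip=203.0.113.7 user=carol result=FAIL
2024-03-01T09:00:03Z ip=203.0.113.7 user=dave result=FAIL
2024-03-01T09:00:04Z ip=203.0.113.7 user=frank result=SUCCESS
2024-03-01T09:05:00Z ip=198.51.100.2 user=alice result=FAIL
2024-03-01T09:05:06Z ip=198.51.100.2 user=alice result=SUCCESS
2024-03-01T09:10:00Z ip=192.0.2.10 user=grace result=FAIL
2024-03-01T09:10:05Z ip=192.0.2.11 user=grace result=FAIL
2024-03-01T09:10:09Z ip=192.0.2.12 user=grace result=FAIL
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>FAIL|SUCCESS)$")

def parse_log(text):
    """Return one dict per well-formed line; unparseable lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def detect_takeover_patterns(events, stuffing_min_users=4, spread_min_ips=3):
    """Flag bot patterns behind SSO account takeover (whole-input counts; a real
    detector would bucket by time window). Returns (pattern, key, detail) tuples:
    credential_stuffing: one IP failing against many accounts (leaked list replay);
    stuffing_success: a SUCCESS from an IP already flagged, i.e. a likely hit;
    distributed_on_account: one account failing from many IPs (a bot fleet
    spreading guesses so no single source trips a per-IP lockout)."""
    users_failed_by_ip = defaultdict(set)
    ips_failing_on_user = defaultdict(set)
    successes = []
    for e in events:
        if e["result"] == "FAIL":
            users_failed_by_ip[e["ip"]].add(e["user"])
            ips_failing_on_user[e["user"]].add(e["ip"])
        else:
            successes.append(e)
    flagged_ips = {ip for ip, u in users_failed_by_ip.items() if len(u) >= stuffing_min_users}
    findings = [("credential_stuffing", ip, f"{len(users_failed_by_ip[ip])} accounts failed")
                for ip in sorted(flagged_ips)]
    findings += [("stuffing_success", e["user"], f"success from flagged ip {e['ip']}")
                 for e in successes if e["ip"] in flagged_ips]
    findings += [("distributed_on_account", user, f"failures from {len(ips)} source ips")
                 for user, ips in sorted(ips_failing_on_user.items()) if len(ips) >= spread_min_ips]
    return findings
```

The benign case in the sample (alice mistyping once from her own address and then succeeding) produces no finding, which is the behaviour a lockout-free detector needs so that real users are not punished for the bots' activity.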