Lack of Features
Simply put, SSO (Single Sign-On) is the ability for one application, known as an identity provider, to tell other applications, known as service providers, who you are. In this context, identity providers are systems that contain digital identity information about users (Microsoft’s Active Directory is one such identity provider), and service providers are all of the applications employees use to get work done. Employees can use SSO to access desktop apps such as Outlook or Skype® for Business, and web-based apps such as SharePoint and Outlook Web App—without the employee having to log in to each application. With SSO, employees use a single, secure point of authentication to log into the identity provider, which then gives them access to individual apps.
A 2014 survey commissioned by Intermedia found that the average large organization gives employees access to 15 applications. Add to that the thousands of web apps such as QuickBooks, Twitter, and Salesforce that employees can sign up for (with or without informing IT). This proliferation of apps and their passwords makes it very difficult for IT to protect the network and all of the company data it contains. By enabling employees to use just one sign-on, SSO solves the IT problem of managing far too many passwords.
But the very thing that makes SSO so convenient for users and IT departments alike is what can also make it dangerous. By enabling employees to access all the apps they have been given permission to use with just one login, SSO can potentially give that same broad access to hackers who obtain that login. To realize the full security benefits of SSO, IT departments must first institute some form of identity governance. Many companies do this by centralizing identity authentication on special servers that act as SSO gatekeepers. When an employee signs in, their authentication passes through the SSO server, which then presents to each app the credential it has stored for authenticating that person to that app.
To make SSO even more secure, many companies implement two-factor (2FA) or multifactor (MFA) authentication. Both of these approaches improve security by asking users to provide one or more additional authentication factors in addition to their SSO login. This additional factor could come from software on the user’s smartphone, from a fingerprint or voiceprint, or from a security code transmitted to the user via email or SMS. With these protections in place, hackers who get hold of an SSO login would still have to provide the additional factor(s) to gain access to sensitive corporate, customer or partner data.
One of the biggest security threats companies face begins with the passwords employees create. Simple passwords are easy to remember—and to crack. But even strong passwords can quickly fall to hackers armed with massively parallel GPGPUs (general-purpose graphics processing units). Some password-cracking tools are capable of testing more than half a billion candidate passwords per second and of defeating even the most well-constructed passwords. And the more IT departments require employees to construct highly complex passwords, the more user requests for password assistance they must field. At the same time, social engineering tactics such as baiting, phishing, spear phishing, pretexting and scareware can trick employees into giving up access codes to bad actors. Properly implemented SSO, running on secure servers buried deep within a company’s IT architecture and behind multiple firewalls, can dramatically reduce the ability of hackers to use these tools and ploys.
Another potential security threat appears when employees (especially disgruntled ones) leave an organization. To maintain security, IT must typically go through and decommission the employee’s access to dozens (or more) of desktop and/or cloud-based apps. This process is made even more difficult when access to these services has been granted at a departmental level without informing IT. With SSO, IT administrators only need to decommission the employee’s identity provider account. Without this account, the employee (or a hacker) can’t access any of the applications he or she had been given permission to use—whether granted by IT, by their department or by themselves—or use that access to compromise the network.
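The three mechanisms described above (a central SSO gatekeeper that hands per-app credentials to service providers, a second authentication factor on top of the SSO login, and a single deprovisioning step that cuts off every app) can be seen working together in the following added example. It is constructed for this page and is not code from Intermedia or any real identity provider; the class and method names are assumptions, the password hash is PBKDF2, the second factor is a TOTP code (RFC 6238), and the per-app assertion is a signed, short-lived token that each service provider verifies against the identity provider.

```python
import hmac, hashlib, struct, secrets, json

def _hash(password, salt):  # slow, salted password hash (PBKDF2)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def totp(seed, now, step=30, digits=6):
    # RFC 6238: HMAC-SHA1 over the time-step counter, then dynamic truncation
    mac = hmac.new(seed, struct.pack(">Q", int(now) // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

class IdentityProvider:
    """Constructed toy SSO identity provider: password hashes, TOTP seeds, per-user app
    entitlements, and short-lived signed assertions handed to each service provider."""
    def __init__(self):
        self._key = secrets.token_bytes(32)  # signs the assertions it issues
        self._users = {}

    def add_user(self, name, password, apps):
        salt = secrets.token_bytes(16)
        self._users[name] = {"salt": salt, "pw": _hash(password, salt), "apps": set(apps),
                             "seed": secrets.token_bytes(20), "active": True}
        return self._users[name]["seed"]  # enrolled into the user's authenticator app

    def login(self, name, password, code, now):
        # The single point of authentication: password AND second factor, or nothing
        u = self._users.get(name)
        if u is None or not u["active"]:
            return None
        pw_ok = hmac.compare_digest(u["pw"], _hash(password, u["salt"]))
        otp_ok = hmac.compare_digest(code, totp(u["seed"], now))
        return name if pw_ok and otp_ok else None  # session id (toy: the username)

    def assertion(self, session, app, now, ttl=300):
        # Mint a signed assertion for one app, only if the user is entitled to it
        u = self._users.get(session)
        if u is None or not u["active"] or app not in u["apps"]:
            return None
        body = json.dumps({"sub": session, "app": app, "exp": int(now) + ttl}, sort_keys=True)
        return body + "." + hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()

    def verify(self, token, app, now):
        # Service-provider check: signature, audience, expiry, and account still active,
        # so deprovisioning the one identity provider account cuts off every app at once
        body, _, sig = token.rpartition(".")
        good = hmac.compare_digest(sig, hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest())
        claims = json.loads(body) if good else {}
        u = self._users.get(claims.get("sub"))
        return bool(good and u and u["active"] and claims["app"] == app and claims["exp"] > now)

    def deprovision(self, name):
        self._users[name]["active"] = False  # the one switch IT flips when someone leaves
```

A stolen password alone fails `login`, an assertion for one app is rejected by another, and after `deprovision` even a still-unexpired assertion stops verifying.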