Single Sign-On

-
There are two kinds of organizations. Those that manage their single sign-on (SSO) system, and those that let their users manage their SSO.

The other day I was in a discussion with a number of security leaders about how important identity management is to your security strategy. Obviously, everyone agreed that identity is very important. After all, if you don’t have a strong identity strategy pretty much no other component of your strategy will be strong. There is a reason that the first function of the NIST CSF is Identity. 

However, the discussion then turned to SSO and whether it didn’t constitute putting all your eggs in one basket, and whether doing so is a good idea.

Yes. SSO does constitute putting all your eggs in one basket.

But, that is a good thing. Why? Because you, as a security leader control that basket. You know where it is. You know how it is configured. You have already required strong multi-factor authentication (MFA) on it. (You have right? If not, stop reading this, go do that, and then come back). 

Users* in every organization have multiple accounts for multiple different services. You have your account for Active Directory, GSuite, or whatever other Identity Provider you are using. You have an account for the Human Resources Information System (HRIS), for the file sharing service with customers, for databases, and for innumerable other services. 

Organizations that recognize the benefits it provides use a managed centralized SSO system (Sign-in with Google/Microsoft/Okta/etc) to provide SSO. They onboard as many services as they possibly can to this system. They provision users with SCIM to it. And, if they are particularly enlightened, they provide staff with a password safe - also tied into the managed SSO system - to store credentials for things that cannot be integrated with SSO. This provides centralized control over most authentication, logging for when and where users authenticate, and the ability to trigger alarms and alerts on unusual or suspicious activity, Superman events, and so on. 

Organizations that do not use a managed SSO system still have an SSO system. However, it is managed by their end users; by just using the same password everywhere. They will because passwords are hard to generate and hard to remember. They get in the way of doing work. Consequently, users will develop their own SSO system because that gets their job done, and that’s what we are paying them for. Even amongst security professionals password reuse is endemic, except among the few who choose to use a password safe for everything. 

Nearly 40 years ago, Gordon Davis published a seminal article: Caution: User-development Decision Support Systems Can Be Dangerous To Your Organization. Professor Davis did not consider how this applies to security. It does. User-managed security systems can be dangerous to your organization! 

You can choose to manage security centrally, professionally, and to defined standards; or you can leave it up to your end-users. I argue strongly that the former is going to be the better approach. When we rolled out a system to scrape password dumps from the “dark web” we learned that, of the usernames that match, 2/3 also matched on the password. Furthermore, when we told those people their password had leaked and forced a password change 40%(!) changed it to the password we told them had already been stolen! Using the same password everywhere is a functional SSO system, and probably the most common one. Our choice as security professionals is not whether to have an SSO system, but rather, whether to have a managed SSO system. 


* By “user” I use the convention that it denotes your internal users; staff, contractors, vendors, interns, etc. Your external users, those who you build your services for, I refer to as customers. 

Comments

  1. Daniel MiesslerSeptember 17, 2021 at 9:46 AM

    Agreed. This reminds me of how Google unified all their authentication activity behind a single system many years ago.

    Is that a single point of failure? Sure. But it's also a single point of success.

    It's like once you hit a threshold of scrutiny and professionalism, it's better to centralize than to have many random solutions. But if you don't have that level of quality, then (maybe) it's better to have many so that one can't hurt you?

    Worth thinking about, but I think you're absolutely correct on this.

    ReplyDelete
  2. UnknownSeptember 18, 2021 at 3:22 AM

    Makes sense, @Jesper. Better to have a single point of failure vs. multiple points of failure.

    ReplyDelete

Post a Comment

Popular posts from this blog

U2F, FIDO2, and Hardware Security Keys

-
  In our journey through possession proofs we have encountered hardware factors of various kinds. HOTP and TOTP is often implemented as hardware devices, and of course, so are Smart Cards. In this post we will look at authenticators that implement the FIDO standards -  U2F, WebAuthn, and CTAP2. WebAuthn and CTAP2 are collectively part of the FIDO Alliance ’s FIDO2 protocol suite. U2F and UAF are older FIDO protocols that are supported under FIDO2. They can all be thought of as being part of the FIDO2 suite of protocols.  To understand these protocols, and their advantages and disadvantages, we need to be familiar with the three fundamental actors: Relying party (RP) - Also known as the server. This is the service that a user wishes to log into. Client - This is the application that brokers the authentication from the relying party to the authenticator and eventually the user. Much of the time, this is a web browser, but it could be any application. Authenticator - This is a thing tha
Read more

The Busy Executive’s Guide to Personal Information Security

-
Congratulations. As an executive you are the favorite target of ne’er-do-wells across the world. They will spoof email messages to staff and business partners in your name. They will try to hack your corporate account, your bank account, your email account, and your phone. In addition to hundreds of messages per week from semi-legitimate vendors who want to sell you their most recent search engine optimization snake-oil you will also get a variety of Word documents, PDF files, and PowerPoint presentations, most of which are laden with malware. If this sounds depressing, it is. It is the world of Information Security. There are ways to protect yourself, however. This document will tell you the most important things you can do. 1. Patch Your Stuff! The first thing you need to do is to patch. Software and hardware vendors provide regular security updates to fix security bugs. Or, rather, the reputable ones do. The first step is to use devices and software that provide timely and reliable
Read more