Latest news
Separating single sign-on myths from fact
by Geoff Webb - Director of Solution Strategy at NetIQ - Tuesday, 26 February 2013.
Myth #1: SSO is password synchronization
Some IT professionals label the process of synchronizing username and password across applications as single sign-on; meaning there is one username and password that is synchronized across applications. The truth is that this is a relic of the early years of distributed computing, before true SSO solutions arrived on the market. This old (and frankly, crude) solution to the problem of multiple usernames and passwords provides only some convenience but fails to deliver greater compliance, administration or security benefits. Fortunately, however, modern solutions have phased out this approach, and now offer far more integrated and seamless functionality with tighter security controls as well as a far better audit trail than mere password synchronization could ever provide.
Myth #2: In SSO environments, users still enter their passwords and/or know the actual credential that is passed onto the application
Somewhat related to Myth #1, this misconception assumes that SSO provides no automation but rather is just passes through whatever the user enters. Not true, as this approach would provide little convenience with almost no security or compliance benefits! The truth is that SSO solutions provide authentication automation for each application accessed. Once the users have logged into their SSO solution, it automates the process of providing each application with a set of credentials for the user and ensures that the granular access policies for each application are applied. The SSO solution can also provide a detailed audit trail and centralized control over application access in the event of a security incident.
Myth #3: SSO reduces security
This outdated belief stems from that assumption that SSO provides a single set of keys to the kingdom, and that once those keys are in the wrong hands, then all applications will be at risk. But the truth is that when used properly, SSO actually increases security by enabling more complex authentication policies, randomizing passwords, enabling re-authentication within an application as needed.
In addition, SSO solves one of the biggest, long-standing and most intractable problems of security: leaving password management in the end users’ hands. Everyone knows that having strong, unique and regularly-changed passwords (that are not all written down in one place) is important for maintaining basic security of end user accounts. However, whether we are talking about work or personal accounts, as we all know that these best practices are seldom followed by end users without some form of enforcement mechanism from IT. A SSO solution requires users to remember one, secure password for everything they access, rather than forcing them to have many similar passwords (which will often be much weaker.)
Myth #4: SSO is only for internal users, not public-facing services
This last misconception deals with much more recent trends in IT, and requires a more thorough response.
As we discussed earlier in this article, SSO allows you increased efficiency in management, security and the ability to grant users access to online services. As organizations start to deepen their interactions with their customers or users, then they want to provide online access to services which are more personalized. One approach is to use the concept of social identity. This approach uses existing online identities, such as those created with services like Facebook or LinkedIn, and allows the same identity to be used to access a business’ or government entity’s services.
Some IT professionals label the process of synchronizing username and password across applications as single sign-on; meaning there is one username and password that is synchronized across applications. The truth is that this is a relic of the early years of distributed computing, before true SSO solutions arrived on the market. This old (and frankly, crude) solution to the problem of multiple usernames and passwords provides only some convenience but fails to deliver greater compliance, administration or security benefits. Fortunately, however, modern solutions have phased out this approach, and now offer far more integrated and seamless functionality with tighter security controls as well as a far better audit trail than mere password synchronization could ever provide.
Myth #2: In SSO environments, users still enter their passwords and/or know the actual credential that is passed onto the application
Somewhat related to Myth #1, this misconception assumes that SSO provides no automation but rather is just passes through whatever the user enters. Not true, as this approach would provide little convenience with almost no security or compliance benefits! The truth is that SSO solutions provide authentication automation for each application accessed. Once the users have logged into their SSO solution, it automates the process of providing each application with a set of credentials for the user and ensures that the granular access policies for each application are applied. The SSO solution can also provide a detailed audit trail and centralized control over application access in the event of a security incident.
Myth #3: SSO reduces security
This outdated belief stems from that assumption that SSO provides a single set of keys to the kingdom, and that once those keys are in the wrong hands, then all applications will be at risk. But the truth is that when used properly, SSO actually increases security by enabling more complex authentication policies, randomizing passwords, enabling re-authentication within an application as needed.
In addition, SSO solves one of the biggest, long-standing and most intractable problems of security: leaving password management in the end users’ hands. Everyone knows that having strong, unique and regularly-changed passwords (that are not all written down in one place) is important for maintaining basic security of end user accounts. However, whether we are talking about work or personal accounts, as we all know that these best practices are seldom followed by end users without some form of enforcement mechanism from IT. A SSO solution requires users to remember one, secure password for everything they access, rather than forcing them to have many similar passwords (which will often be much weaker.)
Myth #4: SSO is only for internal users, not public-facing services
This last misconception deals with much more recent trends in IT, and requires a more thorough response.
As we discussed earlier in this article, SSO allows you increased efficiency in management, security and the ability to grant users access to online services. As organizations start to deepen their interactions with their customers or users, then they want to provide online access to services which are more personalized. One approach is to use the concept of social identity. This approach uses existing online identities, such as those created with services like Facebook or LinkedIn, and allows the same identity to be used to access a business’ or government entity’s services.
Spotlight
The security of WordPress plugins
Posted on 18 June 2013. | Checkmarx’s research lab identified that more than 20% of the 50 most popular WordPress plugins are vulnerable to common Web attacks, such as SQL Injection.
Information security executives need to be strategic thinkers
Posted on 17 June 2013. | George Baker, the Director of Information Security at Exostar, talks about the challenges in working in a dynamic threat landscape, offers tips for aspiring infosec leaders, and more.
Large orgs in denial about own security breaches?
Posted on 14 June 2013. | Over two thirds (66%) of large organizations said they either had not experienced a security incident in the last 12-18 months or were unsure if they had.
Vulnerability scanning with PureCloud
Posted on 12 June 2013. | nCircle PureCloud is a cloud-based network security scanning product built upon the companies' vulnerability and risk management system IP360.
Reactions from the security community to the NSA spying scandal
Posted on 11 June 2013. | Read on for comments on this scandal that Help Net Security received from a variety of security professionals and analysts.
Daily digest
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
Weekly newsletter
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.
 |
