This week we looked at Single Sign-On and the standards that allow authentication even outside organizational boundaries. We also familiarized ourselves with these technologies in our case study review. In this week’s discussion, let’s continue the conversation: are there any security concerns with using authentication services outside our organizational boundaries? When would the benefits outweigh the risks? How can we mitigate risks?
Donald Hoxhaj says
Single Sign-On (SSO) is a cost-effective and convenient solution for most organizations. SSO allows employees to easily sign in and switch between applications, but there are great security concerns when using SSO outside organizational boundaries. First, your organization is depending on a third-party company to perform the authentication process, which means that you have to trust that the company is reliable and data is secure. Second, if the third-party authentication provider gets attacked, it will affect your organization as well. Lastly, if the authentication provider has any downtime, it will impact your organization as well. On the second question, I think it all depends on the organization and the type of information that the company is storing. If the applications that are being used have sensitive information, I would think twice before implementing SSO. On the last question, you can either create your own SSO, which will eliminate the risk of depending on a third-party provider, or have backups in place (hardening security).
Younes Khantouri says
Donald,
I do agree that Single Sign-On provides a convenient solution for so many companies to help employees and third parties access resources remotely, but this technology has great security concerns, such as giving third parties limited access to the resources, since it doesn’t have access control management that can provide increased security.
Joseph Feldman says
Some security concerns that come along with using an authentication service outside our organizational boundaries can be that we could possibly have no control over the service, leaving us vulnerable if the service provider becomes compromised. Also, if a user is using his device from home and tries to log in to his company using an authentication service, his company has no control over how secure the employee’s personal device is. This device can have malicious software installed on it that can get personal information off the device, or other things such as a keylogger that can rip any credentials the user types from their device. I think that the benefits of using an authentication service provider outweigh the risks, as your organization doesn’t need to manage large numbers of passwords, you will have reduced exposure to the risks of data loss, and your users already trust the identity provider. The best way to mitigate the risk of using a service provider is to address your concerns to the service provider, think about the impact to the business the service provider may cause in the case of security risks, put in controls for securing third-party access, and also monitor network traffic from your organization to the service provider.
Neil Y. Rushi says
Using authentication methods outside the organization poses a security threat because sometimes the company hosting it can get hacked by an outside or inside threat in order to gain access to the main organization. A case in point would be the Target hack, where intruders got in by using an external source. We want to make sure outside organizations used for authentication are keeping up with security updates and auditing their own systems so as to expose any weaknesses that can be fixed. The benefits would outweigh the risks because of the upkeep and implementation costs, while the other organization that manages it can handle the costs and allow the internal IT department to focus on making sure the SSO works and adding/removing users when appropriate, making it easier to focus on that and other internal IT matters. We can mitigate risks by making sure internal and external IT departments audit their own systems, bringing in external auditors to keep the companies honest, and monitoring log files and system usage so that if anything out of the ordinary pops up, they can act on it right away.
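The "monitor log files and system usage" mitigation in the comment above is concrete enough to show in code. The following is an added example, not part of any comment in this thread and not any identity provider's own tooling: it runs a few detection rules over sign-in events exported from an outside IdP. The JSON-lines format, field names, thresholds and the sample events are all constructed for this example; real providers each have their own export schema.

```python
"""Added example, not taken from the discussion above: scanning
identity-provider sign-in logs for the kinds of events an auditor or
SOC analyst would want to act on when authentication is outsourced.
The JSON-lines log format below is an assumption made for this example;
real providers (Okta, Azure AD, Google, ...) each have their own schema."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real data). One JSON object per line.
SAMPLE_LOG = """\
{"ts": "2024-03-01T08:00:00Z", "user": "alice", "ip": "203.0.113.5",  "country": "US", "result": "success", "mfa": true}
{"ts": "2024-03-01T08:20:00Z", "user": "alice", "ip": "198.51.100.9", "country": "DE", "result": "success", "mfa": true}
{"ts": "2024-03-01T09:00:00Z", "user": "bob",   "ip": "192.0.2.10",   "country": "US", "result": "failure", "mfa": false}
{"ts": "2024-03-01T09:00:30Z", "user": "bob",   "ip": "192.0.2.10",   "country": "US", "result": "failure", "mfa": false}
{"ts": "2024-03-01T09:01:00Z", "user": "bob",   "ip": "192.0.2.10",   "country": "US", "result": "failure", "mfa": false}
{"ts": "2024-03-01T09:01:30Z", "user": "bob",   "ip": "192.0.2.10",   "country": "US", "result": "failure", "mfa": false}
{"ts": "2024-03-01T09:02:00Z", "user": "bob",   "ip": "192.0.2.10",   "country": "US", "result": "failure", "mfa": false}
{"ts": "2024-03-01T09:02:30Z", "user": "bob",   "ip": "192.0.2.10",   "country": "US", "result": "success", "mfa": false}
{"ts": "2024-03-01T10:00:00Z", "user": "carol", "ip": "192.0.2.77",   "country": "US", "result": "success", "mfa": true}
{"ts": "2024-03-01T11:00:00Z", "user": "dave",  "ip": "203.0.113.8",  "country": "US", "result": "success", "mfa": true}
"""

# Hypothetical: accounts HR has offboarded but that the IdP might still honour.
DEPROVISIONED = frozenset({"carol"})


def parse_log(text):
    """Parse JSON lines into event dicts with a timezone-aware timestamp, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def detect(events, deprovisioned=frozenset(), fail_threshold=5,
           fail_window=timedelta(minutes=10), travel_window=timedelta(hours=1)):
    """Return a list of (rule, user, detail) alerts.

    Rules:
      credential_guessing  - >= fail_threshold failures inside fail_window, then a success
      no_mfa               - a successful sign-in that did not complete a second factor
      deprovisioned_login  - a success for an account the organisation has offboarded
      impossible_travel    - two successes from different countries inside travel_window
    """
    alerts = []
    failures = defaultdict(deque)   # user -> timestamps of recent failures
    last_success = {}               # user -> (timestamp, country)

    for ev in events:
        user, ts = ev["user"], ev["ts"]
        window = failures[user]
        while window and ts - window[0] > fail_window:
            window.popleft()        # forget failures older than the window

        if ev["result"] != "success":
            window.append(ts)
            continue

        if len(window) >= fail_threshold:
            alerts.append(("credential_guessing", user,
                           f"{len(window)} failures then success from {ev['ip']}"))
        window.clear()

        if not ev.get("mfa"):
            alerts.append(("no_mfa", user, f"success from {ev['ip']} without MFA"))

        if user in deprovisioned:
            alerts.append(("deprovisioned_login", user, f"success from {ev['ip']}"))

        prev = last_success.get(user)
        if prev and prev[1] != ev["country"] and ts - prev[0] <= travel_window:
            alerts.append(("impossible_travel", user,
                           f"{prev[1]} -> {ev['country']} within {ts - prev[0]}"))
        last_success[user] = (ts, ev["country"])

    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect(parse_log(SAMPLE_LOG), DEPROVISIONED):
        print(f"{rule:20} {user:8} {detail}")
```

On the constructed sample this raises four alerts: alice's US-to-DE sign-ins twenty minutes apart, bob's five failures followed by a success without MFA (two alerts), and a successful login for the offboarded account carol. The deprovisioned-login rule is the one most specific to outsourced authentication: the IdP will happily keep authenticating an account your HR process has closed unless offboarding is wired into the provider as well.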
Younes Khantouri says
Neil,
Single Sign-On (SSO) is a good way for so many companies to let an employee or a third-party authorized user access one or more of its applications. It’s a very good way to access multiple applications. However, it is very risky since it can put the organization’s resources (data and hardware) at risk.
Jason A Lindsley says
Leveraging third-party authentication services such as SAML and OAuth2 can offer convenience to both the Service Provider and their end users. It reduces the need to manage user credentials and provides the end user with a familiar, and often seamless, authentication experience. With this convenience there are certainly security risks that must be considered. The Service Provider is relying significantly on a third-party Identity Provider to manage the storage and transmission of credentials used by employees and/or customers that are accessing the service. Inadequate design or effectiveness of controls could result in a data breach or inappropriate access to the organization’s systems.
With any security decision, a risk-based approach is warranted to assess if the benefits outweigh the risks of using a third-party Identity Provider to manage user authentication. A proper risk assessment would help to identify the classification of the data that is being accessed, the ability to conduct fraud or theft via the application functionality (e.g. wire transfers), and the regulatory requirements associated with the application. The risk level of the application would determine the level of authentication control required and whether the use of an Identity Provider is within the organization’s risk appetite.
There are several ways to limit the risk associated with single sign-on. A few examples include strong contractual provisions with the Identity Provider, adding a layer of multi-factor authentication (e.g. one-time tokens distributed via SMS), and continuous logging and monitoring of logon activity. The Service Provider should engage their Information Security team to evaluate third-party solutions and should ensure that the appropriate internal controls are in place for integrating with the service provider (usually provided as recommendations by the Identity Provider).
The most important consideration for an organization implementing single sign-on with an Identity Provider is the acknowledgement that they will ultimately retain accountability for the authentication of users to their system. Although an organization may ultimately decide to outsource the mechanics of authentication to an Identity Provider, the Service Provider will still bear the financial, reputational, and/or regulatory compliance burden if controls are not sufficient and a breach or loss is experienced.
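The point that the Service Provider keeps accountability even after outsourcing the mechanics has a direct technical counterpart: the SP must still verify what the Identity Provider hands it. The following is an added example, not from the comment above and not any IdP's or library's own code, of the checks a relying party performs on an IdP-issued token before treating the user as logged in. To run offline it signs a compact JWT with HS256 and a shared secret from the standard library; the issuer and audience URLs are hypothetical, and real IdPs normally use RS256/ES256 with keys fetched from a JWKS endpoint, which this example does not model.

```python
"""Added example, not part of the comment above or of any IdP's own code:
the checks a service provider must still make on a token minted by an
outside identity provider before trusting it. To stay self-contained it
uses an HS256 compact JWT signed with a shared secret from the standard
library; real IdPs usually sign with RS256/ES256 and publish keys via a
JWKS endpoint, which this example does not model."""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://idp.example"      # hypothetical identity provider
AUDIENCE = "https://app.example"    # hypothetical service provider (its client_id)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes) -> str:
    """Stand-in for the IdP: produce header.payload.signature with HS256."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


class TokenError(ValueError):
    """Raised when a token fails any check; the caller must treat it as no login."""


def verify_token(token, key, issuer=ISSUER, audience=AUDIENCE, nonce=None, now=None, leeway=60):
    """Verify signature and claims; return the claims only if every check passes."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h64, p64, s64 = parts

    # 1. Pin the algorithm you configured; never let the token choose it ("alg":"none" attacks).
    try:
        header = json.loads(_b64url_decode(h64))
        signature = _b64url_decode(s64)
    except ValueError:
        raise TokenError("undecodable token")
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")

    # 2. Check the signature over the exact bytes received, in constant time.
    expected = hmac.new(key, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(p64))

    # 3. Only accept tokens from the IdP you trust, addressed to you, for a real subject.
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if audience not in aud:
        raise TokenError("wrong audience")
    if not claims.get("sub"):
        raise TokenError("missing subject")

    # 4. Time bounds, with a small leeway for clock skew between SP and IdP.
    if "exp" not in claims or now > claims["exp"] + leeway:
        raise TokenError("expired")
    if claims.get("iat", now) > now + leeway:
        raise TokenError("issued in the future")

    # 5. Bind the token to the login attempt that requested it (replay protection).
    if nonce is not None and claims.get("nonce") != nonce:
        raise TokenError("nonce mismatch")
    return claims


def is_valid(token, key, **kwargs) -> bool:
    """Boolean wrapper around verify_token for callers that just need yes/no."""
    try:
        verify_token(token, key, **kwargs)
        return True
    except TokenError:
        return False


if __name__ == "__main__":
    key = b"shared-secret-for-example-only"      # constructed; never hard-code one in practice
    now = int(time.time())
    token = mint_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "alice",
                        "iat": now, "exp": now + 300, "nonce": "n-123"}, key)
    print(verify_token(token, key, nonce="n-123")["sub"])   # alice
```

Every one of the five checks corresponds to a way an outsourced login can be abused without the IdP itself being breached: a token for a different application (audience), from a look-alike issuer, replayed after expiry or from another login attempt (nonce), or with the algorithm field rewritten so the signature is never checked. Pinning the algorithm and comparing the signature first means the claims are never read from an unauthenticated payload.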
Ahmed A. Alkaysi says
There are indeed security concerns with having authorization done outside of company boundaries. First of all, when doing authorization outside of the company’s boundary, there is reliance on a third party. If that organization’s service is down for any reason, users will not be able to access their accounts if they try logging in. This can be mitigated if users are able to create user accounts and log in without using SSO. Another way to mitigate this is by allowing different SSO providers. For example, instead of relying primarily on Facebook login, also allow users to log in using Google or Yahoo. There also needs to be a resiliency plan in place that describes the options and business-critical functions that can be restored in case authentication is down at the third party.
Matt Roberts says
It’s fairly clear to most people that SSO technology can greatly increase convenience for the end user, particularly in organizations that utilize multiple applications and platforms to deliver different services and information. This increased convenience can also account for less downtime for the organization’s network and more productivity. However, entrusting authentication to a third party service does expose the organization to additional risks pertaining to this key security function. Outsourcing to a third party in any capacity always means giving up a certain level of control, over both processes and security. If your SSO provider, and therefore your authentication process, is compromised by an attack or other incident, this can pose serious threats to the integrity and confidentiality of your data. The most important thing you can do before outsourcing this process is to closely examine the SSO identity provider and, with input from your information security team, ensure that there is appropriate monitoring and controls in place for this process.
Fred Zajac says
are there any security concerns with using authentication services outside our organizational boundaries? When would the benefits outweigh the risks? How can we mitigate risks?
The main security concern with authentication services outside the organizational boundaries is validating that the user is actually the user. In a SSO environment, usernames and passwords are managed by an authentication system. The authentication system determines if the user credentials are valid and grants access. The same user credentials can be used to grant access to organizational systems. Since only one username and password is used to access multiple systems, a “bad guy” will only have to get one set of credentials to have access to multiple systems, vs. having to get 2, 3, or 4 usernames and passwords.
Another security concern with OAuth is that a cookie is created when you are authorized, which sits on your computer. If the cookie is deleted, the user will be prompted to sign back in to the authorizing site. If the cookie is compromised, the “bad guy” could get your user credentials.
The benefits would outweigh the risks if the organization only allows outside authentication for “low” risk systems, meaning they don’t have PII or highly valuable information. If the information is simply recipes, or movie reviews, or something of little value, the benefit may outweigh the risk. But even in this case, I would only recommend an organization pay for this service if they have a system with a lot of users and new users signing up. The cost value in outside authentication is username, password, and access management. There should be a break-even point to determine if the cost justifies the service.
The proper way to mitigate this risk is to use a reputable authentication service. Research the authorizing organization. Implement the proper controls from a “No Access –> Some Access –> All Access” model. Ensure the system that is accessed is completely segregated and on its own network. And consistently conduct a risk assessment to determine if it is still wise to mitigate the risk, or just avoid it.
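The cookie concern raised above is mostly in the relying party's hands, not the IdP's: once the outside provider has vouched for the user, the application mints its own session and decides how much a stolen or leaked cookie is worth. The following is an added example, not from the comment above and not any framework's own session code, showing session handling that limits that damage. It is standard-library Python with an in-memory store; the lifetimes and the `sid` cookie name are assumptions made here.

```python
"""Added example, not from the comment above: how the relying party should
handle the session it creates after the IdP (OAuth2/OIDC or SAML) has
vouched for the user, so that a stolen or leaked cookie is worth as little
as possible. Standard library only; the store is in-memory for illustration."""
import base64
import hashlib
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL = 8 * 60 * 60      # absolute lifetime: re-authenticate at the IdP after this
IDLE_TIMEOUT = 30 * 60         # kill sessions nobody is using


def weak_cookie_value(username: str) -> str:
    """Anti-pattern for contrast: a cookie that merely encodes identity can be forged
    by anyone who knows a username. Shown only so the store can reject it below."""
    return base64.b64encode(username.encode()).decode()


class SessionStore:
    """Server-side sessions keyed by the SHA-256 of the cookie value.

    Storing only the hash means a dump of this table does not yield usable cookies."""

    def __init__(self):
        self._sessions = {}   # sha256(token) -> {"user", "created", "last_seen"}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def create(self, user: str, now=None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG; unguessable
        self._sessions[self._key(token)] = {"user": user, "created": now, "last_seen": now}
        return token

    def lookup(self, token: str, now=None):
        """Return the user for a presented cookie, or None if unknown, expired or idle."""
        now = time.time() if now is None else now
        rec = self._sessions.get(self._key(token))
        if rec is None:
            return None
        if now - rec["created"] > SESSION_TTL or now - rec["last_seen"] > IDLE_TIMEOUT:
            self.revoke(token)
            return None
        rec["last_seen"] = now
        return rec["user"]

    def revoke(self, token: str) -> None:
        self._sessions.pop(self._key(token), None)

    def revoke_user(self, user: str) -> int:
        """Drop every session for a user, e.g. on offboarding or an IdP-reported compromise."""
        doomed = [k for k, rec in self._sessions.items() if rec["user"] == user]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)


def session_cookie_header(token: str) -> str:
    """Build the Set-Cookie header: HttpOnly keeps scripts (and XSS) away from it,
    Secure keeps it off plaintext HTTP, SameSite=Lax blunts cross-site request forgery."""
    cookie = SimpleCookie()
    cookie["sid"] = token
    cookie["sid"]["httponly"] = True
    cookie["sid"]["secure"] = True
    cookie["sid"]["samesite"] = "Lax"
    cookie["sid"]["path"] = "/"
    return cookie.output()


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")
    print(session_cookie_header(sid))
    print(store.lookup(sid))                         # alice
    print(store.lookup(weak_cookie_value("alice")))  # None: a forged value is not in the store
```

The design choices map onto the ways a cookie gets compromised: a random 256-bit value cannot be guessed or forged, HttpOnly keeps it away from injected script, Secure keeps it off the wire in clear, the idle and absolute timeouts bound how long a copied cookie stays useful, and `revoke_user` lets the application cut every session the moment the IdP or HR reports a problem with the account. Note that none of this protects the credentials typed at the IdP itself; it limits what an attacker gains from the application's side of the login.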
Richard Mu says
There are a lot of benefits to end users with Single Sign-On (SSO). In an organization that uses multiple applications, SSO provides an increase in productivity by not having end users constantly log in with their credentials when accessing different applications. Having a service like SSO be outside of the organization opens up a lot of risk. There is a reliance on the third-party company, which may open up a lot of vulnerabilities to the organization if it were to be hacked or have a data leak. The primary organization would have all of their applications accessible by the attackers. If there were to be any disasters or downtime that affect the third-party company, the organization wouldn’t be able to access their applications and would be stuck in limbo. There has to be clear confidentiality in the external company or else availability may be affected. The benefit of having a third-party organization for SSO is the cost-reducing efforts. For smaller organizations or start-ups with a small IT team or infrastructure, they may have the budgetary means to manage their own database. A way of mitigating risks in using a third-party company would be having periodic IT audits of controls and systems. There should be a thorough analysis of their infrastructure and servers to ensure that their systems are hardened to mitigate any potential risks.
Shi Yu Dong says
According to the Auto website, single sign-on is defined as a session and user authentication service that permits a user to use one set of login credentials to access multiple applications. For the organization, there are many advantages to using single sign-on. One significant advantage is that users can easily access multiple files without being asked for the password. That can save tremendous time for both the organization and users when they are at work. However, there are also many disadvantages to single sign-on, and one of the biggest problems is security. Since users just require a one-time password when they log in, it’s not secure for the organization’s systems and users’ information.
Younes Khantouri says
are there any security concerns with using authentication services outside our organizational boundaries? When would the benefits outweigh the risks? How can we mitigate risks?
Single Sign-On (SSO) is a good way for so many companies to let an employee or a third-party authorized user access one or more of its applications. It’s a very good way to access multiple applications. However, it will be good only if third-party users need to access low-risk information, which can be provided by the company.
However, Single Sign-On can put these companies at big risk since the users of this technology are humans. By using a correct username and password, the system can identify the user and give access to the requested IT resources. When the user enters the username and password outside the company’s resources, there is a very high risk that someone else can find that information in case the personal computer is not well protected. On the other hand, since one username and one password can grant access to multiple applications, the level of security is very low, since losing the authentication information one time can cause all the applications to be at risk and not only one.
In my opinion, the proper way to mitigate this risk is by specifying the type of user who needs to access resources and limiting their access to the applications. This will lower the risk and secure the sensitive information. Changing the passwords periodically will help to reduce the risk as well.
Brent Hladik says
While single sign-on seems like a great idea for trying to save money in terms of the hardware and software being used, personally I feel that anything being purchased should be managed in-house, as it could become a very risky ordeal for major companies to rely on another corporation to manage their security infrastructure. If one thing went wrong, it could bring the corporation utilizing the single sign-on services to a screeching halt. Not something I would want to be a part of. I would prefer that all security-related tools remain in-house, as otherwise it could be a major risky ordeal.
Ronghui Zhan says
The major difficulties with a single sign-on service should be apparent.
Sites will be giving away their user data to a third-party provider. For some sites that will not be an important consideration, but some may have a problem with handing over their user data to another company.
By choosing the right identity provider, a company can ensure that they cover a significant subset of their potential users, but that will by no means cover everyone, leaving the option of implementing an additional authentication system, which is what they were trying to avoid, or implementing as many SSO services as they feel necessary, which largely negates the simplicity benefits for users.
There is a single point of failure. If the SSO provider goes down, a site’s users will be unable to authenticate. If the SSO provider is hacked or breached, data loss may occur. SSO providers are a very juicy target for hackers, although they are also likely to have much better security than the average site.
Oby Okereke says
One major security concern with single sign-on is the single point of failure. The opportunity gain of reducing multiplicity of efforts may turn out to be a risk because if a user’s password is exposed or obtained by an unauthorized user, a lot of damage can be done. Undoubtedly, single sign-on simplifies user access to multiple systems and applications in an organization, but there should be a lot of thought applied in its implementation to avoid and reduce the vulnerability that it may introduce in an organization. The risks can be mitigated if its implementation is deliberately thought out such that we apply the appropriate single sign-on wherever it is deployed.
Fraser G says
The biggest benefits of Single Sign-On (SSO) are: 1) decreased “friction” in the user experience when authenticating (one credential versus many); 2) decreased total cost of ownership for SSO (AWS just rolled out their own) for smaller companies; 3) a single point of management for systems administrators (potentially).
The biggest risks and threats of SSO include: a single point of failure; one credential can be used to access many systems, therefore only one credential needs to be compromised; potential loss of data if SSO is outsourced, since you don’t know what your vendor’s security looks like (regardless of what the contract says). As my parents say, “You can delegate responsibility; you can’t delegate accountability.”
I think outsourced SSO makes sense in some deployments, but you have to be very careful that expectations are written into the contract (SLAs) as well as security practices. I would definitely want my vendor to be ISO certified!
Sachin Shah says
I work in a hospital, and single sign-on was requested by clinicians as a way to relieve users from remembering usernames\passwords for all systems and their AD account. It is costly to implement. I think it is easier to start single sign-on from the ground up, or to have single sign-on for applications and a separate account for AD\VPN, etc. The other drawback is the single point of failure, which could impact users and several systems. The cautionary tale is doing research on which vendor to use, but it has to be supported in-house.