The final part of this series focuses on the pros and cons of single sign-on and federated sign-on. First, I will highlight the key challenge that is faced when any functionality is centralized. Only then will we focus on the benefits.
In previous parts of this article series, we covered:
- the background of single sign-on and defined the term single sign-on
- modern connection practices used for single sign-on
- single sign-on management model
Too big to break
The phrase “too big to fail” (TBF) is probably better known in economics than in computer science. It refers to a situation where a single company grows so large that it plays such a significant role in consumers’ everyday lives that its failure would have a catastrophic impact on the surrounding economy. This type of company could be classified as a familiar multi-billion dollar company, such as Google, Apple, Amazon, etc.
Another risk of single sign-on is that a single sign-on policy becomes so widespread in a company or network that the company or network's operations are interrupted if single sign-on is not available. Over the years, it may happen that single sign-on is the only way to use services.
A common fear in the proxy service model is centralizing all authentication in one point. If the proxy service fails, no service can be used, as the authentication of all services is handled by the proxy service.
Both are clear risks and a risk assessment must also be carried out regarding single sign-on. The identified risks must be prepared for.
Preparing for the risk of concentration
Nowadays, services are produced in cloud environments or from reliable data centers produced using a hybrid model, which makes the risks related to the server or telecommunications environment more manageable than before. Services can be easily duplicated across the entire architecture stack. In the brokerage service model, it is an absolute requirement that the brokerage service is implemented with high availability (HA) principles.
The management of the intermediary service must have planned processes for the establishment and maintenance of the service (devops) and for incident management/disaster recovery. It may be necessary to identify the organization's core (IT) maintenance functions separately and differentiate their identification from other daily services.
A proxy service reduces the risks associated with identification when multiple identification methods are connected to it. When connecting single sign-on to one identification method, the company is dependent on this identification method. Multiple identification methods can be connected to a proxy service, and if there are problems with one identification service, it is possible to use another.
A good analogy for the risk of single sign-on centrality is urban district heating. If a district heating system fails in winter, a large number of households will quickly cool down. The district heating network also has smaller peak power plants that come to the rescue when capacity is at full capacity or if there are problems with the actual power plants.
The same type of contingency planning should be followed for single sign-on. The organization's most important services must be identified and planned for how they will be used in the event of exceptionally rare, but possible, problems with the single sign-on system. A serious deviation can be prepared for with an alternative separate point solution to the district heating model, which will be used in the event of a disaster.
Additionally, just as fireplaces are built into houses in sparsely populated areas as a safety precaution, it may also be necessary to add an alternative login method to a company's most important services. Single sign-on is the standard usage method under normal circumstances, but in exceptional circumstances, more cumbersome methods may have to be resorted to.
Preparing for exceptions must be proportionate to the probability of the risk and the damage caused by its possible occurrence. It helps to assess risks if the company has experts specifically focused on single sign-on and the previously mentioned management model.
One ID for all services
Another risk of centralization is that individual user accounts could end up in the wrong hands. When a single account can be used to log in to numerous services, the risk of abuse increases accordingly.
As organizations begin to protect their services at the network edge, by relying on more secure cloud services and taking better care of service updates, the attack surface for malicious attackers is narrowing. The next best way to attack systems is to steal user credentials.
It would be wrong to argue that decentralizing identification behind multiple passwords would be a solution to password misuse. However, there is an exception to this, and just as it is a good idea to separate the passwords of the maintenance service when preparing for the risk of centralizing the authentication solution. Decentralization is not a solution for end-user passwords, as it usually ends up in a weaker situation, for example because users come up with bad methods for remembering numerous different passwords. The more passwords, the weaker the overall security.
Instead, the risk of phishing that is increased by centralizing login credentials is prepared by strengthening identification factors. Today, credentials are strengthened with multi-factor authentication, i.e. by adding a third authentication factor in addition to the traditional username and password. How the third authentication factor is implemented depends on the security level requirements of the service. The most obvious way to implement additional steps is to do it as close as possible to the actual identification methods.
The most incomparable protection against phishing is also user education. When login is centralized, users learn what the company's login service is and what it looks like. Users are taught to protect the company's centralized login service and the associated identification factors with the utmost care. In addition, there are many smaller, important details that an organization must pay attention to in its information security. Do not repeat the same methods in the organization's processes that an attacker would use. For example, links to services are never sent by email. This is what a phisher would do. Instead, the company's service links are collected behind the login in one familiar place where the user can find them.
Benefits of single sign-on
Nothing is black and white, and that's also true when it comes to single sign-on. Despite the risks, including services in the scope of single sign-on brings such great benefits that implementing single sign-on cannot be ignored just because of the risks. This is especially true when there are ways to prepare for the risks.
The following subsections present some of the benefits, but the benefits may be very local, starting with user satisfaction and well-being at work, for example. The benefits listed in this article are therefore not an exhaustive list.
Get rid of extra passwords
The most important and most often cited benefit of single sign-on is getting rid of extra passwords. And that's true, it's a clear benefit. Instead of a user having to log in to services with a separate password, with single sign-on, they might only need one password across the organization.
Nowadays, difficult practices must be followed when using passwords to ensure that a password can be a secure method of identification. Passwords must be changed regularly, they must be complex enough that they cannot be guessed, and different passwords must be used for different services. In fact, a password is a very undesirable method of user identification.
Passwords should no longer be used anywhere. The previous part of the article introduced Fido and WebAuthn, one of the features of which is the ability to give up passwords. In this regard, getting rid of passwords should not be an explicit argument for implementing single sign-on, but rather giving up the use of passwords should be a general goal in itself that improves information security.
Centralizing identity management
Rather than getting rid of passwords, a more specific argument for single sign-on is centralizing identity management. Even if an organization does not have a comprehensive identity management (IdM) system, investing in single sign-on already helps with identity management.
If users are registered separately for each service used in the organization, it is difficult to remove access rights when a user leaves the organization. If login is centralized within single sign-on, when a user leaves the organization and closes their account, they will no longer be able to log in to the services, even if their user profiles are still active.
Of course, the goal of user account processes should be to centralize identity management in one place. However, companies evolve along their own paths and implementing single sign-on is better than no processes at all.
Data protection
A single sign-on system can be used to implement functions that improve user data protection. A generally poorly understood feature of single sign-on is that a user can be identified as a user of the service even without identifying their identity.
There are services where access is restricted to a subset of users, for example, but the nature of the service does not require the identity of the users. This could be the case, for example, in a company intranet where only members of the company are allowed to read articles. However, for an intranet, the identity of the user is not relevant today, when the actual media is separate.
In a single sign-on service, only the information about the user can be disclosed that they are a company user and only an opaque identifier that is provided to a single service and cannot be linked to the user's identity is disclosed.
The single sign-on service therefore protects the user's privacy by only providing the service with the amount of information about the user that is necessary for the service. This limitation of the amount of personal data is at the heart of the new European Data Protection Regulation and is in fact an obligation of the organization.
Generally improved information security
Single sign-on has countless features that improve data protection and information security. Having one instead of many identification services allows an organization to centralize information security functions in one service instead of protecting many different services.
When technically protecting the identification service, one must also remember the risks of a centralized service and follow the onion defense. The identification service must therefore be protected at all possible layers against various threats, for example: data traffic must be protected, the management model must be secure, the service must be audited regularly, users must be trained against social phishing, etc.
When users become familiar with one login method, they are significantly better equipped to protect the credentials associated with that login method. If a user uses a variety of different credentials or services to log in, they will not be as careful about them. When they learn to use one key service for logging in, they will also understand the need to protect the method and will approach protection with the required care.
Improved comfort
In terms of usability, it is in a completely different category if he is able to log in to different services using the same identifiers than if there are multiple identifiers and multiple ways to log in. If you calculate the time spent on the login process, it is easy to conclude that centralizing login increases employee efficiency.
Remembering, learning and using multiple identifiers is not only time-consuming, but also exhausting for employees. It is much easier for new employees to familiarize themselves with one than with multiple identification methods.
Understanding the meaning of recognition
Often, identification is not seen as a core technology and entity in an organization. When identification is centralized within single sign-on, a function that was not seen before begins to take shape in the organization: identification.
While at the end of the previous millennium, organizations began to recognize the need to protect information networks, now that the third millennium is well underway, a trend is clearly visible in which identification is becoming a key topic in the same way as firewalls, information network protection, and information security in general were in the past.
Information management and information technology are difficult disciplines. As a company grows, it is necessary to find clear areas of responsibility in information management that the organization's information management professionals can focus on. Information management as a whole is too large a piece to grasp at one time.
Identification is increasingly becoming a special area in any company that requires its own expert, possibly even its own team of experts. The challenge in putting together a team has proven to be that it is very difficult to find experts in the field of identification, perhaps because they are not specifically trained. Becoming an identification expert is learned through experience.
Single sign-on as a company brand factor
A strong single sign-on implementation can also be seen as a factor that strengthens the company's image. Not only does single sign-on show a careful approach to information security and data protection, it also shows as the users' identity to the company's services.
The article has considered single sign-on as an internal function within an organization, but we should not forget about the customers of companies, who are also users in many companies. Many companies have added social media identifiers to their services, which are a feature of federated identification.
Customer users do not want to learn new usernames and passwords for corporate services and an alternative must be found today. However, when implementing social media identification methods, a company must exclude non-social media users or implement an alternative method. It must also consider which identification methods will be implemented and how their use will be reflected in the company's public image.
It doesn't matter how a company organizes single sign-on for its services.
Summary
We have now come to the end of this series of articles. I hope you had time to read the entire series of articles, or at least skimmed the headlines and delved into the topics that interested you the most.
This series of articles is not comprehensive, complete, and may contain errors. We welcome your feedback and comments on the topic using your preferred channel.