More debate on SSO/Authentication
Mike Farnum and I continue to debate the merits of single-sign-on and his opinion that deploying same makes you more secure.
Rothman’s stirring the point saying this is a cat fight. To me, it’s just two dudes having a reasonable debate…unless you know something I don’t [but thanks, Mike R. because nobody would ever read my crap unless you linked to it! ;)]
Mike’s position is that SSO does make you more secure and when combined with multi-factor authentication adds to defense-in-depth.
It’s the first part I have a problem with, not so much the second and I figured out why. It’s the order of the things that got me bugged when Mike said the following:
But here’s s [a] caveat, no matter which way you go: you really need a
single-signon solution backing up a multi-factor authentication
If he had suggested that multi-factor authentication should back up an SSO solution, I’d agree. But he didn’t and he continues not to by maintaing (I think) that SSO itself is secure and SSO + multi-factor authentication is more secure.
My opinion is a little different. I believe that strong authentication *does* add to defense-in-depth, but SSO adds only depth of complexity, obfuscation and more moving parts, but with a single password on the front end. More on that in a minute.
Let me clarify a point which is that I think from a BUSINESS and USER EXPERIENCE perspective, SSO is a fantastic idea. However, I still maintain that SSO by itself does not add to defense-in-depth (just the opposite, actually) and does not, quantifiably, make you more "secure." SSO is about convenience, ease of use and streamlined efficiency.
You may cut down on password resets, sure. If someone locks themselves out, however, most of the time resets/unlocks involve then self-service portals or telephone resets which are just as prone to brute force and social engineering as calling the helpdesk, but that’s a generalization and I would rather argue through analogy…
Here’s the sticky part of why I think SSO does not make you more secure, it merely transfers the risks involved with passwords from one compartment to the next.
While that’s a valid option, it is *very* important to recognize that managing risk does not, by definition, make you more secure…sometimes managing risk means you accept or transfer it. It doesn’t mean you’ve solved the problem, just acknowledged it and chosen to accept the fact that the impact does not justify the cost involed in mitigating it.
SSO just says "passwords are a pain in the ass to manage. I’m going to find a better solution for managing them that makes my life easier." SSO Vendors claim it makes you more secure, but these systems can get very complex when implementing them across an Enterprise with 200 applications, multiple user repositories and the need to integrate or federate identities and it becomes difficult to quantify how much more secure you really are with all of these moving parts.
Again, SSO adds depth (of complexity, obfuscation and more moving parts) but with a single password on the front end. Complex passwords on the back-end managed by the SSO system don’t do you a damned good when some monkey writes that single password that unlocks the entire enterprise down on a sticky note.
Let’s take the fancy "SSO" title out of the mix for a second and consder today’s Active Directory/LDAP proxy functions which more and more applications tie into. This relies on a single password via your domain credentials to authenticate directly to an application. This is a form of SSO, and the reality is that all we’re doing when adding on an SSO system is supporting web and legacy applications that can’t use AD and proxying that function through SSO.
It’s the same problem all over again except now you’ve just got an uber:proxy.
Now, if you separate SSO from the multi-factor/strong authentication argument, I will agree that strong authentication (not necessarily multi-factor — read George Ou’s blog) helps mitigate some of the password issue, but they are mutually exclusive.
Maybe we’re really saying the same thing, but I can’t tell.
Just to show how fair and balanced I am (ha!) I will let you know that prior to leaving my last employ, I was about to deploy an Enterprise-wide SSO solution. The reason? Convenience and cost.
Transference of risk from the AD password policies to the SSO vendor’s and transparency of process and metrics collection for justifying more heads. It wasn’t going to make us any more secure, but would make the users and the helpdesk happy and let us go figure out how we were going to integrate strong authentication to make the damned thing secure.