How Secure is Your Enterprise Application?
Sushil Pulikkal and Doug Paulin
Senior VP of Engineering and Senior Manager
The old adage ‘an ounce of prevention is worth a pound of cure’ is as applicable when it comes to managing your business as it is to managing your health. The window to address potential threats to your business – new competition, evolving market demands, increasing customer expectations – is getting smaller and smaller in today’s business climate, where customers have more choices and news of a misstep travels faster than ever.
This adage has never been more applicable than it is now when it comes to information technology (IT) security. According to a study by IBM and Ponemon, costs associated with data breaches alone are estimated to reach $7.4 million across the United States just this year. Additional attacks, such as the 2017 global WannaCry ransomware attack, are estimated to cost companies as much as $4 billion.[i] When you consider the rise in these kinds of attacks, and the fact that more and more companies are hosting in the cloud themselves or using software-as-a-service (SaaS) offerings from third parties, your business may be more vulnerable than ever.
What is even more concerning is that in a 2016 survey by IBM of 2,400 IT professionals, 75 percent said that their company did not have a formal cybersecurity incident response plan.[ii] Business technology and applications are becoming ever more accessible because of the convenience and business potential of bringing them online, but this also increases the opportunities for hackers and cyber criminals to find vulnerabilities and attack businesses.
There are numerous vulnerabilities that hackers and cyber criminals can exploit to gain access to your data and the systems that you use to manage your business. Even if your IT team and third-party vendors have exceptional security tools, programs and protocols, your employees remain one of the biggest risks when it comes to providing malevolent actors with unwarranted access. This can come in the form of phishing attacks via email, malicious software embedded within downloads that appear to be legitimate, deceptive Wi-Fi networks posing as public networks, or many other options available to these parties. One of the most common failures that grants access, though, is weak user-generated passwords.
While businesses and software vendors can put controls and restrictions in place that require users to create more secure passwords (e.g., passwords that contain symbols, scheduled password changes, etc.), people still tend to store these passwords in very vulnerable locations, whether on a note on their desk or in an unsecured file on their computer. There is a more secure method for granting access to your business systems that removes this basic vulnerability, and it is called Single Sign-On (SSO).
So what is SSO, and how does it work?
Single sign-on is a user authentication service. This service allows a user to utilize one set of login credentials to access multiple applications. The service authenticates the end user for all of the applications that the user has been approved to access. It also eliminates further prompts and processes when the user moves between applications during the same session.
Some SSO services use protocols such as Kerberos (a protocol that authenticates requests between trusted hosts on an untrusted network) and the Security Assertion Markup Language (SAML).
The website TechTarget provides the following explanation of SAML:
SAML facilitates the exchange of user authentication and authorization data across secure domains. SAML-based SSO services involve communications between the user, an identity provider that maintains a user directory, and a service provider. When a user attempts to access an application from the service provider, the service provider will send a request to the identity provider for authentication. The service provider will then verify the authentication and log the user in. [iii]
While SSO eliminates the need for users to manage login credentials, which is unquestionably a weakness in security protocol, some technology security personnel believe that SSO can create additional security risks. The biggest concern is that if there is one method of access across systems, then the login credential is only as secure as the weakest point of system security. There are many aspects of SSO that offset this concern:
- Password Security: With one login credential, and one that the user does not have to manage, it is less likely that the user will use unsecured methods to recall it (i.e., writing passwords down, saving them on their computer, emailing their credentials to themselves, etc.).
- Employee Turnover: Centrally managed systems like SSO enable organizations to quickly remove access to all systems with a single change, rather than removing access from numerous systems one by one.
- Less Secured Environments: If a company has environments that are not as secure as it would hope, they can be excluded from the SSO structure entirely. Most enterprises are multi-tiered and would not require every system to participate. Multifactor authentication can also be used in addition to SSO for less secured environments.
- Help Desk Support: SSO greatly reduces the amount of support end users require for username and password recovery and reset. This reduces both the volume of support companies must provide and the inherent security risk that comes with transmitting login data regularly.
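To make the SAML exchange quoted above and the "Employee Turnover" point concrete, here is an added example (not code from the authors, TechTarget, or any SSO vendor) that simulates one identity provider (IdP) serving two service providers (SPs). It is a simplification: an HMAC-SHA256 signature over canonical JSON stands in for the XML signature a real SAML IdP produces, and the entity IDs, usernames and password are constructed. The SP-side checks (signature, issuer, audience, request matching, expiry, one-time use) are the ones a real SP must perform before trusting an assertion, and deprovisioning a user at the IdP is shown cutting off every application at once.

```python
"""Minimal SAML-style SSO simulation: one IdP, two SPs (constructed example)."""
import hashlib
import hmac
import json
import secrets
import time


def _canonical(obj) -> bytes:
    # Deterministic serialisation so signer and verifier hash identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class IdentityProvider:
    """Holds the user directory, checks the password once, issues signed assertions."""

    def __init__(self, entity_id: str, signing_key: bytes):
        self.entity_id = entity_id
        self._key = signing_key
        self._users = {}     # username -> {"salt", "pw_hash", "apps"}
        self._sessions = {}  # IdP session token -> username

    def provision(self, username: str, password: str, apps: set):
        salt = secrets.token_bytes(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[username] = {"salt": salt, "pw_hash": pw_hash, "apps": set(apps)}

    def deprovision(self, username: str):
        # Employee turnover: one change here revokes access to every SP.
        self._users.pop(username, None)
        self._sessions = {t: u for t, u in self._sessions.items() if u != username}

    def login(self, username: str, password: str):
        rec = self._users.get(username)
        if rec is None:
            return None
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 100_000)
        if not hmac.compare_digest(pw_hash, rec["pw_hash"]):
            return None
        token = secrets.token_hex(16)
        self._sessions[token] = username
        return token

    def issue_assertion(self, session_token: str, authn_request: dict):
        # Answers an SP's request without re-prompting: that is the "single" in SSO.
        username = self._sessions.get(session_token)
        if username is None:
            return None  # no IdP session (never logged in, or deprovisioned)
        if authn_request["issuer"] not in self._users[username]["apps"]:
            return None  # authenticated, but not entitled to this application
        assertion = {
            "issuer": self.entity_id,
            "subject": username,
            "audience": authn_request["issuer"],
            "in_response_to": authn_request["id"],
            "not_on_or_after": int(time.time()) + 300,
        }
        sig = hmac.new(self._key, _canonical(assertion), hashlib.sha256).hexdigest()
        return {"assertion": assertion, "signature": sig}


class ServiceProvider:
    """An application that trusts the IdP's signature instead of holding passwords."""

    def __init__(self, entity_id: str, idp_entity_id: str, idp_key: bytes):
        self.entity_id = entity_id
        self._idp_id = idp_entity_id
        self._idp_key = idp_key
        self._pending = set()  # request ids issued but not yet answered

    def authn_request(self) -> dict:
        req = {"issuer": self.entity_id, "id": secrets.token_hex(8)}
        self._pending.add(req["id"])
        return req

    def consume(self, response: dict, now=None):
        # Returns the logged-in username, or None if any check fails.
        a = response["assertion"]
        expected = hmac.new(self._idp_key, _canonical(a), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, response["signature"]):
            return None  # tampered or forged
        if a["issuer"] != self._idp_id or a["audience"] != self.entity_id:
            return None  # unknown IdP, or an assertion meant for another SP
        if a["in_response_to"] not in self._pending:
            return None  # unsolicited or replayed
        if (now if now is not None else int(time.time())) >= a["not_on_or_after"]:
            return None  # expired
        self._pending.discard(a["in_response_to"])  # one-time use
        return a["subject"]


def sso_login(idp, sp, session_token):
    """One SP-initiated round trip: SP request -> IdP assertion -> SP verification."""
    req = sp.authn_request()
    resp = idp.issue_assertion(session_token, req)
    return sp.consume(resp) if resp else None


def demo():
    key = secrets.token_bytes(32)
    idp = IdentityProvider("https://idp.example", key)
    crm = ServiceProvider("https://crm.example", idp.entity_id, key)
    payroll = ServiceProvider("https://payroll.example", idp.entity_id, key)
    idp.provision("alice", "correct horse battery staple", {crm.entity_id, payroll.entity_id})
    tok = idp.login("alice", "correct horse battery staple")
    results = {"crm": sso_login(idp, crm, tok), "payroll": sso_login(idp, payroll, tok)}
    resp = idp.issue_assertion(tok, crm.authn_request())
    resp["assertion"]["subject"] = "admin"  # tampering after signing
    results["tampered"] = crm.consume(resp)
    resp = idp.issue_assertion(tok, crm.authn_request())
    crm.consume(resp)
    results["replay"] = crm.consume(resp)  # same assertion presented twice
    idp.deprovision("alice")
    results["after_deprovision"] = sso_login(idp, crm, tok)
    return results


if __name__ == "__main__":
    print(demo())
```

One login at the IdP yields sessions on both applications, a tampered or replayed assertion is refused by the SP, and a single deprovisioning call at the IdP ends access everywhere. In a real deployment the IdP signs with a private key and the SP verifies with the IdP's public certificate, so the shared `key` here is the one thing that would not be shared.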
Securing access to your data and business systems by removing employee password management addresses only one of the many vulnerabilities your company faces when shielding itself from cyber criminals, but it is a great place to start. Challenge your IT departments and software vendors alike to enable a program like SSO; if they cannot, you may have much larger gaps in your system security than you imagined. With cybercrime on the rise, and more vulnerabilities than ever now that enterprise applications are accessible over the internet, that ounce of prevention may actually be worth significantly more than a pound of cure.
[i] Ponemon Institute LLC, 2017 Cost of Data Breach Study: Global Overview, June 2017, https://www-01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=SEL03130WWEN&
[ii] IBM Institute for Business Value, Cybersecurity in the Cognitive Era: Priming Your Digital Immune System, Executive Report – Security, 2016, http://www-07.ibm.com/sg/pdf/Cybersecurity_in_the_Cognitive_Era.PDF
[iii] TechTarget, "Definition: single sign-on (SSO)," http://searchsecurity.techtarget.com/definition/single-sign-on