Is Single Sign-On Enough to Secure Your SaaS Applications?

May 20, 2021
Single Sign-On

If there's one thing all great SaaS platforms share in common, it is their focus on simplifying the lives of their end-users. Removing friction for users in a safe way is the mission of single sign-on (SSO) providers.

With SSO at the helm, users do not have to remember separate passwords for every app or hide digital copies of their credentials in plain sight.

SSO also frees up IT's bandwidth from handling recurring password reset requests while improving productivity for everyone in your organization. However, there is also a level of risk that comes with SSO capability.

How to protect against SSO fails

Real-Life Risks Involved in SSO

While SSO facilitates ease of access to a great extent, it also comes with some amount of imminent risk. SSO is an effective enabler of efficiency, but it is not an end-all security solution: it has its own flaws that allow for bypass.

There is a specific class of vulnerability that Adam Roberts from the NCC Group detected in a number of SSO providers. He found that the vulnerability specifically affected Security Assertion Markup Language (SAML) implementations.

"The flaw could allow an attacker to modify SAML responses generated by an identity provider, and thereby gain unauthorized access to arbitrary user accounts, or to escalate privileges within an application," described security researcher Roberts.

Security researchers from Micro Focus Fortify showcased in 2019 the risks associated with SSO vulnerabilities in Microsoft's authentication mechanism. The vulnerabilities enabled bad actors to carry out either a denial of service or to impersonate another user in order to exploit that user's privileges. Microsoft fixed the vulnerability in the SSO authentication in July of the same year.

There is also the troubling rise of account takeover (ATO) attacks where the bad actor is able to bypass SSO. According to credit rating giant Experian (no stranger to damaging fraud attacks), 57% of organizations say they fell victim to ATOs over the course of 2020.

By design, SSO does not offer 100% security. Many organizations enable multi-factor authentication (MFA) in addition, and yet there are still cases when all these preventative measures can fail. Here is a common scenario:

Super admins, the most powerful users in the SaaS security posture, will often bypass SSO and IAM parameters without any hiccups. SSO is bypassed for many reasons, ranging from a desire for easy access and convenience to genuine need. In an IdP outage scenario, on certain SaaS platforms the super admins authenticate directly against the platform to ensure connectivity. In any case, there are legacy protocols that allow admins to circumvent its mandatory use.

Protect Against SSO Fails

SSO tools alone are not enough to protect against unauthorized entry into an organization's SaaS estate. There are specific steps you can take to avoid the risks presented by SSO.

  • Run an audit, identify users and platforms that can bypass SSO, and deploy app-specific MFA to ensure properly configured password policies for those users.
  • Identify legacy authentication protocols that do not support MFA and that are still in use, such as IMAP and POP3 for email clients.
  • Then, reduce the number of users relying on these protocols and create a second factor, such as a specific set of devices that are allowed to use such legacy protocols.
  • Review platform-specific indicators of compromise, such as forwarding rules configured in email applications, bulk actions, etc. Such indicators may differ between SaaS platforms and therefore require intimate knowledge of each platform.
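The audit steps above can be turned into a repeatable check. The script below is an added example, not code from the original post or from Adaptive Shield; it runs over constructed sign-in records and mailbox forwarding rules (the field names, sample users and domains are assumptions) and flags legacy-protocol logins without MFA, super admins authenticating with a local password instead of SSO, and forwarding rules that send mail outside the organization.

```python
# Added example (not from the original post): review constructed SaaS
# sign-in records and mailbox forwarding rules for the SSO-bypass
# indicators described in the steps above. Field names and data are assumed.

LEGACY_PROTOCOLS = {"IMAP", "POP3"}  # auth paths that cannot carry MFA

# Constructed sample sign-in events, one record per login
SIGNINS = [
    {"user": "alice@corp.example", "app": "Mail", "protocol": "IMAP",
     "auth": "password", "mfa": False, "role": "user"},
    {"user": "bob@corp.example", "app": "CRM", "protocol": "HTTPS",
     "auth": "sso", "mfa": True, "role": "user"},
    {"user": "root-admin@corp.example", "app": "CRM", "protocol": "HTTPS",
     "auth": "password", "mfa": False, "role": "super_admin"},
    {"user": "carol@corp.example", "app": "Mail", "protocol": "POP3",
     "auth": "password", "mfa": False, "role": "user"},
    {"user": "dave@corp.example", "app": "Mail", "protocol": "HTTPS",
     "auth": "sso", "mfa": True, "role": "user"},
]

def find_sso_bypass(events):
    """Return (legacy_users, direct_admin_logins): users reaching apps over a
    legacy protocol with no MFA, and super admins logging in without SSO."""
    legacy = {}
    direct_admins = []
    for e in events:
        if e["protocol"] in LEGACY_PROTOCOLS and not e["mfa"]:
            legacy.setdefault(e["user"], set()).add(e["protocol"])
        if e["role"] == "super_admin" and e["auth"] != "sso":
            direct_admins.append((e["user"], e["app"]))
    return legacy, direct_admins

# Constructed mailbox forwarding rules: (mailbox, forward-to address)
FORWARDING_RULES = [
    ("alice@corp.example", "alice.archive@corp.example"),
    ("carol@corp.example", "mailbox-sync@external-mail.example"),
]

def find_external_forwarding(rules, internal_domain):
    """Return rules that forward mail outside the organization, one of the
    post-ATO indicators named in the steps above."""
    suffix = "@" + internal_domain.lower()
    return [(src, dst) for src, dst in rules if not dst.lower().endswith(suffix)]

if __name__ == "__main__":
    legacy, admins = find_sso_bypass(SIGNINS)
    for user, protos in legacy.items():
        print(f"legacy protocol without MFA: {user} via {', '.join(sorted(protos))}")
    for user, app in admins:
        print(f"super admin bypassing SSO: {user} on {app}")
    for src, dst in find_external_forwarding(FORWARDING_RULES, "corp.example"):
        print(f"external forwarding rule: {src} -> {dst}")
```

In practice the two input lists would be exported from each SaaS platform's sign-in log and mailbox rule API, and the remediation is the MFA and device restriction the list above describes.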

A robust SaaS security posture management (SSPM) tool, like Adaptive Shield, can automate these steps to help prevent potential leaks or attacks.

In addition to vetting every user in your SaaS ecosystem, Adaptive Shield lets you check for configuration weaknesses across your entire SaaS estate, SSO domain included, through every setting, user role, and access privilege.

Adaptive Shield gives your security team the full context of a breach and its risk to your organization, and provides proper instructions every step of the way until the threat is resolved.
