If there's one thing all great SaaS platforms have in common, it's their focus on simplifying the lives of their end-users. Removing that friction safely is the mission of single sign-on (SSO) providers.
With SSO in place, users don't have to remember a separate password for each app, or keep copies of their credentials lying around in plain sight.
SSO also frees IT from handling recurring password reset requests and improves productivity across the organization. However, SSO brings its own level of risk.
Real-Life Risks Involved in SSO
While SSO makes access far easier, it also carries a certain amount of inherent risk. SSO is a good enabler of efficiency, but it is not an end-all security solution; it has its own flaws that allow it to be bypassed.
One specific class of vulnerability was found by Adam Roberts of NCC Group in several SSO services. The flaw affected Security Assertion Markup Language (SAML) implementations in particular.
"The flaw could allow an attacker to modify SAML responses generated by an identity provider, and thereby gain unauthorized access to arbitrary user accounts, or to escalate privileges within an application," described security researcher Roberts.
Security researchers from Micro Focus Fortify demonstrated in 2019 the dangers of SSO vulnerabilities in Microsoft's authentication mechanism. The vulnerabilities allowed attackers either to cause a denial of service or to impersonate another user and act with that user's privileges. Microsoft fixed the SSO authentication vulnerability in July of the same year.
There is also the troubling rise of account takeover (ATO) attacks, in which the attacker manages to bypass SSO altogether. According to credit rating giant Experian (no stranger to damaging fraud attacks), 57% of organizations say they fell victim to ATOs over the course of 2020.
SSO, MFA, IAM, Oh My!
By design, SSO does not offer 100% protection. Many organizations enable multi-factor authentication (MFA) on top of it, and yet there are still situations in which all of these preventive measures can fail. Here's a common scenario:
Super admins, the most privileged users in a SaaS platform, can often bypass SSO and IAM controls entirely. This happens for many reasons, from a desire for convenience to genuine operational need: on some SaaS platforms, during an IdP outage, super admins must authenticate directly against the platform with a local password to keep it reachable. Beyond that, legacy authentication protocols let users circumvent mandatory SSO altogether.
Protect Against SSO Fails
SSO tools alone are not enough to protect against unauthorized access to an organization's SaaS estate. There are concrete steps you can take to reduce the risks that SSO leaves open.
- Run an audit to identify the users and platforms that can bypass SSO; for those, deploy app-specific MFA and enforce a properly configured password policy.
- Identify legacy authentication protocols in use that don't support MFA, such as IMAP and POP3 for email clients.
- Reduce the number of users on these protocols, then add a compensating second factor, such as allowing only a specific, known set of devices to use them.
- Review platform-specific indicators of compromise, such as forwarding rules configured in email applications, bulk actions, and so on. These indicators differ from one SaaS platform to the next and therefore require intimate knowledge of each platform.
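The audit steps above can be scripted against exported sign-in and mailbox-rule data. The block below is an added example written for this page, not Adaptive Shield's code or any vendor's tooling: it takes a handful of constructed sign-in events and mailbox rules (field names such as `auth_source`, `protocol`, `device_id` and `role` are assumptions loosely modelled on IdP/SaaS logs, not a real schema) and reports users who authenticated with local credentials instead of SSO, super admins among them, legacy-protocol sign-ins from devices outside an allowlist, and forwarding rules that point outside the organization's domains.

```python
"""Audit constructed SaaS sign-in events and mailbox rules for SSO gaps.

All data below is constructed for this example. The field names are
assumptions loosely modelled on IdP/SaaS sign-in logs, not a vendor schema.
"""

LEGACY_PROTOCOLS = {"IMAP", "POP3", "SMTP_AUTH"}  # no MFA support on these paths

# Constructed sign-in events (not real log data).
SIGNIN_EVENTS = [
    {"user": "alice@corp.example", "app": "crm", "protocol": "BROWSER",
     "auth_source": "sso", "mfa": True, "device_id": "dev-001", "role": "user"},
    {"user": "root-admin@corp.example", "app": "crm", "protocol": "BROWSER",
     "auth_source": "local", "mfa": False, "device_id": "dev-002", "role": "super_admin"},
    {"user": "bob@corp.example", "app": "mail", "protocol": "IMAP",
     "auth_source": "local", "mfa": False, "device_id": "dev-003", "role": "user"},
    {"user": "scanner@corp.example", "app": "mail", "protocol": "SMTP_AUTH",
     "auth_source": "local", "mfa": False, "device_id": "mfp-lobby", "role": "service"},
    {"user": "carol@corp.example", "app": "mail", "protocol": "BROWSER",
     "auth_source": "sso", "mfa": True, "device_id": "dev-004", "role": "user"},
]

# Constructed mailbox rules (not real data).
MAILBOX_RULES = [
    {"user": "bob@corp.example", "name": "backup", "action": "forward",
     "target": "bob.personal@mail.example.org"},
    {"user": "carol@corp.example", "name": "to-team", "action": "forward",
     "target": "team@corp.example"},
    {"user": "alice@corp.example", "name": "archive", "action": "move",
     "target": "Archive"},
]

INTERNAL_DOMAINS = {"corp.example"}
# Devices explicitly permitted to keep using legacy protocols (the compensating
# control from the list above), e.g. a lobby printer that can only do SMTP AUTH.
LEGACY_ALLOWED_DEVICES = {"mfp-lobby"}


def find_sso_bypass(events):
    """Users who signed in with platform-local credentials instead of via SSO.

    Returns {user: {"apps": set, "mfa": True only if every bypass used MFA, "role": role}}
    so that unprotected super admins stand out.
    """
    out = {}
    for e in events:
        if e["auth_source"] != "sso":
            rec = out.setdefault(e["user"], {"apps": set(), "mfa": True, "role": e["role"]})
            rec["apps"].add(e["app"])
            rec["mfa"] = rec["mfa"] and e["mfa"]
    return out


def find_legacy_auth(events, allowed_devices=LEGACY_ALLOWED_DEVICES):
    """Legacy-protocol sign-ins from devices that are not on the allowlist."""
    return [e for e in events
            if e["protocol"] in LEGACY_PROTOCOLS and e["device_id"] not in allowed_devices]


def find_external_forwarding(rules, internal_domains=INTERNAL_DOMAINS):
    """Forwarding rules whose target mailbox lies outside the organization's domains."""
    hits = []
    for r in rules:
        if r["action"] != "forward":
            continue
        domain = r["target"].rpartition("@")[2].lower()
        if domain not in internal_domains:
            hits.append(r)
    return hits


def audit(events=SIGNIN_EVENTS, rules=MAILBOX_RULES):
    """Combine the three checks into one report of user lists per finding."""
    bypass = find_sso_bypass(events)
    return {
        "sso_bypass_without_mfa": sorted(u for u, r in bypass.items() if not r["mfa"]),
        "super_admins_bypassing_sso": sorted(u for u, r in bypass.items()
                                             if r["role"] == "super_admin"),
        "legacy_auth_users": sorted({e["user"] for e in find_legacy_auth(events)}),
        "external_forwarding_users": sorted({r["user"] for r in find_external_forwarding(rules)}),
    }


if __name__ == "__main__":
    for finding, users in audit().items():
        print(f"{finding}: {', '.join(users) or '-'}")
```

On the constructed data, the service account on the allowlisted printer is deliberately not flagged for legacy auth even though it cannot use MFA, while the IMAP user on an unknown device is; that is the point of pairing the protocol check with a device allowlist rather than blocking legacy protocols outright. Real exports will use different field names and richer event types, so the functions are where the mapping to your platform's schema goes.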
A robust SaaS security posture management (SSPM) tool, like Adaptive Shield, can automate these steps to help prevent leaks or attacks.
In addition to vetting each user in your SaaS ecosystem, Adaptive Shield lets you examine configuration weaknesses across your whole SaaS estate, SSO domain included, through every setting, user role, and access privilege.
Adaptive Shield gives your security team the full context of a breach and its risk to your organization and gives you the right instructions every step of the way until the threat is resolved.