Legacy vs. Adaptive SSO - How Machine Learning Prevents Breaches
It is commonly accepted that single sign-on (SSO) reduces the risk that comes with poor password practices and improves security posture. But not all single sign-on solutions are created equal. This blog goes over the highlights of our webinar on Legacy vs. Modern SSO, which is available on demand.
Why SSO matters
With SSO, a strong password policy can be enforced at one place, which reduces the likelihood of users reusing passwords, choosing simple or commonly used passwords, or having so many passwords that they write them down. Access to applications is simplified: users log in once to a web portal and get access to all the resources and assigned applications they need to do their jobs. Users can take advantage of self-service options to reset passwords or unlock accounts, which reduces the burden on IT departments as the volume of password-related help desk calls and tickets decreases.
Additionally, SSO solutions simplify partner collaboration by enabling one-click access to applications for partner employees. With federated SSO, partner users authenticate against their own identity provider, under their own policies and processes, and are then granted access to your applications according to the entitlements you assign them. Finally, SSO also makes it easier to meet compliance requirements around data access. Because users reach their assigned apps through a single portal, every access event is logged in one place, which makes it straightforward to produce the reports auditors ask for.
The evolution of IAM
Originating in the 1960s, IAM focused on login names and passwords, with humans acting as gatekeepers who manually granted or denied access to users. Not much changed in the IAM space until around 2000, when Active Directory became the primary way of controlling user access in the enterprise. With the introduction of web apps hosted on-premises, the pace of change accelerated significantly.
Initially, each application had its own authentication engine and required users to create application-specific credentials. However, the growing number of applications and the proliferation of cloud apps created the need for a common authentication mechanism. From the mid-2000s onward, standards such as SAML (2005), OAuth (an authorization framework rather than an authentication protocol) and, later, OpenID Connect (OIDC, built on OAuth 2.0 and finalized in 2014) became widely adopted by developers of cloud applications.
In parallel, a category of dedicated access management products grew up around on-premises web apps, called Web Access Management (WAM). Most WAM solutions relied either on agents deployed on each web server or on a reverse-proxy architecture that sat in front of the applications, which made them better suited to apps hosted on-premises than to apps hosted in the cloud.
WAM vs. Modern SSO
Traditional WAM solutions focused on controlling access within a network perimeter and did not address the security concerns of employees working from home or on the road. WAMs had to be upgraded and patched, and integrations with other systems required custom work. The total cost of ownership of a WAM solution was high, and the time to value was long.
Modern SSO solutions, in contrast, are designed to work with the standards out of the box and are meant to secure boundaryless environments that include mobile workers and cloud apps. The total cost of ownership of modern SSO solutions is lower, and the implementation time and time to value are much shorter.
In addition to cloud apps, some modern SSO solutions also work with legacy apps and on-premises directories. For example, the Idaptive Single Sign-On solution includes capabilities for remote access to on-premises web apps such as SharePoint and SAP without the need for a VPN. You can also install a lightweight Windows service that connects to your Active Directory or LDAP directory, so on-premises user repositories can be used as the source of identities.
Security and User Experience
Single sign-on solutions greatly improve user experience and productivity. However, just as it is bad practice to use the same password across various applications and services, it is also dangerous to let one set of credentials unlock every resource an employee has access to.
If an attacker obtains an employee's SSO password, that single credential unlocks everything the employee is entitled to, which makes the SSO login the most valuable target in the environment.
To prevent identity-related breaches, companies implement additional security controls such as multi-factor authentication (MFA). The stronger the controls, the more steps users need to take to reach the resources they need, which ultimately affects both user productivity and overall satisfaction.
One solution that provides both security and a good user experience is adaptive MFA. Unlike traditional MFA, which prompts on every login, adaptive MFA uses device, network, and other context to assign a risk level to each access event and allows access policies that trigger a step-up prompt only when the risk is deemed high. Used together, SSO and adaptive MFA enable companies to realize the advantages of SSO while minimizing the risk of a single compromised credential.
MFA powered by machine learning
Although static-rule and context-based MFA solutions are certainly better than no MFA at all, attackers continue to evolve and use more sophisticated methods to gain access to your data. To stay ahead of these attempts, consider newer data-driven MFA solutions that are based on machine learning.
These solutions not only take into consideration the context of each access attempt, but also build a baseline profile for each user from user-specific attributes such as location, device, network, and time of the access request. This lets you compare each new access request against the user's historical pattern, assign a more accurate risk score to it, and create dynamic access policies that trigger when anomalous behavior is detected.
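The two layers described above, static context rules (the adaptive MFA of the previous section) and a per-user behavioral baseline (this section), can be combined into one risk score that drives an allow / step-up / deny decision. The following is an added illustration written for this post; it is not Idaptive's code, and the login history, attribute names, weights and thresholds are all constructed assumptions. A real product would learn the weights rather than hard-code them and would draw on far more signals, but the structure is the same: summarize history per user, compare the new attempt against it, and only prompt when the deviation is large.

```python
"""Adaptive MFA risk scoring: static context rules plus a per-user baseline (illustrative)."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed history of successful logins for one user (sample data, not real logs).
HISTORY = [
    {"user": "alice", "ts": "2024-03-04T08:55:00", "country": "US", "device": "d-lap-1",   "asn": "AS7018",  "network": "corp"},
    {"user": "alice", "ts": "2024-03-05T09:10:00", "country": "US", "device": "d-lap-1",   "asn": "AS7018",  "network": "corp"},
    {"user": "alice", "ts": "2024-03-06T18:40:00", "country": "US", "device": "d-phone-1", "asn": "AS22394", "network": "mobile"},
    {"user": "alice", "ts": "2024-03-07T09:05:00", "country": "US", "device": "d-lap-1",   "asn": "AS7018",  "network": "corp"},
]

# Layer 1: static context rules, applied regardless of who the user is (assumed weights).
STATIC_NETWORK_RISK = {"tor": 60, "unknown": 20}

# Layer 2: weights for deviations from the user's own baseline (assumed values).
WEIGHTS = {"new_device": 40, "new_country": 35, "new_asn": 15, "unusual_hour": 20, "impossible_travel": 50}
STEP_UP_THRESHOLD = 30   # score at or above this: require a second factor
DENY_THRESHOLD = 70      # score at or above this: block and alert
TRAVEL_WINDOW_SECONDS = 2 * 3600


def build_baseline(events):
    """Summarize each user's login history into the attributes later attempts are compared against."""
    baselines = defaultdict(lambda: {"devices": set(), "countries": set(), "asns": set(),
                                     "hours": Counter(), "last": None})
    for e in sorted(events, key=lambda ev: ev["ts"]):
        b = baselines[e["user"]]
        b["devices"].add(e["device"])
        b["countries"].add(e["country"])
        b["asns"].add(e["asn"])
        ts = datetime.fromisoformat(e["ts"])
        b["hours"][ts.hour] += 1
        b["last"] = (ts, e["country"])       # most recent login, used for impossible-travel checks
    return baselines


def score_attempt(baselines, attempt):
    """Return (score, reasons, decision) for one access request."""
    score, reasons = 0, []

    # Layer 1: context rules that apply to everyone.
    static = STATIC_NETWORK_RISK.get(attempt["network"], 0)
    if static:
        score += static
        reasons.append(f"network:{attempt['network']}")

    b = baselines.get(attempt["user"])
    if b is None:
        # No history to compare against: never silently allow, at least step up.
        score = max(score, STEP_UP_THRESHOLD)
        reasons.append("no_baseline")
    else:
        # Layer 2: deviations from this user's own pattern.
        ts = datetime.fromisoformat(attempt["ts"])
        last_ts, last_country = b["last"]
        checks = [
            ("new_device", attempt["device"] not in b["devices"]),
            ("new_country", attempt["country"] not in b["countries"]),
            ("new_asn", attempt["asn"] not in b["asns"]),
            ("unusual_hour", ts.hour not in b["hours"]),
            # Different country within the travel window of the last login.
            ("impossible_travel", attempt["country"] != last_country
                                  and (ts - last_ts).total_seconds() < TRAVEL_WINDOW_SECONDS),
        ]
        for name, hit in checks:
            if hit:
                score += WEIGHTS[name]
                reasons.append(name)

    if score >= DENY_THRESHOLD:
        decision = "deny"
    elif score >= STEP_UP_THRESHOLD:
        decision = "step_up_mfa"
    else:
        decision = "allow"
    return score, reasons, decision


if __name__ == "__main__":
    baselines = build_baseline(HISTORY)
    attempts = [
        # Usual laptop, corp network, usual hour: matches baseline.
        {"user": "alice", "ts": "2024-03-08T09:00:00", "country": "US", "device": "d-lap-1", "asn": "AS7018", "network": "corp"},
        # New phone, but everything else is normal: worth a second factor, not a block.
        {"user": "alice", "ts": "2024-03-08T09:00:00", "country": "US", "device": "d-new-phone", "asn": "AS7018", "network": "corp"},
        # Unknown device and network, new country 85 minutes after a US login: deny.
        {"user": "alice", "ts": "2024-03-07T10:30:00", "country": "RO", "device": "d-unknown", "asn": "AS9009", "network": "unknown"},
    ]
    for a in attempts:
        print(score_attempt(baselines, a))
```

The point of the split is that the first attempt in the usage block never sees a prompt, the second gets a step-up because one attribute changed, and the third is blocked because several independent signals fire at once. Static rules alone would have allowed the second attempt and only added 20 points to the third.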
To dive deeper into how Idaptive leverages machine learning and how you can use our AI-based MFA solution to secure your environment, watch the webinar available on-demand.