OneLogin hack - the future's bleak for standalone single sign-on services
By Francois Amigorena, CEO of IS Decisions
The recent hack on password manager OneLogin has reignited a huge debate within the security industry - where do companies strike the balance between convenience and security?
OneLogin is a single sign-on service that enables users to log into multiple applications, systems and networks with just one password - with no need to log into each one individually. Essentially, it's a bit like replacing all the keys to all the doors within a house with one master key.
On the face of it, OneLogin is a great solution. From the user's perspective, it's convenient, enabling employees to get on with their jobs rather than focusing on security. From the IT administrator's point of view, single sign-on means dealing with fewer support tickets from employees who have forgotten their password. And from a business point of view, single sign-on helps improve employee productivity, which is now so low that US employees lose on average 21.88 minutes every week because of complex security. This figure equates to 182 days of lost productivity for companies of 250 people, and 21.9 days for companies with 30 people.
But for all its positives, the hack on OneLogin has exposed single sign-on's weakness in effectively protecting a network. It's now a big security risk. Attackers managed to obtain the login credentials of users "served by our [OneLogin's] US data centre" - and the even more worrying part of the breach is that the perpetrators have the ability to decrypt the encrypted data they now have their hands on.
What the implications of a single sign-on hack are
The implications of an attack of this kind are huge for organisations - and for the future of single sign-on services. Each individual Windows login is like a troop on the frontline of security for the defence of the network. The more passwords an organisation has, the stronger that frontline will be at keeping breaches at bay. However, by implementing single sign-on, a company effectively reduces the number of troops on the front line, rendering what's left extremely vulnerable. At the risk of mixing metaphors, it's a bit like putting all your eggs in one basket.
Gartner financial fraud analyst Avivah Litan agrees, saying: "It's just such a massive single point of failure. And this breach shows that other [cloud-based single sign-on] services are vulnerable, too. This is a big deal and it's disruptive for victim customers, because they have to now change the inner guts of their authentication systems and there's a lot of employee inconvenience while that's going on."
Single sign-on services are indeed a 'massive point of failure', and all it takes for a breach to occur - and for an attacker to gain access to vast amounts of sensitive data - is one instance of bad user behaviour. It could be an employee sharing a password or leaving a workstation unlocked. It could be an employee falling victim to a phishing attack. Or it could be a malicious user stealing a colleague's credentials.
Whatever the method, it goes without saying that if you're an organisation that is effectively 'putting all your eggs in one basket', you need to make damn sure you protect that basket.
Bolstering the strength of single sign-on services
One way to do that is through 'context-aware' security. The trouble with passwords is that anybody can use them to gain entry. As long as you have the correct credentials, you can log in - no matter who you are. Context-aware security, though, pulls in supplemental information around a login attempt to decide whether the person logging in is who they say they are.
For example, context-aware security analyses the geographical area the login is taking place from, the device the user is logging in on, the time it's happening, the IP address it comes from, and many other variables.
Then, by restricting single sign-on logins to particular workstations, devices, IP addresses, times of day or geographies, organisations can reduce the size of the opportunity for would-be attackers. For example, imagine if Sally were using Peter's credentials to log in from her own desktop. If the company had restricted Peter's logins to just his own devices, Sally wouldn't be able to gain entry. Or if someone in one department used the credentials from someone in another department to gain entry from the wrong workstation, again, the system would deny access.
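The kind of restriction described above, as an added example that is not part of the original article and not code from IS Decisions or OneLogin: a small Python policy check that evaluates a login attempt against a per-user allow-list of workstations, source networks, countries and hours, and fails closed for users with no policy. Peter and Sally are the page's own characters; the workstation names, IP ranges, hours and the tiny IP-to-country table are constructed sample data standing in for a real directory and geolocation lookup.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed stand-in for a real geolocation service (assumption: one exists
# in the deployment). Maps source networks to ISO country codes.
GEO_TABLE = {
    ipaddress.ip_network("10.1.0.0/16"): "GB",      # office LAN
    ipaddress.ip_network("203.0.113.0/24"): "GB",   # VPN egress
    ipaddress.ip_network("198.51.100.0/24"): "RO",  # unrelated foreign range
}


def lookup_country(ip: str) -> str:
    """Return the country for an IP, or UNKNOWN when it is not in the table."""
    addr = ipaddress.ip_address(ip)
    for net, country in GEO_TABLE.items():
        if addr in net:
            return country
    return "UNKNOWN"


@dataclass
class Policy:
    workstations: Set[str]                 # hostnames the user may log in from
    networks: List[ipaddress._BaseNetwork]  # permitted source networks
    countries: Set[str]                    # permitted geolocated countries
    hours: Tuple[int, int]                 # [start, end) local hours


@dataclass
class Attempt:
    user: str
    workstation: str
    ip: str
    when: datetime


# Constructed policies: each user is tied to their own desktop only.
COMMON_NETS = [ipaddress.ip_network("10.1.0.0/16"),
               ipaddress.ip_network("203.0.113.0/24")]
POLICIES: Dict[str, Policy] = {
    "peter": Policy({"WS-PETER"}, COMMON_NETS, {"GB"}, (8, 19)),
    "sally": Policy({"WS-SALLY"}, COMMON_NETS, {"GB"}, (8, 19)),
}


def evaluate(attempt: Attempt, policies: Dict[str, Policy]) -> Tuple[bool, List[str]]:
    """Check every contextual signal and return (allowed, list_of_failures).

    All failing signals are reported, not just the first, so that a log entry
    for a denied login explains the whole context of the attempt.
    """
    policy = policies.get(attempt.user)
    if policy is None:
        return False, ["no policy for user"]  # fail closed, never default-allow

    reasons: List[str] = []
    if attempt.workstation not in policy.workstations:
        reasons.append(f"workstation {attempt.workstation} not permitted")

    addr = ipaddress.ip_address(attempt.ip)
    if not any(addr in net for net in policy.networks):
        reasons.append(f"source {attempt.ip} outside permitted networks")

    country = lookup_country(attempt.ip)
    if country not in policy.countries:
        reasons.append(f"country {country} not permitted")

    start, end = policy.hours
    if not start <= attempt.when.hour < end:
        reasons.append(f"login at {attempt.when:%H:%M} outside permitted hours")

    return (not reasons), reasons


if __name__ == "__main__":
    # Sally presenting Peter's credentials from her own desktop is refused
    # even though the password itself is correct.
    attempts = [
        Attempt("peter", "WS-PETER", "10.1.4.20", datetime(2017, 6, 5, 9, 30)),
        Attempt("peter", "WS-SALLY", "10.1.4.21", datetime(2017, 6, 5, 9, 30)),
        Attempt("peter", "WS-PETER", "198.51.100.7", datetime(2017, 6, 5, 9, 30)),
        Attempt("peter", "WS-PETER", "10.1.4.20", datetime(2017, 6, 5, 2, 0)),
    ]
    for a in attempts:
        allowed, why = evaluate(a, POLICIES)
        print(a.user, a.workstation, a.ip, "ALLOW" if allowed else "DENY", why)
```

The check is deliberately additive to the password: the credential still has to be correct, and each contextual signal can only narrow, never widen, what a valid credential unlocks. Reporting every failed signal rather than the first makes the deny reasons useful as a detection feed, since a correct password arriving from the wrong workstation and the wrong country at 02:00 is a stronger indicator of credential theft than any single mismatch.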
Context-aware technology isn't the future - it's around already and has been for a number of years. However, its popularity in recent times has grown considerably thanks to some very high-profile data breaches that have occurred as a direct result of poor access security. The OneLogin hack is just the most recent of many giving impetus to the context-aware charge.
After all, knowledge, they say, is power.