CCSK


SSO & Defense-in-Depth?

  • 1.  SSO & Defense-in-Depth?

    Posted Aug 31, 2021 03:45:00 PM
    Hello,

    In the CCSK training and in the security guidance (domain 12) they talk a little about SSO (Single Sign-On). In some ways this seems like it would be more secure, using a federated identity manager; however, it also seems a bit contradictory to the defense-in-depth concept? Wouldn't using SSO create a single point of failure and thus be less secure?


    ------------------------------
    Jenna Morrison
    Training Department Intern
    Cloud Security Alliance
    ------------------------------


  • 2.  RE: SSO & Defense-in-Depth?

    Posted Aug 31, 2021 04:07:00 PM

    Single sign-on increases security by centralizing identity management, authentication and identity lifecycle management, therefore preventing identity sprawl and scenarios such as users leaving the company but still having their cloud privileges active.
    It also enables enforcing password complexity controls and multifactor authentication in a centralized place.

    Defense in depth suggests multiple layers of security, where SSO is one of those layers. Defense in depth does not relate to whether a specific layer of defense has a single point of failure. Most single sign-on systems are implemented using multiple redundant and HA back ends, such as multiple directory services that can authenticate the user, or a cloud service such as Azure Active Directory or Okta deployed across multiple cloud regions, and therefore have very high availability.

    Hope that helps,
    Mark 


    ------------------------------
    Mark Carter
    General Manager
    AWS
    ------------------------------



  • 3.  RE: SSO & Defense-in-Depth?

    Posted Sep 01, 2021 09:28:00 AM
    Thank you for your response! SSO as one layer in a multi-layered defense in depth security model makes sense.

    ------------------------------
    Jenna Morrison
    Training Department Intern
    Cloud Security Alliance
    ------------------------------