Historically, I’d have told you that a Single Sign-On (SSO) platform is far more of a productivity enhancement for an organization than a security improvement. The reason is simple: SSO is about connecting users to multiple applications via a single user account. In a world where cybersecurity best practices demand unique passwords for every system, using a single account (and, therefore, a single set of credentials) to reach a wide range of corporate applications concentrates risk in that one credential, which feels like it goes against the cybersecurity grain.
But modern SSO solutions, such as Azure AD, are built with the organization’s security posture in mind, layering on risk-based sign-in policies, multifactor authentication (MFA), conditional access, and more, so that the simplified user experience on the front end is matched by a stronger security state on the back end.
So, what does all this have to do with Remote Access?
In short, a lot.
Start with a scenario where a threat actor has compromised a user’s credentials for an SSO platform. And let’s say that SSO platform gives the user entrée to a web-based Remote Access solution which, in turn, provides access to an internal endpoint (which may or may not provide further access to other internal endpoints). This is exactly the step-by-step thinking threat actors use: inching their way into a victim network, taking whatever access they can garner and using it as the launch point for the next step, repeating the process until something valuable is reached. So, putting Remote Access and SSO in the same room together means that one compromised SSO credential is now the key to the whole chain, from the IdP through the Remote Access session to the internal endpoint.
Does this mean you shouldn’t use Remote Access with an SSO? Absolutely not. It just means that integrating the two creates risks that need to be mitigated using the controls the SSO platform gives you.
In fact, there are some real security gains when you marry a web-based Remote Access solution with an SSO, provided you take advantage of them. Let me cover three of them here, for your consideration.
1. SSO Centralizes Authentication
While we all know it makes sense to have a centralized identity provider (IdP), nearly every Remote Access solution also supports application-specific credentials that exist only within the solution itself. Additionally, in larger multi-national organizations or those with subsidiaries, running several different Remote Access solutions is a reality. In either case, the result is decentralized authentication, which puts the organization at risk because credential strength and authentication requirements vary from one solution to the next.
By leveraging SSO, you can enforce a single sanctioned set of password requirements and require authentication assurance levels that match the risk associated with a given account (think basic text-message MFA for a low-risk user, but an authenticator app for a higher-risk user). The caveat is that this only helps if the local, application-specific accounts are disabled, or limited to break-glass use, once SSO is in place; any local account that still works is a path around the IdP’s controls.
2. SSO More Granularly Protects Remote Access
Many Remote Access solutions certainly provide some level of protection around what a user can do once authenticated (regardless of who the authentication provider is). But what’s needed is the ability both to centralize and to improve those protections.
Integrating Remote Access with an SSO provider yields a few specific security enhancements. First off, any role-based access the Remote Access solution may provide (e.g., differentiating user- versus admin-level sessions) can be mapped to the IdP’s accounts and groups, giving security teams one place to see who is allowed which level of access.
Additionally, some IdPs, such as Azure AD, can use their conditional access features to further restrict a user’s ability to reach Remote Access based on the sign-in’s context, including (in the case of Azure AD) group membership, source IP address or named location, the device used, and real-time risk detections. A request can be blocked outright, or allowed only after MFA, only from an approved or compliant device, and so on.
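To make the conditional-access idea concrete, here is an added example (not code from the original article, and not Azure AD’s actual policy schema or evaluation order) of a small policy engine that combines the signals just listed into a decision for a web Remote Access app. The app id `remote-access-web`, the trusted network `10.0.0.0/8`, the group `ra-admins`, the four policies and the risk scale are all constructed for illustration.

```python
"""Toy conditional-access evaluator for a web Remote Access app (added example).

Shows how an IdP combines group membership, source IP, device state and
real-time risk into block / require-MFA / allow. Policy shapes are
simplified and are NOT Azure AD's real schema; names and values are made up.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

REMOTE_ACCESS_APP = "remote-access-web"              # hypothetical app id in the IdP
CORP_NETWORK = ipaddress.ip_network("10.0.0.0/8")    # hypothetical trusted named location


@dataclass
class SignIn:
    user: str
    groups: frozenset
    app: str
    source_ip: str
    device_compliant: bool
    risk: str            # "none", "low", "medium", "high" (simplified risk scale)


@dataclass
class Policy:
    name: str
    grant: str                                   # "block", "mfa" or "compliant_device"
    apps: Optional[frozenset] = None             # None = applies to every app
    groups: Optional[frozenset] = None           # None = applies to every user
    risk_levels: Optional[frozenset] = None      # None = any risk level
    off_network_only: bool = False               # only when source IP is outside CORP_NETWORK


def applies(policy: Policy, s: SignIn) -> bool:
    """True when every condition on the policy matches the sign-in."""
    if policy.apps is not None and s.app not in policy.apps:
        return False
    if policy.groups is not None and not (s.groups & policy.groups):
        return False
    if policy.risk_levels is not None and s.risk not in policy.risk_levels:
        return False
    if policy.off_network_only and ipaddress.ip_address(s.source_ip) in CORP_NETWORK:
        return False
    return True


def evaluate(s: SignIn, policies) -> dict:
    """Block wins over everything; an unmet device requirement blocks; MFA is then required."""
    matched = [p for p in policies if applies(p, s)]
    names = [p.name for p in matched]
    grants = {p.grant for p in matched}
    if "block" in grants:
        return {"decision": "block", "reason": "block policy matched", "matched": names}
    if "compliant_device" in grants and not s.device_compliant:
        return {"decision": "block", "reason": "compliant device required", "matched": names}
    if "mfa" in grants:
        return {"decision": "require_mfa", "reason": "MFA required", "matched": names}
    return {"decision": "allow", "reason": "no restricting policy matched", "matched": names}


RA = frozenset({REMOTE_ACCESS_APP})
# Constructed policy set for the example.
POLICIES = [
    Policy("Block high-risk sign-ins to Remote Access", "block", apps=RA,
           risk_levels=frozenset({"high"})),
    Policy("Require MFA for Remote Access off-network", "mfa", apps=RA,
           off_network_only=True),
    Policy("Remote Access admins need a compliant device", "compliant_device", apps=RA,
           groups=frozenset({"ra-admins"})),
    Policy("Require MFA on medium-risk sign-ins to any app", "mfa",
           risk_levels=frozenset({"medium"})),
]


if __name__ == "__main__":
    # Constructed sign-ins: an admin from a coffee-shop IP on an unmanaged laptop is blocked.
    bob = SignIn("bob", frozenset({"ra-admins"}), REMOTE_ACCESS_APP, "203.0.113.5", False, "low")
    print(evaluate(bob, POLICIES))
```

The ordering in `evaluate` is the point worth noticing: a "block" anywhere in the matched set wins, a device requirement the sign-in cannot satisfy is also a block, and only then does an MFA requirement turn into a challenge. That is what keeps a Remote Access policy from being quietly downgraded by a more permissive policy that also happens to match.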
3. SSO Enables Enterprise Visibility
OK, so I’ve already said visibility a few times in this article. But I can’t emphasize enough how important visibility is when it comes to letting a user (who could very well be a threat actor) remotely access an internal endpoint and/or move laterally using your Remote Access solution.
SSO solutions log each sign-in and application request, giving you, at a minimum, a record of when a specific user account attempts to use your Remote Access solution anywhere in the enterprise. Matched with alerting on the patterns that matter (failed sign-ins followed by a success, a sign-in from a source the account has never used, a Remote Access sign-in that skipped MFA), this becomes a powerful tool for ensuring that any and all Remote Access use happens under the watchful eyes of security teams.
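As an added example of what that alerting can look like (not code from the original article, and not tied to any particular IdP’s log schema), the block below runs three detections over a handful of constructed JSON-lines sign-in events: a burst of failures followed by a success for the Remote Access app, a successful Remote Access sign-in from an IP the account has never used before, and a Remote Access sign-in that completed without MFA. The field names, the app name `remote-access-web`, the users, IPs and timestamps are all made up for the example.

```python
"""Detections over IdP sign-in logs for a web Remote Access app (added example).

The log format below is constructed for illustration; a real IdP's sign-in
export has its own field names, so map them before reusing these rules.
"""
import json
from datetime import datetime, timedelta

REMOTE_ACCESS_APP = "remote-access-web"      # hypothetical app name as it appears in the IdP logs
FAILURE_THRESHOLD = 3                        # failures before a following success is suspicious
FAILURE_WINDOW = timedelta(minutes=10)

# Constructed sample events (one JSON object per line).
SAMPLE_LOG = """\
{"ts":"2024-03-04T08:02:11Z","user":"alice","app":"remote-access-web","result":"success","ip":"10.1.2.3","mfa":true}
{"ts":"2024-03-04T08:15:40Z","user":"bob","app":"hr-portal","result":"success","ip":"10.1.9.8","mfa":true}
{"ts":"2024-03-04T22:41:03Z","user":"alice","app":"remote-access-web","result":"failure","ip":"203.0.113.5","mfa":false}
{"ts":"2024-03-04T22:41:09Z","user":"alice","app":"remote-access-web","result":"failure","ip":"203.0.113.5","mfa":false}
{"ts":"2024-03-04T22:41:15Z","user":"alice","app":"remote-access-web","result":"failure","ip":"203.0.113.5","mfa":false}
{"ts":"2024-03-04T22:42:30Z","user":"alice","app":"remote-access-web","result":"success","ip":"203.0.113.5","mfa":false}
{"ts":"2024-03-05T09:00:12Z","user":"bob","app":"remote-access-web","result":"success","ip":"10.1.9.8","mfa":true}
"""


def parse_log(text: str) -> list:
    """Parse JSON lines and return events sorted by timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["dt"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["dt"])


def detect(text: str) -> list:
    """Return a list of alert dicts for the Remote Access app."""
    alerts = []
    known_ips = {}          # user -> set of IPs seen in earlier successful sign-ins (any app)
    recent_failures = {}    # (user, app) -> timestamps of failures since the last success
    for e in parse_log(text):
        key = (e["user"], e["app"])
        if e["result"] == "failure":
            recent_failures.setdefault(key, []).append(e["dt"])
            continue
        # From here on the event is a successful sign-in.
        if e["app"] == REMOTE_ACCESS_APP:
            base = {"user": e["user"], "ts": e["ts"], "ip": e["ip"]}
            window_start = e["dt"] - FAILURE_WINDOW
            fails = [t for t in recent_failures.get(key, []) if t >= window_start]
            if len(fails) >= FAILURE_THRESHOLD:
                alerts.append(dict(base, rule="failures_then_success", failures=len(fails)))
            baseline = known_ips.get(e["user"])
            # Only alert on a new IP once the account has some history; the very
            # first success seeds the baseline instead of firing.
            if baseline and e["ip"] not in baseline:
                alerts.append(dict(base, rule="new_source_ip"))
            if not e["mfa"]:
                alerts.append(dict(base, rule="missing_mfa"))
        known_ips.setdefault(e["user"], set()).add(e["ip"])
        recent_failures.pop(key, None)      # a success resets the failure streak
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample, all three rules fire on alice’s 22:42 Remote Access sign-in and nothing fires for bob, whose Remote Access sign-in came from an IP already seen on an earlier HR-portal sign-in and completed MFA. In production the IP baseline would come from history rather than from the same log window, and the `missing_mfa` rule is the one to treat as a policy-bypass signal: if conditional access requires MFA for Remote Access, a success without it means either a local account or a policy gap.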
Achieving Better Remote Access Security with SSO
It’s pretty likely that your Remote Access solution provides a fair number of security features. But the cybersecurity posture required today can no longer survive on application-centric settings and features alone. What’s needed is to raise any and all Remote Access security with the help of an enterprise IdP and its SSO features, bringing the necessary controls up to an enterprise level.
By doing so, organizations improve the protective layers around authentication and access to the Remote Access application and increase visibility into its use, all while making it easier for users to work remotely through it.