Pam Dingle and I have been recently discussing the pros and cons of using enterprise password synchronization tools with SaaS & cloud applications. We are hoping that we can convince everyone that pushing Enterprise passwords into the cloud is a bad idea and in our opinion is certainly not a security ‘best practice’.
Synchronizing passwords inside an Enterprise is reasonably common if you have a provisioning engine. It is the next best thing to SSO, reducing the burden on users' memories if not reducing their typing burden. If you can push passwords from a central location such as Active Directory, help desk calls are reduced because one password reset fixes a bunch of applications, authentication becomes more about muscle memory than actual memory, and IT departments can demonstrate some streamlining in their processes.
We think a lot of people will make a simple leap towards wanting the same efficiency and automation in the cloud - but to us, this is a mistake of epic proportions. There are critical differences between pushing a password around inside a domain and pushing a password to different domains, and we personally believe that in the latter case, the ends do not justify the means, and instead expose an Enterprise to a cartload of risk.
- At the time you push a password to the cloud, it has to be translatable to clear text. It may arrive in an encrypted message with all the security around it in the world, but once you strip the transport-layer or even message-layer security off, that password is accessible to the SaaS service. You as the Enterprise have given it away. Hopefully your passwords aren't being stored in clear text in a database somewhere. Hopefully your passwords haven't been skimmed by a script on their way in. Hopefully the SaaS service you've contracted with has good security practices and honest staff.
- For every SaaS service you push passwords to, you multiply the number of people who might not be so honest, or so security conscious.
- Most Active Directory password sync tools require installing a specific software module on every domain controller. This module is needed to intercept password changes before the password is hashed/encrypted in AD. Installing third-party software modules on domain controllers is usually an AD support/ops headache.
And yes, for the detail-oriented in the crowd, you could theoretically share a secret between the enterprise and the SaaS provider so that both parties could do password validation. If you care enough to do that, you'd be federating with SAML already.
That brings us to the human element: every external login screen you teach your users to type their enterprise credentials into represents a new phishing opportunity for attackers. A new window where muscle memory takes over and your corporate credentials are compromised.
Lastly, this isn't just about stealing access to a cloud resource. This could result in compromise of internal resources, through externally facing web applications. Imagine somebody sells a cloud-synchronized password list to bad guys: If you don't synchronize passwords, this password list could have a percentage of overlap, simply because your users independently use the same password. Your security folks have at least a chance to detect a problem, because there are going to be a suspicious number of failed logins for the percentage of employees whose passwords match. If you do synchronize passwords, you have 100% overlap - the bad guys can authenticate correctly all the time, every time. If all you are tracking is failed authentications and lockouts, you won't even know you're compromised.
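To make that detection point concrete, here is an added illustration (not code from the original post) that runs two detection rules over constructed login records: a stolen list replayed against a workforce with partial password overlap, and the same replay against a workforce whose passwords are synchronized. The log format, user names and the 203.0.113.7 source address are all assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed log format, not from the original post: "<user> <OK|FAIL> src=<ip>"
LINE_RE = re.compile(r"^(?P<user>\S+) (?P<result>OK|FAIL) src=(?P<src>\S+)$")

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable auth log line: {line!r}")
    return m.groupdict()

def make_logs(users, success_users, src):
    """Constructed replay of a stolen list: one attempt per user from one source."""
    return [f"{u} {'OK' if u in success_users else 'FAIL'} src={src}" for u in users]

USERS = [f"user{i:02d}" for i in range(10)]
ATTACKER = "203.0.113.7"  # assumed external source of the replay
# Independent reuse: only a fraction of the stolen list works, the rest fail.
OVERLAP_LOGS = make_logs(USERS, set(USERS[:3]), ATTACKER)
# Synchronized passwords: the stolen list works for everyone, nothing fails.
SYNCED_LOGS = make_logs(USERS, set(USERS), ATTACKER)

def failed_login_alert(lines, threshold=5):
    """Classic control: alert on any source producing too many failures."""
    failures = Counter(e["src"] for e in map(parse_line, lines) if e["result"] == "FAIL")
    return {src for src, n in failures.items() if n >= threshold}

def new_source_success_alert(lines, known_sources, min_users=3):
    """Complementary control: many distinct users succeeding from an unknown source."""
    users_by_src = defaultdict(set)
    for e in map(parse_line, lines):
        if e["result"] == "OK" and e["src"] not in known_sources:
            users_by_src[e["src"]].add(e["user"])
    return {src for src, users in users_by_src.items() if len(users) >= min_users}

if __name__ == "__main__":
    known = {"10.0.0.0"}  # assumed corporate egress address
    for name, logs in (("overlap", OVERLAP_LOGS), ("synced", SYNCED_LOGS)):
        print(name, "failure alert:", failed_login_alert(logs),
              "success-from-new-source alert:", new_source_success_alert(logs, known))
```

The failure-based rule fires only in the overlap case; with synchronized passwords every attempt succeeds, so only a rule keyed on successful logins from an unfamiliar source sees anything.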
We tell end users all the time that it is dangerous to use the same password in multiple places. Any enterprise that institutionalizes this practice is taking a well-known critical mistake and multiplying that error for every single employee it takes care of.
So what’s the alternative to synchronization? Obviously having your users maintain different passwords at every SaaS application is just as bad an idea. This is why we think SaaS/Cloud SSO is the killer app for identity federation. Enabling SSO means that your users leverage a single, centralized authentication service, where additional security controls, such as strengthening the login process with multi-factor strong authentication, can easily be incorporated.