Enforcing Least Privilege Mitigates Identity Provider Takeover Attacks
Published on October 24, 2023
Written by Timothy Jester
Edited by Anne Cutler
Reviewed by Darren Guccione
Single Sign-On (SSO) solutions are designed to provide seamless access to important resources for employees and contractors at millions of organizations worldwide. By providing a single point of access to all the applications a user needs to perform their job, SSO has become a standard way for enterprises to streamline operations.
Providing convenient access to services and improving the user experience greatly improves productivity – but what happens when the SSO solution is the target of an Identity Provider (IdP) takeover attack?
SSO is a Single Point of Failure
SSO has many advantages for organizations, such as a reduction of the number of identities and logins to protect, but with seamless access comes security gaps and risks that must be addressed.
If an SSO system is not properly implemented, maintained and supplemented with additional security controls, cybercriminals can potentially compromise it to gain pervasive access to multiple services. If the SSO provider itself is breached, threat actors could compromise not just one organization’s access credentials but that of several organizations.
Setting up an SSO solution, especially for organizations with multiple legacy systems or a mix of on-premises and cloud-based applications, can be complex. Integration challenges can arise and not all applications may support the desired SSO standards and protocols.
Furthermore, in the event that the SSO system goes down, users could be left stranded without access to any of the services that they rely on, driving significant disruption.
SSO Solutions Don’t Provide Enterprise-Wide Authentication and Encryption
SSO solutions provide streamlined authentication for SAML-based applications, sites and systems. SSO solutions are not a cybersecurity “silver bullet,” as they are not designed to be a ubiquitous security solution. SSO has several gaps that must be addressed with an additional layer of security to protect every user, on every device, from every location.
Hundreds of thousands of cloud and native applications do not support SSO. Employees often need to access internal apps, security-as-a-service applications and infrastructure that may not support SAML authentication, or employees may need to securely share passwords or secrets among team members. These gaps leave companies vulnerable to data breaches.
The larger the enterprise is, the wider these coverage gaps become. Large organizations have thousands of sites, apps and systems that employees need to access that are not covered by SSO.
This is why an SSO solution, when used in isolation without proper configuration and added technology, can be a single point of failure that gives attackers the “keys to the kingdom.”
Keeper SSO Connect solves this by providing critical controls to secure organizations while preserving the seamless user experience.
Integrating SSO With Keeper for Increased Security
Keeper SSO Connect solves this issue by providing secure authentication and end-to-end encryption across all of an organization’s websites, systems and applications without the need to remember a master password.
Available for use with any SSO provider leveraging SAML 2.0 authentication, Keeper SSO Connect enables organizations to securely and seamlessly authenticate users into their Keeper Vault and easily provision and decommission user vaults when employees either join or leave the organization. Keeper SSO Connect, when properly configured with SSO, provides enterprise-wide authentication and end-to-end encryption with zero-knowledge and zero-trust security.
Combining Keeper’s password management and secure vault with SSO helps organizations protect resources, prevent unauthorized access and mitigate the risk associated with password-related breaches.
Keeper Provides an Additional Layer of Protection
Keeper Administrators have elevated privilege in the platform and must be secured against both outside and inside attack vectors, as well as identity provider attacks. Keeper recommends organizations enforce the use of Multi-Factor Authentication (MFA) on Keeper Administrator roles and any other role with administrative privileges. To maximize the security posture, all accounts should have MFA enabled at the Keeper application level in addition to the IdP MFA requirements.
Many organizations allow their administrators to log in to Keeper with an SSO provider. Despite the assumed security that SSO provides, Keeper recommends adding the additional layer of MFA on the Keeper side for any administrators to protect against IdP account takeovers and other insider threats.
Allowing access to Keeper through SSO enhances the user experience and streamlines access, but it is important that at least one administrator account is able to log in to Keeper with a master password.
Should an organization find itself in a situation where all admins rely on SSO and the SSO provider experiences an outage, everyone within the organization could be locked out.
For organizations looking to prevent users from accessing their work vaults outside of approved locations and networks, administrators should enable IP Address Allowlisting. This role-based enforcement setting in the Keeper Admin Console ensures that users can only access their vaults when their device is on an approved network. Keeper recommends this setting always be enforced for administrative roles.
Keeper recommends creating an Admin “service account” only accessible with a strong Master Password, MFA and IP Address Allowlisting.
To achieve visibility into unusual activity, integrate Keeper’s Advanced Reporting and Alerts Module into your security operations. Keeper integrates with any popular SIEM solution, including Splunk and Datadog. Alerts for more than 200 different event types can be configured in the Keeper Admin Console to notify your security team of any issues.
Enforce the Principle of Least Privilege
No matter the size of the organization, users should be given only the access they require to do their jobs and no more. Ensuring users do not have unnecessary privileges decreases the attack surface and in the event of a breach, reduces the potential pathways that cybercriminals can use to access systems and data.
Keeper’s role enforcement policies enable customers to create administrative roles within nodes and sub-nodes and it is imperative to always ensure least privilege for administrators.
Keeper recommends the following to enforce least privilege:
Have only as many administrators as are essential to operate efficiently.
Reduce privilege within the Administrator roles. Not all Administrators need to have full privileges. For example, if one does not need to be able to manage roles, remove that privilege.
When an Administrator leaves the organization, transfer the necessary contents of the vault to those who need access. Do not leave old Administrator accounts from former employees in a locked state longer than necessary.
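The following is an added example, not Keeper’s code or any Keeper API, that turns the recommendations from the two sections above (application-level MFA, a break-glass master-password admin, IP Address Allowlisting on admin roles, least privilege and prompt offboarding) into a small audit over a constructed set of admin accounts; the account fields, the sample accounts and the required-privilege map are assumptions made for illustration.

```python
# Added example (not Keeper's code): audit constructed admin accounts against the
# controls recommended above for resilience to an IdP takeover.
import ipaddress
from dataclasses import dataclass


@dataclass
class AdminAccount:               # hypothetical shape, not a Keeper data model
    name: str
    login_method: str             # "sso" or "master_password"
    app_mfa: bool                 # MFA enforced in the app itself, not only at the IdP
    ip_allowlist: list[str]       # CIDR ranges the role may log in from; [] = none
    privileges: set[str]          # e.g. {"manage_roles", "manage_users"}
    status: str = "active"        # "active" or "locked" (former employee)


def login_allowed(acct: AdminAccount, client_ip: str) -> bool:
    """Role-based allowlist: the role must have ranges and the client must match one."""
    if not acct.ip_allowlist:
        return False
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(r, strict=False) for r in acct.ip_allowlist)


def audit(admins: list[AdminAccount], required: dict[str, set[str]]) -> list[str]:
    """Return findings as text; an empty list means every recommended control is in place."""
    findings = []
    active = [a for a in admins if a.status == "active"]
    # Break-glass: at least one active admin must not depend on the IdP to log in.
    if not any(a.login_method == "master_password" for a in active):
        findings.append("no break-glass admin can log in with a master password")
    for a in admins:
        if a.status == "locked":
            findings.append(f"{a.name}: former admin left locked; transfer vault contents and remove")
            continue
        if not a.app_mfa:
            findings.append(f"{a.name}: MFA not enforced at the application level")
        if not a.ip_allowlist:
            findings.append(f"{a.name}: admin role has no IP address allowlist")
        extra = a.privileges - required.get(a.name, set())
        if extra:                  # least privilege: flag anything beyond the job's needs
            findings.append(f"{a.name}: unneeded privileges {sorted(extra)}")
    return findings


# Constructed sample data, not taken from any real deployment.
SAMPLE_ADMINS = [
    AdminAccount("breakglass", "master_password", True, ["10.0.0.0/8"], {"manage_roles", "manage_users"}),
    AdminAccount("alice", "sso", False, [], {"manage_roles", "manage_users"}),
    AdminAccount("bob", "sso", True, ["203.0.113.0/24"], {"view_reports"}, status="locked"),
]
SAMPLE_REQUIRED = {"breakglass": {"manage_roles", "manage_users"}, "alice": {"manage_users"}}
```

Running audit(SAMPLE_ADMINS, SAMPLE_REQUIRED) yields four findings: three for alice (no app-level MFA, no allowlist, an unneeded manage_roles privilege) and one for the locked former admin bob.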
Shared Security to Protect Customer Data
At its core, Keeper is a zero-knowledge encryption platform with controls and policies to protect your data, within the rules set by the Keeper Administrator.
Customers are ultimately responsible for implementing security policies that work for their organization and also ensure least privilege, break-glass access and the highest levels of data protection.
Keeper has outlined several recommended security settings to help organizations secure the data stored within the Keeper environment while maintaining the seamless experience users require to perform their jobs.
For more information about Keeper’s security and encryption model, visit our Security page.
Timothy Jester is the Senior Product Marketing Manager for Keeper Security, with more than 10 years of experience in consulting, cloud, security and identity marketing. Timothy now leads product marketing to apply Keeper’s award-winning technology to solve real world problems. Timothy holds a bachelor’s degree in Communication from Kennesaw State University.