(Article in development; it may change or be elaborated in the future.)
How to protect a company's network infrastructure?
There are many measures to be used together; one of them is a Single Sign On server, for example one compatible with the Kerberos service.
The Single Sign On service protects the other services: to access them, users must first pass Single Sign On authentication.
This can be compared to setting up a checkpoint with security personnel who check anyone wishing to enter the company and give them a signed set of keys according to their privilege needs.
The only ways into the company are either stealing a key set from someone or cheating the security guard.
Key borrowing is not allowed either.
Kerberos is a stable and mature solution; many security experts have maintained it for a long time.
Drawbacks, Costs & Advantages.
While a Single Sign On service is an extra cost (there must be an extra computer system dedicated to authentication, which requires maintenance and carries hardware, software and electricity costs), the overall security of the company is better, and there is less work as well.
A network is needed as well, but that is just a part of the system anyway.
For large applications, distributed ones for example, the overall cost is lower with a Single Sign On service.
Single Sign On is also a convenience for users: no need to log in many times, into every part of the software.
If I wished to hack a Single Sign On protected system, I could go the following routes:
- checking for misconfiguration in the secured system,
- stealing tickets (keys) from users, who are often not security experts themselves.
- if the Single Sign On server fails, access to the secured system is paralyzed, but perhaps it is better that way.
What to do when a protected system is compromised?
I'd check the log files in the Single Sign On authentication server and in the compromised service(s), then decide.
I'd probably hold security talks with the compromised personnel as well.
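As an added example (not part of this article), a small Python check over constructed KDC log lines written in the style of MIT krb5kdc.log, in the spirit of the log review described above: it flags a principal whose tickets were issued from more than one client address (what a stolen and reused ticket typically looks like on the authentication server) and repeated pre-authentication failures against one principal. The exact log format, the threshold and the sample addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of MIT krb5kdc.log (not real data):
# alice is issued tickets from two different addresses, and bob sees
# repeated pre-authentication failures from one address.
SAMPLE_LOG = """\
Jan 20 10:00:00 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1705744800, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jan 20 10:05:00 kdc krb5kdc[1234](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1705744800, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for host/files.example.com@EXAMPLE.COM
Jan 20 10:07:00 kdc krb5kdc[1234](info): TGS_REQ (4 etypes {18 17 16 23}) 198.51.100.7: ISSUE: authtime 1705744800, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for host/mail.example.com@EXAMPLE.COM
Jan 20 10:08:00 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.55: PREAUTH_FAILED: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
Jan 20 10:08:01 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.55: PREAUTH_FAILED: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
Jan 20 10:08:02 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.55: PREAUTH_FAILED: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
Jan 20 10:09:00 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.20: ISSUE: authtime 1705745340, etypes {rep=18 tkt=18 ses=18}, carol@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

LINE_RE = re.compile(
    r"(?P<req>AS_REQ|TGS_REQ) \([^)]*\) (?P<ip>\S+): (?P<status>[A-Z_]+): "
    r"(?:.*?, )?(?P<client>\S+@\S+) for (?P<service>\S+?)(?:,|$)"
)

def parse_kdc_log(text):
    """One dict per AS_REQ/TGS_REQ line; other KDC lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events

def find_multi_source_principals(events):
    """Principals issued tickets from more than one client address: the
    same user's tickets appearing from a second address is the first
    sign to look for when ticket theft is suspected."""
    sources = defaultdict(set)
    for e in events:
        if e["status"] == "ISSUE":
            sources[e["client"]].add(e["ip"])
    return {c: sorted(ips) for c, ips in sources.items() if len(ips) > 1}

def find_preauth_failures(events, threshold=3):
    """(client, ip) pairs with at least `threshold` failed AS_REQ
    pre-authentications, i.e. repeated wrong credentials for one user."""
    counts = defaultdict(int)
    for e in events:
        if e["req"] == "AS_REQ" and e["status"] == "PREAUTH_FAILED":
            counts[(e["client"], e["ip"])] += 1
    return {k: n for k, n in counts.items() if n >= threshold}
```

Run `find_multi_source_principals(parse_kdc_log(SAMPLE_LOG))` to get alice with her two addresses; a hit is a reason to compare against the address the user actually works from, not proof of theft on its own.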