Exam SY0-601 topic 1 question 648 discussion

Actual exam question from CompTIA's SY0-601
Question #: 648
Topic #: 1

The Chief Security Officer (CSO) at a major hospital wants to implement SSO to help improve security in the environment and protect patient data, particularly at shared terminals. The Chief Risk Officer (CRO) is concerned that training and guidance have not been provided to frontline staff, and a risk analysis has not been performed. Which of the following is the MOST likely cause of the CRO's concerns?

  • A. SSO would simplify username and password management, making it easier for hackers to guess accounts.
  • B. SSO would reduce password fatigue, but staff would still need to remember more complex passwords.
  • C. SSO would reduce the password complexity for frontline staff.
  • D. SSO would reduce the resilience and availability of systems if the identity provider goes offline.
Suggested Answer: D

Comments

Lost_Memo
Highly Voted 1 year, 10 months ago
Selected Answer: A
Single sign-on (SSO) is an identification method that enables users to log in to multiple applications and websites with one set of credentials. So both B and C are out of the question, because C does not make sense in the context (having one password has nothing to do with how complex it is) and B feels empathetic to the efforts of staff remembering the complex password. Then we have A, which indicates having only one password makes it easier for an attacker to "guess" it; if the wording was compromised that would make more sense. Lastly, D fits well with the "risk analysis has not been performed" but then there is the "training and guidance have not been provided to frontline staff". So I will go with A.
upvoted 15 times
...
zits88
Highly Voted 1 year, 11 months ago
Selected Answer: D
Strangely worded answers, but D is the only one that is not completely incorrect, so let's go with that.
upvoted 12 times
...
chizzuck
Most Recent 1 year, 1 month ago
Selected Answer: A
A: If is in the D answer. Single sign-on simplifies logons... hence making it easier for passwords to be guessed or brute forced.
upvoted 1 times
...
agfencer
1 year, 2 months ago
Selected Answer: A
CSO is concerned with staff's lack of training and no risk assessment being performed. Those are his main concerns, so why would the SSO provider going offline (making the system unavailable) be the right answer? It's A, SSO is a single point of failure, an employee fumbles that login and a bad actor can get in with unknown limits to risk. A is the answer ppl
upvoted 4 times
...
Marleigh
1 year, 2 months ago
Selected Answer: D
Honestly I was really confused at first reading this question. But after reading the discussion, I think it is D. The sentence that threw me off the most was "The Chief Risk Officer (CRO) is concerned that training and guidance have not been provided to frontline staff", which made me think this would be a user issue, so I was leaning towards a password issue. But after reading what DaEdge said, it isn't really an issue of passwords per se, but an issue of availability. So I think it is D.
upvoted 2 times
...
DaEdge
1 year, 3 months ago
Selected Answer: D
I work in IT at a hospital, and we have designated shared clinical devices utilizing SSO with the clinician's badge and an RFID reader. In a network downtime, the biggest concern is the availability of the SSO, because there would be no way for the identity provider to communicate with the SSO server. In our case, we have designated downtime machines that are always ready to go with a generic service account and a specific downtime application that routinely downloads reports for use by the staff. The staff is trained to use the downtime or "business continuity" workstations in a downtime. The answer that makes sense is D.
upvoted 6 times
...
Geronemo
1 year, 3 months ago
Selected Answer: D
Option D seems to align most closely with these concerns: If SSO is implemented without proper planning and consideration of potential failures, such as the identity provider going offline, it could lead to significant disruptions in accessing critical systems and patient data. Without a risk analysis, the hospital might not fully understand the impact of such potential disruptions or have strategies in place to mitigate them. Therefore, the most likely cause of the CRO's concerns is that the implementation of SSO could reduce the resilience and availability of systems in the event of an issue with the identity provider.
upvoted 1 times
...
russian
1 year, 3 months ago
Selected Answer: D
makes more sense
upvoted 1 times
...
_deleteme_
1 year, 4 months ago
D is correct - key word "hospital" - these folks are moving around a lot, especially nurses, and they share devices when they rotate. If a user does not sign off, it creates problems for the next user who is trying to sign on. If they are not trained, it's chaos for them and IT.
upvoted 2 times
...
vitasaia
1 year, 6 months ago
Selected Answer: A
Between A and D: "concerned that training and guidance have not been provided to frontline staff" => A
upvoted 1 times
memodrums
1 year, 6 months ago
Agree. D would be an IT risk problem.
upvoted 1 times
...
...
johnabayot
1 year, 6 months ago
Selected Answer: D
D. SSO would reduce the resilience and availability of systems if the identity provider goes offline.
upvoted 4 times
...
zecomeia_007
1 year, 6 months ago
Selected Answer: D
Is correct.
upvoted 2 times
...
[Removed]
1 year, 7 months ago
Even though A seems correct, the question is asking why the CRO is concerned. The CRO's reason for not wanting SSO is because he "is concerned that training and guidance have not been provided to frontline staff, and a risk analysis has not been performed." When I see RISK ANALYSIS and TRAINING I think of a disaster or incident happening and the employees not knowing what to do for it, and the only answer that's close to an incident happening is D. SSO would reduce the resilience and availability of systems if the identity provider goes offline.
upvoted 3 times
[Removed]
1 year, 7 months ago
I rest my case.
upvoted 1 times
david124
1 year, 7 months ago
Dude, it's a hospital, they're not really expected to know what to do lol. The IT department must know, not the nurses and doctors.
upvoted 1 times
...
...
...
ganymede
1 year, 7 months ago
Selected Answer: A
A. SSO would simplify username and password management, making it easier for hackers to guess accounts. I did some research on what the to risks are for SSO. Based on what I am seeing from a number of sources, A is the best answer. These are the biggest risks of SSO: Users creating weak passwords. If an attacker gets the password they have access to many systems.
upvoted 2 times
...
ComPCertOn
1 year, 9 months ago
A. Would be a good fit too
upvoted 1 times
...
DChilds
1 year, 9 months ago
Selected Answer: D
Going through a process of elimination: A - SSO does not make user passwords easier to guess. B - SSO will reduce password fatigue but it doesn't require a change to the password complexity policy for it to be implemented. C - Same logic as for eliminating option B. SSO does not require a change in password complexity policies. D - This is the most logical. The CSO is concerned frontline staff have not been given training, as they will need to be extra vigilant and watch out for suspicious activity or phishing attempts which would make the job of hackers a little easier, and second, a risk analysis needs to be done on what happens should the identity provider go offline (either for technical reasons or a compromise on the provider's environment); this could inform a decision to have a redundant identity provider. I choose D.
upvoted 4 times
david124
1 year, 7 months ago
"it easier for hackers to guess accounts" not passwords
upvoted 1 times
...
...
addcomptia
1 year, 11 months ago
Selected Answer: D
d is correct
upvoted 2 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other