August 28, 2024 By Josh Nadeau 4 min read

The Cybersecurity and Infrastructure Security Agency (CISA) recently conducted a comprehensive study of various small and medium-sized businesses to help identify common challenges and opportunities associated with Single Sign-On (SSO) adoption.

SSO has garnered considerable chatter across several industries, especially regarding its ability to improve security while extending a certain level of convenience to employees using this protocol. However, it hasn’t yet been widely adopted as a best practice standard. Some businesses rave about SSO’s security benefits, while others are skeptical of its value and concerned about the costs.

In 2024, CISA released a report summarizing the viewpoints of multiple SSO vendors and customers while providing recommendations to help companies overcome the common barriers to implementing more secure SSO policies in their organizations.

What is Single Sign-On (SSO), and why is it important?

Single Sign-On (SSO) has gained traction in various industries since the early 2000s, although not all businesses widely understand its practical application. SSO is a centralized authentication protocol that gives users access to multiple applications or systems using a single set of credentials.

By working with a chosen SSO provider, businesses can have their employees use one central login that verifies their identity and grants access to a defined set of authorized applications, rather than requiring employees to remember multiple usernames and passwords.

Businesses can experience significant convenience when using this type of solution, but its security benefits are much more pronounced. Since SSO eliminates the need to create and remember multiple credentials, it significantly reduces the risks of employees experiencing password fatigue and opting to reuse credentials across various platforms, leading to weaker security.

With the addition of SSO, organizations can harden their security practices by mandating stronger password requirements, enforcing the use of multi-factor authentication (MFA), and administering all of their access controls from one central place.
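As an added illustration that is not part of the CISA report or this article, the following Python sketch models the three properties just described: one central credential check, MFA enforced at the identity provider (IdP), and a central entitlement table deciding which applications a user may reach. Every user, application, key and password here is constructed for the example.

```python
import hashlib, hmac, json, secrets, time

# Constructed directory: one salted password hash per user, an MFA enrolment flag
# and the applications each user is entitled to. All names and values are made up.
_SALT = b"constructed-salt"

def _hash_pw(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)

DIRECTORY = {
    "alice": {"pw": _hash_pw("Correct-Horse-Battery"), "mfa_enrolled": True,
              "apps": {"payroll", "wiki"}},
    "bob":   {"pw": _hash_pw("hunter2"), "mfa_enrolled": False, "apps": {"wiki"}},
}
# One shared secret per federated application (a simplification of the per-app
# signing keys a real IdP would use); the applications never see user passwords.
APP_KEYS = {"payroll": secrets.token_bytes(32), "wiki": secrets.token_bytes(32)}

def idp_login(user, password, mfa_ok, app, now=None):
    """Central login. `mfa_ok` is the outcome of the second-factor check.
    Password, MFA policy and entitlement are all enforced in this one place;
    returns a signed assertion for `app`, or None."""
    rec = DIRECTORY.get(user)
    if rec is None or not hmac.compare_digest(rec["pw"], _hash_pw(password)):
        return None
    if not (rec["mfa_enrolled"] and mfa_ok):            # MFA mandatory for every login
        return None
    if app not in rec["apps"] or app not in APP_KEYS:   # central access control
        return None
    now = time.time() if now is None else now
    body = json.dumps({"sub": user, "aud": app, "exp": now + 300}, sort_keys=True).encode()
    sig = hmac.new(APP_KEYS[app], body, "sha256").hexdigest()
    return body.hex() + "." + sig

def app_verify(app, assertion, now=None):
    """Service-provider side: accept the IdP's word only if the signature checks
    out, the assertion was issued for this app, and it has not expired."""
    try:
        body_hex, sig = assertion.split(".")
        body = bytes.fromhex(body_hex)
    except (ValueError, AttributeError):
        return None
    expected = hmac.new(APP_KEYS[app], body, "sha256").hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(body)
    now = time.time() if now is None else now
    if claims["aud"] != app or claims["exp"] < now:
        return None
    return claims["sub"]
```

Because policy lives only in `idp_login`, turning on MFA or revoking an application entitlement changes access everywhere at once, which is the centralized administration the article refers to.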

What are the common barriers to SSO adoption?

When polling various third-party vendors and organizations, CISA identified common barriers associated with SSO adoption. Some of these barriers include:

Financial constraints

As with all security initiatives, SSO requires a certain level of financial investment to get established. This can be a difficult cost of entry for smaller businesses with more limited budgets.

Since some organizations still don’t fully recognize or accept the importance of SSO adoption, it is often viewed as an additional “expense” rather than a long-term investment. In practice it can lead to cost savings, since it helps to maximize productivity while minimizing the chances of a costly data breach.

Lack of technical expertise or resources

Depending on the size of the organization, SSO implementation and management can require varying levels of technical expertise, which may not be immediately available in-house. Deploying an SSO solution can involve configuring many applications and third-party tools, which takes time and resources to manage.

Misconceptions about the complexity or relevance of SSO

One of the largest barriers to adoption is that organizations are often unaware of how relevant SSO is to their business. Many underestimate their current security risk by trusting employees to manage a diverse set of login credentials across multiple platforms and applications.

According to a LastPass report, only 3 in 10 employees actually set strong enough passwords for their work accounts. Password strength is hard to police, since many organizations make it a point not to let employees share their credentials with anyone. Other businesses overestimate the effort it takes to set up SSO and abandon the idea altogether.

Misalignment between SSO vendors and SMB needs

SSO implementations are believed to provide the most value to large enterprises with hundreds or even thousands of employees.

This enterprise demand has segmented the market, with many SSO vendors primarily catering their services (and pricing models) to larger businesses. This has made SSO solutions less affordable for SMBs and left them with limited options for more flexible deployments.


CISA’s recommendations to improve SSO adoption rates

CISA’s study revealed an apparent disconnect between SSO vendors’ perceptions of what the business market needs and their customers’ actual experiences. While SSO vendors have traditionally focused on providing solutions with a comprehensive list of features and services, they haven’t always considered how to make their solutions more approachable for businesses of all sizes.

In an effort to help bridge this gap and improve SSO adoption rates, CISA has offered recommendations to both SMBs (small and medium-sized businesses) and third-party vendors.

Recommendations for SMBs

  1. Conduct a thorough needs assessment: Businesses should complete a thorough needs assessment before deciding whether or not an SSO solution is appropriate for their organization. This includes identifying the number of applications being used, the number of users, and the desired level of security readiness. This will help to determine the appropriate type of SSO solution required.
  2. Prioritize affordability and scalability: To ensure long-term adoption of SSO, organizations should look for more flexible pricing options, including subscription- or usage-based solutions. This ensures the solution can adapt and grow along with the organization and prevents costly replacements down the road.
  3. Get vendor support and training: Businesses should make SSO training a priority and work with vendors that offer clear documentation and support for their solutions. This can also include creating a pilot program of SSO implementation to test the solution’s effectiveness while training staff on best practices for its use.

Recommendations for third-party vendors

  1. Unbundle SSO and offer more tailored solutions: Third-party vendors should consider decoupling their basic SSO services, allowing smaller businesses the ability to purchase only the features they need. This helps to lower costs and ensures each organization maximizes the value of its investment.
  2. Provide flexible licensing options: SSO providers should begin offering more flexible user seat thresholds and licensing options. This includes the potential for managed service providers or smaller business groups to pool their licensing, accommodating the varying sizes and unique requirements of smaller organizations with limited budgets.
  3. Improve support and training materials: Vendors should start prioritizing the development of clear, accurate support materials to provide adequate training resources to businesses. User-friendly guides and responsive technical support are critical to help ensure long-term SSO adoption in businesses, especially post-implementation.

CISA’s guidance on SSO adoption is a timely reminder for third-party vendors and business organizations not to devalue its importance. By working together, vendors and their clients can increase the rate of SSO adoption while improving the overall security posture of all organizations.
