My IBM Log in Subscribe

New CISA guidance for organizations adopting single sign-on

Security

28 August 2024

4 min read

Authors

Josh Nadeau

Cybersecurity Writer

The Cybersecurity and Infrastructure Security Agency (CISA) recently conducted a comprehensive study of various small and medium-sized businesses to help identify common challenges and opportunities associated with Single Sign-On (SSO) adoption.

SSO has garnered considerable chatter across several industries, especially regarding its ability to improve security while extending a certain level of convenience to employees using this protocol. However, it hasn’t yet been widely adopted as a best practice standard. Some businesses rave about SSO’s security benefits, while others are skeptical of its value and concerned about the costs.

In 2024, CISA released a report summarizing the viewpoints of multiple SSO vendors and customers while providing recommendations to help companies overcome the common barriers to implementing more secure SSO policies in their organizations.

What is Single Sign-On (SSO), and why is it important?

Single Sign-On (SSO) has gained traction in various industries since the early 2000s, although not all businesses widely understand its practical application. SSO is a centralized authentication protocol that gives users access to multiple applications or systems using a single set of credentials.

By working with a chosen SSO provider, businesses can have their employees use one central login that verifies their identity and gives them access to a set number of authorized applications rather than needing to have employees remember multiple usernames or passwords.

Businesses can experience significant convenience when using this type of solution, but its security benefits are much more pronounced. Since SSO eliminates the need to create and remember multiple credentials, it significantly reduces the risks of employees experiencing password fatigue and opting to reuse credentials across various platforms, leading to weaker security.

With the addition of SSO, organizations can harden their digital security practices while mandating stronger password-building practices, enforcing the use of multi-factor authentication (MFA), and supporting a centralized administration of all their access controls.

Industry newsletter

The latest tech news, backed by expert insights

Stay up to date on the most important—and intriguing—industry trends on AI, automation, data and beyond with the Think newsletter. See the IBM Privacy Statement.

Thank you! You are subscribed.

Your subscription will be delivered in English. You will find an unsubscribe link in every newsletter. You can manage your subscriptions or unsubscribe here. Refer to our IBM Privacy Statement for more information.

Your subscription will be delivered in English. You will find an unsubscribe link in every newsletter. You can manage your subscriptions or unsubscribe here. Refer to our IBM Privacy Statement for more information.

What are the common barriers to SSO adoption?

When polling various third-party vendors and organizations, CISA identified common barriers associated with SSO adoption. Some of these barriers include:

Financial constraints

As with all security initiatives, SSO requires a certain level of financial investment to establish itself. This can be a difficult cost of entry for smaller businesses with more limited budgets.

Since some organizations still don’t fully recognize or accept the importance of SSO adoption, it can often be viewed more as an additional “expense” rather than a long-term investment that can lead to “cost-savings” since it helps to maximize productivity while minimizing the chances of a costly data breach.

Lack of technical expertise or resources

Depending on the size of the organization, SSO implementation and management can require varying levels of technical expertise, which may not be immediately available in-house. The configuration of SSO solutions can involve the configuration of various applications and third-party tools, which can take time and resources to manage.

Misconceptions about the complexity or relevance of SSO

One of the largest barriers to adoption is the need for organizations to be more aware of the relevancy of SSO in their business. Many need to pay more attention to their current security risks by trusting employees to manage a diverse set of login credentials across multiple platforms and applications.

According to a LastPass report, only 3 in 10 employees actually set strong enough passwords for their work accounts. It is hard to police since many organizations make it a point not to let their employees share their credentials with anyone. Other businesses overestimate the effort it can take to set up SSO in their organization and abandon the idea altogether.

Misalignment between SSO vendors and SMB needs

SSO implementations are believed to provide the most amount of value to large enterprises with hundreds or even thousands of employees.

However, this demand has created a certain amount of segmentation in the market, with many SSO vendors primarily catering their services (and pricing models) to larger businesses. This has made SSO solutions less affordable to SMBs and with limited options for more flexible deployments.

Explore IBM Verify
Mixture of Experts | 9 May, episode 54

Decoding AI: Weekly News Roundup

Join our world-class panel of engineers, researchers, product leaders and more as they cut through the AI noise to bring you the latest in AI news and insights.
Watch the latest podcast episodes

CISA’s recommendations to improve SSO adoption rates

CISA’s study revealed an apparent disconnect between SSO vendors’ perceptions of what the business market needs and their customers’ actual experiences. While SSO vendors have traditionally focused on providing solutions with a comprehensive list of features and services, they haven’t always considered how to make their solutions more approachable for businesses of all sizes.

In an effort to help bridge this gap and improve SSO adoption rates, CISA has offered recommendations to both SMBs (small and medium-sized businesses) and third-party vendors.

Recommendations for SMBs

  1. Conduct a thorough needs assessment: Businesses should complete a thorough needs assessment before deciding whether or not an SSO solution is appropriate for their organization. This includes identifying the number of applications being used, the number of users, and the desired level of security readiness. This will help to determine the appropriate type of SSO solution required.
  2. Prioritize affordability and scalability: To ensure long-term adoption of SSO, organizations should look for more flexible pricing options, including subscription — or usage-based solutions. This ensures the business can adapt and grow along with the organization and prevent costly replacements down the road.
  3. Get vendor support and training: Businesses should make SSO training a priority and work with vendors that offer clear documentation and support for their solutions. This can also include creating a pilot program of SSO implementation to test the solution’s effectiveness while training staff on best practices for its use.

Recommendations for third-party vendors

  1. Unbundle SSO and offer more tailored solutions: Third-party vendors should consider decoupling their basic SSO services, allowing smaller businesses the ability to purchase only the features they need. This helps to lower costs and ensures each organization maximizes the value of its investment.
  2. Provide flexible licensing options: SSO providers should begin offering more flexible user seat thresholds and licensing options. This includes the potential for managed service providers or smaller business groups to pool their licensing, accommodating the varying sizes and unique requirements of smaller organizations with limited budgets.
  3. Improve support and training materials: Vendors should start prioritizing the development of clear, accurate support materials to provide adequate training resources to businesses. User-friendly guides and responsive technical support are critical to help ensure long-term SSO adoption in businesses, especially post-implementation.

CISA’s guidance on SSO adoption is a timely reminder for third-party vendors and business organizations not to devalue its importance. By working collectively together, vendors and their clients can increase the rate of SSO adoption while improving the overall security posture of all organizations.

Overview Annual report Corporate social responsibility Inclusion@IBM Financing Investor Newsroom Security, privacy & trust Senior leadership Careers with IBM Website Blog Publications Automotive Banking Consumer Goods Energy Government Healthcare Insurance Life Sciences Manufacturing Retail Telecommunications Travel Our strategic partners Find a partner Become a partner - Partner Plus Partner Plus log in IBM TechXChange Community LinkedIn X Instagram YouTube Subscription Center Participate in user experience research Podcasts United States — English Contact IBM Privacy Terms of use Accessibility