August 28, 2024, by Josh Nadeau

The Cybersecurity and Infrastructure Security Agency (CISA) recently conducted a comprehensive study of various small and medium-sized businesses to help identify common challenges and opportunities associated with Single Sign-On (SSO) adoption.

SSO has garnered considerable chatter across several industries, especially regarding its ability to improve security while extending a certain level of convenience to employees using this protocol. However, it hasn’t yet been widely adopted as a best practice standard. Some businesses rave about SSO’s security benefits, while others are skeptical of its value and concerned about the costs.

In 2024, CISA released a report summarizing the viewpoints of multiple SSO vendors and customers while providing recommendations to help companies overcome the common barriers to implementing more secure SSO policies in their organizations.

What is Single Sign-On (SSO), and why is it important?

Single Sign-On (SSO) has gained traction in various industries since the early 2000s, although not all businesses fully understand its practical application. SSO is a centralized authentication protocol that gives users access to multiple applications or systems using a single set of credentials.

By working with a chosen SSO provider, businesses can have their employees use one central login that verifies their identity and gives them access to a set number of authorized applications rather than needing to have employees remember multiple usernames or passwords.

Businesses can experience significant convenience when using this type of solution, but its security benefits are much more pronounced. Since SSO eliminates the need to create and remember multiple credentials, it significantly reduces the risks of employees experiencing password fatigue and opting to reuse credentials across various platforms, leading to weaker security.

With the addition of SSO, organizations can harden their digital security practices while mandating stronger password-building practices, enforcing the use of multi-factor authentication (MFA), and supporting a centralized administration of all their access controls.

What are the common barriers to SSO adoption?

When polling various third-party vendors and organizations, CISA identified common barriers associated with SSO adoption. Some of these barriers include:

Financial constraints

As with all security initiatives, SSO requires a certain level of financial investment to establish itself. This can be a difficult cost of entry for smaller businesses with more limited budgets.

Since some organizations still don’t fully recognize or accept the importance of SSO adoption, it can often be viewed more as an additional “expense” rather than a long-term investment that can lead to “cost-savings” since it helps to maximize productivity while minimizing the chances of a costly data breach.

Lack of technical expertise or resources

Depending on the size of the organization, SSO implementation and management can require varying levels of technical expertise, which may not be immediately available in-house. Setting up an SSO solution can involve configuring various applications and third-party tools, which takes time and resources to manage.

Misconceptions about the complexity or relevance of SSO

One of the largest barriers to adoption is organizations' limited awareness of how relevant SSO is to their business. Many underestimate the security risk they take on by trusting employees to manage a diverse set of login credentials across multiple platforms and applications.

According to a LastPass report, only 3 in 10 employees actually set strong enough passwords for their work accounts. It is hard to police since many organizations make it a point not to let their employees share their credentials with anyone. Other businesses overestimate the effort it can take to set up SSO in their organization and abandon the idea altogether.

Misalignment between SSO vendors and SMB needs

SSO implementations are believed to provide the most value to large enterprises with hundreds or even thousands of employees.

However, this demand has created a certain amount of segmentation in the market, with many SSO vendors primarily catering their services (and pricing models) to larger businesses. This has made SSO solutions less affordable for SMBs and left them with limited options for more flexible deployments.


CISA’s recommendations to improve SSO adoption rates

CISA’s study revealed an apparent disconnect between SSO vendors’ perceptions of what the business market needs and their customers’ actual experiences. While SSO vendors have traditionally focused on providing solutions with a comprehensive list of features and services, they haven’t always considered how to make their solutions more approachable for businesses of all sizes.

In an effort to help bridge this gap and improve SSO adoption rates, CISA has offered recommendations to both SMBs (small and medium-sized businesses) and third-party vendors.

Recommendations for SMBs

  1. Conduct a thorough needs assessment: Businesses should complete a thorough needs assessment before deciding whether or not an SSO solution is appropriate for their organization. This includes identifying the number of applications being used, the number of users, and the desired level of security readiness. This will help to determine the appropriate type of SSO solution required.
  2. Prioritize affordability and scalability: To ensure long-term adoption of SSO, organizations should look for more flexible pricing options, including subscription- or usage-based solutions. This ensures the solution can adapt and grow along with the organization and prevents costly replacements down the road.
  3. Get vendor support and training: Businesses should make SSO training a priority and work with vendors that offer clear documentation and support for their solutions. This can also include creating a pilot program of SSO implementation to test the solution’s effectiveness while training staff on best practices for its use.

Recommendations for third-party vendors

  1. Unbundle SSO and offer more tailored solutions: Third-party vendors should consider decoupling their basic SSO services, allowing smaller businesses the ability to purchase only the features they need. This helps to lower costs and ensures each organization maximizes the value of its investment.
  2. Provide flexible licensing options: SSO providers should begin offering more flexible user seat thresholds and licensing options. This includes the potential for managed service providers or smaller business groups to pool their licensing, accommodating the varying sizes and unique requirements of smaller organizations with limited budgets.
  3. Improve support and training materials: Vendors should start prioritizing the development of clear, accurate support materials to provide adequate training resources to businesses. User-friendly guides and responsive technical support are critical to help ensure long-term SSO adoption in businesses, especially post-implementation.

CISA’s guidance on SSO adoption is a timely reminder for third-party vendors and business organizations not to devalue its importance. By working together, vendors and their clients can increase the rate of SSO adoption while improving the overall security posture of all organizations.
