Light Dark
August 28, 2024 By Josh Nadeau 4 min read
News

The Cybersecurity and Infrastructure Security Agency (CISA) recently conducted a comprehensive study of various small and medium-sized businesses to help identify common challenges and opportunities associated with Single Sign-On (SSO) adoption.

SSO has garnered considerable chatter across several industries, especially regarding its ability to improve security while extending a certain level of convenience to employees using this protocol. However, it hasn’t yet been widely adopted as a best practice standard. Some businesses rave about SSO’s security benefits, while others are skeptical of its value and concerned about the costs.

In 2024, CISA released a report summarizing the viewpoints of multiple SSO vendors and customers while providing recommendations to help companies overcome the common barriers to implementing more secure SSO policies in their organizations.

What is Single Sign-On (SSO), and why is it important?

Single Sign-On (SSO) has gained traction in various industries since the early 2000s, although not all businesses widely understand its practical application. SSO is a centralized authentication protocol that gives users access to multiple applications or systems using a single set of credentials.

By working with a chosen SSO provider, businesses can have their employees use one central login that verifies their identity and gives them access to a set number of authorized applications rather than needing to have employees remember multiple usernames or passwords.

Businesses can experience significant convenience when using this type of solution, but its security benefits are much more pronounced. Since SSO eliminates the need to create and remember multiple credentials, it significantly reduces the risks of employees experiencing password fatigue and opting to reuse credentials across various platforms, leading to weaker security.

With the addition of SSO, organizations can harden their digital security practices while mandating stronger password-building practices, enforcing the use of multi-factor authentication (MFA), and supporting a centralized administration of all their access controls.

What are the common barriers to SSO adoption?

When polling various third-party vendors and organizations, CISA identified common barriers associated with SSO adoption. Some of these barriers include:

Financial constraints

As with all security initiatives, SSO requires a certain level of financial investment to establish itself. This can be a difficult cost of entry for smaller businesses with more limited budgets.

Since some organizations still don’t fully recognize or accept the importance of SSO adoption, it can often be viewed more as an additional “expense” rather than a long-term investment that can lead to “cost-savings” since it helps to maximize productivity while minimizing the chances of a costly data breach.

Lack of technical expertise or resources

Depending on the size of the organization, SSO implementation and management can require varying levels of technical expertise, which may not be immediately available in-house. The configuration of SSO solutions can involve the configuration of various applications and third-party tools, which can take time and resources to manage.

Misconceptions about the complexity or relevance of SSO

One of the largest barriers to adoption is the need for organizations to be more aware of the relevancy of SSO in their business. Many need to pay more attention to their current security risks by trusting employees to manage a diverse set of login credentials across multiple platforms and applications.

According to a LastPass report, only 3 in 10 employees actually set strong enough passwords for their work accounts. It is hard to police since many organizations make it a point not to let their employees share their credentials with anyone. Other businesses overestimate the effort it can take to set up SSO in their organization and abandon the idea altogether.

Misalignment between SSO vendors and SMB needs

SSO implementations are believed to provide the most amount of value to large enterprises with hundreds or even thousands of employees.

However, this demand has created a certain amount of segmentation in the market, with many SSO vendors primarily catering their services (and pricing models) to larger businesses. This has made SSO solutions less affordable to SMBs and with limited options for more flexible deployments.

Explore IBM Verify

CISA’s recommendations to improve SSO adoption rates

CISA’s study revealed an apparent disconnect between SSO vendors’ perceptions of what the business market needs and their customers’ actual experiences. While SSO vendors have traditionally focused on providing solutions with a comprehensive list of features and services, they haven’t always considered how to make their solutions more approachable for businesses of all sizes.

In an effort to help bridge this gap and improve SSO adoption rates, CISA has offered recommendations to both SMBs (small and medium-sized businesses) and third-party vendors.

Recommendations for SMBs

  1. Conduct a thorough needs assessment: Businesses should complete a thorough needs assessment before deciding whether or not an SSO solution is appropriate for their organization. This includes identifying the number of applications being used, the number of users, and the desired level of security readiness. This will help to determine the appropriate type of SSO solution required.
  2. Prioritize affordability and scalability: To ensure long-term adoption of SSO, organizations should look for more flexible pricing options, including subscription — or usage-based solutions. This ensures the business can adapt and grow along with the organization and prevent costly replacements down the road.
  3. Get vendor support and training: Businesses should make SSO training a priority and work with vendors that offer clear documentation and support for their solutions. This can also include creating a pilot program of SSO implementation to test the solution’s effectiveness while training staff on best practices for its use.

Recommendations for third-party vendors

  1. Unbundle SSO and offer more tailored solutions: Third-party vendors should consider decoupling their basic SSO services, allowing smaller businesses the ability to purchase only the features they need. This helps to lower costs and ensures each organization maximizes the value of its investment.
  2. Provide flexible licensing options: SSO providers should begin offering more flexible user seat thresholds and licensing options. This includes the potential for managed service providers or smaller business groups to pool their licensing, accommodating the varying sizes and unique requirements of smaller organizations with limited budgets.
  3. Improve support and training materials: Vendors should start prioritizing the development of clear, accurate support materials to provide adequate training resources to businesses. User-friendly guides and responsive technical support are critical to help ensure long-term SSO adoption in businesses, especially post-implementation.

CISA’s guidance on SSO adoption is a timely reminder for third-party vendors and business organizations not to devalue its importance. By working collectively together, vendors and their clients can increase the rate of SSO adoption while improving the overall security posture of all organizations.

 |  |  |  |  | 
Josh Nadeau
Cybersecurity Writer

More from News
December 23, 2024

Ransomware attack on Rhode Island health system exposes data of hundreds of thousands

3 min read - Rhode Island is grappling with the fallout of a significant ransomware attack that has compromised the personal information of hundreds of thousands of residents enrolled in the state’s health and social services programs. Officials confirmed the attack on the RIBridges system—the state’s central platform for benefits like Medicaid and SNAP—after hackers infiltrated the system on December 5, planting malicious software and threatening to release sensitive data unless a ransom is paid. Governor Dan McKee, addressing the media, called the attack…

December 16, 2024

FBI, CISA issue warning for cross Apple-Android texting

3 min read - CISA and the FBI recently released a joint statement that the People's Republic of China (PRC) is targeting commercial telecommunications infrastructure as part of a significant cyber espionage campaign. As a result, the agencies released a joint guide, Enhanced Visibility and Hardening Guidance for Communications Infrastructure, with best practices organizations and agencies should adopt to protect against this espionage threat. According to the statement, PRC-affiliated actors compromised networks at multiple telecommunication companies. They stole customer call records data as well…

December 9, 2024

Zero-day exploits underscore rising risks for internet-facing interfaces

3 min read - Recent reports confirm the active exploitation of a critical zero-day vulnerability targeting Palo Alto Networks’ Next-Generation Firewalls (NGFW) management interfaces. While Palo Alto’s swift advisories and mitigation guidance offer a starting point for remediation, the broader implications of such vulnerabilities demand attention from organizations globally. The surge in attacks on internet-facing management interfaces highlights an evolving threat landscape and necessitates rethinking how organizations secure critical assets. Who is exploiting the NGFW zero-day? As of now, little is known about the…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature