Single Sign-On (SSO) as an Essential Cybersecurity Practice

The rise of “password fatigue” as a real, documented phenomenon has shown that our current approach to enterprise IT security and authentication is flawed.

 
According to a 2019 report from Yubico and the Ponemon Institute, employees spend an average of 10.9 hours per year entering or resetting their passwords; this corresponds to a total annual loss of $5.2 million for the average organization. Meanwhile, Netskope’s 2019 Cloud Report has found that the average enterprise uses a staggering 1,295 cloud services.

Faced with the Herculean task of remembering too many login credentials, employees may engage in a number of undesirable practices. Some users may reuse the same password in multiple locations, increasing the risk of a security breach, while others may engage in “shadow IT” (the use of IT devices, software and services outside the ownership or control of IT) thereby undermining an organizations IT department’s security protocols.

What’s more, the COVID-19 pandemic has only increased the risk of cybersecurity issues. The Center for Internet Security’s “CSO Pandemic Impact Survey” found that 61 percent of security and IT leaders are concerned about an increase in cyber-attacks; and 26 percent have observed an increase in the volume or severity of attacks since the pandemic.  One recent reminder of this fact is the cyber attack on the Colonial Pipeline, which crimpled our fuel supply lines from Texas to much of the East Coast, equating to hundreds-of-millions of dollars in lost productivity.

Although there’s no shortage of solutions to the issue of password fatigue—including biometrics and password management software—one of the most popular options is single sign-on (SSO). Single sign-on is a cybersecurity best practice in which users only have to log in one time (hence the name) in order to access a suite of software applications or services.

The benefits of SSO include:

• Ease of use: SSO is obviously attractive from an end user standpoint because it simplifies the login process. There’s no need to memorize 10 separate passwords for 10 different applications, and your session won’t expire if you haven’t used a single application in a while.
• Lower IT burden: With telecommuting on the rise, many decidedly non-tech-savvy employees have been forced to act as their own tech support, diagnosing and resolving issues from home. Fewer forgotten passwords also mean a lower burden on your IT support team who have to help users reset their credentials.
• Increased productivity: Less time spent logging in and out, and less time spent waiting for help from the IT team, means an increase in employee productivity. This can help organizations recoup potentially millions of dollars due to inefficient login practices.
• Greater security: In addition to the monetary gain from productivity, businesses also need to consider the potential financial and reputational losses as a result of a cyber-attack. SSO helps improve IT security and decrease the risk of a devastating data breach.

Some organizations have the misconception that SSO actually weakens IT security by providing just a single point of weakness for an attacker. If a user’s password is exposed or cracked, the theory goes, a malicious actor could simply waltz into the application portal unopposed.

In practice, however, SSO improves IT security for multiple reasons. First, SSO can and should be used in combination with other IT security best practices, such as multi-factor authentication (MFA) and risk-based authentication (RBA):

• With MFA, users need to authenticate their login via at least one other means, such as entering a code from an email or verifying with a smartphone authentication app.
• RBA analyzes the metadata surrounding a particular login (such as the IP address, the device, the user’s location, and the time of day) to assess the likelihood that the login is fraudulent, alerting the user if it detects suspicious behavior.

There are several other reasons why SSO improves IT security within an organization:

SSO streamlines the login process, making it less likely that users will write down their passwords.

• Thanks to this simplification, IT departments can also place more stringent requirements on password length and complexity, making them harder for attackers to crack.
• SSO facilitates identity management (IdM), allowing organizations to create roles for users and groups of users that clearly define which applications and services they should have access to.
• Employees’ login credentials can be quickly and easily restricted or terminated (e.g., when they depart the organization), lowering the risk of an insider threat.
• More sensitive systems, applications, and data can be excluded from the SSO portal as necessary.

Looking to implement your own SSO portal for your existing cloud applications—or as part of an upcoming cloud migration? Datavail can help. To learn how we helped one client implement SSO as part of their Microsoft Azure cloud migration, check out our recent case study “Major Auto Manufacturer Migrates Application Portal to Azure Cloud.”