What Cybercriminals Don't Want You to Know about SSO

Back
February 19, 2019

When it comes to your enterprise security, you know better than anyone what’s at stake. Your proprietary data and critical applications, not to mention the personal information about your employees and customers, all must be protected.

That’s not an easy job to be sure. But it’s even more complicated when you also have to make it easy for many users to access those same sensitive resources and information. Many of whom aren’t as well-versed in the threats—and the damage a breach can cause—as you are.

You know your challenges all too well, and unfortunately, the bad guys do, too.

 

Your Users are Tired and Their Passwords are Weak
As demands to digitize business functions and adopt digital technologies increase, you’re under the gun to deliver greater business value and agility. This includes rethinking the way your enterprise addresses security and grants user access.

As an enterprise, you’re no longer bound by a traditional perimeter. And your users, whether employees, customers or partners, are consumers first and foremost. They’ve grown accustomed to being able to get what they want, when they want it and from wherever they are—whether that’s a software fix or a sugar-free latte. Your employees and customers expect the same easy access from you, regardless of the business you’re in.

And more than ever, you have the ability to provide it. There are apps for pretty much everything nowadays. It’s estimated that the average enterprise has 200 apps in use (1), and for some, that number is much bigger. The use of apps can boost productivity, efficiency and revenues by making solutions to problems more accessible than ever before.

But while all of those apps can do wonders for both your bottom and top lines, you also have to make them accessible to your users. And remember, your users have grown accustomed to convenient and seamless experiences. If you’re requiring them to log in multiple times and remember more than one password, you’re falling short in more ways than one.

From your users’ perspective, they resent that they need to generate and manage potentially hundreds of passwords. At the same time, your enterprise security is vulnerable because your users’ password fatigue is causing them to resort to risky practices like reusing passwords or choosing weak ones that are easy for them to remember—and equally easy for hackers to guess.

In fact, the only ones who stand to win in this situation are the criminals themselves. They prey on the tired and weak. And they count on the fact that your users and their passwords will fit the bill. Not to put too fine a point on it, but weak or stolen credentials are still the top way bad actors slip past security measures (2).

Furthermore, you must resist the urge to blame your employees or customers for the problem. If you’re managing hundreds of apps, it stands to reason that they’re also managing hundreds of passwords. And another revision to your already complicated password policy isn’t the answer. Just because we know better, doesn’t mean we do better, especially when we’re exhausted. Suffice it to say, your users’ password fatigue is real.

You might feel like there’s just no winning. And it’s true that you face a tough balancing act. On the one hand, you must safeguard your enterprise resources, and at the same time, you must make them easily accessible to a growing number of users and their devices.

SSO to the rescue.

 

How Single Sign-on Helps You Outsmart the Bad Guys
You know what hackers love? When your users are so overwhelmed by remembering passwords that they start getting sloppy. And that means that hackers also despise single sign-on.

Single sign-on (SSO) eliminates the need for individual passwords for each account and replaces them with a single set of corporate credentials. Your users are able to sign on with one set of credentials to access all of their applications and services. This not only improves their experience and boosts their productivity, it strengthens your security.

Because SSO enables a single login, it reduces the number of passwords your users have to manage. This effectively shrinks your password-attack surface, which in turn reduces your odds of being the victim of the next successful data breach. And when you consider that the cost of a breach in 2018 averaged $3.86 million (3), the security gains from SSO alone make it worthy of your attention.

The benefits of SSO don’t end at outsmarting the cyber creeps and potentially saving millions of dollars on a data breach. Implementing single sign-on can actually decrease your IT and administrative costs. The right SSO solution is both simple to integrate and easy to administer, and should offer self-service capabilities that enable users to manage their access to enterprise data and applications, including resetting passwords. A recent Forrester research study found that it costs large organizations up to $1 million each year to handle password resets when you add up the associated time and expenses (4). So this capability alone can translate to big savings.

With all the time you save, you can focus on more strategic tasks, like onboarding and developing new applications. Some SSO solutions even make adding and removing access for users a snap. If you’re manually provisioning and de-provisioning users today, you know what a drain this is on your time and resources. SSO can enable automated provisioning and deprovisioning of users, and provide centralized authentication and control over user management.

When you add it all up, SSO delivers an incredible return on investment. It delivers a simpler and more convenient user experience, while also strengthening security. And it lowers your IT costs at the same time. It may even sound too good to be true.

 

Is One Password Really Stronger than Several?
As a thorough decision maker, you’re smart enough to weigh your options. When considering whether to SSO or not to SSO, you may question if a single password is a good thing. I mean, if it only takes one password to give your users access, doesn’t the same apply to bad actors? Not really, and there are a couple reasons why.

First, by needing to create only one password, your users are already implementing one of the strongest and best password practices: avoiding password reuse. As discussed earlier, the more passwords you require, the more opportunities there are for hackers to exploit. Furthermore, your users are more likely to create strong passwords when they have to create just one instead of many.

But a discussion of SSO shouldn’t end at passwords. An enterprise SSO solution should allow you to easily add additional security that extends beyond passwords alone. For example, it should allow you to limit access based on user attributes (ABAC) and require additional authentication methods, like multi-factor authentication (MFA), based on risk.

A contextual MFA solution in combination with SSO allows you to apply authentication policies based on context, such as the risk of the action being taken or the sensitivity of the resource being accessed. You can use ABAC policies or variables like IP address and web session attributes to further ensure users are who they claim to be before approving certain actions or access.

 

Build a Secure Foundation with Single Sign-on
Implementing SSO is a great first step in safeguarding your enterprise against cybercriminals. Single sign-on decreases your attack surface by dramatically reducing the number of passwords for each user. When you start with SSO, you not only provide a stronger security posture for your enterprise, you give your users the convenient and streamlined access they expect.

To learn more about how easy it is to implement SSO, read the Essential Guide to Single Sign-on.



(1) 2018 The State of Application Delivery Report, F5 Networks Inc.
(2) 2018 Verizon Data Breach Investigation Report
(3) 2018 Cost of a Data Breach Study, Ponemon Institute.
(4) Maxim, Merritt and Andras Cser with Stephanie Balaouras, Salvatore Schiano, Madeline Cyr and Peggy Dostie, “Best Practices: Selecting, Deploying, And Managing Enterprise Password Managers,” Forrester, Jan 8, 2018.