Single sign-on (SSO) plays a huge role in business security – we love it, we use it, and we understand the enormous contribution it makes. But by itself, SSO doesn’t solve every challenge businesses face with securely signing in to services. And it can’t replace an enterprise password manager. Let’s talk a little bit about why that is.
Only SSO far
When we took another look at our survey of knowledge workers and IT professionals, a contradiction became clear:
- For every company that uses an enterprise password manager, there are two that see SSO or password resets as a sufficient alternative.
- One in five employees admits to breaking IT rules.
The first stat suggests a significant number of companies see SSO as fulfilling the same core security need that an enterprise password manager does. But the second highlights one big reason why that’s a mistake: almost all companies will use apps that don’t fall under the scope of SSO. People breaking the rules and using non-SSO-enabled apps is just one of several reasons.
Shadow IT – the apps your employees use under the radar – is prevalent in almost every company. By its very definition, Shadow IT is a blind spot for business – companies don’t know what software their employees are using. And our survey goes further, suggesting that most companies aren’t even aware that they don’t know what software their employees use. If they did, they wouldn’t see SSO as a panacea for their security needs.
And beyond Shadow IT, many companies will use approved apps that don’t support SSO, as well as apps that do support it but where, for whatever reason, the feature isn’t enabled. This may well be the case for apps which were used under the radar by a few individuals and have since been approved for wider use, but which aren’t used by the whole company.
As strong as the weakest link
SSO is a great layer of security to have on your most important business apps, but if not all the apps your team uses are protected by SSO, questions start to emerge about your security as a whole.
Here’s a quick illustration that I hope shows what I mean. I bet for many of us, when we think of the apps and software we use at work, we tend to think of those core services used by almost the whole company: communication and collaboration tools, HR apps, your productivity suite – the day-to-day tools of business we all know and love. These tools often support SSO, and maybe it’s the ubiquity and high visibility of these apps that explains why some companies feel that SSO has all their security bases covered.
But beyond those are what I’ll generically call maker tools: software used by anyone from your engineers, designers, writers – or anyone else in your business responsible for a tangible output. Some you’ll know about. Others you won’t. Numbers will vary enormously from business to business but there may be more of these tools than you’d guess.
What I hope this image shows is that an enterprise password manager and SSO aren’t in competition to solve your company’s sign-in needs: they’re complementary. And by the way, when you do use SSO, hopefully the password is a strong, unique one created with a safe password generator.
You may think it’s low stakes if any one of these tools is compromised. But a compromised account may give hackers the information they need to access more important data elsewhere. Now, you might make the case that all your important data is behind an SSO login – and perhaps that is the case. But given the average cost of a data breach, that’s a multi-million dollar bet you’re making.
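As an added illustration of the weakest-link argument above (example code written for this edit, not 1Password’s own), here is a small coverage audit over a constructed app inventory: it lists which apps sit outside SSO, groups accounts that share a password, and estimates what one compromised non-SSO account could reach. The app names and passwords are made up, and the “IdP” entry stands for the identity provider account that every SSO-enabled app defers to.

```python
import hashlib
from collections import defaultdict

# Constructed sample inventory (not real data): (app, behind_sso, password).
# Apps behind SSO defer to the identity provider (IdP) entry and carry no
# password of their own; apps outside SSO hold their own credential.
IDP = "idp"
INVENTORY = [
    (IDP, True, "Tr0ub4dor&3-idp"),
    ("chat", True, None),
    ("hr-portal", True, None),
    ("design-tool", False, "Tr0ub4dor&3-idp"),  # reuses the IdP password
    ("ci-service", False, "summer2024!"),
    ("diagram-app", False, "summer2024!"),      # shared between two maker tools
    ("font-library", False, "k9#Lq2!vB8zR$"),   # unique, generated
]


def fingerprint(password):
    """Non-reversible label for a password so reports never carry plaintext."""
    return hashlib.sha256(password.encode()).hexdigest()[:12]


def sso_coverage(inventory):
    """Split the inventory into apps behind SSO and apps outside it."""
    covered = [app for app, sso, _ in inventory if sso]
    uncovered = [app for app, sso, _ in inventory if not sso]
    return covered, uncovered


def reuse_groups(inventory):
    """Map each password fingerprint to the apps that share that password."""
    groups = defaultdict(list)
    for app, _, pw in inventory:
        if pw is not None:
            groups[fingerprint(pw)].append(app)
    return {fp: apps for fp, apps in groups.items() if len(apps) > 1}


def blast_radius(inventory, compromised_app):
    """Apps reachable from one compromised account: every app sharing its
    password, plus everything behind SSO if that password is the IdP one."""
    passwords = {app: pw for app, _, pw in inventory}
    pw = passwords.get(compromised_app)
    if pw is None:  # SSO-only app or unknown name: no standalone credential
        return []
    reached = {app for app, _, p in inventory if p == pw}
    if IDP in reached:
        reached |= {app for app, sso, _ in inventory if sso}
    reached.discard(compromised_app)
    return sorted(reached)
```

In this constructed inventory the design tool reuses the IdP password, so compromising that one non-SSO account reaches every SSO-protected app as well; the font library with a generated, unique password reaches nothing.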
The case for an enterprise password manager
I’m not going to use this post to go deep on explaining how a password manager helps keep your company safe. Quick version: reused passwords = bad. Strong, unique passwords = good.
The companies that do adopt a password manager see the benefit, but there’s a big disconnect with those that don’t. In our survey of IT professionals, of those at companies which have adopted an enterprise password manager, 89% report that it has measurably improved security. And yet 66% of IT professionals overall reported that strict password requirements aren’t worth the hassle, which again speaks to the scale of the blind spot when it comes to password security. In any case, a good enterprise password manager negates this hassle by implementing password requirements business-wide.
Needless to say, adopting a password manager doesn’t solve Shadow IT overnight. But in 1Password, you also get the tools you need to make sure your password manager is adopted and used. If you combine this with efforts to encourage visibility of the apps your team prefers to use, you can begin to bring the whole picture of your organizational security into focus – and make sure it’s robust. Businesses that have deployed a password manager are 30% more likely to report having a more complete view of the apps and devices employees use at work.
Ultimately, an enterprise password manager is the only way to make sure your team logs in securely to every service they use. This should mean your business can be more expansive about the software it lets employees use.