Why SSO isn’t a silver bullet for enterprise security

by Jeff Shiner

SSO plays a huge role in business security – we love it, we use it, and we understand the enormous contribution it makes. But by itself, SSO doesn’t solve every challenge businesses face with securely signing in to services. And it can’t replace an enterprise password manager. Let’s talk a little bit about why that is.

Only SSO far

When we took another look at our survey of knowledge workers and IT professionals, a contradiction became clear:

  1. For every company that uses an enterprise password manager, there are two that see SSO or password resets as a sufficient alternative.
  2. One in five employees admits to breaking IT rules.

The first stat suggests a significant number of companies see SSO as meeting the same core security need that an enterprise password manager does. The second points to one big reason why that's a mistake: almost every company uses apps that fall outside the scope of SSO, and employees breaking the rules to use non-SSO-enabled apps is only one of several reasons why.

Illustration: A mini city scape that features the words two thirds of companies think SSO or password resets are a sufficient alternative to an enterprise password manager. Below are five avatars representing office workers, with one highlighted with an exclamation point as an IT rule-breaker, featuring the words one in five employees admits to breaking IT rules.

Shadow IT – the apps your employees use under the radar – is prevalent in almost every company. By its very definition, Shadow IT is a blind spot for business – companies don’t know what software their employees are using. And our survey goes further, suggesting that most companies aren’t even aware that they don’t know what software their employees use. If they did, they wouldn’t see SSO as a panacea for their security needs.

And beyond Shadow IT, many companies use approved apps that don't support SSO at all, as well as apps that support it but where, for whatever reason, it has never been switched on. That is often the case for apps which started out under the radar with a few individuals, were later approved for wider use, but are still not rolled out across the whole company.

SSO is a great layer of security to have on your most important business apps, but if not all the apps your team uses are protected by SSO, questions start to emerge about your security as a whole.
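As an added example (not part of the original post, and not 1Password's code), here is the kind of audit an IT team can run to see which of the apps in use sit inside and outside SSO. The inputs are constructed: a set of app names federated by the identity provider, and a small CSV of discovered apps with a flag for whether the vendor supports SSO at all. In practice those would come from your IdP's application export and from whatever SaaS-discovery, expense-report or proxy-log data you have; the three buckets the code produces are exactly the ones described above.

```python
"""SSO coverage audit: added example, not 1Password's code.

Inputs are constructed inline and represent assumptions about what an IT team
would export: a set of app names the identity provider (IdP) federates, and a
discovered-app inventory (expense reports, proxy/DNS logs, SaaS-discovery
tooling) with a per-app flag for whether the vendor supports SSO at all.
"""
import csv
import io
from dataclasses import dataclass

# Constructed: apps with SSO enforced in the IdP. "zoom" is federated in the IdP
# but never appears in discovery, which the audit should surface as stale.
IDP_ASSIGNMENTS = {"gsuite", "slack", "workday", "jira", "zoom"}

# Constructed inventory. supports_sso is the vendor capability, not whether it is on.
DISCOVERED_CSV = """app,supports_sso,users
gsuite,yes,210
slack,yes,205
workday,yes,190
jira,yes,60
figma,yes,18
github,yes,42
canva,no,9
grammarly,no,31
trello,no,7
"""


@dataclass
class CoverageReport:
    enforced: set                 # behind SSO today
    supported_not_enforced: set   # vendor supports SSO but it isn't switched on
    unsupported: set              # vendor offers no SSO: password-only by necessity
    stale: set                    # in the IdP but not seen in use
    seats: tuple                  # (user-app seats behind SSO, total user-app seats)


def audit(idp_assignments, discovered_csv):
    """Classify every discovered app into the three buckets the post describes."""
    enforced, supported_not_enforced, unsupported = set(), set(), set()
    sso_seats = total_seats = 0
    for row in csv.DictReader(io.StringIO(discovered_csv)):
        app = row["app"].strip().lower()
        supports = row["supports_sso"].strip().lower() == "yes"
        users = int(row["users"])
        total_seats += users
        if app in idp_assignments:
            enforced.add(app)
            sso_seats += users
        elif supports:
            supported_not_enforced.add(app)
        else:
            unsupported.add(app)
    stale = set(idp_assignments) - enforced
    return CoverageReport(enforced, supported_not_enforced, unsupported,
                          stale, (sso_seats, total_seats))


def password_only_apps(report):
    """Everything not behind SSO: the set an enterprise password manager must cover."""
    return report.supported_not_enforced | report.unsupported


if __name__ == "__main__":
    rep = audit(IDP_ASSIGNMENTS, DISCOVERED_CSV)
    print("SSO enforced:", sorted(rep.enforced))
    print("Supports SSO, not enforced:", sorted(rep.supported_not_enforced))
    print("No SSO support:", sorted(rep.unsupported))
    print("Stale IdP assignments:", sorted(rep.stale))
    done, total = rep.seats
    print(f"Seat coverage: {done}/{total} = {done / total:.0%}")
```

The seat-weighted figure is the one to watch: on the constructed data, SSO covers four of nine apps but about 86% of user-app seats, which is precisely the pattern that makes SSO feel like complete coverage when it is not. The "supports SSO, not enforced" bucket is the cheap win (turn it on); the "no SSO support" bucket is where the password manager is doing the work whether you planned for it or not.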

Illustration: A Venn diagram shows a small circle labelled manager tools within a larger circle labelled maker tools. The manager tools, also shared with all makers, are highlighted as the sweet spot for SSO. The remaining maker tools are identified as where a password manager is needed.
SSO often covers the tools used by everyone in your business – but that's not always the whole story.

Here’s a quick illustration that I hope shows what I mean. I bet for many of us, when we think of the apps and software we use at work, we tend to think of those core services used by almost the whole company: communication and collaboration tools, HR apps, your productivity suite – the day-to-day tools of business we all know and love. These tools often support SSO, and maybe it’s the ubiquity and high-visibility of these apps that explains why some companies feel that SSO has all their security bases covered.

But beyond those are what I'll generically call maker tools: software used by your engineers, designers, writers, or anyone else in your business responsible for a tangible output. Some you'll know about. Others you won't. Numbers will vary enormously from business to business, but there may be more of these tools than you'd guess.

What I hope this image shows is that an enterprise password manager and SSO aren't in competition to solve your company's sign-in needs: they're complementary. And by the way, when you do use SSO, the password behind that SSO login should itself be a strong, unique one created with a safe password generator, because it now unlocks everything federated to it.

You may think it's low stakes if any one of these tools is compromised. But a compromised account in one of them may give an attacker the information, or the foothold, they need to reach more important data elsewhere. Now, you might make the case that all your important data is behind an SSO login, and perhaps that is the case. But given the average cost of a data breach, that's a multi-million dollar bet you're making.

The case for an enterprise password manager

I’m not going to use this post to go deep on explaining how a password manager helps keep your company safe. Quick version: reused passwords = bad. Strong, unique passwords = good.
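To make the quick version concrete, here is an added example (not from the post, and not 1Password's code) of what a safe password generator and a reuse check look like in code: passwords drawn from the operating system's CSPRNG via Python's `secrets` module, an entropy estimate from length and alphabet size, and a scan of a constructed vault for passwords shared across sites. The alphabet, the 16-character policy floor and the vault contents are assumptions made for the illustration.

```python
"""Strong, unique passwords for the non-SSO apps: added example, not
1Password's code. The alphabet, length policy and vault below are assumptions.

Uses the standard library's `secrets` module, which draws from the OS CSPRNG;
`random` is a deterministic Mersenne Twister and must not be used for credentials.
"""
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"  # 75 symbols
MIN_LENGTH = 16  # assumed policy floor


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def generate(length=20, alphabet=ALPHABET):
    """Uniformly random password; secrets.choice avoids modulo bias."""
    if length < MIN_LENGTH:
        raise ValueError(f"length {length} below policy minimum {MIN_LENGTH}")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def find_reuse(vault):
    """vault: {site: password}. Return groups of sites that share one password.

    A shared password is the 'reused passwords = bad' case: one breached site
    exposes every site in the group to credential stuffing.
    """
    by_password = {}
    for site, password in vault.items():
        by_password.setdefault(password, []).append(site)
    return sorted(sorted(sites) for sites in by_password.values() if len(sites) > 1)


def generate_unique(vault, length=20):
    """New password guaranteed not to collide with anything already in the vault.

    At roughly 125 bits of entropy a collision is astronomically unlikely; the
    loop exists to make the uniqueness invariant explicit rather than assumed.
    """
    existing = set(vault.values())
    for _ in range(8):
        candidate = generate(length)
        if candidate not in existing:
            return candidate
    raise RuntimeError("could not produce a unique password")  # practically unreachable


# Constructed vault: two apps share a password, one has a proper unique one.
CONSTRUCTED_VAULT = {
    "canva": "Summer2023!",
    "trello": "Summer2023!",
    "grammarly": "v9#Qm2!xLp&4Rz8tW_eK",
}

if __name__ == "__main__":
    print("Reused across:", find_reuse(CONSTRUCTED_VAULT))
    new = generate_unique(CONSTRUCTED_VAULT)
    print(f"New password ({entropy_bits(len(new)):.1f} bits): {new}")
```

A 20-character password over this 75-symbol alphabet carries about 125 bits of entropy, far beyond any offline guessing budget, so the real risk in the constructed vault is not weakness but reuse: "Summer2023!" appearing on two sites means a breach of either compromises both. That is the check an enterprise password manager runs for you across every account, SSO-covered or not.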

The companies that do adopt a password manager see the benefit, but there's a big disconnect with those that don't. In our survey of IT professionals, of those at companies which have adopted an enterprise password manager, 89% report that it has measurably improved security. And yet 66% of IT professionals overall reported that strict password requirements aren't worth the hassle, which again speaks to the scale of the blind spot when it comes to password security. In any case, a good enterprise password manager removes this hassle by enforcing password requirements business-wide.

Graphic: Graph showing that 89% of companies that have adopted a password manager say it has had a measurable impact on security. Second graph shows that 57% of companies say that a password manager has saved time for employees, 45% say it saves time for IT, 37% say it enhances productivity, 26% say it leads to fewer breaches and 26% say it has led to happier employees.

Needless to say, adopting a password manager doesn’t solve Shadow IT overnight. But in 1Password, you also get the tools you need to make sure your password manager is adopted and used. If you combine this with efforts to encourage visibility of the apps your team prefers to use, you can begin to bring the whole picture of your organizational security into focus – and make sure it’s robust. Businesses that have deployed a password manager are 30% more likely to report having a more complete view of the apps and devices employees use at work.

Ultimately, an enterprise password manager is the only way to make sure your team logs in securely to every service they use. This should mean your business can be more expansive about the software it lets employees use.



Jeff Shiner - CEO
