Single sign-on, or SSO, is a valuable addition to your enterprise security arsenal. It doesn’t protect against every threat, but it can reduce your attack surface, lower IT costs, and provide a better login experience for your employees.
What is SSO?
Without single sign-on, employees typically create a unique login for each site and service they use at work. With SSO, employees sign onto their SSO platform with a single, strongly vetted identity. That single identity then gives them access to all the services within the SSO framework.
Each SSO provider works a bit differently, but the basics are the same. Let’s use Okta – a leader in enterprise SSO – as an example. Once deployed, employees can log into Okta to see a dashboard that lists all of the services they can access. They simply click the site or web app they want to launch from the list, and Okta launches the URL and logs them in automatically using SSO.
That’s a very different experience from opening each site and entering login information manually. But this workflow has both upsides and downsides, as we’ll see.
What are the benefits of SSO?
SSO provides a wide range of benefits, from strengthening security to making it easier for employees to get their work done.
SSO reduces your attack surface. By consolidating the number of credentials employees need to keep track of, SSO reduces the number of entry points that IT needs to secure. More than 80 percent of hacking-related data breaches can be traced back to compromised credentials, according to Verizon’s Data Breach Investigations Report. The fewer passwords in circulation, the better.
SSO strengthens your minimum security requirements. With SSO, IT can focus on strengthening security at a single attack point. When they roll out a security policy for SSO, they enact that policy for all logins covered by that SSO framework. For example, they can require MFA for every service – all at once – with a single change to their SSO policy.
SSO can reduce IT support costs. IT spends about 25 minutes per day, on average, handling password-related requests. With fewer passwords in circulation, SSO can lighten that load.
SSO provides a better experience for employees. Rather than requiring employees to open and sign in to each service individually, SSO makes signing in to multiple services easy, reducing the likelihood that employees will use weak or reused passwords.
SSO provides a single source of truth. SSO creates a centralized directory of all employees in the company, which can dramatically simplify onboarding. With SSO, IT can configure different levels of access for different groups. Once new hires are placed in the proper group, they’ll inherit the policies of that group and get instant access to the services they’ll need to do their job.
How does SSO work?
When you deploy SSO, you’re delegating identity verification to your SSO provider. You can then use that strongly verified identity to apply various security policies on top of it. It’s a bit like gathering all your logins into a single castle, then building an alligator-filled moat around the castle.
By delegating identity verification, you’re not giving up control. Quite the opposite – with your SSO provider handling the verification process, your IT admins can focus on configuring the strength of that identity verification and adapting it to your needs.
For example, you could configure identity verification to check for specific attributes. Perhaps the entire company works out of an office in New York City, and you want to ensure that anyone logging in via SSO is located in NYC. IT can do that by adding a geographic attribute to the identity verification process.
Or, let’s say you use Lightweight Directory Access Protocol (LDAP) or Azure Active Directory (AAD) for employee directories. Your SSO provider may be able to check those directories to verify that someone is a member of a particular group during login.
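To make the "policy on top of a verified identity" idea concrete, here is an added example (not code from 1Password, Okta, or any SSO product) of a central login policy evaluated against an identity assertion: one MFA switch covers every integrated app, a geographic attribute is checked, and app access is granted by directory group. The directory, app catalogue, and assertion fields are all constructed stand-ins.

```python
from dataclasses import dataclass, field

# Constructed sample directory: the group memberships an SSO provider would
# look up in LDAP or Azure AD during login (hypothetical data).
DIRECTORY_GROUPS = {
    "alice@example.com": {"engineering", "all-staff"},
    "bob@example.com": {"sales", "all-staff"},
}

# Constructed app catalogue: the directory group each SSO-integrated
# service is assigned to. Apps absent from this map are outside SSO.
APP_GROUPS = {
    "source-control": "engineering",
    "crm": "sales",
    "payroll": "all-staff",
}


@dataclass
class SsoPolicy:
    # Flipping this one flag enforces MFA for every integrated service at once.
    require_mfa: bool = True
    # Geographic attribute check, as in the NYC-only scenario above.
    allowed_locations: set = field(default_factory=lambda: {"NYC"})


def evaluate_login(identity: dict, app: str, policy: SsoPolicy) -> tuple:
    """Apply the central policy to an identity the SSO provider has already
    verified. `identity` is a constructed stand-in for the provider's
    assertion with the fields sub, mfa_verified and location."""
    user = identity.get("sub")
    if policy.require_mfa and not identity.get("mfa_verified"):
        return (False, "mfa_required")
    if identity.get("location") not in policy.allowed_locations:
        return (False, "location_not_allowed")
    needed_group = APP_GROUPS.get(app)
    if needed_group is None:
        # Not integrated with SSO: any account here is a shadow account.
        return (False, "app_not_integrated")
    if needed_group not in DIRECTORY_GROUPS.get(user, set()):
        return (False, "not_in_group")
    return (True, "ok")


if __name__ == "__main__":
    alice = {"sub": "alice@example.com", "mfa_verified": True, "location": "NYC"}
    for app in ("source-control", "crm", "payroll", "unknown-saas"):
        print(app, evaluate_login(alice, app, SsoPolicy()))
```

Changing a single `SsoPolicy` field changes the outcome for every app in the catalogue, which is the administrative leverage the section describes.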
SSO and Shadow IT
It’s important to note that SSO doesn’t solve all your security problems, just a subset of them. For instance, if a service isn’t integrated into your SSO platform, employees can create an account on their own, bypassing SSO altogether. (And even if a site is supported by your SSO platform, employees can still create shadow accounts for that service.)
This isn’t a small problem. When employees create their own accounts outside of IT’s purview, they leave behind a string of potential entry points for attackers that, by definition, are a blind spot for IT. These accounts are known as shadow IT, and it’s a widespread problem for security teams.
In 2020, we found that a staggering 63.5% of workers had created at least one account in the previous 12 months that IT didn’t know about.
Worse, a third of those who had created accounts reused memorable passwords. Just 2.6% created a unique password every time. It’s impossible for IT to know where these login credentials are stored. They may be in a spreadsheet in the cloud, or in plain text on a worker’s phone. They’re simply untraceable.
SSO and password managers
The average business user manages hundreds of passwords, and some won’t be accessible via your SSO provider.
For those companies, an enterprise-ready password manager makes it easy to generate strong, unique passwords. Like SSO, it’s much more secure than trying to manage all those logins manually – and it’s more convenient than typing out dozens of passwords each day.
If you’ve installed 1Password in the browser, for example, you’ll see a suggested password when you create a new login. With a single click, you can save the new login to your 1Password account. The next time you visit that site, 1Password will automatically fill in the login details, including time-based one-time passwords (TOTP) for sites that support it.
Since all your login details are stored in your account, password managers make it virtually impossible to forget any of your credentials, which in turn reduces IT help desk tickets. As long as you remember your unique account password, you’ll always have access to the sites and services you need to get things done.
Enterprise password managers like 1Password also protect much more than passwords. 1Password makes secrets management simple, whether those secrets are passwords, medical records, sensitive documents, or even the SSH keys and API tokens that developers use to gain access to digital infrastructure.
For these reasons, small businesses often start with a company-wide password manager and add in an SSO solution later. 64% of large firms utilize SSO, which is nearly 50% more than medium-sized companies, and more than twice that of small organizations, according to cloud security firm Bitglass.
SSO and password managers: a comprehensive security suite
The bottom line: SSO is an effective way for organizations to simplify the sign-in process and enforce blanket security protocols for everything within the SSO framework.
For everything else, password managers eliminate the blind spots that shadow IT leaves in its wake and protect all of your sensitive information, whatever that may be.
Together, SSO and password managers form a strong foundation for any enterprise security framework.