Single sign-on (SSO) is an authentication method that lets users prove their identity to many applications with a single set of credentials. From a security standpoint, SSO is the gold standard. It grants access without forcing users to remember multiple passwords, and it can be further hardened with MFA at the identity provider. Moreover, an estimated 61% of attacks stem from stolen credentials. By removing per-application usernames and passwords, the attack surface shrinks as well. SSO also helps companies meet strict compliance regulations, not only by securing their accounts but by helping them demonstrate that they have taken the necessary steps to satisfy regulatory requirements.
While SSO is an important step in securing SaaS apps and their data, having only SSO in place to secure the SaaS stack in its entirety is not enough. SSO alone will not stop a threat actor from accessing a SaaS app. It also will not protect SaaS apps that are onboarded without the IT team's knowledge or approval.
Organizations need to take additional steps to secure valuable data within their SaaS stack. Here are five use cases where SSO on its own falls short.
Companies Are NOT Enforcing SSO-Only Login
Nearly every SaaS app can integrate with an SSO provider, and most organizations enable it. Our research shows that an astounding 95% allow their employees to log into Salesforce with SSO. However, fewer than 5% of those companies require SSO login. Rather than use a proven, highly secure access governance tool, they still allow employees to access their SaaS with a local username and password.
SSO is most effective when companies eliminate access with local credentials. As long as the local login path stays open, every control attached to the identity provider (MFA, conditional access, session policies) can be bypassed by anyone holding the application's own username and password. Companies with SSO can therefore still be victimized by threat actors who steal credentials and log in through the front door.
Admins Require Non-SSO Access
Even in organizations that require SSO, administrators need to be able to log in directly to the application. Most applications prefer that admins keep direct login access with a username and password so they can respond to an SSO outage or other issues.
This is particularly problematic considering that admin access is the most coveted access for threat actors. By capturing those credentials, cyber-criminals gain full access to the entire app instance, enabling them to create new user accounts, download data, or encrypt data and hold it for ransom. Companies that rely solely on SSO for SaaS security can be blindsided by infiltrations of admin accounts through a username and password. The practical mitigation is to treat these as break-glass accounts: keep as few as possible, enable the application's native MFA on them, and alert on any successful login, since outside an outage they should never be used.
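The two gaps above (SSO enabled but not enforced, and admins holding local passwords) both show up in an application's login history. The script below is an added example and not code from the article or from Adaptive Shield: it audits constructed login records, where the event shape, the method names and the user list (including the hypothetical `breakglass-admin` account) are all assumptions made for the example. Real login-history exports carry equivalent fields, typically a login type and a username.

```python
"""
Added example, not from the original article: audit a SaaS application's
login history for password logins that bypass SSO. The event format, the
method names and every record below are constructed for this example.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Set

SSO_METHODS = {"saml_idp_initiated", "saml_sp_initiated", "oidc"}
LOCAL_METHODS = {"password"}


@dataclass(frozen=True)
class LoginEvent:
    user: str
    method: str
    success: bool


# Constructed sample: alice can use SSO but still has a working password,
# bob is hit by a password-guessing run that eventually succeeds, jdoe-admin
# is an administrator logging in with a password, and breakglass-admin is
# the one documented emergency account.
SAMPLE_EVENTS = [
    LoginEvent("alice", "saml_idp_initiated", True),
    LoginEvent("alice", "password", True),
    LoginEvent("bob", "password", False),
    LoginEvent("bob", "password", False),
    LoginEvent("bob", "password", False),
    LoginEvent("bob", "password", True),
    LoginEvent("carol", "saml_sp_initiated", True),
    LoginEvent("jdoe-admin", "password", True),
    LoginEvent("breakglass-admin", "password", True),
]
ADMINS = {"jdoe-admin", "breakglass-admin"}
BREAK_GLASS = {"breakglass-admin"}  # hypothetical documented emergency accounts


def audit_logins(events: Iterable[LoginEvent], admins: Set[str],
                 break_glass: Set[str]) -> Dict[str, object]:
    """Split users by how they authenticated and surface the risky cases."""
    sso_users: Set[str] = set()
    local_users: Set[str] = set()
    failed_password: Counter = Counter()
    for e in events:
        if e.method in LOCAL_METHODS and not e.success:
            failed_password[e.user] += 1
        if not e.success:
            continue
        if e.method in SSO_METHODS:
            sso_users.add(e.user)
        elif e.method in LOCAL_METHODS:
            local_users.add(e.user)
    return {
        # SSO works for these users but is not enforced: both paths succeed.
        "sso_not_enforced": sorted(local_users & sso_users),
        # Never seen on SSO at all: the password is their only door.
        "local_only": sorted(local_users - sso_users - break_glass),
        # Highest severity: admin credentials usable without the IdP.
        "admin_local_logins": sorted((local_users & admins) - break_glass),
        # Expected to be empty outside an incident; any entry needs review.
        "break_glass_used": sorted(local_users & break_glass),
        # Failed password attempts only exist because the local path exists.
        "failed_password_attempts": dict(failed_password),
    }


if __name__ == "__main__":
    for finding, value in audit_logins(SAMPLE_EVENTS, ADMINS, BREAK_GLASS).items():
        print(f"{finding}: {value}")
```

Run against a real export, the `sso_not_enforced` list is the direct measure of the 95%-enabled-versus-5%-required gap: every user in it has SSO available and a live local password at the same time.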
SSO Can't Help with Over-Permissioned or Malicious Third-Party Applications
Third-party apps integrate with hub applications to provide additional functionality or improve processes. The majority of these integrations are harmless and improve employee productivity. However, as noted in the 2023 SaaS to SaaS Access report, 39% of apps that connect to Microsoft 365 request scopes that allow them to write, read, and delete files and emails.
Occasionally, a connected app may be malicious and use the permissions it was granted to steal or encrypt sensitive information from within the application. Because a connected app acts through an OAuth grant rather than an interactive login, the SSO provider's MFA and conditional access policies never come into play for its requests.
SSO has no visibility into third-party applications, their permission scopes, or their functionality. It has no way to alert security teams or app owners when a third-party application is putting the company at risk.
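The risk in the 39% figure comes from what a granted scope allows, not from how the user signed in, so it has to be assessed from the consent grants themselves. The script below is an added example and not code from the article or from Adaptive Shield: it scores a constructed list of connected apps by their Microsoft Graph permissions. The app names and their grants are assumptions made for the example; the scope strings are real Microsoft Graph permission names, which follow the pattern Resource.Operation[.Constraint] (for example Files.ReadWrite.All), and in Graph a ReadWrite permission covers create, update and delete.

```python
"""
Added example, not from the original article: rank third-party apps
connected to a Microsoft 365 tenant by the Microsoft Graph permissions they
hold. The app list is constructed; the scope names are real Graph
permission names (Resource.Operation[.Constraint]).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SCOPE_RE = re.compile(
    r"^(?P<resource>[A-Za-z]+)\.(?P<op>[A-Za-z]+)(?:\.(?P<constraint>[A-Za-z]+))?$"
)
# Resources holding the mail and files the article is concerned with.
SENSITIVE_RESOURCES = {"Mail", "Files", "Sites", "MailboxSettings", "Contacts", "Calendars"}
WRITE_OPS = {"ReadWrite", "Send", "Manage"}  # create/update/delete, or send as the user
READ_OPS = {"Read", "ReadBasic"}


@dataclass
class ScopeRisk:
    scope: str
    resource: Optional[str]
    can_read: bool
    can_write: bool
    broad: bool       # .All / .Shared: reaches beyond the user's own items
    persistent: bool  # offline_access: refresh tokens, works without the user present
    score: int


def classify_scope(scope: str) -> ScopeRisk:
    """Parse one Graph permission name into what it lets the app do."""
    if scope == "offline_access":
        return ScopeRisk(scope, None, False, False, False, True, 1)
    m = SCOPE_RE.match(scope)
    if not m:  # openid, profile, email and anything unrecognised
        return ScopeRisk(scope, None, False, False, False, False, 0)
    resource, op, constraint = m.group("resource"), m.group("op"), m.group("constraint")
    can_write = op in WRITE_OPS
    can_read = op in READ_OPS or op == "ReadWrite"
    broad = constraint in {"All", "Shared"}
    score = 0
    if resource in SENSITIVE_RESOURCES:
        score += 3 if can_write else (1 if can_read else 0)
        if broad:
            score += 2
    return ScopeRisk(scope, resource, can_read, can_write, broad, False, score)


@dataclass
class AppReport:
    name: str
    score: int
    write_resources: List[str]
    persistent: bool


def audit_apps(apps: Dict[str, List[str]]) -> List[AppReport]:
    """Score every app and return them from riskiest to least risky."""
    reports = []
    for name, scopes in apps.items():
        risks = [classify_scope(s) for s in scopes]
        reports.append(AppReport(
            name=name,
            score=sum(r.score for r in risks),
            write_resources=sorted({r.resource for r in risks if r.can_write and r.resource}),
            persistent=any(r.persistent for r in risks),
        ))
    return sorted(reports, key=lambda r: (-r.score, r.name))


def over_permissioned(apps: Dict[str, List[str]], threshold: int = 4) -> List[str]:
    """Names of apps whose combined grants cross the review threshold."""
    return [r.name for r in audit_apps(apps) if r.score >= threshold]


# Constructed sample of consent grants; the app names are hypothetical.
SAMPLE_APPS = {
    "Calendar Helper": ["User.Read", "Calendars.Read", "offline_access"],
    "Doc Sync Pro": ["User.Read", "Files.ReadWrite.All", "offline_access"],
    "Mail Merge": ["User.Read", "Mail.ReadWrite", "Mail.Send", "offline_access"],
    "Sign-in Only": ["openid", "profile", "email"],
}

if __name__ == "__main__":
    for r in audit_apps(SAMPLE_APPS):
        print(f"{r.score:2d} {r.name:16s} writes={r.write_resources} persistent={r.persistent}")
```

The scoring weights are a judgement call for the example; what carries over to real grant data is the split it makes: write access to mail or files, a broad constraint, and offline_access each change what an attacker who controls the app can do, and none of them is visible from the SSO side.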
SSO Should Work with a SaaS Security Posture Management Solution (SSPM)
SaaS security is at its strongest when done in coordination with SSO. An SSO solution together with an SSPM solution enables holistic identity and access governance, such as de-provisioning users: SSO handles access control and is an integral part of identity and access management. SaaS Security Posture Management solutions, like Adaptive Shield, also go beyond access control, adding layers of protection in the areas where SSO is weak, such as identifying misconfigurations, discovering connected third-party applications, identifying device hygiene issues, and managing data loss.