The Limitations of SSO in Safeguarding SaaS Applications
Single sign-on (SSO) is a widely-used authentication method that allows users to access multiple applications using just one set of credentials. It is considered the gold standard for security as it eliminates the need for users to remember multiple passwords and can be further secured with multi-factor authentication (MFA).
In fact, an estimated 61% of attacks stem from stolen credentials, and SSO reduces the attack surface by removing usernames and passwords. Additionally, SSO helps companies meet strict compliance regulations by enabling businesses to secure their accounts and demonstrate that they have taken necessary steps to meet regulatory requirements.
However, having SSO alone in place to secure the entire SaaS stack is not enough. SSO by itself cannot prevent a threat actor from accessing a SaaS app, and it cannot protect SaaS apps that are onboarded without the IT team’s knowledge or approval. To secure valuable data within their SaaS stack, organizations need to take additional steps. Here are four use cases where SSO on its own falls short:
1. Companies Are NOT Enforcing SSO-Only Login: While nearly every SaaS app can integrate with an SSO provider, research shows that fewer than 5% of companies require SSO login. By still allowing access with local credentials, companies that have SSO can nonetheless be victimized by threat actors who steal those credentials and log in through the front door.
2. Admins Require Non-SSO Access: Even in organizations that require SSO, administrators need to be able to log in directly to the application. This is particularly problematic considering that admin access is the most coveted access to threat actors.
3. SSO Can’t Help with Over-Permissioned or Malicious Third-Party Applications: SSO providers have no visibility into third-party applications, their permission scopes, or their functionality. They have no way to alert security teams or app owners if a third-party application is putting the company at risk.
4. SSO Should Work with a SaaS Security Posture Management (SSPM) Solution: An SSO solution, together with an SSPM solution, enables holistic identity and access governance, such as de-provisioning users.
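As an added example (not code from the original article or from any SSPM vendor), the following audit walks a constructed set of SaaS login events and surfaces the gaps from points 1 and 2 above: users signing in with local credentials on apps that already have SSO available, admin accounts signing in outside SSO, and logins to apps that were never integrated with the SSO provider at all. The event fields, the app names and the set of SSO-enabled apps are all assumptions, not any vendor's log format.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    app: str        # SaaS application name (constructed)
    user: str       # account that signed in
    method: str     # "sso" or "local" (assumed normalized value)
    is_admin: bool  # whether the account holds an admin role in the app


# Constructed sample events; not taken from any real audit log.
SAMPLE_EVENTS = [
    LoginEvent("crm", "alice@example.com", "sso", False),
    LoginEvent("crm", "bob@example.com", "local", False),
    LoginEvent("crm", "admin@example.com", "local", True),
    LoginEvent("wiki", "carol@example.com", "sso", True),
    LoginEvent("wiki", "dave@example.com", "local", False),
    LoginEvent("hr", "erin@example.com", "local", False),
]

# Apps the IT team has integrated with the SSO provider (assumed inventory).
SSO_ENABLED_APPS = {"crm", "wiki"}


def audit_logins(events, sso_apps):
    """Group findings per app: local-credential users on SSO-enabled apps,
    admins who bypassed SSO, and apps seen in logins but not in the SSO inventory."""
    findings = defaultdict(
        lambda: {"local_users": set(), "admin_non_sso": set(), "unmanaged": False}
    )
    for ev in events:
        f = findings[ev.app]
        if ev.app not in sso_apps:
            # Login to an app IT never onboarded into SSO: possible shadow SaaS.
            f["unmanaged"] = True
            continue
        if ev.method != "sso":
            f["local_users"].add(ev.user)
            if ev.is_admin:
                f["admin_non_sso"].add(ev.user)
    return dict(findings)


def sso_enforcement_ratio(events, sso_apps):
    """Share of logins to SSO-enabled apps that actually went through SSO."""
    managed = [e for e in events if e.app in sso_apps]
    if not managed:
        return 0.0
    return sum(e.method == "sso" for e in managed) / len(managed)
```

A ratio well below 1.0 for an SSO-enabled app is the measurable form of "SSO is available but not enforced"; any entry in admin_non_sso deserves review regardless of the ratio.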
In conclusion, while SSO is an important step in securing SaaS apps and their data, additional measures are necessary to protect against threats. Companies should consider implementing an SSPM solution in coordination with an SSO solution for a holistic approach to security.