First, let’s get this out of the way: SaaS vendors that lock Single Sign-On (SSO) behind enterprise-only plans are disadvantaging their customers and the industry. It’s no surprise that the US government’s Secure by Design Pledge expects vendors to provide SSO in the baseline version of their products. But this article isn’t complaining about vendors who don’t do this–it’s more pragmatic than that.
What should you do with the products that you had to purchase without SSO? Let’s understand the role that SSO plays in modern defense architecture. Then, we’ll cover how to implement similar security controls without such a centralized control mechanism.
First, why is SSO so important to security and IT professionals? It acts as a chokepoint. Defenders have historically used choke points to control attackers. Numerous examples include:
Just as historical defenders leveraged choke points to concentrate their resources and control the flow of attackers, SSO centralizes authentication, creating a single, controlled entry point for accessing multiple systems.
Centralizing authentication through an SSO provider allows efficient enforcement of security measures, account management, access monitoring, and attack surface reduction:
These benefits don’t apply to the SaaS products onboarded without standards-based SSO, putting defenders at a significant disadvantage.
When purchasing a SaaS product without SSO (and SCIM) support, organizations must compensate for the loss of security measures by:
Next, document the required security measures for SaaS products without SSO (and SCIM). Responsibilities may be assigned to IT, cybersecurity teams, or business units. Define expectations for:
Organizations should recognize that they take on these burdens when purchasing SaaS products without SSO. If they cannot commit to these security measures, they must either accept the increased risk that the SaaS product will be compromised or look for an alternative product that offers SSO.
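The compensating measures above are largely manual, which is exactly what makes them easy to skip. One way to make account management and access monitoring repeatable for an app without SSO or SCIM is a periodic reconciliation of the app's own user export against the identity provider's list of active people. The script below is an added illustration, not code from the article or from Axonius: the user export format, the identity list and the 90-day dormancy threshold are constructed assumptions, and the review function flags accounts that should be deprovisioned, accounts without MFA, dormant accounts and privileged accounts for review.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed sample data (assumption): the kind of user list an admin
# might export from a SaaS console that has no SSO or SCIM integration.
SAAS_USERS = [
    {"email": "alice@example.com", "role": "admin", "mfa": True,  "last_login": "2024-09-10"},
    {"email": "bob@example.com",   "role": "user",  "mfa": False, "last_login": "2024-09-01"},
    {"email": "carol@example.com", "role": "user",  "mfa": True,  "last_login": "2024-03-02"},
    {"email": "dave@example.com",  "role": "admin", "mfa": True,  "last_login": "2024-09-12"},
    {"email": "contractor@partner.example", "role": "user", "mfa": False, "last_login": "2024-08-30"},
]

# Constructed sample data (assumption): identities the IdP / HR system of
# record currently considers active. Without SCIM, nothing pushes changes
# from here to the SaaS app, so the two lists drift apart over time.
ACTIVE_IDENTITIES = {"alice@example.com", "bob@example.com", "dave@example.com"}


@dataclass
class Findings:
    """Accounts that need a human decision or a manual admin action."""
    orphaned: list[str] = field(default_factory=list)  # in the app, not active in the IdP: deprovision
    no_mfa: list[str] = field(default_factory=list)    # MFA cannot be enforced centrally, so check per app
    dormant: list[str] = field(default_factory=list)   # no login within the threshold: disable or remove
    admins: list[str] = field(default_factory=list)    # privileged accounts to re-certify


def review_saas_users(users, active_identities, today, dormant_days=90):
    """Reconcile a SaaS user export against the active-identity list.

    Returns a Findings object; every list holds lower-cased e-mail addresses
    in the order they appear in the export.
    """
    findings = Findings()
    cutoff = today - timedelta(days=dormant_days)
    active = {e.lower() for e in active_identities}
    for user in users:
        email = user["email"].lower()
        if email not in active:
            # Left the organization, or was never in the IdP (e.g. an external
            # collaborator added directly in the app); either way it needs review.
            findings.orphaned.append(email)
        if not user["mfa"]:
            findings.no_mfa.append(email)
        if date.fromisoformat(user["last_login"]) < cutoff:
            findings.dormant.append(email)
        if user["role"] == "admin":
            findings.admins.append(email)
    return findings


def summarize(findings):
    """Counts per category, convenient for a ticket or a dashboard metric."""
    return {
        "orphaned": len(findings.orphaned),
        "no_mfa": len(findings.no_mfa),
        "dormant": len(findings.dormant),
        "admins": len(findings.admins),
    }


if __name__ == "__main__":
    result = review_saas_users(SAAS_USERS, ACTIVE_IDENTITIES, today=date(2024, 9, 16))
    for category, accounts in vars(result).items():
        print(f"{category:>9}: {', '.join(accounts) or '-'}")
```

Run on a schedule (weekly is a common choice for the offboarding SLA many organizations commit to), with the SaaS export pulled from the app's admin API or a CSV download and the active-identity list from the IdP, the output becomes the work queue for whichever team owns the app's accounts. The same structure extends to other controls the article mentions: a column for the app's session or password policy, or a check that the admin list matches a documented approval list.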
In sum, the absence of SSO in SaaS products poses significant security challenges. Organizations can tackle them by enforcing SSO policies, negotiating for SSO capabilities, and implementing compensating security measures. By taking these steps, you can maintain robust security even without centralized access control, ensuring your SaaS environment remains secure and manageable.
Updated September 16, 2024
I transform ideas into successful outcomes, building on my 25 years of experience in cybersecurity. As the CISO at Axonius, I lead the security program to earn customers' trust. I'm also a Faculty Fellow at SANS Institute, where I author and deliver training for incident responders. The diversity of cybersecurity roles I've held over the years, and the expertise I've accumulated, allow me to create practical solutions that drive business growth.