
Single sign-on (SSO) is an authentication method that allows users to authenticate their identity to multiple applications with only one set of credentials. From a security perspective, SSO is the gold standard. It gives users access without requiring them to remember multiple passwords, and it can be further protected with MFA. Additionally, an estimated 61% of attacks are due to stolen credentials, so eliminating usernames and passwords also reduces the attack surface. SSO helps businesses meet stringent compliance regulations by not only allowing them to secure their accounts, but also demonstrating that they have taken the necessary steps to meet regulatory requirements.
SSO is an important step in securing SaaS apps and their data, but just having SSO in place is not enough to secure the entire SaaS stack. SSO alone does not prevent attackers from accessing SaaS apps. It also does not protect SaaS apps that were onboarded without the knowledge or approval of the IT team.
Organizations should take additional steps to protect valuable data within their SaaS stack. Here are five use cases where SSO alone isn’t enough.
See how Adaptive Shield can help protect your entire SaaS stack.
Companies are not enforcing SSO-only logins
Almost any SaaS app can be integrated with SSO, and most organizations have it enabled. Our research shows that in a staggering 95% of cases, employees are allowed to log in to Salesforce using SSO. However, less than 5% of companies require SSO login. The rest allow employees to access SaaS with a username and password rather than through a proven, highly secure access-governance tool.
SSO is most effective when an enterprise eliminates local credential access. By allowing access with local credentials, businesses using SSO can fall victim to threat actors who steal credentials and log in through the front door.
Administrators need non-SSO access
Even in organizations that require SSO, administrators are typically able to log in directly to the application. Most applications prefer to let administrators log in directly with a username and password so that they can handle SSO outages and other issues.
This is especially problematic given that admin access is the most coveted access for attackers. Obtaining admin credentials would give cybercriminals complete access to the entire app instance, allowing them to create new user accounts, download data, or encrypt data and hold it for ransom. Companies that rely solely on SSO for SaaS security can be caught off guard by a SaaS intrusion through an admin account that uses username and password credentials.
SSO is useless for overly permissive or malicious third-party applications
Third-party apps integrate with the hub application to provide additional functionality or improve processes. Most of these integrations are harmless and improve employee productivity. However, as noted in the 2023 SaaS to SaaS Access report, 39% of apps connecting to Microsoft 365 request scopes that allow them to write, read, and delete files and emails.
In some cases, connected apps are malicious and leverage the permissions they were granted to steal or encrypt sensitive information from within the application.
SSO has no knowledge of third-party applications, their permission scopes, or their capabilities. It has no way to alert security teams or app owners when third-party applications are putting the company at risk.
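The two gaps described above, unenforced SSO-only login and write-capable third-party scopes, can both be surfaced from exported sign-in events and app-consent records. The following Python is an added example, not the article's or Adaptive Shield's code; the event fields, user names and app names are constructed, while the scope strings are real Microsoft Graph permission names.

```python
# Constructed sample sign-in events (not real logs). "method" is an assumed
# field naming how the session was authenticated: the SSO provider ("saml")
# or a local username/password ("password").
SIGNINS = [
    {"user": "alice@example.com", "method": "saml", "admin": False},
    {"user": "bob@example.com", "method": "saml", "admin": False},
    {"user": "bob@example.com", "method": "password", "admin": False},
    {"user": "sfdc-admin@example.com", "method": "password", "admin": True},
]

# Constructed sample third-party app grants. The scope strings are real
# Microsoft Graph permission names; the app names are made up.
APP_GRANTS = [
    {"app": "Calendar Helper", "scopes": ["User.Read", "Calendars.Read"]},
    {"app": "Mail Sync Tool", "scopes": ["Mail.ReadWrite", "Files.ReadWrite.All"]},
    {"app": "Report Viewer", "scopes": ["Files.Read.All"]},
]

# Graph scopes that let an app create, modify or delete mail and files, the
# class of permission the report cited above calls out. Read-only scopes
# such as Files.Read.All are deliberately not in this set.
WRITE_SCOPES = {"Mail.ReadWrite", "Mail.Send", "Files.ReadWrite", "Files.ReadWrite.All"}


def local_credential_logins(events):
    """Map each user who logged in with a local password to a login count and
    an admin flag. Users who only ever came through SSO are not returned."""
    findings = {}
    for e in events:
        if e["method"] != "password":
            continue
        entry = findings.setdefault(e["user"], {"count": 0, "admin": e["admin"]})
        entry["count"] += 1
    return findings


def overprivileged_apps(grants):
    """Map each app holding a write-capable mail/file scope to those scopes."""
    return {g["app"]: sorted(WRITE_SCOPES.intersection(g["scopes"]))
            for g in grants if WRITE_SCOPES.intersection(g["scopes"])}


if __name__ == "__main__":
    for user, f in local_credential_logins(SIGNINS).items():
        tag = "ADMIN " if f["admin"] else ""
        print(f"{tag}{user}: {f['count']} password login(s) bypassed SSO")
    for app, scopes in overprivileged_apps(APP_GRANTS).items():
        print(f"{app}: can modify mail/files via {', '.join(scopes)}")
```

Admin accounts that appear in the first report are the ones the previous section warns about; apps in the second report are the ones SSO cannot see.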
Learn more about third-party app risks in the latest SaaS-to-SaaS Access Report
SSO must work with a SaaS Security Posture Management Solution (SSPM)
SaaS security is strongest when an SSPM solution is used in conjunction with SSO. Combining SSO and SSPM can provide comprehensive identity and access governance, including user deprovisioning. SSO handles access control and is an integral part of identity and access management. Beyond access control, SaaS Security Posture Management solutions such as Adaptive Shield add a layer of protection in the areas where SSO falls short: identifying misconfigurations, recognizing connected third-party applications, identifying device hygiene issues, and managing data loss.
Watch a 15 minute demo on how to secure your SaaS stack