5 Reasons SSO Can’t Completely Solve SaaS Security

Single sign-on (SSO) has become a core security requirement for companies that want to implement SaaS security and a popular way to comply with the access control requirements defined in standards such as SOC 2 or ISO 27001. There are many benefits, such as better password policy enforcement, multifactor authentication, and less time wasted on password recovery, among others. SSO works well for sanctioned applications that have been integrated with the SSO solution. However, the world of SaaS has changed dramatically, and organizations are now finding that 80% of the SaaS applications used by employees are not in their SSO portals. The reasons for this are both technical and operational, and the problem is getting worse every day.

Recent research from Grip Security polled 100 CISOs to understand how SSO has helped companies improve their SaaS security and why more SaaS applications are not monitored through their SSO implementations. The respondents confirmed that SSO is a key component of their overall architecture, but identified five key reasons why SSO cannot fully solve the SaaS security problem.

SSO License Cost

SaaS companies fully realize that SSO is a core security requirement for most enterprises, and they charge a hefty premium to allow companies to manage their users through a third-party identity provider. The site sso.tax displays what it calls ‘The SSO Wall of Shame’, which shows the difference between base pricing and SSO pricing. In many cases, vendors charge 200% or more of the base price for users managed through SSO. Another common tactic is to bundle SSO integration with other features in an enterprise tier with large user minimums and contract minimums. The increase in licensing costs can force CISOs to choose between security and the exorbitant licensing fees, and many forgo SSO integration as a result.

SSO Isn’t Supported

SSO vendors have an extensive list of pre-integrated applications that are supported, and they are constantly adding more. The problem is that new SaaS applications are created and come online every day, and the pace of new applications is far higher than the pace of new integrations. The reality is that, today, many workers also use consumer applications for work, and these are unlikely to support SSO integration. In this case, companies may want to add the application to their SSO product but are unable to do so.

Third-Party-Owned SaaS

Even if an application is supported by the SSO product, there are instances when the company cannot integrate it. One scenario where this frequently occurs is when two companies are collaborating but use different cloud-based storage applications. Company A might use Box.com while Company B uses Dropbox. When Company A’s employee sends a Box.com file or folder to Company B’s employee for collaboration, Company B’s employee must create a Box.com account. In this scenario, the security team at Company B would not even be aware of the Box.com account, and even if they were, they would not be able to add it to their SSO product since they do not own the subscription.

SSO Implementation Backlog

Assuming the security or IT team knows which SaaS applications are being used and SSO is supported, the applications may still not be set up in the SSO product. Most companies have a backlog of applications waiting to be added to their SSO portal. Adding them requires IT or security to evaluate the risk and prioritize the work. Once an application has been identified for SSO, the SSO upgrade license needs to be purchased, which usually means a significant budget increase and a new contract. If it is a new vendor, it would need to go through the entire vendor onboarding process, which is not easy at large enterprises. Especially in today’s world, facing one of the worst staffing shortages the industry has seen and with an unprecedented existing workload, working through the SSO backlog is a cumbersome process that often gets deprioritized.

Shadow SaaS

Employees today expect to be able to use any SaaS application they want, at any time, to get their job done; increasingly, they simply go out and acquire it themselves. New applications are created daily, and employees will adopt them if they find them useful. As a result, most companies have a serious SaaS sprawl problem, and it has reached the point where IT and security teams can no longer manage these applications effectively. The problem with this so-called ‘shadow SaaS’ is that these apps are completely unknown to the company, meaning they cannot be monitored or shut down even when an employee is no longer with the company. This poses a far greater risk than applications that are known but not supported by SSO.

What’s the Solution?

Employees are going to use SaaS to get their job done, and that means a company’s SaaS security strategy needs to take this into account. The solution starts with discovery but does not end there, since SSO cannot take over automatically once a new SaaS application has been discovered. In addition to discovery, access control and data governance are required.
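The discovery step described above can be started from data most organizations already have: the list of applications federated to the identity provider, and web proxy or DNS logs showing which SaaS domains employees actually reach. The script below is an added example written for this page, not code from the original post or from Grip Security; the catalog of SaaS domains, the SSO-integrated app inventory, the HR list of departed users and the proxy log lines are all constructed sample data. It reports every catalog application seen in the logs that is not behind SSO (the "shadow SaaS" and third-party-owned cases above, including the Box/Dropbox scenario), and separately flags unmanaged apps used by people who have since left, since those accounts cannot be deprovisioned through SSO.

```python
"""Shadow-SaaS discovery: compare SaaS domains seen in proxy logs against the
applications that are integrated with the identity provider (SSO)."""
from urllib.parse import urlsplit

# Constructed inventory: apps already federated to the IdP, keyed by registrable domain.
SSO_INTEGRATED_APPS = {"box.com", "salesforce.com"}

# Constructed catalog of SaaS domains the discovery job recognises.
SAAS_CATALOG = {
    "box.com": "Box",
    "dropbox.com": "Dropbox",
    "notion.so": "Notion",
    "salesforce.com": "Salesforce",
    "trello.com": "Trello",
}

# Constructed HR feed: users who have left the company.
DEPARTED_USERS = {"bob"}

# Constructed proxy log, one request per line: "<timestamp> <user> <url> <status>"
PROXY_LOG = """\
2024-03-01T09:12:01Z alice https://app.box.com/folder/123 200
2024-03-01T09:15:44Z bob https://www.dropbox.com/login 200
2024-03-01T09:16:02Z carol https://www.notion.so/login 200
2024-03-01T10:01:13Z alice https://www.dropbox.com/s/abc 200
2024-03-01T10:05:50Z dave https://trello.com/b/xyz 200
2024-03-01T10:07:20Z alice https://example.org/news 200
2024-03-01T10:09:00Z carol https://login.salesforce.com/ 200
malformed line that should be skipped
"""


def catalog_lookup(host):
    """Map a hostname to a catalog domain by trying progressively shorter suffixes,
    so app.box.com and login.salesforce.com resolve to box.com / salesforce.com."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in SAAS_CATALOG:
            return candidate
    return None


def parse_log(text):
    """Parse proxy log lines into (timestamp, user, host, status) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed lines instead of aborting the whole run
        ts, user, url, status = parts
        host = urlsplit(url).hostname
        if host:
            events.append((ts, user, host, int(status)))
    return events


def discover(text):
    """Return {app_name: {"managed": bool, "users": set}} for every catalog app seen."""
    seen = {}
    for _ts, user, host, _status in parse_log(text):
        domain = catalog_lookup(host)
        if domain is None:
            continue  # not a SaaS app we track (e.g. a news site)
        app = SAAS_CATALOG[domain]
        entry = seen.setdefault(
            app, {"managed": domain in SSO_INTEGRATED_APPS, "users": set()}
        )
        entry["users"].add(user)
    return seen


def shadow_saas_report(text):
    """Apps in use that are NOT behind SSO, with the users seen on each."""
    return {
        app: sorted(entry["users"])
        for app, entry in discover(text).items()
        if not entry["managed"]
    }


def departed_user_exposure(text):
    """Unmanaged apps that departed users were seen on: accounts SSO cannot revoke."""
    exposure = {}
    for app, users in shadow_saas_report(text).items():
        departed = sorted(set(users) & DEPARTED_USERS)
        if departed:
            exposure[app] = departed
    return exposure


if __name__ == "__main__":
    for app, users in shadow_saas_report(PROXY_LOG).items():
        print(f"not behind SSO: {app:<10} users={users}")
    for app, users in departed_user_exposure(PROXY_LOG).items():
        print(f"departed users still had accounts on {app}: {users}")
```

Feeding the script a real proxy export and the app list from your identity provider gives the first cut of the backlog discussed earlier; the departed-user check is the part SSO alone can never cover, because offboarding through the identity provider only reaches accounts the provider knows about.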

Young-Sae Song

Young-Sae Song is a category-creating CMO with a proven track record of scaling marketing teams for rapidly growing companies. He has a deep understanding of technology and combines it with expertise in articulating compelling messages and value propositions to help companies identify and penetrate their target markets. His experience spans public corporations and market-disrupting startups including AMD, Menlo Security, and Arctic Wolf. Young-Sae received his BS in industrial engineering from Northwestern University and an MBA from the Booth School of Business.