Why Your SSO Implementation Will Fail

Single sign-on (SSO) is one of the best ways to improve the employee experience in cybersecurity. Unlike other improvements, the heavy lifting of SSO happens outside the view of most employees. While it makes a tremendous difference, it’s not magical; it still requires careful management and the right tools to succeed. To help you achieve a seamless SSO experience, we’ve prepared a short guide to the most common SSO problems.

Why Should You Bother Studying Management Mistakes Anyhow?

Studying mistakes is one of the most helpful ways to detect problems. Part of success in cybersecurity lies in learning what can go wrong. Only when you understand those mistakes can you make improvements. It’s far cheaper and better for your reputation to learn from others’ mistakes.

The SSO Management Mistakes You Need to Know About

As you review these SSO management mistakes, ask yourself one question. The question to ask isn’t, “Have I heard of this issue before?” The better question to ask is this: “Is my organization vulnerable to this issue?” Now, it’s time to dive into the different SSO management problems.

  1. Falling Victim to Password Reuse Disease

When your organization requires users to create and manage multiple passwords, what happens in practice? Your employees are likely to reuse passwords (or slight variations of passwords) repeatedly. An academic study titled “The Tangled Web of Password Reuse” found that 43% of users reuse their passwords.

Password reuse disease shows up in different ways. Users might use the same password multiple times within your company. They may also use a password from home at work. Using single sign-on cuts down the incidence of reuse by relieving users of the burden of having to memorize multiple passwords.

Even if you implement SSO correctly, password reuse disease won’t be eliminated from your organization. To help you address this serious condition, check out the following post: “Treating Password Reuse Disease In Three Steps.”

  2. Neglecting to Earn Stakeholder Support for SSO

It’s project management 101, but some security managers still make this mistake. If you want a new SSO solution to become effective, you need support from others in your organization. Let’s say you’re a manager in the technology group. Whom else do you need to consider as stakeholders? Depending on the organizational structure, you may want to consider the following:

  • End users: Aim to recruit a few front-line business users who’ll benefit from SSO each day. You’re not looking to them for technical advice; instead, they can play a role in testing the new application.
  • Risk and compliance: If these departments exist at your organization, seek their input. Ideally, they’ll support SSO since it reduces the organization’s risk.
  • The HR department: HR may have views about how and when to communicate with employees. It may be a valuable supporter of the change management process.

If you skip engaging stakeholders, SSO implementation will be less effective.

  3. Assuming SSO Implementation Solves All Cybersecurity Problems

Is it possible to become too excited about the benefits of Single Sign-On? Yes, it is. Technologists regularly get excited about new technology, and tinkering with it is enjoyable; however, it’s important to be realistic about how much you can achieve with SSO. If you “oversell” SSO, you run the risk of encouraging staff to forget their other cybersecurity responsibilities.

  4. Failing to Update Your Cybersecurity Program after Implementing SSO

There’s no such thing as a completed cybersecurity program. New hacking tools, state-sponsored attacks, and employee turnover are just a few of the reasons why no security defense program can stand still. Here are three ways you can update your cybersecurity program after you implement SSO for the first time.

  • Metrics: Are the IT metrics you track each month still helpful? You may be able to retire some metrics (e.g., number of password resets per month).
  • Adjust cybersecurity training: If employees are using a single password to access all company systems, choosing a robust password matters a great deal! You may want to improve your cybersecurity training to emphasize tips and tactics focused on improving employee passwords.
  • Cybersecurity goals: With SSO in place, it’s time to revisit your security goals. For example, you may be able to redirect resources from security operations to focus on different problems.

  5. Failing to Monitor for SSO Gaps

If you have a large company with dozens of different systems, you’ll soon face a harsh truth about SSO: it’s difficult to fully implement SSO and cover every system. That means there will still be some systems outside your SSO implementation that need to be managed. You may decide to accept that risk or make a plan to onboard those systems to your SSO solution.

If your SSO program is comprehensive today, that’ll change in the future. When employees add new cloud services, you need a way to identify those changes and integrate them with your SSO.

  6. Leaving SSO Accounts in Place Too Long

A Single Sign-On account is a powerful instrument. It gives an employee the ability to quickly access all of his or her files and applications at work. What if that employee is lured away to a competitor and feels pressured to “borrow” a few company secrets? Yikes! If an SSO-enabled user account is misused, you might be in for a rude awakening.

Overcoming this issue starts with identifying the risk properly. We recommend working with the human resources department. To find out more about this strategy, read the following post: “Reduce Employee Fraud Risk: 5 Ways to Improve Offboarding.”
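The two checks described above (applications in use but outside SSO, and SSO accounts that outlive an employee’s departure) can be run as a routine reconciliation. The following is an added example, not code from the original post or from any vendor; the HR roster, the identity-provider exports and their field names are constructed assumptions for illustration.

```python
from datetime import date

# Constructed sample data (not from the original post). Field names and the
# shape of the HR / identity-provider exports are assumptions for this example.
HR_ROSTER = [
    {"email": "alice@example.com", "status": "active", "terminated_on": None},
    {"email": "bob@example.com", "status": "terminated", "terminated_on": "2024-03-01"},
    {"email": "carol@example.com", "status": "terminated", "terminated_on": "2024-05-30"},
]
SSO_USERS = [
    {"email": "alice@example.com", "enabled": True},
    {"email": "bob@example.com", "enabled": True},    # terminated months ago, still enabled
    {"email": "carol@example.com", "enabled": True},  # terminated two days ago (inside grace)
    {"email": "dave@example.com", "enabled": True},   # no HR record at all
]
SSO_APPS = {"crm", "wiki", "payroll"}
# Applications observed in use, e.g. from expense reports or a web-proxy inventory.
OBSERVED_APPS = {"crm", "wiki", "payroll", "designtool", "filesharing"}


def stale_sso_accounts(roster, sso_users, today_iso, grace_days=3):
    """Return (stale, orphans): stale = terminated employees whose SSO account is
    still enabled after the grace period; orphans = enabled SSO accounts with no
    HR record, which need an owner before they can be judged."""
    today = date.fromisoformat(today_iso)
    enabled = {u["email"] for u in sso_users if u["enabled"]}
    by_email = {p["email"]: p for p in roster}
    stale = []
    for email in sorted(enabled):
        person = by_email.get(email)
        if person is None:
            continue
        if person["status"] != "terminated" or not person["terminated_on"]:
            continue
        gone_for = (today - date.fromisoformat(person["terminated_on"])).days
        if gone_for >= grace_days:
            stale.append(email)
    orphans = sorted(enabled - by_email.keys())
    return stale, orphans


def sso_gaps(sso_apps, observed_apps):
    """Return applications in use that are not federated through the SSO provider."""
    return sorted(observed_apps - sso_apps)


if __name__ == "__main__":
    stale, orphans = stale_sso_accounts(HR_ROSTER, SSO_USERS, "2024-06-01")
    print("Enabled SSO accounts of terminated staff:", stale)
    print("Enabled SSO accounts with no HR record:", orphans)
    print("Applications in use but outside SSO:", sso_gaps(SSO_APPS, OBSERVED_APPS))
```

Each item the script reports is a ticket for either the offboarding process (disable the account, find an owner) or the SSO onboarding plan (federate the application or formally accept the risk).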

  7. Building an Internal SSO Solution

Unless you have a large cybersecurity department with plenty of time on its hands, you shouldn’t develop your own SSO solution. Instead, you should focus on using an off-the-shelf product. For example, look at Avatier’s Single Sign-On software solution. Not only does it make life easier for employees, but it also saves time for managers. You can assign SSO application access based on role rather than customizing the setup each time.

Written by Nelson Cicchitto