CISA Announces New Guidance for Single Sign-on Adoption

On June 20th, 2024, the Cybersecurity & Infrastructure Security Agency (CISA) released new guidance: “Barriers to Single Sign-On (SSO) Adoption for Small and Medium-Sized Businesses: Identifying Challenges and Opportunities”.

What is SSO? 

Single Sign-On is a software technology that provides authentication and identity verification for a user across multiple applications, websites, and tools with one set of credentials. Traditionally, users must create individual accounts with separate passwords for each application and website. With SSO, all of these services can be accessed with a single account and password.

When a user logs onto the first tool in the SSO environment, they must submit their credentials. If these credentials are recognized, an authentication token for the user is created. When the user then logs onto other tools and applications in the SSO environment, those systems check the token instead of asking for the credentials again, and allow access if the token is valid.

SSO tools also provide a single, unified tool for user credential management. Users’ accounts change throughout their time at an enterprise for various reasons. Without an SSO solution in place, each account for each user must be managed and updated in its own system. With SSO in place, changes and maintenance for user authentication can be performed for all of these systems in one place.

SSO Benefits 

CISA’s new guidance lays out a variety of benefits that an organization can gain from implementing an SSO solution. While the largest benefit is the improvements it makes to an organization’s security posture, it provides the following benefits as well:  

  • When users don’t need to establish and maintain multiple accounts, password duplication across platforms is reduced. This reduces the potential for password leakage and shrinks an organization’s overall attack surface. Similarly, the fewer passwords a user has, the less chance there is of one being compromised. It also reduces the amount of personal information shared among service providers.
  • With SSO, when a user logs out, they are logged out of all tools and applications in the SSO environment. This reduces incidents in which users stay logged onto accounts unintentionally. It also reduces the risk of unmanaged accounts existing unnoticed on an enterprise’s systems.
  • SSO offers a significantly improved user experience. It makes the login process simpler when accessing multiple systems. It also makes password management a more streamlined process, no longer forcing the user to reset individual passwords for each of the different tools and programs they use. These improvements can lead to an increase in user productivity and satisfaction.
  • SSO provides administrators and managers who oversee user accounts a unified tool to manage accounts on multiple applications within one resource, thus saving the enterprise time and money.
  • SSO provides a more streamlined authentication and access system that can reduce the barriers to the adoption of additional IT solutions. Similarly, SSO adoption could also encourage Small and Medium Businesses (SMBs) to pivot toward more online business.

With SSO in place, authentication for multiple systems can be managed centrally, simplifying user access. However, it’s important to note that while SSO handles authentication, the specific privileges and permissions within each system still need to be managed individually. This means that although users can access various systems through SSO, the authorization for what they can do within each system is maintained separately and may change over time.
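The token flow described under “What is SSO?” and the authentication/authorization split described just above can be seen end to end in a small model. The following is an added example, not code from CISA or from any SSO product: a toy identity provider (IdP) that checks the password once and mints an HMAC-signed session token, two relying applications that accept that token instead of a password but keep their own permission tables, and a single-logout and deprovisioning step that revokes access everywhere at once. The shared HMAC key, the one-hour token lifetime, the user names and the permission tables are all constructed for the example; a production deployment would use a standards-based protocol rather than a hand-rolled token.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed example: a toy identity provider (IdP) and two relying applications.
# Assumption: the IdP and the apps share one HMAC key; tokens live for one hour.
IDP_SECRET = secrets.token_bytes(32)
TOKEN_LIFETIME = 3600

USERS = {}            # username -> (salt, PBKDF2 hash): the single credential store
ACTIVE_SESSIONS = {}  # session id -> username; consulted by every app on each request

# Authorization stays with each application, not with the IdP (constructed data).
APP_PERMISSIONS = {
    "payroll": {"alice": {"view", "approve"}, "bob": {"view"}},
    "wiki": {"alice": {"edit"}, "bob": {"edit"}},
}

def _hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(body):
    return _b64(hmac.new(IDP_SECRET, body.encode(), hashlib.sha256).digest())

def register(username, password):
    """Account creation happens once, in the IdP, for all applications."""
    salt = secrets.token_bytes(16)
    USERS[username] = (salt, _hash_pw(password, salt))

def login(username, password, now=None):
    """First sign-on: check the credential, then mint a signed session token."""
    record = USERS.get(username)
    if record is None:
        return None
    salt, stored = record
    if not hmac.compare_digest(stored, _hash_pw(password, salt)):
        return None
    if now is None:
        now = time.time()
    sid = secrets.token_hex(16)
    claims = {"sub": username, "sid": sid, "exp": int(now) + TOKEN_LIFETIME}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    ACTIVE_SESSIONS[sid] = username
    return f"{body}.{_sign(body)}"

def verify_token(token, now=None):
    """What every other app does instead of asking for a password again.
    Returns the username, or None if the token is forged, expired or revoked."""
    try:
        body, sig = token.split(".")
        if not hmac.compare_digest(_sign(body), sig):
            return None
        claims = json.loads(_unb64(body))
    except (ValueError, TypeError):
        return None
    if now is None:
        now = time.time()
    if claims["exp"] <= now:
        return None
    if ACTIVE_SESSIONS.get(claims["sid"]) != claims["sub"]:
        return None  # session revoked by logout or deprovisioning
    return claims["sub"]

def access(app, token, action, now=None):
    """Authentication via the shared token; authorization via the app's own table."""
    user = verify_token(token, now)
    if user is None:
        return "denied: not authenticated"
    if action not in APP_PERMISSIONS.get(app, {}).get(user, set()):
        return "denied: not authorized"
    return f"ok: {user} may {action} in {app}"

def logout(token):
    """Single logout: revoking the session invalidates the token for every app."""
    if verify_token(token) is None:
        return False
    ACTIVE_SESSIONS.pop(json.loads(_unb64(token.split(".")[0]))["sid"], None)
    return True

def deprovision(username):
    """Central maintenance: one change in the IdP removes access everywhere."""
    USERS.pop(username, None)
    for sid in [s for s, u in ACTIVE_SESSIONS.items() if u == username]:
        del ACTIVE_SESSIONS[sid]
```

The point to notice is that `access("wiki", token, "approve")` is refused even though the same token is accepted by the payroll application: the IdP proves who the user is, while each application still decides what that user may do. Likewise, one call to `logout` or `deprovision` changes the IdP's session store and every application's next `verify_token` call fails, which is what makes the single-logout and central account maintenance benefits above possible.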

Barriers to SSO Adoption 

Despite the benefits of SSO technologies, SMBs are unlikely to employ them. CISA met with a variety of stakeholders and relevant parties to research what the barriers to SSO adoption for SMBs are and what can be done to improve SSO utilization rates. CISA identified several barriers that can keep SMBs from implementing SSO:

  • Implementing an SSO solution costs time and money. Frequently, SMBs that are interested in SSO in the abstract do not prioritize it. There are other expenses, factors, and market forces that have more visible impacts than the benefits of SSO. The desire to increase profits takes precedence over implementing technologies with more opaque benefits. These cost issues are compounded by the fact that SSO is frequently only offered as part of premium, enterprise-level service packages. To access SSO technologies, companies must spend extra money for additional services they may not want or need. Many vendors require a minimum number of users/seats for SSO services, a number which can be higher than an SMB’s need. These extra costs can deter SMBs from utilizing SSO solutions.
  • SMBs often find that there is insufficient information on the logistics of using a new technology like SSO and the benefits of doing so. What limited information is available is often inadequate, not sufficiently outlining the costs or where to acquire a suitable solution. There can also be limited comparative information on the SSO services offered by different vendors, making shopping for one that works for an individual business difficult.
  • Implementing SSO requires knowledge and expertise. Many SMBs do not have staff with the necessary skills to do so. Even those that do have SSO-proficient employees may not have the time and money to divert their focus to the installation of SSO.
  • Many SMBs use legacy systems that are not compatible with SSO technologies. To use SSO, they would need to make significant capital investments in upgrading these systems. These costs and changes can be seen as unnecessary and risky, thus deterring SSO adoption.

Recommendations for SSO Adoption 

Ultimately, CISA came up with recommendations for four different types of entities with an interest in encouraging SSO adoption. They are as follows: 

For SMBs: CISA recommends the creation of a systematic approach to SSO implementation to make it easier for businesses to deploy the technology. It lays out a sample approach with the following steps:

  • Analyze the organization’s needs. 
  • Look for affordable SSO options. 
  • Compare different SSO offerings and solutions. 
  • Evaluate how each SSO offering integrates with the organization’s existing systems. 
  • Conduct a pilot project before the full SSO implementation. 
  • Roll out SSO across the entire organization. 
  • Educate staff. 
  • Continuously monitor the SSO deployment.

For Vendors: CISA recommends that vendors stop bundling SSO offerings with other premium services. It also recommends that vendors be more flexible when setting minimum seat requirements for SSO services. Finally, CISA recommends that vendors significantly improve the support and training they provide. SMBs are encouraged to reach out to vendors to encourage them to comply with these recommendations.

For Government Agencies: CISA recommends that relevant government agencies provide guidance and recommendations for SSO that businesses and the public can use. It also recommends that these agencies consider offering incentives for the adoption of SSO and other security technologies. SMBs are encouraged to reach out to government agencies to inquire about these recommendations.

For Non-Profit Organizations: CISA recommends that such non-profits include SSO in their community education and engagement activities.  


For more information about CISA’s findings on SSO adoption for SMBs, see: https://www.cisa.gov/sites/default/files/2024-06/Barriers-to-SSO-Adoption-for-SMB-508c.pdf 

Disclaimer of Liability: This publication is intended to provide general information to our clients and friends. It does not constitute accounting, tax, investment, or legal advice; nor is it intended to convey a thorough treatment of the subject matter.