At Microsolve, we're champions of Single Sign-On (SSO)! Apart from the core benefits around individual user security, the simplification of on/off-boarding workflows and time reductions in the login process to the plethora of apps and tools we use on a daily basis are a key pillar of driving our service efficiencies. But, as with any technological advancement, there are nuances worth exploring.
💰The SSO Dilemma: The Cost of Security Essentials
In the realm of SaaS applications, a peculiar (and alarming!) trend has established itself in the last few years - the "SSO tax." Shockingly, some platforms reserve essential security features, like robust SSO, for their high-tier enterprise plans or as paid add-ons. It's baffling, right? Security should be a standard feature, not a premium!
For those embarking on the journey of "SSO everywhere", be warned, you will need patience, you will need understanding and you will often need a a big stick - and that will just be to deal the the vendors! (In my experience, initiating a conversation with the right Business Development Manager can sometimes lead to reconsideration. If not, evaluating alternatives becomes a prudent step).
If you are still at the "considering it" stage check out http://sso.tax - if a substantial number of your core applications are listed, then you are going to need budget and/or some really good negotiation skills!
🌑 Shadowy SSO: Navigating Incomplete Solutions
Beyond the financial considerations, there's another shadow cast - incomplete SSO implementations!
Picture this: session tokens reused, vague session length parameters, or worse, negligence in terminating sessions upon browser closure!
It's like getting a puzzle with missing pieces. Surely this is NOT the norm? Hmm, well, umm, yeah... Whilst SAML IS an agreed standard, and the majority of the Identity Providers (IdP's) are compliant, there are few controls on how the Service Providers (SP's) action the session tokens - unfortunately, it is often left up to the application user to validate what works and what doesn't!
Yep, so not only do you get to pay the SSO tax, you then have to work out what you get for your "investment" - somehow, this just doesn't seem quite right.
🔍 Beyond Trust: Auditing Your SSO Environment
Are you still confident in your (planned/actual) SSO deployment?
I once read that to be truly secure you should trust no one, assume nothing and test everything - with SSO, this has never been more true.
If you have an existing deployment, audit it. Verify that each app vendor in your ecosystem adheres to the security standards you've set - test every action and expectation on every application. Then document and date the findings.
It's a proactive step that can uncover potential vulnerabilities before they turn into security breaches.
#SSO #MSP #SecurityMatters #SecurityIsAMindset
Curious to dive deeper into SSO excellence? Let's start the conversation! 🚀
