Decentralized identity and verifiable credentials

CISA: How MSPs Can Help SMBs Adopt SSO

single sign on (SSO) to login other webpage with one username and password vector

MSPs are the keystone of providing SMBs with help to improve their security posture through the implementation of single sign-on. That's one of the conclusions of a new report from the Cybersecurity & Infrastructure Security Agency (CISA) that addresses the challenges SMBs face with this technology.

Among the recommendations made by CISA is this -- vendors should provide a more flexible schedule of seat thresholds for SMBs. Specifically, CISA recommends vendors allow pooling SSO licenses at the MSP level or SMB-group level rather than the individual subscriber organization level.

MSPs are not only a big part of the recommended solution to the issue. CISA also consulted with experienced MSPs to prepare this study. In addition, CISA worked with other stakeholders including SSO vendors, non-profit organizations dedicated to improving cybersecurity, and SMBs that have experience with adopting SSO and migrating across SSO platforms.

CISA's report is titled Barriers to Single Sign-On (SSO) Adoption for Small and Medium-Sized Businesses: Identifying Challenges and Opportunities. CISA’s accompanying blog post, Why SMBs Don’t Deploy Single Sign-On (SSO), urges software manufacturers to consider how their business practices may inadvertently reduce the security posture of their customers.

Lack Of SSO Entices Cyberattacks

SMBs often lack the means to establish and maintain efficient and scalable IT systems internally. Therefore, they are frequently targets for cyberattacks due to perceived vulnerabilities in their security systems. However, CISA believes that SSO adoption can help SMBs improve their security posture.

CISA asserts that connecting all business and applications under centralized identity management can improve effectiveness and yield efficiencies. However, current pricing structures can hinder SSO adoption. Organizations may be unable to realize the advantages of SSO and instead rely on manual identity and access management practices, such as tracking and managing passwords using spreadsheets.

Noting the advantages of SSO adoption for SMBs, the CISA report states, “Users can easily enable and disable the capability to enter multiple systems, platforms, apps, and resources. Also, it may effectively resolve the problem of password-related downtime and reset expenses. When properly implemented and configured, SSO technology offers numerous advantages to SMBs in terms of improving cybersecurity.”

SSO Adoption: Advantages and Challenges

An MSSP or MSSP looking to sell an SMB customer on the merits of SSO can point to a simplified and improved login and user experience. And SSO may also help facilitating e-commerce and IT adoption, with more robust cybersecurity practices potentially serving as a factor in product or service differentiation, according to CISA.

The willingness to adopt SSO might not be a top priority when profit is crucial for some SMBs. However, SMBs tend to be constrained in resources and expertise when it comes to managing new technologies. Thus, the cost of SSO implementation coupled with a lack of requisite technical expertise to configure and deploy the solution hinders SSO adoption among SMBs, CISA said.

Small enterprises often opt for manual passwords and hands-on approaches over an SSO option. But these methods tend to have a reduced initial adoption cost. This cost difference does not reflect the hidden administrative costs associated with maintaining manual passwords.

CISA notes a primary reason for lack of SSO adoption is that SSO is often available only as a premium enterprise-level service. As such, an enterprise service can cost significantly more per user than a lower-tier service that lacks SSO and typically requires a minimum number of users. These can be substantial barriers for many organizations. 

Another factor damming up SSO adoption is a lack of technical know-how and awareness. Vendors feel confident that they offer sufficient training materials and how-to guides to support customers in effectively deploying SSO technology, but customers have different perceptions and user experiences. They may see SSO as a complex solution with numerous moving parts that may impede its successful deployment. These implementation challenges need to be addressed before customers consider adopting SSO, CISA said.

Recommendations for Vendors

Based on user feedback, CISA said that vendors can significantly improve their service offerings by implementing the following recommendations:

  • Gather customer requirements and offer tailored solutions that meet their needs, while eliminating unnecessary services
  • Offer more flexible seat thresholds or requirements
  • Improve the accuracy and completeness of support materials for their essential set of services such as SSO.
Jim Masters

Jim Masters is Managing Editor of MSSP Alert, and holds a B.A. degree in Journalism from Northern Illinois University. His career has spanned governmental and investigative reporting for daily newspapers in the Northwest Indiana Region and 16 years in a global internal communications role for a Fortune 500 professional services company. Additionally, he is co-owner of the Lake County Corn Dogs minor league baseball franchise, located in Crown Point, Indiana. In his spare time, he enjoys writing and recording his own music, oil painting, biking, volleyball, golf and cheering on the Corn Dogs.