
Visibility, Control, and Modern SSO: Elevating IAM Hygiene

Chad Gerstensang  |  December 16, 2024

During his session on “Guidance for Achieving IAM Resilience in a Cloud-First World” at the Gartner IAM Summit 2024, Michael Kelley introduced a concept that I found incredibly impactful: Identity Hygiene.

Identity Hygiene refers to the practices and standards organizations adopt to maintain a secure and well-governed IAM environment. Several critical elements determine an organization’s Identity Hygiene:

Visibility

Visibility is perhaps the most vital, and yet most often underestimated, aspect of an organization’s IAM landscape.

Surprisingly, the vast majority of organizations we’ve spoken to lack discovery tools for identifying Shadow SaaS. Many don’t see Shadow SaaS as a significant risk because they believe they are already aware of most SaaS applications in their ecosystem. That assumption is dangerous, because an inventory built from what IT happens to know about has no way of revealing what it is missing.

The truth is, anyone with access to corporate email can create accounts across countless platforms, and every such account becomes another place where sensitive organizational data can end up. Not everyone in an organization has the knowledge or training to assess whether a particular application is secure. The scale of the problem is large: 80% of employees adopt SaaS applications without IT approval, and 10% report a data breach or data loss as a result. Password reuse, which remains common, compounds the risk further, since a breach at one obscure SaaS vendor can expose a password that also unlocks corporate systems.

Organizations must prioritize comprehensive visibility into their SaaS ecosystem. Without this foundation, it’s impossible to establish robust Identity Hygiene.
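As an added illustration of what SaaS discovery can look like in practice (this is example code written for this edit, not a tool from the original post or its author), the Python script below applies one common heuristic: account-creation notifications that land in corporate mailboxes. It takes constructed sample message metadata (sender, recipient, subject), keeps messages whose subject reads like a sign-up or verification notice, reduces the sender to its registrable domain, and reports every vendor domain that is not on an assumed approved list, together with how many distinct employees signed up. The vendor names, the `.example` domains, the subject patterns and the approved list are all assumptions made for the example.

```python
"""Shadow SaaS discovery from account-creation mail (constructed example)."""
import re
from collections import defaultdict
from email.utils import parseaddr

# Subject phrases that typically accompany a new account (assumed heuristics;
# tune against your own mail before relying on them).
SIGNUP_PATTERNS = re.compile(
    r"verify your (?:email|account)|confirm your (?:email|account)|"
    r"welcome to|activate your account|complete your (?:registration|sign[- ]?up)",
    re.IGNORECASE,
)

# Two-label public suffixes, so 'mail.vendor.co.uk' maps to 'vendor.co.uk'
# (abbreviated list; a real deployment would use the public suffix list).
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(addr):
    """Reduce 'Vendor <no-reply@mail.vendor.example>' to 'vendor.example'."""
    domain = parseaddr(addr)[1].rsplit("@", 1)[-1].lower()
    labels = domain.split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def discover_shadow_saas(messages, approved):
    """Return {vendor_domain: {"users": set_of_recipients, "count": n}} for
    sign-up style mail from vendors outside the approved set."""
    found = defaultdict(lambda: {"users": set(), "count": 0})
    for msg in messages:
        if not SIGNUP_PATTERNS.search(msg["subject"]):
            continue                      # not an account-creation notice
        vendor = registrable_domain(msg["from"])
        if vendor in approved:
            continue                      # sanctioned application
        record = found[vendor]
        record["users"].add(parseaddr(msg["to"])[1].lower())
        record["count"] += 1
    return dict(found)


def rank(found):
    """Order vendors by distinct users, then by message count, then by name."""
    return sorted(
        ((vendor, len(rec["users"]), rec["count"]) for vendor, rec in found.items()),
        key=lambda row: (-row[1], -row[2], row[0]),
    )


# Constructed sample metadata: fictional vendors on the reserved .example TLD.
SAMPLE_MESSAGES = [
    {"to": "alice@corp.example", "from": "Boardtool <no-reply@mail.boardtool.example>",
     "subject": "Welcome to Boardtool! Verify your email"},
    {"to": "bob@corp.example", "from": "no-reply@boardtool.example",
     "subject": "Please confirm your account"},
    {"to": "alice@corp.example", "from": "hello@notes-app.example",
     "subject": "Activate your account"},
    {"to": "carol@corp.example", "from": "feedback@chat-app.example",
     "subject": "Welcome to ChatApp"},                    # approved vendor, ignored
    {"to": "bob@corp.example", "from": "newsletter@notes-app.example",
     "subject": "Our weekly digest"},                     # not a sign-up notice
    {"to": "dave@corp.example", "from": "noreply@boardtool.example",
     "subject": "Welcome to Boardtool"},
]
APPROVED = {"chat-app.example", "idp.example"}   # assumed sanctioned vendor list


if __name__ == "__main__":
    for vendor, users, count in rank(discover_shadow_saas(SAMPLE_MESSAGES, APPROVED)):
        print(f"{vendor:<22} users={users} signup_mails={count}")
```

Run it against sender and subject metadata only, under appropriate authorization, since mailbox contents are sensitive. It will miss applications that employees join through "sign in with" OAuth consent rather than a separate password, but those appear in the identity provider's consent and sign-in logs, so the two sources complement each other.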


Control

Once visibility is achieved, the next critical step is enforcing governance. Simply knowing about risks isn’t enough; it’s decisive action that elevates security.

In an era where phishing attacks are escalating and traditional SSO solutions are falling short, organizations must take proactive measures to secure their SaaS environments. This includes implementing controls such as an approval workflow that gates the adoption of a new SaaS application on a security review, so that only approved platforms are in use and anything outside the approved list is flagged rather than silently tolerated.

Governance transforms visibility into actionable security: it reduces risk, enforces organizational policy, and keeps the organization’s inventory of its SaaS ecosystem current as new applications appear.


SSO vs. Passwords

The debate between SSO and traditional password systems continues. While SSO is often touted for simplifying authentication and enhancing user experience, traditional SSO solutions come with inherent vulnerabilities that organizations must address.

  1. Token Storage Risks: Traditional SSO providers act as token relays due to their reliance on protocols such as SAML and OAuth. The provider issues the signed assertions or tokens that every connected application trusts, so a breach of the provider, and in particular of its signing keys or session stores, lets an attacker replay or forge tokens and gain unauthorized access to many applications at once. This creates a single point of failure with potentially devastating consequences.
  2. Credential Theft and Phishing: Traditional SSO requires user authentication via a login page, which is usually publicly accessible. This makes the login page a prime target for phishing attacks. For attackers, compromising the credentials of an SSO provider is a highly attractive option, as it grants access to all connected applications: instead of targeting individual applications, they can focus on a single entry point. Phishing-resistant MFA (FIDO2/WebAuthn) on that login page, and short-lived, audience-bound tokens on the application side, narrow this exposure, but they do not remove the concentration of trust in one provider.
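To make the single point of failure concrete, here is an added toy model (example code written for this edit, not code from the original post; an HMAC tag stands in for the XML or JWT signature, and the application names "crm" and "wiki" are assumptions). Each application verifies the provider's signature and additionally checks audience, expiry and a replay cache, which is what limits a stolen token to one application for a short time. The last case shows the limit of those checks: once the provider's signing key is stolen, an attacker mints a fresh token for any application and every one of them accepts it, because they all trust that one key.

```python
"""Toy model of SSO token trust: what per-app checks stop, and what they cannot."""
import base64
import hashlib
import hmac
import json
import secrets
import time


def sign(key, claims):
    """Serialise claims and append an HMAC-SHA256 tag (stand-in for a real signature)."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


class IdentityProvider:
    """One signing key vouches for every connected application (assumed design)."""

    def __init__(self):
        self.signing_key = secrets.token_bytes(32)

    def issue(self, subject, audience, lifetime=300, now=None):
        now = time.time() if now is None else now
        return sign(self.signing_key, {
            "sub": subject, "aud": audience, "exp": now + lifetime,
            "jti": secrets.token_hex(8),          # unique id for replay detection
        })


class ServiceProvider:
    """An application that trusts the IdP but binds each token to itself."""

    def __init__(self, name, idp_key):
        self.name = name
        self.idp_key = idp_key
        self.seen = set()                         # jti values already accepted

    def accept(self, token, now=None):
        now = time.time() if now is None else now
        body, _, tag = token.rpartition(".")
        expected = hmac.new(self.idp_key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return "bad-signature"
        claims = json.loads(base64.urlsafe_b64decode(body))
        if claims.get("aud") != self.name:
            return "wrong-audience"               # issued for a different app
        if claims.get("exp", 0) < now:
            return "expired"
        if claims["jti"] in self.seen:
            return "replay"
        self.seen.add(claims["jti"])
        return "ok"


def demo():
    """Outcomes for a legitimate token, several stolen-token cases, and a stolen key."""
    idp = IdentityProvider()
    crm = ServiceProvider("crm", idp.signing_key)
    wiki = ServiceProvider("wiki", idp.signing_key)
    token = idp.issue("alice", "crm")
    stale = idp.issue("alice", "crm", lifetime=300, now=time.time() - 1000)
    # Attacker holding only a token is boxed in by audience, expiry and replay checks.
    # Attacker holding the IdP signing key mints a valid token for any application.
    forged = sign(idp.signing_key, {"sub": "alice", "aud": "wiki",
                                    "exp": time.time() + 300, "jti": "forged-0001"})
    return {
        "legit": crm.accept(token),
        "replayed": crm.accept(token),
        "stolen_for_other_app": wiki.accept(token),
        "stolen_but_expired": crm.accept(stale),
        "tampered": crm.accept(token.replace(".", "x.", 1)),
        "forged_with_stolen_key": wiki.accept(forged),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:<24} -> {outcome}")
```

The application-side checks are cheap and worth insisting on, but the last line of the demo is why key custody at the provider (HSM-backed signing keys, rotation, and alerting on unusual issuance) matters at least as much as hardening the login page.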

Despite these vulnerabilities, the advantages of SSO in maintaining Identity Hygiene remain clear. SSO simplifies authentication, reduces password-related vulnerabilities to some extent, and improves user experience. However, not all SSO solutions are created equal. Traditional SSO providers often leave gaps by covering only a fraction of SaaS applications, requiring costly integrations and creating unnecessary friction.

The key to better Identity Hygiene lies in adopting modern solutions that provide Universal SSO capabilities, ensuring 100% coverage of SaaS applications without additional complexity or cost. This approach enhances control while significantly reducing risk.


Conclusion

Identity Hygiene is no longer a concept that organizations can afford to overlook. In today’s identity-first security landscape, with rising threats and accelerating SaaS adoption, strong Identity Hygiene practices are essential to protecting sensitive data and maintaining trust.

Organizations that invest in visibility, control, and modern SSO solutions will not only strengthen their IAM posture but also future-proof their security strategies. 

The risks are too significant to ignore—the time to act is now.