Business software

Shopping for business software? Beware of the SSO Trap

It’s long been an open secret among business software buyers that “enterprise” is synonymous with “expensive.” That’s why companies on tight budgets tend to shy away from self-proclaimed enterprise software, not to mention that they have no use for a catalog of features designed for large companies with thousands of employees. But imagine their surprise when they find themselves sucked into exorbitant corporate prices because they just need a characteristic.

This feature is single sign-on (SSO). This is a feature typically provided by identity management systems, such as Azure Active Directory, Okta, or OneLogin. Once installed, users only log into the network once, and the SSO system takes over, granting them access to applications using an encrypted token-based method. It’s much more secure than traditional password-based logins, making it a must-have security measure for businesses of all sizes.

However, while most business applications and services today support single sign-on, there is a catch. Unfortunately, vendors almost always unlock single sign-on support only at their most expensive enterprise pricing tiers, which is inevitably a rude awakening for small and medium-sized businesses, especially once they get started. realize that single sign-on is a feature they can’t live without. This predatory sales tactic needs to stop.

Why is single sign-on so crucial?

There are several reasons why SSO is considered an IT best practice. First, SSO eases the burden on employees who have to come up with strong passwords for multiple systems. The more credentials an employee has to remember, the more likely they are to use weak passwords, reuse passwords for multiple accounts, or store passwords insecurely. (Password managers can also help here, but only if used correctly. Even then, they’re still not as secure as SSO.)

More importantly, SSO helps reduce what is called the “attack surface” of a network. Each application requiring single sign-on is another opportunity for an attacker to gain access to corporate data. But with SSO, it’s like building a wall around your data with a single front door. No one can access an application without approval from the SSO system. This is a significant security upgrade, especially when paired with multi-factor authentication.

SSO also facilitates IT operations. If an employee has an SSO account, authorizing access to a new app is as simple as connecting the app to that account. But the biggest benefit comes when the employee leaves the company. Without SSO, IT staff would have to manually close each of their accounts, leaving room for error. But with SSO, a push of a button and it’s all off.

These and other security benefits of SSO are so significant that even small businesses (and their financiers) have begun to mandate SSO authentication as part of their IT policy. Once this policy is in place, however, the shock of the SSO sticker can hit like a fist.

How much will single sign-on cost you?

It’s not that SSO support isn’t worth paying for. Considering its value, something like a 10% SSO surcharge might seem reasonable. Unfortunately, that’s not the kind of price increase we’re talking about.

According to the Wall of Shame SSO(Opens in a new window), a site run by security expert Rob Chahin, the difference between a provider’s base price and what you’ll pay for SSO support is often double or more. Among the 53 vendors sampled by Chahin, the median price increase was 108%, but some vendors increased their prices by 300%, 500% or more. In one case, the bump was a whopping 6,300%. Other providers refuse to list their corporate rates, instead forcing customers to negotiate their own rates.

Something like a 10% SSO surcharge may seem reasonable. Unfortunately, this is not the type of increase we are talking about.

Such tactics can have a profound impact on IT budgets, especially for small and medium-sized businesses (SMBs), to the point that they can even hamper business agility and growth. So how to justify them?

What is their excuse?

We can only speculate what reasons enterprise software vendors might have for classifying SSO support as an enterprise-only feature. They rarely offer it. Maybe it’s because nothing seems to point to a legitimate answer.

For example, integrating SSO support into an application is neither expensive nor particularly difficult. The technology is based on open standard protocols, including SAML and OIDC. These protocols are well documented and understood, and there are even many free software projects that implement them.

You could argue that a security feature like SSO requires careful code review and auditing, which increases development costs. But just about any commercial codebase requires such an audit today, especially if a vendor hopes to sell its software to highly regulated industries, such as healthcare and finance.

Recommended by our editors

Enterprise pricing shouldn’t be the hammer that vendors impose on businesses that want essential security functionality like single sign-on.

Once an application is connected to an SSO system, it also does not require much ongoing maintenance. SSO integrations will not increase the number of support calls an app provider will have to handle by any measurable amount.

In short, supporting SSO does not, in and of itself, create additional or unusual costs for software vendors to recover from customers. So it’s hard not to conclude that the practice of tying a critical security feature like single sign-on to enterprise pricing is almost literally exorbitant, as in “That’s very good business data you’re storing in our app. Too bad if something happened to that.”

The industry must do better

There’s nothing inherently wrong with enterprise software vendors tying features to specific pricing tiers. Most companies are willing to pay extra for the necessary features and service levels. There’s even a case for best-priced enterprise pricing when supporting thousands of users, ensuring near-perfect uptime, or serving multiple geographic regions.

But enterprise pricing shouldn’t be the hammer that vendors impose on businesses that want essential security functionality like single sign-on. Industry and government experts agree that threats such as malware, data breaches, identity theft and ransomware are all on the rise. The last thing the tech industry needs is to remove barriers to data security, especially if it’s for no other reason than almighty money.

For the benefit of the entire Internet, application vendors should decouple critical security features such as single sign-on from their pricing plans and make them more widely available to customers of all sizes, and at reasonable rates. If they did, it would actually be a win-win. Not only would this increase their customers’ confidence in their software, but it’s also the right thing to do.

What's New Now to get our top stories delivered to your inbox every morning.","first_published_at":"2021-09-30T21:30:40.000000Z","published_at":"2022-03-29T17:10:02.000000Z","last_published_at":"2022-03-29T17:09:22.000000Z","created_at":null,"updated_at":"2022-03-29T17:10:02.000000Z"})" x-show="showEmailSignUp()" class="rounded bg-gray-lightest text-center md:px-32 md:py-8 p-4 mt-8 container-xs">

Receive our best stories!

Register for What’s up now to get our top stories delivered to your inbox every morning.

This newsletter may contain advertisements, offers or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of Use and Privacy Policy. You can unsubscribe from newsletters at any time.

Source link