Upselling Cybersecurity: Why Baseline Security Features Shouldn’t Be a Commodity

March 20, 2024 | Cybersecurity Consulting

By: Larry Kinkaid, manager, cybersecurity consulting

When it comes to implementing and maintaining a strong cybersecurity posture within any organization, accountability is key.

An information security program is only effective when controls—i.e., internal processes designed to manage and mitigate the risk of cyber threats—are clearly outlined and when all stakeholders understand what they’re accountable for in terms of managing those controls. Up to this point, burdensome manual controls related to user identification and authorization have largely fallen on the shoulders of consumers and small businesses, rather than the Software as a Service (SaaS) vendors whose platforms they rely on. But things could soon be changing.

In the spring of 2023, the White House published a new cyber threat mitigation strategy that Acting National Cyber Director Kemba Walden said “will rebalance the responsibility for managing cyber risk onto those who are most able to bear it.” The Biden administration promised to hold software developers “liable when they fail to live up to the duty of care they owe consumers, businesses, or critical infrastructure providers,” arguing that “too much of the responsibility for cybersecurity has fallen on individual users and small organizations.”

It’s a sentiment that security professionals like myself have been echoing for years as SaaS providers have set a precedent for upselling customers for access to critical security features—namely, single sign-on.

Single Sign-On: What It Is and Why It’s Important

At its core, single sign-on (SSO) is a method for authenticating identity that allows a user to use a main set of credentials in order to authenticate with other websites, applications, or other online services. On an individual level, implementing SSO typically looks like signing in to an application or service using an Apple, Google, or Microsoft account. Not only is it more convenient, but it is also more secure: By leveraging a single, normalized account to sign in across all services, users only have to remember one password and are more likely to have deeper logical access controls in place, such as app-based multi-factor authentication (MFA) and security email notifications.

For organizations, it’s more complicated: IT leaders aren’t just trying to juggle one list of users to one service, but an entire web of users and services with varying levels of access controls. Even for small companies, having the ability to create and remove user accounts using one central application saves time and can help with achieving or maintaining compliance against frameworks that require the timely removal of separated users from all systems.

This is why for many IT and cybersecurity professionals, choosing vendors that support their organization’s chosen identity management provider is a priority. Unfortunately, especially for start-ups and small businesses, it’s become increasingly out of reach.

A GitHub user posting under the handle @robchahin has published a list of SaaS providers that “treat single sign-on as a luxury feature,” making it available only to customers who upgrade to more premium versions of their products. This leaves IT decision-makers with a challenge: overlook a core security feature and ignore proven best practices surrounding identity and access management, or find room in their already tight budgets to pay up—in some cases, at an increased cost of 200% per user or more.

Admittedly, not all organizations would have chosen the vendors’ most basic plans, so that number may be a little skewed. Many SaaS providers that offer different “tiers” of their services also place limits on other key features that, for large companies, take lower-level plans off the table. For instance, if a SaaS vendor requires customers to subscribe to their “Gold” or “Premier” tiers in order to integrate their service with an external application like Salesforce, a high-budget company that needs the integration likely would not have even considered lower tiers that may not have supported centralized single sign-on.

But it’s not just large organizations with big budgets that have a responsibility to keep stakeholders’ data secure. Even for start-ups with only a handful of employees, implementing SSO across all accounts and systems is vital for ensuring user access is managed in accordance with the controls set by the organization, either to adhere to regulatory requirements or to improve their security posture overall.

What’s Driving the “SSO Tax”?

So if single sign-on is so important for organizations both large and small, then why are many SaaS providers failing to offer it to customers even at the lowest-level—or least expensive—subscriptions?

The first reason is that they simply don’t have to. Under most compliance frameworks, the security functionality offered by the company is not in scope. Instead, examinations like SOC 1, 2, and 3 focus on internal users (i.e., employees). And while the vendor might be responsible for keeping consumer data secure within its own systems, customer-facing access management falls squarely on the customer’s shoulders.

In today’s fragmented services approach, the shared responsibility aspect is a critical piece to focus on. These SaaS providers are putting a huge onus on the organizations they serve to manage logical access, then upselling them on functionalities designed to make access management easier and improve security outcomes. In many cases, it seems companies view it as upselling convenience, rather than upselling a critical security feature.

And it’s not just SSO. SaaS vendors across industries are also limiting support for data loss prevention (DLP) tools and constraining access to other processes widely known to be effective in minimizing the risk of data leaks and breaches.

The biggest issue is that features like DLP and SSO do come at an increased cost for SaaS vendors to implement. When we’re talking about a material amount of money, it’s hard to argue that it shouldn’t be an upsell to customers. But should it be anywhere close to the tune of double the price per user—or more? 

For businesses striving to achieve or maintain compliance and position cybersecurity as a value-add that sets them apart from competitors, the cost of not implementing sound identity and access management practices can often be much greater. 

Even SaaS vendors themselves aren’t immune from the consequences: By gatekeeping access to SSO as a method of managing user accounts, software providers are missing out on opportunities to sell to organizations that make security a priority. But when their competitors are driving up prices by similarly locking access to features like these behind more expensive versions of their products, it’s all too easy for SaaS providers to fall in line with the imprudent trend.

A Look Ahead

For IT leaders currently in the throes of vendor risk assessments, it’s important to lean on security fundamentals in order to make the best decisions for your organization. This means completing comprehensive risk assessments and making conscious efforts to examine vendors from all angles of the CIA triad. The National Institute of Standards and Technology (NIST) defines the three core components of information security as:

  • Confidentiality, which covers who should be allowed access to certain data and ensures logical access controls have been put in place;
  • Integrity, which ensures the data is accurate and unchanged except by those who have explicit permissions to do so; and, 
  • Availability, which ensures systems remain operational even in the event of an incident or crisis.

For SaaS providers debating whether to extend access to SSO and DLP support to even their lowest-margin customers, the bottom line is simple: Baseline security shouldn’t be a commodity. Single sign-on makes life easier—and safer—for both vendors and the customers they serve. 

Technology is past the point of considering SSO an “enhancement.” Security features like these shouldn’t come at an upcharge; they should be the bare minimum. 

Looking forward, I am optimistic that organizations of all sizes will start to demand security features like single sign-on when signing contracts with software vendors. SSO will likely be the start of it, and hopefully, more security functionalities follow.

About the Author

Larry Kinkaid
Manager, Cybersecurity Consulting

As manager for BARR’s cybersecurity consulting practice, Larry supports small- to medium-sized and enterprise companies in need of a virtual CISO (or CISO on retainer). He plans and executes various engagements including readiness assessments, policy and procedure documentation, vendor risk management assessments, and external audit assistance.

He is an experienced consulting professional with a history of working in IT governance, risk, and compliance for large companies. He maintains the CISA and CRISC certifications to fortify his reputation as an IT professional in audit and risk. Larry graduated from Bowling Green State University with a Bachelor of Science in Business Administration, Information Systems Auditing and Control, and Management Information Systems.

 
