Session overview

This LinkedIn Live presents the findings of a research study conducted by Cerby in collaboration with the Ponemon Institute, focused on nonfederated applications and their associated risks in organizations.

Speakers

- Matt Chiodi, Chief Trust Officer at Cerby

Agenda

- Introduction to nonfederated applications

- Goals of the research

- Research methodology

- Findings and insights

- Recommendations for addressing nonfederated application risks

Takeaways

Takeaway #1: One in every seven breaches can be traced back to applications that can't be managed with identity providers

In the webinar, Matt Chiodi revealed that their research found that "one out of every seven breaches can be traced back to applications that you can't manage with your identity provider." This finding highlights the importance of addressing the risks associated with nonfederated applications. These applications lack support for common standards such as SSO (single sign-on), SAML (Security Assertion Markup Language), SCIM (System for Cross-Domain Identity Management), and security APIs.

Chiodi noted that nonfederated applications could be found across various industries and are not limited to just one category of applications. He emphasized the need for organizations to be aware of these applications and to take the necessary steps to manage them effectively. Effective management of nonfederated apps includes understanding their security risks and implementing processes and solutions to extend identity providers to these nonfederated apps.

The research showed that nonfederated apps are generating a significant percentage of breaches. Chiodi stated, "We can say now definitively that nonfederated apps are generating a significant percentage of breaches. It's not a 1% number. It's one out of seven, give or take a few percentage points." This highlights the need for organizations to prioritize the management of nonfederated apps to reduce their risk of breaches.

Takeaway #2: Organizations are spending a significant amount of time and money on managing nonfederated applications

During the webinar, Chiodi shared that organizations spend "just under 5,000 hours annually on investigating and remediating incidents specifically related to nonfederated applications." This number of hours equates to around $300,000 per year in hard costs for organizations, reaching the seven-figure range for larger organizations.

Chiodi also mentioned that organizations have around five incidents per year related to nonfederated applications, indicating that these applications are a significant risk that organizations must manage. He suggested that organizations can recover costs by extending their identity providers to nonfederated apps, which would help reduce the risks associated with these applications.

Additionally, Chiodi pointed out that organizations must prioritize the security of nonfederated applications. The Ponemon research found that "34% of organizations do not prioritize the security of nonfederated applications." This lack of prioritization can lead to increased risks and potential breaches.

Takeaway #3: Identifying and addressing the risks associated with nonfederated applications is crucial for organizations

To manage the risks associated with nonfederated applications effectively, Chiodi suggested that organizations start by identifying them in their environment. He provided a set of questions to help organizations find nonfederated apps, including whether apps require separate usernames and passwords, manual onboarding and offboarding, or shared accounts.

Chiodi also recommended that organizations add nonfederated apps to their risk register. He noted they should also explore processes and solutions to extend their identity providers to these apps. By doing so, organizations can significantly reduce the risks of nonfederated applications and better protect their data from potential breaches.
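One way to turn those identification questions and the risk-register step into an inventory triage, as an added example that is not from the webinar or Cerby's own tooling; the App fields, the inventory rows and the severity weighting are assumptions, and the $1,000 per-employee figure is the one quoted in the webinar:

```python
# Added example: apply the webinar's three identification questions to an
# application inventory and produce risk-register entries. The inventory rows,
# the App fields and the severity weighting are constructed assumptions.
from dataclasses import dataclass


@dataclass
class App:
    name: str
    separate_credentials: bool  # needs its own username/password (no SSO/SAML)
    manual_lifecycle: bool      # onboarding/offboarding done by hand (no SCIM)
    shared_accounts: bool       # one login shared by several people
    users: int = 0


# Figure quoted in the webinar: about $1,000 in staffing cost to onboard and
# offboard a single employee on a nonfederated app.
PER_EMPLOYEE_LIFECYCLE_COST_USD = 1000


def federation_gaps(app: App) -> list[str]:
    """Return the identification questions this app answers 'yes' to."""
    gaps = []
    if app.separate_credentials:
        gaps.append("separate username/password")
    if app.manual_lifecycle:
        gaps.append("manual onboarding/offboarding")
    if app.shared_accounts:
        gaps.append("shared accounts")
    return gaps


def is_nonfederated(app: App) -> bool:
    return bool(federation_gaps(app))


def risk_register(inventory: list[App]) -> list[dict]:
    """Build risk-register entries for nonfederated apps, highest exposure first."""
    entries = []
    for app in inventory:
        gaps = federation_gaps(app)
        if not gaps:
            continue  # federated through the identity provider; nothing to register
        # Assumption: shared accounts plus manual offboarding weigh extra, because a
        # departing user's access to a shared login cannot be revoked centrally.
        severity = len(gaps) + (1 if app.shared_accounts and app.manual_lifecycle else 0)
        # Staffing cost to onboard and offboard every current user once (webinar figure).
        lifecycle_cost = app.users * PER_EMPLOYEE_LIFECYCLE_COST_USD if app.manual_lifecycle else 0
        entries.append({"app": app.name, "gaps": gaps, "severity": severity,
                        "lifecycle_cost_usd": lifecycle_cost})
    return sorted(entries, key=lambda e: (-e["severity"], e["app"]))
```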

Lastly, Chiodi emphasized the importance of security leaders taking the risks of nonfederated applications seriously. He stated, "44% of security leaders underestimate the risk of nonfederated apps," and urged organizations to prioritize the security of these applications to mitigate potential breaches and incidents.

Insights surfaced

- One in seven breaches can be traced back to applications that can't be managed with an identity provider.

- Business units, not IT or security teams, manage most nonfederated application access.

- Most organizations are not actively tracking nonfederated application use.

- Over half of the surveyed organizations have experienced a real-world incident directly stemming from a nonfederated application.

- Organizations spend an average of 5,000 hours annually investigating and remediating incidents related to nonfederated applications.

Key quotes

- "One out of every seven breaches can be traced back to applications you can't manage with your identity provider."

- "Nonfederated applications lack support for common standards."

- "Nonfederated apps are generating a significant percentage of breaches."

- "52% [of organizations] have experienced a real-world incident directly stemming from a nonfederated application."

- "The average cost in staffing costs [for managing nonfederated applications] is about $1,000 to onboard and offboard a single employee."

- "Most of the risks we discussed, discovered in this research, can be managed by simply extending your identity provider to those nonfederated apps."

Download the full report to learn more.