This LinkedIn Live presents the findings of a research study conducted by Cerby in collaboration with the Ponemon Institute, focused on nonfederated applications and their associated risks in organizations.
- Matt Chiodi, Chief Trust Officer at Cerby
- Introduction to nonfederated applications
- Goals of the research
- Research methodology
- Findings and insights
- Recommendations for addressing nonfederated application risks
Takeaway #1: One in every seven breaches can be traced back to applications that can't be managed with identity providers
In the webinar, Matt Chiodi revealed that their research found that "one out of every seven breaches can be traced back to applications that you can't manage with your identity provider." This finding highlights the importance of addressing the risks associated with nonfederated applications. These applications lack support for the standards that identity providers depend on, such as single sign-on (SSO) through SAML (Security Assertion Markup Language), automated user provisioning through SCIM (System for Cross-Domain Identity Management), and security APIs.
Chiodi noted that nonfederated applications are found across industries and are not confined to one category of application. He emphasized that organizations need to know which of these applications they have and take the necessary steps to manage them. Effective management of nonfederated apps includes understanding their security risks and implementing processes and solutions that extend the identity provider's control to them.
The research showed that nonfederated apps are generating a significant percentage of breaches. Chiodi stated, "We can say now definitively that nonfederated apps are generating a significant percentage of breaches. It's not a 1% number. It's one out of seven, give or take a few percentage points." This highlights the need for organizations to prioritize the management of nonfederated apps to reduce their risk of breaches.
Takeaway #2: Organizations are spending a significant amount of time and money on managing nonfederated applications
During the webinar, Chiodi shared that organizations spend "just under 5,000 hours annually on investigating and remediating incidents specifically related to nonfederated applications." This number of hours equates to around $300,000 per year in hard costs for organizations, reaching the seven-figure range for larger organizations.
Chiodi also mentioned that organizations have around five incidents per year related to nonfederated applications, indicating that these applications are a significant risk that organizations must manage. He suggested that organizations can recover costs by extending their identity providers to nonfederated apps, which would help reduce the risks associated with these applications.
Additionally, Chiodi pointed out that organizations must prioritize the security of nonfederated applications. Yet the Ponemon research found that "34% of organizations do not prioritize the security of nonfederated applications." That lack of prioritization leaves the risk unmanaged and increases the likelihood of a breach.
Takeaway #3: Identifying and addressing the risks associated with nonfederated applications is crucial for organizations
To effectively manage the risks associated with nonfederated applications, Chiodi suggested that organizations start by identifying them in their environment. He provided a set of questions to help organizations find nonfederated apps, including whether an app requires a separate username and password, whether onboarding and offboarding are manual, and whether it is accessed through shared accounts.
Chiodi also recommended that organizations add nonfederated apps to their risk register. He added that they should explore processes and solutions to extend their identity providers to these apps. By doing so, organizations can significantly reduce the risks of nonfederated applications and better protect their data from potential breaches.
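The identification step above can be turned into a repeatable check. The following script is an added example, not code from Cerby or the Ponemon Institute: it applies Chiodi's three screening questions to a constructed application inventory, cross-checks each app against the identity provider's (IdP's) application catalog, and drafts risk-register rows. It goes one step beyond the text by treating presence in the IdP catalog as insufficient on its own, since a password-vault or bookmark tile appears there but still relies on the app's own credentials. All app names, owners and attributes are made up for illustration.

```python
"""Screen an application inventory for nonfederated apps and draft risk-register rows.

Added example (not Cerby's or the Ponemon Institute's code). Every app
name and attribute below is constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AppRecord:
    name: str
    sso_protocol: Optional[str]  # "SAML", "OIDC", ... or None: users keep a separate password
    scim: bool                   # SCIM provisioning wired up; False means manual on/offboarding
    shared_account: bool         # one credential used by several people
    owner: str                   # accountable business owner for the risk register


def normalize(name: str) -> str:
    """Match 'Slack' with ' slack ' so a naming mismatch does not hide an app."""
    return " ".join(name.strip().lower().split())


def screening_flags(app: AppRecord) -> list[str]:
    """Answer the three screening questions for one app; an empty list means all clear."""
    flags = []
    if app.sso_protocol is None:
        flags.append("separate username/password")
    if not app.scim:
        flags.append("manual onboarding/offboarding")
    if app.shared_account:
        flags.append("shared account")
    return flags


def classify(app: AppRecord, idp_apps: list[str]) -> str:
    """Return 'federated', 'partially federated' or 'nonfederated'.

    Being listed in the IdP catalog is not enough: an app with no SSO
    protocol is nonfederated even if it shows up there as a vault tile.
    """
    in_idp = normalize(app.name) in {normalize(n) for n in idp_apps}
    if not in_idp or app.sso_protocol is None:
        return "nonfederated"
    return "partially federated" if screening_flags(app) else "federated"


def risk_register(inventory: list[AppRecord], idp_apps: list[str]) -> list[dict]:
    """One row per app that is not fully federated, highest severity first."""
    rows = []
    for app in inventory:
        status = classify(app, idp_apps)
        if status == "federated":
            continue
        flags = screening_flags(app)
        # Shared accounts defeat attribution and cannot be revoked per user, so weight them double.
        score = len(flags) + (1 if app.shared_account else 0)
        severity = "high" if score >= 3 else "medium"
        rows.append({"app": app.name.strip(), "owner": app.owner, "status": status,
                     "severity": severity, "findings": flags,
                     "action": "extend IdP (SSO + SCIM) or retire app"})
    order = {"high": 0, "medium": 1}
    return sorted(rows, key=lambda r: (order[r["severity"]], r["app"]))


# Constructed sample inventory (as might come from SaaS discovery or expense data)
# and a constructed IdP catalog. "Corporate Twitter" is a vault tile only.
INVENTORY = [
    AppRecord("Salesforce", "SAML", True, False, "sales-ops"),
    AppRecord(" slack ", "OIDC", True, False, "it"),
    AppRecord("BuildServer", "SAML", False, False, "engineering"),
    AppRecord("Corporate Twitter", None, False, True, "marketing"),
    AppRecord("LegacyERP", None, False, False, "finance"),
]
IDP_APPS = ["Salesforce", "Slack", "BuildServer", "Corporate Twitter"]

if __name__ == "__main__":
    for row in risk_register(INVENTORY, IDP_APPS):
        print(f"{row['severity']:<6} {row['status']:<20} {row['app']:<18} "
              f"{row['owner']:<12} {', '.join(row['findings'])}")
```

Run against the sample data, the register lists the shared marketing account as the only high-severity row, the build server as partially federated (SSO but no SCIM, so offboarding is still a ticket), and the legacy ERP as nonfederated because it is absent from the IdP altogether. Feeding the script a real inventory export and IdP application list is the only change needed to use it in practice.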
Lastly, Chiodi emphasized the importance of security leaders taking the risks of nonfederated applications seriously. He stated, "44% of security leaders underestimate the risk of nonfederated apps," and urged organizations to prioritize the security of these applications to mitigate potential breaches and incidents.
Download the full report to learn more.