Monthly Archives: May 2023

The Hidden Cybersecurity Threat in Organizations: Nonfederated Applications

Nonfederated applications pose an unseen and severe threat because in most organizations there is little visibility into who has access to what and how those accounts are secured. Sponsored by Cerby, Ponemon Institute surveyed 595 IT and IT security practitioners in the United States who are involved in their organization's identity and access management strategy. The study aims to determine organizations' level of understanding of the risks created by nonfederated applications and the steps that can be taken to mitigate those risks.


A key takeaway from the research is that organizations don't know what they don't know when it comes to nonfederated applications. Less than half (49 percent) of organizations track the number of nonfederated applications they have, meaning applications that are not managed or accessed through their identity provider (IdP). Of those respondents who do track them, 23 percent say they have between 101 and 250; the average is 96. Despite efforts to keep an accurate inventory, only 21 percent of these respondents are highly confident that they know all the nonfederated applications used throughout the enterprise.

Nonfederated applications are risky because they cannot be centrally managed through the organization's IdP (59 percent of respondents). Fifty-one percent of respondents say they are risky because they do not support industry identity and security standards such as Security Assertion Markup Language (SAML) for single sign-on or System for Cross-domain Identity Management (SCIM) for automated user onboarding and offboarding. As defined in this research, a nonfederated application, whether in the cloud or on-premises, is one that lacks support for the security standards organizations need in order to manage identities and access at scale.

NOTE: An IdP (identity provider) is a service that stores and manages digital identities and authenticates users on behalf of other systems. Using an IdP simplifies identity and access management because users authenticate with a single set of credentials across multiple systems and applications, and administrators grant and revoke access in one place. Many organizations use IdPs to manage user access to internal and external systems, such as cloud-based applications or partner networks.

The following findings are evidence of the risk posed by nonfederated applications. 

  • The cost and time of provisioning and deprovisioning access to applications quickly adds up. Before analyzing the risks, it is important to understand the costs. Seven hours is the average time spent provisioning access to a standard set of applications for one employee. At an average $62.50 hourly pay rate the cost is $437.50 per employee. To deprovision one employee takes an average of 8 hours costing $500 per employee. Organizations can use this benchmark to calculate the process’s impact based on the annual turnover in employees and contractors.
  • Salaries also need to be considered. An average of 8 people are involved in the provisioning and deprovisioning process in addition to their other responsibilities. The average annual salary per staff member is $81,000. Consequently, the total annual staff cost amounts to $648,000, with a significant portion allocated to the time-consuming manual work of provisioning and deprovisioning, which could be better utilized elsewhere.
  • The total average annual cost to investigate and remediate cybersecurity incidents involving nonfederated applications is $292,500. This is based on 47 hours each week, or 2,444 hours annually, spent investigating potential unauthorized access, plus 43 hours weekly, or 2,236 hours annually, spent investigating and remediating cybersecurity incidents caused by unauthorized access to nonfederated applications: 4,680 hours in total at the $62.50 hourly rate used above.
  • Nonfederated applications are represented across all application categories and are not limited to a single business unit. As discussed previously, only 49 percent of organizations are tracking the use of nonfederated applications. Only 21 percent of these respondents say their organizations are confident in knowing all the nonfederated applications being used. Nonfederated application use across business units underscores the difficulty in managing them.
  • Fifty-two percent of respondents say their organizations have experienced a cybersecurity incident caused by the inability to secure nonfederated applications. Sixty-three percent of these respondents say their organizations had at least four such incidents. Loss of customers and loss of business partners are the primary consequences of a cybersecurity incident caused by the inability to secure nonfederated applications, according to 43 percent and 36 percent of respondents respectively.
  • Security and identity teams are often left out of managing and manually controlling access to nonfederated applications. According to the research, shared management of nonfederated applications leads to a decentralized approach. Business units (63 percent of respondents) are most likely to manage these applications followed by IT teams (54 percent of respondents). Only 45 percent of respondents say the security and/or identity teams are responsible for managing these applications. Moreover, 54 percent of respondents say the granting and revoking of access are controlled by business units.
  • Organizations are using inefficient manual processes to grant and revoke access to applications. An average of 84 applications in organizations represented in this research require an admin to manually log in to add, remove or update access, meaning the application doesn’t support SCIM and the organization cannot leverage automation through its IdP. The primary reasons for not automating the process are SCIM is not supported (33 percent of respondents) and the cost (31 percent of respondents).
  • Organizations rely upon business units to report their use of nonfederated applications. While there are several methods used to collect information about current nonfederated applications, business units are most likely to self-report their use of nonfederated applications (62 percent of respondents) followed by the use of a cloud access security broker (CASB) (48 percent of respondents) and endpoint detection tools (47 percent of respondents). Only 39 percent of respondents say business units complete a form to confirm the nonfederated applications used.
  • On average, more than half of tracked nonfederated applications do not support single sign-on (SSO). As discussed previously, organizations that track their use have an average of 96 nonfederated applications, and respondents estimate that an average of 50 of these do not support SSO. As described in the research, the benefit of SSO is that it lets a user authenticate with one set of login credentials (for example, a username and password) to access multiple applications, which eases the management of multiple credentials. Without SSO, each such application holds its own password that the IdP can neither enforce policy on nor revoke.
  • Organizations lack an effective process to prevent employees from putting data in nonfederated applications at risk. Few organizations report that they are effective at preventing employees from reusing passwords, at removing employees' access to critical systems after they leave or change roles, or at preventing employees from disabling MFA.
  • There is a desire to prioritize nonfederated application security, but the risk is underestimated due to a lack of awareness. While only 34 percent of respondents say their organizations do not make the security of nonfederated applications a priority, 44 percent of respondents say management underestimates the cybersecurity risks. When educated on the risks, 82 percent of respondents say the importance of securing nonfederated applications increased.
  • Employees are sharing their account login credentials, making it critical to have the proper security safeguards in place. Seventy-six percent of respondents say employees share account login credentials: with both other employees and external collaborators (35 percent), with other employees only (21 percent), or with external collaborators only (20 percent).
  • Exposing, failing to rotate passwords and being unable to track who is accessing a shared account are top security concerns. Forty-one percent of respondents say employees or collaborators share accounts without concealing the password and another 41 percent say passwords are not rotated. Reused or weak credentials also create risk (36 percent of respondents).
  • Organizations are not able to reduce the cybersecurity risks caused by shared accounts. Half of respondents (50 percent) say their organizations’ access management strategy enables employees to share login credentials securely when required by the application. However, only 27 percent of respondents say their organizations are very or highly effective in reducing cybersecurity risks from shared accounts. Of those respondents (73 percent) who rank their organization’s effectiveness as low, 56 percent are motivated to reduce the cybersecurity risk.
  • Organizations lack processes and policies to make nonfederated applications secure. Only 41 percent of respondents have a process to make nonfederated applications secure and compliant with their organizations’ policies and only 35 percent of respondents say they have a policy that prevents the trial use of new nonfederated applications. Thirty-nine percent of respondents say the use of nonfederated applications is limited. As shown in this research, organizations do not like to limit the use of nonfederated applications because it can affect employee morale and productivity.
  • The challenge for organizations is that they don't know what they don't know. The top two challenges to securing nonfederated applications are the inability to know and manage all nonfederated applications because of a lack of visibility, and not having an accurate inventory. These are followed by the inefficient use of manual processes to secure nonfederated applications. Budget and in-house expertise are not considered as much of a challenge.
  • Most organizations do not follow up to ensure password and MFA policies adherence. Fifty-seven percent of respondents say employees are required and reminded to turn on MFA and about half (48 percent of respondents) say employees are required and reminded to rotate passwords regularly. However, only 40 percent of respondents say they follow up with every account to make sure MFA is turned on and passwords are rotated in accordance with their policies.
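The follow-up the last finding describes, checking every account in an application the IdP cannot see, is usually done from a user export that an admin pulls after logging in to the application by hand. The following script is an added example, not code from the report or from Cerby; it shows what that check looks like when the export is reconciled against the IdP's active-user list. The CSV columns, the 90-day rotation policy, the naming convention used to spot shared accounts, and all sample data are assumptions constructed for the illustration. It flags the four gaps the findings above describe: accounts that outlive their IdP identity (the deprovisioning problem), MFA left off, stale passwords, and shared accounts that cannot be tied to one person.

```python
# Added example: audit an account export from a nonfederated application
# against the IdP's active-user list. Column names, thresholds, and all
# sample data are assumptions constructed for this illustration; they are
# not taken from the Ponemon/Cerby report.
import csv
import io
from datetime import date, timedelta

# Constructed: users the IdP currently considers active.
IDP_ACTIVE_USERS = {"alice@example.com", "bob@example.com", "dana@example.com"}

# Constructed: what an admin might export after manually logging in to an
# application that supports neither SAML nor SCIM.
APP_EXPORT_CSV = """\
username,mfa_enabled,last_password_change,last_login
alice@example.com,true,2023-04-02,2023-05-10
bob@example.com,false,2022-11-15,2023-05-09
carol@example.com,true,2023-01-20,2023-05-08
marketing-shared@example.com,false,2022-06-01,2023-05-11
"""

PASSWORD_MAX_AGE = timedelta(days=90)           # assumed rotation policy
SHARED_MARKERS = ("shared", "team", "generic")  # assumed naming convention


def parse_export(text):
    """Parse the CSV export into normalised records."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        records.append({
            "username": row["username"].strip().lower(),
            "mfa_enabled": row["mfa_enabled"].strip().lower() in ("true", "yes", "1"),
            "last_password_change": date.fromisoformat(row["last_password_change"].strip()),
        })
    return records


def audit_accounts(records, idp_users, today, max_age=PASSWORD_MAX_AGE):
    """Return {username: [issue, ...]} for every account that violates policy.

    Issue codes: not_in_idp (orphaned or local-only account the IdP never
    deprovisioned), mfa_off, password_stale (older than max_age), and
    shared_account (username matches a shared-mailbox naming convention).
    """
    findings = {}
    for rec in records:
        issues = []
        if rec["username"] not in idp_users:
            issues.append("not_in_idp")
        if not rec["mfa_enabled"]:
            issues.append("mfa_off")
        if today - rec["last_password_change"] > max_age:
            issues.append("password_stale")
        local_part = rec["username"].split("@", 1)[0]
        if any(marker in local_part for marker in SHARED_MARKERS):
            issues.append("shared_account")
        if issues:
            findings[rec["username"]] = issues
    return findings


def run_audit(today_iso="2023-05-15"):
    """Audit the constructed export as of the given date (ISO 8601)."""
    return audit_accounts(parse_export(APP_EXPORT_CSV), IDP_ACTIVE_USERS,
                          date.fromisoformat(today_iso))


if __name__ == "__main__":
    for user, issues in sorted(run_audit().items()):
        print(f"{user}: {', '.join(issues)}")
```

Run against the constructed export as of 2023-05-15, alice is clean, bob has MFA off and a stale password, carol still has an account although the IdP no longer knows her, and the marketing mailbox fails on every check. In practice the `not_in_idp` list is the one to act on first, because those are exactly the accounts that manual deprovisioning missed; the same export can be re-run after each offboarding batch to confirm the removals actually happened.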

To read the full report, visit the Cerby website.

Rules for Whistleblowers: a Handbook for Doing What’s Right

Bob Sullivan

Ever see something at work that you just knew wasn’t right, but felt like there was nothing you could do? Maybe there is something you can do. And maybe you can do it … anonymously.

When whistleblower Frances Haugen came forward and testified before Congress about what she thought was going wrong inside Facebook, she changed big tech forever. Or did she?

I recently talked about this with Stephen Kohn, author of the book, Rules for Whistleblowers, A Handbook for Doing What’s Right. He’s also one of the nation’s leading whistleblower attorneys. We discussed the lasting impact Haugen did (or didn’t) have on the tech industry. But more important, he offered a roadmap for people who work in tech to come forward if they think something terribly wrong is happening at their company. And he explained how workers can do this without putting their livelihoods at risk.

“What we’ve seen is for every one whistleblower who’s willing to go public and really risk a lot, there’s a thousand who would go non-public and provide supporting information,” he said to me on the Duke Debugger podcast that I host. But those who go public often get “crushed” by well-funded legal teams.

“That’s why Congress in 2010 with the Dodd-Frank Act created these… what I call super anonymity laws. When I discussed those with the Senate banking committee, when the law was being debated …  I’ll never forget it, the Senate staffer said to me, ‘Steve, if Wall Street knows who you are, you will be crushed no matter what, and your career will be destroyed. You know, we have to create procedures to prevent that.’ And I said, ‘Hallelujah!’ ”

Whistleblowers can come forward without making a big public display, and in fact, government investigators often prefer that, he said.

“Anonymous means you don’t have to set your hair on fire. You don’t have to burn your bridges,” he said. “And the government wants you to stay working in the company so you can provide additional information about violations. Once you have filed, sometimes the government agencies will share your information or you’re aware of other agencies that might be interested, and … say, tell the SEC to share your information. So it begins a process. The bottom line is these laws make it easier to do the right thing to report misconduct and not necessarily lose your job and career.”

Provisions in the Dodd-Frank bill have changed the nature of whistleblowing and they include large financial incentives.

“The SEC alone has paid whistleblowers about $1.5 billion in rewards, and in almost every one of those cases, no one even knows who the whistleblower is. They don’t receive big press reports. It’s almost all under the radar,” Kohn said.

Readers can listen to the entire interview, or read a transcript, at this site. Kohn’s book is called Rules for Whistleblowers, A Handbook for Doing What’s Right and will be available from the National Whistleblower Center and in bookstores on June 1.