The Importance of Identity for SaaS Applications
The enterprise cloud revolution is here. IT organisations everywhere, from small and mid-sized businesses to Fortune 500 companies, are moving from on-premises software to on-demand, cloud-based services. As enterprise IT makes this transition to a new hybrid on-demand/on-premises configuration, controlling who is granted access to which applications becomes increasingly important. This presents CIOs and their teams with a whole new set of identity management challenges. In addition, users must keep track of multiple URLs, user names, and passwords to get access to their applications.
There are eight main identity and access management (IAM) challenges associated with adopting and deploying cloud and SaaS applications.
1. User Password Fatigue
Although the SaaS model initially makes it easier for users to access their applications, complexity quickly increases with the number of applications. Each application has different password requirements and expiration cycles. The variety of requirements multiplied by the variety of expiration cycles equals diminished user productivity and increased user frustration as they spend time trying to reset, remember, and manage these constantly changing passwords and URLs across all of their applications.
Perhaps of even greater concern are the security risks caused by the same users who react to this “password fatigue” by using obvious or reused passwords written down on Post-it notes or saved in Excel files on laptops.
2. Failure-Prone Manual Provisioning and De-Provisioning Process
When a new employee starts at a company, IT often provides the employee with access to the corporate network, file servers, email accounts, and printers. Since many SaaS applications are managed at department level (Sales Operations manages Salesforce.com, Accounting manages QuickBooks, Marketing manages Marketo, etc.), access to these applications is often granted separately by the specific application’s administrator, rather than by a single person in IT.
An employee termination is almost certainly a bigger concern. IT can centrally revoke access to email and corporate networks, but it has to rely on external application administrators to revoke the terminated employee's access to each SaaS application. This leaves the company vulnerable: critical business applications and data remain in the hands of potentially disgruntled former employees, and auditors will be looking for holes in your deprovisioning solution.
3. Compliance Visibility: Who Has Access to What?
It's important to understand who has access to applications and data, where they are accessing it from, and what they are doing with it. This is particularly true when it comes to cloud services. However, only the most advanced offerings like Salesforce.com offer any compliance-like reporting, and even then, it's siloed for just one application.
4. Siloed User Directories for Each Application
Most enterprises have made a significant investment in a corporate directory (such as Microsoft Active Directory) to manage access to on-premises network resources. As organisations adopt cloud-based services, they need to leverage that investment and extend it to the cloud, rather than create a parallel directory and access management infrastructure just for those new SaaS applications.
5. Managing Access across an Explosion of Browsers and Devices
One of the great benefits of cloud applications is that access is available from any device that is connected to the Internet. But more apps means more URLs and passwords, and the rise of mobile devices introduces yet another access point to manage and support.
IT departments must facilitate access across multiple devices and platforms without compromising security—a difficult feat with existing IAM systems.
6. Keeping Application Integrations Up to Date
Truly centralising single sign-on and user management requires building integrations with numerous applications and keeping track of the maintenance requirements for new versions of each application. For the vast majority of organisations, having their IT department maintain its own collection of “connectors” across that constantly changing landscape is unrealistic and inefficient.
Today's enterprise cloud applications are built with cutting-edge, Internet-optimised architectures. The modern web technologies underlying these applications provide excellent choices for vendors to develop their service and its associated interfaces. Unfortunately for IT professionals, that also means that every new vendor may require a new approach when it comes to integration, particularly concerning user authentication and management.
In addition, like on-premises applications, SaaS apps change over time. A good cloud-based IAM solution should keep up with these changes and ensure that the application integration, and thus your access, is always up to date and functional. Your IAM service should mediate all the different integration technologies and approaches, making these challenges transparent for IT. And as the various services’ APIs change and multiply, the cloud IAM provider should manage these programmatic interfaces, offloading the technological heavy-lifting away from your IT department, so they no longer have to track dependencies between connectors and application versions.
7. Different Administration Models for Different Applications
As cloud applications become easier and less expensive to get up and running, companies are adopting more point SaaS solutions every day. These solutions are often managed by the corresponding functional area in a company, such as the Sales Operations group in the case of Salesforce.com. This can benefit IT (because it leaves application administration to others and frees up time), but it can also create a new problem because there is no central place to manage users and applications, or provide reports and analytics.
8. Sub-Optimal Utilisation, and Lack of Insight into Best Practices
One reason for the rise of cloud applications is that monthly subscription models have replaced the upfront lump sum of the old, on-premises software license purchase. CFOs clearly prefer to pay for the services that employees use as they go. With no centralised insight into usage, however, IT and financial managers cannot manage these subscription purchases and have little idea whether they are paying for more than they actually use.
What does this mean for you?
A best-of-breed cloud-based IAM solution can address each of the above concerns. Download this whitepaper from our Identity Management partner, Okta, which covers these concerns as well as best practices for addressing each of them.