Organizations are now implementing Cloud/SaaS based applications (including PaaS, IaaS, MaaS, BaaS, etc.) at a rapid pace. It has become mainstream now!
According to Forrester and Gartner, enterprise-wide adoption of SaaS is widespread and has reached a tipping point. 62% of enterprises have multiple SaaS apps today, and that number is growing quickly. As enterprises turn to SaaS as a way to reduce IT costs, new security and compliance challenges are created as confidential data moves across the firewall onto 3rd party systems.
You may be facing, or will soon face, the following questions/challenges (I did!):
- How do you efficiently manage user access (authentication) to SaaS apps based on their roles & responsibilities?
- How do you efficiently manage data access (authorization) based on the roles & responsibilities?
- How do you manage authentication and authorization differently for Private vs Public Cloud/SaaS apps?
- How do you prevent back-door access, or access from an unsecured environment?
- How do you centrally authenticate users?
- How do you provide a simple and efficient Single Sign-On (SSO) to all SaaS apps from any place, any location and more important from any device?
- How do you extend your organization’s access/data policies and procedures to the cloud?
- How do you monitor, audit, report and log all access activity for all the SaaS apps – to comply with organization policies & procedures, regulations etc?
- How do you leverage existing user identity/infrastructure such as Active Directory, LDAP etc to manage identity management for all the SaaS apps?
- How do you bring in and implement more SaaS apps into the environment?
- How do you build and manage SSO adapters (both SAML and HTTPS) for SaaS apps quickly & easily?
- How do you minimize the maintenance, administration & support of all the above – especially for new employees or when they leave?
You are not alone; we faced this when we reached 10 SaaS apps. We addressed all the above challenges by implementing a robust Hybrid Cloud based Identity & SSO Management solution (from Symplified) for both internal and external SaaS apps (see related case study).
Why Hybrid? It bridges the benefits of SaaS and on-premise security: it sits behind the firewall, in close proximity to network security, AD and Private Cloud SaaS based apps.
See related post on SaaS Vendor Evaluation and Selection Process – Framework, Reference architectures, SaaS identity Management
We built and integrated an SSO widget within our Enterprise Collaboration Platform dashboard (see related architecture). This provided an easy and quick way for employees to access SaaS apps using their network (AD) credentials.
Following is the typical “in the flow” process:
- Employees access the Enterprise Collaboration platform from their desktop/Citrix/Blackberry, and the browser sends an encrypted identity from their profile via an NTLM (similar to IWA) challenge, because the Collaboration platform is listed in the employee’s browser as a trusted site.
- The Collaboration platform validates the NTLM challenge, which authenticates the employees and lets them access the platform automatically.
- By default employees land on the Collaboration’s dashboard page. (The external SaaS SSO widget is part of the dashboard).
- Employees enter their network/AD credentials into the SaaS SSO widget to access SaaS apps.
- This request is then processed by the Cloud Identity/Access Management solution, which authenticates the employee’s credentials (again) against the AD server. (This ensures security and integrity.)
- Employees then see all the SaaS applications to which they have been granted access privileges. (This is achieved via AD policy management).
- Employees can select any of the SaaS applications and they are automatically logged into them.
- All the above steps are logged and audited for future reporting and compliance requirements.
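To make the flow above concrete, here is an added example (written for this post; it is not Symplified's code or any vendor's API) that models the hub in a few dozen lines of Python. The directory is a constructed in-memory stand-in for AD, the app-to-group policy is invented, and the "token" returned on SSO is a plain dictionary standing in for a SAML assertion or HTTPS adapter session. The point it shows is the one the flow relies on: credentials are re-checked against the directory on every SSO request, an app is only offered when the user's directory group grants it, every step lands in an audit record, and disabling the directory account immediately cuts off access to every app.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 so the constructed directory never stores cleartext passwords
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    enabled: bool
    groups: set
    salt: bytes
    pw_hash: bytes


class Directory:
    """Constructed stand-in for Active Directory: accounts, groups, enabled flag."""

    def __init__(self):
        self.accounts = {}

    def add(self, user, password, groups, enabled=True):
        salt = secrets.token_bytes(16)
        self.accounts[user] = Account(enabled, set(groups), salt, _hash(password, salt))

    def disable(self, user):
        # The "employee leaves" case: one flag in the directory cuts off all SaaS access
        self.accounts[user].enabled = False

    def authenticate(self, user, password) -> bool:
        acct = self.accounts.get(user)
        if acct is None or not acct.enabled:
            return False
        return hmac.compare_digest(acct.pw_hash, _hash(password, acct.salt))

    def groups_of(self, user):
        return self.accounts[user].groups


# Constructed entitlement policy: SaaS app -> (directory group that grants it, adapter type)
APP_POLICY = {
    "crm": ("g-sales", "SAML"),
    "expenses": ("g-all-staff", "SAML"),
    "hr-portal": ("g-hr", "HTTPS"),
}


class IdentityHub:
    """The hybrid identity/SSO layer behind the dashboard widget (hypothetical)."""

    def __init__(self, directory):
        self.directory = directory
        self.audit_log = []  # single place where every access event is recorded

    def _audit(self, user, event, detail=""):
        ts = datetime.now(timezone.utc).isoformat()
        self.audit_log.append({"ts": ts, "user": user, "event": event, "detail": detail})

    def login(self, user, password) -> bool:
        ok = self.directory.authenticate(user, password)
        self._audit(user, "login", "success" if ok else "failure")
        return ok

    def entitled_apps(self, user):
        # Authorization comes from directory group membership, not from the SaaS app
        groups = self.directory.groups_of(user)
        return sorted(app for app, (grp, _) in APP_POLICY.items() if grp in groups)

    def sso(self, user, password, app):
        # Re-authenticate against the directory on every SSO request
        if not self.login(user, password):
            return None
        if app not in self.entitled_apps(user):
            self._audit(user, "sso_denied", app)
            return None
        _, adapter = APP_POLICY[app]
        token = {"subject": user, "app": app, "adapter": adapter,
                 "nonce": secrets.token_hex(8)}  # stand-in for a SAML assertion
        self._audit(user, "sso", f"{app} via {adapter}")
        return token


def build_demo():
    """Constructed directory with two users, wired to a hub."""
    d = Directory()
    d.add("alice", "alice-pw", ["g-sales", "g-all-staff"])
    d.add("bob", "bob-pw", ["g-all-staff"])
    return d, IdentityHub(d)


if __name__ == "__main__":
    d, hub = build_demo()
    print(hub.entitled_apps("alice"))           # ['crm', 'expenses']
    print(hub.sso("alice", "alice-pw", "crm"))  # token for the CRM app
    print(hub.sso("alice", "alice-pw", "hr-portal"))  # None: not in g-hr
    d.disable("alice")
    print(hub.sso("alice", "alice-pw", "crm"))  # None: account disabled
    for entry in hub.audit_log:
        print(entry)
```

The deliberate design choice is that the widget never holds app-specific passwords: the directory is the only authority for both authentication and authorization, which is exactly what makes termination a one-step operation and the audit log a single source for compliance reporting.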
Benefits & Value
- Seamless auto single sign-on to the Enterprise Collaboration platform (Social Intranet, Social Business platform) from the employee’s desktop/Citrix.
- Provided employees with a one stop “hub” to single sign-on and access internal and external SaaS applications seamlessly, both SAML-supported and non-SAML.
- Increased user adoption of the Enterprise Collaboration platform.
- Reduced number of password resets/forgotten passwords for SaaS apps.
- Leveraged existing network security (AD) for authentication and authorization. So when employees leave, you can just disable their identity in AD and that cuts off access to SaaS apps.
- Ability to extend SSO & Identity Management to new SaaS apps quickly and easily.
- Less or no internal maintenance and support for the entire cloud security & identity management infrastructure – “A true Hybrid Cloud Solution”.
- Strong foundation architecture ready to enable access to SaaS apps from employees’ new and shiny mobile devices – iPad, iPhone, Droid, etc.
- Meet audit and regulatory compliance, policies & procedures.
- Met the goal of a robust central user identity repository, access and identity management to address current and future requirements.
A common question that many have raised or may be thinking about: what is the trade-off between easy access to SaaS apps vs. risk? What are the compelling reasons? The following 5 “value” points should help answer this question.
- A single point for access and identity control. Enable (new hire) and disable (termination) access for SaaS apps for employees, temps, consultants etc. quickly and easily.
- A single point to log, report and audit all access activities. This helps meet regulatory and compliance requirements easily.
- A single point for authentication to all SaaS apps. This helps to leverage the existing AD/LDAP infrastructure.
- A single point for authorization to all SaaS apps. This again helps to leverage the existing AD/LDAP authorization policies and extend them to SaaS apps.
- Last but not least – be/get ready for the world of “2.0” platforms coming in to the enterprise – web, collaboration, mobile (BYOT – iPad, iPhone, Droid), identity, social, etc.
Appreciate your feedback and comments.