Posts Tagged ‘Security’

Cloud Security, Identity Management & SaaS Single Sign-On – What’s the business value?

July 23, 2011 1 comment

Organizations are now implementing Cloud/SaaS based applications (including PaaS, IaaS, MaaS, BaaS etc.) at a rapid pace. It has become mainstream!

According to Forrester and Gartner, enterprise-wide adoption of SaaS is widespread and has reached a tipping point. 62% of enterprises have multiple SaaS apps today, and that number is growing quickly. As enterprises turn to SaaS as a way to reduce IT costs, new security and compliance challenges are created as confidential data moves across the firewall onto 3rd party systems.

You may be facing, or will soon face, the following questions and challenges (I did)!

  1. How do you efficiently manage user access (authentication) to SaaS apps based on their roles & responsibilities?
  2. How do you efficiently manage data access (authorization) based on the roles & responsibilities?
  3. How do you manage authentication and authorization differently for Private vs Public Cloud/SaaS apps?
  4. How do you prevent back-door access, or access from an unsecured environment?
  5. How do you centrally authenticate users?
  6. How do you provide a simple and efficient Single Sign-On (SSO) to all SaaS apps from any place, any location and more important from any device?
  7. How do you extend your organization’s access/data policies and procedures to the cloud?
  8. How do you monitor, audit, report and log all access activity for all the SaaS apps – to comply with organization policies & procedures, regulations etc?
  9. How do you leverage existing user identity/infrastructure such as Active Directory, LDAP etc to manage identity management for all the SaaS apps?
  10. How do you bring in and implement more SaaS apps into the environment?
  11. How do you build and manage SSO adapters (both SAML and HTTPS) for SaaS apps quickly & easily?
  12. How do you minimize the maintenance, administration & support of all the above – especially for new employees or when they leave?

You are not alone; we faced this when we reached 10 SaaS apps. We addressed all the above challenges by implementing a robust Hybrid Cloud based Identity & SSO Management solution (from Symplified) for both internal and external SaaS apps (see related case study).

Why Hybrid? It bridges the benefits of SaaS and on-premise security: it sits behind the firewall, in close proximity to network security, AD and Private Cloud SaaS based apps.

See related post on SaaS Vendor Evaluation and Selection Process – Framework, Reference architectures, SaaS identity Management

We built and integrated an SSO widget within our Enterprise Collaboration Platform dashboard (see related architecture). This provided an easy and quick way for employees to access SaaS apps using their network (AD) credentials.

Following is the typical “in the flow” process:

  1. Employees access the Enterprise Collaboration platform from their desktop/Citrix/Blackberry, and the browser sends an encrypted identity of their profile via an NTLM (similar to IWA) challenge. (This works because the Collaboration platform is listed in the employee’s browser as a trusted site.)
  2. The Collaboration platform validates the NTLM challenge. This authenticates the employees to access the platform automatically.
  3. By default employees land on the Collaboration’s dashboard page. (The external SaaS SSO widget is part of the dashboard.)
  4. Employees enter their network/AD credentials into the SaaS SSO widget to access SaaS apps.
  5. This request is then processed by the Cloud Identity/Access Management solution, which authenticates the employee’s credentials (again) against the AD server. (This ensures security and integrity.)
  6. Employees then see all the SaaS applications to which they have been granted access privileges. (This is achieved via AD policy management).
  7. Employees can select any of the SaaS applications and they are automatically logged into them.
  8. All the above steps are logged and audited for future reporting and compliance requirements.
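To make the flow in steps 5 to 8 concrete, here is an added toy model of the hub (not the Symplified product or the author’s code): a constructed AD-style user store with PBKDF2 password hashes, a constructed group-to-app policy that carries the adapter type (SAML or HTTPS) per app, an audit log written at every step, and a deprovision step showing that disabling the AD account cuts off all SaaS access. All names, users and groups are made up for the example.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed stand-in for the AD user store: PBKDF2 password hashes, group
# membership, and the account-enabled flag that "disable in AD" flips.
SALT = b"constructed-salt-for-example-only"


def _pw_hash(pw):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), SALT, 100_000)


DIRECTORY = {
    "alice": {"pw": _pw_hash("correct horse"), "groups": {"all-staff", "sales"}, "enabled": True},
    "bob": {"pw": _pw_hash("battery staple"), "groups": {"all-staff"}, "enabled": True},
}
# Constructed AD policy: group -> {SaaS app: SSO adapter type} (step 6).
APP_POLICY = {
    "all-staff": {"webmail": "SAML"},
    "sales": {"crm": "SAML", "expenses": "HTTPS"},
}
AUDIT_LOG = []  # every step is recorded for reporting and compliance (step 8)


def audit(event, user, **detail):
    AUDIT_LOG.append({"ts": datetime.now(timezone.utc).isoformat(), "event": event, "user": user, **detail})


def authenticate(user, password):
    """Step 5: the hub re-validates the submitted credentials against the directory."""
    rec = DIRECTORY.get(user)
    ok = bool(rec and rec["enabled"] and hmac.compare_digest(rec["pw"], _pw_hash(password)))
    audit("auth", user, success=ok)
    return ok


def entitled_apps(user):
    """Step 6: apps the user may see, derived only from AD group membership."""
    rec = DIRECTORY.get(user)
    if not rec or not rec["enabled"]:
        return {}
    apps = {}
    for group in rec["groups"]:
        apps.update(APP_POLICY.get(group, {}))
    return apps


def launch(user, app):
    """Step 7: SSO launch only for an entitled app; returns the adapter used, or None."""
    adapter = entitled_apps(user).get(app)
    audit("launch", user, app=app, allowed=adapter is not None, adapter=adapter)
    return adapter


def deprovision(user):
    """Benefit 5: disabling the AD account is the single cut-off for all SaaS access."""
    DIRECTORY[user]["enabled"] = False
    audit("disable", user)
```

Because entitlement is recomputed from the directory on every launch, no per-app deprovisioning is needed: one disabled flag in AD removes every app from the user's hub and is itself an audited event.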

Benefits & Value

  1. Seamless auto single sign-on to Enterprise Collaboration platform (Social Intranet, Social Business platform) from employee’s desktop/Citrix.
  2. Provided employees with a one stop “hub” to single sign-on and access internal and external SaaS applications seamlessly, both SAML-supported and non-SAML.
  3. Increased user adoption of the Enterprise Collaboration platform.
  4. Reduced number of password resets/forgotten passwords for SaaS apps.
  5. Leveraged existing network security (AD) for authentication and authorization. So when employees leave, you can just disable their identity in AD and that cuts off access to all SaaS apps.
  6. Ability to extend SSO & Identity Management to new SaaS apps quickly and easily.
  7. Less or no internal maintenance and support for the entire cloud security & identity management infrastructure – “A true Hybrid Cloud Solution”.
  8. Strong foundation architecture ready to enable access to SaaS apps from employee’s new & shiny mobile devices – iPad, iPhone, Droid etc.
  9. Meet audit and regulatory compliance, policies & procedures.
  10. Met the goal of a robust central user identity repository, access and identity management to address current and future requirements.

A common question that many have raised or may be thinking about: what is the trade-off between easy access to SaaS apps vs. risk? What are the compelling reasons? The following 5 “value” points should help answer this question.

  1. A single point for access and identity control. Enable (new hire) and disable (termination) access for SaaS apps for employees, temps, consultants etc. quickly and easily.
  2. A single point to log, report and audit all access activities. This helps meet regulatory and compliance requirements easily.
  3. A single point for authentication to all SaaS apps. This helps to leverage the existing AD/LDAP infrastructure.
  4. A single point for authorization to all SaaS apps. This again helps to leverage the existing AD/LDAP authorization policies and extend them to SaaS apps.
  5. Last but not least, be ready for the world of “2.0” platforms coming into the enterprise: web, collaboration, mobile (BYOT – iPad, iPhone, Droid), identity, social etc.

Appreciate your feedback and comments.

Contact Info

LinkedIn  kchakkarapani@yahoo.com


Top 12 Questions and Requirements for SaaS & Cloud Vendors – Technology, Security, Identity Management, Compliance, Standards

July 20, 2011 2 comments

Evaluating, selecting and implementing a SaaS or a Cloud based application goes beyond just the application functionality. That is only 50% of the equation or value proposition. Looking into the other technology aspects of the SaaS vendor is very important: Security, Compliance, Data, Identity Management, Integration, Standards, Support, Hosting facility, SLAs etc.

Business has a lot of urgency and temptation to select and implement SaaS applications. As IT we need to help them choose the right solution that meets both business and technology requirements. This is where IT can partner with the Business to provide additional value in evaluating and selecting the right SaaS vendors that meet both business and technology objectives. By doing this you can avoid the pitfalls of business selecting and implementing SaaS applications outside of IT.

Following are the Top 12 questions & requirements you will need to ask SaaS and Cloud vendors. This is based on my experience in evaluating, selecting and implementing 12+ SaaS applications and 3 cloud environments over the past 4 plus years.

**See related detailed post on SaaS Vendor Evaluation and Selection Process – Framework, Reference architectures, SaaS identity Management**

**See Cloud ROI framework from Forrester**

1. Hosting Provider & Data Location

  • Who is the hosting provider?
  • Where is the hosting location? Country, State?
  • What type of infrastructure is used? Hardware, software, operating system, technology platform?
  • Ask for the architecture diagrams for all layers: Business, Application, Integration, Data & Infrastructure.
  • Where is the primary data being stored? This is needed in order to comply with local jurisdiction, privacy and regulation requirements.
  • Where is the backup data being stored?
  • What type of virtualization software is used? VMware, Hyper-V?
  • What type of network bandwidth is available (min 100 Mbps) ? What options are available for dedicated bandwidth?
  • What type of scalability is provided for additional computing power – CPU, RAM, Storage? Costs? Time to implement?

2. Data Access, Security, Segregation & Encryption

  • Is it a dedicated or a shared environment?
  • If it is a shared environment, how is the data segregated from other tenants’ environments?
  • What type of data architecture is implemented? Diagrams?
  • How is security managed in the shared environment? What controls are in place?
  • Who has access to the infrastructure, hardware, software, data? Ask for specific info on the roles & responsibilities of administrators, profiles, hiring practices etc
  • What application & data access audit logs are available? How often can you get this?
  • How is the primary data encrypted? What encryption schemes are used? Who has access to the decryption keys? How often is this tested?
  • How is the backup data stored? Is the data in raw files or encrypted format? What locations are the backup data stored? Who has access to this backup data?
  • What type of investigative support is provided in cases of breach?
  • If the vendor is acquired, sold or dissolved, what options are available to get the data back? Costs? How is the data wiped from the environment?

3. Regulatory Compliance

The Business remains responsible for data security, integrity and privacy even if it is a SaaS app that is managed by the vendor.

  • What regulations are complied with?
  • PCI & HIPAA compliance? What options are available? How is this managed?
  • How often is this audited?
  • How is this enforced?
  • Ask for availability & access to the audit reports on a regular basis

4. Hosting Facility Security & Compliance

  • Is the hosting facility SAS 70 Type II (Statement on Auditing Standards No. 70) compliant? This is an important requirement as it encompasses security and regulatory compliance controls.
  • How often is this compliance audited?
  • Auditing and compliance is just 50% of the requirement. It is important to find out how actively the hosting vendor enforces the SAS 70 Type II controls and requirements in its work processes. Ask for this info in detail.

5. Business Continuity & Disaster Recovery

  • What type of business continuity & disaster recovery options are available? Is this part of the standard services?
  • Where are the DR (disaster recovery) data centers located?
  • What type of infrastructure exists to replicate and synchronize data between the primary and DR data centers? Is this done in real time, or daily?
  • If the primary environment is down, how quickly can the DR environment be made active, either in the primary or the DR data center?

6. Identity Management, Security & Single Sign-On

  • What type of identity management solution is provided? (See related post on Identity management)
  • Is Single Sign-On (SSO) provided? What types of SSO options are available? SAML, HTTP-Fed, OAuth etc.?
  • Can the SaaS app be integrated with an existing Identity Management system?
  • What type of user store is available? Can this user store be integrated with Active Directory or any other user store database?
  • What type of user security, authentication and authorization options are available?

7. Standards, Policies, Procedures & Frameworks

  • What architecture and technology standards, policies and procedures do you follow and comply with?
  • What architecture frameworks do you follow? TOGAF?
  • How do you manage the projects internally? Agile, PMP?
  • What type of professional services do you offer to implement and support the SaaS application? What type of PM resources do you have? Skills, experience, certifications etc?

8. Integration, APIs & Reports

  • What type of APIs and web-services are available to pull and push data?
  • Are the APIs secured and encrypted?
  • Is there an option to access the data directly from the database?
  • What type of reports can be generated or created?

9. Support & Maintenance

  • What type of support is provided? Self-service, email, phone?
  • What are the support times? 24×7, 5 days a week?
  • What are the support response times? Critical, Urgent, High & Low issues/requests?
  • Who provides the support desk and where are they located? How many employees are part of the support desk? Dedicated, or shared with projects?
  • Is there a premium support model?
  • What type of monitoring and alerting does the vendor provide?
  • What type of migration and integration support does the vendor provide?
  • Is there a dedicated support manager and account rep?
  • How do you support and manage integration with the customer’s existing SaaS apps?
  • How are upgrades, patches and other maintenance performed?
  • What type of change management & risk management procedures do you follow? How often is this communicated to the customers?
  • Does the customer have any control on applying patches, upgrades and changes to the SaaS app? (this is very important to know especially if the SaaS app is integrated with other SaaS apps).

10. Service Level Agreements (SLAs)

  • What SLAs are available – reliability, availability, performance, issues, requests etc? Penalties?
  • What types of credits are available if SLAs are not met?
  • Are the terms & conditions of the contract tied to the SLAs?
  • Is the exit strategy tied to the SLAs?
  • Is there a regular meeting (monthly/quarterly) to review the SLAs, issues, requests?
  • Who will be part of the SLAs meetings?
  • How are issues escalated if the SLAs are not met? Who can we escalate to in the management team?

11. Vendor Management, Product Road-map & Viability

  • Who is the management? What is their experience?
  • Is it funded by a VC firm? Who is it?
  • What are their financials? How many customers do they have?
  • What is the organization structure? How many employees? Where are they located?
  • How many employees are there in the product development & support team?
  • What is their product road-map and strategy?
  • How are they managing their product strategy? Competition, Market, Positioning, Customer requirements? How is this communicated and how often?
  • How do they accommodate customer requirements into their product strategy? Is there a customer advisory council?
  • Do you provide a trial or proof of concept for your product including new features?

12. Pricing & Contract

  • After reviewing the above 11 items, the prices may differ from your initial analysis/requirements (this always happened in my case!). Understanding the true pricing is very important.
  • What is included and excluded in the pricing? Will you charge for new product features?
  • Are you open to contract negotiations that meet the company legal needs & requirements?
  • What is the minimum contract period? Are there any discounts for long-term contract? Is there an option to exit during the contract and what are the terms & conditions, penalties?
  • See sample SaaS legal addendum

By doing the above, IT can be a valuable partner to the business in evaluating, selecting and implementing SaaS or Cloud based applications.
