Identity And Access Management From The SaaS Application Perspective

The SaaS Application Perspective

Software-as-a-Service (SaaS) has taken the enterprise by storm as the go-to delivery model for applications, and the cloud service is here to stay…for better or worse. Enterprises look to its benefits including dramatic cost savings, app availability from anywhere, and seamless updates and upgrades pushed to users from the SaaS provider.

There’s certainly no trepidation surrounding the benefits that the cloud rains down on enterprises, but what makes CISOs uneasy about SaaS delivery of apps is the lack of control and visibility into who has access to them while they float around in the cloud. Enterprises can obviously call the shots when data and apps are stored on-premises, but the fear of data breaches is amped up when applications and data, and control over who has access to them, are out of the hands of the enterprise and in the hands of the SaaS provider.

So what should a SaaS application developer or provider do so enterprises can govern their identity and access issues effectively? There are three key Identity and Access Management (IAM) areas that deserve close attention.

Authentication

SaaS apps can take several routes for authenticating users. The first is independent authentication with a private user directory and independent user account management. This is a poor choice because it makes the SaaS application responsible for storing and managing passwords and forces users to remember a separate set of credentials for the SaaS app. In addition, from an enterprise perspective, supporting joiners, movers and leavers (who’s moving in and out of your organization) becomes difficult here.

A variant of the independent option is internal authentication with a private user directory synced to an external user repository, usually Active Directory. While this approach may seem fine for a single application, as the number of applications scales, IT administrators have trouble managing the syncing, and the risk of a breach goes up significantly when credentials are transmitted outside the perimeter.

The ideal authentication setup for a SaaS app is token-based authentication and SSO based on directory federation. SAML (Security Assertion Markup Language) tokens issued by corporate identity providers fit the bill perfectly. Why? A single corporate username and password enables access across multiple SaaS applications. The process is intelligent, too, because user attributes relevant to authorization can be delivered in the token, and “just-in-time” provisioning (automated account setup for a first-visit user) can be supported. While this approach requires the management of trust relationships between individual enterprises and the SaaS application in question, and at least basic user account management, the headaches of syncing and of having hundreds of passwords are off the table here.

Entitlements

So your users have been authenticated to your SaaS apps. That’s the easy part, but effective management of entitlements – what your users can do within those apps at a fine-grained, nitty-gritty level – is far more difficult.

Most SaaS applications come with their own entitlement model, with internal administration of entitlement policies and an application-specific user interface for defining who gets what entitlements within the application. From an application developer’s perspective, this approach seems convenient, but in reality, it provides poor support for enterprise identity and access lifecycle management and compliance. Setting up joiners and movers or de-provisioning leavers requires manual intervention, and tracking “who has access to what” often means the creation of application-specific reports.

The best option here is for SaaS applications to support an entitlement model that includes pre-defined application roles, and an API that supports the collection of current user-role and user-entitlement bindings as well as the provisioning or de-provisioning of user-to-role and user-to-entitlement bindings. With this approach, administering user-to-role policies is done by each enterprise outside of the SaaS application, while the runtime authorization enforcement based on provisioned user bindings or user attributes is done within the SaaS application. Leaving policy administration out of the application and up to the enterprise makes change management and compliance much easier.

The benefit of having application roles is that it’s far easier to track and change user access to SaaS apps when each application’s access can be described in terms of tens of application roles and a few out-of-role entitlements, versus thousands of entitlements.

It’s likely that a standards-based protocol will emerge someday for the API referenced above, but SPML (Service Provisioning Markup Language) fell short, and SCIM (Simple Cloud Identity Management), while useful for account and user profile provisioning, doesn’t help with entitlements.

Auditing

Your users have been authenticated and can wield the power they’ve been given by individual application roles and entitlements within SaaS applications. But are you taking notes on every move they make within your organization? Probably not! Automated logging of user activity for each SaaS app is crucial to both the audit trail needed when the auditor comes knocking and the real-time alerting required by enterprise SOCs (security operations centers). If a subset of the application roles and entitlements for a SaaS app is considered sensitive or privileged, it is up to the SaaS application developer and provider to ensure that the use of this privileged access can be closely and continuously scrutinized.
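The entitlement model and binding API described under Entitlements, together with the audit trail this section asks for, as one added example (not code from the article or from Aveksa): a handful of pre-defined roles bundle the underlying entitlements, the enterprise’s IAM system drives the bind/deprovision/bindings calls, the app enforces at runtime, and every decision is logged with privileged actions flagged for the SOC. Role names, entitlement names and users are constructed for illustration.

```python
# Added example, not code from the article: pre-defined application roles, a
# provisioning API for user-to-role and user-to-entitlement bindings (driven by
# the enterprise), runtime enforcement inside the SaaS app, and an audit log that
# flags privileged use. Roles, entitlements and users are constructed.
# Tens of roles stand in for the thousands of entitlements they bundle.
ROLE_ENTITLEMENTS = {
    "ap-clerk":    {"invoice:read", "invoice:create"},
    "ap-approver": {"invoice:read", "invoice:approve", "payment:release"},
    "app-admin":   {"user:manage", "role:assign", "config:write"},
}
PRIVILEGED = {"payment:release", "user:manage", "role:assign", "config:write"}
ALL_ENTITLEMENTS = set().union(*ROLE_ENTITLEMENTS.values())

class EntitlementStore:
    def __init__(self):
        self.user_roles, self.user_extra, self.audit_log = {}, {}, []

    # Provisioning API: policy administration stays with the enterprise's IAM system.
    def bind(self, user, name, actor):
        """Bind a user to a pre-defined role, or to a single out-of-role entitlement."""
        if name not in ROLE_ENTITLEMENTS and name not in ALL_ENTITLEMENTS:
            raise KeyError(f"unknown role or entitlement {name}")
        bucket = self.user_roles if name in ROLE_ENTITLEMENTS else self.user_extra
        bucket.setdefault(user, set()).add(name)
        self._audit(actor, "role:assign", True, f"{user}:{name}")

    def deprovision(self, user, actor):              # leaver: drop every binding at once
        for bucket in (self.user_roles, self.user_extra):
            bucket.pop(user, None)
        self._audit(actor, "user:manage", True, user)

    def bindings(self):                              # "who has access to what" for review
        return {u: {"roles": sorted(self.user_roles.get(u, ())),
                    "entitlements": sorted(self.effective(u))}
                for u in set(self.user_roles) | set(self.user_extra)}

    # Runtime enforcement: every decision is logged and privileged ones flagged.
    def effective(self, user):
        ents = set(self.user_extra.get(user, ()))
        for role in self.user_roles.get(user, ()):
            ents |= ROLE_ENTITLEMENTS[role]
        return ents

    def authorize(self, user, ent, target=""):
        allowed = ent in self.effective(user)
        self._audit(user, ent, allowed, target)
        return allowed

    def _audit(self, actor, action, allowed, target):
        self.audit_log.append({"actor": actor, "action": action, "target": target,
                               "allowed": allowed, "privileged": action in PRIVILEGED})

    def privileged_events(self):                     # feed for SOC real-time alerting
        return [e for e in self.audit_log if e["privileged"]]
```

Denied attempts at privileged entitlements land in the same feed as successful ones, which is the signal a SOC wants when someone probes beyond the role they were provisioned.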

It is important to note that mobile and cloud computing are causing the Identity and Access Management industry to adopt new models and consider new standards. OpenID Connect and OAuth, for example, are very promising standards, but SaaS applications targeted for broad-based enterprise use can’t rely exclusively on them today.

While SaaS applications, being outside the perimeter, aren’t inherently ideal for meeting enterprise identity and access lifecycle management and compliance initiatives, SaaS app developers and providers should look to these areas as the first action items when rolling out cloud-based applications across the enterprise.

By Deepak Taneja, Contributor

Deepak Taneja is Founder and CTO of Aveksa, provider of the industry’s most comprehensive Business-Driven Identity and Access Management platform. By uniquely integrating Identity and Access Governance, Provisioning and Authentication, Aveksa enables enterprises to manage the complete lifecycle of user access for SaaS and on-premise applications and data. Learn more at www.aveksa.com.
