The Lighter Side Of The Cloud – The iCloud
The Lighter Side Of The Cloud – Falling Behind
The Lighter Side Of The Cloud – The Restroom
The Lighter Side Of The Cloud: Someday
The Lighter Side Of The Cloud – Techwear
Identity And Access Management From The SaaS Application Perspective

Identity And Access Management From The SaaS Application Perspective

Identity And Access Management From The SaaS Application Perspective

Software-as-a-Service (SaaS) has taken the enterprise by storm as the go-to delivery model for applications, and the cloud service is here to stay…for better or worse. Enterprises look to its benefits including dramatic cost savings, app availability from anywhere, and seamless updates and upgrades pushed to users from the SaaS provider.

There’s certainly no trepidation surrounding the benefits that the cloud rains down on enterprises, but what makes CISOs uneasy about SaaS delivery of apps is the lack of control and visibility into who has access to them while floating around in the cloud. Enterprises can obviously call the shots when data and apps are stored on-premise, but the fear of data breaches is amped up when applications and data, and who controls the access to them, is out of the hands of the enterprise and in the hands of the SaaS provider.   data-breaches

So what should a SaaS application developer or provider do so enterprises can govern their identity and access issues effectively? There are three key Identity and Access Management (IAM) areas that deserve close attention.

Authentication

SaaS apps can take several routes for authenticating users. The first is independent authentication with a private user directory and independent user account management. This is a poor choice because it forces the SaaS application to manage passwords and forces users to remember separate credentials for the SaaS app.  In addition, from an enterprise perspective, supporting joiners, movers and leavers (who’s moving in and out of your organization) here becomes difficult.

A variant of the independent option is internal authentication with a private user directory synched to an external user repository, usually Active Directory. While this approach may seem to be fine for a single application, as the number of applications scales, IT administrators have trouble managing the synching, and the risk of a breach goes up significantly when credentials are transmitted outside the perimeter.

The ideal authentication setup for a SaaS app is token-based authentication and SSO based on directory federation. SAML (Secure Access Markup Language) tokens issued by corporate identity providers fit the bill perfectly. Why? A single corporate username and password enables access across multiple SaaS applications. The process is intelligent, too, because user attributes relevant to authorization can be delivered in the token, and “just-in-time” provisioning (automated account setup for a first-visit user) can be supported.  While this approach requires the management of trust relationships between individual enterprises and the SaaS application in question, and at least basic user account management, the headaches of syncing and having hundreds of passwords are off the table here.

Entitlements

So your users have been authenticated to your SaaS apps. That’s the easy part, but effective management of entitlements – what your users can do within those apps at a fine-grained, nitty-gritty level, is far more difficult.

Most SaaS applications come with their own entitlement model, with internal administration of entitlement policies and an application-specific user interface for defining who gets what entitlements within the application. From an application developer’s perspective, this approach seems convenient, but in reality, it provides poor support for enterprise identity and access lifecycle management and compliance.  Setting up joiners and movers or de-provisioning leavers requires manual intervention, and tracking “who has access to what” often means the creation of application-specific reports.

The best option here is for SaaS applications to support an entitlement model that includes pre-defined application roles, and an API that supports the collection of current user-role and user-entitlement bindings as well as the provisioning or de-provisioning of user-to-role and user-to-entitlement bindings.  With this approach, administering user-to-role policies is done by each enterprise outside of the SaaS application, while the runtime authorization enforcement based on provisioned user bindings or user attributes is done within the SaaS application. Leaving policy administration out of the application and up to the enterprise makes change management and compliance much easier.

The benefit of having application roles is that it’s far easier to track and change user access to SaaS apps when each application’s access can be described in terms of tens of application roles and a few out-of-role entitlements, versus  thousands of entitlements.

It’s likely that a standards-based protocol will emerge someday for the API referenced above, but SPML (Secure Provisioning Markup Language) fell short, and SCIM (Simple Cloud Identity Management), while useful for account and user profile provisioning, doesn’t help with entitlements.

Auditing

Your users have been authenticated and can wield the power they’ve been given by individual application roles and entitlements within SaaS applications. But are you taking notes on every move they make within your organization? Probably not!  Automated logging of user activity for each SaaS app is crucial to both the audit trail needed when the auditor comes knocking and the real-time alerting required by enterprise SOCs (security operations centers). If a subset of the application roles and entitlements for a SaaS app is considered sensitive or privileged, it is up to the SaaS application developer and provider to ensure that the use of this privileged access can be closely and continuously scrutinized.

It is important to note that mobile and cloud computing is causing the Identity and Access Management industry to adopt new models and consider new standards.  OpenID Connect and OAuth, for example, are very promising standards, but SaaS applications targeted for broad-based enterprise use can’t rely exclusively on them today.

While SaaS applications, being outside the perimeter, aren’t inherently ideal for meeting enterprise identity and access lifecycle management and compliance initiatives, SaaS app developers and providers should look to these areas as the first action items when rolling out cloud-based applications across the enterprise.

By Deepak Taneja,

Contributor Deepak Taneja is Founder and CTO of Aveksa, provider of the industry’s most comprehensive Business-Driven Identity and Access Management platform.  By uniquely integrating Identity and Access Governance, Provisioning and Authentication, Aveksa enables enterprises to manage the complete lifecycle of user access for SaaS and On-premise applications and data.  Learn more at www.aveksa.com.

Follow Us!

CloudTweaks

Established in 2009, CloudTweaks.com is recognized as one of the leading authorities in cloud computing information. Most of the excellent CloudTweaks articles are provided by our own paid writers, with a small percentage provided by guest authors from around the globe, including CEOs, CIOs, Technology bloggers and Cloud enthusiasts. Our goal is to continue to build a growing community offering the best in-depth articles, interviews, event listings, whitepapers, infographics and much more...
Follow Us!

Sorry, comments are closed for this post.

Recent

Mobile Connectivity Rises – 24 Billion Networked Devices By 2019

Mobile Connectivity Rises – 24 Billion Networked Devices By 2019

Mobile Connectivity Rises Mobile Technologies such as BYOD, Wearable Technology and Internet of Things are the cornerstone to strong cloud computing adoption and will continue to be the case as the number of connected devices continue to climb. In May 2015, Cisco released the complete VNI Global IP Traffic Forecast, 2014 – 2019. Global highlights…

9 Pitfalls of Providing Cloud-Based Online Government Services

9 Pitfalls of Providing Cloud-Based Online Government Services

Cloud-Based Online Government Services Pitfalls When the US government designed the Affordable Care Act, a key part of the program was to encourage enrollment through the Healthcare.gov website. This online service was supposed to make it easier for citizens to learn about the ACA, compare their health insurance options, and take full advantage of this…

IOT, Intelligent Sensors, And The Change That Is Coming…

IOT, Intelligent Sensors, And The Change That Is Coming…

Intelligent Sensors And The Future What is or isn’t connected: In the end, that is the internet of things. They, the things, represent stuff that has been around for the past 30 years. It was only recently that we have developed a way to consistently connect those devices. Despite the increasing awareness of IoT, it…

Popular Archives

The Industries That The Cloud Will Change The Most

The Industries That The Cloud Will Change The Most

The Industries That The Cloud Will Change The Most Cloud computing is rapidly revolutionizing the way we do business. Instead of being a blurry buzzword, it has become a facet of everyday life. Most people may not quite understand how the cloud works, but electricity is quite difficult to fathom as well. Anyway, regardless of…

Cloud Infographic – Guide To Small Business Cloud Computing

Cloud Infographic – Guide To Small Business Cloud Computing

Small Business Cloud Computing Trepidation is inherently attached to anything that involves change and especially if it involves new technologies. SMBs are incredibly vulnerable to this fear and rightfully so. The wrong security breach can incapacitate a small startup for good whereas larger enterprises can reboot their operations due to the financial stability of shareholders. Gordon Tan contributed an…

Sponsors

The Many Hats Of Today’s IT Managers

The Many Hats Of Today’s IT Managers

The Many Hats of IT Managers In years past, the IT department of most large organizations was much like a version of Middle Earth: a mysterious nether world where people who seemed infinitely smarter than the rest of us bustled around, speaking and typing languages that appeared indecipherable, yet, which made our world work. They…

Selling Your Business To Your Employees

Selling Your Business To Your Employees

Mobility For Your Employees It may seem a radical notion, the idea of selling your business to the people who work for you, but this is the era in which we now work. Employees of all levels are all incredibly aware of their options when it comes to mobility and employability. This doesn’t mean that…

Established in 2009

CloudTweaks is recognized as one of the leading influencers in cloud computing, big data and internet of things (IoT) information. Our goal is to continue to build our growing information portal, by providing the best in-depth articles, interviews, event listings, whitepapers, infographics and much more.

CloudTweaks Comic Library

Advertising