Though end users might not notice a difference between systems and applications hosted on-site or in the cloud at their organization, administrators who manage them often have to do so quite differently. Each solution has different requirements pertaining to security, and access and authentication management. System admins want to be able to easily manage user rights, as well as authentication, but it can often be difficult with different types of applications. Because of the different requirements amongst on-premise and cloud applications, solutions that work with them often must be different.
So how are they the same, how do they differ and how can system admins easily manage on-site and cloud applications? Let’s take a look.
When it comes to access management, whether it be in the cloud or self-hosted, managing user accounts and access manually can be a burden. Think of how time consuming this task can be for an organization of a few hundred then add in the fact that large organization often hire outside temps, who need quick access put in place, as well as revoked. Additionally, it is important that access rights are correct so that each employee only has access to resources they need to perform their jobs. When it comes to cloud and in-house systems, an identity governance and administration (IGA) solution can be used to easily handle the access management task. Both types of applications can easily be managed by a single IGA solution.
How is this done? An IGA solution allows for automated user provisioning to synchronize user account information between the HR system (for example, SAP or PeopleSoft, and the network). A change in the HR system is detected by the IGA solution and is then automatically implemented in the network and any connected systems.
(RBCA Matrix Image Source: itsecurityideas.blogspot.com)
Additionally, the source system can be utilized in conjunction with a role-based access control (RBAC) matrix to determine employment status along with the employee’s title, department and location. The RBAC matrix can then determines what applications and data they should be granted rights to, so that it can be ensured that employee access is correct when their account is created. In the case of a terminated status, an admin simply disables the employee in the source system and all access will be revoked. So, when an employee joins an organization it is ensured that they received the correct access from the start.
Even further, a workflow management module can be utilized to administer all requested changes to the network and cloud applications. A self-service portal is established where all users are directed to make requests for new and enhanced requests. Once the end user processes the request, it is routed to the appropriate manager and systems owner for approval. Only after the user gets correct approval will the change then be made.
When it comes to authentication management, solutions such as single sign-on (SSO) have to be treated differently for on-site and cloud applications. Often, many companies use a SSO solution to allow end users to be more productive and not need to remember eight, or more, sets of credentials. While this type of solution can be beneficial, SSO for in house compared to cloud solutions is different.
For cloud applications, a web SSO solution should be used. A web portal is created that contains icons or shortcuts to all of the organization’s authorized web applications. Users log into this portal with their standard network credentials and are easily and securely validated for all of these applications. Web SSO solutions provide the greatest benefit for an organization where the majority of applications are cloud based and the user’s access data from personal devices.
One of the downsides to web SSO, however, is that it is typically limited in functionality, since it only works with cloud-based applications and those that comply with one of the industry standards, such as SAML, OAuth or OpenID. Communicating with legacy apps, or those that have not adopted one of these standards, requires a more traditional or enterprise-level solution. For these situations, an enterprise SSO would generally be utilized. Enterprise SSO products typically require a plugin to authenticate back to a directory service, such as Active Directory, to capture the credentials of a user in a secure database rather than using an identity provider. These types of solutions have been available for many years and are widely implemented in locations where the vast majority of user’s access On-Premises applications from a computer attached to the company network.
Overall, both on-site and cloud applications can easily be managed with identity and access governance solutions. Though some require different methods or add-ons, access and authentication can both be automated and managed in each with simple solutions.
By Dean Wiech