3. Complete App Access Lifecycle Management
When a user is new to the organization or takes on a different role within the company, an IDaaS solution should make it easy — and automatic — for you to provision users to cloud or on-premises apps with automated account creation, role-based license and authorization management, single sign-on, mobile app client management and automated account deprovisioning. This automation frees up your precious few IT resources and empowers the user to be productive sooner than through existing and often manual onboarding checklists.
Full app access lifecycle management offers key benefits, enabling IT organizations to save time and money by automatically creating user accounts across cloud apps for new employees. Provisioning can eliminate helpdesk calls by allowing you to deploy the right apps — with the right access — the very first time. Provisioning eliminates any follow-on tasks by IT for enabling the user, and also eliminates user confusion. Automatic identity federation provides single sign-on to those apps, without requiring multiple passwords that can be easily lost, stolen or forgotten. Role-based licensing and authorization management for key apps such as Office 365, Salesforce, Box, and more further reduces your IT burden and allows you to quickly get users productive. The same capabilities make it possible to offboard users automatically (disabling a user or removing a user from a group triggers account deprovisioning), ensuring security and compliance by removing access immediately, removing mobile client apps and their data, instantly deactivating app accounts, and freeing up app licenses.
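The lifecycle described above is, at its core, a reconciliation loop: directory group membership is the source of truth, and each run derives the accounts, entitlements and licenses every app should hold and emits the create, update, enable or disable actions needed to get there. The following is an added illustration (not code from the guide or from any vendor product); the role map, user names, apps and license pools are constructed sample data, and a real connector layer would execute the returned actions against each application.

```python
"""Added example: a minimal joiner / mover / leaver reconciliation loop.

Directory group membership drives what each app should hold. Disabling a
directory user, or dropping them from a group, removes the role behind an
app account, so the next run disables that account and frees its license.
All names, groups, apps and license pools below are constructed samples.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed role map: directory group -> list of (app, entitlement, license pool or None)
ROLE_MAP = {
    "all-staff": [("email", "mailbox", "email-e3")],
    "sales":     [("crm", "sales-user", "crm-standard")],
    "finance":   [("erp", "ap-clerk", "erp-finance"),
                  ("fileshare", "finance-ro", None)],
}


@dataclass
class AppAccount:
    """What a target application currently holds for one user."""
    app: str
    user: str
    entitlements: Set[str] = field(default_factory=set)
    license: Optional[str] = None
    enabled: bool = True


def desired_state(directory: Dict[str, dict]) -> Dict[Tuple[str, str], dict]:
    """Derive the accounts each app should hold from directory group membership.

    directory maps user -> {"enabled": bool, "groups": set of group names}.
    A disabled directory user gets no desired accounts at all, so every
    account they still hold becomes a deprovisioning target.
    """
    want: Dict[Tuple[str, str], dict] = {}
    for user, rec in directory.items():
        if not rec["enabled"]:
            continue
        for group in sorted(rec["groups"]):
            for app, entitlement, license_pool in ROLE_MAP.get(group, []):
                target = want.setdefault((app, user), {"entitlements": set(), "license": None})
                target["entitlements"].add(entitlement)
                if license_pool:
                    target["license"] = license_pool
    return want


def reconcile(directory: Dict[str, dict], accounts: List[AppAccount]):
    """Compare desired state with what the apps actually hold.

    Returns (actions, freed_licenses). Actions are tuples a connector layer
    would execute: ("create", app, user, entitlements, license),
    ("update", app, user, entitlements, license), ("enable", app, user)
    or ("disable", app, user).
    """
    want = desired_state(directory)
    have = {(a.app, a.user): a for a in accounts}
    actions, freed = [], []

    # Joiners and movers: accounts that should exist and match the role map.
    for (app, user), target in sorted(want.items()):
        acct = have.get((app, user))
        ents = tuple(sorted(target["entitlements"]))
        if acct is None:
            actions.append(("create", app, user, ents, target["license"]))
            continue
        if not acct.enabled:
            actions.append(("enable", app, user))
        if set(ents) != acct.entitlements or acct.license != target["license"]:
            actions.append(("update", app, user, ents, target["license"]))

    # Leavers and movers: enabled accounts with no role behind them any more.
    for (app, user), acct in sorted(have.items(), key=lambda kv: kv[0]):
        if (app, user) not in want and acct.enabled:
            actions.append(("disable", app, user))
            if acct.license:
                freed.append((app, acct.license))
    return actions, freed


def sample_run():
    """Constructed scenario: carol joined, bob left, alice moved from finance to sales."""
    directory = {
        "alice": {"enabled": True,  "groups": {"all-staff", "sales"}},
        "bob":   {"enabled": False, "groups": {"all-staff", "finance"}},
        "carol": {"enabled": True,  "groups": {"all-staff"}},
    }
    accounts = [
        AppAccount("email", "alice", {"mailbox"}, "email-e3"),
        AppAccount("crm", "alice", {"sales-user"}, "crm-standard"),
        AppAccount("erp", "alice", {"ap-clerk"}, "erp-finance"),  # left over from finance role
        AppAccount("fileshare", "alice", {"finance-ro"}),
        AppAccount("email", "bob", {"mailbox"}, "email-e3"),
        AppAccount("erp", "bob", {"ap-clerk"}, "erp-finance"),
    ]
    return reconcile(directory, accounts)


if __name__ == "__main__":
    for line in sample_run():
        print(line)
```

Running the sample produces one create for the joiner, four disables (the leaver's two accounts plus the mover's two stale finance accounts) and a list of the licenses those disables release; because the loop is driven by current group membership rather than by tickets, an offboarding is a single directory change, which is the property the guide is describing.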
2. Identity Where You Want It
An IDaaS solution also needs to be flexible, providing robust access to corporate identities managed on-premises (e.g., Active Directory or LDAP), a directory service in the cloud for non-AD users such as partners or customers, and, when appropriate, a hybrid of the on-premises and cloud directories. This is in stark contrast to other startup IDaaS vendors who only allow you to store identity data in their cloud directory. In order to leverage user data stored and managed in Active Directory, they first require that a portion of this data be replicated to their cloud and out of your control.
This cloud-only approach may not appeal to some organizations that — rightly or wrongly — have concerns about losing control of the proverbial keys to the kingdom. Organizations may also have reservations about creating another silo of identity to manage, unique security or privacy concerns, or legitimate concerns about the long-term viability of the vendor.
To enable this “identity where you want it,” a well-engineered IDaaS solution should deliver robust integration with on-premises Active Directory or LDAP, should support cloud-only deployments consisting of non-Active Directory or LDAP-based user identities, as well as a hybrid of Active Directory, LDAP, and/or cloud deployment.
Active Directory support should offer built-in Integrated Windows Authentication (IWA) without separate infrastructure and should automatically load-balance and fail over without any additional infrastructure or configuration. Most importantly, it should not replicate Active Directory data to the cloud where it is out of the organization’s control — even if you choose to manage some of your users via a cloud model.
The diagram below shows the deployment options an IDaaS solution should support. As you can see, this hybrid approach gives you the best of both worlds in terms of flexibility.
1. Single Sign-On
Single Sign-On (SSO) is the ability to log into any app (cloud-based, on-premises, or mobile) every time using a single, federated identity. For consumers this identity can be their social media identity, such as Facebook or Google, while an enterprise identity is typically the user’s Active Directory ID. Without SSO, users need to remember complex passwords for each app. Or worse, they use common or easily remembered (i.e., weak) passwords. For users, the result is a frustratingly fragmented workflow, which can include signing into dozens of different apps during the workday. For IT, the problems of too many passwords, or insecure passwords, are obvious — with a costly data breach ranking at the top among concerns. A properly architected SSO increases both user productivity and corporate app security.
So what should you look for when deploying SSO? At the simplest, a solution should enable you to improve end-user satisfaction and streamline workflows by providing a single identity to access all business apps — whether the apps reside in the cloud, or on-premises behind your firewall. It also needs to unify and deliver access to apps from all end-user platforms — desktops, laptops and mobile devices.
In a properly architected system, once users authenticate by logging in with their enterprise ID (e.g., Active Directory) they should enjoy one-click access to cloud, on-premises or mobile apps. Remote access to on-premises apps should be just as simple as accessing cloud apps, without requiring VPN hardware or client software. This type of SSO — using standards like SAML — will not only reduce user frustration and improve productivity but also enhance security. Federated SSO is better because it does not transmit the user name and password to the app over the network, but instead sends a time-limited and secured token verifying that the user who is attempting access is known and trusted. In addition, by eliminating the use of passwords and their transmission across networks, you can reduce the likelihood of users locking their accounts and calling the helpdesk, eliminate password risks such as non-compliant and user-managed passwords, and make it possible to instantly revoke or change a user’s access to apps without an admin having to reach out to each and every app.
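The security properties claimed for federated SSO above (the app never sees the password; the token is signed, audience-bound and time-limited; access can be revoked centrally) are easiest to see in a small issue/verify exchange. The following is an added illustration, not code from the guide or from any SAML implementation: a real SAML assertion is XML signed with the IdP's X.509 key, whereas this stand-in uses a JSON claim set and an HMAC with a constructed shared key so that it runs offline. The subject, audience URLs, timestamps and revocation list are all constructed sample values.

```python
"""Added example: issue and verify a short-lived, audience-bound, signed
SSO assertion, and show the checks a service provider (SP) applies.

Simplification, labelled as such: HMAC-SHA256 over a JSON claim set stands
in for the XML-DSig signature a real SAML IdP would produce. The shape of
the checks (signature, audience, validity window, revocation) is the point.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed demo key. A real deployment holds an IdP key pair and the SP
# only needs the public half; a shared secret is used here to stay offline.
IDP_KEY = b"constructed-demo-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(subject: str, audience: str, now: int, ttl: int = 300,
                    key: bytes = IDP_KEY) -> str:
    """IdP side: after the user authenticated to the IdP (e.g. via IWA against
    AD), mint an assertion bound to one app and valid for a few minutes.
    No password is placed in the token; only the claim that the IdP
    verified this subject, plus a unique id (jti) for replay tracking."""
    claims = {
        "sub": subject,
        "aud": audience,
        "iat": now,
        "exp": now + ttl,
        "jti": hashlib.sha256(f"{subject}|{audience}|{now}".encode()).hexdigest()[:16],
    }
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_assertion(token: str, expected_audience: str, now: int,
                     revoked=frozenset(), key: bytes = IDP_KEY,
                     skew: int = 60) -> Tuple[Optional[dict], str]:
    """SP side: return (claims, "ok") or (None, reason). The checks run in
    the order a verifier should apply them: signature first, so nothing in
    an unauthenticated body influences later decisions."""
    try:
        body, sig = token.split(".")
        given = _unb64(sig)
    except ValueError:
        return None, "malformed"
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        return None, "bad-signature"
    try:
        claims = json.loads(_unb64(body))
    except ValueError:
        return None, "malformed"
    if claims.get("aud") != expected_audience:
        return None, "wrong-audience"          # token minted for a different app
    if not (claims["iat"] - skew <= now < claims["exp"]):
        return None, "expired"                 # outside the validity window
    if claims["sub"] in revoked:
        return None, "revoked"                 # central revocation, no app-side change
    return claims, "ok"


def tamper_subject(token: str, new_subject: str) -> str:
    """Rewrite the subject claim while keeping the original signature, to
    show that any change to the body invalidates the assertion."""
    body, sig = token.split(".")
    claims = json.loads(_unb64(body))
    claims["sub"] = new_subject
    return f"{_b64(json.dumps(claims, sort_keys=True).encode())}.{sig}"


if __name__ == "__main__":
    now = 1_700_000_000                      # constructed clock value
    tok = issue_assertion("alice@example.com", "https://crm.example.com", now)
    print(verify_assertion(tok, "https://crm.example.com", now + 10)[1])
    print(verify_assertion(tok, "https://crm.example.com", now + 301)[1])
    print(verify_assertion(tok, "https://erp.example.com", now + 10)[1])
    print(verify_assertion(tamper_subject(tok, "admin"), "https://crm.example.com", now + 10)[1])
```

The revocation check is what makes the "instantly revoke access without touching each app" claim concrete: the SP consults the IdP's revocation state (here a set passed in; in practice a lookup against the IdP) on every assertion, so disabling a user at the IdP stops new sign-ins to every federated app at once, and the short `exp` bounds how long an already-issued assertion remains usable.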
(Source: SailPoint Technologies, Inc. Identity and Access Management Buyers Guide)
“We’ve lost visibility and control over applications in the cloud. We’re not even sure about what’s out there.”
As enterprises accelerate their adoption of the cloud, they must cope with the challenges of managing a hybrid IT environment where some applications reside on-premises and some reside in the cloud. Adding to the complexity of this environment, business units are gaining more autonomy to buy and deploy applications — which can often house sensitive, corporate data — without consulting or involving the IT organization.
Signs that your organization is struggling to manage new cloud applications include:
- IT is not fully aware of the mission-critical cloud applications in production across various departments and business units
- Business units are performing their own user administration via spreadsheets and manual updates
- Business units are requesting that IT integrate cloud applications with directories for periodic synchronization
- Business units are purchasing their own identity and access management solutions — without consulting IT or considering what IAM infrastructure is already in place
- IT audit processes, such as access certifications, have not been extended to cover cloud applications
A proper identity and access management solution should help enterprises embrace the cloud while at the same time allowing the IT organization to effectively apply centralized security policy, detect violations and demonstrate full regulatory compliance. Successful IAM solutions will allow you to automate compliance and provisioning processes for cloud applications in the same manner as on-premises applications. At the same time, they should provide end users with convenient access to cloud applications and empower them with single sign-on from any device — at work, at home or on the go with mobile devices.
Check back for blog #5, Reduce the Cost of Managing Access Change
Visit SailPoint Technologies, Inc. here.
Learn more about PathMaker Group IAM MAP here.
By Chris Fields, Vice President of Security Strategy.
All of the predictions around the explosion in the usage of Cloud technologies have finally come true. Many organizations are taking advantage of improvements in technology and reductions in cost and moving their applications off-premise and into shared data centers (a.k.a. the cloud). As cloud adoption has increased, more security and identity and access management functions have become commoditized and moved off-premise as well. Single Sign-On (SSO) and Federation are two pieces that have recently arrived in the cloud with solid vendor options. SSO and Federation are two areas that typically leverage standards-based technology and uniform implementation and integration approaches. These Software-as-a-Service (SaaS) products offer improved speed of deployment, ease of administration, and lower cost of ownership than their on-premise equivalents because they operate in a cookie-cutter fashion that assumes that all SSO and Federation function uniformly.
The problem arises when organizations look at their more advanced IAM functions and discover that their company doesn’t do things the way their peers or competitors do. There is little uniformity across the business processes that have been automated in mature provisioning solutions or with governance and compliance activities. Very few Cloud IAM solutions have tackled these higher functions in a multi-tenant environment with success. What is a company to do?
Many in the industry think that a hybrid model, or a joining of cloud and on-premise systems, is the architecture that will bridge the time until the next advances in technology make advanced configurations in a multi-tenant environment more viable. The hybrid model allows you to take advantage of the low price and ease of use of the cloud while still utilizing the more customizable on-premise IAM applications.
Once you decide that you need to move to a hybrid architecture, there are still a lot of decisions to be made around how the architecture should look. Will the cloud and the on-premise systems be allowed to communicate in real-time over dedicated network connections? Will you use secure API technologies from the cloud to manage identities in the on-premise applications? Would a bridge or proxy be a better decision?
There is no cookie-cutter solution, as every customer scenario is different. PathMaker Group has been working with cloud technologies for years and has the experience and expertise to help guide your architecture decisions, product selection, and implementations from beginning to end.
Who We Are
PathMaker Group is a specialized Security and Identity Management Consultancy, blending core technical and product expertise, consultative know-how, and extensive implementation experience.
635 Fritz Drive
Coppell, TX 75019
1250 Capital of Texas Hwy
Bldg 3, Suite 400
Austin, TX 78746