Top Six Things to Consider with an Identity-as-a-Service (IDaaS) Solution – Blog 3 of 6

Centrify Logo3. Complete App Access Lifecycle Management

When a user is new to the organization or takes on a different role within the company, an IDaaS solution should make it easy — and automatic — for you to provision users to cloud or on-premises apps with automated account creation, role-based license and authorization management, single sign-on, mobile app client management and automated account deprovisioning. This automation frees up your precious few IT resources and empowers the user to be productive sooner than through existing and often manual onboarding checklists.

Full app access lifecycle management offers key benefits, enabling IT organizations to save time and money by automatically creating user accounts across cloud apps for new employees. Provisioning can eliminate helpdesk calls by allowing you to deploy the right apps — with the right access — the very first time. Provisioning eliminates any follow-on tasks by IT for enabling the user, and also eliminates user confusion. Automatic identity federation provides single sign-on to those apps, without requiring multiple passwords that can be easily lost, stolen or forgotten. Role-based licensing and authorization management for key apps such as Office 365, Salesforce, Box, and more further reduces your IT burden and allows you to quickly get users productive. The same capabilities make it possible to offboard users automatically (disabling or removing users from a group triggers user account de-provisioning) ensuring security and compliance by removing access immediately, removing mobile client apps and their data, instantly deactivating app accounts, and freeing up app licenses.

Centrify manages the complete lifecycle for
app access including account provisioning,
federation for SSO, mobile app management,
centralized visibility and complete deprovisioning
when the users changes roles

Top Six Things to Consider with an Identity-as-a-Service (IDaaS) Solution – Blog 2 of 6

2. Identity Where You Want It

An IDaaS solution also needs to be flexible, providing robust access to corporate identities managed on-premises (e.g., Active Directory or LDAP), a directory service in the cloud for non-AD users such as partners or customers, and when appropriate, a hybrid of the on-premisesand cloud directories. This is in stark contrast to other startup IDaaS vendors who only allowyou to store identity data in their cloud directory. In order to leverage user data stored andmanaged in Active Directory, they first require that a portion of this data be replicated to their cloud and out of your control.

This cloud-only approach may not appeal to some organizations that — rightly or wrongly —
have concerns about losing control of the proverbial keys to the kingdom. Organizations may
also have reservations of creating another silo of identity to manage, unique security or privacy
concerns, or legitimate concerns about the long-term viability of the vendor.

To enable this “identity where you want it,” a well-engineered IDaaS solution should deliver
robust integration with on-premises Active Directory or LDAP, should support cloud-only
deployments consisting of non-Active Directory or LDAP -based user identities, as well as a
hybrid of Active Directory, LDAP, and / or cloud deployment.

Active Directory support should offer built-in integrated windows authentication (IWA) without
separate infrastructure and should automatically load balance and failover without any
additional infrastructure or configuration. Most importantly, it should not replicate Active
Directory data to the cloud where it is out of the organization’s control — even if you choose to
manage some of your users via a cloud model.

The diagram below shows the deployment options an IDaaS solution should support. As you
can see, this hybrid approach gives you the best of both worlds in terms of flexibility.

Contact Us for more information on your IDaaS or Centrify Solutions. 

Top Six Things to Consider with an IDaas Solution – Blog 1 of 6

1. Single Sign-On

Single Sign-On (SSO) is the ability to log into an app (cloud-based, on premises, or mobile app)
every time using a single/federated identity. For consumers this identity can be their social
media identity, such as Facebook or Google, while an enterprise identity is typically the user’s
Active Directory ID. Without SSO, users need to remember complex passwords for each app.
Or worse, they use common or easily remembered (i.e. weak) passwords. For users, the result
is a frustratingly fragmented workflow, which can include signing into dozens of different apps
during the workday. For IT, the problems of too many passwords, or insecure passwords, are
obvious—with a costly data breach ranking at the top among concerns. A properly architected
SSO increases both user productivity and corporate app security.
So what should you look for when deploying SSO? At the simplest, a solution should enable
you to improve end-user satisfaction and streamline workflows by providing a single identity
to access all business apps — whether the apps reside in the cloud, or on-premises behind
your firewall. It also needs to unify and deliver access to apps from all end-user platforms—
desktops, laptops and mobile devices.
In a properly architected system, once users authenticate by logging in with their enterprise ID
(e.g., Active Directory) they should enjoy one-click access to cloud, on-premises or mobile apps.
Remote access to on-premises apps should be just as simple as accessing cloud apps: without
requiring VPN hardware or client software. This type of SSO — using standards like SAML — will
not only reduce user frustration and improve productivity but also enhance security. Federated
SSO is better because it does not transmit the user name and password to the app over the
network, but instead sends a time-limited and secured token verifying that the user who
is attempting access is known and trusted. In addition, by eliminating the use of passwords
and their transmission across networks, you can reduce the likelihood of users locking their
accounts and calling the helpdesk, eliminate password risks such as non-compliant and usermanaged passwords, and make it possible to instantly revoke or change a user’s access to apps
without an admin having to reach out to each and every app.

Contact Us for more information on your IDaaS or Centrify Solutions.

 

Start With The End In MInd: Blog #4 – Manage Access Across On-premises and Cloud Applications

(Source: SailPoint Technologies, Inc. Identity and Access Management Buyers Guide)

“We’ve lost visibility and control over applications in the cloud. We’re not even sure about what’s out there.”

As enterprises accelerate their adoption of the cloud, they must cope with the challenges of managing a hybrid IT environment where some applications reside on-premises and some reside in the cloud. Adding to the complexity of this environment, business units are gaining more autonomy to buy and deploy applications — which can often house sensitive, corporate data — without consulting or involving the IT organization.

Signs that your organization is struggling to manage new cloud applications include:

  • IT is not fully aware of the mission-critical cloud applications in production across various departments and business units
  • Business units are performing their own user administration via spreadsheets and manual updates
  • Business units are requesting that IT integrate cloud applications with directories for periodic synchronization
  • Business units are purchasing their own identity and access management solutions — without consulting IT or considering what IAM infrastructure is already in place
  • IT audit processes, such as access certifications, have not been extended to cover cloud applications

A proper identity and access management solution should help enterprises embrace the cloud while at the same time allowing the IT organization to effectively apply centralized security policy, detect violations and demonstrate full regulatory compliance. Successful IAM solutions will allow you to automate compliance and provisioning processes for cloud applications in the same manner as on-premises applications. At the same time, it should provide end users with convenient access to cloud applications and empower them with single sign-on from any device — at work, home or on the go with mobile devices.

Check back for blog #5, Reduce the Cost of Managing Access Change

Visit SailPoint Technologies, Inc. here.

Learn more about PathMaker Group IAM MAP here.