White. Paper. Enterprises Need Hybrid SSO Solutions to Bridge Internal IT and SaaS. January 2013

Transcription

1 White Paper Enterprises Need Hybrid SSO Solutions to Bridge Internal IT and SaaS By Jon Oltsik, Senior Principal Analyst January 2013 This ESG White Paper was commissioned by McAfee. and is distributed under license from ESG by The Enterprise Strategy Group, Inc. All Rights Reserved

2 White Paper: Enterprises Need Hybrid SSO Solutions to Bridge Internal IT and SaaS 2 Contents Executive Summary...3 SaaS Is Well Established in the Enterprise...3 SaaS Presents Challenges for User Management... 4 Large Organizations Need an IAM Bridge for SaaS...5 SSO: On-premises or On-demand?...6 The Bigger Truth...8 All trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are subject to change from time to time. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of the Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact ESG Client Relations at

3 White Paper: Enterprises Need Hybrid SSO Solutions to Bridge Internal IT and SaaS 3 Executive Summary For the past several years the IT industry has been buzzing about cloud computing, yet most organizations continue to maintain a cautious plan for Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) use. At the same time however, enterprises are rapidly embracing SaaS applications as replacements for in-house systems or for supporting and automating business processes. While far from perfect, SaaS applications such as Salesforce.com, Google apps, and box.com are helping organizations cut cost, improve communications, and improve efficiency. As promising as these benefits are, however, SaaS can carry a fundamental problem because it circumvents time-tested internal IT processes and controls such as Identity and Access Management (IAM). This white paper concludes: SaaS introduces a layer of management complexity. Bringing SaaS into corporate governance conformance can introduce unwelcome manual processes or new technical integration. This is especially true with Identity and Access Management (IAM) tasks such as provisioning user accounts, managing passwords, and monitoring user behavior. Large organizations need an IAM bridge. Integrating with SaaS on an application-by-application basis can t scale as enterprises deploy more SaaS applications. To bridge this gap, large organizations need IAM tools that centralize internal and SaaS-based user administration, authentication, and monitoring/reporting. These tools should also provide flexible methods for SaaS connectivity. SSO solutions to the rescue? A number of SSO products and services have the potential to act as a nexus for internal and SaaS-based IAM needs. Unfortunately, many organizations find it difficult to choose between on-premises products and on-demand services as neither is a perfect match for their needs. This has led to market confusion and delays in SSO implementation in some cases. Enterprise organizations would benefit from hybrid solutions. Large, geographically dispersed organizations will find use cases for SSO products and services in various business units and locations. Given this, they will benefit most from a hybrid SSO architecture of tightly integrated products and services that integrate into the existing IAM infrastructure, provide flexible options for SaaS integration, and offer common management across product and service deployment. SaaS Is Well Established in the Enterprise Cloud computing can be a controversial topic where opinions range from the future of IT to pure hyperbole. However, this polarization does not apply to one of the variants of cloud computing, Software-as-a-Service (SaaS). According to ESG research, 46% of large midmarket (i.e., 500 to 999 employees) and enterprise (i.e., more than 1,000 employees) organizations already use SaaS services today. Another 17% of organizations plan to use SaaS services in the future and 21% of firms have no concrete plans but are interested in purchasing SaaS services in the future. 1 ESG research indicates that organizations are consuming a wide range of SaaS services led by CRM, , human resources, and project management (see Figure 1). 2 Why are these firms turning to SaaS? Business managers like the flexibility, choices, and instant access offered by SaaS offerings while CIOs are happy to eliminate capital and operating costs. Growth in BYOD and mobile computing is also driving more and more SaaS consideration and implementation. 1 Source: ESG Research Report, 2012 Public Cloud Computing Trends, March Source: Ibid.

4 White Paper: Enterprises Need Hybrid SSO Solutions to Bridge Internal IT and SaaS 4 Figure 1. SaaS Applications Deployed What specific applications has your organization currently deployed via a SaaS model? (Percent of respondents, N=283, multiple responses accepted) CRM (Customer Relationship Management) Human resources Project management Internet / marketing Security (anti-spam, anti-virus, etc.) Sales force automation Industry-specific applications Content management / document management Data protection (backup and recovery, data Collaboration / file sharing Accounting / financial Business analytics Legal (e-discovery, case management, etc.) 11% 36% 35% 31% 28% 28% 27% 25% 24% 24% 24% 23% 22% 20% 0% 10% 20% 30% 40% SaaS Presents Challenges for User Management Source: Enterprise Strategy Group, Given the pace of implementation, it seems clear that SaaS is delivering strong business and IT benefits. In spite of these positive results, however, SaaS implementation and management challenges remain, especially with regard to IAM. For example: Business managers need to align SaaS with governance and regulatory compliance. While SaaS applications offload IT costs, they also limit management oversight and visibility. This can present a problem for regulated organizations that need to manage and audit role definition, separation of duties, and access controls. Yes, many SaaS vendors provide administration portals and data feeds for ease of use, but each SaaS provider tends to have its own proprietary tools for monitoring, reporting, and auditing. This forces organizations to manage and audit regulatory compliance activities of a growing number of individual SaaS reports. This creates operations overhead and can lead to more frequent human error. Users struggle with a multitude of authentication methods and credentials. Unfortunately, employees are forced to create a new username and password for each new SaaS application. To manage this situation, many users simply use the same username and password across a multitude of SaaS applications, creating a security vulnerability. Some firms address this situation by demanding strong passwords and active password management for SaaS but this can be counterproductive. Many security researchers find that these strategies alienate employees, compromise user productivity, or force them to write down and display each username/password combination near their desktops. All of these situations limit the value and security of SaaS. User administration becomes an IT nightmare. IAM activities such as provisioning/de-provisioning user accounts, strong authentication, and single sign-on are difficult enough within the enterprise. The addition of SaaS increases IAM complexity further by introducing a host of new applications with minimal control and oversight. Integration with internal tools is possible but can be complex and time consuming.

5 White Paper: Enterprises Need Hybrid SSO Solutions to Bridge Internal IT and SaaS 5 Ironically, the SaaS model strength is also its weakness in this case. Since SaaS is independent of internal IT options, it can provide great opportunities for flexibility, business process enablement, and cost control. At the same time however, this independence means that user accounts and activity monitoring spans across multiple internal and external IT departments, each with its own methodology for user management and reporting. This can only lead to operations overhead, security vulnerabilities, and user productivity issues. Large Organizations Need an IAM Bridge for SaaS ESG believes that the situation described above has reached a tipping point. Large organizations are increasingly turning to SaaS solutions, resulting in user management difficulties and additional IT risk. This Faustian compromise is simply unsustainable. So what s needed? Rather than attempt to perform user management on a SaaS-by-SaaS basis, large organizations need a bridge that centralizes: User lifecycle management. Internal IT must have the ability to provision, de-provision, and change user accounts (i.e., change user role, group, password, etc.) for all SaaS applications from a central console. To minimize redundant operations, these administrative activities must be tightly integrated with existing user repositories such as Active Directory. Authentication controls. User authentication into SaaS applications demands flexible options. IT administrators need the ability to enforce strong password management, leverage existing multi-factor authentication technologies, or seamlessly tie into SaaS-based authentication methods while remaining transparent to user activities. SaaS connectivity. IT managers need tools for single sign-on (SSO) connectivity to disparate SaaS applications. Since these connections will vary, SSO technology must support federated ID standards such as SAML tokens and provide native connectors for proprietary sign-on techniques such as shared secrets. The best SSO tools will also provide form-based authentication for connections with elementary SaaS applications lacking technical integration points. Monitoring, reporting, and auditing. Collecting and analyzing user activity is essential for risk management, compliance, and incident detection/response. Unfortunately, ESG research indicates that the ability to track user behavior for security analysis is an area of weakness at many organizations (see Figure 2). 3 To address this shortcoming, IAM technologies that bridge internal IT and SaaS applications must provide strong monitoring, reporting, and auditing. 3 Source: ESG Research Report, The Emerging Intersection Between Big Data and Security Analytics, November 2012.

6 White Paper: Enterprises Need Hybrid SSO Solutions to Bridge Internal IT and SaaS 6 Figure 2. User Behavior Activity Monitoring Remains a Weakness for Many Enterprises In which of the following areas do you believe your organization s security monitoring is weakest with regard to incident detection? (Percent of respondents, N=257, multiple responses accepted) User behavior activity monitoring/visibility 28% Alternative endpoint monitoring/visibility 25% Current threat intelligence 24% Sensitive data access/activity monitoring/visibility 23% Network traffic monitoring/visibility 22% 0% 5% 10% 15% 20% 25% 30% Source: Enterprise Strategy Group, Recognizing these new requirements, several technology vendors introduced new single sign-on technologies over the past few years. These SSO tools provide a combination of user management, password management, authentication, federated identity management, and SaaS connectivity to bridge the IAM gap described above. SSO: On-premises or On-demand? Since SSO technologies have the ability to unify internal IT and SaaS IAM, enterprise organizations adopting SaaS applications are actively pursuing these solutions. They then realize that leading SSO solutions can be deployed as on-premises solutions or cloud-based services. This begs an obvious question: Which type of solution is best? The answer here may be obvious to highly regulated companies or organizations associated with law enforcement, defense, or intelligence. These firms will almost always opt for on-premises security solutions. For the vast majority of remaining organizations, however, the answer to this question will depend on a multitude of factors. Is the company centralized or globally distributed? How many user accounts are managed? Is the company highly skilled at IAM? How aggressively is the organization adopting SaaS? While the answers to questions like these may guide IT toward on-premises or on-demand SSO, smart CIOs recognize that their requirements will change over time. Additionally, large global organizations may have business units that align with on-premises SSO products and others that fit the on-demand model. Clearly, the future is uncertain and requirements will undoubtedly change over time. This is exactly why ESG recommends that large organizations work with vendors offering both on-premises and on-demand SSO solutions. By doing so, CIOs can implement SSO where appropriate and have the flexibility to swap on-premises products for on-demand services (or vice versa) in the future. When selecting vendors, however, large organizations should make sure that their SSO solutions:

7 White Paper: Enterprises Need Hybrid SSO Solutions to Bridge Internal IT and SaaS 7 Provide comprehensive IAM capabilities. Look for a portfolio of features/functionality that includes things such as user administration (i.e., user provisioning, change management, password management), SaaS connectivity, strong authentication, and broad reporting (i.e., user behavior, logging, runtime metrics, etc.). The best SSO systems will supplement the existing IAM infrastructure with new capabilities such as onetime passwords (OTP), device authentication, and federated identity support. Integrate into the existing IAM infrastructure. SSO products and services must seamlessly connect with LDAP directories, RADIUS servers, and existing user authentication technologies of all kinds. The best solutions will also provide a wide range of provisioning and SSO custom connectors to leading SaaS solutions and alternative methods for integrating with the plethora of burgeoning SaaS options. Work with leading SaaS providers. In addition to providing connectors, top-tier SSO solution vendors will also work directly with leading SaaS providers to enhance useability and security for their integrated solutions. Offer common management across products and services. Organizations deploying a combination of SSO products and services should demand common command-and-control for policy management, identity administration, monitoring, and reporting. This common management layer can help CIOs align disparate identity management requirements with the right SSO products or services today and provide the flexibility to make changes in the future. CIOs looking for a one-stop shop for SSO products and services may be disappointed as few vendors offer both the form factors and the requirements defined above. McAfee (an Intel company) is one notable exception. While the company s products have different naming conventions, the McAfee Cloud Identity Manager and Cloud SSO service are actually a tightly integrated combination of on-premises and cloud-based SSO with rich IAM feature sets. Both systems support leading SaaS providers such as Salesforce, Google, and Box; offer necessary user administration capabilities; and provide flexible options for authentication. The products and services integrate into existing IAM infrastructure elements and provide good out-of-box reporting and analytics capabilities. As a security market leader, McAfee also surrounds its SSO offering with other leading products and services. For example, McAfee Cloud Identity Manager and Cloud SSO can use Intel Identity Protection Technology (IPT) for device authentication and integrate with McAfee security products such as its Web Gateway. Given these attributes, CIOs should willingly evaluate McAfee s SSO products and services to see how they align with present and future SaaS plans.

8 The Bigger Truth White Paper: Enterprises Need Hybrid SSO Solutions to Bridge Internal IT and SaaS 8 ESG and industry data clearly points to a new direction for enterprise IT. Cloud computing is increasingly attractive and many organizations are actively evaluating use cases. While large organizations are taking a pragmatic approach to IaaS and PaaS, they are aggressively deploying SaaS applications. SaaS simply introduces flexibility and business enablement benefits that internal IT systems can t match. While SaaS continues to gain momentum, ESG recommends that CIOs temper their enthusiasm and assess what this trend means for existing policies, procedures, and technologies. In the case of IAM, SaaS can usurp internal control, add administrative overhead, and increase risk. To maximize SaaS benefits, CIOs need to find ways to bridge the growing gap between internal IT and SaaS. From an IAM perspective, this can be done effectively with the right SSO products and services. Large organizations will likely need to consider and implement both for different facilities and business units. Given this, ESG recommends tightly integrated SSO products and services from vendors such as McAfee and Intel as they can support SSO with the right resources, support, innovation, and industry partnerships.

9 20 Asylum Street Milford, MA Tel: Fax: