a best practices guide Six Best Practices for Cloud-Based Identity Management Services Making Identities Work Securely in the Cloud

Transcription

1 a best practices guide Six Best Practices for Cloud-Based Identity Management Services Making Identities Work Securely in the Cloud

2 Figure 1 Cloud-based applications you might be using Identity and access management (IAM) is the great IT challenge of the SaaS era. Providing authentication and authorization in a way that is convenient for users while delivering security and compliance for IT is key. Done well, you can make IT a valuable asset in the deployment of cloud applications by offering a simple-to-use, yet highly sophisticated IAM solution. By offering a single sign-on solution, IT departments can provide an incentive for the lines of business that are adopting SaaS applications to start involving IT from the beginning thus enabling you to regain visibility and control over application usage and data security. Using the six best practices outlined in this paper, along with a comprehensive identity management platform like Symplified, any IT department can successfully strike a balance between enabling productivity and managing risk. Figure 1 : Cloud-based applications you might be using Background Wide adoption of cloud-based applications and access to them via mobile devices has made doing business much easier and more cost-effective. However, when people use their own mobile devices to access ap- plications and business units deploy SaaS applications directly, IT is often left in the dark about where their company s data and processes are moving. This leads to several challenges that can also be security risks depending on: 1 The Extended Enterprise: A Security Journey, Forrester Research, November 2011 The type of information you are working with in the cloud The amount and level of sensitive information (customer data in addition to personal identity information) that is residing in the cloud How that information is protected in the cloud How quickly you can restrict access to sensitive information in the case of user termination How many passwords accessing what types of information you are comfortable not having control over in the cloud Forrester Research describes an extended enterprise as, One for which a business function is rarely, if ever, a self-contained workflow within the infrastructure confines of the company. 1 Forrester goes on to state that most organizations now meet that definition, thanks to the use of SaaS applications and other cloud-based computing resources. These include Gmail and Google Drive; ADP Payroll and Jobvite for your HR department; marketing s Eloqua, Marketo, and almost every marketing tool; Salesforce; most of your social media tools; as well as Evernote, Dropbox, Hubspot, WorkDay, Force.com, Xactly, and scores of others. 2» Six Best Practices for Cloud-Based Identity Management Services»

3 In short, you have a lot of sensitive data residing outside of your organization. Add in to this the complex- ity of allowing contractors, partners and customers access to parts of your cloud-based solutions in order to serve themselves or smooth ERP and manufacturing processes. Also keep in mind the identity silos are created when multiple third party service providers individually manage who has access to what. One additional challenge is that everybody who has chosen to work in the cloud was sold on the idea that they would save on IT budgets. Realistically, it does dramatically reduce the effect on capital budgets, but it can actually increase the workload on IT in terms of provisioning, de-provisioning, and supporting employees working in the cloud. Figure 2 The complexity of the cloud grows with the popularity of the applications PARTNER CUSTOMER EMPLOYEE INTERNET USER CRM SFA HR PAYROLL ENTERPRISE PORTAL For example, when Bob Jones joins your organization, he needs to access both the on-site applications and the cloud-based applications his department has deemed necessary for his position. Unfortunately, most new employees are trying to remember a dozen new things at once, so they tend to scrimp on creativity when it comes to passwords. Bob may log into the travel expense management app with the username bobj and the password pwd123; the sales quote app with bob2 and pwd123; and the engineering require- ments management app with bjones and pwd123. Now he has to remember three different name and pass- word combinations, so he takes a shortcut and uses the same password for all three applications, never a good practice. The bigger problem is that Bob has done this pretty much all by himself, and the enterprise has no centralized control. This leads to weaker security because one password opens many doors, and redundant administration since Bob s user account in every one of those applications has to be administered and audited from within each application separately. In the case of a terminated employee, somebody in IT would need to de-provision the terminated employee s accounts at all of the applications the employee used on behalf of the enterprise. This means that the admin must first remove the terminated employee from Active Directory which will effectively block access to all of the on-site applications. However, the other immediate concern is the terminated employee s access to the wide variety of cloud-based applications must be eliminated. 3» Six Best Practices for Cloud-Based Identity Management Services»

4 This means that IT must also remove the employee from each SaaS application. When there is no centralized control of the services an enterprise uses, it is often difficult to determine which SaaS applications a user had access to in the first place. This leads to orphaned accounts those accounts at third party sites (like Salesforce or Google) that are not de-provisioned, and ultimately represent a security threat and licensed seat financial drain. While it can be relatively easy to control access to on-site applications through an enterprise Active Directory (LDAP), in this scenario managing access to cloud-based applications requires a very hands-on approach. Figure 3 The nightmare of de-provisioning employees who work in the cloud YOUR COMPANY ADMIN Manual deprovisioning EXTERNAL ACCOUNTS TERMINATED EMPLOYEE Immediately ends access to multiple external accounts. The Second Generation: Federated Single Sign-On In order to solve this challenge for applications owned by an organization, many organizations moved to a Web Access Management (WAM) solution. With a WAM approach, IT leveraged a centralized directory (often Active Directory) as a central identity repository. Products like TIM/TAM, RSA Access Manager, and CA Siteminder gave a single point of control for administration and audits, required fewer credentials, and allowed IT to de-provision terminated employees quickly. This worked until companies needed to collaborate with partners and customers more efficiently, as well as the desire to leverage applications provided by third parties. This is when a new player arose the Application Service Provider, now known as Software-as-a-Service (SaaS) providers. The rise of the SaaS provider highlighted some shortcomings in WAM solutions, namely that you couldn t deploy the agents those solutions required on partner web servers, and the identity management cookies were bound to the domains. Organizations adopted federation access management tools as an added component to complement their WAM products. Products emerged to provide the identity management link to the same directory used by WAM, and then extend authentication and authorization beyond the enterprise using the industry-standard SAML (Security Assertion Markup Language). Today, however, there is now a gap between the authentication and single sign-on capabilities of federation solutions and the additional authorization and access control, auditing, and provisioning capabilities of WAM. The other challenge is that the federation and WAM setup treats local and remote applications differently, with federation products only offering SSO and very little integration. In this model, somebody needs to configure each SaaS provider separately and gives users no consistency between applications. This approach ignores the organization s need to secure, audit and control both types of applications in the same way. Federation products also only work with SAML-based SaaS solutions, a system that is very expensive and time-consuming for smaller SaaS providers to deliver. However, the greatest challenge for federation products is the one-to-one nature of their relationships. 4» Six Best Practices for Cloud-Based Identity Management Services»

5 Figure 4 : The SAML federation on Trust Relationship Figure 4 The SAML federation trust relationship SAML federations are based on a pair-wise model, where the Service Provider trusts the Identity Provider to authenticate the user so the Service Provider can grant the user access. Each relationship between an Identity Provider and a Service Provider must be established for each user via technical integration. This means that if Bob Jones needs access to five SaaS applications, somebody will need to establish each of those relationships for Bob, making SAML federations difficult to scale. AUTHENTICATE Ten new users like Bob will require somebody in IT to establish and manage 50 relationships. With 500 users accessing an average of five SaaS solutions, your organization needs to establish and manage 2,500 relationships. The geometric growth of this situation is pretty easy to calculate: the Number of Employees (e) multiplied by the Number of Applications (a) equals the Number of Relationships (r), or e x a = r. It simply doesn t scale. IDENTITY PROVIDER TRUST RELATIONSHIP APPLICATION USER SERVICE PROVIDER As access to SaaS applications grows, the SAML federation model won t scale with your organization regardless of whether you grow linearly or exponentially. This could result in a deterioration of security, compliance, agility, flexibility, or any combination of the four. The only feasible means of handling this growth is to rethink how federation is done. You need to move from a one-to-one mindset to creating a one-to-many relationship that allows the number of connections to grow in a linear fashion. Your IT team establishes relationships between each user and a central integration platform (preferably one that leverages identity stores like LDAP which you already have in place), which in turn connects to your SaaS portfolio. This single point of control gives IT the ability to audit, enforce policies, provision and de-provision across all of the organization s applications. ACCESS You need to move from a one-to-one mindset to creating a one-to-many relationship. A New Way Symplified s service gives you a single point of access to both your on-premises and cloud-based applications. A single point of entry that IT controls, making it easy to provision and deprovision users as needed. It acts as an identity bridge for employees as well as external users contractors, customers and partners to access the applications, or even parts of the applications, that you want them to access, and nothing more. Symplified has a flexible deployment model, delivering services via a virtual server in your infrastructure or as a hosted cloud service. It sits beside your existing products to enable a clean migration path. Symplified s approach to identity and access managemetn gives you the ability to scale in the way that you need to in order to keep pace with the growth of both external applications and access needs. Symplified provides SSO, authorization, authentication and auditing capabilities, so it can work for both on-premises and cloud-based applications accessed across any device or location. 5» Six Best Practices for Cloud-Based Identity Management Services»

6 Figure 5 The Symplified solution EMPLOYEE and/or CUSTOMER ON-PREMISES CLOUD PARTNER EXISTING IDENTITY INFRASTRUCTURE LDAP OTHER DBS & REST/SOAP Best Practices for Identity Management in the Era of SaaS Keeping in mind the growing number of applications your organization is using to run its operations, BYOD, and the expanding population of external users who need to access your applications, Symplified outlines six best practices to help you deliver access management while achieving your goals for security, compliance, IT simplicity and end user convenience. 1. LEVERAGE EXISTING INFRASTRUCTURE WHENEVER YOU CAN If you re implementing IAM in order to provide SaaS applications for employees, you ve likely already made a significant investment in processes and technology for managing usernames, passwords and other profile information. Most organizations leverage Active Directory, for example, as their primary system of record for user information. Some organizations have also deployed one-time password solutions, and others may have first-generation WAM systems in place which are difficult to extend to SaaS applications. The solution you choose to secure your employees usage of SaaS applications needs to leverage these existing investments rather than recreate them in a parallel system and maintain them independently. Redundant systems are inefficient, more difficult to secure, and fall out of sync, which in this case leads to orphaned accounts and access policy violations. One such example of where this fails is when an inside sales representative leaves a company and still has access to a corporate application. He can be removed from Active Directory immediately and lose access to on-premises applications. But if his Salesforce account remains in place he can log back in, download a customer lead list and deliver it into the hands of his new employer. If Salesforce had been relying on his former employer s Active Directory to authenticate the user, he would not have been able to get back into the service and access that list. If you re an organization implementing IAM to extend applications to customers or partners, you may not have an existing user store to manage identities. In these cases, the identity directories managed by a third party such as Facebook or Google can be used to authenticate users as they access applications. The ancil- lary benefits are cost savings and gathering more user information than you would if you try to manage external users like these directly. Whether you re implementing IAM to extend SaaS application access to employees or consumers, there s likely already a system and process in place for managing their user profile information. Be sure to leverage it. 6» Six Best Practices for Cloud-Based Identity Management Services»

7 2. LEVERAGE OPEN STANDARDS WHEREVER POSSIBLE Identity is fundmentally an integration challenge. It s about enabling providers of SaaS applications to leverage your existing identity stores. If you integrate with each one differently it s much more expensive to implement and maintain access. Rather than having to create a unique integration with each partner, open standards enable you to leverage a common integration approach across all of your partners that implement those standards. Additionally, standards enable more functionality than proprietary integrations, such as global logout. Rather than having to create a unique integration with each partner, open standards enable you to leverage a common integration approach across all of your partners Keep in mind that implementing a standard doesn t require you to implement all of it. For example, the SAML technical committee defined several different conformance profiles for the SAML specification where each implements a different subsection of the SAML specification. SAML was created before the emergence of SaaS and the cloud to enable SSO between business partners. SAML defines a one-to-one relationship between two organizations. The emergence of the SaaS application delivery model has created huge demand for federated SSO as businesses use more and more SaaS applications to run their operations. The cloud has become the primary driver for the adoption of SAML resulting in a many-to-one usage model that gives cloud IAM providers the opportunity to make it easier for organizations to implement SAML for their use of cloud applications. 2 Supporting Mobile Device Authentication and Single Sign-On to the Enterprise and Cloud, Gartner Research, August LEVERAGE A CLOUD IDENTITY BROKER The advantage of a service that acts as a bridge to the cloud is that they will already have SSO integrations with many (if not most) of the SaaS providers you want to work with. The reality today is, despite their benefits, the standards described above aren t implemented by most SaaS applications. Gartner estimates that less than 25% of SaaS application vendors support federated authentication today. 2 Where they are being used, they re often implemented in different ways. As a result, an organization ends up managing unique integrations for each of its partners an expensive proposition that requires identity expertise that most organizations don t have. There s a spectrum of solutions available today ranging from ones focused solely on user convenience to others focused more on enabling enterprise control and visibility. On one end, you have providers such as Okta, OneLogin, and others which are built around the convenience aspect of SSO. On the other end, enterprise solutions like TIM/TAM, RSA Access Manager, and CA Siteminder were built from the perspective of security, and focus on authorization rules, authentication, and auditing. In between these offerings lies identity and management providers like Symplified, which provides the simplicity, ease of use and lower total cost of ownership a cloud-delivered service is capable of offering while still providing the security benefits of an on-premises enterprise security solution. It s important you choose one with the right set of capabilities from the start (see Best Practice #6 for more on this point). 4. DON T REPLICATE SENSITIVE USER DATA IN THE CLOUD WHEN YOU CAN AVOID IT The problem federation sets out to solve is redundant data the fact that a given user s data is maintained uniquely within each service he uses. As mentioned earlier, it s inevitable these identities will fall out of sync. Choosing a federation solution that requires you to replicate data to yet another silo simply doesn t make sense. In many cases, it violates end user agreements to do so, and it increases the attack surface on one of your most critical systems. Fortunately, solutions like Symplified exist that work with your existing Active Directory (or other identity store) to provide secure access to cloud-based applications, without requiring you to replicate the information. 7» Six Best Practices for Cloud-Based Identity Management Services»

8 5. TO ENGAGe WITH BUSINESS UNITS ON SAAS DEPLOYMENTS, USE A CARROT, NOT A STICK Business unit leaders have been adopting SaaS applications without involving the corporate IT department. Where IT may take weeks to move on deployment, the SaaS provider may take hours, which makes IT appear as a speed bump they d prefer to avoid. This sidelines IT in important decisions about where critical applications and data are being stored. From a risk management perspective, it s critical for IT to be involved in that process. IT needs something they can offer to provide incentive to those departments to come back and involve them in those SaaS deployments. If a business unit uses a new app that s not a part of their SSO session, employees will be very vocal about having it included in their SSO session and force the business unit to have that conversation with IT. SSO is of one of the most powerful weapons at your disposal for restoring IT s role while also meeting your security and compliance needs. If you ve rolled out SSO, employees will expect each new application to be accessible via that SSO solution. If a business unit uses a new app that s not a part of their SSO session, employees will be very vocal about having it included in their SSO session and force the business unit to have that conversation with IT. One you ve implemented a comprehensive IAM solution, you will then get what are perhaps the more important benefits security, provisioning, authentication, compliance, and usage auditing. 6. IMpLEMENT AN IDENTITY MANAGEMENT CAPABILITY THAT WILL PROVIDE ALL OF THE SECURITY PROPERTIES YOU MIGHT ULTIMATELY NEED Not all IAM solutions are the same. Because they are designed with different architectures, they inherently deliver different security features. Some solutions are built with architectures that limit what security features they can provide; if you start with a very basic offering today, you may find yourself in a place where you can t get to the features you need tomorrow. Look at all of your security needs both for internal applications and public cloud-based applications to determine the full scope of what you ll ultimately need and select a product that s ultimately capable of getting you there. For example, if you need to segment authorization based on roles, make sure your IAM solution provides that capability. Another example is in more regulated industries where it s often required to have an audit trail of all end user activities in your SaaS applications beyond initial log in. 8» Six Best Practices for Cloud-Based Identity Management Services»

9 Summary SaaS, BYOD, and an ever-growing user mix of employees, contractors, customers and partners have introduced new complexities to cloud identity and access management. Providing it in a way that is convenient and efficient for employees while providing IT with visibility and control into SaaS application usage is key. Open standards exist for facilitating this kind of federated access. Identity and access management vendors provide solutions that make it very easy to leverage those standards. Using the six best practices outlined above along with a comprehensive identity management services from Symplified will help you extend your existing identity infrastructure to SaaS applications. You will deliver the security your organization needs and the simplicity your users want. Proxying offers the benefit of knowing what a user did while logged into an application, not just when they logged in. Symplified features a hybrid architecture that enables you to deploy your SSO capability in a way that makes the most sense for your organization, whether that s on premises or in the cloud. In one deployment model, Symplified provides a multitenant cloud service while still enabling the control and security of a single-tenant on-site deployment via a virtual appliance. Symplified can also run entirely in the cloud for organizations that want to completely leverage the benefits of the cloud. As a proxy-based solution, Symplified also delivers flexibility in processing: The solution has the capability to stay in the flow of all web traffic and provide an audit log of all user activity. This visibility is increasingly important to organizations as they address BYOD and SaaS used together; people are using more of their own devices, and organizations have lost visibility into what their users are doing when logged into SaaS services. Proxying offers the benefit of knowing what a user did while logged into an application, not just when they logged in. Additionally, as organizations attempt to get a handle on the value they re getting out of the SaaS applications they ve licensed, this information is extremely beneficial. For more on the features and benefits of identity management services from Symplified, access additional resources online at www. symplified.com/resources. The Symplified Advantage Symplified enables IT to securely manage identities in a world where enterprises increasingly have fewer boundaries. Support a mobile workforce; engage customers and partners; and enable and control access to any application on premises, in the cloud, or mobile anywhere in the world. Symplified is headquartered in Boulder, Colorado. Visit us at 9» Six Best Practices for Cloud-Based Identity Management Services»