Six Best Practices for Cloud-Based IAM



A best practices guide: Six Best Practices for Cloud-Based IAM. Making Identities Work Securely in the Cloud. Symplified, 1600 Pearl Street, Suite 200, Boulder, CO 80302. www.symplified.com, @Symplified

Executive Summary

Identity and access management (IAM) is the great IT challenge of the SaaS era. The key is providing authentication and authorization in a way that is convenient for users while delivering security and compliance for IT. Done well, IT becomes a valuable asset in the deployment of cloud applications by offering a simple-to-use, yet highly sophisticated IAM solution. By offering a single sign-on solution, IT departments can give the lines of business that are adopting SaaS applications directly an incentive to involve IT when bringing new applications on board, thus enabling you to regain visibility and control over application usage and data security. Using the six best practices outlined in this paper, along with a comprehensive Identity-as-a-Service (IDaaS) solution like Symplified, can help any IT department successfully strike a balance between enabling productivity and managing risk.

Background

Wide adoption of cloud-based applications and access to them via mobile devices has made doing business much easier and more cost-effective. However, when people use their own mobile devices to access applications and business units deploy SaaS applications directly, IT is often left in the dark about where their company's data and processes are moving. This leads to several challenges that can also be security risks, depending on:

1. The type of information you are working with in the cloud
2. The amount and level of sensitive information (customer data plus personal identity information) that is residing in the cloud
3. How that information is protected in the cloud
4. How quickly you can restrict access to sensitive information in the case of termination
5. How many passwords accessing what types of information you are comfortable not having control over

Forrester Research describes an extended enterprise as "one for which a business function is rarely, if ever, a self-contained workflow within the infrastructure confines of the company." [1] Forrester goes on to state that most organizations now meet that definition, thanks to the use of SaaS applications and other cloud-based computing resources such as Gmail and Google Drive; ADP Payroll and Jobvite for your HR department; marketing's Eloqua, Marketo, and almost every email marketing tool; Salesforce; most of your social media tools; as well as Evernote, Dropbox, Hubspot, WorkDay, Force.com, Xactly, and scores of others.

FIGURE 1: CLOUD-BASED APPLICATIONS YOU MIGHT BE USING

In short, you have a lot of sensitive data residing outside of your organization. Add in the complexity of allowing contractors, partners and customers to access parts of your cloud-based solutions in order to serve themselves or smooth ERP and manufacturing processes, plus the identity silos created when multiple third-party service providers individually manage who has access to what. One additional challenge is that everybody who has chosen to work in the cloud was sold on the idea that this would save on IT budgets. Realistically, it does dramatically reduce the effect on capital budgets, but it can actually increase the workload on IT in terms of provisioning, de-provisioning, and supporting employees working in the cloud.

FIGURE 2: THE COMPLEXITY OF THE CLOUD GROWS WITH THE POPULARITY OF THE APPLICATIONS (internet user growth; employees, customers, partners; personal data and financial data; enterprise portal, CRM, SFA, HR, payroll)

For example, when Bob Jones joins your organization, he needs to access both the on-site applications and the cloud-based applications his department has deemed necessary for his position. Unfortunately, most new employees are trying to remember a dozen new things at once, so they tend to scrimp on creativity when it comes to passwords. Bob may log into the travel expense management app with the username bobj and the password pwd123; the sales quote app with bob2 and pwd123; and the engineering requirements management app with bjones and pwd123. He would have to remember three different name and password combinations, so he takes a shortcut and uses the same password for all three applications, which is never a good practice. The bigger problem is that Bob has done this pretty much all by himself, and the enterprise has no centralized control.

This leads to weaker security, because one password opens many doors, and to redundant administration, since Bob's user account in every one of those applications has to be administered and audited from within each application separately. In the case of a terminated employee, somebody in IT would need to de-provision the terminated employee's accounts at all of the applications the employee used on behalf of the enterprise. This means that the admin must first remove the terminated employee from Active Directory, which will effectively block access to all of the on-site applications. However, the other immediate concern is that the terminated employee's access to the wide variety of cloud-based applications must be eliminated. This means that IT must also remove the employee from each SaaS application. When there is no centralized control of the services an enterprise uses, it is often difficult to determine which SaaS applications a user had access to in the first place. This leads to orphaned accounts: accounts at third-party sites (like Salesforce or Google) that are not de-provisioned, and that ultimately represent a security threat.

FIGURE 3: THE NIGHTMARE OF DE-PROVISIONING EMPLOYEES WHO WORK IN THE CLOUD (IT, employee manual de-provisioning, your company, terminated employee, continued access to multiple external accounts)

While it can be relatively easy to control access to on-site applications through an enterprise Active Directory (LDAP), in this scenario managing access to cloud-based applications requires a very hands-on approach.

The Second Generation: Federation Single Sign-On

In order to solve this challenge for applications owned by an organization, many organizations moved to a Web Access Management (WAM) solution. With a WAM approach, IT leverages a centralized directory (often Active Directory) as a central identity repository. Products like TIM/TAM, RSA Access Manager, and CA SiteMinder give a single point of control for administration and audits, require fewer credentials, and allow IT to de-provision terminated employees quickly. This worked until companies needed to collaborate with partners and customers more efficiently, as well as leverage applications that are provided by third parties. This is when a new player arose: the Application Service Provider, now known as the Software-as-a-Service (SaaS) provider. The rise of the SaaS provider highlighted some shortcomings in WAM solutions, namely that you couldn't deploy the agents those solutions required on partner web servers, and the identity management cookies were bound to the domains. Organizations adopted federation access management tools as an added component to complement their WAM products. Products emerged to provide the identity management link to the same directory used by WAM, and then extend authentication and authorization beyond the enterprise using the industry-standard SAML (Security Assertion Markup Language). However, there is now a gap between the authentication and single sign-on capabilities of federation solutions and the additional authorization and access control, auditing, and provisioning capabilities of WAM.

The other challenge is that the federation and WAM setup treats local and remote applications differently, with federation products only offering SSO today and very little integration. In this model, somebody needs to configure each SaaS provider separately, and users get no consistency between applications. This approach ignores the organization's need to secure, audit and control both types of applications in the same way. Federation products also only work with SAML-based SaaS solutions, and SAML support is very expensive and time-consuming for smaller SaaS providers to deliver. However, the greatest challenge for federation products is the one-to-one nature of their relationships.

FIGURE 4: THE SAML FEDERATION TRUST RELATIONSHIP (identity provider trusts and integrates with service provider; user authenticates and accesses application)

SAML federations are based on a pair-wise model, where the Service Provider trusts the Identity Provider to authenticate the user so the Service Provider can grant the user access. Each relationship between an Identity Provider and a Service Provider must be established for each user via technical integration. This means that if Bob Jones needs access to five SaaS applications, somebody will need to establish each of those relationships for Bob, making SAML federations difficult to scale. Ten new users like Bob will require somebody in IT to establish and manage 50 relationships. With 500 users accessing an average of five SaaS solutions, your organization needs to establish and manage 2,500 relationships. The geometric growth of this situation is pretty easy to calculate: the number of employees (e) multiplied by the number of applications (a) equals the number of relationships (r), or e × a = r. It simply doesn't scale. As access to SaaS applications grows, the SAML federation model won't scale with your organization, regardless of whether you grow linearly or exponentially. This could result in a deterioration of security, compliance, agility, flexibility, or any combination of the four. The only feasible means of handling this growth is to rethink how federation is done. You need to move from a one-to-one mindset to creating a one-to-many relationship that allows the number of connections to grow in a linear fashion. Your IT team establishes relationships between each user and a central integration platform (preferably one that leverages identity stores like LDAP which you already have in place), which in turn connects to your SaaS portfolio. This single point of control gives IT the ability to audit, enforce policies, provision and de-provision across all of the organization's applications.

A New Way

Symplified's service gives you a single point of access to both your on-premises and cloud-based applications. It is a single point of entry that IT controls, making it easy to provision and de-provision users as needed. It acts as an identity bridge for employees as well as external users (contractors, customers and partners) to access the applications, or even parts of the applications, that you want them to access, and nothing more. Symplified has a flexible deployment model, delivering services via a virtual server in your infrastructure or as a hosted cloud service. It sits beside your existing products to enable a clean migration path.

FIGURE 5: THE SYMPLIFIED SOLUTION (employee, customer and partner access to on-premises and/or cloud applications through the existing identity infrastructure: LDAP, other databases, REST/SOAP)

Symplified's approach to IDaaS (Identity as a Service) gives you the ability to scale in the way that you need to in order to keep pace with the growth of both external applications and access needs. Symplified provides SSO, authorization, authentication and auditing capabilities, so it can work for both on-premises and cloud-based applications accessed across any device or location.

Best Practices for Identity Management in the Era of SaaS

Keeping in mind the growing number of applications your organization is using to run its operations, BYOD, and the expanding population of external users who need to access your applications, Symplified outlines six best practices to help you deliver access management while achieving your goals for security, compliance, IT simplicity and end user convenience.

1. LEVERAGE EXISTING INFRASTRUCTURE WHENEVER YOU CAN

If you're implementing IAM in order to provide SaaS applications for employees, you've likely already made a significant investment in processes and technology for managing usernames, passwords and other profile information. Most organizations leverage Active Directory, for example, as their primary system of record for user information. Some organizations also have deployed one-time password solutions, and others may have first-generation WAM systems in place which are difficult to extend to SaaS applications. The solution you choose to secure your employees' usage of SaaS applications needs to leverage these existing investments rather than recreate them in a parallel system and maintain them independently. Redundant systems are inefficient, more difficult to secure, and fall out of sync, which in this case leads to orphaned accounts and access policy violations.

One example of where this fails is when an inside sales representative leaves a company and still has access to a corporate application. He can be removed from Active Directory immediately and lose access to on-premises applications. But if his Salesforce account remains in place, he can log back in, download a customer lead list and deliver it into the hands of his new employer. If Salesforce had been relying on his former employer's Active Directory to authenticate the user, he would not have been able to get back into the service and access that list. If you're an organization implementing IAM to extend applications to customers or partners, you may not have an existing user store to manage identities. In these cases, the identity directories managed by a third party such as Facebook or Google can be used to authenticate users as they access applications. The ancillary benefits are cost savings and gathering more user information than you would if you tried to manage external users like these directly.
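The Bob Jones de-provisioning scenario and the sales representative's lingering Salesforce account both come down to one check: does any SaaS application still hold an account whose owner the directory no longer recognizes as active? The reconciliation below is an added example, not code from the Symplified paper; the directory users, application names and account identifiers are constructed, and the alias table for self-chosen app usernames is a hypothetical, manually maintained mapping.

```python
"""Orphaned-account reconciliation across SaaS applications.

Added example (not from the Symplified paper). Each SaaS application's
exported account list is compared against the corporate directory; accounts
whose owner has been disabled, or that match no directory user at all, are
reported so they can be de-provisioned or investigated. Every user,
application and identifier below is constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DirectoryUser:
    """Minimal view of a directory (e.g. Active Directory) user record."""
    username: str   # login name, e.g. the sAMAccountName
    mail: str
    enabled: bool   # False once the account is disabled at termination


def _norm(identifier):
    """Case-insensitive, whitespace-tolerant matching of identifiers."""
    return identifier.strip().lower()


def build_directory_index(users):
    """Map every known login name and mail address to its directory user."""
    index = {}
    for user in users:
        index[_norm(user.username)] = user
        index[_norm(user.mail)] = user
    return index


def reconcile(users, saas_accounts, aliases=None):
    """Classify each SaaS account against the directory.

    saas_accounts: {app_name: [account identifier, ...]} as exported from
                   each application's admin console.
    aliases:       {app_name: {app_identifier: directory_username}}, a
                   hypothetical, manually maintained table for accounts users
                   created themselves under names the directory does not know
                   (the paper's bobj / bob2 problem).

    Returns {app_name: {"owner_disabled": [...], "unmatched": [...]}} for
    applications with something to act on; clean applications are omitted.
    """
    index = build_directory_index(users)
    aliases = aliases or {}
    findings = {}
    for app, accounts in saas_accounts.items():
        app_aliases = {_norm(k): v for k, v in aliases.get(app, {}).items()}
        owner_disabled, unmatched = [], []
        for account in accounts:
            key = _norm(account)
            # A self-chosen app username is resolved through the alias table;
            # otherwise the identifier itself must be a known login or mail.
            mapped = app_aliases.get(key)
            owner = index.get(_norm(mapped)) if mapped else index.get(key)
            if owner is None:
                unmatched.append(account)        # nobody in the directory claims it
            elif not owner.enabled:
                owner_disabled.append(account)   # owner has left: de-provision here too
        if owner_disabled or unmatched:
            findings[app] = {"owner_disabled": sorted(owner_disabled),
                             "unmatched": sorted(unmatched)}
    return findings


# Constructed sample data: Bob Jones has been terminated and disabled in the
# directory, Alice Smith is still active, and a contractor account exists in
# one application with no directory record at all.
SAMPLE_DIRECTORY = [
    DirectoryUser("bjones", "bob.jones@example.com", enabled=False),
    DirectoryUser("asmith", "alice.smith@example.com", enabled=True),
]
SAMPLE_SAAS_ACCOUNTS = {
    "travel-expenses": ["bobj", "asmith"],
    "sales-quotes": ["bob2", "alice.smith@example.com", "contractor7"],
    "requirements": ["bjones", "asmith"],
}
SAMPLE_ALIASES = {
    "travel-expenses": {"bobj": "bjones"},
    "sales-quotes": {"bob2": "bjones"},
}

if __name__ == "__main__":
    for app, result in reconcile(SAMPLE_DIRECTORY, SAMPLE_SAAS_ACCOUNTS,
                                 SAMPLE_ALIASES).items():
        print(f"{app}: de-provision {result['owner_disabled']}, "
              f"investigate {result['unmatched']}")
```

Without the alias table, Bob's self-chosen bobj and bob2 logins fall into the "unmatched" bucket, which is exactly the visibility gap the paper describes: the enterprise cannot even tell which SaaS accounts belong to the terminated employee.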

Whether you're implementing IAM to extend SaaS application access to employees or consumers, there's likely already a system and process in place for managing their user profile information. Be sure to leverage it.

2. LEVERAGE OPEN STANDARDS WHEREVER POSSIBLE

Identity is fundamentally an integration challenge. It's about enabling providers of SaaS applications to leverage your existing identity stores. If you integrate with each one differently, it's much more expensive to implement and maintain access. Rather than having to create a unique integration with each partner, open standards enable you to leverage a common integration approach across all of your partners that implement those standards. Additionally, standards enable more functionality than proprietary integrations, such as global logout. Keep in mind that implementing a standard doesn't require you to implement all of it. For example, the SAML technical committee defined several different conformance profiles for the SAML specification, where each implements a different subsection of the SAML specification. SAML was created before the emergence of SaaS and the cloud to enable SSO between business partners. SAML defines a one-to-one relationship between two organizations. The emergence of the SaaS application delivery model has created huge demand for federated SSO as businesses use more and more SaaS applications to run their operations. The cloud has become the primary driver for the adoption of SAML, resulting in a many-to-one usage model that gives IDaaS providers the opportunity to make it easier for organizations to implement SAML for their use of cloud applications.

3. LEVERAGE A CLOUD IDENTITY BROKER

The advantage of a service that acts as a bridge to the cloud is that it will already have SSO integrations with many (if not most) of the SaaS providers you want to work with. The reality today is that, despite their benefits, the standards described above aren't implemented by most SaaS applications. Gartner estimates that less than 25% of SaaS application vendors support federated authentication today. [2] Where they are being used, they're often implemented in different ways. As a result, an organization ends up managing unique integrations for each of its partners, an expensive proposition that requires identity expertise that most organizations don't have. There's a spectrum of solutions available today, ranging from ones focused solely on user convenience to others focused more on enabling enterprise control and visibility. On one end, you have providers such as Okta, OneLogin, and others which are built around the convenience aspect of SSO. On the other end, enterprise solutions like TIM/TAM, RSA Access Manager, and CA SiteMinder were built from the perspective of security, and focus on authorization rules, authentication, and auditing. In between these offerings lie IDaaS providers like Symplified, which provide the simplicity, ease of use and lower total cost of ownership a cloud-delivered service is capable of offering, while still providing the security benefits of an on-premises enterprise security solution. It's important you choose one with the right set of capabilities from the start (see Best Practice #6 for more on this point).

4. DON'T REPLICATE SENSITIVE USER DATA IN THE CLOUD WHEN YOU DON'T ABSOLUTELY NEED TO

The problem federation sets out to solve is redundant data: the fact that a given user's data is maintained uniquely within each service he uses. As mentioned earlier, it's inevitable these identities will fall out of sync. Choosing a federation solution that requires you to replicate data to yet another silo simply doesn't make sense. In many cases, it violates end user agreements to do so, and it increases the attack surface on one of your most critical systems. Fortunately, solutions exist, like Symplified, that work with your existing Active Directory (or other identity store) to provide secure access to cloud-based applications, without requiring you to replicate the information.

5. TO ENGAGE WITH BUSINESS UNITS ON SAAS DEPLOYMENTS, USE A CARROT, NOT A STICK

Business unit leaders have been adopting SaaS applications without involving the corporate IT department. Where IT may take weeks to move on deployment, the SaaS provider may take hours, which makes IT appear as a speed bump they'd prefer to avoid. This sidelines IT in important decisions about where critical applications and data are being stored. From a risk management perspective, it's critical for IT to be involved in that process. IT needs something they can offer to give those departments an incentive to come back and involve them in those SaaS deployments. SSO is one of the most powerful weapons at your disposal for restoring IT's role while also meeting your security and compliance needs. If you've rolled out SSO, employees will expect each new application to be accessible via that SSO solution. If a business unit uses a new app that's not a part of their SSO session, employees will be very vocal about having it included in their SSO session and force the business unit to have that conversation with IT. Once you've implemented a comprehensive IDaaS solution, you will then get what are perhaps the more important benefits: security, provisioning, authentication, compliance, and usage auditing.

6. IMPLEMENT AN IDENTITY MANAGEMENT CAPABILITY THAT WILL PROVIDE ALL OF THE SECURITY PROPERTIES YOU MIGHT ULTIMATELY NEED

Not all IDaaS solutions are the same. Because they are designed with different architectures, they inherently deliver different security features. Some solutions are built with architectures that limit what security features they can provide; if you start with a very basic offering today, you may find yourself in a place where you can't get to the features you need tomorrow. Look at all of your security needs, both for internal applications and public cloud-based applications, to determine the full scope of what you'll ultimately need, and select a product that's capable of getting you there. For example, if you need to segment authorization based on roles, make sure your IDaaS solution provides that capability. Another example is in more regulated industries, where it's often required to have an audit trail of all end user activities in your SaaS applications, beyond when they logged in.

Summary

SaaS, BYOD, and an ever-growing user mix of employees, contractors, customers and partners have introduced new complexities to identity and access management. Providing it in a way that is convenient and efficient for employees while providing IT with visibility and control into SaaS application usage is key. Open standards exist for facilitating this kind of federated access. IDaaS vendors provide solutions that make it very easy to leverage those standards. Using the six best practices outlined above along with a comprehensive IDaaS solution like Symplified will help you extend your existing identity infrastructure to SaaS applications, enabling the security your organization needs and the simplicity your users want.

Symplified features a hybrid architecture that enables you to deploy your SSO capability in a way that makes the most sense for your organization, whether that's on premises or in the cloud. In one deployment model, Symplified provides a multitenant cloud service while still enabling the control and security of a single-tenant on-site deployment via a virtual appliance. Symplified can also run entirely in the cloud for organizations that want to completely leverage the benefits of the cloud. As a proxy-based solution, Symplified also delivers flexibility in processing: the solution has the capability to stay in the flow of all web traffic and provide an audit log of all user activity. This visibility is increasingly important to organizations as they address BYOD and SaaS used together; people are using more of their own devices, and organizations have lost visibility into what their users are doing when logged into SaaS services. Proxying offers the benefit of knowing what a user did while logged into an application, not just when he logged in. Additionally, as organizations attempt to get a handle on the value they're getting out of the SaaS applications they've licensed, this information is beneficial. For more on the features and benefits of IDaaS from Symplified, access additional resources online at www.symplified.com/resources.

Sources:
1. The Extended Enterprise: A Security Journey, Forrester Research, November 2011
2. Supporting Mobile Device Authentication and Single Sign-On to the Enterprise and Cloud, Gartner Research, August 2012

THE SYMPLIFIED ADVANTAGE

Symplified enables IT organizations to simplify user access to applications, regain visibility and control over usage and meet security and compliance requirements. Symplified provides single sign-on, identity and access management, directory integration, centralized provisioning, strong authentication, mobile device support and flexible deployment options. Symplified is headquartered in Boulder, Colorado. Visit us at www.symplified.com.