White Paper Getting ahead in the cloud A White Paper by Bloor Research Author : Fran Howarth Publish date : March 2013
Users are demanding access to applications and services from wherever they are, whenever they like, necessitating that organisations facilitate that access in a secure and efficient manner Fran Howarth
Executive summary Cloud-based applications are proving their worth for organisations of all types and sizes, providing not just a more cost-effective and efficient manner for accessing applications and services, but also enabling them to access best-of-breed applications to drive innovation and improve overall competitiveness. Software-as-a-service (SaaS) applications, in particular, are now in mainstream use, with spend on SaaS subscriptions growing six times as fast as all software sold. However, as the use of such applications explodes, so do the problems of managing and securing access to applications and the data that they contain as each has its own requirements for authenticating users, forcing users to remember and manage multiple credentials. The use of externally hosted applications provided by third parties and the need to support the growing army of mobile workers means that the old paradigm of centralised in-house provisioning and control over access to in-house resources is broken. What is required for today s distributed world is a centralised identity and access management platform through which access, authentication and authorisation events can be channelled. This takes the form of a portal that can be based in the cloud, or implemented on-premise, that brokers access to applications and services based in the cloud. Another option is a hybrid mix of the two, in which access to both externally and internally delivered applications can be controlled. This document explores the need for such a platform and provides pointers for organisations as to what capabilities they should be looking for in the selection process. It is intended to be read by organisations of any size or vertical industry that are looking to take advantage of cloud-based applications in a highly secure manner. Fast facts The core capabilities that such an identity and access management platform must deliver centre on user account management and self-service, federated access control and single sign-on, multi-factor authentication, automated provisioning and de-provisioning synchronised with enterprise identity repositories, and strong authentication. To be effective, those capabilities must be tightly integrated and provided through one common portal and management interface that incorporates other enterprise-class data protection features, such as malware detection and data loss prevention (DLP). All activity must be continuously monitored to ensure controls are effective and exceptions dealt with. This will provide the audit trail necessary for compliance purposes. The bottom line The use of cloud-based applications can provide organisations with a host of benefits, but many have put off taking full advantage of their use owing to security concerns. Among those concerns are that sensitive data is held in a host of cloud-based applications from a disparate range of service providers, compounding the problems of managing who has access to what. The use of an identity and access management portal for providing a centralised point of control over access to, and use of, those applications provides an efficient and effective way of solving those problems, providing organisations with the level of surety that they need that no data is being inappropriately accessed. A Bloor White Paper 1 2013 Bloor Research
The era of cloud computing Not so long ago, it was the norm for almost all office workers to be just that working in an office, using applications provisioned within the corporate network to perform their tasks. Those networks had clearly defined boundaries shielding internal processes from the outside world. However, that has changed rapidly in recent years. According to internet service provider Timico, 93% of UK small and medium businesses believe that mobile working is a continuing or rising trend 1 and the Department of Work and Pensions of the UK states that 65% of employers say that flexible working practices have had a positive effect on recruitment and retention 2. Technology advances have made today s world a very different place. It is characterised by ubiquitous connectivity, mobility, virtualisation, web-based networking and cloud computing. Such advances make it easier to communicate and collaborate with employees, partners, suppliers, customers, and friends and contacts. In order to cater to these needs, data and applications can no longer be confined to an internal network but must be shared with mobile workers and other collaborators over the web. One particular trend that has been growing fast is the use of applications provided as a public cloud-based software-as-a-service (SaaS) model. According to Gartner, total spend on public cloud services amounted to US$109 billion in 2012 and that spend is growing rapidly, averaging 18% per year, and spanning a wide range of applications such as office productivity, sales, customer service, customer relationship management and marketing automation tools 3. According to a recent survey undertaken by North Bridge Venture Partners, spending on SaaS subscriptions is growing six times as fast as all software sold 4. The use of SaaS brings many benefits, including lower costs in terms of hardware purchases and software licences, flexibility to quickly add or remove users or applications, the ability to scale across large, distributed enterprises, access to the latest best-of-breed applications, and the ability to accommodate mobile workers so that they can access data and applications at any time, from anywhere. Use of SaaS applications also benefits organisations by reducing the IT administrative burden, as many important tasks such as backup and recovery, patching, configuration management and updates are handled by the service provider. In the North Bridge survey, 53% of respondents in 2012 stated that use of the cloud makes IT manageability less complex, up from 39% in 2011. However, a global survey of SaaS and cloud business adoption undertaken by Saugatuck Technology in 2012 found that the reasons that organisations are adopting such technology delivery models are changing from a core focus on cost reduction to one focused on using SaaS as a means of enabling more effective and efficient business operations. They are being used to foster innovation and drive competitive advantage, thus proving their growing usefulness to organisations. Spending on SaaS subscriptions is growing six times as fast as all software sold North Bridge Venture Partners 2 2013 Bloor Research A Bloor White Paper
The downsides to SaaS When the majority of applications were deployed on the internal network behind firewalls, users were granted access to a certain number of applications after supplying, generally, one user name and password. Only applications used to process the most sensitive information would require additional authentication credentials. Now, many applications used by organisations are hosted externally, often from an array of service providers. Forrester Research has estimated that organisations will subscribe to an average of 13 SaaS applications in 2013, as well as web-based applications such as social and professional networking sites. Each of those applications tends to have its own user authentication requirements, generally in the form of a user name and password, with varying policies for password complexity and expiration cycles. As the number of applications in use increases, so does the complexity of managing the associated passwords, which is a burden for users who tend to get around the problem of remembering them all by using insecure practices for storing the passwords, or who tend to reuse the same passwords over and over again for multiple separate services. Another issue with the use of SaaS applications is that, in many organisations, individual business units may make the decision to subscribe to a particular application from their own budget, without informing IT. Or users may sign up themselves to web-based applications that are free or inexpensive to use. In these cases, users may be exposing the corporate network to malware, inappropriately posting sensitive corporate information to the application, or could continue to access information after they have left the company; any of which are serious security risks. A Bloor White Paper 3 2013 Bloor Research
A new approach to securing access is needed With the need to support SaaS and to allow users to connect via mobile devices from wherever they are, the old paradigm of centralised in-house provisioning and control over on-premise applications is broken. What is needed is one central point of access control and user authentication that provides efficient, one-stop access to the resources that a user needs and also ensures that no sensitive or confidential information is accessed inappropriately. Cloud-based identity controls provide much greater efficiency for the processes involved in identity and access management for clouddelivered applications, as well as overcoming some of the security issues involved, such as poor password management practices and rogue accounts set up by users themselves. They can also be used to support a hybrid environment whereby the organisation wishes to leverage investments made in on-premise identity and access management systems, corporate directories and human resources systems to manage users and their access to cloud-based applications and services. This model can also be used to allow external users, including mobile users, access to internal applications. Figure 1 depicts the choices that organisations have when selecting an identity and access management platform for securing access to cloud-based resources. Figure 1: Choices of deployment methods for cloud-based platforms 4 2013 Bloor Research A Bloor White Paper
The components required for cloud-based identity and access management There are a number of core capabilities that should be provided by a system designed to provide identity and access management capabilities for cloud-based applications and services. These include user account management and self-service, federated access control and single sign-on (SSO), application and service provisioning and de-provisioning, and strong authentication. One of the key factors for success in implementing such a system is that access to applications and services must be tightly integrated, provided through a common access and protection platform, with centralised management. The service must be highly secure, providing a full audit trail of events taking place over the system, and should provide support for industry standards, even though these are still emerging in some areas. User account management and provisioning A central identity management service must provide an efficient way for users to be provided access to the resources that they need to use and preferably to be able to request access rights to be granted themselves via self-service capabilities. It should provide automated provisioning capabilities to increase the efficiency, agility and reliability of the service, as well as to improve security overall. Through automation, services can be accessed faster, reducing the timeframe to get workers productive and cutting administrative overheads and costs, as well as administrative errors, and can also be revoked more quickly, such as when a user leaves the organisation. The centralised management capabilities will allow for automated reporting and audit of all activities related to access rights, which can also be used to monitor service delivery levels against those defined in the service-level agreement. Automated provisioning allows permissions to be granted to users according to their role in the organisation and the policies that have been set. Such policies determine conditions of access to specific resources and allow for access to be granted according to contextual factors such as time of day or location of the user so that, for example, access to sensitive data can be restricted to only within office hours and to those using an office-based computer. Such policies will also enforce security clearances according to the requirements of the organisation and will ensure that the mandates of regulatory controls and industry standards are met. For those organisations wishing to leverage existing investments, such as directories for managing users, including Active Directory, other LDAP directories or those associated with individual applications such as financial and human resource systems, some cloudbased identity management systems provide interfaces to corporate networks via so-called identity bridges. Interfacing with on-premise systems, an identity bridge checks user credentials in directories in order to make access decisions and automatically updates access rights when changes are made in directories. In this way, user access rights will be updated to reflect changes such as a user moving from one role to another or leaving the organisation, in which case all access rights can be automatically terminated. The provisioning engine used needs to provide interfaces to multiple SaaS applications, some of which provide proprietary application programming interfaces (APIs) for brokering access. There are also provisioning standards that should be supported as some of the major SaaS applications support them, providing a standard way for provisioning and de-provisioning to be performed. Standards for provisioning include the service provisioning markup language (SPML) and the newer simple cloud identity management (SCIM) standards. Federated SSO To solve problems associated with poor password management practices, the identity and access management portal should provide one central authentication point through which users can access all the applications to which they have been granted access by authenticating themselves to the system just once. In a Windows environment, Integrated Windows Authentication, a technology used to generate and validate Windows identity tokens, can be used to allow users to be authenticated once at Windows logon and to access the SSO portal without any further authentication being required. This means that users need remember just one user name and password combination, greatly reducing the burden on not just the users, but also reducing the cost and time spent by help desk resources on password resets for those users who have forgotten credentials for particular applications. In this way, federated SSO can be achieved and users remain productive. A Bloor White Paper 5 2013 Bloor Research
The components required for cloud-based identity and access management For secure authentication to SaaS service providers, many cloud identity management systems provide support for federated authentication protocols based on standards such as the Security Assertion Markup Language (SAML) and other emerging standards that include open authorisation (OAuth) and OpenID identity standards. Such standards can be used to securely attest to the identity of the user and can replace user names and passwords altogether. Where the SaaS service does not support such standards, the system should provide support for proprietary connectors by default, at least for the most popular SaaS applications. Where none of these authentication standards or connectors are available, another alternative is for form-based access requests to be supported, whereby the user fills in an initial form to request access to a service. The system will capture their credentials during the first login, store them in a secure, encrypted manner and will automatically supply those credentials for subsequent logins so that the user is not burdened with having to remember them. Strong authentication For access to SaaS applications containing regulated or highly sensitive personal or corporate data, many organisations deploy stronger methods of authentication than passwords alone. Therefore, an organisation should look for a cloud identity management system that supports strong, multi-factor authentication, including tokens and, in some cases, biometrics. There are also hardware-based options that include a hardware chip built directly onto the motherboard of a computer that can attest that the computer is known to the organisation and is trusted. Many of these strong authentication methods include use of one-time passwords (OTPs) that are automatically generated by the system, that change on a regular basis and that are good for just one authentication event. Increasingly, organisations are looking to deploy strong authentication in the form of soft tokens, options for which include OTPs delivered via mobile devices, software applications, USB tokens, Short Message Service (SMS), email or instant messages. The use of a soft token removes the cost of having to deploy and manage physical tokens to all those who need them. They also are useful in that they allow mobile devices to connect and authenticate themselves to the applications and services that they require without needing to deploy a virtual private network. A soft token installed on a smart phone, for example, allows a user to generate a unique OTP without requiring connection to a cellular network. If the user has a plain cell phone, then an SMS text message containing the OTP can automatically be sent when the user attempts to access the protected application. Soft tokens also allow users to authenticate to multiple SaaS applications with a single device; unlike hard tokens, which are often linked to a single application. Management, monitoring and reporting All of these services should be tightly integrated and provided through one central management console, which should be capable of continuously monitoring all access and authentication events to ensure no resources are being accessed inappropriately. The system should provide interfaces that enable enterprise-class web gateway technologies, such as malware detection, data encryption, DLP, intrusion detection services, and other capabilities to be easily and seamlessly incorporated. Since the system needs to collect event data logs, it is useful if it also can be integrated with log management tools and security information and event management (SIEM) systems. When suspicious or abnormal behaviour is detected, the system should generate alerts so that remediation steps can be taken. Such monitoring activities will provide the audit trail that the organisation needs in order to show that data is only being accessed in a secure manner and that it is complying with the requirements of government regulations and industry standards that demand that secure controls are placed around data access. The central console should also be capable of handling administrative requirements such as monitoring usage of applications and services for billing purposes so that the organisation can be sure that it is only paying for SaaS subscriptions that are actually being used and that there are no orphan accounts. It should also be able to monitor that the terms of the service-level agreements are being adhered to, raising alerts should conditions not be met. 6 2013 Bloor Research A Bloor White Paper
The benefits of implementing an identity and access management system The benefits of an identity and access management system for cloud applications include improved efficiency in terms of administration and management, improved user experience and productivity, the ability to leverage mobile technologies and extend existing investments, and improved security and ability to meet compliance objectives. The use of a streamlined, integrated platform for managing access to cloud-based applications offers many benefits to organisations. Those benefits include vastly improved efficiency in terms of administration and management, improved user experience and productivity, the ability to leverage mobile technologies and extend existing investments, and improved security and ability to meet compliance objectives. Greater administration and management efficiency is achieved through the use of a single management console which can be premises-based or in the cloud that automates the main processes involved with identity and access management across an integrated set of capabilities, with many tasks available through self-service. These include the ability to manage user accounts and access rights and to ensure that no resources are accessed inappropriately. Such platforms provide the ability to add or remove applications and services easily and quickly, without the need for complex configurations, to uniformly apply and manage enterprise security policies, and can manage needs, such as usage billing, to ensure the organisation is only paying for what it uses. Such a platform can provide many benefits for the individual users of the service, who can be quickly and securely granted the access rights that they need to a wide range of cloud-based applications. Many basic tasks are provided by self-service, such as a user enrolling himself for use of a new application, with streamlined approval processes to grant or deny that access. The use of a central portal, which delivers all applications to which access has been granted, provides one central interface for SSO accessed via one authentication event. This solves the problem of users having too many user name and password combinations to remember easily, which often results in poor password management practices and the use of weak passwords that are easy to remember, but equally easy for malicious attackers to expose. By replacing multiple credentials with one single SSO credential, individuals will be able to remain more productive and the organisation will be able to eliminate much of the help desk burden and costs related to password resets. The use of a cloud-based portal will also allow individuals to connect to, and be authenticated for, the resources they need to access from a wide range of devices. This caters to the fastgrowing need for organisations to support mobile devices of any flavour and even those that those individuals own themselves, which is a fast-developing trend, as authentication tokens can be sent to those devices on the fly, for use whenever needed. This removes the need to install software such as virtual private networks on those devices, which is a bonus especially for personally owned devices, in order to establish authenticated, secure connections. The central portal will also provide the benefits of allowing mobile and external users controlled access to in-house applications, as well as being able to leverage existing investments in identity and access systems and identity stores to give internal users access to external applications in a secure manner. Another benefit for organisations using such services is improved security. Such systems should provide support for a wide range of strong authentication factors, which can be selected during setup, and which provide for higher assurances over data security and can better enforce segregation of duties by ensuring that credentials cannot be shared. Tokens with OTPs provide a higher level of assurance that the user is who they say they are and provide credentials that are good for just one authentication event meaning that those credentials are useless to phishers and other attackers who are looking to steal credentials in order to gain access to resources. Through logging and monitoring of all activities, organisations will be able to attest to the effectiveness of the security controls governing access to applications and services, with audit trails proving the authenticity of activities A Bloor White Paper 7 2013 Bloor Research
The benefits of implementing an identity and access management system undertaken and showing where and when alerts were raised to flag suspicious activities, along with the remediation actions that were taken. This will allow organisations to improve their regulatory compliance ability by extending the ability to prove that security controls are effective for sensitive data processed and stored by applications based in the cloud, outside of the organisation s control. 8 2013 Bloor Research A Bloor White Paper
Summary Traditional identity and access management technologies focused primarily on securing access to applications provisioned within the corporate network. Few, if any, catered to the needs of mobile workers or external people, such as suppliers needing to connect to applications without the need for dedicated, secure connections to be implemented. Many such systems were complex and lengthy to implement and administrative burdens were high. Their use was largely confined to larger organisations. Today s mobile world is highly interconnected. Collaboration is the norm, enabled by externally delivered applications. Users are demanding access to applications and services from wherever they are, whenever they like, necessitating that organisations facilitate that access in a secure and efficient manner even when the individual is using their own personal device on which they are unwilling to install additional programs for ensuring access to applications is secure. Organisations looking to facilitate secure access to cloud-based applications and services have a number of options a portal based in the cloud, one deployed on-premise, or a hybrid mixture of the two. This provides one centralised access point through which enterprise security policies can be enforced, users access rights can be granted and controlled, their identities authenticated securely and authorisation to access resources granted. The central console will provide one place to perform the associated management tasks, employ security tools like DLP and malware prevention, and perform constant real-time monitoring functions to ensure controls are effective and secure, providing an audit trail to be used for proving governance and compliance requirements are being met. References 1. http://www.timico.co.uk/about-timico/pressrelease/timicolaunches-mobile-working-report-in-response-to-coit-and-byodtrends 2. http://www.dwp.gov.uk/docs/family-friendly-task-force-report.pdf 3. http://www.asiacloudforum.com/content/ gartner-global-cloud-services-market-surpass-us109b-2012 4. http://northbridge.com/2012-cloud-computing-survey Further Information Further information about this subject is available from http://www.bloorresearch.com/update/2158 A Bloor White Paper 9 2013 Bloor Research
Bloor Research overview Bloor Research is one of Europe s leading IT research, analysis and consultancy organisations. We explain how to bring greater Agility to corporate IT systems through the effective governance, management and leverage of Information. We have built a reputation for telling the right story with independent, intelligent, well-articulated communications content and publications on all aspects of the ICT industry. We believe the objective of telling the right story is to: Describe the technology in context to its business value and the other systems and processes it interacts with. Understand how new and innovative technologies fit in with existing ICT investments. Look at the whole market and explain all the solutions available and how they can be more effectively evaluated. About the author Fran Howarth Senior Analyst - Security Fran Howarth specialises in the field of security, primarily information security, but with a keen interest in physical security and how the two are converging. Fran s other main areas of interest are new delivery models, such as cloud computing, information governance, web, network and application security, identity and access management, and encryption. Fran focuses on the business needs for security technologies, looking at the benefits they gain from their use and how organisations can defend themselves against the threats that they face in an ever-changing landscape. For more than 20 years, Fran has worked in an advisory capacity as an analyst, consultant and writer. She writes regularly for a number of publications, including Silicon, Computer Weekly, Computer Reseller News, IT-Analysis and Computing Magazine. Fran is also a regular contributor to Security Management Practices of the Faulkner Information Services division of InfoToday. Filter noise and make it easier to find the additional information or news that supports both investment and implementation. Ensure all our content is available through the most appropriate channel. Founded in 1989, we have spent over two decades distributing research and analysis to IT user and vendor organisations throughout the world via online subscriptions, tailored research services, events and consultancy projects. We are committed to turning our knowledge into business value for you.
Copyright & disclaimer This document is copyright 2013 Bloor Research. No part of this publication may be reproduced by any method whatsoever without the prior consent of Bloor Research. Due to the nature of this material, numerous hardware and software products have been mentioned by name. In the majority, if not all, of the cases, these product names are claimed as trademarks by the companies that manufacture the products. It is not Bloor Research s intent to claim these names or trademarks as our own. Likewise, company logos, graphics or screen shots have been reproduced with the consent of the owner and are subject to that owner s copyright. Whilst every care has been taken in the preparation of this document to ensure that the information is correct, the publishers cannot accept responsibility for any errors or omissions.
2nd Floor, 145 157 St John Street LONDON, EC1V 4PY, United Kingdom Tel: +44 (0)207 043 9750 Fax: +44 (0)207 043 9748 Web: www.bloorresearch.com email: info@bloorresearch.com