Six Best Practices for Cloud-Based IAM


A Best Practices Guide

Making Identities Work Securely in the Cloud


Executive Summary

Identity and access management (IAM) is the great IT challenge of the SaaS era. Providing authentication and authorization in a way that is convenient for users while delivering security and compliance for IT is the key. Done well, you can make IT a valuable asset in the deployment of cloud applications by offering a simple-to-use, yet highly sophisticated IAM solution. By offering a single sign-on solution, IT departments can provide an incentive for the lines of business that are adopting SaaS applications directly to start involving IT when bringing new applications on board – thus enabling you to regain visibility and control over application usage and data security. Using the six best practices outlined in this paper, along with a comprehensive Identity-as-a-Service (IDaaS) solution like Symplified, can help any IT department successfully strike a balance between enabling productivity and managing risk.

Background

Wide adoption of cloud-based applications and access to them via mobile devices has made doing business much easier and more cost-effective. However, when people use their own mobile devices to access applications and business units deploy SaaS applications directly, IT is often left in the dark about where their company’s data and processes are moving.

This leads to several challenges that can also be security risks depending on:

1. The type of information you are working with in the cloud

2. The amount and level of sensitive information (customer data plus personal identity information) that is residing in the cloud

3. How that information is protected in the cloud

4. How quickly you can restrict access to sensitive information in the case of termination

5. How many passwords – accessing what types of information – you are comfortable not having control over

Forrester Research describes an extended enterprise as, “One for which a business function is rarely, if ever, a self-contained workflow within the infrastructure confines of the company.”1 Forrester goes on to


In short, you have a lot of sensitive data residing outside of your organization. Add in the complexity of allowing contractors, partners and customers to access parts of your cloud-based solutions in order to serve themselves or smooth ERP and manufacturing processes, plus the identity silos created when multiple third party service providers individually manage who has access to what.

One additional challenge is that everybody who has chosen to work in the cloud was sold on the idea that this would save on IT budgets. Realistically, it does dramatically reduce the effect on capital budgets, but it can actually increase the workload on IT in terms of provisioning, de-provisioning, and supporting employees working in the cloud.

FIGURE 2: THE COMPLEXITY OF THE CLOUD GROWS WITH THE POPULARITY OF THE APPLICATIONS

For example, when Bob Jones joins your organization, he needs to access both the on-site applications and the cloud-based applications his department has deemed necessary for his position. Unfortunately, most new employees are trying to remember a dozen new things at once, so they tend to scrimp on creativity when it comes to passwords. Bob may log into the travel expense management app with the username bobj and the password pwd123; the sales quote app with bob2 and pwd123; and the engineering requirements management app with bjones and pwd123. Now he has to remember three different name and password combinations, so he takes a shortcut and uses the same password for three applications, which is never a good practice.

The bigger problem is that Bob has done this pretty much all by himself, and the enterprise has no centralized control. This leads to weaker security because one password opens many doors, and redundant administration since Bob’s user account in every one of those applications has to be administered and audited from within each application separately.

In the case of a terminated employee, somebody in IT would need to de-provision the terminated employee’s accounts at all of the applications the employee used on behalf of the enterprise. This means that the admin must first remove the terminated employee from the Active Directory – which will effectively block access to all of the on-site applications. However, the other immediate concern is that the terminated employee’s access to the wide variety of cloud-based applications must also be eliminated.

This means that IT must also remove the employee from each SaaS application. When there is no centralized control of the services an enterprise uses, it is often difficult to determine which SaaS applications a user had access to in the first place. This leads to “orphaned accounts” – those accounts at third party sites (like Salesforce or Google) that are not de-provisioned, and ultimately represent a security threat.
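The reconciliation that surfaces such orphaned accounts, as an added example that is not part of the original paper: it compares each SaaS application's account export against the directory that is the system of record, using a mapping of per-app usernames to directory users (Bob's bobj, bob2 and bjones all belong to one person). The directory export, identity map, SaaS account lists and the `find_orphaned_accounts` helper are all constructed for this example.

```python
"""Orphaned-account reconciliation across SaaS applications.

Added example (not from the Symplified paper). All data below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    app: str
    username: str
    reason: str                      # "terminated" or "unmapped"
    directory_id: Optional[str] = None


# Constructed directory export (system of record): directory id -> enabled?
DIRECTORY: Dict[str, bool] = {
    "bjones": True,    # Bob Jones, active employee
    "asmith": False,   # Alice Smith, disabled in the directory (terminated)
}

# Constructed identity map: (app, username) -> directory id. Bob uses a
# different username in every app, exactly the situation the paper describes,
# so matching SaaS usernames against directory ids by name would miss him.
IDENTITY_MAP: Dict[Tuple[str, str], str] = {
    ("expenses", "bobj"): "bjones",
    ("quotes", "bob2"): "bjones",
    ("requirements", "bjones"): "bjones",
    ("salesforce", "alice.smith"): "asmith",
}

# Constructed account exports pulled from each SaaS application.
SAAS_ACCOUNTS: Dict[str, List[str]] = {
    "expenses": ["bobj", "alice"],            # "alice" was never mapped
    "quotes": ["bob2"],
    "requirements": ["bjones"],
    "salesforce": ["alice.smith", "bjones"],  # "bjones" here is unmapped too
}


def find_orphaned_accounts(directory: Dict[str, bool],
                           identity_map: Dict[Tuple[str, str], str],
                           saas_accounts: Dict[str, List[str]]) -> List[Finding]:
    """Return SaaS accounts that the directory says should not exist.

    An account is orphaned when it maps to a disabled directory user
    (de-provisioning missed it) or when it maps to no directory user at all
    (nobody knows whose it is, so nobody will ever de-provision it). An
    unmapped username that happens to equal a directory id is still flagged:
    a coincidental name match is not evidence of ownership.
    """
    findings: List[Finding] = []
    for app, usernames in saas_accounts.items():
        for username in usernames:
            owner = identity_map.get((app, username))
            if owner is None:
                findings.append(Finding(app, username, "unmapped"))
            elif not directory.get(owner, False):
                findings.append(Finding(app, username, "terminated", owner))
    return sorted(findings, key=lambda f: (f.app, f.username))


if __name__ == "__main__":
    for f in find_orphaned_accounts(DIRECTORY, IDENTITY_MAP, SAAS_ACCOUNTS):
        print(f"{f.app:13s} {f.username:12s} {f.reason:10s} {f.directory_id or '-'}")
```

Run periodically against fresh exports; every "terminated" finding is a de-provisioning failure to fix, and every "unmapped" finding is an account whose owner must be identified before it can be audited at all.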

[Figure 2 diagram labels: internet; users (employees, customers, partners); enterprise portal]


FIGURE 3: THE NIGHTMARE OF DE-PROVISIONING EMPLOYEES WHO WORK IN THE CLOUD

While it can be relatively easy to control access to on-site applications through an enterprise Active Directory (LDAP), in this scenario managing access to cloud-based applications requires a very hands-on approach.

The Second Generation: Federation Single Sign-On

In order to solve this challenge for applications owned by an organization, many organizations moved to a Web Access Management (WAM) solution. With a WAM approach, IT leverages a centralized directory (often Active Directory) as a central identity repository. Products like TIM/TAM, RSA Access Manager, and CA Siteminder give a single point of control for administration and audits, require fewer credentials, and allow IT to de-provision terminated employees quickly.

This worked until companies needed to collaborate with partners and customers more efficiently, as well as leverage applications that are provided by third parties. This is when a new player arose – the Application Service Provider, now known as Software-as-a-Service (SaaS) providers. The rise of the SaaS provider highlighted some shortcomings in WAM solutions, namely that you couldn’t deploy the agents those solutions required on partner web servers, and the identity management cookies were bound to the domains. Organizations adopted federation access management tools as an added component to complement their WAM products. Products emerged to provide the identity management link to the same directory used by WAM, and then extend authentication and authorization beyond the enterprise using the industry-standard SAML (Security Assertion Markup Language).

However, now there is a gap between the authentication and single sign-on capabilities of federation solutions and the additional authorization and access control, auditing, and provisioning capabilities of WAM. The other challenge is that the federation and WAM setup treats local and remote applications differently,

[Figure 3 diagram labels: terminated employee; IT; employee accounts; continued access to multiple external accounts; manual deprovisioning]


FIGURE 4: THE SAML FEDERATION TRUST RELATIONSHIP

SAML federations are based on a pair-wise model, where the Service Provider trusts the Identity Provider to authenticate the user so the Service Provider can grant the user access. Each relationship between an Identity Provider and a Service Provider must be established for each user via technical integration. This means that if Bob Jones needs access to five SaaS applications, somebody will need to establish each of those relationships for Bob, making SAML federations difficult to scale.

Ten new users like Bob will require somebody in IT to establish and manage 50 relationships. With 500 users accessing an average of five SaaS solutions, your organization needs to establish and manage 2,500 relationships. The geometric growth of this situation is pretty easy to calculate: the Number of Employees (e) multiplied by the Number of Applications (a) equals the Number of Relationships (r), or e x a = r. It simply doesn’t scale.

As access to SaaS applications grows, the SAML federation model won’t scale with your organization – regardless of whether you grow linearly or exponentially. This could result in a deterioration of security, compliance, agility, flexibility, or any combination of the four.

The only feasible means of handling this growth is to rethink how federation is done. You need to move from a one-to-one mindset to creating a one-to-many relationship that allows the number of connections to grow in a linear fashion. Your IT team establishes relationships between each user and a central integration platform (preferably one that leverages identity stores like LDAP which you already have in place), which in turn connects to your SaaS portfolio. This single point of control gives IT the ability to audit, enforce policies, provision and de-provision across all of the organization’s applications.

A New Way

Symplified’s service gives you a single point of access to both your on-premises and cloud-based applications: a single point of entry that IT controls, making it easy to provision and deprovision users as needed. It acts as an identity bridge for employees as well as “external” users – contractors, customers and partners – to access the applications, or even parts of the applications, that you want them to access, and nothing more. Symplified has a flexible deployment model, delivering services via a virtual server in your infrastructure or as a hosted cloud service. It sits beside your existing products to enable a clean migration path.

[Figure 4 diagram labels: service provider; application; user; identity provider; trust; integrate]


FIGURE 5: THE SYMPLIFIED SOLUTION

Symplified’s approach to IDaaS (Identity as a Service) gives you the ability to scale in the way that you need to in order to keep pace with the growth of both external applications and access needs. Symplified provides SSO, authorization, authentication and auditing capabilities, so it can work for both on-premises and cloud-based applications accessed across any device or location.

Best Practices for Identity Management in the Era of SaaS

Keeping in mind the growing number of applications your organization is using to run its operations, BYOD, and the expanding population of “external” users who need to access your applications, Symplified outlines six best practices to help you deliver access management while achieving your goals for security, compliance, IT simplicity and end user convenience.

1. LEVERAGE EXISTING INFRASTRUCTURE WHENEVER YOU CAN

If you’re implementing IAM in order to provide SaaS applications for employees, you’ve likely already made a significant investment in processes and technology for managing usernames, passwords and other profile information. Most organizations leverage Active Directory, for example, as their primary system of record for user information. Some organizations also have deployed one-time password solutions, and others may have first-generation WAM systems in place which are difficult to extend to SaaS applications.

The solution you choose to secure your employees’ usage of SaaS applications needs to leverage these existing investments rather than recreate them in a parallel system and maintain them independently. Redundant systems are inefficient, more difficult to secure, and fall out of sync, which in this case leads to orphaned accounts and access policy violations. One such example of where this fails is when an inside sales representative leaves a company and still has access to a corporate application. He can be removed from Active Directory immediately and lose access to on-premises applications. But if his Salesforce account remains in place he can log back in, download a customer lead list and deliver it into the hands of his new

EXISTING IDENTITY INFRASTRUCTURE


Whether you’re implementing IAM to extend SaaS application access to employees or consumers, there’s likely already a system and process in place for managing their user profile information. Be sure to leverage it.

2. LEVERAGE OPEN STANDARDS WHEREVER POSSIBLE

Identity is fundamentally an integration challenge. It’s about enabling providers of SaaS applications to leverage your existing identity stores. If you integrate with each one differently it’s much more expensive to implement and maintain access. Rather than having to create a unique integration with each partner, open standards enable you to leverage a common integration approach across all of your partners that implement those standards. Additionally, standards enable more functionality than proprietary integrations, such as global logout.

Keep in mind that implementing a standard doesn’t require you to implement all of it. For example, the SAML technical committee defined several different conformance profiles for the SAML specification where each implements a different subsection of the SAML specification.

SAML was created before the emergence of SaaS and the cloud to enable SSO between business partners. SAML defines a one-to-one relationship between two organizations. The emergence of the SaaS application delivery model has created huge demand for federated SSO as businesses use more and more SaaS applications to run their operations. The cloud has become the primary driver for the adoption of SAML, resulting in a many-to-one usage model that gives IDaaS providers the opportunity to make it easier for organizations to implement SAML for their use of cloud applications.

3. LEVERAGE A CLOUD IDENTITY BROKER

The advantage of a service that acts as a bridge to the cloud is that they will already have SSO integrations with many (if not most) of the SaaS providers you want to work with. The reality today is, despite their benefits, the standards described above aren’t implemented by most SaaS applications. Gartner estimates that less than 25% of SaaS application vendors support federated authentication today.2 Where they are being used, they’re often implemented in different ways. As a result, an organization ends up managing unique integrations for each of its partners – an expensive proposition that requires identity expertise that most organizations don’t have.

There’s a spectrum of solutions available today ranging from ones focused solely on user convenience to others focused more on enabling enterprise control and visibility. On one end, you have providers such as Okta, OneLogin, and others which are built around the convenience aspect of SSO. On the other end, enterprise solutions like TIM/TAM, RSA Access Manager, and CA Siteminder were built from the perspective of security, and focus on authorization rules, authentication, and auditing. In between these offerings lie IDaaS providers like Symplified, which provides the simplicity, ease of use and lower total cost of ownership a cloud-delivered service is capable of offering while still providing the security benefits of an on-premises enterprise security solution. It’s important you choose one with the right set of capabilities from the start (see Best Practice #6 for more on this point).

4. DON’T REPLICATE SENSITIVE USER DATA IN THE CLOUD WHEN YOU DON’T ABSOLUTELY NEED TO.

The problem federation sets out to solve is redundant data – the fact that a given user’s data is maintained uniquely within each service he uses. As mentioned earlier, it’s inevitable these identities will fall out of sync. Choosing a federation solution that requires you to replicate data to yet another silo simply doesn’t make sense. In many cases, it violates end user agreements to do so, and it increases the attack surface on one of your most critical systems.


5. TO ENGAGE WITH BUSINESS UNITS ON SAAS DEPLOYMENTS, USE A CARROT, NOT A STICK.

Business unit leaders have been adopting SaaS applications without involving the corporate IT department. Where IT may take weeks to move on deployment, the SaaS provider may take hours, which makes IT appear as a speed bump they’d prefer to avoid. This sidelines IT in important decisions about where critical applications and data are being stored. From a risk management perspective, it’s critical for IT to be involved in that process. IT needs something they can offer to provide incentive to those departments to come back and involve them in those SaaS deployments.

SSO is one of the most powerful weapons at your disposal for restoring IT’s role while also meeting your security and compliance needs. If you’ve rolled out SSO, employees will expect each new application to be accessible via that SSO solution. If a business unit uses a new app that’s not a part of their SSO session, employees will be very vocal about having it included in their SSO session and force the business unit to have that conversation with IT.

Once you’ve implemented a comprehensive IDaaS solution, you will then get what are perhaps the more important benefits – security, provisioning, authentication, compliance, and usage auditing.

6. IMPLEMENT AN IDENTITY MANAGEMENT CAPABILITY THAT WILL PROVIDE ALL OF THE SECURITY PROPERTIES YOU MIGHT ULTIMATELY NEED.

Not all IDaaS solutions are the same. Because they are designed with different architectures, they inherently deliver different security features. Some solutions are built with architectures that limit what security features they can provide; if you start with a very basic offering today, you may find yourself in a place where you can’t get to the features you need tomorrow. Look at all of your security needs – both for internal applications and public cloud-based applications – to determine the full scope of what you’ll ultimately need and select a product that’s ultimately capable of getting you there. For example, if you need to segment authorization based on roles, make sure your IDaaS solution provides that capability. Another example is in more regulated industries where it’s often required to have an audit trail of all end user activities in your SaaS applications beyond when they logged in.

Summary

SaaS, BYOD, and an ever-growing user mix of employees, contractors, customers and partners have introduced new complexities to identity and access management. Providing it in a way that is convenient and efficient for employees while providing IT with visibility and control into SaaS application usage is key. Open standards exist for facilitating this kind of federated access. IDaaS vendors provide solutions that make it very easy to leverage those standards.


Symplified features a hybrid architecture that enables you to deploy your SSO capability in a way that makes the most sense for your organization, whether that’s on premises or in the cloud. In one deployment model, Symplified provides a multitenant cloud service while still enabling the control and security of a single-tenant on-site deployment via a virtual appliance. Symplified can also run entirely in the cloud for organizations that want to completely leverage the benefits of the cloud. As a proxy-based solution, Symplified also delivers flexibility in processing: the solution has the capability to stay in the flow of all web traffic and provide an audit log of all user activity. This visibility is increasingly important to organizations as they address BYOD and SaaS used together; people are using more of their own devices, and organizations have lost visibility into what their users are doing when logged into SaaS services. Proxying offers the benefit of knowing what a user did while logged into an application, not just when he logged in. Additionally, as organizations attempt to get a handle on the value they’re getting out of the SaaS applications they’ve licensed, this information is beneficial.

For more on the features and benefits of IDaaS from Symplified, access additional resources online at www.symplified.com/resources.

Sources:

1. The Extended Enterprise: A Security Journey, Forrester Research, November 2011

2. Supporting Mobile Device Authentication and Single Sign-On to the Enterprise and Cloud, Gartner Research, August 2012

THE SYMPLIFIED ADVANTAGE

Symplified enables IT organizations to simplify user access to applications, regain visibility and control over usage and meet security and compliance requirements. Symplified provides single-sign-on, identity and access management, directory integration, centralized provisioning, strong authentication, mobile device support and flexible deployment options. Symplified is headquartered in Boulder, Colorado.
