As enterprise applications sprawl beyond corporate perimeters and as SaaS, Web Services and cloud-based applications continue to gain traction, organizations are learning something the hard way: their access and enforcement mechanisms aren’t ready for this new reality in the way employees and end-users do business.
Forcing employees to remember a slew of passwords is a non-starter, yet many IDs, roles, policies and privileges are stored in proprietary directories of various legacy applications. Many of these were designed well before the cloud, SaaS and mobile devices all became status quo.
Secure access is one of the main security sticking points with cloud computing. A variety of SSO (single sign-on) identity federation standards, such as SAML (Security Assertion Markup Language), OpenID and the Microsoft- and IBM-backed WS-Federation, offer guidance. However, it takes a lot of work to turn those standards into real-world solutions.
This is where IDM (identity management) and SSO vendors can help. A number of startups have been rolling out IDM and SSO solutions that are specifically designed to integrate with cloud, SaaS and Web 2.0 architectures. Incumbent security providers also are waking up to this problem, but many of their solutions entail clumsy retrofits, high operational costs and the need to own two solutions: one for traditional on-premise apps and one for the cloud.
When choosing an SSO or IDM solution, here are five questions to ask to help you identify the best solution for your organization:
For Dave Leiker, the Web and Electronic Media Manager for the Emporia, Kansas Unified School District #253, managing Internet access for over 5,000 students, teachers and staff presented a unique set of challenges. IT administrators needed to restrict web traffic while managing student email account activity. At the same time, Leiker was in the process of migrating the school district’s core applications to Google Apps.
Leiker prefers the browser-based design of Google Apps and believes that moving to cloud-based apps is a way to prepare for the future. After all, device form factors may change radically over the next few years, but the browser and the cloud should have staying power.
However, Leiker identified a major conflict that threatened to undermine the school district’s migration to the cloud.
“Keeping email accounts in synch was really a nightmare,” Leiker said. “We quickly saw that the same problem would reoccur with Google Apps, where we’d have to administer each application separately or figure out how to tie those accounts back to Active Directory or just rely on generic passwords, which would mean we’d have poor security.”
Leiker hoped to find a solution that would tie into Active Directory, which was a hurdle with many IDM and SSO providers. Many recommended using entirely different credentialing systems in the cloud. Leiker didn’t want to manage two different identity management systems, which would add administrative overhead and could undermine security.
Leiker eventually turned to the IEP (Identity Enforcement Platform) solution from SecureAuth, a solution which not only validates identities in Active Directory and performs strong authentication against those identities, but also then automatically generates a SAML assertion for Google Apps.
With SecureAuth IEP, Emporia now has a SSO solution to secure email, Google Apps, Microsoft Exchange and a range of other applications. Moreover, since SecureAuth is an all-software solution that leverages existing directory services and is purpose built for the cloud, SSO is future-proofed. That is, Leiker can easily secure and manage access to an array of new devices, such as smartphones and tablets.
Greg Colegrove, Director of IT Operations and Communications Services for the Thomas M. Cooley Law School, was struggling to keep up with the ongoing administration of GroupWise. In recent years, the campus has experienced record growth, while the IT staff has not grown at all. Obviously, Colegrove needed to find some manual tasks that he and his staff could automate.
At the same time, students were requesting remote access to email and other apps from mobile devices, something that would have been a challenge with their existing email and authentication systems.