As enterprise applications sprawl beyond corporate perimeters and as SaaS, Web Services and cloud-based applications continue to gain traction, organizations are learning something the hard way: their access and enforcement mechanisms aren’t ready for this new reality in the way employees and end-users do business.
Forcing employees to remember a slew of passwords is a non-starter, yet many IDs, roles, policies and privileges are stored in proprietary directories of various legacy applications. Many of these were designed well before the cloud, SaaS and mobile devices all became status quo.
Secure access is one of the main security sticking points with cloud computing. A variety of SSO (single sign-on) identity federation standards, such as SAML (Security Assertion Markup Language), OpenID and the Microsoft- and IBM-backed WS-Federation, offer guidance. However, it takes a lot of work to turn those standards into real-world solutions.
This is where IDM (identity management) and SSO vendors can help. A number of startups have been rolling out IDM and SSO solutions that are specifically designed to integrate with cloud, SaaS and Web 2.0 architectures. Incumbent security providers also are waking up to this problem, but many of their solutions entail clumsy retrofits, high operational costs and the need to own two solutions: one for traditional on-premise apps and one for the cloud.
When choosing an SSO or IDM solution, here are five questions to ask to help you identify the best solution for your organization:
1. How will the SSO/IDM solution help you achieve your overall cloud goals?
For Dave Leiker, the Web and Electronic Media Manager for the Emporia, Kansas Unified School District #253, managing Internet access for over 5,000 students, teachers and staff presented a unique set of challenges. IT administrators needed to restrict web traffic while managing student email account activity. At the same time, Leiker was in the process of migrating the school district’s core applications to Google Apps.
Leiker prefers the browser-based design of Google Apps and believes that moving to cloud-based apps is a way to prepare for the future. After all, device form factors may change radically over the next few years, but the browser and the cloud should have staying power.
However, Leiker identified a major conflict that threatened to undermine the school district’s migration to the cloud.
“Keeping email accounts in synch was really a nightmare,” Leiker said. “We quickly saw that the same problem would reoccur with Google Apps, where we’d have to administer each application separately or figure out how to tie those accounts back to Active Directory or just rely on generic passwords, which would mean we’d have poor security.”
Leiker hoped to find a solution that would tie into Active Directory, which was a hurdle with many IDM and SSO providers. Many recommended using entirely different credentialing systems in the cloud. Leiker didn’t want to manage two different identity management systems, which would add administrative overhead and could undermine security.
Leiker eventually turned to the IEP (Identity Enforcement Platform) solution from SecureAuth, a solution which not only validates identities in Active Directory and performs strong authentication against those identities, but also then automatically generates a SAML assertion for Google Apps.
With SecureAuth IEP, Emporia now has a SSO solution to secure email, Google Apps, Microsoft Exchange and a range of other applications. Moreover, since SecureAuth is an all-software solution that leverages existing directory services and is purpose built for the cloud, SSO is future-proofed. That is, Leiker can easily secure and manage access to an array of new devices, such as smartphones and tablets.
2. Does it automate manual tasks?
Greg Colegrove, Director of IT Operations and Communications Services for the Thomas M. Cooley Law School, was struggling to keep up with the ongoing administration of GroupWise. In recent years, the campus has experienced record growth, while the IT staff has not grown at all. Obviously, Colegrove needed to find some manual tasks that he and his staff could automate.
At the same time, students were requesting remote access to email and other apps from mobile devices, something that would have been a challenge with their existing email and authentication systems.
Many organizations are moving to the cloud for one reason: Google Apps/Gmail. The overhead that comes with supporting Exchange, GroupWise or Lotus Notes is simply too high. Gmail is far cheaper, and another advantage of Google is its behind-the-scenes patching, which saves IT from the trouble of downloading patches and pushing them out to every machine.
To save time and money, Cooley Law School turned to NetIQ’s Identity Manager, along with CosmosKey’s Connector for Google Apps. (CosmosKey builds a driver that enables NetIQ’s Identity Manager to communicate with the cloud-delivered Google Apps framework.)
Cooley now uses NetIQ’s Identity Manager to control access and automatically provision users to Google Apps. “Provisioning was a major headache,” Colegrove said. “With more than 3,500 students – who wanted to access email and apps from all sorts of different devices – we just weren’t able to keep up.”
Now, provisioning is automatic. Once an account is created in their existing directory (Novell’s eDirectory), it is automatically propagated in Google Apps. Students have access to a self-service portal for password resets or for simple things like a shift to a different campus or a name change after a marriage.
Before, those were all manual tasks. Colegrove estimates that the shift to Google Apps and NetIQ has already translated into a 30 percent productivity gain for his IT staff.
3. How well does it support a variety of apps?
Cooley also looked to this new IDM solution as the foundation that they could build on to further shift apps and services to the cloud.
“We look at our cloud roll-out as a hub-and-spoke architecture. Identity Management is our hub. The spokes are various apps, with email being the first spoke. With the hub in place, and with the proper access control and identity management as the core of that hub, it’s trivial to add new spokes,” Colegrove said.
One cool app that Colegrove has begun planning for is a tie-in to physical security. Today, if someone is fired or drops out of school, that person’s ID badge may still grant them access to a building or computer lab. “We want to tie that into our IDM system so that the badge would automatically expire too,” he said.
Nathan McBride, Executive Director of IT for AMAG Pharmaceuticals also considered app support as a key factor when selecting an SSO solution, but besides app support he also was looking down the road to mobile support.
AMAG Pharmaceuticals had suffered through the typical process of managing different passwords and user identities for different applications, with users writing down their passwords on sticky notes and misplacing them every time they cleaned out their desks.
In a test, AMAG tried out both with a variety of applications that they wanted to unify under an SSO umbrella. Symplified only had a few applications ready to go, and it would be costly and involve a good deal of integration work to get other key apps up and running.
With Okta, all 18 applications that AMAG needed to test were already available before testing, and more and more applications were being added each week. Of course, AMAG chose Okta.
Now, life is much easier for both workers and IT. IT has fewer moving parts to maintain and support, while employees have only two passwords to keep track of: Google and Okta.
4. How well does the SSO/IDM solution support smartphones and tablets?
Another thing McBride appreciates about Okta is its ability to support mobile devices.
“A lesson I learned a long time ago is that whenever you take something away from an employee, you should give them something else that’s better,” McBride said. “In the case of SSO, it was more like removing a headache and offering something better. Not only did we remove the need to juggle multiple passwords, but since we shifted to strong 15-character passwords, we’re now able to provide access to any device with a browser.”
In fact, everyone I talked to had mobile support in mind as they investigated various solutions. SecureAuth and NetIQ also both make mobile support painless.
5. What is the SSO or IDM vendor’s long-term roadmap?
Many of the best cloud-ready SSO and IDM solutions on the market come from startups. A key advantage startups have as technology shifts radically (as has been the case with cloud computing and the rapid adoption of smartphones and tablets) is that they don’t have a bunch of legacy applications they need to support, which so often slows them down.
Startups are able to set their sights on the most current and successful trends and are built from the ground up to support them.
A drawback, though, is that many startups don’t survive intact. Few see successful IPOs. That doesn’t necessarily mean they’ll all fail, but an acquisition or merger can be nearly as disruptive for end users.
Under current economic conditions, though, are startups any more risky than incumbents?
It’s a tough question, and one you’ll have to hash out as you choose an SSO/IDM provider.
One thing to consider, regardless, is how difficult it will be to migrate your identities elsewhere if the vendor fails or changes in such a way that makes it no longer feasible to maintain a relationship with them.
With today’s cloud-based architectures and service-based delivery, it shouldn’t be too difficult to shift to a different provider. If after investigating the SSO/IDM vendor at the top of your list, ID migration looks like it’ll be a major problem, you’re probably better off moving to your second choice.
(Lindsay Armstrong contributed to this story)