On the subject of password management…

August 19, 2010 by

There is an interesting movement happening in and around the identity management space, in that there is a struggle going on between the desire to have a single universal and secure way of accessing resources and applications, and finding the right third party to “trust” with your access.

A variety of technologies and vendors are involved including SAML, Active Directory, individual passwords, and some of the social media vendors such as Facebook and Twitter, to name a few. And of course, all the other cloud, enterprise, and identity vendors have a dog in this fight too.

Here at Conformity we are clearly a part of the discussion, and ultimately we hope, part of the solution, but the ugly truth is the vast majority of current secure website services and SaaS business applications still use passwords for their primary authentication model. Andrew Jaquith’s blog entry on “The Rationality Of Re-Using Passwords” makes an observation that passwords will be around for a long time, which is a point of view that I share.

Since we are on the topic of passwords and logins, I need to mention that Conformity just introduced a new product, ConformityConnect, that is designed to be a simple to use, simple to deploy, and simple to administer way of securely managing the plethora of logins that we face every day at work. If you find yourself drowning in passwords, this might be the life saver you’ve been looking for. It also lays a foundation for addressing some of the other issues I raised above. Sometimes the best policy is to trust no one but yourself.

You can try ConformityConnect out for free by clicking HERE.

VeriSign’s New Cloud Identity Initiative

April 21, 2010 by

We’re very excited today about the VeriSign announcement of a new industry collaboration (which includes Conformity) to build trusted online identity solutions that will help accelerate SaaS and cloud adoption. In conjunction with the initiative, we’re working with VeriSign as well as Ping Identity, Qualys and TriCipher to establish a blueprint for achieving identity trust by combining technologies and services with proven policies and certification programs. The effort spans the major requirements for achieving identity trust, including:

  • Strong mutual identification
  • Provisioning
  • Federation
  • Vulnerability and Compliance Management

We totally agree with Nico Popp, vice president of product development at VeriSign, when he says “Trust won’t happen if users worry their identities are vulnerable, or if they’re unsure whether the cloud-based service they’re accessing is legitimate. That makes identity trust the essential ingredient for cloud migration – and an industry imperative for SaaS providers.”

Read the full announcement here >>

Come See Conformity at Under the Radar

April 9, 2010 by

We’re excited to announce that Conformity will be presenting at the Under the Radar Conference, next Friday April 16th at the Microsoft Conference Center in Mountain View. This year’s conference is focused on ‘Commercializing the Cloud’, and we’ll be presenting in the Compliance session from 11:30 to 12:30. Our moderator will be David Berlind, Editor-in-chief – TechWeb.com, and judges for our track will include:

We’re excited about participating in this great event, and hope to see you there!

An Internal Auditor’s Perspective on SaaS…

March 31, 2010 by

We recently spent some time with Sixto Bernal, Director of Internal Audit at SuccessFactors, who shared some very interesting insights on the governance and compliance challenges being created by SaaS and cloud applications, including:

  • The need for consistent user provisioning and management across SaaS applications
  • How each new SaaS deployment ‘scales the pain’ for IT management and auditors
  • The unsustainability of manual approaches to managing SaaS silos

View the full discussion here:

Get a Free SaaS Identity Audit from Conformity

March 8, 2010 by

As we’ve frequently discussed here in this blog, SaaS identity ‘silos’ are creating major headaches for companies moving to the cloud. In fact we’re finding that in most organizations 5-20% of SaaS user identities have errors or mismatches that can result in major security and compliance risks. Some of these issues include:

  • Orphaned user accounts
  • Duplicate user identities
  • Misaligned user data
  • Inappropriate user roles and permissions
  • Unauthorized ‘super admins’

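The five exception types listed above are all things an auditor can find by reconciling a SaaS application’s user export against the corporate directory. The script below is an added illustration of that reconciliation and is not Conformity’s product code or assessment method; the directory export, the SaaS user export, the department-to-role policy and the approved super-admin list are all constructed inline for the example, and the field names are assumptions.

```python
"""Reconcile a SaaS user export against the corporate directory.

Added example (not Conformity's code). Every input below is constructed for
illustration: DIRECTORY stands in for an HR/Active Directory export and
SAAS_USERS for an export from a SaaS admin console. The field names, the
department-to-role policy and the approved super-admin list are assumptions.
"""
from collections import defaultdict

# Constructed directory export: login -> attributes. `active` is False for a
# leaver whose directory account has been disabled but whose SaaS account may
# still exist (an orphaned account).
DIRECTORY = {
    "alice": {"email": "alice@example.com", "dept": "sales",   "active": True},
    "bob":   {"email": "bob@example.com",   "dept": "finance", "active": True},
    "carol": {"email": "carol@example.com", "dept": "it",      "active": True},
    "dave":  {"email": "dave@example.com",  "dept": "sales",   "active": False},
    "erin":  {"email": "erin@example.com",  "dept": "sales",   "active": True},
}

# Constructed SaaS user export, one row per SaaS account.
SAAS_USERS = [
    {"login": "alice",       "email": "Alice@Example.com", "dept": "sales",     "role": "sales_rep"},
    {"login": "alice.s",     "email": "alice@example.com", "dept": "sales",     "role": "sales_rep"},
    {"login": "bob",         "email": "bob@example.com",   "dept": "marketing", "role": "finance_user"},
    {"login": "carol",       "email": "carol@example.com", "dept": "it",        "role": "super_admin"},
    {"login": "dave",        "email": "dave@example.com",  "dept": "sales",     "role": "sales_rep"},
    {"login": "erin",        "email": "erin@example.com",  "dept": "sales",     "role": "finance_user"},
    {"login": "contractor1", "email": "x@partner.example", "dept": "",          "role": "super_admin"},
]

# Assumed policy: roles each department may hold in this SaaS app, and the
# logins that are approved to hold the super-admin role.
ALLOWED_ROLES = {
    "sales":   {"sales_rep", "sales_manager"},
    "finance": {"finance_user"},
    "it":      {"it_admin", "super_admin"},
}
APPROVED_SUPER_ADMINS = {"carol"}


def normalize_email(email):
    """Case- and whitespace-insensitive key used to spot duplicate identities."""
    return email.strip().lower()


def reconcile(directory, saas_users, allowed_roles, approved_super_admins):
    """Return {exception_type: [logins...]} for the five exception classes."""
    findings = defaultdict(list)
    logins_by_email = defaultdict(list)

    for user in saas_users:
        login = user["login"]
        dir_entry = directory.get(login)
        logins_by_email[normalize_email(user["email"])].append(login)

        # Orphaned: SaaS account with no directory account, or a disabled one.
        if dir_entry is None or not dir_entry["active"]:
            findings["orphaned"].append(login)
        else:
            # Misaligned data: SaaS attributes disagree with the directory.
            if dir_entry["dept"] != user["dept"]:
                findings["misaligned"].append(login)
            # Inappropriate role: judged against the directory's department,
            # since the directory is the authoritative source.
            if user["role"] not in allowed_roles.get(dir_entry["dept"], set()):
                findings["inappropriate_role"].append(login)

        # Unauthorized super admin: privileged role outside the approved list.
        if user["role"] == "super_admin" and login not in approved_super_admins:
            findings["unauthorized_super_admin"].append(login)

    # Duplicate identities: several SaaS accounts resolve to one e-mail address.
    for logins in logins_by_email.values():
        if len(logins) > 1:
            findings["duplicate"].append(sorted(logins))

    return dict(findings)


if __name__ == "__main__":
    for kind, items in reconcile(DIRECTORY, SAAS_USERS, ALLOWED_ROLES,
                                 APPROVED_SUPER_ADMINS).items():
        print(f"{kind}: {items}")
```

Run against a real export, the same logic gives the “summary report of major SaaS identity exceptions” the assessment describes; the directory, not the SaaS app, is treated as the source of truth for department and therefore for which roles are appropriate.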
We’re excited to announce that for a limited time Conformity is offering a free SaaS Identity Assessment that will help organizations identify user identity gaps and mismatches with their SaaS deployments and corporate directories. With the assessment, Conformity SaaS identity experts will provide:

  • A summary report of major SaaS identity exceptions
  • Assessment of potential audit and compliance risks
  • Recommended best practices and policies for aligning SaaS user identities

Click on the link below to learn more about our free assessment, and let Conformity help you and your organization get ahead of the curve on SaaS audit and compliance issues.

Click here to learn more >>

What is “The Cloud” Really?

March 4, 2010 by

Once upon a time I read a very good marketing paper that began with the statement: “People buy quarter-inch drill bits, but they want quarter-inch holes.” The biggest mistake most tech companies make in marketing their products is that they talk about the features of their quarter-inch drill bits, not the quality of the quarter-inch holes that can be made, or how the features of that hole are relevant or important for how the hole is going to end up being used. Assuming you accept this, I make the following observations about how most companies in “the cloud management space” are making it harder for their markets to understand what they do rather than easier.

Specifically, the concern I have is that “managing the cloud” or “the cloud management market” or “managing cloud computing” is going to look markedly different depending on where you sit. In particular, I think there are actually four cloud management markets or segments, with overlapping requirements to be sure, but still different enough that any company, vendor, or IT organization trying to “manage the cloud” should think about positioning itself in that context. I also believe much of the confusion (or FUD) around “the cloud” and “cloud management” is because people use similar terms to mean very different things, each valid in its own right, but very, very different.

  • Segment 1 – Existing IT organizations that have on-premise services and also either have or aspire to have cloud-based services as well (whether IaaS, PaaS, SaaS, etc). This management market will have a particular set of benefits and challenges associated with how the entity tries to integrate these IT services, and the management thereof, to make it look reasonably seamless (so they don’t simply replace one set of complex problems with a different set of complex problems). Private/public clouds will create variations on this theme, with security and billing being the two main differences, but otherwise very similar problems.
  • Segment 2 – The opposite end of this spectrum: organizations that aggressively pursue doing as much in the cloud as possible, and only doing on-premise what is either not yet available in cloud form or too business-critical to yet trust to a cloud-based solution. I’ve spoken to a dozen CIOs in the last two months who have set a mandate for their organizations along exactly these lines: cloud when you can, on-premise when you have to. This is primarily an SMB-based discussion today, but it’s starting to bleed up into the enterprise space.

These first two represent more of a true user of “cloud-based” services and benefits.

  • Segment 3 – Groups that are actually hosting the cloud services used by the first two markets; the so-called “service provider market.” It’s a real market, but tends to have a set of problems much more in common with the on-premise guys (insofar as they’re managing workloads within a well-defined IT infrastructure; they’re still “on-premise,” just a different “premise” from the captive IT organization). Their users come from the cloud, rather than being a captive user community. This “where are the users coming from” question tends to give the management problems different priorities than the captive user version, but otherwise they have more in common than not. The one variation in this space is how high up into the stack a given organization chooses to go (IaaS, PaaS, SaaS, etc), which will also heavily influence what “management” means to them. For example, Amazon is clearly an IaaS vendor in this space, and doesn’t know or care about applications per se.
  • Segment 4 – Also a provider market, but where all the services provided are actually located in the cloud, rather than in a captive data center. Conformity is representative of this type of market. We provide a SaaS-based solution (which also happens to manage SaaS, a specific problem of using SaaS applications, but that’s not a relevant distinction here) that runs entirely in the cloud; we don’t have a data center at all (except for a VPN server and a MS Domain Controller), and we do everything else in the cloud (including development / builds / e-mail / calendaring / billing… you name it). This type of market will also have unique and real management problems, but with a very different emphasis than the first three. It’s also still small, but rapidly growing, based on many VC discussions I’ve had in the last four months.

These last two represent more of a true provider of cloud-based services, even though they may also have “user-like” problems they need to solve.

As already noted, there is much overlap in these four “spaces,” so I don’t think one can be entirely pure in this four-market-segment model. But the particular problems and their urgency will create a form of segmentation that will influence and govern how cloud management companies need to talk about themselves, what they do, what pain points they address, and the value of their solutions, because the value of a given solution will vary greatly depending on where in this four-market segmentation model a given customer views themselves.

So, assuming you agree at least in spirit with this segmentation, it might be helpful to start to introduce some of this nomenclature into the industry’s on-going discussion about cloud management issues.

Anyway, this is what occurred to me when I’ve tried to compare various “cloud management” offerings; it’s a bit of apples-and-oranges. For example, CA or BMC might be expected to want to market their cloud-based offerings to companies in the first market, as on-premise is “core” and cloud is an “adjacent” space in this market (using the Bain / Zook “core/adjacency” nomenclature).

Smaller players, like UnivaUD, market their cloud-based offerings to companies in the third market, and while there’s clearly overlap and bleed-over between these two views, they’re different enough that trying to compare them might not make sense.

As an aside, it’s also why I think “virtualization = cloud” is a horrible hoax that some vendors are foisting off on the rest of the industry. Virtualization is an important technology, to be sure, but it’s a quarter-inch drill bit in the fullest sense of the word, and absent any discussion of what problem is being solved and why, it carries almost no useful context in any final analysis of “the cloud management market.”

SaaS Adoption and the ‘Scaling’ of Management Pain

March 2, 2010 by

The current approach most organizations are taking to managing SaaS applications and user access is unsustainable.

In our webinar today on SaaS, Access Controls and Compliance (an on-demand recording can be viewed here), we shared the reasons we think organizations are setting themselves up for a costly fall as they accelerate SaaS and cloud adoption:

  • The hidden costs of cloud applications – as SaaS apps have largely been deployed around IT, the costs of management and administration have also remained ‘hidden’ from CIOs and IT executives. Manual, redundant administration of users and access results in costs and risks that often shock executives when we bring it to their attention. For example, we’re finding that identity ‘exceptions’ across SaaS apps in customer environments typically range from 5-20%. Translation – nearly 1 in 5 SaaS users today have inappropriate access or multiple, inconsistent identities across systems. The risk and compliance implications of this go without saying…
  • The scaling of management pain – each new SaaS app deployed creates another ‘source’ of user identity and associated authorizations. The need to understand roles, profiles and permissions across apps means that the hidden costs and risks of SaaS expand exponentially with adoption. Thus not only are costs not yet visible at the executive level, they’re rapidly scaling with SaaS and cloud adoption!
  • The oncoming SaaS management ‘tsunami’ – it’s almost universally true that SaaS and cloud adoption is accelerating across nearly every market segment. Combine this fact with the ‘scaling’ of management pain, and you start to see why we think organizations are headed for trouble. While today it appears that manual and spreadsheet-based approaches to managing SaaS users and access will ‘work for now’, trouble is rapidly growing beneath the surface, as internal auditors, IT operations and administrators will tell you.

IT management problems are often analogous to heart disease – foresight and preventative steps (diet and exercise) are far preferable to open heart surgery after the problem gets out of control.

Unfortunately as SaaS and cloud adoption accelerates many organizations today are on the costly path to the operating table…

Top Ten Things IT Auditors Need to Know about SaaS

February 14, 2010 by

Despite the business benefits of using SaaS, there are well known risks and challenges related to loss of control, security, integrity, privacy and availability.  As cloud usage grows, compliance risks are going to increase, as is the case with any new wave of technology.

IT auditors should gain an understanding of any new technologies and/or systems to be audited and be aware of the key control issues related to SaaS.  In addition, IT auditors need to be involved with their organization’s cloud computing plans starting at assessment stage to help ensure identification and mitigation of risks.  Unfortunately, IT and auditors have many times been ‘out of the loop’, as SaaS applications have often been deployed directly by business users.

To help ensure that internal auditors are prepared to address potential control issues in their organizations, we’ve recently released a new whitepaper on the top ten facts that IT auditors need to know about SaaS and cloud applications. In it you’ll learn key facts about cloud applications that will help organizations prepare for the increased scrutiny being placed on access controls around SaaS and other virtualized resources.

Click here to request a free copy >>

Conformity Announces Integration and Partnership with VeriSign

February 10, 2010 by

We are excited to announce today a new partnership and integration with VeriSign. With our integration with the VeriSign® Identity Protection (VIP) Authentication Service, Conformity customers will have the ability to secure and safeguard critical cloud application access and authorization information, and have the ability to provide enterprise-class security to Conformity users. We also plan on extending our integration with VIP to provide additional functionalities to our customers in the areas of provisioning and policy enforcement.

In addition, we have also announced that we will be referring each other’s offerings to enterprise customers with a need for enhanced user authentication and authorization management for their cloud applications and users, and will engage in joint marketing and sales activities. We’re excited about the partnership, and look forward to working with the VeriSign team and our joint customers.

Thinking about “The Cloud”

February 10, 2010 by

Thanks, Scott, for the warm welcome to Conformity’s Blog universe.  I’ve been at Conformity for just about a month now, and I’ve been appointed (is there an opposite of disappointed?) at the excitement around the space, the quality and dedication of the team, and the interest in “our problem” (identity in the cloud) by customers and prospects.

Of course, unless you’ve been under a rock for the past, say, 10 years, you’ve no doubt heard that Cloud Computing (or On-Demand before that or ASP’s before that or Grid’s even before that) will solve everything from bad breath and world hunger to global warming and peace in our time.  While many of the developments are truly exciting, what we today call Cloud Computing should have been expected as an obvious trend from a whole collection of trends that have led up to it.

Why?  Because every advanced endeavor ultimately evolves into increasingly smaller and focused areas of specialization, where we (as individuals or business units or corporations) pay someone else to do things we’re either too busy, too inexperienced, or too lazy to do ourselves.

I suspect few of you reading this now actually grow your own vegetables.  It’s not that you can’t, mind you, since it’s not all that hard.  But farmers and grocery stores and the whole infrastructure behind the process of getting lettuce and carrots into the trunk of my car do it faster, cheaper, and better than I can (or am willing to – I do have small children, after all).

Historically, providing whatever computing services businesses large and small use in the course of their primary business activities has been difficult enough and expensive enough that these same businesses formed “IT Organizations” to provide those services for them (believing, largely correctly, that the IT group could do it faster, cheaper, and better than they could; an early and surprisingly enduring form of specialization).

There is no reason why this same process won’t happen again and again and again, with increasing segments of what has traditionally been the purview of what we now call an “on-premise” IT service being delivered by external entities that can perform more and more elements of what IT has traditionally done themselves, and with IT’s role evolving along the way. Add a good enough transmission medium (the Internet), a good enough computing platform (LAMP stack, with or without virtualization), and sufficient consolidation, standardization, and economies of scale around certain business applications (e-mail, SFA, CRM, HR, etc), and *POOF*, Cloud Computing and Cloud-based Applications are born.

The interesting news (and for companies like Conformity and our partners the good news) is that each of these forays into these areas of specialization come with their own technical and business challenges that must be solved along the way.  We, as technology professionals, get another chance to try to address long-standing questions around business process, pricing, ease-of-use, and the never-ending quest for a more efficient way to separate and distinguish between what Geoff Moore calls “core” versus “context”.

I won’t attempt to address the specifics of how we’ll be solving bad breath, world hunger, global warming, and peace in our time today (must leave something interesting to write about in future posts), but wanted to begin the dialog around what is and is not particularly new about Cloud Computing, what problems we might expect need to be solved (because they *are* different from what’s come before) and which problems are simply old wine in new bottles…
