Archive for the ‘Web access management’ Category

On the subject of password management…

August 19, 2010

There is an interesting movement happening in and around the identity management space: a struggle between the desire for a single, universal and secure way of accessing resources and applications, and the question of which third party to “trust” with your access.

A variety of technologies and vendors are involved including SAML, Active Directory, individual passwords, and some of the social media vendors such as Facebook and Twitter, to name a few. And of course, all the other cloud, enterprise, and identity vendors have a dog in this fight too.

Here at Conformity we are clearly a part of the discussion, and ultimately we hope, part of the solution, but the ugly truth is the vast majority of current secure website services and SaaS business applications still use passwords for their primary authentication model. Andrew Jaquith’s blog entry on “The Rationality Of Re-Using Passwords” makes an observation that passwords will be around for a long time, which is a point of view that I share.

Since we are on the topic of passwords and logins, I need to mention that Conformity just introduced a new product, ConformityConnect, that is designed to be a simple to use, simple to deploy, and simple to administer way of securely managing the plethora of logins that we face every day at work. If you find yourself drowning in passwords, this might be the life saver you’ve been looking for. It also lays a foundation for addressing some of the other issues I raised above. Sometimes the best policy is to trust no one but yourself.

You can try ConformityConnect out for free by clicking HERE.

Conformity Announces GA Release of First Enterprise-Class Management Platform for SaaS and Cloud Apps

September 30, 2009

We’re excited to announce today the general availability of the Conformity solution, which provides customers the first enterprise-class management platform for cloud applications and users.  The Conformity solution is designed to arm enterprises with the same level of visibility and control over on-demand applications as they’ve come to expect with traditional packaged apps.  With our solution, enterprises can now be confident bringing new cloud applications into their business environments, knowing there will no longer be compromises made in the areas of management processes, insight and control.  With today’s GA, enterprises can:

  • Increase data security and reduce compliance risks
  • Optimize license allocation and expenses
  • Automate and streamline administration
  • Expand and extend enterprise usage of SaaS and cloud applications

Specific capabilities of the Conformity solution include:

  • User provisioning – provides centralized point of provisioning and deprovisioning of users accounts within cloud applications, and ongoing management of user permissions and authorizations.
  • Role and profile management – enables organizations to centrally manage cloud application roles, profiles and permissions through normalized permission models, and maps policies to users and roles.
  • Approval workflows – provides auditable cross-functional approval processes for users requiring new or amended access permissions, or role and profile changes.
  • Directory integration – enables organizations to seamlessly synchronize Conformity’s user repository with on-premise directory services.
  • Compliance reporting – provides reports required for effective preparation for audits for SOX, HIPAA, PCI and other regulatory mandates and standards.
  • Usage analytics – provides visibility, analytics and reporting on cloud application and license utilization.
  • Change management – enables archiving, management and recovery of application configurations and role models.

The Conformity platform provides templates, tools and workflow needed to manage all cloud applications in a customer’s environment.  Conformity also provides additional analytics, reporting and provisioning automation through integrations with the following leading cloud applications:

The Conformity platform also supports directory integration for Microsoft Active Directory, and is compatible with industry standards such as SPML, SAML and WS-Federation.

Please click here to read the full announcement, and stay tuned for more upcoming news!!!

Mark your calendar – Enterprise SaaS Working Group webinar

August 28, 2009

We’re excited to announce that on September 30th at 11:00am PDT / 2:00pm EDT we’ll be holding the first event in our Best Practices webinar series, featuring a roundtable discussion with the Enterprise SaaS Working Group. Comprised of recognized thought leaders and visionaries in SaaS and cloud computing, the group will discuss the challenges and issues that need to be overcome for SaaS and cloud applications to become truly ‘enterprise-ready’. Participants in the session will include:

The discussion will focus on critical issues and corresponding best practices in the areas of management, governance, security and compliance, and will include a Q&A session open to all attendees. Click here for more information and to register for this exciting event!

The Enterprise SaaS Working Group – Coming Soon…

August 20, 2009

As frequently discussed in this blog, here at Conformity we believe that there are a fundamental set of issues that the SaaS industry as a whole needs to address for SaaS and cloud applications to become truly ‘enterprise-ready’.  These issues range from management access and APIs to SLAs and performance monitoring.  To provide a forum to further surface, discuss and propose solutions to these issues, in September we will be introducing the first Enterprise SaaS Working Group.  The group will discuss challenges that need to be overcome to accelerate adoption of on-demand solutions in the enterprise, and will include a broad range of perspectives from thought leaders and practitioners alike.  Participants will include:

  • Enterprise CIOs and IT executives
  • SaaS vendor executives
  • SaaS consultants and service providers
  • Industry analysts

We will be formally introducing the group at an exciting event we’re going to be hosting in late September.  Please stay tuned for more details…

Closing the gap between IT and SaaS

July 8, 2009

One of the big challenges the SaaS industry continues to face (which we talked about at our presentation at SaaS University last week in Chicago) is the gap that exists between the APIs/management access that SaaS applications provide today and the expectations of CIOs and IT teams, particularly in the enterprise.  The end-customer CIOs we’re working with are typically surprised at how difficult it is to integrate most SaaS applications into their existing management processes and solutions –  a CIO we recently spoke with just assumed that all major SaaS applications supported direct integrations into Active Directory and LDAP.  On the flip side, most SaaS vendors are being faced with IT requirements and expectations they haven’t yet considered, let alone support in their services (though there are exceptions) particularly in identity-related areas such as user authentication and access control.

Why is this important?

IT is regaining its seat at the table when it comes to SaaS. In mid-size enterprises, as SaaS adoption has accelerated cross-functionally, organizations are beginning to look to IT to centralize management and governance of SaaS applications and users in order to minimize compliance risks and administrative costs. In a recent survey we found that IT was involved in management and administration of SaaS applications in 72% of multi-SaaS organizations. In larger enterprises that are now taking a serious look at SaaS, IT is involved from the start to determine how the applications will be integrated into broader business processes and other on-premise applications, as well as into management processes and solutions. We’re starting to hear from both types of organizations, as well as the SaaS vendors that serve them, that application ‘manageability’ is becoming a consideration in sales cycles – in fact we’re aware of several situations where an incumbent SaaS provider was displaced by an offering with improved API and management access.

Why the disconnect between SaaS vendors and IT?  Based on our experiences and interactions with both sides of the issue, the gap that exists between SaaS applications and IT is driven by two factors:

  • SMB legacy – the majority of leading SaaS vendors (including Salesforce.com) grew from an initial focus on SMB customers.   Applications were architected and optimized to solve a specific functional business problem for this initial class/size of customer, with (understandably) limited focus on how the application would have to integrate into multi-SaaS or enterprise environments.
  • IT as ‘the enemy’ – the ease of deployment and flexibility of SaaS eliminated the need for business users to involve their IT organizations in the selection, configuration and management of SaaS applications. As IT historically has been neither a decision-maker nor an influencer in the sales process, most SaaS vendors haven’t been exposed to IT organizations, particularly in the enterprise. In fact, IT was and is oftentimes (and often unfairly) characterized as the enemy of SaaS adoption, needlessly entangling business users in red tape and bureaucracy. IT teams have also been part of the problem, often taking little interest in administering or managing SaaS applications. In either case, most SaaS vendors have had relatively limited interactions with enterprise IT organizations, particularly when compared to on-premise ISVs.

We fundamentally believe that for SaaS adoption to continue to accelerate in both midmarket and large enterprises, the gap between IT requirements and SaaS application capabilities will need to be closed. SaaS vendors need to improve APIs, management access and visibility in areas such as user and identity management, activity logging and monitoring, service management and back-office/financial management. More on this to come….

The SaaS industry, APIs and standards

May 28, 2009

A session titled “Herding Cats: Managing SaaS Sprawl” provoked some very interesting debate and discussion at Interop last week, as covered in this Network World article.  Several important themes emerged which we wanted to highlight and expand upon:

  • Current state of APIs – the state of SaaS vendor APIs is clearly not where it needs to be – here at Conformity we see a broad range of SaaS vendor API maturity, with some vendors offering robust web services APIs to most of their data objects, and others offering literally no access whatsoever.  Unfortunately our experience is that most vendors tend to fall closer to the second camp, particularly when it comes to providing visibility required for effective management and control of user access and usage of SaaS applications.
  • CIO expectations – as mentioned in the session, we also are seeing CIOs becoming more and more aware and involved in SaaS procurement, deployment and ongoing management and support processes. Experience managing on-premise applications has set expectations (rightly or wrongly) for CIOs and their teams, who many times are unpleasantly surprised at the lack of accessibility SaaS vendors provide to data critical to effective management and control, such as event logs.  The current lack of vendor APIs also frustrates IT teams, who are used to integrating on-premise applications into IT management processes and tools such as identity management tools and directory services.  These expectations for management and visibility of SaaS applications, users and activity are unlikely to change, and SaaS vendors will have to meet these expectations, versus attempting to modify them.
  • Standards and adoption – we also agree with Narinder Singh of Appirio, who is concerned about the potential impact that standards and compliance efforts could have on SaaS innovation and vendor API development. Successful standards typically emerge after, not before, a particular problem is solved by the industry, which could partially explain the relatively lackluster ISV adoption of SAML, SPML, XACML and other standards around authentication, access control and provisioning. The challenge is for the industry to develop models and approaches for APIs and interoperability that solve the underlying problem first. While the standards mentioned above may end up being the right answer (or part of it), the first-order problem is for the industry to make sure it has a model for satisfying end-customer requirements around APIs and interoperability.

The key to addressing the challenge the SaaS industry is facing around APIs is for vendors to get started now, by exposing what they can around their objects and data models. The SaaS vendors that we believe have made the most progress, and who demonstrate the most maturity around APIs and interoperability, decided to get started by opening up access to data and objects, not by first determining what API standard(s) to support. Channel partners, customers and even other SaaS vendors can help solve the industry problem around what needs to be exposed via APIs and how. Starting with standards first is a bit like putting the cart in front of the horse…

SaaS, the Cloud and the ‘Big Bang’

May 11, 2009

Here at Conformity we recently wrapped up some interesting market research on the topic of adoption of SaaS and cloud-based services and the management challenges it is creating for organizations and their IT departments in particular.  Conducted in conjunction with a leading analyst firm,  we spoke with IT and business executives at nearly 50 midsize and large enterprises that were adopters of multiple SaaS applications, and who were planning on extending their adoption of the model.  We’ve summarized our findings in a new whitepaper titled SaaS, the Cloud and the Big Bang.

The results?

In organizations we spoke with, business users drove the initial wave of SaaS adoption and largely took on the associated management and support responsibilities.   In a pattern similar to what happened with distributed computing 15-20 years earlier, as SaaS adoption hit ‘critical mass’ in these organizations (particularly those with compliance exposure),  IT has been brought in to extend existing management processes, controls and tools to SaaS and cloud-based resources.

The problem?  SaaS and cloud-based services are fundamentally exploding the traditional IT management model, due to:

  • Decentralization of management – in ‘traditional’ management environments, IT has near complete responsibility and accountability for governance and management of technology resources. The focus on autonomous IT governance and management has increased due to increasing regulatory compliance requirements (SOX, GLBA, HIPAA, PCI etc) and the resulting increase in adoption of best practice policy and control frameworks (ITIL, COBIT, ISO 17799/27001, 27002). In the SaaS world, business users have taken on management and support responsibilities traditionally owned by IT. For example, activities such as user provisioning and permissions management, role and profile management, application customization and configuration, and vendor management are now decentralized and distributed in many organizations.
  • Loss of control – in addition to the applications themselves, metadata on users, role and profile models, authorization and credential stores, usage activity and application performance all move outside the corporate firewall.  IT loses visibility and control over this critical management data that is now fragmented across heterogeneous SaaS service providers, in addition to the applications and users themselves.
  • Broken integrations – many IT processes around application and user management are highly automated, supported by integration with on-premise directory services, identity management and systems management solutions. These integrations largely ‘break’ in an on-demand world, and organizations are rapidly finding that creating a new management ‘blade’ for a given SaaS app in a legacy management application is not a realistic, cost-effective answer. Additionally, SaaS applications must be integrated into existing business processes through configuration and management by line-of-business users, with little or no ability to automate integration into cross-application business processes.

While it is still early, clear perspectives are starting to emerge on what a new generation of management solutions will need to include in order to address the unique challenges of on-demand environments. Organizations are finding that SaaS and cloud-based service models are driving a convergence of identity and systems management issues, which will require the reinvention of the solutions that address them. Areas such as user access management, policy monitoring and enforcement, data integration and management, and business process integration all need a fundamental ‘rethink’ in a cloud-based world.

If you’re interested in receiving a copy of the whitepaper, please contact us.

Some additional thoughts on SaaS user provisioning…

May 1, 2009

As the term ‘provisioning’ tends to have different meanings depending on who you talk to, we wanted to follow up on our post last week on SAML / SPML-based ‘just-in-time’ user provisioning with some quick additional thoughts…

Effective user provisioning requires much more than just ensuring users have an active account and access to a given service or SaaS application. User authorizations and permissions within the service also need to be consistent with role-based access control (RBAC), least privilege and segregation-of-duties (SOD) concepts. This requires that organizations ensure that permissions and authorizations are consistent across services, not just within each individual SaaS silo. What makes provisioning challenging is that each SaaS service provider has its own unique role, profile and authorization model, optimized around the particular problem set it addresses. Virtually all SaaS user attribute and permission models are unique to the individual vendor, with some services providing the ability to configure over 50 different user attributes. In our mind, proper user provisioning ensures that user accounts and all associated authorizations are consistent with corporate policy, which is a much deeper, more challenging problem than it first appears…
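The cross-service consistency problem described above, as an added example in Python (not Conformity’s code or any vendor’s): two constructed vendor role models are normalized into one canonical “object:action” permission vocabulary, and each user’s combined grants across both services are then checked against a least-privilege corporate role definition and a set of segregation-of-duties rules. Every application, role, permission and user name here is constructed for the example.

```python
"""Added example (not Conformity's code): normalize each SaaS vendor's
proprietary role model into one canonical permission vocabulary, then check
each user's combined grants across services against a least-privilege role
definition and segregation-of-duties (SoD) rules.

All application, role, permission and user names are constructed."""
from collections import defaultdict

# Constructed vendor role models. Each app names roles and bundles
# permissions its own way; the sets translate them into canonical
# "object:action" permissions so policy can be written once, across apps.
VENDOR_ROLE_MODELS = {
    "crm_app": {
        "Sales Rep": {"opportunity:read", "opportunity:write"},
        # The vendor bundles writing deals with approving discounts on them.
        "Sales Manager": {"opportunity:read", "opportunity:write",
                          "opportunity:approve_discount"},
        "System Administrator": {"user:admin", "opportunity:read",
                                 "opportunity:write"},
    },
    "billing_app": {
        "Clerk": {"invoice:create"},
        "Controller": {"invoice:approve", "payment:release"},
        "Admin": {"user:admin", "invoice:create", "invoice:approve",
                  "payment:release"},
    },
}

# Corporate RBAC policy in canonical terms: the most a business role may hold
# in any service. Anything beyond this is a least-privilege finding.
CORPORATE_ROLES = {
    "sales_rep": {"opportunity:read", "opportunity:write"},
    "sales_manager": {"opportunity:read", "opportunity:approve_discount"},
    "ap_clerk": {"invoice:create"},
    "controller": {"invoice:approve", "payment:release"},
    "it_admin": {"user:admin"},
}

# SoD rules: canonical permission pairs one person must never hold together,
# no matter which service grants each half.
SOD_CONFLICTS = [
    ("invoice:create", "invoice:approve"),
    ("opportunity:write", "opportunity:approve_discount"),
]

# Constructed assignments: user -> (corporate role, {app: [vendor roles]}).
SAMPLE_USERS = {
    "alice": ("ap_clerk", {"billing_app": ["Clerk"]}),
    "bob": ("sales_manager", {"crm_app": ["Sales Manager"]}),
    "carol": ("controller", {"billing_app": ["Controller"], "crm_app": ["Sales Rep"]}),
    "dave": ("it_admin", {"billing_app": ["Admin"], "crm_app": ["System Administrator"]}),
}

def effective_permissions(assignments):
    """Collapse {app: [vendor roles]} into {canonical permission: {apps granting it}}."""
    perms = defaultdict(set)
    for app, roles in assignments.items():
        for role in roles:
            for perm in VENDOR_ROLE_MODELS[app][role]:
                perms[perm].add(app)
    return perms

def check_user(corporate_role, assignments):
    """Findings for one user: grants beyond the corporate role (least privilege),
    SoD pairs held together, and which apps grant each permission."""
    perms = effective_permissions(assignments)
    allowed = CORPORATE_ROLES[corporate_role]
    return {
        "excess": sorted(p for p in perms if p not in allowed),
        "sod_violations": [(a, b) for a, b in SOD_CONFLICTS if a in perms and b in perms],
        "granted_by": {p: sorted(apps) for p, apps in sorted(perms.items())},
    }

def review(users):
    """Run check_user over every user; return only those with findings."""
    findings = {}
    for user, (role, assignments) in users.items():
        result = check_user(role, assignments)
        if result["excess"] or result["sod_violations"]:
            findings[user] = result
    return findings

if __name__ == "__main__":
    for user, result in review(SAMPLE_USERS).items():
        print(user, result["excess"], result["sod_violations"])
```

Two of the findings only appear because the check runs across services: “bob” violates SoD inside a single vendor role the CRM vendor bundled that way, but “dave” holds a conflicting pair only because the billing app’s administrator role is far broader than the corporate IT-admin role allows, and the `granted_by` map shows which application has to be corrected.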

SaaS and Federated Provisioning

April 16, 2009

Some quick thoughts on the idea of just-in-time (JIT) provisioning of users based on the combined use of SAML and SPML between an organization and the SaaS vendor / service provider (or federated provisioning), which has recently been discussed in a variety of forums including Network World and the Burton Group.

From a practical point of view SAML/SPML enabled JIT provisioning (or federated provisioning) is still in the category of ‘science project’ – theoretically possible, but currently an unrealistic approach in actual live customer environments.  Based on our discussions in the industry SaaS vendor support for SAML has been modest at best, SPML even less so, and without vendor implementation the approach doesn’t even get to square one.  While we’re fully supportive here at Conformity of SAML/SPML and the need for a more standards-based approach to user authentication and authorization across SaaS applications, we also recognize that customers need to address the SaaS provisioning problem today, which means working with the proprietary APIs and connectors that do exist.

Even in a theoretical world of fully SPML-enabled SaaS providers (if and when that day arrives), the fundamental challenge of attribute mapping will remain (as noted by Mark Diodati at the Burton Group).   Each application will continue to have its own individual set of user attributes that will have to be mapped back to the internal schema of the requesting provisioning service, certainly a non-trivial exercise.

There are also a variety of business considerations the JIT model needs to account for, which at worst could ‘break’ the model and at a minimum create significant impediments to actually implementing it. The vagaries of vendor licensing models, customer provisioning workflow and processes, and role and permission change management are just a few of these considerations that need to be taken into account.
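The attribute-mapping step that remains even with full SAML/SPML support, as an added Python example (not the page’s code, and not any identity provider’s or SaaS vendor’s implementation): a constructed SAML 2.0 assertion is parsed, and its attributes are translated into two constructed per-application schemas that name fields differently and require different things. Provisioning for an application fails closed whenever a required field cannot be produced from what the identity provider sent. The assertion, both schemas and the attribute names are assumptions made for this example; signature, audience and validity-window checks on the assertion are assumed to have happened before this step and are not shown.

```python
"""Added example (not Conformity's or any vendor's code): the attribute-mapping
step of SAML-based just-in-time (JIT) provisioning. The IdP assertion carries
corporate attributes; each SaaS application expects its own schema, so the
same assertion is translated per application, and provisioning fails closed
when a required field cannot be mapped.

The assertion, the application schemas and all attribute names are constructed.
Signature, audience and validity checks are assumed to be done upstream."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion fragment, shaped like what a corporate IdP sends after login.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">
  <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="sn"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="department"><saml:AttributeValue>Sales</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>CN=CRM-Users,OU=Groups,DC=example,DC=com</saml:AttributeValue>
      <saml:AttributeValue>CN=All-Staff,OU=Groups,DC=example,DC=com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

CRM_GROUP = "CN=CRM-Users,OU=Groups,DC=example,DC=com"

# Constructed per-application schemas: "source" names the IdP attribute to
# read, "transform" (optional) derives the app value from the list of values,
# "allowed" (optional) restricts it to values the app accepts.
APP_SCHEMAS = {
    "crm_app": {
        "FirstName": {"source": "givenName", "required": True},
        "LastName": {"source": "sn", "required": True},
        "Email": {"source": "NameID", "required": True},
        # Directory group membership decides the vendor-specific profile;
        # no matching group means no CRM account at all.
        "Profile": {"source": "memberOf", "required": True,
                    "transform": lambda groups: "Standard User" if CRM_GROUP in groups else None,
                    "allowed": {"Standard User", "Administrator"}},
    },
    "expense_app": {
        "email": {"source": "NameID", "required": True},
        "display_name": {"source": "givenName", "required": True},
        "cost_center": {"source": "costCenter", "required": True},  # IdP never sends this
        "dept": {"source": "department", "required": False},
    },
}

def parse_attributes(assertion_xml):
    """Return {IdP attribute name: [values]} from a SAML 2.0 assertion, with the
    subject NameID exposed under the pseudo-attribute "NameID"."""
    root = ET.fromstring(assertion_xml)
    attrs = {"NameID": [root.findtext("saml:Subject/saml:NameID", namespaces=NS)]}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.iterfind("saml:AttributeValue", NS)]
    return attrs

def map_for_app(app, attrs):
    """Translate IdP attributes into one app's schema.
    Returns (record, errors); record is None if any required field is unmappable."""
    record, errors = {}, []
    for field, spec in APP_SCHEMAS[app].items():
        values = attrs.get(spec["source"])
        value = None
        if values:
            value = spec["transform"](values) if "transform" in spec else values[0]
        if value is not None and "allowed" in spec and value not in spec["allowed"]:
            errors.append(f"{field}: value {value!r} not accepted by {app}")
            value = None
        if value is None:
            if spec.get("required"):
                errors.append(f"{field}: required by {app}, no usable value from IdP attribute {spec['source']!r}")
            continue
        record[field] = value
    return (None if errors else record), errors

def jit_provision(assertion_xml, apps):
    """Per application: the account record to create, or None plus the reasons."""
    attrs = parse_attributes(assertion_xml)
    return {app: map_for_app(app, attrs) for app in apps}

if __name__ == "__main__":
    for app, (record, errors) in jit_provision(SAMPLE_ASSERTION, list(APP_SCHEMAS)).items():
        print(app, record if record else "NOT PROVISIONED", errors)
```

The same assertion provisions the CRM account and is refused by the expense application, because that application’s schema requires a cost center the identity provider never emits; that gap has to be closed in the directory or the mapping, not by provisioning a partial account. The error list is what an administrator would need to see in order to fix the mapping rather than the symptom.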

Stay tuned as we’ll soon have much more to say about SaaS, provisioning and user management…

The Data has Left the Building…

February 23, 2009

In light of the mass layoffs unfortunately occurring these days, somewhat terrifying results were recently released from a study conducted by the Ponemon Institute and sponsored by Symantec on data theft by former employees. Major high (or low) lights of the study of approximately 900 employees who lost their jobs in 2008 include:

  • 59% of respondents kept corporate data after leaving their job
  • Approximately one quarter of respondents said they had the ability to access data after they had left the company
  • 32% of survey participants said that they had successfully accessed corporate systems using their credentials after leaving their job

While the survey didn’t distinguish between data residing in SaaS vs on-premise applications, we have to believe that the relatively immature access controls and distributed approach most organizations take towards SaaS user management would lead to even worse numbers for on-demand applications and related data…
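The accounts the study describes (credentials that keep working after the employee has left) are exactly what a deprovisioning reconciliation is meant to surface. As an added Python example (not the study’s or Conformity’s code), the following joins a constructed HR roster against constructed per-application account exports and reports, per application, accounts still enabled past the owner’s termination date and accounts that were used after it. Every person, application, date and export row is constructed for the example.

```python
"""Added example (not the Ponemon/Symantec study's or Conformity's code):
reconcile an HR roster against SaaS account exports to find access that
survived an employee's departure, and access that was actually used afterwards.

All employees, applications, dates and export rows are constructed."""
from datetime import date, timedelta

# Constructed HR roster: email -> termination date (None = still employed).
HR_ROSTER = {
    "alice@example.com": None,
    "bob@example.com": date(2009, 1, 15),
    "carol@example.com": date(2008, 11, 30),
    "dave@example.com": date(2009, 2, 10),
}

# Constructed per-application exports, shaped like the user list an admin
# pulls from each SaaS console: (email, status, last login date or None).
APP_EXPORTS = {
    "crm_app": [
        ("alice@example.com", "active", date(2009, 2, 20)),
        ("bob@example.com", "active", date(2009, 2, 3)),       # used after leaving
        ("carol@example.com", "inactive", date(2008, 11, 28)),  # correctly disabled
        ("erin@example.com", "active", date(2009, 2, 19)),     # unknown to HR
    ],
    "billing_app": [
        ("bob@example.com", "active", date(2009, 1, 10)),      # enabled, not yet used
        ("dave@example.com", "active", None),
    ],
}

def reconcile(roster, exports, as_of, grace_days=0):
    """Per app: accounts still active past termination (plus an optional grace
    period), accounts used after termination, and accounts HR has no record of."""
    findings = {}
    for app, rows in exports.items():
        orphaned, used_after_exit, unknown = [], [], []
        for email, status, last_login in rows:
            if email not in roster:
                unknown.append(email)          # contractor, shared or rogue account
                continue
            term = roster[email]
            if term is None:
                continue                       # current employee, nothing to do
            if status == "active" and as_of > term + timedelta(days=grace_days):
                orphaned.append(email)
            if last_login is not None and last_login > term:
                used_after_exit.append(email)
        findings[app] = {"orphaned": orphaned, "used_after_exit": used_after_exit,
                         "unknown_to_hr": unknown}
    return findings

def summarize(findings):
    """Roll the per-app findings up to people, the unit the study counts in."""
    orphaned = {e for f in findings.values() for e in f["orphaned"]}
    used = {e for f in findings.values() for e in f["used_after_exit"]}
    return {"retained_access": sorted(orphaned), "used_access_after_exit": sorted(used)}

if __name__ == "__main__":
    found = reconcile(HR_ROSTER, APP_EXPORTS, as_of=date(2009, 2, 23))
    for app, f in found.items():
        print(app, f)
    print(summarize(found))
```

The `used_after_exit` list is the important one: an orphaned account is a control failure, but an orphaned account with a login after the termination date is the survey’s 32% and belongs in incident handling, not just in the clean-up queue. The `unknown_to_hr` list catches the accounts a roster-driven deprovisioning process can never disable because nothing in HR ever pointed at them.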