Author Archive

VeriSign’s New Cloud Identity Initiative

April 21, 2010

We’re very excited today about the VeriSign announcement of a new industry collaboration (which includes Conformity) to build trusted online identity solutions that will help accelerate SaaS and cloud adoption.   In conjunction with the initiative, we’re working with VeriSign as well as Ping Identity, Qualys and TriCipher to establish a blueprint for achieving identity trust by combining technologies and services with proven policies and certification programs.   The effort spans the major requirements for achieving identity trust, including

  • Strong mutual identification
  • Provisioning
  • Federation
  • Vulnerability and Compliance Management

We totally agree with Nico Popp, vice president of product development at VeriSign when he says “Trust won’t happen if users worry their identities are vulnerable, or if they’re unsure whether the cloud-based service they’re accessing is legitimate.  That makes identity trust the essential ingredient for cloud migration – and an industry imperative for SaaS providers.”

Read the full announcement here >>

Advertisements

Come See Conformity at Under the Radar

April 9, 2010

We’re excited to announce that Conformity will be presenting at the Under the Radar Conference, next Friday April 16th at the Microsoft Conference Center in Mountain View.   This years’ conference is focused on ‘Commercializing the Cloud’, and we’ll be presenting in the Compliance session from 11:30 to 12:30. Our moderator will be David Berlind, Editor-in-chief – TechWeb.com, and judges for our track will include:

We’re excited about participating in this great event, and hope to see you there!

An Internal Auditor’s Perspective on SaaS…

March 31, 2010

We recently spent some time with Sixto Bernal, Director of Internal Audit at SuccessFactors, who shared some very interesting insights on the governance and compliance challenges being created by SaaS and cloud applications, including:

  • The need for consistent user provisioning and management across SaaS applications
  • How each new SaaS deployment ‘scales the pain’ for IT management and auditors
  • The unsustainability of manual approaches to managing SaaS silos

View the full discussion here:

Get a Free SaaS Identity Audit from Conformity

March 8, 2010

As we’ve frequently discussed here in this blog, SaaS identity ’silos’ are creating major headaches for companies moving to the cloud. In fact we’re finding that  in most organizations 5-20% of SaaS user identities have errors or mismatches that can result in major security and compliance risks.  Some of these issues include:

  • Orphaned user accounts
  • Duplicate user identities
  • Misaligned user data
  • Inappropriate user roles and permissions
  • Unauthorized ’super admins’

We’re excited to announce that for a limited time Conformity is offering a free SaaS Identity Assessment that will help organizations identify user identity gaps and mismatches with their SaaS deployments and corporate directories. With the assessment, Conformity SaaS identity experts will provide:

  • A summary report of major SaaS identity exceptions
  • Assessment of potential audit and compliance risks
  • Recommended best practices and policies for aligning SaaS user identities

Click on the link below to learn more about our free assessment, and let Conformity help you and your organization get ahead of the curve on SaaS audit and compliance issues.

Click here to learn more >>

SaaS Adoption and the ‘Scaling’ of Management Pain

March 2, 2010

The current approach most organizations are taking to managing SaaS applications and user access is unsustainable.

In our webinar today on SaaS, Access Controls and Compliance (an on-demand recording can be viewed here), we shared the reasons we think organizations are setting themselves up for a costly fall as they accelerate SaaS and cloud adoption:

  • The hidden costs of cloud applications – as SaaS apps have largely been deployed around IT, the costs of management and administration have also remained ‘hidden’  from CIOs and IT executives.  Manual, redundant administration of users and access results in costs and risks that often shock executives when we bring it to their attention.  For example, we’re finding that identity ‘exceptions’ across SaaS apps in customer environments typically range from 5-20%.  Translation – nearly 1 in 5 SaaS users today have inappropriate access or multiple, inconsistent identities across systems.  The risk and compliance implications of this go without saying…
  • The scaling of management pain – each new SaaS app deployed creates another ‘source’ of user identity and associated authorizations.  The need to understand roles, profiles and permissions across apps means that the hidden costs and risks of SaaS expand exponentially with adoption.  Thus not only are costs not yet visible at the executive level, they’re rapidly scaling with SaaS and cloud adoption!
  • The oncoming SaaS management ‘tsunami’ – it’s almost universally true that SaaS and cloud adoption is accelerating across nearly every market segment.  Combine this fact with the ‘scaling’ of management pain, and you start to see why we think organizations are headed for trouble.   While today it appears that manual and spreadsheet-based approaches to managing SaaS users and access will ‘work for now’, trouble is rapidly growing beneath the surface, as internal auditors, IT operations and administrators will tell you.

IT management problems are often analagous to heart disease  – foresight and preventative steps (diet and exercise) are far preferable to open heart surgery after the problem gets out of control.

Unfortunately as SaaS and cloud adoption accelerates many organizations today are on the costly path to the operating table…

Top Ten Things IT Auditors Need to Know about SaaS

February 14, 2010

Despite the business benefits of using SaaS, there are well known risks and challenges related to loss of control, security, integrity, privacy and availability.  As cloud usage grows, compliance risks are going to increase, as is the case with any new wave of technology.

IT auditors should gain an understanding of any new technologies and/or systems to be audited and be aware of the key control issues related to SaaS.  In addition, IT auditors need to be involved with their organization’s cloud computing plans starting at assessment stage to help ensure identification and mitigation of risks.  Unfortunately, IT and auditors have many times been ‘out of the loop’, as SaaS applications have often been deployed directly by business users.

To help ensure that internal auditors are prepared to address potential control issues in their organizations, we’ve recently released a new whitepaper on the top ten facts that IT auditors need to know about SaaS and cloud applications.  In it learn key facts about cloud applications that will help organizations prepare for the increased scrutiny being place on access controls around SaaS and other virtualized resources.

Click here to request a free copy >>

Conformity Announces Integration and Partnership with VeriSign

February 10, 2010

We are excited to announce today a new partnership and integration with VeriSign. With our integration with the VeriSign® Identity Protection (VIP) Authentication Service , Conformity customers will have the ability to secure and safeguard critical cloud application access and authorization information, and have the ability to provide enterprise-class security to Conformity users. We also plan on extending our integration with VIP to provide additional functionalities to our customers in the areas of provisioning and policy enforcement.

In addition, we have also announced that we will be referring each other’s offerings to enteprise customers with a need for enhanced user authentication and authorization management for their cloud applications and users, and to engage in joint marketing and sales activities. We’re excited about the partnership, and look forward to working with the VeriSign team and our joint customers.

Introducing our newest contributor, Tom Bishop

February 4, 2010

We’re excited to welcome Tom Bishop on board as our new CTO here at Conformity, and as the newest contributor to this blog.

As we’ve discussed here, the nature of SaaS and virtualized resources is driving a fundamental rethink of what identity and systems management needs to be in increasingly cloud-centric environments. Migration of business-critical applications from on-premise to cloud doesn’t remove the need for some level of control and visibility (i.e. management), just changes it. Our mission at Conformity is to lead the transformation of identity and systems management for the cloud, and we are excited to have Tom on board to help lead the charge.

Tom is a true visionary in the systems management space, and has played critical roles in several pioneering management solution vendors, having served as CTO at Tivoli Systems before and after it’s acquisition by IBM, and as the CTO at BMC Software. Tom is well known as a technology innovator, having led the development of industry standards such as the Distributed Management Task Force (DMTF), the CMDB federation specification and POSIX.

We welcome him to Conformity, and look forward to his contributions to our forum…

Conformity and Ping announce cloud identity partnership

February 2, 2010

We are excited to announce today a new partnership with Ping Identity, which will provide joint customers comprehensive visibility and control of user access and usage of SaaS and cloud-based applications. Ping Identity’s solutions provide a single control point for enterprise users accessing hundreds of leading cloud services. Deployed together, the Ping and Conformity solutions provide enterprise customers the ability to manage and control user access and authorizations to cloud applications and resources across the employee lifecycle.

We wholeheartedly agree with Tom Fisher, Vice President of Cloud Computing at SuccessFactors, who comments that “access and identity management issues are becoming more prevalent and painful as enterprises transition to SaaS and cloud-based applications. Ping and Conformity together help to take the issues off the table.” We’re looking forward to working with Ping in helping our joint enterprise customers address the identity management challenges as they migrate applications and resources to the cloud.

Recap: Enterprise SaaS Working Group – Identity Management in the Cloud

December 4, 2009

We had a great second meeting of the Enterprise SaaS Working Group this week, which focused on the topic of access and identity management for the cloud.  Participants in the session included Chris Bedi from VeriSign, Peter Dapkus from  Salesforce.com, Ryan Nichols from Appirio (who also provided a great summary of the event on the Appirio blog), Steve Coplan from  The 451 Group, Michael Amend from Dell, Doug Harr from Ingres and Scott Carruth from Initiate Systems.   Our initial discussion focused on the unique management challenges created by SaaS and cloud applications due to the the identity silos they create in the enterprise as shown below.

Cloud identity in the enterprise

The ensuing roundtable discussion focused on the impact these issues are having in the enterprises, with a particular focus on the following topics:

  • Speed bump or show stopper – on the question of whether access and identity management issues were a going to be a ‘speed bump’ or ‘show stopper’ for SaaS adoption in the enterprise, the answer really revolved around timing and depth of penetration.  While today it is more of a speed bump for initial adoption in the enterprise (or else we wouldn’t be seeing enterprise deals today), the issues become more problematic when considering what it will take for SaaS and cloud applications to become a ‘mainstream’ technology. Taken from that perspective, there was agreement that identity issues around access, authentication and authorization created by SaaS identity ‘silos’ were going to soon become major, and that they need to be reconciled and addressed.  
  • The directory redefined – one of the questions we posed around the future of the corporate directory, and whether enterprises would ever permit it to live in the cloud.  Chris Bedi of VeriSign made the great point that the more relevant and important question is around what a directory really becomes in a cloud-centric environment – where it ends up residing will be a function of how that question is answered.
  • Federated identity – related to the directory point, the group generally also agreed that in a cloud-centric (or even hybrid SaaS/on-prem environment) that there was unlikely to be a monolithic directory or source of identity related data, and that SaaS applications, HR systems and directories (on-prem and cloud) would also likely each contain ‘versions of the truth’ that will need to be synchronized and federated.  Ryan Nichols provided a very interesting example of how Appirio themselves have built a cloud-centric organization with Salesforce.com and Google both providing separate but complementary directory and identity data.
  • Identity done right – Doug Harr made the excellent point that current cloud identity challenges actually offer an opportunity for SMB and midsize enterprises who haven’t been able to invest in identity and systems management technologies to date to ‘get it right’.   IAAS and cloud-based identity management services will likely make these capabilities cost-effective for these target markets for the first time, enabling these organizations to effectively ‘white sheet’ their identity management approaches for both cloud and on-premise applications.

The full recording of the webinar is available and can be access by clicking here.  Please drop us an email as eswg@conformity-inc.com to be added to our mailing list, and to be notified of future Enterprise SaaS Working Group news and events.