Archive for the ‘GRC’ Category

An Internal Auditor’s Perspective on SaaS…

March 31, 2010

We recently spent some time with Sixto Bernal, Director of Internal Audit at SuccessFactors, who shared some very interesting insights on the governance and compliance challenges being created by SaaS and cloud applications, including:

  • The need for consistent user provisioning and management across SaaS applications
  • How each new SaaS deployment ‘scales the pain’ for IT management and auditors
  • The unsustainability of manual approaches to managing SaaS silos

View the full discussion here:

SaaS Adoption and the ‘Scaling’ of Management Pain

March 2, 2010

The current approach most organizations are taking to managing SaaS applications and user access is unsustainable.

In our webinar today on SaaS, Access Controls and Compliance (an on-demand recording can be viewed here), we shared the reasons we think organizations are setting themselves up for a costly fall as they accelerate SaaS and cloud adoption:

  • The hidden costs of cloud applications – as SaaS apps have largely been deployed around IT, the costs of management and administration have also remained ‘hidden’ from CIOs and IT executives.  Manual, redundant administration of users and access results in costs and risks that often shock executives when we bring them to their attention.  For example, we’re finding that identity ‘exceptions’ across SaaS apps in customer environments typically range from 5-20%.  Translation – nearly 1 in 5 SaaS users today have inappropriate access or multiple, inconsistent identities across systems.  The risk and compliance implications of this go without saying…
  • The scaling of management pain – each new SaaS app deployed creates another ‘source’ of user identity and associated authorizations.  The need to understand roles, profiles and permissions across apps means that the hidden costs and risks of SaaS expand exponentially with adoption.  Thus not only are costs not yet visible at the executive level, they’re rapidly scaling with SaaS and cloud adoption!
  • The oncoming SaaS management ‘tsunami’ – it’s almost universally true that SaaS and cloud adoption is accelerating across nearly every market segment.  Combine this fact with the ‘scaling’ of management pain, and you start to see why we think organizations are headed for trouble.   While today it appears that manual and spreadsheet-based approaches to managing SaaS users and access will ‘work for now’, trouble is rapidly growing beneath the surface, as internal auditors, IT operations and administrators will tell you.
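The identity ‘exceptions’ referred to above are what an auditor finds by reconciling each SaaS application’s user export against the corporate directory; the centralized deprovisioning and directory synchronization described in the September 30 announcement further down this page come down to the same reconciliation, done continuously. The following Python script is an added illustration, not code from this post or from Conformity’s product. The directory, the two application exports and every address in them are constructed sample data, deliberately dense with problems. It flags four kinds of exception (orphaned accounts unknown to the directory, accounts still held by terminated users, accounts created under an alias rather than the primary address, and one person holding several accounts in the same app) and computes the exception rate that the 5-20% figure above measures.

```python
from collections import Counter, defaultdict

# Constructed corporate directory export (hypothetical data, not from the post).
# Key is the primary address; 'aliases' are secondary addresses a person may
# have used when signing up for a SaaS app on their own.
DIRECTORY = {
    "alice@example.com": {"active": True,  "aliases": []},
    "bob@example.com":   {"active": True,  "aliases": ["robert@example.com"]},
    "carol@example.com": {"active": False, "aliases": []},  # has left the company
    "dave@example.com":  {"active": True,  "aliases": ["dave.smith@example.com"]},
}

# Constructed per-application user exports, the kind of list an admin console
# lets you download as CSV. Deliberately dense with problems for illustration.
SAAS_EXPORTS = {
    "crm": [
        {"login": "alice@example.com", "role": "user"},
        {"login": "Robert@example.com", "role": "admin"},     # Bob, under an alias
        {"login": "carol@example.com", "role": "user"},       # terminated, still provisioned
        {"login": "contractor9@gmail.com", "role": "user"},   # unknown to the directory
    ],
    "expenses": [
        {"login": "alice@example.com", "role": "user"},
        {"login": "bob@example.com", "role": "approver"},
        {"login": "dave@example.com", "role": "user"},
        {"login": "dave.smith@example.com", "role": "user"},  # Dave twice in one app
    ],
}


def build_identity_index(directory):
    """Map every known address (primary or alias), lower-cased, to its primary key."""
    index = {}
    for primary, record in directory.items():
        index[primary.lower()] = primary
        for alias in record["aliases"]:
            index[alias.lower()] = primary
    return index


def find_exceptions(directory, exports):
    """Return (app, login, kind) tuples for every account that fails reconciliation.

    kinds:
      orphan     - login matches nobody in the directory
      terminated - directory says the person is inactive but the account still exists
      alias      - account was created under a secondary address, not the primary one
      duplicate  - one person holds more than one account in the same app
    """
    index = build_identity_index(directory)
    exceptions = []
    for app, accounts in exports.items():
        per_person = defaultdict(list)  # primary address -> logins seen in this app
        for account in accounts:
            login = account["login"].strip().lower()
            primary = index.get(login)
            if primary is None:
                exceptions.append((app, account["login"], "orphan"))
                continue
            if not directory[primary]["active"]:
                exceptions.append((app, account["login"], "terminated"))
            if login != primary.lower():
                exceptions.append((app, account["login"], "alias"))
            per_person[primary].append(account["login"])
        for logins in per_person.values():
            if len(logins) > 1:
                exceptions.extend((app, login, "duplicate") for login in logins)
    return exceptions


def exception_rate(directory, exports):
    """Share of SaaS accounts with at least one exception (what the 5-20% figure measures)."""
    flagged = {(app, login) for app, login, _ in find_exceptions(directory, exports)}
    total = sum(len(accounts) for accounts in exports.values())
    return len(flagged) / total if total else 0.0


if __name__ == "__main__":
    found = find_exceptions(DIRECTORY, SAAS_EXPORTS)
    for app, login, kind in found:
        print(f"{app:9} {login:26} {kind}")
    print(Counter(kind for _, _, kind in found))
    print(f"exception rate: {exception_rate(DIRECTORY, SAAS_EXPORTS):.0%}")
```

Matching on a lower-cased address plus the directory’s alias list is what turns “Robert@example.com” and “dave.smith@example.com” from apparent strangers into known people with inconsistent identities; without that step they would be reported as orphans and the terminated-user and duplicate checks would never fire. In practice the same loop runs over every application export in the estate, which is why each new SaaS app adds to the reconciliation work rather than replacing it.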

IT management problems are often analogous to heart disease – foresight and preventative steps (diet and exercise) are far preferable to open heart surgery after the problem gets out of control.

Unfortunately, as SaaS and cloud adoption accelerates, many organizations today are on the costly path to the operating table…

Top Ten Things IT Auditors Need to Know about SaaS

February 14, 2010

Despite the business benefits of using SaaS, there are well known risks and challenges related to loss of control, security, integrity, privacy and availability.  As cloud usage grows, compliance risks are going to increase, as is the case with any new wave of technology.

IT auditors should gain an understanding of any new technologies and/or systems to be audited and be aware of the key control issues related to SaaS.  In addition, IT auditors need to be involved with their organization’s cloud computing plans starting at the assessment stage to help ensure identification and mitigation of risks.  Unfortunately, IT and auditors have often been ‘out of the loop’, as SaaS applications have frequently been deployed directly by business users.

To help ensure that internal auditors are prepared to address potential control issues in their organizations, we’ve recently released a new whitepaper on the top ten facts that IT auditors need to know about SaaS and cloud applications.  In it, you’ll learn key facts about cloud applications that will help organizations prepare for the increased scrutiny being placed on access controls around SaaS and other virtualized resources.

Click here to request a free copy >>

12/2 Enterprise SaaS Working Group webinar – Access and Identity Management for the Cloud

November 16, 2009

We’re excited to announce that on December 2nd at 10:00am PST / 1:00pm EST we’ll be holding the second meeting of the Enterprise SaaS Working Group on the topic of Access and Identity Management for the Cloud.

One of the recognized challenges with SaaS in the enterprise is the silos of identity that are created by cloud applications. Each service contains its own ‘version of the truth’ around users, permissions and credentials, disconnected from legacy directory services and identity management systems. Based on feedback from our first event, this meeting will focus on the identity management and access control issues that need to be addressed for SaaS to become truly mainstream in the enterprise. Discussion will focus on several questions including:

  • SaaS identity issues in the enterprise – speed bump or show stopper?
  • What will be the identity source(s) in a cloud-centric world?
  • Can separate cloud and on-premise user identities co-exist?
  • Will enterprise IT ever put corporate directories in the cloud?

Participants in the session will include:

The discussion will focus on critical issues and corresponding best practices in the areas of access management, authentication, identity synchronization and identity policy enforcement and will include a Q&A session open to all attendees. Click here for more information and to register for this exciting event!

Register now >>

Conformity Announces GA Release of First Enterprise-Class Management Platform for SaaS and Cloud Apps

September 30, 2009

We’re excited to announce today the general availability of the Conformity solution, which provides customers the first enterprise-class management platform for cloud applications and users.  The Conformity solution is designed to arm enterprises with the same level of visibility and control over on-demand applications as they’ve come to expect with traditional packaged apps.  With our solution, enterprises can now be confident bringing new cloud applications into their business environments, knowing there will no longer be compromises made in the areas of management processes, insight and control.  With today’s GA, enterprises can:

  • Increase data security and reduce compliance risks
  • Optimize license allocation and expenses
  • Automate and streamline administration
  • Expand and extend enterprise usage of SaaS and cloud applications

Specific capabilities of the Conformity solution include:

  • User provisioning – provides a centralized point of provisioning and deprovisioning of user accounts within cloud applications, and ongoing management of user permissions and authorizations.
  • Role and profile management – enables organizations to centrally manage cloud application roles, profiles and permissions through normalized permission models, and maps policies to users and roles.
  • Approval workflows – provides auditable cross-functional approval processes for users requiring new or amended access permissions, or role and profile changes.
  • Directory integration – enables organizations to seamlessly synchronize Conformity’s user repository with on-premise directory services.
  • Compliance reporting – provides reports required for effective preparation for audits for SOX, HIPAA, PCI and other regulatory mandates and standards.
  • Usage analytics – provides visibility, analytics and reporting on cloud application and license utilization.
  • Change management – enables archiving, management and recovery of application configurations and role models.

The Conformity platform provides templates, tools and workflow needed to manage all cloud applications in a customer’s environment.  Conformity also provides additional analytics, reporting and provisioning automation through integrations with the following leading cloud applications:

The Conformity platform also supports directory integration for Microsoft Active Directory, and is compatible with industry standards such as SPML, SAML and WS-Federation.

Please click here to read the full announcement, and stay tuned for more upcoming news!!!

Mark your calendar – Enterprise SaaS Working Group webinar

August 28, 2009

We’re excited to announce that on September 30th at 11:00am PDT / 2:00pm EDT we’ll be holding the first event in our Best Practices webinar series, featuring a roundtable discussion with the Enterprise SaaS Working Group. Comprised of recognized thought leaders and visionaries in SaaS and cloud computing, the group will discuss the challenges and issues that need to be overcome for SaaS and cloud applications to become truly ‘enterprise-ready’. Participants in the session will include:

The discussion will focus on critical issues and corresponding best practices in the areas of management, governance, security and compliance, and will include a Q&A session open to all attendees. Click here for more information and to register for this exciting event!

Success in the Enterprise – Making SaaS Manageable

August 3, 2009

As we heard once again last week at Catalyst from end-users, partners and vendors alike, many large enterprises are now finally taking a serious look at how to effectively leverage SaaS and cloud applications in their environments.   As we’ve observed in this blog before, enterprise CIOs are also finding that there are no easy answers to how to address the fundamentally disruptive impact that SaaS and cloud-based applications have on current IT management approaches.

The issue comes down to this: if a third party controls the software, data and access, and the CIO no longer has the capabilities to directly monitor and manage software operations, how can the CIO fulfill his or her responsibility for governance and compliance?  It’s a question that SaaS vendors must address if they expect to effectively compete and succeed in the enterprise marketplace.

Our new white paper titled Success in the Enterprise: Making SaaS Manageable examines the CIO’s need to manage SaaS applications as part of the larger responsibility for systems management in the enterprise.  It also looks at steps SaaS vendors can begin to take to meet this need, and outlines best practices in the following areas:

  • APIs
  • Activity access
  • Performance monitoring
  • Back office visibility
  • Standards

The enterprise continues to present an enormous opportunity for SaaS vendors, but to capture this opportunity vendors need to take the next steps to ensure their services provide the management visibility needed to be truly enterprise-ready, and that they address the unique identity and systems management challenges created by the SaaS model.

This is the first in a series of best practice white papers that Conformity will be publishing for SaaS vendor executives to help the industry meet the needs of enterprise CIOs and their teams.  Please visit our website to download a copy of Success in the Enterprise and to subscribe for future white papers, and to learn more about how we can help SaaS vendors address IT enterprise challenges.

SaaS, the Cloud and the ‘Big Bang’

May 11, 2009

Here at Conformity we recently wrapped up some interesting market research on the topic of adoption of SaaS and cloud-based services and the management challenges it is creating for organizations and their IT departments in particular.  Conducted in conjunction with a leading analyst firm, we spoke with IT and business executives at nearly 50 midsize and large enterprises that were adopters of multiple SaaS applications, and who were planning on extending their adoption of the model.  We’ve summarized our findings in a new whitepaper titled SaaS, the Cloud and the Big Bang.

The results?

In organizations we spoke with, business users drove the initial wave of SaaS adoption and largely took on the associated management and support responsibilities.   In a pattern similar to what happened with distributed computing 15-20 years earlier, as SaaS adoption hit ‘critical mass’ in these organizations (particularly those with compliance exposure),  IT has been brought in to extend existing management processes, controls and tools to SaaS and cloud-based resources.

The problem?  SaaS and cloud-based services are fundamentally exploding the traditional IT management model, due to:

  • Decentralization of management – in ‘traditional’ management environments, IT has near complete responsibility and accountability for governance and management of technology resources.  The focus on autonomous IT governance and management has increased due to increasing regulatory compliance requirements (SOX, GLBA, HIPAA, PCI etc) and the resulting increase in adoption of best practice policy and control frameworks (ITIL, COBIT, ISO 17799/27001, 27002).  In the SaaS world, business users have taken on management and support responsibilities traditionally owned by IT.  For example, activities such as user provisioning and permissions management, role and profile management, application customization and configuration, and vendor management are now decentralized and distributed in many organizations.
  • Loss of control – in addition to the applications themselves, metadata on users, role and profile models, authorization and credential stores, usage activity and application performance all move outside the corporate firewall.  IT loses visibility and control over this critical management data that is now fragmented across heterogeneous SaaS service providers, in addition to the applications and users themselves.
  • Broken integrations – many IT processes around application and user management are highly automated, supported by integration with on-premise directory services, identity management and systems management solutions.  These integrations largely ‘break’ in an on-demand world, and organizations are rapidly finding that creating a new management ‘blade’ for a given SaaS app in a legacy management application is not a realistic, cost-effective answer.  Additionally, SaaS applications must be integrated into existing business processes through configuration and management by line-of-business users, with little or no ability to automate integration into cross-application business processes.

While it is still early, clear perspectives are starting to emerge on what a new generation of management solutions will need to include to address the unique challenges of on-demand environments.  Organizations are finding that SaaS and cloud-based service models are driving a convergence in identity and systems management issues, which will require the reinvention of solutions that address these issues.  Areas such as user access management, policy monitoring and enforcement, data integration and management, and business process integration all need a fundamental ‘rethink’ in a cloud-based world.

If you’re interested in receiving a copy of the whitepaper, please contact us.