Archive for the ‘HIPAA’ Category

Get a Free SaaS Identity Audit from Conformity

March 8, 2010

As we’ve frequently discussed here in this blog, SaaS identity ‘silos’ are creating major headaches for companies moving to the cloud. In fact, we’re finding that in most organizations 5-20% of SaaS user identities have errors or mismatches that can result in major security and compliance risks. Some of these issues include:

  • Orphaned user accounts
  • Duplicate user identities
  • Misaligned user data
  • Inappropriate user roles and permissions
  • Unauthorized ‘super admins’
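The five exception classes above are what an identity audit actually checks for when a SaaS user export is reconciled against the corporate directory. The script below is an added example written for this page, not Conformity’s assessment tooling: it embeds a constructed directory extract and a constructed SaaS user list (the column names, profile names, department-to-profile policy and approved-admin list are all assumptions), joins them on normalized e-mail address, and reports orphaned accounts, duplicate identities, misaligned user data, inappropriate roles and unauthorized super admins.

```python
"""Reconcile a SaaS user export against a corporate directory export.

Added example for this post, not the vendor's own tool.  All sample data and
policy tables below are constructed; the column and profile names are
assumptions rather than any real SaaS vendor's schema.
"""
import csv
import io
from collections import defaultdict

# Constructed corporate-directory export (what an HR/LDAP extract might look like).
DIRECTORY_CSV = """email,name,department,status
alice@example.com,Alice Adams,Sales,active
bob@example.com,Bob Brown,Sales,active
carol@example.com,Carol Clark,Finance,active
dave@example.com,Dave Dunn,Engineering,terminated
erin@example.com,Erin Evans,IT,active
"""

# Constructed SaaS user export (e.g. a CRM's user list).  Note the second
# Alice account differs only in e-mail letter case.
SAAS_CSV = """username,email,name,department,profile
aadams,alice@example.com,Alice Adams,Sales,Sales User
alice.a,Alice@Example.com,Alice Adams,Sales,Sales User
bbrown,bob@example.com,Bob Brown,Marketing,Sales User
cclark,carol@example.com,Carol Clark,Finance,System Administrator
ddunn,dave@example.com,Dave Dunn,Engineering,Sales User
eevans,erin@example.com,Erin Evans,IT,System Administrator
fmiller,frank@example.com,Frank Miller,Sales,Sales User
"""

# Policy assumptions: which SaaS profiles each department may hold, and which
# directory identities are approved to hold the super-admin profile.
ALLOWED_PROFILES = {
    "Sales": {"Sales User"},
    "Finance": {"Finance User", "Sales User"},
    "Engineering": {"Sales User"},
    "IT": {"System Administrator", "Sales User"},
}
SUPER_ADMIN_PROFILE = "System Administrator"
APPROVED_ADMINS = {"erin@example.com"}


def load(csv_text):
    """Parse a CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def norm(email):
    """Normalize an e-mail address so case/whitespace variants join correctly."""
    return email.strip().lower()


def reconcile(directory_rows, saas_rows):
    """Return {exception_class: [usernames]} for every SaaS identity exception."""
    directory = {norm(r["email"]): r for r in directory_rows}
    findings = defaultdict(list)

    # Group SaaS accounts by the person they claim to belong to.
    by_email = defaultdict(list)
    for acct in saas_rows:
        by_email[norm(acct["email"])].append(acct["username"])

    for acct in saas_rows:
        email = norm(acct["email"])
        user = acct["username"]
        person = directory.get(email)

        # Orphaned: no active directory record backs this SaaS account.
        if person is None or person["status"] != "active":
            findings["orphaned"].append(user)
            continue

        # Misaligned: the directory and the SaaS app disagree about the person.
        if person["name"] != acct["name"] or person["department"] != acct["department"]:
            findings["misaligned"].append(user)

        # Inappropriate role: profile not permitted for the person's department
        # (the directory, not the SaaS record, is the source of truth here).
        allowed = ALLOWED_PROFILES.get(person["department"], set())
        if acct["profile"] not in allowed:
            findings["inappropriate_role"].append(user)

        # Unauthorized super admin: admin profile held by an unapproved identity.
        if acct["profile"] == SUPER_ADMIN_PROFILE and email not in APPROVED_ADMINS:
            findings["unauthorized_super_admin"].append(user)

    # Duplicate: more than one SaaS account resolves to the same person.
    for users in by_email.values():
        if len(users) > 1:
            findings["duplicate"].append(sorted(users))

    return dict(findings)


def audit():
    """Run the reconciliation over the embedded sample exports."""
    return reconcile(load(DIRECTORY_CSV), load(SAAS_CSV))


if __name__ == "__main__":
    for exception_class, users in sorted(audit().items()):
        print(f"{exception_class}: {users}")
```

The directory is treated as the source of truth for department and status, so a terminated employee who still holds a SaaS login shows up as orphaned rather than as a data mismatch, and a role check is made against the directory's department rather than whatever department the SaaS record claims. Real exports rarely share a clean join key, so in practice the e-mail normalization step is where most of the effort goes.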

We’re excited to announce that for a limited time Conformity is offering a free SaaS Identity Assessment that will help organizations identify user identity gaps and mismatches with their SaaS deployments and corporate directories. With the assessment, Conformity SaaS identity experts will provide:

  • A summary report of major SaaS identity exceptions
  • Assessment of potential audit and compliance risks
  • Recommended best practices and policies for aligning SaaS user identities

Click on the link below to learn more about our free assessment, and let Conformity help you and your organization get ahead of the curve on SaaS audit and compliance issues.

Click here to learn more >>

SaaS, the Cloud and the ‘Big Bang’

May 11, 2009

Here at Conformity we recently wrapped up some interesting market research on the topic of adoption of SaaS and cloud-based services and the management challenges it is creating for organizations, and for their IT departments in particular. Working with a leading analyst firm, we spoke with IT and business executives at nearly 50 midsize and large enterprises that had adopted multiple SaaS applications and were planning to extend their adoption of the model. We’ve summarized our findings in a new whitepaper titled SaaS, the Cloud and the Big Bang.

The results?

In organizations we spoke with, business users drove the initial wave of SaaS adoption and largely took on the associated management and support responsibilities.   In a pattern similar to what happened with distributed computing 15-20 years earlier, as SaaS adoption hit ‘critical mass’ in these organizations (particularly those with compliance exposure),  IT has been brought in to extend existing management processes, controls and tools to SaaS and cloud-based resources.

The problem?  SaaS and cloud-based services are fundamentally exploding the traditional IT management model, due to:

  • Decentralization of management – in ‘traditional’ management environments, IT has near complete responsibility and accountability for governance and management of technology resources. The focus on autonomous IT governance and management has increased due to growing regulatory compliance requirements (SOX, GLBA, HIPAA, PCI etc.) and the resulting increase in adoption of best practice policy and control frameworks (ITIL, COBIT, ISO 17799/27001, 27002). In the SaaS world, business users have taken on management and support responsibilities traditionally owned by IT. For example, activities such as user provisioning and permissions management, role and profile management, application customization and configuration, and vendor management are now decentralized and distributed in many organizations.
  • Loss of control – in addition to the applications themselves, metadata on users, role and profile models, authorization and credential stores, usage activity and application performance all move outside the corporate firewall.  IT loses visibility and control over this critical management data that is now fragmented across heterogeneous SaaS service providers, in addition to the applications and users themselves.
  • Broken integrations – many IT processes around application and user management are highly automated, supported by integration with on-premise directory services, identity management and systems management solutions. These integrations largely ‘break’ in an on-demand world, and organizations are rapidly finding that creating a new management ‘blade’ for a given SaaS app in a legacy management application is not a realistic, cost-effective answer. Additionally, SaaS applications must be integrated into existing business processes through configuration and management by line-of-business users, with little or no ability to automate integration into cross-application business processes.

While it is still early, clear perspectives are starting to emerge about what a new generation of management solutions will need to include to address the unique challenges of on-demand environments. Organizations are finding that SaaS and cloud-based service models are driving a convergence of identity management and systems management issues, which will require the reinvention of the solutions that address them. Areas such as user access management, policy monitoring and enforcement, data integration and management, and business process integration all need a fundamental ‘rethink’ in a cloud-based world.

If you’re interested in receiving a copy of the whitepaper, please contact us.

Cover your eyes !?!

August 8, 2007

A recent article in InformationWeek discussed ‘How 9 Hot Technologies Can Blow Up In Your Face’ – naturally, SaaS was one of the nine discussed.

The SaaS shortfalls?

The first is a familiar issue to us – the post-access security and privacy of sensitive data hosted in SaaS applications. The perceived security issues around the external risks of hosting data offsite with a third-party SaaS vendor receive a great deal of attention (in our minds a little bit too much). The underappreciated risk is often the internal risk associated with employee access to SaaS applications and related data, which in many cases is not monitored and is loosely managed. The example they give is that “you don’t necessarily want your New York sales reps to see sales data from reps in New Jersey” (yes, there’s probably a Sopranos joke in here somewhere…). The risks become even clearer when you start to think about the functional areas that SaaS is beginning to rapidly penetrate in addition to sales/CRM, and the sensitivity of the data that resides there (ERP, HR etc.).

The second issue was one that was a bit new to us. The article discusses the need for organizations that are subject to compliance mandates or standards such as HIPAA or SOX to have copies of critical hosted data on site. Rarely do compliance acts or standards explicitly mandate actions like this (SOX, as it’s merely a paragraph, certainly does not). Instead, organizations (at least the better ones) implement standard IT process and control frameworks like ITIL, COBIT and ISO to help them demonstrate due care and show that they’ve implemented an appropriate set of internal controls.

We haven’t run across any organizations that are being instructed by their internal or external audit teams to ensure onsite replication of SaaS-hosted data for compliance purposes, but we would love to hear from anyone who has.