Archive for the ‘IaaS’ Category

On the subject of password management…

August 19, 2010

There is an interesting movement happening in and around the identity management space: a struggle is going on between the desire to have a single universal and secure way of accessing resources and applications, and finding the right third party to “trust” with your access.

A variety of technologies and vendors are involved including SAML, Active Directory, individual passwords, and some of the social media vendors such as Facebook and Twitter, to name a few. And of course, all the other cloud, enterprise, and identity vendors have a dog in this fight too.

Here at Conformity we are clearly a part of the discussion, and ultimately we hope, part of the solution, but the ugly truth is the vast majority of current secure website services and SaaS business applications still use passwords for their primary authentication model. Andrew Jaquith’s blog entry on “The Rationality Of Re-Using Passwords” makes an observation that passwords will be around for a long time, which is a point of view that I share.

Since we are on the topic of passwords and logins, I need to mention that Conformity just introduced a new product, ConformityConnect, that is designed to be a simple-to-use, simple-to-deploy, and simple-to-administer way of securely managing the plethora of logins that we face every day at work. If you find yourself drowning in passwords, this might be the life saver you’ve been looking for. It also lays a foundation for addressing some of the other issues I raised above. Sometimes the best policy is to trust no one but yourself.

You can try ConformityConnect out for free by clicking HERE.

An Internal Auditor’s Perspective on SaaS…

March 31, 2010

We recently spent some time with Sixto Bernal, Director of Internal Audit at SuccessFactors, who shared some very interesting insights on the governance and compliance challenges being created by SaaS and cloud applications, including:

  • The need for consistent user provisioning and management across SaaS applications
  • How each new SaaS deployment ‘scales the pain’ for IT management and auditors
  • The unsustainability of manual approaches to managing SaaS silos

View the full discussion here:

Get a Free SaaS Identity Audit from Conformity

March 8, 2010

As we’ve frequently discussed here in this blog, SaaS identity ‘silos’ are creating major headaches for companies moving to the cloud. In fact, we’re finding that in most organizations 5-20% of SaaS user identities have errors or mismatches that can result in major security and compliance risks. Some of these issues include:

  • Orphaned user accounts
  • Duplicate user identities
  • Misaligned user data
  • Inappropriate user roles and permissions
  • Unauthorized ‘super admins’

We’re excited to announce that for a limited time Conformity is offering a free SaaS Identity Assessment that will help organizations identify user identity gaps and mismatches with their SaaS deployments and corporate directories. With the assessment, Conformity SaaS identity experts will provide:

  • A summary report of major SaaS identity exceptions
  • Assessment of potential audit and compliance risks
  • Recommended best practices and policies for aligning SaaS user identities

Click on the link below to learn more about our free assessment, and let Conformity help you and your organization get ahead of the curve on SaaS audit and compliance issues.

Click here to learn more >>

What is “The Cloud” Really?

March 4, 2010

Once upon a time I read a very good marketing paper that began with the statement: “People buy quarter-inch drill bits, but they want quarter-inch holes.” The biggest mistake most tech companies make in marketing their products is that they talk about the features of their quarter-inch drill bits, not the quality of the quarter-inch holes that can be made, or how the features of that hole are relevant or important for how the hole is going to end up being used. Assuming you accept this, I make the following observations about how most companies in “the cloud management space” are making it harder for their markets to understand what they do rather than easier.

Specifically, the concern I have is that “managing the cloud” or “the cloud management market” or “managing cloud computing” is going to look markedly different depending on where you sit. In particular, I think there are actually four cloud management markets or segments, with overlapping requirements to be sure, but still different enough that any company, vendor, or IT organization trying to “manage the cloud” should think about positioning itself in that context. I also believe much of the confusion (or FUD) around “the cloud” and “cloud management” is because people use similar terms to mean very different things, each valid in its own right, but very, very different.

  • Segment 1 – Existing IT organizations that have on-premise services and also either have or aspire to have cloud-based services as well (whether IaaS, PaaS, SaaS, etc). This management market will have a particular set of benefits and challenges associated with how the entity tries to integrate these IT services, and the management thereof, to make it look reasonably seamless (so they don’t simply replace one set of complex problems with a different set of complex problems). Private/public clouds will create variations on this theme, with security and billing being the two main differences, but otherwise very similar problems.
  • Segment 2 – The opposite end of this spectrum – organizations that aggressively pursue doing as much in the cloud as possible, and only doing on-premise what is either not yet available in cloud form or too business-critical to yet trust to a cloud-based solution. I’ve spoken to a dozen CIOs in the last two months who have set a mandate for their organizations along exactly these lines: cloud when you can, on-premise when you have to. This is primarily an SMB-based discussion today, but it’s starting to bleed up into the enterprise space.

These first two represent more of a true user of “cloud-based” services and benefits.

  • Segment 3 – Groups that are actually hosting the cloud services used by the first two markets; the so-called “service provider market.” It’s a real market, but tends to have a set of problems much more in common with the on-premise guys (insofar as they’re managing workloads within a well-defined IT infrastructure; they’re still “on-premise,” just a different “premise” from the captive IT organization). Their users come from the cloud, rather than being a captive user community. This “where are the users coming from” tends to cause the management problems to have different priorities than the captive user version, but otherwise has more in common than not. The one variation in this space is how high up into the stack a given organization chooses to go (IaaS, PaaS, SaaS, etc), which will also heavily influence what “management” means to them. For example, Amazon is clearly an IaaS vendor in this space, and doesn’t know or care about applications per se.
  • Segment 4 – Also a provider market, but where all the services provided are actually located in the cloud, rather than a captive data center. Conformity is representative of this type of market. We provide a SaaS-based solution (which also happens to manage a specific problem of using SaaS applications, but that’s not a relevant distinction here) that runs entirely in the cloud; we don’t have a data center at all (except for a VPN server and a MS Domain Controller); we do everything else in the cloud (including development / builds / e-mail / calendaring / billing… you name it). This type of market will also have unique and real management problems, but with a very different emphasis than the first three. It’s also still small, but rapidly growing, based on many VC discussions I’ve had in the last four months.

These last two represent more of a true provider of cloud-based services, even though they may also have “user-like” problems they need to solve.

As already noted, there is much overlap in these four “spaces,” so I don’t think one can be entirely pure in this four-market segment model. But the particular problems and their urgency will create a form of segmentation that will influence and govern how cloud management companies need to talk about themselves, what they do, what pain points they address, and the value of their solutions, because the value of a given solution will vary greatly depending on where in this four-market segmentation model a given customer views themselves.

So, assuming you agree at least in spirit with this segmentation, it might be helpful to start to introduce some of this nomenclature into the industry’s on-going discussion about cloud management issues.

Anyway, this is what occurred to me when I tried to compare various “cloud management” offerings; it’s a bit of apples-and-oranges. For example, CA or BMC might be expected to want to market its cloud-based offerings to companies in the first market, as on-premise is “core” and cloud is an “adjacent” space in this market (using the Baan / Zook “core/adjacency” nomenclature).

Smaller players, like UnivaUD, market their cloud-based offerings to companies in the third market, and while there’s clearly overlap and bleed-over between these two views, they’re different enough that trying to compare them might not make sense.

As an aside, it’s also why I think “virtualization = cloud” is a horrible hoax that some vendors are foisting off on the rest of the industry. Virtualization is an important technology, to be sure, but it’s a quarter-inch drill bit in the fullest sense of the word, and absent any discussion of what problem is being solved and why, carries almost no useful context in any final analysis of “the cloud management market.”

Conformity and Ping announce cloud identity partnership

February 2, 2010

We are excited to announce today a new partnership with Ping Identity, which will provide joint customers comprehensive visibility and control of user access and usage of SaaS and cloud-based applications. Ping Identity’s solutions provide a single control point for enterprise users accessing hundreds of leading cloud services. Deployed together, the Ping and Conformity solutions provide enterprise customers the ability to manage and control user access and authorizations to cloud applications and resources across the employee lifecycle.

We wholeheartedly agree with Tom Fisher, Vice President of Cloud Computing at SuccessFactors, who comments that “access and identity management issues are becoming more prevalent and painful as enterprises transition to SaaS and cloud-based applications. Ping and Conformity together help to take the issues off the table.” We’re looking forward to working with Ping in helping our joint enterprise customers address the identity management challenges as they migrate applications and resources to the cloud.

Recap: Enterprise SaaS Working Group – Identity Management in the Cloud

December 4, 2009

We had a great second meeting of the Enterprise SaaS Working Group this week, which focused on the topic of access and identity management for the cloud. Participants in the session included Chris Bedi from VeriSign, Peter Dapkus from Salesforce.com, Ryan Nichols from Appirio (who also provided a great summary of the event on the Appirio blog), Steve Coplan from The 451 Group, Michael Amend from Dell, Doug Harr from Ingres and Scott Carruth from Initiate Systems. Our initial discussion focused on the unique management challenges created by SaaS and cloud applications due to the identity silos they create in the enterprise as shown below.

Cloud identity in the enterprise

The ensuing roundtable discussion focused on the impact these issues are having in the enterprises, with a particular focus on the following topics:

  • Speed bump or show stopper – on the question of whether access and identity management issues were going to be a ‘speed bump’ or ‘show stopper’ for SaaS adoption in the enterprise, the answer really revolved around timing and depth of penetration. While today it is more of a speed bump for initial adoption in the enterprise (or else we wouldn’t be seeing enterprise deals today), the issues become more problematic when considering what it will take for SaaS and cloud applications to become a ‘mainstream’ technology. Taken from that perspective, there was agreement that identity issues around access, authentication and authorization created by SaaS identity ‘silos’ were going to soon become major, and that they need to be reconciled and addressed.
  • The directory redefined – one of the questions we posed was around the future of the corporate directory, and whether enterprises would ever permit it to live in the cloud. Chris Bedi of VeriSign made the great point that the more relevant and important question is around what a directory really becomes in a cloud-centric environment – where it ends up residing will be a function of how that question is answered.
  • Federated identity – related to the directory point, the group generally also agreed that in a cloud-centric (or even hybrid SaaS/on-prem) environment there was unlikely to be a monolithic directory or source of identity-related data, and that SaaS applications, HR systems and directories (on-prem and cloud) would also likely each contain ‘versions of the truth’ that will need to be synchronized and federated. Ryan Nichols provided a very interesting example of how Appirio themselves have built a cloud-centric organization with Salesforce.com and Google both providing separate but complementary directory and identity data.
  • Identity done right – Doug Harr made the excellent point that current cloud identity challenges actually offer an opportunity for SMB and midsize enterprises who haven’t been able to invest in identity and systems management technologies to date to ‘get it right’. IAAS and cloud-based identity management services will likely make these capabilities cost-effective for these target markets for the first time, enabling these organizations to effectively ‘white sheet’ their identity management approaches for both cloud and on-premise applications.

The full recording of the webinar is available and can be accessed by clicking here. Please drop us an email at eswg@conformity-inc.com to be added to our mailing list, and to be notified of future Enterprise SaaS Working Group news and events.

12/2 Enterprise SaaS Working Group webinar – Access and Identity Management for the Cloud

November 16, 2009

We’re excited to announce that on December 2nd at 10:00am PST / 1:00pm EST we’ll be holding the second meeting of the Enterprise SaaS Working Group on the topic of Access and Identity Management for the Cloud.

One of the recognized challenges with SaaS in the enterprise is the silos of identity that are created by cloud applications. Each service contains its own ‘version of the truth’ around users, permissions and credentials, disconnected from legacy directory services and identity management systems. Based on feedback from our first event, this meeting will focus on the identity management and access control issues that need to be addressed for SaaS to become truly mainstream in the enterprise. Discussion will focus on several questions including:

  • SaaS identity issues in the enterprise – speed bump or show stopper?
  • What will be the identity source(s) in a cloud-centric world?
  • Can separate cloud and on-premise user identities co-exist?
  • Will enterprise IT ever put corporate directories in the cloud?

Participants in the session will include:

The discussion will focus on critical issues and corresponding best practices in the areas of access management, authentication, identity synchronization and identity policy enforcement and will include a Q&A session open to all attendees. Click here for more information and to register for this exciting event!

Register now >>

Emerging Best Practices – Extending Microsoft Active Directory to SaaS and Cloud Applications

November 13, 2009

Though cloud and SaaS solutions are seeing rapid adoption in the enterprise, management of these applications is not aligned with traditional IT controls and policies.  SaaS has been deployed and managed largely by business users, with limited input from CIOs and IT organizations.  As these cloud-based technologies replace mission-critical on-premise applications and host sensitive organizational data, enterprise IT is now regaining their ‘seat at the table’.   When seeking to extend policies and controls to SaaS, these IT organizations are disappointed to learn that existing directories and  IT management technologies don’t easily extend to the cloud.  These organizations struggle to achieve alignment of SaaS and cloud solutions with established enterprise identity sources including Human Resources Information Systems (HRIS), directory services, and Identity Management (IdM) solutions.  This alignment and resulting visibility and control is critical for IT and Finance departments concerned with regulatory compliance, governance, and identity and access management.

Given the role that Microsoft Active Directory and associated proxy services play in providing centralized authentication, access control, and identity synchronization for on-premise applications, it would seem to be a logical integration point to also harness SaaS and cloud solutions. Unfortunately, IT organizations are finding that AD itself does not easily extend into leading SaaS applications, with direct integration difficult if not impossible.

Despite this inability to directly integrate AD with major cloud applications, forward-thinking enterprises are focusing on a “loose coupling” of on-premise Microsoft Active Directory and SaaS solutions through new third-party management solutions. This approach allows an integration path with the existing, deployed directory technologies and does not require major adjustments in the SaaS vendor technology roadmaps. By integrating the current SaaS and directory solutions, the enterprise can align critical services including user identity and attributes, login services (Single Sign-On), and IT policies. This alignment can lead to immediate benefits in security, IT efficiency, and governance and regulatory compliance. In our new white paper, Extending Microsoft Active Directory to the Cloud, we explore the approaches and solutions organizations are leveraging for identity synchronization, policy enforcement and single sign-on (SSO).

Click here to request a free copy >>

Top Ten Mistakes Companies Make When Adopting SaaS

November 3, 2009

While billions of dollars will be spent on SaaS and cloud applications by the end of 2009, executives continue to question data security inside the cloud. A recent article in CIO Magazine notes a growing majority of execs are worried about cloud security. These executives recognize that each SaaS application, like Salesforce.com, represents a potential highway of highly sensitive corporate data outside the firewall and outside IT’s security protocol. While by no means exhaustive, here is a list of mistakes we’re seeing companies make when deploying SaaS applications, creating unnecessary risk and cost for their organizations:

  1. Creating the ‘three-headed admin’ – granting multiple people administrator-level roles inside a single SaaS application, or having multiple admins share the same credentials.  Aside from the obvious security issues, resulting SaaS app management data typically ends up reflecting multiple perspectives of users and permissions.
  2. Hoping that everyone ‘locks the door’ – relying on manual workflows, phone calls and emails to de-provision SaaS users’ access in an accurate and timely fashion across SaaS apps.   If there’s not an automated way to guarantee deprovisioning across all apps, then it’s unlikely that it’s happening.
  3. Applying a short term ‘band-aid’ for management – using trouble ticketing and help desk systems to coordinate administration between central IT and departmental SaaS admins.  This is typically a short term fix that just kicks critical provisioning and identity management issues down the road, and does it in a way that creates more pain later.
  4. Attempting the IT ‘end-run’ – not engaging IT on management and support until SaaS app(s) become “mission critical” within the organization.  As SaaS and cloud are now becoming more mainstream technologies, IT is regaining their seat at the table to help extend existing policies and controls – ignore this dynamic at your own peril.
  5. Delegating policy enforcement – relying on individual SaaS administrators to enforce corporate policies for roles and permissions. Most organizations have access control policies and controls for on-premise apps and data, but few think about how to extend them to SaaS and cloud applications prior to deployment, particularly in environments with distributed administration.
  6. Believing in a management ‘silver bullet’ – assuming that existing on-premise directories (such as Microsoft Active Directory) or identity management tools (including SSO) extend to support all SaaS-related identity challenges.  They don’t.
  7. Creating ‘two sets of rules’ – treating SaaS governance differently than on-premise applications with regard to user identity and compliance.  Governance frameworks and best practices should consistently apply to applications no matter how they’re delivered.
  8. Failing to create a ‘rearview mirror’ for audit and compliance – failure to identify an approach for capturing an audit trail of access, usage, user change and permissions history. Though delivered by a 3rd party, companies are still responsible for implementing and enforcing access control policies, and for demonstrating it at audit time.
  9. Forgetting about compliance reporting – wasting 20-30 executive hours each quarter to manually compile reports for internal or external compliance audits.  Forgetting to consider compliance reporting needs up front when evaluating SaaS vendors and overall SaaS/cloud strategy can be painful.
  10. When in doubt, spending more – buying unnecessary subscription seats because of a lack of visibility to actual subscriptions and current usage.

We’d be interested in hearing what others are seeing and hearing in these areas as well…

Recap: The Enterprise SaaS Working Group

October 1, 2009

It’s been an exciting few days here at Conformity after our recent GA announcement and the kickoff of the Enterprise SaaS Working Group yesterday.  We had a very lively, engaging debate on the key issues the group believes need to be addressed for SaaS and cloud applications to become ‘mainstream’ technologies in the enterprises.  The group featured a diverse set of executive perspectives from cloud vendors, thought leaders and practitioners, and included:

A quick highlight of some of the discussion yesterday:

  • PaaS/SaaS – which model ‘wins’ in the enterprise? While opinions differed, a common sentiment shared by the panel was that there’s not going to be a ‘right answer’ for all organizations. Depending on the industry vertical, business process or IT management model, PaaS or SaaS could be the ‘right answer’, and in many situations organizations could have PaaS and SaaS offerings sitting side by side.
  • Private clouds – part of the answer or indicative of SaaS market immaturity? As with the PaaS/SaaS discussion a common theme was ‘it depends’.  The core advantage to SaaS and cloud delivery models is the ability to share resources – what part of the stack organizations decide they’d like to share will likely be driven primarily by security concerns and issues.  A likely scenario, as with PaaS/SaaS, is that different models will likely be adopted by different types of organizations depending on security and operational requirements.
  • Enterprise SaaS adoption – when does it overtake on-premise? Two different perspectives were discussed around when SaaS will overtake on-premise apps in the enterprise.   A common belief of the group was that SaaS is winning in a majority of new deals in the enterprise today, with the perspective shared that 50-75% of enterprises would ‘flip the switch’ on cloud in some manner by approximately 2012.  Peter Coffee of Salesforce also shared his belief that total installed base for SaaS would outnumber on-premise apps by 2020, though there would also likely be 1-2% of the market that would be ‘holdouts’.
  • Any applications that SaaS/cloud won’t be able to penetrate? If architected and deployed correctly, there are no perceived areas in which SaaS and cloud application models could not be leveraged, with Peter Coffee of Salesforce, Tom Fisher of SuccessFactors and Ryan Nichols of Appirio all providing compelling examples of large-scale, transaction-intensive customer deployments.

The full recording of the webinar is available and can be accessed by clicking here. Also, Ryan Nichols at Appirio had a great post on their perspective on our discussion topics here.

Please drop us an email at eswg@conformity-inc.com to be added to our mailing list, and to be notified of future Enterprise SaaS Working Group news and events.