Archive for the ‘Infosec’ Category

SaaS Adoption and the ‘Scaling’ of Management Pain

March 2, 2010

The current approach most organizations are taking to managing SaaS applications and user access is unsustainable.

In our webinar today on SaaS, Access Controls and Compliance (an on-demand recording can be viewed here), we shared the reasons we think organizations are setting themselves up for a costly fall as they accelerate SaaS and cloud adoption:

  • The hidden costs of cloud applications – as SaaS apps have largely been deployed around IT, the costs of management and administration have also remained ‘hidden’ from CIOs and IT executives.  Manual, redundant administration of users and access results in costs and risks that often shock executives when we bring it to their attention.  For example, we’re finding that identity ‘exceptions’ across SaaS apps in customer environments typically range from 5-20%.  Translation – nearly 1 in 5 SaaS users today have inappropriate access or multiple, inconsistent identities across systems.  The risk and compliance implications of this go without saying…
  • The scaling of management pain – each new SaaS app deployed creates another ‘source’ of user identity and associated authorizations.  The need to understand roles, profiles and permissions across apps means that the hidden costs and risks of SaaS expand exponentially with adoption.  Thus not only are costs not yet visible at the executive level, they’re rapidly scaling with SaaS and cloud adoption!
  • The oncoming SaaS management ‘tsunami’ – it’s almost universally true that SaaS and cloud adoption is accelerating across nearly every market segment.  Combine this fact with the ‘scaling’ of management pain, and you start to see why we think organizations are headed for trouble.   While today it appears that manual and spreadsheet-based approaches to managing SaaS users and access will ‘work for now’, trouble is rapidly growing beneath the surface, as internal auditors, IT operations and administrators will tell you.

IT management problems are often analogous to heart disease – foresight and preventative steps (diet and exercise) are far preferable to open heart surgery after the problem gets out of control.

Unfortunately, as SaaS and cloud adoption accelerates, many organizations today are on the costly path to the operating table…

Top Ten Things IT Auditors Need to Know about SaaS

February 14, 2010

Despite the business benefits of using SaaS, there are well known risks and challenges related to loss of control, security, integrity, privacy and availability.  As cloud usage grows, compliance risks are going to increase, as is the case with any new wave of technology.

IT auditors should gain an understanding of any new technologies and/or systems to be audited and be aware of the key control issues related to SaaS.  In addition, IT auditors need to be involved with their organization’s cloud computing plans starting at the assessment stage to help ensure identification and mitigation of risks.  Unfortunately, IT and auditors have often been ‘out of the loop’, as SaaS applications have frequently been deployed directly by business users.

To help ensure that internal auditors are prepared to address potential control issues in their organizations, we’ve recently released a new whitepaper on the top ten facts that IT auditors need to know about SaaS and cloud applications.  In it, you’ll learn key facts about cloud applications that will help organizations prepare for the increased scrutiny being placed on access controls around SaaS and other virtualized resources.

Click here to request a free copy >>

Recap: The Enterprise SaaS Working Group

October 1, 2009

It’s been an exciting few days here at Conformity after our recent GA announcement and the kickoff of the Enterprise SaaS Working Group yesterday.  We had a very lively, engaging debate on the key issues the group believes need to be addressed for SaaS and cloud applications to become ‘mainstream’ technologies in the enterprise.  The group featured a diverse set of executive perspectives from cloud vendors, thought leaders and practitioners, and included:

A quick highlight of some of the discussion yesterday:

  • PaaS/SaaS – which model ‘wins’ in the enterprise? While opinions differed, a common sentiment shared by the panel was that there’s not going to be a ‘right answer’ for all organizations.  Depending on the industry vertical, business process or IT management model, PaaS or SaaS could be the ‘right answer’, and in many situations organizations could have PaaS and SaaS offerings sitting side by side.
  • Private clouds – part of the answer or indicative of SaaS market immaturity? As with the PaaS/SaaS discussion a common theme was ‘it depends’.  The core advantage to SaaS and cloud delivery models is the ability to share resources – what part of the stack organizations decide they’d like to share will likely be driven primarily by security concerns and issues.  A likely scenario, as with PaaS/SaaS, is that different models will likely be adopted by different types of organizations depending on security and operational requirements.
  • Enterprise SaaS adoption – when does it overtake on-premise? Two different perspectives were discussed around when SaaS will overtake on-premise apps in the enterprise.   A common belief of the group was that SaaS is winning in a majority of new deals in the enterprise today, with the perspective shared that 50-75% of enterprises would ‘flip the switch’ on cloud in some manner by approximately 2012.  Peter Coffee of Salesforce also shared his belief that total installed base for SaaS would outnumber on-premise apps by 2020, though there would also likely be 1-2% of the market that would be ‘holdouts’.
  • Any applications that SaaS/cloud won’t be able to penetrate? If architected and deployed correctly, there are no perceived areas in which SaaS and cloud application models could not be leveraged, with Peter Coffee of Salesforce, Tom Fisher of SuccessFactors and Ryan Nichols of Appirio all providing compelling examples of large scale, transaction intensive customer deployments.

The full recording of the webinar is available and can be accessed by clicking here.  Also, Ryan Nichols at Appirio had a great post on their perspective on our discussion topics here.

Please drop us an email at eswg@conformity-inc.com to be added to our mailing list, and to be notified of future Enterprise SaaS Working Group news and events.

Conformity Announces GA Release of First Enterprise-Class Management Platform for SaaS and Cloud Apps

September 30, 2009

We’re excited to announce today the general availability of the Conformity solution, which provides customers the first enterprise-class management platform for cloud applications and users.  The Conformity solution is designed to arm enterprises with the same level of visibility and control over on-demand applications as they’ve come to expect with traditional packaged apps.  With our solution, enterprises can now be confident bringing new cloud applications into their business environments, knowing there will no longer be compromises made in the areas of management processes, insight and control.  With today’s GA, enterprises can:

  • Increase data security and reduce compliance risks
  • Optimize license allocation and expenses
  • Automate and streamline administration
  • Expand and extend enterprise usage of SaaS and cloud applications

Specific capabilities of the Conformity solution include:

  • User provisioning – provides a centralized point of provisioning and deprovisioning of user accounts within cloud applications, and ongoing management of user permissions and authorizations.
  • Role and profile management – enables organizations to centrally manage cloud application roles, profiles and permissions through normalized permission models, and maps policies to users and roles.
  • Approval workflows – provides auditable cross-functional approval processes for users requiring new or amended access permissions, or role and profile changes.
  • Directory integration – enables organizations to seamlessly synchronize Conformity’s user repository with on-premise directory services.
  • Compliance reporting – provides reports required for effective preparation for audits for SOX, HIPAA, PCI and other regulatory mandates and standards.
  • Usage analytics – provides visibility, analytics and reporting on cloud application and license utilization.
  • Change management – enables archiving, management and recovery of application configurations and role models.

The Conformity platform provides templates, tools and workflow needed to manage all cloud applications in a customer’s environment.  Conformity also provides additional analytics, reporting and provisioning automation through integrations with the following leading cloud applications:

The Conformity platform also supports directory integration for Microsoft Active Directory, and is compatible with industry standards such as SPML, SAML and WS-Federation.

Please click here to read the full announcement, and stay tuned for more upcoming news!!!

The Enterprise SaaS Working Group – Coming Soon…

August 20, 2009

As frequently discussed in this blog, here at Conformity we believe that there are a fundamental set of issues that the SaaS industry as a whole needs to address for SaaS and cloud applications to become truly ‘enterprise-ready’.  These issues range from management access and APIs to SLAs and performance monitoring.  To provide a forum to further surface, discuss and propose solutions to these issues, in September we will be introducing the first Enterprise SaaS Working Group.  The group will discuss challenges that need to be overcome to accelerate adoption of on-demand solutions in the enterprise, and will include a broad range of perspectives from thought leaders and practitioners alike.  Participants will include:

  • Enterprise CIOs and IT executives
  • SaaS vendor executives
  • SaaS consultants and service providers
  • Industry analysts

We will be formally introducing the group at an exciting event we’re going to be hosting in late September.  Please stay tuned for more details…

SaaS, the Cloud and the ‘Big Bang’

May 11, 2009

Here at Conformity we recently wrapped up some interesting market research on the topic of adoption of SaaS and cloud-based services and the management challenges it is creating for organizations and their IT departments in particular.  Conducted in conjunction with a leading analyst firm,  we spoke with IT and business executives at nearly 50 midsize and large enterprises that were adopters of multiple SaaS applications, and who were planning on extending their adoption of the model.  We’ve summarized our findings in a new whitepaper titled SaaS, the Cloud and the Big Bang.

The results?

In organizations we spoke with, business users drove the initial wave of SaaS adoption and largely took on the associated management and support responsibilities.   In a pattern similar to what happened with distributed computing 15-20 years earlier, as SaaS adoption hit ‘critical mass’ in these organizations (particularly those with compliance exposure),  IT has been brought in to extend existing management processes, controls and tools to SaaS and cloud-based resources.

The problem?  SaaS and cloud-based services are fundamentally exploding the traditional IT management model, due to:

  • Decentralization of management – in ‘traditional’ management environments, IT has near complete responsibility and accountability for governance and management of technology resources.  The focus on autonomous IT governance and management has increased due to increasing regulatory compliance requirements (SOX, GLBA, HIPAA, PCI, etc.) and the resulting increase in adoption of best practice policy and control frameworks (ITIL, COBIT, ISO 17799/27001, 27002).  In the SaaS world, business users have taken on management and support responsibilities traditionally owned by IT.  For example, activities such as user provisioning and permissions management, role and profile management, application customization and configuration, and vendor management are now decentralized and distributed in many organizations.
  • Loss of control – in addition to the applications themselves, metadata on users, role and profile models, authorization and credential stores, usage activity and application performance all move outside the corporate firewall.  IT loses visibility and control over this critical management data that is now fragmented across heterogeneous SaaS service providers, in addition to the applications and users themselves.
  • Broken integrations – many IT processes around application and user management are highly automated, supported by integration with on-premise directory services, identity management and systems management solutions.  These integrations largely ‘break’ in an on-demand world, and organizations are rapidly finding that creating a new management ‘blade’ for a given SaaS app in a legacy management application is not a realistic, cost effective answer.  Additionally, SaaS applications must be integrated into existing business processes through configuration and management by line-of-business users, with little or no ability to automate integration into cross-application business processes.

While it is still early, clear perspectives are starting to emerge around the characteristics that a new generation of management solutions will need in order to address the unique challenges of on-demand environments.  Organizations are finding that SaaS and cloud-based service models are driving a convergence of identity and systems management issues, which will require the reinvention of solutions that address these issues.  Areas such as user access management, policy monitoring and enforcement, data integration and management, and business process integration all need a fundamental ‘rethink’ in a cloud-based world.

If you’re interested in receiving a copy of the whitepaper, please contact us.

Some additional thoughts on SaaS user provisioning…

May 1, 2009

As the term ‘provisioning’ tends to have different meanings depending on who you talk to, we wanted to follow up on our post last week on SAML / SPML-based ‘just-in-time’ user provisioning to provide some quick additional thoughts…

Effective user provisioning requires much more than just ensuring users have an active account and access to a given service or SaaS application.  User authorizations and permissions within the service also need to be consistent with role-based access control (RBAC), least privilege and segregation-of-duties (SOD) concepts.  This requires that organizations ensure that permissions and authorizations are consistent across services, not just within each individual SaaS silo.  What makes provisioning challenging is that each SaaS service provider has their own unique role, profile and authorization model optimized around the particular problem set they address.  Virtually all SaaS user attribute and permission models are unique to the individual vendor, with some services providing the ability to configure over 50 different user attributes.  In our mind, proper user provisioning ensures that user accounts and all associated authorizations are consistent with corporate policy, which is a much deeper, more challenging problem than it first appears…

The Data has Left the Building…

February 23, 2009

In light of the mass layoffs unfortunately occurring these days, somewhat terrifying results were recently released from a study conducted by the Ponemon Institute and sponsored by Symantec on data theft by former employees.  Major high (or low) lights of the study of approximately 900 employees who lost their jobs in 2008 include:

  • 59% of respondents kept corporate data after leaving their job
  • Approximately one quarter of respondents said they had the ability to access data after they had left the company
  • 32% of survey participants said that they had successfully accessed corporate systems using their credentials after leaving their job

While the survey didn’t distinguish between data residing in SaaS vs on-premise applications, we have to believe that the relatively immature access controls and distributed approach most organizations take towards SaaS user management would lead to even worse numbers for on-demand applications and related data…
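The ‘identity exceptions’ described in the SaaS management post above (users with inappropriate access or inconsistent identities across apps), the cross-silo RBAC/SOD consistency problem from the provisioning post, and the leaver-retains-access finding from this survey can all be surfaced by one reconciliation pass over per-app user exports. The script below is an added example, not Conformity’s code or any vendor’s API. It assumes a hand-maintained map from each app’s own role names to a normalized permission vocabulary (the part the provisioning post calls out as vendor-specific), a directory of record keyed by email, and constructed sample exports; every name, role and address in it is made up for illustration.

```python
"""Reconcile SaaS user exports against a directory of record.

Flags four kinds of identity exception across apps:
  orphan         - an active SaaS account with no directory match
  leaver_active  - an active SaaS account for a terminated person
  unmapped_role  - an app role with no normalized permission mapping
  sod_conflict   - one person holding a forbidden permission pair,
                   possibly spread across two different apps
"""
from collections import defaultdict

# Constructed directory of record (e.g. an HR/AD extract), keyed by email.
DIRECTORY = {
    "alice@example.com": {"status": "active", "dept": "sales"},
    "bob@example.com": {"status": "active", "dept": "finance"},
    "carol@example.com": {"status": "terminated", "dept": "finance"},
    "dave@example.com": {"status": "active", "dept": "it"},
}

# Constructed per-app exports; each app uses its own role vocabulary and
# its own idea of how a login is spelled.
SAAS_EXPORTS = {
    "crm": [
        {"login": "alice@example.com", "role": "Sales Rep", "active": True},
        {"login": "Bob@Example.com", "role": "System Administrator", "active": True},
        {"login": "carol@example.com", "role": "Sales Rep", "active": True},
    ],
    "erp": [
        {"login": "bob@example.com", "role": "AP Clerk", "active": True},
        {"login": "dave@example.com", "role": "Power User", "active": True},
    ],
    "expenses": [
        {"login": "bob@example.com", "role": "Approver", "active": True},
        {"login": "contractor42@example.com", "role": "Approver", "active": True},
        {"login": "alice@example.com", "role": "Submitter", "active": False},
    ],
}

# Hypothetical normalization of each app's native roles into one
# permission vocabulary; in practice this map is the hard, manual part.
ROLE_MAP = {
    ("crm", "Sales Rep"): {"crm.read_accounts", "crm.edit_deals"},
    ("crm", "System Administrator"): {"crm.read_accounts", "crm.edit_deals",
                                      "crm.manage_users"},
    ("erp", "AP Clerk"): {"erp.create_vendor", "erp.create_invoice"},
    ("expenses", "Submitter"): {"expenses.submit"},
    ("expenses", "Approver"): {"expenses.approve_payment"},
}

# Segregation-of-duties rules expressed over normalized permissions, so a
# pair held in two different apps is caught just like a pair in one app.
SOD_RULES = [
    ("erp.create_invoice", "expenses.approve_payment"),
    ("erp.create_vendor", "expenses.approve_payment"),
]


def canonical_identity(login):
    """Fold per-app spelling differences into one identity key."""
    return login.strip().lower()


def find_exceptions(directory, exports, role_map=ROLE_MAP, sod_rules=SOD_RULES):
    """Return a list of finding dicts: kind, user, app, detail."""
    findings = []
    perms_by_user = defaultdict(set)  # union of normalized permissions
    for app, accounts in exports.items():
        for acct in accounts:
            if not acct.get("active", True):
                continue  # disabled accounts are not an access exception
            who = canonical_identity(acct["login"])
            record = directory.get(who)
            if record is None:
                findings.append({"kind": "orphan", "user": who, "app": app,
                                 "detail": "no directory match"})
            elif record["status"] != "active":
                findings.append({"kind": "leaver_active", "user": who, "app": app,
                                 "detail": f"directory status {record['status']}"})
            perms = role_map.get((app, acct["role"]))
            if perms is None:
                findings.append({"kind": "unmapped_role", "user": who, "app": app,
                                 "detail": f"role {acct['role']!r} not normalized"})
                continue
            perms_by_user[who] |= perms
    for who, perms in perms_by_user.items():
        for left, right in sod_rules:
            if left in perms and right in perms:
                findings.append({"kind": "sod_conflict", "user": who, "app": "*",
                                 "detail": f"{left} + {right}"})
    return findings


def exception_rate(directory, exports, role_map=ROLE_MAP, sod_rules=SOD_RULES):
    """Share of distinct active SaaS identities with at least one finding."""
    users = {canonical_identity(a["login"]) for accts in exports.values()
             for a in accts if a.get("active", True)}
    flagged = {f["user"] for f in find_exceptions(directory, exports, role_map, sod_rules)}
    return len(flagged & users) / len(users) if users else 0.0


if __name__ == "__main__":
    for f in find_exceptions(DIRECTORY, SAAS_EXPORTS):
        print(f"{f['kind']:14} {f['user']:28} {f['app']:9} {f['detail']}")
    print(f"exception rate: {exception_rate(DIRECTORY, SAAS_EXPORTS):.0%}")
```

Two design points matter for a real run: identities are matched on a canonicalized login rather than on the raw string, so `Bob@Example.com` in one app and `bob@example.com` in another are recognized as the same person and their permissions are unioned before the SOD check; and an app role with no entry in the normalization map is reported as an exception rather than silently treated as harmless, because an unmapped role is exactly the kind of ‘hidden’ access the posts above describe.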

CSO survey – SaaS concerns

September 7, 2007

Goldman Sachs this week released its 2007/8 security software spending survey. One of the more interesting findings from the survey of Fortune 1000 information security executives was around their issues and concerns around SaaS. When asked what the key security issues around SaaS adoption were in their minds, the top three answers were:

  • Identity and access management
  • Compliance related issues
  • Post-access data security

While these answers fly a bit in the face of conventional wisdom, they reaffirm our perspective at Conformity that SaaS vendor security and the multi-tenant model in general are not the biggest security concerns organizations are having with the SaaS model….

The evolving role of IT in SaaS management

August 28, 2007

One question was inevitably bound to arise with the proliferation of SaaS within organizations – whether lines of business or IT should have ‘ownership’ of SaaS applications.  Which raises another question – what does ‘ownership’ of SaaS applications actually mean?  Without the need to manage, maintain and support on-premise applications, SaaS ‘ownership’ is less about managing the software life cycle, and more about ensuring that SaaS procurement, management and usage is consistent with corporate policies.  An interesting article appeared recently in SearchSMB exploring the role that IT is playing in SaaS procurement and management.

While business units typically have had free rein over SaaS deployments, evidence is starting to suggest that the pendulum is starting to swing towards greater IT involvement. A recent survey by Saugatuck Technology cited in the article shows that while 36% of organizations procure SaaS apps with no IT involvement, 24% require SaaS products to conform to pre-established guidelines from IT, and 44% require review by joint business/IT oversight committees. And why is IT increasingly feeling the need to get involved?

  • Integration – while business units have been happy to procure SaaS at will, IT is starting to be pulled in when business units realize the need for their SaaS application to integrate with data and/or applications that reside on-premise or with another 3rd party vendor. Many IT teams are only now finding out (the hard way) how broadly SaaS has penetrated their organizations and business processes.
  • Security and compliance – organizations are rapidly realizing the need for their SaaS and web-based applications to adhere to corporate access control, security and compliance policy requirements. Many organizations are increasingly looking to IT to ensure that SaaS usage in their environment is consistent with the policies and controls they’ve developed for traditional on-premise applications.

You can read the complete article here.