Archive for the ‘SAML’ Category

On the subject of password management…

August 19, 2010

There is an interesting movement that is happening in and around the Identity management space in there is a struggle going on between the desire to have a single universal and secure way of accessing resources and applications, and finding the right third-party to “trust” with your access.

A variety of technologies and vendors are involved including SAML, Active Directory, individual passwords, and some of the social media vendors such as Facebook and Twitter, to name a few. And of course, all the other cloud, enterprise, and identity vendors have a dog in this fight too.

Here at Conformity we are clearly a part of the discussion, and ultimately we hope, part of the solution, but the ugly truth is the vast majority of current secure website services and SaaS business applications still use passwords for their primary authentication model. Andrew Jaquith’s blog entry on “The Rationality Of Re-Using Passwords” makes an observation that passwords will be around for a long time, which is a point of view that I share.

Since we are on the topic of passwords and logins, I need to mention that Conformity just introduced a new product, ConformityConnect, that is designed to be a simple to use, simple to deploy, and simple to administer way of securely managing the plethora of logins that we face every day at work.  If you find yourself drowning in passwords, this might be the life saver you’ve been looking for. It also lays a foundation for addressing some of the other issues I raised above. Sometimes the best policy is to trust no one but yourself

You can try ConformityConnect out for free by clicking HERE.

Advertisements

VeriSign’s New Cloud Identity Initiative

April 21, 2010

We’re very excited today about the VeriSign announcement of a new industry collaboration (which includes Conformity) to build trusted online identity solutions that will help accelerate SaaS and cloud adoption.   In conjunction with the initiative, we’re working with VeriSign as well as Ping Identity, Qualys and TriCipher to establish a blueprint for achieving identity trust by combining technologies and services with proven policies and certification programs.   The effort spans the major requirements for achieving identity trust, including

  • Strong mutual identification
  • Provisioning
  • Federation
  • Vulnerability and Compliance Management

We totally agree with Nico Popp, vice president of product development at VeriSign when he says “Trust won’t happen if users worry their identities are vulnerable, or if they’re unsure whether the cloud-based service they’re accessing is legitimate.  That makes identity trust the essential ingredient for cloud migration – and an industry imperative for SaaS providers.”

Read the full announcement here >>

Conformity Announces Integration and Partnership with VeriSign

February 10, 2010

We are excited to announce today a new partnership and integration with VeriSign. With our integration with the VeriSign® Identity Protection (VIP) Authentication Service , Conformity customers will have the ability to secure and safeguard critical cloud application access and authorization information, and have the ability to provide enterprise-class security to Conformity users. We also plan on extending our integration with VIP to provide additional functionalities to our customers in the areas of provisioning and policy enforcement.

In addition, we have also announced that we will be referring each other’s offerings to enteprise customers with a need for enhanced user authentication and authorization management for their cloud applications and users, and to engage in joint marketing and sales activities. We’re excited about the partnership, and look forward to working with the VeriSign team and our joint customers.

Conformity and Ping announce cloud identity partnership

February 2, 2010

We are excited to announce today a new partnership with Ping Identity, which will provide joint customers comprehensive visibility and control of user access and usage of SaaS and cloud-based applications. Ping Identity’s solutions provide a single control point for enterprise users accessing hundreds of leading cloud services. Deployed together, the Ping and Conformity solutions provide enterprise customers the ability to manage and control user access and authorizations to cloud applications and resources across the employee lifecycle.

We wholeheartedly agree with Tom Fisher, Vice President of Cloud Computing at SuccessFactors, who comments that “access and identity management issues are becoming more prevalent and painful as enterprises transition to SaaS and cloud-based applications. Ping and Conformity together help to take the issues off the table.” We’re looking forward to working with Ping in helping our joint enterprise customers address the identity management challenges as they migrate applications and resources to the cloud.

12/2 Enterprise SaaS Working Group webinar – Access and Identity Management for the Cloud

November 16, 2009

We’re excited to announce that on December 2nd  at 10:00am PST / 1:00pm EST we’ll be holding the second meeting of the Enterprise SaaS Working Group on the topic of Access and Identity Management for the Cloud.

One of the recognized challenges with SaaS in the enterprise is the silos of identity that are created by cloud applications. Each service contains its own ‘version of the truth’ around users, permissions and credentials, disconnected from legacy directory services and identity management systems. Based on feedback from our first event, this meeting will focus on the identity management and access control issues that need to be addressed for SaaS to become truly mainstream in the enterprise. Discussion will focus on several questions including:

  • SaaS identity issues in the enterprise – speed bump or show stopper?
  • What will be the identity source(s) in a cloud-centric world?
  • Can separate cloud and on-premise user identities co-exist?
  • Will enterprise IT ever put corporate directories in the cloud?

Participants in the session will include:

The discussion will focus on critical issues and corresponding best practices in the areas of access management, authentication, identity synchronization and identity policy enforcement and will include a Q&A session open to all attendees. Click here for more information and to register for this exciting event!

Register now >>

Emerging Best Practices – Extending Microsoft Active Directory to SaaS and Cloud Applications

November 13, 2009

Though cloud and SaaS solutions are seeing rapid adoption in the enterprise, management of these applications is not aligned with traditional IT controls and policies.  SaaS has been deployed and managed largely by business users, with limited input from CIOs and IT organizations.  As these cloud-based technologies replace mission-critical on-premise applications and host sensitive organizational data, enterprise IT is now regaining their ‘seat at the table’.   When seeking to extend policies and controls to SaaS, these IT organizations are disappointed to learn that existing directories and  IT management technologies don’t easily extend to the cloud.  These organizations struggle to achieve alignment of SaaS and cloud solutions with established enterprise identity sources including Human Resources Information Systems (HRIS), directory services, and Identity Management (IdM) solutions.  This alignment and resulting visibility and control is critical for IT and Finance departments concerned with regulatory compliance, governance, and identity and access management.

Given the role that Microsoft Active Directory and associated proxy services play in  providing centralized authentication, access control, and identity synchronization for on-premise applications  it would seem to be a logical integration point to also harness SaaS and cloud solutions.  Unfortunately IT organizations are finding that AD itself does not easily extend into leading SaaS applications, with direct integration difficult if not impossible.

Despite this inability to directly integrate AD with major cloud applications, forward-thinking enterprises are focusing on a “loose coupling” of on-premise Microsoft Active Directory and SaaS solutions through new third party management solutions.  This approach allows an integration path with the existing, deployed directory technologies and does not require major adjustments in the SaaS vendor technology roadmaps.  By integrating the current SaaS and directory solutions, the enterprise can align critical services including user identity and attributes, login services (Single Sign-On), and IT policies.  This alignment can lead to immediate benefits in security, IT efficiency, and governance and regulatory compliance.  In our new white paper, Extending Microsoft Active Directory to the Cloud, we explore the approaches and solutions organizations are leveraging to identity synchronization, policy enforcement and single sign-on (SSO).

Click here to request a free copy >>

Top Ten Mistakes Companies Make When Adopting SaaS

November 3, 2009

While billions of dollars will be spent on SaaS and cloud applications by the end of 2009, executives continue to question data security inside the cloud.  A recent article in CIO Magazine notes a growing majority of execs are worried about cloud security.  These executives recognize that each SaaS application, like Salesforce.com, represents a potential highway of highly sensitive corporate data outside the firewall and outside IT’s security protocol.  While no means exhaustive, here is a list of mistakes we’re seeing companies make when deploying SaaS applications, creating unnecessary risk and cost for their organizations:

  1. Creating the ‘three-headed admin’ – granting multiple people administrator-level roles inside a single SaaS application, or having multiple admins share the same credentials.  Aside from the obvious security issues, resulting SaaS app management data typically ends up reflecting multiple perspectives of users and permissions.
  2. Hoping that everyone ‘locks the door’ – relying on manual workflows, phone calls and emails to de-provision SaaS users’ access in an accurate and timely fashion across SaaS apps.   If there’s not an automated way to guarantee deprovisioning across all apps, then it’s unlikely that it’s happening.
  3. Applying a short term ‘band-aid’ for management – using trouble ticketing and help desk systems to coordinate administration between central IT and departmental SaaS admins.  This is typically a short term fix that just kicks critical provisioning and identity management issues down the road, and does it in a way that creates more pain later.
  4. Attempting the IT ‘end-run’ – not engaging IT on management and support until SaaS app(s) become “mission critical” within the organization.  As SaaS and cloud are now becoming more mainstream technologies, IT is regaining their seat at the table to help extend existing policies and controls – ignore this dynamic at your own peril.
  5. Delegating policy enforcement – relying on individual SaaS administrators to enforce corporate policies for roles and permissions.  Most organizations have access control policies and controls exist for on-premise apps and data, but few think about how to extend them to SaaS and cloud applications prior to deployment, particularly in environments with distributed administration.
  6. Believing in a management ‘silver bullet’ – assuming that existing on-premise directories (such as Microsoft Active Directory) or identity management tools (including SSO) extend to support all SaaS-related identity challenges.  They don’t.
  7. Creating ‘two sets of rules’ – treating SaaS governance differently than on-premise applications with regard to user identity and compliance.  Governance frameworks and best practices should consistently apply to applications no matter how they’re delivered.
  8. Failing to create a ‘rearview mirror’ for audit and compliance – failure to identify and approach for capturing an audit trail of access, usage, user change and permissions history.  Though delivered by a 3rd party, companies are still responsible for implementing and enforcing access control policies, and for demonstrating it at audit time.
  9. Forgetting about compliance reporting – wasting 20-30 executive hours each quarter to manually compile reports for internal or external compliance audits.  Forgetting to consider compliance reporting needs up front when evaluating SaaS vendors and overall SaaS/cloud strategy can be painful.
  10. When in doubt, spending more – buying unnecessary subscription seats because of a lack of visibility to actual subscriptions and current usage.

We’d be interested in hearing what others are seeing and hearing in these areas as well…

The Three Key SaaS Management Challenges

October 15, 2009

We find very few people today that would dispute the notion that SaaS and cloud applications have become mainstream technologies in SMB and the midmarket.  The challenges for the SaaS industry are also changing as a result.   With the battle over the viability of the on-demand model largely won,  the questions are now turning to the operational and IT management  implications of a SaaS-centric environment.

Our customers and prospects here at Conformity are forward-thinking organizations that are aggressively leveraging the cloud delivery model for multiple, if not a majority of their business applications.  Given our strong  belief in the SaaS and cloud model, we believe that they are a good indicator of trends we’ll shortly be seeing more broadly in the market.    All of these organizations are struggling with what their management processes and approaches look like in a purely ‘on-demand’ model.   Among these multi-SaaS organizations we’re consistently seeing three general problem domains:

  1. User provisioning and administration – as they’re optimized for different problem sets, all major SaaS applications have fundamentally different ways of thinking about users, roles, profiles and permissions.  Organizations have tended to have separate business administrators for say Salesforce.com, NetSuite and SuccessFactors.  Each of these admins as a result has had to develop a separate model of their organization, deparments and role structures, with the result being that various siloed identity stores have been created across the organization.  These stores are are all independent from each other and from on-premise directory services (Microsoft AD) and identity management solutions.  Normalizing these identity stores in support of centralized, streamlined administration and reporting is a common theme we’re hearing, and what what our solution here at Conformity is addressing.
  2. Single sign-on (SSO) / authentication – another common challenge we’re hearing is the desire to provide end-users the ability to access multiple SaaS applications (and often on-prem apps as well) using a single set of credentials, both for end-user convenience and security purposes.  This is the problem set being  addressed by vendors such as Ping Identity, Tricipher and Symplified.
  3. Data integration – the final theme we’re hearing is around cross-application data integration, and the desire to integrate multiple ‘best of breed’ applications across a common business processes or workflow.  This issue set consists of integration of cloud apps to both cloud and on-premise applications.   This is the domain being addressed by vendors such as Cast Iron Systems, Pervasive and Boomi.

While the data integation challenge is fairly distinct from the first two challenges, significant market confusion exists around provisioning and SSO, and whether a solution in one addresses both areas.  The short answer is no – the very simple analogy we use is that SSO tells you if you should let the visitor knocking on the front door into the house – provisioning and permissions management provides guardrails around what they can and cannot do once they’re in the front door.  Both are needed, but complementary capabilities – more to come on this….

Conformity Announces GA Release of First Enterprise-Class Management Platform for SaaS and Cloud Apps

September 30, 2009

We’re excited to announce today the general availability of the Conformity solution, which provides customers the first enterprise-class management platform for cloud applications and users.  The Conformity solution is designed to arm enterprises with the same level of visibility and control over on-demand applications as they’ve come to expect with traditional packaged apps.  With our solution, enterprises can now be confident bringing new cloud applications into their business environments, knowing there will no longer be compromises made in the areas of management processes, insight and control.  With today’s GA, enterprises can:

  • Increase data security and reduce compliance risks
  • Optimize license allocation and expenses
  • Automate and streamline administration
  • Expand and extend enterprise usage of SaaS and cloud applications

Specific capabilities of the Conformity solution include:

  • User provisioning – provides centralized point of provisioning and deprovisioning of users accounts within cloud applications, and ongoing management of user permissions and authorizations.
  • Role and profile management – enables organizations to centrally manage cloud application roles, profiles and permissions through normalized permission models, and maps policies to users and roles.
  • Approval workflows – provides auditable cross-functional approval processes for users requiring new or amended access permissions, or role and profile changes.
  • Directory integration – enables organizations to seamlessly synchronize Conformity’s user repository with on-premise directory services.
  • Compliance reporting – provides reports required for effective preparation for audits for SOX, HIPAA, PCI and other regulatory mandates and standards.
  • Usage analytics – provides visibility, analytics and reporting on cloud application and license utilization.
  • Change management – enables archiving, management and recovery of application configurations and role models.

The Conformity platform provides templates, tools and workflow needed to manage all cloud applications in a customer’s environment.  Conformity also provides additional analytics, reporting and provisioning automation through integrations with the following leading cloud applications:

The Conformity platform also supports directory integration for Microsoft Active Directory, and is compatible with industry standards such as SPML, SAML and WS-Federation.

Please click here to read the full announcement, and stay tuned for more upcoming news!!!

Enterprise-Class SaaS Provisioning

June 3, 2009

As those of us at Conformity engage enterprise IT teams, we continue to explore the gap between existing provisioning options and SaaS deployments.  Enterprise customers are caught between the promise of cloud and SaaS solutions and the impact of this adoption on their already stretched teams and processes.   In the Conformity white paper, Enterprise-Class SaaS Provisioning, we describe the management challenges organizations face in adopting SaaS applications, and explain why IT groups struggle to utilize existing options for federating on-demand environments.

So, what information can we take away from the enterprise SaaS customers?  As pointed out in our other discussion threads, SaaS is not easily tamed by existing solutions.  We find that the cloud deployment model exposes the following shortcomings of existing alternatives:

  • Disconnected Environments: The most obvious challenge is the separation of multiple SaaS applications and the management solutions.  This disconnect fragments the core IT capabilities, creating unique cloud-based silos of user identity, business policy, and administrative rights.
  • Unexpected Deployment Complexity: IT teams can easily underestimate the impact of adopting SaaS as a solution platform.  Detailed SaaS configurations, coordination between applications, and evolving licensing models can exceed IT expectations, especially when the deployments were independently cultivated in the lines of business.
  • Lack of Deployed Standards: Customers are discovering the industry standards for management and provisioning are not aligned with the aggressive SaaS expansion.  Many advertised standards such as SAML or XACML are focused on alternative use cases and designed for either an on-premise or cloud model, limiting their real adoption by SaaS ISVs.

These challenges have curtailed enterprise efforts to utilize current deployed technologies, and in turn have impacted SaaS rollouts.  IT teams continue to evaluate complementary but incomplete options including enterprise software vendors, cloud-based identity solutions, and unique SaaS ISVs themselves.  This discovery process has provided the benefit of allowing the enterprise teams to better understand the market challenges and applicability of existing solutions.

Working with these IT teams, we have defined a common set of issues for provisioning and management and select criteria for a new approach to federating on-demand environments.  Any solution must provision users to a fully functional state across the user life cycle, a distinct challenge with many SaaS and cloud implementations.   This provisioning must align with existing IT and business processes, leverage line of business expertise, and meet the organizations compliance, security, and data visibility needs.  And deployments must be flexible enough to align with and possibly impact developing standards such as SPML or federation options like Microsoft Geneva while supplying value prior to standards adoption.  In short, these attributes define a new breed of management platform that is designed for the SaaS and cloud-based environments.

For more information, read the Conformity white paper that outlines our findings.  And please feel free to reply and continue the discussion.