Identity Management Blog | Symplified
July 2010
Have you ever been to a town (or lived in one) where the number of homes has grown faster than the supporting infrastructure could keep up? In other words, the freeways and other services could not adequately keep up with the pace of home construction resulting in traffic delays, confusion, and frustration.
Something similar has occurred with the evolution of the cloud and cloud services. The cloud and its significant number of apps have grown explosively and many companies are adopting the cloud for at least some of their basic IT functions such as email, payroll, and HR. Still, other companies are taking bolder initiatives and outsourcing both data and applications to the cloud in an attempt to save money and streamline operations. Regardless of the intent, all companies have a concern about cloud security. How safe is my data in the cloud? How much risk am I at with multi-tenancy applications? And what about my user accounts and providing access to all these new apps?
As enterprises shift some of their data and applications to the cloud they are caught between managing identities locally at the network level, and providing access to their users to applications in the cloud. Just like the proliferation of homes without the supporting infrastructure causes problems, so does the proliferation of user accounts with cloud adoption. IT cannot reasonably manage user identities for both the cloud and the network, nor can the end user!
So, the cloud is challenging the typical security model like never before. Organizations know that in order to be competitive they must provide an environment with access to multiple types of users (employees, partners, and customers). But, they must also maintain unprecedented levels of security due to today’s threats and compliance requirements. As more apps proliferate to the cloud and more companies migrate some of the apps and data to the cloud, the issue becomes more acute.
The answer lies in maintaining security credentials where they currently reside, protected behind corporate firewalls, and enabling cloud-based apps to reach out to these secure user stores to verify access and enforce user policies. There is no need to replicate user identities across the cyberscape of the universe; rather, make use of the directories and databases that you already have in use and have already spent tons of money and time to implement. This type of solution bridges the gap between cloud applications, which inevitably need identity management, and local user stores that already have the user's access and credentials defined. Doesn’t that seem like a better approach to you and your users?
Symplified | The Cloud Security Company
June 2010
I always like checking in with Salesforce.com to see what they are up to. And last week's Cloudforce event did not disappoint. It's great to see Salesforce continue to bring leading edge Cloud Computing to the mainstream, and the ever rampant adoption of their offerings reinforces my conviction about the widespread move to the Cloud.
The big buzz was about Salesforce Chatter, which incorporates elements of social networking into their Salesforce automation and Force.com platform. It's social, mobile, and real time--allowing employees to collaborate across their company. Apparently, Facebook reaching 50 million users in a mere 5 months inspired Salesforce--and for good reason. Jigsaw also presents some new capabilities--for improving the quality of data about companies and employees. Overall, the capabilities and presence behind Salesforce continue to grow.
In examining this trend, I can't help but ask, "How will companies manage the transition to Cloud based SFA?" On the surface, the transition seems easy: just sign up and use it. But ad hoc SaaS adoption leads to a number of issues, including proliferation of (often inconsistent) enterprise identities, loss of centralized access control, audit and compliance issues, provisioning nightmares, security risks, and more.
These problems are precisely why Symplified has introduced SinglePoint® for Salesforce.com. This product greatly reduces integration headaches and solves these problems. For starters, existing identities (e.g., employees in Active Directory) can be used for access to Salesforce via Single Sign-On. Integrated Windows Authentication can even be provided to allow authenticated network users to seamlessly access Salesforce without an additional login. Or what if you don't want an on-premises directory or database to be the System of Record for your identities? It is easy: the Contacts or Users you have set up in Salesforce can serve as the Identity Store. And with Symplified Access Control and Auditing, you can control and review what your employees are doing in Salesforce. Extend this technology to your other Cloud or On-Premises applications and you have a powerful platform that transcends the Cloud. And with SinglePoint Universal Sign-On (TM) you don't even need SAML to do it.
In conclusion, I am very excited about the growth of Salesforce, and the value added through Symplified integration. The partnership between our companies has yielded great synergies, and there is much yet to come. Stay tuned!
Coby Royer Technical Product Manager Symplified
April 2010
With the formation of the Open Identity Exchange and OASIS Identity in the Cloud TC there is a renewed interest in Identity Management Standards and a new focus on the Cloud model. This has led to some recent discussions such as "What standards to use?", "How to derive value from standards (old and new)?", and "What resources to leverage in delivering standards-based IDM?".
With Symplified's approach, enterprises can indeed leverage existing expertise and technologies. E.g., our embedded virtual directory allows you to retain any number of directories that you presently use for authentication and user profiles. If you have in-house SAML technology and expertise, we integrate with it--but if you don't, our solution still delivers and you don't need to purchase other tools or expertise. Although we are SaaS based and add great value to integration and protection of SaaS apps, we also can deploy on-premises components for customers who are more comfortable keeping certain functions inside their four walls. (This approach can be used to keep network traffic internal and to contain all user data within the enterprise.)
As with most infrastructure, employing third party products and services should allow an enterprise to focus on their own core competencies and lines of business. Value should be seen in not having to employ resources for the care and feeding of such systems, knowing that not only are initial needs met, but the solution continues to expand and evolve, for example integrating with new applications and services, and adopting new standards and functions. With the current splintering of standards, using a vendor that is not locked into any single standard is highly advisable. Time to implementation and TCO are important considerations as well. I have worked for large institutions that have implemented their own systems (as the need predated IDM technology) and can personally attest to the costs for creation and maintenance of such systems. With these lean times, CxOs, boards, and shareholders are raising eyebrows at large investments on internally developed infrastructure. Hence service based solutions, especially those with pay-as-you-go pricing, are increasingly desirable.
The fact that applications have differing trust models often complicates deployments and has contributed to failures in the adoption of federation. Eric Olden wrote an excellent article on this: Federation is Dead: Long Live Federation Fabric. So while I agree that federation is the way to go, the pragmatist in me knows we need solutions that work now. Waiting for a standard to mature and gain adoption means waiting to integrate, delaying such capabilities as User Provisioning, Single Sign-On, Access Control, and Compliance. I don't know of many IT managers willing to tell their business sponsor that they can't deliver a solution now because they must wait for an infrastructure standard to take hold! Please know I hold the utmost optimism and support for IDM standards; to me this is all a matter of timing and planning of enterprise roadmaps. In short: set realistic expectations to leverage emerging technologies.
In closing I must add that I am excited to see renewed interest in making standards work. The biggest challenges I have seen are lack of adoption, and splintering not only in the adoption of specific standards, but also in decisions that determine interoperability--such as profiles, assertions, and semantics. It's the classic chicken and egg scenario: until standards adoption and interoperability are the norm there is less incentive to support the standards in the first place. For federation to become ubiquitous the network effect must be realized.
February 2010
One of the key issues in today’s highly inter-connected computing model, especially regarding Cloud Computing, is Control. In the old days, if I needed access control, I pulled together the Ops teams that managed applications to execute a plan for installing plug-ins that can both authenticate and authorize web accesses. I had control (or at least some influence!) on the applications and stacks that ran my enterprise business. But we now enter a new generation where I do not have that control. Just imagine calling Google, Salesforce.com, and Taleo to ask that they install my favorite brand of IAM plug-in on their servers! One of the first things I’d like to point out is that many IAM Vendors support deployment models that simply do not suit today’s needs. Network based IAM is the way to go. SaaS Applications require an entirely different approach.
When we talk about Virtualized Datacenters, our natural inclination is to say they are mostly no different than brick and mortar data centers. And what’s the difference if my enterprise owns and runs one as opposed to a hosting partner? The challenge I see is that the virtualization trend has gone beyond enterprises managing their own virtual machines with their own hosting infrastructure. Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) have driven virtualization, standardization, and commoditization further down the stack--which has two effects. Firstly, I might not be able to install platform-specific software components like WAM plug-ins. The new trend is for these environments to provide services that are abstracted away from the underlying machines, operating systems, and applications. Secondly, even if I can install the old style IAM tools, this is missing a huge opportunity for cost savings—putting standard infrastructure for IAM into the “drinking water” is the wave of the future, and it’s going to be difficult for legacy IAM vendors to adopt.
But despite the virtues of Cloud Computing, and the fact that the Cloud visionaries are leading the wave with standards, they are often ad hoc standards (e.g., proprietary Authentication and Provisioning APIs). It will take time for the industry standards to shake out, and there remains much skepticism in the industry. So hitching your enterprise IAM strategy to a vendor that only offers one type of solution (e.g., SAML) appears risky at best. The dominant integration standards have yet to reach critical mass among SaaS vendors (e.g., SAML, WS-Fed, SPML)—and IAM Vendors are having difficulty integrating with SaaS vendors that don’t support standards. In effect, the Cloud Computing Permutations present challenges to many IAM vendors.
In closing, it’s important to understand that IAM (Identity and Access Management) spans many facets and has different meaning to different folks. While the basic building blocks may not have changed much, delivering manageable solutions with SSO, access control, provisioning, and user administration is challenging when we include the Cloud. So while creation of a user in a local Windows Domain is not fundamentally much different than doing so in a SaaS app, provisioning a user in a way that allows multiple Cloud and on-premise apps to automatically accept authentication of the user and provide SSO is indeed a challenge.
Coby Royer
Technical Product Manager
Symplified
Cloud leader, Salesforce.com, is in the midst of their DreamForce conference in San Francisco. It's amazing to reflect on their success and growth. Even with our current economic woes, Salesforce has managed to continue steady growth and stock performance. And with 19,000 people registered for this year's DreamForce, interest is certainly not dropping off.
At the helm of Salesforce, CEO Marc Benioff spoke of new product innovations and what lies ahead. With the announcement of Sales Cloud 2 and Service Cloud 2, we see expansions of Salesforce services into exciting new areas with a strong Cloud Community theme. New offerings for knowledge management tie into Google, Facebook, and Twitter with email integration and complete customer service call centers in the Cloud. Salesforce will offer social networking for the enterprise with their own Salesforce Chatter and scheduling with Salesforce Scheduler.
And if you are in San Francisco for this event, Symplified would like to extend an invitation to our exclusive Cloud party where you can learn how to unlock the potential of Force.com and other SaaS applications by making Salesforce the center of your cloud platform.
From collaboration to sales mobility, Symplified secures the Cloud, the enterprise & everything in between. We are the Cloud security experts.
Coby Royer Technical Product Manager Symplified
October 2009
This is a good question, but we have to understand what is meant by Enterprise Architecture (EA). It is generally accepted to be a discipline and sometimes a role or organization responsible for those activities that strategically align an organization to its technology and business goals. Activities such as Enterprise Architecture Planning (EAP) serve this need and are essential to IT Governance. Other activities relate to the application of Enterprise Architecture to specific domains, such as Line of Business (LOB) portfolios, Technical Architecture (which may include networking, security, etc.) and Application Architecture.
So, given this definition--YES, EA is essential because even (or perhaps especially) if the applications and business processes leave the enterprise four walls (ala SaaS), planning and governance are needed to ensure alignment to strategic goals. The role of EA is to periodically adjust those long term goals and the trajectory to attain them in response to changing technologies, business drivers, etc. So as new paradigms like SaaS and other types of Cloud Computing emerge, EA must evaluate them and establish standards, guidelines, policies, etc. For example, EA may incorporate SaaS based on cost benefit and an assessment that recognizes SaaS apps as being aligned to enterprise needs for security, privacy, compliance, service level, business function, etc.
And in addressing whether there is a need to architect solutions when adopting SaaS (presumably in support of EA as a discipline), then YES, there is still a critical need to define how SaaS integrates with the enterprise technology landscape. Questions such as "What is the master of my data?", "How do I manage Identities and Accounts?", "How do I produce Compliance Reporting?", "How do I migrate to/from adopted and sunset SaaS Apps?", "How do I establish Trust Relationships?", "How do I provide Quality and Service to my constituencies?", etc. require solutions in the domains of Information Architecture, Security Architecture, Network Architecture, Application Architecture, Technical Architecture and so on--presumably envisioned and vetted by architects of various types (including Portfolio Architects, Solutions Architects, etc.).
So while the GAME may have changed, the need for the PLAYERS has not. Architecture--in all senses of the word--remains essential.
In closing I will say that SaaS pushes the emergence of Business Architecture to a new height because of the direct empowerment of LOB owners. Acquisition and deployment of real solutions is now within grasp of business owners (seemingly) without the need for conventional IT delivery and support. But many of the above questions may go unanswered without engagement of EA, and latent risks (such as compliance and security) may turn into real issues.
Coby Royer Technical Product Director
Symplified | Cloud Security Experts
September 2009
For years, enterprise architects worked toward standardization and consolidation to achieve economies of scale across enterprise LOB portfolios. Data centers often looked like IT museums with one of every imaginable RDBMS, App Server, Web Server, OS, and hardware platform--and capacity was underutilized while TCO was out of control. Platforms like J2EE were initially created around N-Tier discretionary architectures that provided scalability and standardization.
As enterprises achieved some successes in the standardization and consolidation in the 1990s and early 2000s, a new technology entered the scene: Virtualization. Even with a diversity of stacks, economies could be achieved, as peaks and valleys in CPU and memory of VM guests averaged out in the VM host. And the ease of deployment and management of VM guests introduced unparalleled cost reductions.
So virtualization is here to stay, but is it the end game? I think of virtualization as a means to achieve micro-scale economies. At the macro-scale, we still have to address needs for ping, power, and pipe at the data center, and ensure availability, disaster recovery, and more. So the consolidation of VM resources represents the next wave of change. (And with grid computing, the VM hosts do not even have to be physically collocated.) So now I can use Amazon EC2 to fire up VM servers of my choosing, on demand. No, virtualization is not the end game—it is a crucial enabler for Cloud Computing (more specifically, for PaaS and IaaS). And given its importance, and the economies that are fueling this trend, I do see virtualization vendors making Cloud Computing more of a reality.
So what about security and enabling infrastructure such as IAM? The same economies that are driving Cloud Computing will extend across all crucial infrastructure that adds value to it. And in time, standards will be adopted to lend further economies and broaden the reach of standard infrastructure.
(Standards can be a mixed bag, though, as they often embrace a philosophy of “Build it and they will come.”) We are already seeing high demand for Cloud Security and IAM here at Symplified, and we believe this trend will continue strongly. We are building the network that enables SSO and Access Control across the full breadth of SaaS Apps, as well as COTS and homegrown Apps that our customers host. This is the real deal, and our own SaaS economies are delivering these capabilities at a fraction of the cost of the former generation of IAM technology.
For additional perspectives on Cloud Computing and the Enterprise, check out the LinkedIn conversation surrounding this question, posed by Brian Nettles, VP of IT at CB Richard Ellis: “Everyone is talking about cloud computing these days. I've heard various opinions from execs but little from Architects and Engineers. Is this another passing fad? Do you think the moves by top tier virtualization vendors will make cloud computing more of a reality? If you believe this is the real deal, what direction do you see vendors going to provide security for large scale enterprises and will it be cost effective?”
Coby Royer Technical Product Manager Symplified | The Cloud Security Experts http://www.symplified.com
July 2009
Cloud Integration: We Are Not Alone
PaaS and IaaS consumers should have objectives in mind for how the apps they are creating with Cloud computing are to be integrated with other systems.
Constituency
What constituencies are you serving? So you are creating an app with PaaS: is it for your company's employees? Or are you creating a corporate SaaS app to serve your partners or customers? Integration needs will vary based on constituencies.
Single Sign-On
Corporate users will want Single Sign-On (SSO) tied to their existing directories. Customers and Partners may want Single Sign-On tied to their own directories and systems. There are many options ranging from calling out to another authentication system to federation with standards like SAML. If you are in corporate IT, you can implement your own session management and validate session tokens from your own authentications. But if you are a SaaS vendor, federation may be the best way to provide SSO. For example, OpenSAML provides toolkits to make it easy to SAML-enable your SaaS application.
Identities
Avoid creating yet another Identity Silo that requires user provisioning/deprovisioning and profile management. Again, federation can help. Providing integration to external identity systems avoids the whole problem of managing Identity life cycles. Don't take on the burden of managing this yourself when your customer is likely to already have solutions in place!
User Profiles and Attributes
In addition to being able to authenticate users and ensure proper management of Identity life cycles, you should consider how you manage profile data associated with identities. There are methods to "single source" your data and minimize the need to synchronize and update multiple copies of the same information. Consider tying your new PaaS-hosted app to existing directories and Identity Management systems. Some systems (like Symplified) can pass user attributes to your application to avoid having to mirror what is already in your directories and databases. You can also expose secure APIs that enable import and export of data.
You Are Not the Only App
We have a natural tendency to focus on just the one application we are creating. But since almost no one uses "just one app" there is an aggregation effect: as each new app is added to your portfolio, it introduces an incremental increase in pain surrounding credentials, profile data, transactional data, compliance data, etc. So even if managing users in your app is so easy you can do it in your sleep, your customers and their constituencies will still need to learn how your system works. This is Incremental Pain that turns into a nightmare: no matter how simple one task is, repeating that task many times in many ways is costly and prone to error.
Collaboration
Does your app need to support collaboration between different users of your app? Or across different apps? How can they securely exchange data while not violating privacy requirements? Will customers or integrators be creating mash-ups with your application? How do you expose data and functionality (again, securely)? These are all important considerations, and are increasingly easy to do in the world of Cloud Computing. But as we address our needs for security and privacy, identity and access management are fundamental building blocks. When handling a request for data, how do you know who is asking? How do you know they have permissions?
Conclusion
I hope the questions in this blog have been thought provoking. As you consider PaaS and IaaS for hosting and deploying new apps, remember that "You are not Alone". Your app will be one of many for your customers; and collaboration and integration require identity management and access control solutions.
Coby Royer Technical Product Manager Symplified | The Cloud Security Company
July 2009 Cloud Computing
For starters it’s important to understand that Cloud Computing has taken the entire systems stack and exposed it as services on the Internet. Whereas Software as a Service (SaaS) provides capabilities to end users of applications, Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) provide services to technologists (developers and administrators) who are creating applications. Most folks are now familiar with popular SaaS platforms such as Salesforce.com, Taleo, and Google Apps. There are now thousands of SaaS providers available: check out The SaaS Showplace for more listings. With PaaS and IaaS, technologists can spin up virtual servers and build in solutions for storage, network, UI, multi-tenancy, etc. using services for collaboration, development, and instrumentation that are part of the Cloud environment. For example, we have Amazon Elastic Compute Cloud (EC2), Salesforce Force.com, Rackspace Mosso, and many others. You can check out Peter Laird’s cloud taxonomy. The following sections address considerations for PaaS and IaaS adoption.
Integration Philosophy
PaaS and IaaS consumers should have objectives in mind for how the apps they are creating with Cloud computing are to be integrated with other systems. Even if they are delivering SaaS Apps for end users, they should consider how to address Identities, Data, Collaboration, and Security (to name a few) and be aware of the fact that their customers will almost certainly be using other SaaS apps as well. It’s easy to become myopic and ignore the fact that the apps we write as developers are not at the center of our customer’s universe and that our apps must play well with the larger constellation of Apps, Services, and Data.
User Provisioning Lifecycle
How will creation and removal/disabling of user accounts in your application relate to other processes and technology of your customers/users? Are you exposing secure APIs to enable this programmatically?
Single Sign On
Enterprise customers will want to bring your application into the fold of other applications by using Single Sign-On (SSO). Will you support federation, APIs, or web forms that make this feasible?
Access Control
How can your enterprise customers set policies that prescribe permissions for accounts within your application? Are you going to force your customers to learn and use yet another access control system, or will you integrate with other access control technologies to enable a single, consolidated view of policies?
Logging and Auditing
What are your customers’ needs for accessing and processing log data on account activities? How can customers solve compliance needs to monitor privileged accounts?
Summing It Up
In conclusion, I recognize these are the same old questions IT has been addressing over the years, just with a new twist. For PaaS and IaaS we don’t have a unified set of tools and standards to address all of these needs. And the PaaS and IaaS environments don’t all provide these capabilities out of the box. The new generation of technologists must answer these questions for themselves, and make technology decisions about how to satisfy their needs. While, yes, there are emerging sets of standards to support these capabilities (such as SAML for federated authentication that enables SSO), Cloud adopters will need to make informed decisions about what standards and tools to use.
Coby Royer Technical Product Manager Symplified | The Cloud Security Company
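Both the Single Sign-On section of the "Cloud Integration" post above and the Single Sign On section of this post come down to the same relying-party question: before the SaaS app creates a session from an assertion handed to it by a federation partner, what must it check? The following added example (written for this page; not Symplified's code, not OpenSAML, and not a SAML implementation) shows the checks in minimal form. It uses a JSON payload with an HMAC over a constructed shared secret as a stand-in for a SAML Response's XML signature; the issuer and audience URLs and the lifetime are constructed values. The validation order mirrors what a SAML service provider does: verify the signature before trusting any claim, confirm the trusted issuer and that the assertion was addressed to this app, enforce the validity window with a small clock-skew allowance, and reject an assertion ID that has already been consumed.

```python
"""Relying-party validation of a federated sign-on assertion (added example)."""
import base64
import binascii
import hashlib
import hmac
import json

# Constructed shared secret standing in for the identity provider's signing key.
IDP_SECRET = b"constructed-demo-secret-do-not-reuse"
# Hypothetical issuer (IdP) and audience (this SaaS app) identifiers.
EXPECTED_ISSUER = "https://idp.example.com"
EXPECTED_AUDIENCE = "https://saas-app.example.net"
CLOCK_SKEW = 60  # seconds of clock drift tolerated between IdP and SP


def _sign(payload: bytes) -> str:
    """HMAC-SHA256 over the serialized claims; stands in for an XML signature."""
    return hmac.new(IDP_SECRET, payload, hashlib.sha256).hexdigest()


def issue_assertion(subject, assertion_id, now, lifetime=300,
                    issuer=EXPECTED_ISSUER, audience=EXPECTED_AUDIENCE):
    """IdP side: mint a signed assertion with a bounded validity window."""
    claims = {
        "id": assertion_id,            # unique per assertion, enables replay detection
        "issuer": issuer,
        "audience": audience,
        "subject": subject,
        "not_before": now,
        "not_on_or_after": now + lifetime,
    }
    payload = json.dumps(claims, sort_keys=True).encode()
    return base64.b64encode(payload).decode() + "." + _sign(payload)


class AssertionValidator:
    """SP side: every check that must pass before a local session is created."""

    def __init__(self):
        self.seen_ids = set()  # consumed assertion IDs (a cache with TTL in production)

    def validate(self, token, now):
        """Return (subject, 'ok') on success, or (None, reason) on rejection."""
        try:
            b64, sig = token.split(".", 1)
            payload = base64.b64decode(b64, validate=True)
        except (ValueError, binascii.Error):
            return None, "malformed token"
        # 1. Signature first: nothing inside the payload is trusted until this passes.
        if not hmac.compare_digest(_sign(payload), sig):
            return None, "bad signature"
        claims = json.loads(payload)
        # 2. Trust relationship: only the configured IdP may assert identities.
        if claims.get("issuer") != EXPECTED_ISSUER:
            return None, "untrusted issuer"
        # 3. Audience: an assertion minted for another SP must not log in here.
        if claims.get("audience") != EXPECTED_AUDIENCE:
            return None, "wrong audience"
        # 4. Validity window, with skew allowance in the lenient direction only.
        if now + CLOCK_SKEW < claims["not_before"]:
            return None, "not yet valid"
        if now - CLOCK_SKEW >= claims["not_on_or_after"]:
            return None, "expired"
        # 5. One-time use: a captured assertion cannot be presented twice.
        if claims["id"] in self.seen_ids:
            return None, "replayed assertion"
        self.seen_ids.add(claims["id"])
        return claims["subject"], "ok"


if __name__ == "__main__":
    now = 1_700_000_000  # constructed fixed clock for a deterministic run
    validator = AssertionValidator()
    token = issue_assertion("alice@example.com", "assert-0001", now)
    print(validator.validate(token, now + 10))   # ('alice@example.com', 'ok')
    print(validator.validate(token, now + 10))   # (None, 'replayed assertion')
```

The point of the ordering is that the signature check is the only thing standing between the app and attacker-controlled input: issuer, audience and time claims are read from the payload and mean nothing until the signature over that payload has been verified. In a real SAML deployment the same checks are performed by the library (OpenSAML or equivalent) against the IdP's certificate from federation metadata, and the replay cache is keyed on the assertion ID for at least the assertion's lifetime.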
June 2009
History has a way of repeating itself. Consider the lifecycle of empires. Nearly every empire through history started out small, grew through acquisition (conquest), promised a better life for its denizens (through integrated laws) but eventually collapsed under the weight of complexity and expense (rulers excessively taxed the populace) then disintegrated through revolt of some kind. This happened to the Romans, the British and later the Soviets (and others). Eventually federated nation states form, replacing the monolith with stability and relative peace.
If CA was the dominant empire builder of the 80’s and 90’s, does Oracle represent a new empire? Consider its M&A conquest of Sun, BEA, Siebel, PeopleSoft and others. There have been promises of a better life for customers through ‘integration’ across the product line, but what enterprise is actually realizing a unified Oracle experience (beyond an integrated invoice)?
Using BEA as an example, Oracle has steeply raised maintenance fees and prices (taxes) of its acquired competitors. Long loved by Wall St., but less so by CFOs, is the 22% annual maintenance expense that gives Oracle ~90% margin and more revenue than the sale of new software ($2.9B in maintenance vs. $1.5B in new licenses). If history is our guide, has Oracle’s empire become over-extended, its customers over-taxed and a revolt in the making? Will the Sun set on Oracle’s empire?
With the recession heightening and the concern of even higher software costs, enterprises are cutting budgets and many are questioning the strategy of putting too many eggs in a single vendor’s basket. This has led enterprises to move to the Cloud in droves seeking best of breed providers that offer next generation capabilities at a fraction of the cost. Best of all, the Cloud comes without maintenance fees and a far lower degree of lock-in. Why is the Cloud so compelling?
» The Cloud offers pay-as-you-go pricing that matches actual use rather than incurring the large upfront costs experienced with traditional software. Cloud-delivered security like that offered by Symplified costs only 20% of competing legacy software.
» There are no additional maintenance fees with Software as a Service (SaaS), saving the cost of 20-22% annual maintenance expense. Symplified provides a completely managed service that includes upgrades, patches and enhancements in the monthly price.
» The Cloud offers next level flexibility through its loosely coupled architecture, giving enterprises unprecedented levels of agility for software enablement. Symplified’s network architecture does not rely on agents but instead works at Layer 7 for simple drop-in deployments that go live in days rather than weeks or months.
» The Cloud is ideally suited for the ‘anywhere, anyone, anytime’ world of the mobile enterprise workforce. No longer constrained to access applications from a LAN, employees can now access Web and SaaS apps securely across the Internet.
» Cloud projects are up and running in a fraction of the time and cost compared to enterprise software deployments. Symplified delivers ROI in 30-60 days as compared to traditional software installs where achieving ROI could take multiple quarters because of perhaps millions of dollars in upfront expense.
The move to the Cloud has specific challenges, however, that must be overcome for it to be trusted and reliable. Among these challenges is the need for secure access management to the Cloud. Symplified was founded to specifically address these challenges through its delivery of a simple Access Management system that also provides compliance and Single Sign-On (SSO) capability for SaaS, enterprise Web and Cloud applications.
As your enterprise looks for ways to move beyond the age of Empires toward Cloud-based computing, you can rely on Symplified to provide a simple and affordable way to securely bridge the world of your existing enterprise with the expanding Cloudscape.
Eric Olden | President, Founder and CEO Symplified | The Cloud Security Company