October 2009
Bob Blakley from The Burton Group recently posted a great response to Andrea DiMaio of Gartner Group regarding privacy.
There are lots of great viewpoints expressed in Bob's blog and comments. But I'd like to raise a perspective on privacy that is not fully addressed.
I'll start with an analogy. Fortunately, my daughter is not yet old enough to drive but I'm sure this story is a reality for many of you. You loan your car to your kid. You set an expectation-either explicitly ("you may go to the mall with your friend but only you can drive and you may not go anywhere else") or implicitly (previous communication or rules and/or precedent about who can drive the vehicle). The expectation is a shared understanding of what may be done with the vehicle. You take on a calculated risk based on the nature of the act, your ability to "know" that the expectation is fulfilled (visibility), and to incent the fulfillment of that expectation. (The incentive can be a carrot or a stick-and can arise from friends, family, or institutions in our society, e.g., law enforcement.) In short, I let the kid have the car and cross my fingers she is not letting her friend drive or going somewhere other than the mall. Visibility is tough, although GPS and other technologies are helping these days. In a hypothetical world of complete trust, I can simply ask my daughter if she followed the expectation.
So why am I talking about loaning a car in a blog about Privacy? The answer is simple-privacy is a special case of trusting others with assets. In the world of privacy, the asset is information. Instead of loaning her a car, suppose I am telling my doctor about a medical condition. I take a calculated risk. (Will my doctor tell others or post my name and condition on a web page?). I believe we have a common expectation. (Thank you HIPAA for ensuring I receive a Privacy Statement.) And I know there are incentives to uphold the Privacy Statement. (HIPAA does have teeth, right? Well, maybe: In a recent survey by Ponemon Institute, 80 percent of responding health care organizations had experienced at least one incident of lost or stolen electronic health information in the past year.)
Now, in the automobile analogy I set an expectation about the transference of the asset. "You may not let anyone else drive." I didn't say "you can only loan the car to someone you trust." In the case of my HIPAA Privacy Policy, there is a provision for transference-my medical information will be provided to my health insurance provider. But not my employer. OK.
In short, my view is that this is all about setting and meeting expectations. This is as old as human discourse and is not based on technology. But technology changes things-it both helps and hurts. And it could help a lot more than it is presently doing. I haven't said much about visibility so far. Visibility is tricky: it's nearly impossible to know if my daughter lets her friend drive and where she takes the car. (Well, until I get the photo radar speeding citation with friend Suzie driving nowhere near the mall.) But visibility could be easy with information assets-metadata can be included to identify the source of an asset (and even the chain of transference if it has been passed along). And privacy policies abound, so maybe we have enforceability to incent stewards of private information to abide by our expectations. Maybe.
So to me, privacy is not black and white. I might trust low-risk information to others even when there is little visibility or privacy incentives. I might set an expectation that transitive trust is OK-I not only trust my doctor with my medical history, I trust them to pass it along to others that are trusted and fall within the same parameters of our shared expectation. In some cases I know litigation is a real incentive. In other cases, societal pressures may suffice (when I expect a social behavior and not an anti-social behavior as Bob would say). And in many cases, the expectation is not fully articulated or precise-I expect that "private information will be used to benefit me and not harm me."
One thing that is fascinating about today's connected world is the ease of disseminating information. One post to a website can get millions of viewers. And information is freely replicated, unlike physical assets. So we need to be extremely careful with our private information. And digital information can stick around a long, long, time. And it is readily searched. So in these ways the technology hurts privacy.
The first time someone sent me a "gift from Pennsylvania" on Facebook, I declined because of the warning that the Gift application can access all of my personal information. And there is no transitive expectation of what that application will do with it. There was no privacy expectation, period. Even if there was, I don't feel I have visibility. (At least with the doctor's office I can ask who my medical history was shared with.) And as far as incentives and enforceability are concerned, I don't feel very protected on today's social networking sites. But, in the end, I have accepted (and sent) these kinds of gifts-based on one fact: my activities on Facebook are really pretty pedestrian. But I have yet to rush home from the doctor after being diagnosed with an embarrassing condition to post it on my Facebook wall. Check out Ian Glazer's blog about the Facebook issue and PPIA.
So as we further our privacy interests as a collective community of advocates, let's continue to ask about expectations, how they are asserted, communicated, and agreed, how privacy infractions can be made visible, and the economic, legal, social, and moral incentives we can cultivate. Regardless of what you feel should or should not be "private", we all have a right to set expectations that we trust will be met. And as technologists, we have the capability to improve the state of privacy in the face of technological advances that might otherwise undermine it. Privacy is not an Illusion. It is a challenge.
Managing The Threat Within
I'd like to applaud some of the recent points raised by Richard Stiennon (http://information-security-resources.com/2009/09/09/identifying-and-countering-the-insider-threat/ and http://threatchaos.com/). In his post, "Identifying and Countering the Insider Threat", he raised some points that resonated with me. For a long time I have been recapitulating concerns to enterprises about managing the internal threat. And with the recent economic downturn, layoffs and other sources of employee dissatisfaction are increasing the internal threat. The web is full of stats and case studies if you want to read more, e.g., http://www.secretservice.gov/ntac.shtml and http://www.csoonline.com/article/454890/Tough_Economy_Heightens_Insider_Threat. The fact is, corporate management must pay attention to the insider threat and implement policies and controls to manage it.
What to Do?
The one message I'd like to leave our readers with is well stated in Stiennon's article: "Identity and Access Management tools are the single most valuable defense you have against the insider threat."
Authentication
Employ authentication strength that is commensurate with risk and which complies with applicable rules and regulations. Whether this means passwords or MultiFactor Authentication (MFA) such as biometrics or smartcards, be sure to invest in appropriate technologies and train your user base on tools and policy.
Provisioning
Be sure your processes and tools for the creation, removal, and management of accounts do not leave you exposed. Entitlements and accounts for former employees must be revoked as quickly as possible. Use approval and/or attestation workflows and role based access control (RBAC) wherever possible. And do not forget about privileged account management: "You cannot begin to get control over privileged accounts, IT administrators, or even software licensing costs until you enable an effective Identity and Access Management solution."
RBAC
Defining and enforcing roles is a huge topic. Although simple in theory, assigning roles to people and then setting access control according to role is non-trivial. Bruce Schneier has some great info in his latest newsletter: "Real World Access Control" http://www.schneier.com/crypto-gram-0909.html#3. What may seem easy at first is complicated by poorly defined roles, constant role churn, multiple roles, and the pragmatic fact that under-entitling employees incurs productivity costs. I like Stiennon's suggestions to keep it simple, start by defining groups for each function in the organization, and include tools for review of exceptions; as he puts it, "granular control over what people do on your networks and a means to enforce the policies that regulation and security best practices require."
Compliance and Reporting
Regular review of audit logs to see who has accessed what is important. Monitoring and logging are essential to understanding risk and detecting malicious activities.
Enter the Cloud
Of course, all the above take on new challenges once we leave the corporate four walls. Technologies that extend the span of Authentication and Access Control to SaaS Apps are indispensable. Simply because an app is SaaS does not make it immune to regulatory needs.
What Now?
Listen to the experts! Employ processes and tools that manage the insider threat. Look at the facts: this threat is real. And all organizations have these risks. And of course, build your single most valuable defense: IAM--http://www.symplified.com/.
Coby Royer | Technical Product Manager
Symplified | Cloud Security Experts
August 2009

Who Holds the Keys to the Kingdom?
In today’s On Demand world, organizations face new challenges when trying to manage user access, security, and audit to cloud delivered applications. Unlike the past, when user identities and access control could be managed within the enterprise network, enterprises that deploy SaaS must manage user access to applications that reside outside the firewall. Access management has always been a difficult problem to solve; with the disappearing perimeter it has become even more complicated. There are many more technical and organizational challenges that must be addressed to manage access, authentication, single sign-on, auditing, and regulatory compliance for cloud-based applications.
“Organizations, large and small, are implementing cloud-based solutions for collaboration, personal productivity, and line of business applications. However, many industries are governed by compliance regulations that require documented and auditable security controls over who can access data,” said Darren Platt, CTO of Symplified. “Managing access control across more than one SaaS application quickly escalates in complexity, while auditing usage is problematic for even just one cloud service.”
Enterprises must now manage the shift of infrastructure control from the enterprises over to service providers. SaaS providers (not the enterprise) control the application’s technology stack and multi-tenancy arrangements. New ways to secure access for Cloud apps are needed because first generation WAM relies on agents, an outdated architecture that doesn’t work in multi-tenant environments. The ideal approach to Cloud security is to extend existing roles and policies to the new environment, while keeping the keys to the kingdom - user credentials - inside the firewall. This reduces redundant administration, password reset costs and policy management points.
In response, IT teams first turn to authentication technology and processes in place today. Soon, they discover first generation identity and access management technology was designed strictly for use on-premises, inside the firewall and not across the Cloud.
Agent-based architectures like those used by CA SiteMinder and RSA ClearTrust, along with their assumptions on control of protected applications, no longer function in Cloud-based scenarios. Because Cloud apps are distributed and reside on the Internet, firewall perimeters can’t be used to control access. SinglePoint Cloud Access Management (CAM) enables security policy to be extended out to the Cloud without exposing internal identities outside the firewall. Users get the convenience of SSO and IT can unify multiple application and security domains.
Eric Olden | CEO, President and Founder
Symplified | Cloud Security Experts
August 2009
How to Have Your Cake and Eat It Too: Cloud Based Identity Management without Identities in the Cloud
This week I’d like to say a few things about managing User Identities. There has been a lot of talk lately about Private Clouds vs. Public Clouds. Enterprises that are slow to adopt SaaS and Cloud Based PaaS/IaaS are firing up their own virtualized environments and IT groups are provisioning on-demand applications for business processing. Some of the same Cloud benefits result, such as usage-based charges, ease of provisioning, location independence, and reduced overall demand due to load distribution over time.
One of the drivers for Private Clouds has been Security. Enterprises are sometimes unwilling to accept risks associated with the Public Cloud (i.e., Internet). Identity Management is sometimes a concern and I’d like to share some important considerations today.
Eric Ogren recently posted a great article about Cloud Security. One of his points is that early stage cloud vendors should support corporate clouds in early product releases. I’m proud to say that is exactly what Symplified has done, recognizing the needs to support security-focused enterprise adopters.
Ogren raised a good point that “The hurdle that must be cleared [in providing identity services] is assuring IT that corporate identities can be securely maintained in a cloud service... .” This is precisely why Symplified optionally provides on-premise components that integrate with our SaaS policy administration.
With Symplified, credentials and attributes for end users can remain on the Customer Premise if necessary. While our Policy Management Point (PMP) is SaaS based, the Policy Decision Point (PDP) (which retrieves user attributes for making access decisions) can be placed on-premise by way of our Identity Router. Even if in the Cloud, the PDP only briefly holds attributes in memory and never on disk. Credentials for Single Sign On (SSO) to applications are similarly stored on the customer premise. We have a number of security options for where these are placed and use established best practices and cryptography to keep these credentials secure (regardless of where stored). And, unlike many other SSO products, we do not store credentials on workstations or browsers.
I have to say that Ogren’s points resonated well with me. I can’t take the position that no enterprise should dismiss SaaS and Public Clouds. That is a topic for Enterprise Risk Management and every company has its own tolerance for risk. But whichever way an enterprise adopter leans, there are companies like Symplified out there who can support both Private and Public Clouds. I recognize (and have been part of) Enterprise security and risk management and as a vendor, am in no position to dispel the well thought out concerns Enterprises may have. But I can say with certainty: There are options that comply with your security and risk management policies! As folks are now returning from Burton Catalyst—the event that publicly launched Symplified about a year ago—let’s enjoy some birthday cake!
Coby Royer, Technical Product Manager
Symplified | The Cloud Security Experts
July 2009
Cloud Integration-We are not alone
PaaS and IaaS consumers should have objectives in mind for how the apps they are creating with Cloud computing are to be integrated with other systems.
Constituency
What constituencies are you serving? So you are creating an app with PaaS-Is it for your company's employees? Or are you creating a corporate SaaS app to serve your partners or customers? Integration needs will vary based on constituencies.
Single Sign-On
Corporate users will want Single Sign-On (SSO) tied to their existing directories. Customers and Partners may want Single Sign-On tied to their own directories and systems. There are many options ranging from calling out to another authentication system to federation with standards like SAML. If you are in corporate IT, you can implement your own session management and validate session tokens from your own authentications. But if you are a SaaS vendor, federation may be the best way to provide SSO. For example, OpenSAML provides toolkits to make it easy to SAML enable your SaaS application.
Identities
Avoid creating yet another Identity Silo that requires user provisioning/deprovisioning and profile management. Again, federation can help. Providing integration to external identity systems avoids the whole problem of managing Identity life cycles. Don't take on the burden of managing this yourself when your customer is likely to already have solutions in place!
User Profiles and Attributes
In addition to being able to authenticate users and ensure proper management of Identity life cycles you should consider how you manage profile data associated with identities. There are methods to "single source" your data and minimize the need to synchronize and update multiple copies of the same information. Consider tying your new PaaS-hosted app to existing directories and Identity Management systems. Some systems (like Symplified) can pass user attributes to your application to avoid having to mirror what is already in your directories and databases. You can also expose secure APIs that enable import and export of data.
You Are Not the Only App
We have a natural tendency to focus on just the one application we are creating. But since almost no one uses "just one app" there is an aggregation effect: as each new app is added to your portfolio, it introduces incremental increase in pain surrounding credentials, profile data, transactional data, compliance data, etc. So even if managing users in your app is so easy you can do it in your sleep, your customers and their constituencies will still need to learn how your system works. This is Incremental Pain that turns into a nightmare-no matter how simple one task is, repeating that task many times in many ways is costly and prone to error.
Collaboration
Does your app need to support collaboration between different users of your app? Or across different apps? How can they securely exchange data while not violating privacy requirements? Will customers or integrators be creating mash ups with your application? How do you expose data and functionality (again, securely). These are all important considerations, and are increasingly easy to do in the world of Cloud Computing. But as we address our needs for security and privacy, identity and access management are fundamental building blocks. When handling a request for data, how do you know who is asking? How do you know they have permissions?
Conclusion
I hope the questions in this blog have been thought provoking. As you consider the PaaS and IaaS for hosting and deploying new apps, remember that "You are not Alone". Your app will be one of many for your customers; and collaboration and integration require identity management and access control solutions.
Coby Royer
Technical Product Manager
Symplified | The Cloud Security Company
June 2009
Last week the Global Language Monitor announced that Web 2.0 had become the millionth word or phrase added to the English Language. While responses have ranged from debate to disinterest, I think the event does say something about our society's affinity for reinventing technology (and the buzzword bingo that goes along with it).
When it comes to evolution and revolution of technology, identity federation immediately comes to mind. Symplified's founders were a seminal force in shaping federation and we are once more at a time when this influence is shaping the future of federation. Today, federation suffers from complexity, prohibitive cost, and fails to address critical capabilities like access control, auditing, and user management.
In the past I've blogged about the Network Effect and the power of one-to-many. The unfortunate reality about the current state of federation is that it does not provide the one-to-many feature that enables easy adoption. Enter Federation 2.0: With technology like Symplified, you can connect to more applications at a lower cost than you would otherwise bear if you integrated those applications one at a time. And every time Symplified adds a new application to its network, everyone benefits from it. Stay tuned for our upcoming newsletter to hear more.
Coby Royer, Technical Product Manager at Symplified
June 2009
History has a way of repeating itself. Consider the lifecycle of empires. Nearly every empire through history started out small, grew through acquisition (conquest), promised a better life for its denizens (through integrated laws) but eventually collapsed under the weight of complexity and expense (rulers excessively taxed the populace) then disintegrated through revolt of some kind. This happened to the Romans, the British and later the Soviets (and others). Eventually federated nation states form, replacing the monolith with stability and relative peace.
If CA was the dominant empire builder of the 80’s and 90’s, does Oracle represent a new empire? Consider its M&A conquest of Sun, BEA, Siebel, PeopleSoft and others. There have been promises of a better life for customers through ‘integration’ across the product line, but what enterprise is actually realizing a unified Oracle experience (beyond an integrated invoice)?
Using BEA as an example, Oracle has steeply raised maintenance fees and prices (taxes) of its acquired competitors. Long loved by Wall St., but less so by CFOs, is the 22% annual maintenance expense that gives Oracle ~90% margin and more revenue than the sale of new software ($2.9B in maintenance vs. $1.5B in new licenses). If history is our guide, has Oracle’s empire become over-extended, its customers over-taxed and a revolt in the making? Will the Sun set on Oracle’s empire?
With the recession heightening and the concern of even higher software costs, enterprises are cutting budgets and many are questioning the strategy of putting too many eggs in a single vendor’s basket. This has led enterprises to move to the Cloud in droves seeking best of breed providers that offer next generation capabilities at a fraction of the cost. Best of all the Cloud comes without maintenance fees and a far lower degree of lock-in. Why is the Cloud so compelling?
» The Cloud offers pay-as-you-go pricing that matches actual use rather than incurring large upfront costs experienced with traditional software. Cloud-delivered security like that offered by Symplified costs only 20% of competing legacy software.
» There are no additional maintenance fees with Software as a Service (SaaS) saving the cost of 20-22% annual maintenance expense. Symplified provides a completely managed service that includes upgrades, patches and enhancements in the monthly price.
» The Cloud offers next level flexibility through its loosely coupled architecture giving enterprises unprecedented levels of agility for software enablement. Symplified’s network architecture does not rely on agents but instead works at Layer 7 for simple drop-in deployments that go live in days rather than weeks or months.
» The Cloud is ideally suited for the ‘anywhere, anyone, anytime’ world of the mobile enterprise workforce. No longer constrained to access applications from a LAN, employees can now access Web and SaaS apps securely across the Internet.
» Cloud projects are up and running in a fraction of the time and cost compared to enterprise software deployments. Symplified delivers ROI in 30-60 days as compared to traditional software installs where achieving ROI could take multiple quarters because of perhaps millions of dollars in upfront expense.
The move to the Cloud has specific challenges, however, that must be overcome to be trusted and reliable. Among these challenges is the need for secure access management to the Cloud. Symplified was founded to specifically address these challenges through its delivery of a simple Access Management system that also provides compliance and Single Sign-On (SSO) capability for SaaS, enterprise Web and Cloud applications.
As your enterprise looks for ways to move beyond the age of Empires toward Cloud-based computing you can rely on Symplified to provide a simple and affordable way to securely bridge the world of your existing enterprise with the expanding Cloudscape.
Eric Olden | President, Founder and CEO
Symplified | The Cloud Security Company
April 2009
I recently wrote about perspectives on Software as a Service, inspired in large part by Jeff Kaplan's presentation at IT Roadmap Denver. Today, I’d like to address Security concerns that have been expressed about SaaS.
Many potential SaaS adopters have concerns about the co-mingling of data between customers in multi-tenant SaaS architectures. The concern is that one customer’s data could be accessible to another customer through a technical glitch (e.g., coding error, database problem, etc.). The concern is understandable as the use of a single RDBMS server is common in SaaS and a key enabler to the reduced costs and provisioning time for new SaaS customers. The overhead for maintaining a separate DB instance for each customer is significant and putting customer data into rows or tables in the same server yields significant cost and performance improvements that transfer to the SaaS customer.
As with any risk, I advise a risk management approach that reconciles the customers’ tolerance for risk against the costs and benefits that go along with the risk. An informed decision can be made given the likelihood of the risk and a simple analysis. Look at the benefits of the specific SaaS app you are considering (e.g., reduced cost in comparison to COTS alternatives). Consider how costly or damaging your privacy concerns would be. Then look at how your SaaS vendor is reducing the likelihood of the risk you are concerned about. As with any risk assessment, we are not looking to completely eliminate risk. You probably already have many other data privacy risks throughout your enterprise—from your outsourced payroll processing to transmission of data across the Internet to employees who routinely transport laptops off site. The goal is to invest in risk mitigation costs that are commensurate with the likelihood and impact of the risk. By analogy, I wouldn’t spend a thousand bucks on a safe to protect the two hundred dollars worth of jewelry I own.
So what is the likelihood of others seeing your data in a SaaS app anyway? (And what is your vendor doing to help?) Vendors should support industry specific controls that serve compliance needs. For example, PCI DSS has specific terms to address SaaS compliance. Identity Management and Access Control are important. Audit logs may be necessary for compliance. Quantifying this risk is tough, but I recommend talking to your SaaS vendor about what they do to minimize the risk.
In the case of Symplified, our engineers have gone to great lengths to design a system that is immune to data leakage in its multi-tenant architecture. For example, our data model includes a “tenant ID” (GUID that identifies each customer) for every table that holds customer data. We use Aspect Oriented Programming (AOP) to enforce the constraint that no queries or updates can apply if the tenant ID is incorrect, thus insulating our production system from coding errors and other issues. We run application security (and other) scans as recommended by OWASP. We ensure separation of duties in our SAS 70 compliant data center. If you would like to learn more about this solution, watch the Technology Dig Webcast hosted by Darren Platt, an identity expert at Symplified.
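The tenant-ID constraint described above, as an added example (not Symplified's code): a Python decorator stands in for the AOP advice and wraps every data-access function, so a query or update that forgets the tenant predicate is rejected and rolled back. The `notes` table, the function names and the two tenant GUIDs are constructed for illustration.

```python
import contextvars
import functools
import sqlite3
import uuid

# Tenant of the request being served; an authentication layer (assumed) sets it.
current_tenant = contextvars.ContextVar("current_tenant", default=None)


class TenantViolation(Exception):
    """A data-access call read or changed rows outside the caller's tenant."""


def _foreign_rows(conn, tenant):
    # Snapshot of every row that does NOT belong to the current tenant.
    # Fine for a demo table; a large table would need a cheaper check.
    cur = conn.execute(
        "SELECT id, tenant_id, body FROM notes WHERE tenant_id != ? ORDER BY id",
        (tenant,))
    return [tuple(row) for row in cur.fetchall()]


def tenant_enforced(func):
    """Advice around a data-access function.

    Before: require a tenant in context and pass it to the function.
    After: reject returned rows of another tenant, and roll back the whole
    call if any other tenant's rows were changed.
    """
    @functools.wraps(func)
    def wrapper(conn, *args, **kwargs):
        tenant = current_tenant.get()
        if tenant is None:
            raise TenantViolation(f"{func.__name__}: no tenant in context")
        conn.execute("SAVEPOINT tenant_guard")
        try:
            before = _foreign_rows(conn, tenant)
            result = func(conn, tenant, *args, **kwargs)
            for row in result or []:
                if row["tenant_id"] != tenant:
                    raise TenantViolation(f"{func.__name__}: returned foreign row")
            if _foreign_rows(conn, tenant) != before:
                raise TenantViolation(f"{func.__name__}: modified foreign rows")
        except BaseException:
            conn.execute("ROLLBACK TO tenant_guard")  # undo the call's writes
            raise
        finally:
            conn.execute("RELEASE tenant_guard")
        return result
    return wrapper


@tenant_enforced
def list_notes(conn, tenant):
    return conn.execute(
        "SELECT id, tenant_id, body FROM notes WHERE tenant_id = ?",
        (tenant,)).fetchall()


@tenant_enforced
def list_notes_buggy(conn, tenant):
    # Coding error: the tenant predicate was forgotten.
    return conn.execute("SELECT id, tenant_id, body FROM notes").fetchall()


@tenant_enforced
def redact_note_buggy(conn, tenant, note_id):
    # Coding error: filters by primary key only, so any tenant's row matches.
    conn.execute("UPDATE notes SET body = '[redacted]' WHERE id = ?", (note_id,))


def _attempt(call):
    try:
        call()
        return "allowed"
    except TenantViolation:
        return "blocked"


def demo():
    # isolation_level=None: autocommit, so the savepoints above control rollback.
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.row_factory = sqlite3.Row
    conn.execute("CREATE TABLE notes "
                 "(id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, body TEXT)")
    acme, globex = str(uuid.uuid4()), str(uuid.uuid4())  # constructed tenant GUIDs
    conn.executemany(
        "INSERT INTO notes (id, tenant_id, body) VALUES (?, ?, ?)",
        [(1, acme, "acme payroll"), (2, globex, "globex payroll")])

    outcome = {"no_context": _attempt(lambda: list_notes(conn))}
    token = current_tenant.set(acme)  # serve a request on behalf of acme
    try:
        outcome["own"] = [row["body"] for row in list_notes(conn)]
        outcome["read"] = _attempt(lambda: list_notes_buggy(conn))
        outcome["write"] = _attempt(lambda: redact_note_buggy(conn, 2))
    finally:
        current_tenant.reset(token)
    outcome["globex_body"] = conn.execute(
        "SELECT body FROM notes WHERE id = 2").fetchone()["body"]
    return outcome


if __name__ == "__main__":
    print(demo())
```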
Coby Royer
Technical Product Manager
Symplified | The Cloud Security Company
April 2009
I recently had the chance to enjoy SaaS guru Jeff Kaplan's presentation at IT Roadmap Denver. While the presentation itself was outstanding, I especially enjoyed the diverse perspectives of the audience, and also got a grass roots feel for the state of adoption from other discussions during the event. In particular, reservations about security and readiness of SaaS apps struck me.
One of the perspectives was that SaaS apps have to cater to a least common denominator of features to achieve the economies of scale for a "one size fits all" model. "How can Google Apps compete with the richness of legacy office software? How could I even consider using them?" As a twenty year IT veteran who has worked in numerous Fortune 1000 IT shops, I have to ask "how could I not?" While we may believe in the indispensability of the continually extended and redefined breadth of features of our office software, the fact is that most users can readily survive and even prosper with SaaS. The cost savings of not managing desktop software, let alone the licensing and support, is something not to ignore. I'll be honest that as a power user of certain spreadsheet apps, it pains me to say it, but "one size fits all" is good for business. The TCO savings for SaaS can be redirected toward the corporate bottom line, which is something to consider in today's lean times.
In closing, it is true that many SaaS apps are early in their maturity curve and have not yet filled out their products with the full feature sets they will eventually rest on. Looking at the trend, however, I predict rapid growth and enhancements in SaaS products, and would rather go with the fast rising stars, given that the current state is good enough. In short, I'll bet my productivity on SaaS, with a few minor exceptions for those that can truly justify the feature bloated alternatives. And we SaaS adopters will ride the maturity curve to a quality, mature product, with savings in our wallets.
I'll have more to say about Security and Compliance in my next blog.
Coby Royer
Technical Product Manager
Symplified | The Cloud Security Company
March 2009
Organizations are depending on IT like never before to help navigate through today’s economic crisis. Adopting cloud delivered technology allows an organization to cut costs and reduce staffing needs. Smart enterprises are leveraging intelligent, next generation Web and Cloud Access Management saving millions of dollars, extending IT budgets and getting more done with less.
Here are 10 ways Cloud and Web Access Management saves real dollars:
1. Focus on your core competency.
Symplified empowers an organization to remain laser focused on IT initiatives that relate to the core of their business competency. The efficiencies associated with outsourcing non-core IT functions are undeniable, freeing up budget and resources and allowing your IT staff to focus on the innovation of revenue producing systems. If you no longer want to be bogged down by being in the identity management business, then Symplified is here to help.
2. Reduce cost of your core IAM platform by 80%.
Symplified delivers more capabilities than first generation identity products like SiteMinder, Oracle, Sun and ClearTrust – for approximately the cost of annual software maintenance alone. Plus Symplified allows you to address a complete WAM solution for both on-premise and hosted SaaS apps. Symplified has dramatically lowered upfront costs, predictable subscription pricing, faster deployment and integration. Why pay more than you have to for WAM?
3. Reduce operational costs.
SSO cuts helpdesk and support costs, increases SaaS application adoption, makes your users happier and more productive through an improved user experience. With Symplified you can reduce the number of accounts and passwords that IT has to support. IDC reports SSO projects often deliver a 95% reduction in service desk calls - fewer user ID inquiries and fewer password resets.
4. Quantifiable financial benefits.
The analyst at Forrester Research found implementing Web SSO provided demonstrable financial results. Forrester found that improved data management saves enterprises $350 per user per year. Also, reduced development of security features and user management save $12,000 per application and general support improvements of $70,000 per year.
5. Cut costs related to demonstrating compliance.
Compliance is a fact of life in today’s enterprise. Optimizing the time and money needed to demonstrate compliance saves significant money and resources. Symplified provides centralized access and authentication, improving consistency, reducing risk and enhancing security. Auditors have a single point of audit to verify policies and activity relating to sensitive data on both sides of the firewall meaning shorter audit cycles and lower costs.
6. Reduce your carbon footprint.
Symplified eliminates your IAM hardware footprint and data center costs. Our high performance Cloud Scale™ architecture means no need to manage, power and house excessive equipment. Such carbon footprint reduction efforts are good for the environment and good for your organization’s bottom line.
7. Cost effectively implement portals.
Whether customer, partner or employee facing, Web portals have been proven to streamline collaboration, supply chains and simplify Intranet access. Portals provide the IT team with a high visibility win that makes users happy and builds momentum for other IT efforts. With Symplified Access you can provide secure personalized access and SSO for multiple Web applications deploying quickly and extending existing commercial or open source portal CMS.
8. Reduce the cost of scaling your Web infrastructure.
Managing user populations with diverse access levels can be complicated. Symplified solves this with simple policies that leverage your existing Active Directory, LDAP, SQL - securing custom Web apps as well as commercial apps like SAP and SharePoint. Centralizing Web identity infrastructure into a re-useable architecture easily secures multiple Web applications. No more reinventing the wheel with every new Web app.
9. Cut the costs and complexity of home grown WAM.
Using a commercial IAM solution instead of building a homegrown system saves your enterprise hundreds of thousands of dollars of custom coding and integration, enabling your team to focus on innovation not maintenance and to go live quickly. Who will support and enhance a custom-built SSO or access control system? Does your homegrown system have a future roadmap or is it a ‘just enough’ effort that doesn’t scale and isn’t extensible?
10. Reduce administrative costs.
As your user community grows, user management workload also increases. Extending existing Active Directory and LDAP user repositories to Web applications automates user access and authentication.
Symplified | The Cloud Security Company