Enterprises must understand that the evolution to cloud computing affects their IAM strategies in two distinct ways: how IAM is used and how it is deployed. First, the cloud has created new management challenges because enterprises must now extend the scope of their IAM to manage users and their access to cloud applications in addition to their on-premises applications. Second, the growing acceptance of cloud-based management tools has opened up a world of possibilities for implementing IAM-as-a-service (IDaaS), a new approach that can increase business agility, speed time to value, and reduce operating costs. Given that these two challenges are both critical to the evolution of the enterprise IT infrastructure, let’s take a closer look at each scenario.
Managing SaaS as Part of Your IAM Implementation
Cloud adoption is accelerating for most enterprises. Based on current adoption trends, it’s clear that in the future the vast majority of new applications purchased by organizations will be software-as-a-service (SaaS) applications. All too often, business units within the enterprise are procuring SaaS applications without involving IT - even for critical and sensitive applications. This has mainly been due to the ease with which business units can adopt these services, get up and running quickly, and keep the services going, all without needing to involve IT from a technological standpoint. In fact, through a survey conducted by my company, SailPoint, we found the selection and deployment of SaaS applications is increasingly becoming a business-led process. Alarmingly, we also found that only 34% of business leaders brought IT into the decision-making process when choosing a cloud service, and only 29% got IT’s help while the service was being deployed.
The lack of IT involvement in the procurement and deployment of cloud applications makes it difficult for IT organizations to manage security and compliance risks. In an increasing number of cases, IT has no visibility into the SaaS applications being used and therefore cannot ensure that the proper security and access controls (i.e., understanding and managing who has access to what) are in place. Failing to control access to sensitive applications and data can leave an organization at risk for fraud, misuse of data, and privacy breaches, not to mention negative audit findings.
Frighteningly, our recent survey found that nearly half of business leaders aren’t well educated on this need nor are they equipped to effectively handle user access privileges and other key factors necessary to safeguard the data housed in these new SaaS applications. At the end of the day, someone in the organization needs to manage and govern who has access to these mission-critical applications no matter where they reside, which is where IAM for the cloud comes into play.
The right IAM solution helps organizations manage the new reality of a “hybrid” IT environment, made up of both on-premises and SaaS applications. Rather than implementing niche IAM tools to manage SaaS applications in a separate silo, it’s better to take a holistic approach that manages both on-premises IT and cloud environments. This approach provides enterprise-wide visibility and control, and allows enterprises to extend their existing IAM business processes, such as granting access to new users and removing access for terminated users, to manage cloud applications.
Ensuring compliance with corporate or regulatory policy is also critical for SaaS applications. Based on the potential risk or criticality a particular cloud application represents, different levels of management and control are required. For mission-critical cloud applications, such as financial services and customer relationship management applications, an organization would want complete visibility and oversight as to “who has access to what.” Therefore, for this class of SaaS applications, it’s important to implement preventive and detective controls over the processes that grant, change and remove access to cloud applications to ensure that compliance and security guidelines are being followed. Detailed reporting on user access arms IT and business staff with the intelligence they need to secure the application, reduce corporate risk and meet audit and compliance requirements.
For less sensitive applications, IT should still have visibility into how and when those applications are used so that decisions can be made about the appropriate degree of management and control they require over time. While these applications are not directly managed by IT, organizations should ensure employees understand that sensitive or proprietary information should not be posted to them.
For some SaaS applications, cost control may be just as important as security. For example, many SaaS applications charge fees based on the number of user accounts each month. Because of this, it is important that accounts are maintained only for users who actively require that SaaS application to do their jobs and that those accounts are promptly removed when the user leaves the organization or no longer has a need for the application. As more and more applications move to the cloud, it will be important to know not just who can access applications, but whether workers are truly using the SaaS applications that the organization has licensed on their behalf.
Implementing IAM-as-a-Service
Now that we’ve discussed how IAM can help manage SaaS applications alongside on-premises resources, it’s important to delve into how IAM solutions can themselves be implemented “as-a-service”. Clearly, cloud computing is here to stay and is changing how IT and business users alike think about how we deploy, implement and consume technology across the enterprise. We have seen a continuous wave of traditional software tools moving to SaaS models, as vendors have begun to address the various requirements of enterprise-level SaaS. On the other hand, the shift to deploying complex enterprise software as-a-service is not always an easy one, especially for mission-critical infrastructure like IAM.
The good news is that as the industry begins to deliver more robust and enterprise-grade IAM-as-a-service (IDaaS) solutions, organizations will have more offerings at their disposal that allow them to manage all their apps – SaaS and on-premises apps alike – from the cloud. IDaaS adoption may take several years, and IDaaS may not be the right fit for every organization. Today, there is a small, growing number of organizations that want to move their IAM infrastructure to the cloud, but I expect those numbers to grow. In fact, according to Gartner, by the end of 2015, IDaaS will account for 25% of all new IAM sales, compared with 5% in 2012. At the end of 2012, the market for IDaaS was $180 million. By the end of this year, that number is expected to jump to $265 million.
That said, this is not an evolution that will happen overnight. Every organization must ensure it is ready for IDaaS before implementing the technology. IAM is a key component of enterprise mission-critical infrastructure, so it’s not the place to start “cutting your teeth” on SaaS. Below are three key criteria to evaluate whether your IAM needs align with an IDaaS model:
1. Is there widespread use of SaaS/cloud technologies across your organization?
Take a look at what your organization is currently doing with other SaaS applications. You need to determine if your organization is an early cloud adopter – i.e. if there are SaaS applications being deployed throughout the organization, including within the IT department. If the answer is yes, then IDaaS might be right for you. There are definitely organizations where this is not the case, especially in highly regulated industries. If your organization has taken a conservative stance on the cloud, then IDaaS is probably not the right choice.
2. Is reducing initial deployment and ongoing maintenance costs more important than the ability to tailor a solution to meet your current business process?
Many of our customers have complex infrastructures and use cases, and for them a highly tailored IAM solution deployed on-premises is probably the most realistic option. While IDaaS provides configuration options, it will not accommodate the level of customization that has been typical in IAM projects. You have to really examine if the trade-off is right for you - simplicity of deployment and lower cost of ownership over time versus a solution tailored to your specific use cases. If you’re willing to bend existing identity processes to conform to a more standardized approach, then IDaaS may be the path for you.
3. Are SaaS options becoming an executive mandate?
It has been well-documented that SaaS applications offer a whole list of benefits that appeal to C-level executives, including faster time to value, ease of use, and lower operational and upgrade costs. Due to this broad scope of benefits, we are starting to see IT teams that are required to consider SaaS every time they evaluate and purchase new software. If this is the case with IAM, be sure you are evaluating true SaaS offerings that provide the end-to-end solution you need. Many of the options available today are simply a hosted version of an on-premises IAM solution, which does not provide the benefits promised by SaaS.
Clearly, cloud computing is becoming an integral part of enterprise infrastructure, as more and more organizations adopt SaaS applications as part of their business strategy. However, the benefits of the cloud, from cost savings to speed to flexibility, can be negated if they leave a business exposed to security breaches and compliance issues. Successfully managing the adoption of SaaS applications requires a shift in IT’s role from that of a “gatekeeper” to that of an enabler. It also means a shift in how enterprises think about how they deploy and implement traditional applications.
IAM plays a critical role in addressing cloud security and compliance issues by providing a centralized, holistic approach to managing access for any enterprise application, regardless of whether it is deployed on-premises or in the cloud. Those who figure out how to combine the convenience of easy access to cloud applications in tandem with on-premises applications will gain the buy-in of business users, which will ultimately allow for IT oversight to protect assets and manage corporate risk. Today’s IAM, whether deployed on-premises or as-a-service, can help enterprises ensure they have the right controls in place to, ultimately, protect assets and manage corporate risk.