Companies today are feeling the pressure to make it easier for end users to get access to a rapidly growing number of SaaS applications. Couple that with the emergence of bring your own device (BYOD) and shadow IT/bring your own app (BYOA) on the end user side, and you can see how the challenge of giving users convenient access to the applications they want, from whatever device they want to use, from wherever they choose to access them, is growing rapidly. However, while many companies are focusing on the “convenience” side of the equation, they’re forgetting the need to provide this access in a secure and compliant manner. Failing to do so creates significant security vulnerabilities for the organization.
In fact, history is in the process of repeating itself: it’s like the year 2000 all over again. At that time, the nascent identity and access management (IAM) market was dominated by web access management (WAM) vendors who provided single sign-on (SSO) for companies under pressure to help end users get easy access to the explosion of web applications in their environments. It’s understandable that companies were trying to address end user requests for convenient access to all the new productivity web apps.
But after the initial proliferation of web applications, organizations realized they had created a new population of access points that required the IAM disciplines needed to address the secure and efficient on-boarding and off-boarding of users into those applications. That’s when companies like Waveset (my first company) started providing the market with much-needed identity administration capabilities. But our focus was really on supporting the “A” part of what is now called identity governance and administration (IGA). The “G”, or governance, aspect was not the primary driver for the market at the time. That came much later, with the emergence of legislation mandating that companies take due care in protecting sensitive digital assets and, later still, with the realization that identity governance needs to be at the center of cyber-security strategies.
What’s wrong with the current picture?
Without a doubt, many companies need a solution that allows users to quickly and conveniently log in to SaaS applications – hence the initial focus on SSO solutions. However, as history proved, solving this tactical IAM problem will not ensure that security, compliance, and business enablement goals are met. I’ve heard from numerous organizations recently that bought an SSO solution to address end user frustrations, only to realize that they now have to re-evaluate the SSO product’s capabilities as part of their IAM strategy, oftentimes resulting in wasted time and resources.
These organizations aren’t alone. In fact, for organizations looking for a more strategic IAM-as-a-service program (IDaaS, also referred to as a cloud-based IGA program), SSO may not be the most effective starting point. While it’s easy to understand why organizations think that their challenges begin and end with SSO (it’s what the end users are asking for, after all), we should be in a phase of maturity where organizations understand that both the “G” and the “A” (governance and administration) are just as important for SaaS applications as they were for web applications before them, and for client-server applications before that. At the same time, managing the new SaaS environment in conjunction with all the other applications and data in a hybrid IT environment is the right strategy to undertake.
Bringing Maturity to IDaaS
There are three defining capabilities that an IDaaS solution must possess:
- See everything. You need visibility into all the information about an identity, across all the applications an enterprise uses, all the data it holds, and all its users – no matter where they are located or what devices they may use.
- Govern everything. You need to know who does have access, who should have access, and what users are doing with that access, across all your applications, all your users and all your data.
- Empower everyone. You need to enable your users to work how they like to work, wherever they are and on whatever device they want to use.
Therefore, in terms of strategy, organizations need to consider the bigger IAM picture, asking these three questions when putting their IDaaS plans together:
- Where do we start to build an effective IAM program, balancing the need to enable users and to meet our security and compliance needs?
- Which solutions are capable of managing our entire IT environment, spanning cloud systems and SaaS applications as well as on-premises systems and applications?
- What approach will ensure a straightforward deployment and be easier for our business and technical staff to use?
With the answers to these questions in mind, enterprises can create a strategy that centralizes the management of users and applications across ALL IT environments: legacy, on-prem, private and public cloud, and SaaS. This is absolutely necessary to give enterprises a complete view of their identity environment, and it avoids silos of identity management – where one solution governs one set of applications and another solution manages a different set.
By taking a step back to understand what ALL of the components of IDaaS are, and then outlining how a cloud-based IGA solution can help expedite a company’s shift to the cloud, organizations are in a much better position to make that shift efficiently, effectively and, importantly, securely. The great thing about history is that we can learn from the past in order to avoid repeating the same pitfalls in the future.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.