2012: Cloud and SaaS To Drive Need for Enterprise-wide Identity, Access Management

January 31, 2012, by David
Grazed from Developer Integration News. Author: Vance McCarthy.

The explosive success of cloud computing, especially SaaS, will spark searches in 2012 for better ways to ensure security, privacy and enterprise-wide identity and access management, said Darren Platt, CTO and co-founder of Symplified.

Researchers have noted that cloud security is attracting more interest from IT. For 2012, IDC predicts that as many as 80% of all new commercial apps will be deployed from cloud platforms. Further, Forrester Research predicts that by the end of 2012 enterprises that tap into the cloud will be using 10 or more cloud-based services or SaaS applications…

Platt said these trends are creating access control, single sign-on, integration and audit challenges for organizations. “In 2012, we see convergence – the seamless combination of identity across platforms and mobile devices creating breakthrough user experiences – as the big theme,” he said.

“The cloud is rapidly creating identity management silos,” Platt told IDN. “Companies are managing their users within each SaaS app individually, but they have no central point of control, and current eDiscovery methods have no way to audit what they did.” Another factor complicating end-to-end identity management will be enterprise mobility, particularly BYOD (bring your own device) policies, Platt added.

Single sign-on (SSO) authentication is an important component of a complete identity management solution, but companies need more, Platt said. “They also need to enforce access policies seamlessly between on-premise and SaaS or cloud services, and they also need to have capabilities to audit those applications,” he said.

Despite a number of security standards (e.g. WS-*, SAML and XACML, among others), none of them today delivers an easy, low-cost approach to unified identity management across legacy, web, cloud and mobile, Platt added.

“Passing a company’s Active Directory credential to a third party security provider is a non-starter,” Platt said. “And, asking customers to copy their whole Active Directory into another infrastructure doesn’t work either.”

So, Platt’s vision is that the key to solving today’s identity sprawl problem lies in revisiting web access management (WAM) technologies and principles first learned more than a decade ago, when end-to-end security management spanned legacy, on-premise and web applications and data.

“Access and identity management in principle is largely the same problem it was back then when we were looking to unify traditional software and the web,” Platt said. “Today, it’s happening for SaaS apps. And, we know from that experience, that adding a federated single sign-on solution isn’t enough.”

He also contends that current cloud-focused extensions to web access management solutions developed by larger vendors prove too expensive for many customers, and are often unable to address the nuances of security in cloud architectures.

One metaphor Platt used to explain how Symplified works comes from the pre-Internet world of EDI and VANs (value added networks). In that world, VANs would know the mappings and semantics of items to be transmitted between enterprises, such as purchase orders. “That’s very much a good analogy for what we do, as we’re acting as a [security] broker between the enterprise and SaaS, cloud or even mobile apps,” he said. “We deliver access management as a service, which reduces costs and won’t compromise their own internal security practices.”

Because not all customers will want to go 100% cloud for their identity management, Symplified’s proxy-based approach allows enterprises to deploy its Identity Router on-premise, via a managed physical or virtual appliance that runs in their own domains without ever going to the Symplified data center.

“Either way, we don’t see anything your users do, what we do is provide authentication management in multi-tenant [mode] and enforcement in single-tenant [mode],” Platt said.

Symplified’s approach to unifying identity management across on-premise and cloud applications uses proxies that sit between the end user’s browser and the application. The proxy authenticates the customer’s users, and the enterprise can also authenticate its users against its own repository. Symplified’s Identity Router can then authorize the proxies for access to other SaaS, cloud or mobile assets in the blind – without the customer needing to share or transfer access credentials to a third-party cloud provider.

This architecture avoids the need for identities or other security components to be migrated or tightly coupled at either end. Symplified’s proxies, which can run in an on-premise data center or in Symplified’s Amazon data center, are what allow the company to enforce authentication without a deep level of integration. End-to-end communication between apps is performed by adapters that connect each application to the Symplified broker. Symplified also offers a wizard-driven toolkit that lets customers build their own custom connectors.

Symplified is Amazon’s authorization partner. “There is a certain level of complexity in identity management that Amazon chooses not to make,” Platt said. “We’ve invested in a web access management for SaaS as a service. So, the routers can be deployed as single tenant components and we have a multi-tenant cloud that manages it all.”

Many of the members of today’s Symplified team helped develop a web access management solution at Securant Technologies, which was acquired by RSA in 2001.