Cloud First IT: Managing A Growing Network of SaaS Applications
SaaS Adoption and Cloud First IT
The adoption rate of cloud-based or Software as a Service (SaaS) applications has increased dramatically. Just a few years ago, small groups in IT organizations started experimenting with applications like Salesforce.com, WebEx, and NetSuite. Many of those trials have now transitioned into enterprise-wide deployments that store critical information and power core business processes. Today, the majority of small and midsize businesses (SMBs) have enacted SaaS or Cloud First IT policies. In fact, a recent market survey by Goldman Sachs highlighted that 70 percent of SMBs always consider a SaaS option and 58 percent prefer a SaaS option, if available. The move to the cloud is definitely on.
The Rise of the Cloud Services Network
The move to the cloud is driving significant change across enterprise IT organizations. Fundamentally, IT is transforming from a managed set of applications and data residing behind the firewall, to a set of distributed services subscribed to and accessed from the cloud. As a result, the LAN of the 90s is giving way to the cloud services network of today.
90s: Local Area Networks
• Apps ran behind firewalls and real walls
• Served a well-defined set of users
• Two access points to secure: front door, VPN
Today: Cloud Services Networks
• Services running in the cloud
• Serving a highly distributed set of users
• Must secure access from anywhere, at any time
Unlike a LAN, a cloud services network powers a federated collection of on-demand services provided by a variety of vendors for a set of highly distributed users—all in a business environment where IT services power mission-critical systems that must be available to users from anywhere at any time.
Challenges of Running a Cloud Services Network
The on-demand applications and services that make up a cloud services network enable companies to rapidly deploy powerful capabilities to a broad set of users at very low costs. However, this accessibility introduces a new set of organizational and technical challenges.
Controlling Access to Applications and Data
Controlling who is granted access to which applications and data becomes a real challenge when users can get access from any browser, at any time, from any place. This is exacerbated by the purchasing and approval process that is unique to cloud applications today. IT is no longer required to deploy the hardware and install, configure, and manage the software. As a result, the purchase of a new cloud application is often made directly by the user or business unit head. In this case, the immediate business needs and technological benefits of moving to the cloud are frequently put ahead of ensuring information security.
In fact, a 2010 Ponemon Institute survey of 637 IT security professionals in midsize to large enterprises found that:
• 53 percent of respondents indicated that there is no security evaluation of cloud computing services before they’re deployed by business users.
• In the cases where there was a security evaluation, 78 percent of the time users or business unit heads are responsible for that evaluation, with corporate IT being involved only 11 percent of the time.
• 80 percent of respondents said security team members were rarely or never involved in the decision making process about purchasing and deploying a cloud application.
Security challenges multiply as partnerships, mergers, divestitures, and employee terminations dynamically affect who the users are, what they have access to, and whether their existing access to applications and data should be eliminated completely.
In addition to these organizational challenges, the problem is technically exacerbated by the fact that every SaaS application has its own model for administering users, and that the models usually do not integrate well with typical user management behind a firewall.
IT organizations need a solution that can help them assume a leadership role in cloud computing decisions and drive more secure deployments of SaaS applications.
Addressing User Password Fatigue
The SaaS model makes it easier for users to initially access an application; but with the growing number of applications in use, complexity has quickly increased. Each application has different password requirements: one might require that a password be at least seven characters and contain one number while another may only require six characters that can be any combination of numbers and letters. In addition, password expiration cycles vary—some require a monthly or quarterly reset, while others require a reset due to changing URLs.
Integrating with On-Premises Directories
SaaS applications were developed with their own user directories so that they could adequately control direct access to their service. In the majority of enterprises, Microsoft Active Directory (AD) is the user directory that governs access to core IT systems behind the firewall.
In a cloud services network, independent user directories cause complication and pain for both IT organizations and users. Users have to remember passwords for their Windows network and each SaaS app. IT has to manage user accounts in Active Directory and the SaaS applications, and is challenged with mapping AD users to the corresponding accounts in the SaaS applications.
IT needs a single integration with Active Directory that is synchronized and federated with all of the SaaS applications in their cloud services network.
Managing ROI and Compliance
Cloud computing and SaaS applications have fundamentally changed the role IT plays within the business. As determined by the Ponemon Institute survey, many on-demand vendors no longer involve IT as a primary player in their sales process. In fact, many vendors purposely avoid IT and focus instead only on the relevant business leader or user.
In organizations that have matured their usage or dramatically grown the scale of their initial deployments, IT is often brought in after the fact to drive some level of integration with existing IT infrastructure or business processes. To move into a more proactive relationship with the business, IT needs to deliver value above and beyond integrating and managing systems after they are purchased.
Traditionally, businesses acquired software with large upfront payments and then paid for a perpetual license with a small recurring maintenance fee. IT’s only responsibility was to deploy the software, train users, and manage the software on behalf of the business.
Recurring software costs were not highly correlated to actual usage. But with the advent of monthly, per-user pricing models, subscription prices are 100 percent correlated with usage—both in terms of number of users and breadth of functionality.
By better understanding actual usage and utilization, IT can partner more effectively with their business counterparts to manage ROI and make better financial decisions about the applications that have a material effect on the business.
In addition, with increasing regulatory scrutiny, it’s critical that IT is able to address compliance pressures. They must constantly monitor which users have access to which SaaS systems and with what privileges, as well as who is actually using those privileges and how. IT must also be able to rapidly react as user status changes, such as automatically de-provisioning a user’s access when they leave the company and providing an audit trail of those actions.
Okta: Covering Your Cloud
Okta develops the capabilities enterprises need to manage the transition to a cloud-first infrastructure—something that we believe is foundational to the future of corporate IT.
Companies that are using just one or two cloud applications can afford to think about their network in more traditional ways—with a behind-the-firewall focus, leveraging legacy domain controllers, directories, firewalls and VPN technologies.
But enterprises that have moved beyond initial SaaS deployments and into broad cloud application adoption require a solution to help them adopt, deploy, secure, and manage these services. That solution should itself be built from the ground up as a highly reliable, scalable, secure, on-demand service.
Okta’s initial offering is an on-demand identity and access management service that enables enterprises to accelerate the secure adoption of web-based applications, both in the cloud and behind the firewall.
A complete, turnkey solution, it addresses the needs of IT, users, and business leaders across the company.
Users: One Destination for All of Their Applications
Adding new users to Okta is as easy as adding a user to any other SaaS application. Once activated, each user receives a customized home page providing single sign-on (SSO) across applications, and self-service across applications and credentials. Users can access their home page across browsers and devices, and the entire home page and individual applications are easily integrated into a custom portal.
IT: Secure, Integrated Control Across People and Applications
Okta provides one service from which IT can manage people, applications, and policies across all cloud and web applications. An administrative dashboard contains a summary of key usage and activity statistics, notifications of any problems or outstanding work to be completed, and shortcuts to the most commonly performed tasks.
A central directory provides a view of both people and the identities they are mapped to in all of their web applications. Adding applications is as simple as selecting a pre-integrated application from the Okta Application Network and performing the additional configuration that is specific to your organization. Each application has its own administrative home page, which provides a summary of the current integration settings across SSO and user management, as well as a view of recent log activity and users who currently have this application assigned to them.
Executives: Insight to Maximize ROI and Minimize Risk
Okta offers a centralized system log that captures a comprehensive set of activity events across both Okta and the integrated applications spanning authentication, application state changes, and user provisioning and management.
Okta also includes a full reporting experience that spans all integrated applications—no separate reporting solution needed. Out-of-the-box reports help you track activity, ensure compliance, and monitor application usage and ROI. Key reports include User Activation, User Activity, User Access, Application Usage, User Provisioning, and De-Provisioning. Reports can be scheduled for distribution and data is easily exported for use outside of Okta.
As a complement to the de-provisioning reports, Okta also offers an end-to-end de-provisioning workflow that informs an administrator when a user has been deactivated, indicates which applications they have automatically been deactivated from, and helps the administrator finalize any manual user account deactivation. All deactivation activity is tracked in a central audit log for compliance purposes.
Cover Your Cloud with Okta Today
The move to the cloud is on. Cloud-first IT organizations need a solution to help them adopt, deploy, secure, and manage their cloud services networks. Okta is that service. A 100-percent on-demand service itself, Okta requires no upfront investments in hardware, software, or development time, and it offers a consumer-like experience for both users and administrators. An initial deployment can happen in minutes, not months.
Getting Started with Your Free Trial
To discover how Okta can help you secure and manage your cloud services network, visit www.okta.com/freetrial to get started.