Top 9 Identity & Access Management Challenges with Your Hybrid IT Environment
The Importance of Identity for SaaS Applications
The enterprise cloud revolution is here. IT organisations everywhere, from small and mid-sized businesses to Fortune 500 companies, are moving from on-premises software to on-demand, cloud-based services. As enterprise IT adopts more cloud systems while keeping on-prem solutions, controlling who is granted access to which applications becomes increasingly important. This presents CIOs and their teams with a whole new set of identity management challenges. In addition, users must keep track of multiple URLs, user names, and passwords to get access to their applications from ground to cloud. IT’s role is also fundamentally changing. As the steward of these new services, IT must provide insight and advice about Software-as-a-Service (SaaS) products to ensure the company is maximising the business value of their investments, all while keeping on-prem systems secure and accessible from anywhere.
There are nine main identity and access management (IAM) challenges associated with adopting cloud and SaaS applications while keeping on-prem systems safe, as well as best practices for addressing each of them.
1. User Password Fatigue
Although the SaaS model initially makes it easier for users to access their applications, complexity quickly increases with the number of applications. Each application has its own identity store, with its own login URL and password requirements. This proliferation of credentials results in diminished user productivity and increased user frustration as users spend time trying to reset, remember, and manage these constantly changing passwords and URLs across all of their applications.
Perhaps of even greater concern are the security risks caused by users who react to this “password fatigue” by using obvious, insecure passwords or reusing the same passwords across multiple systems. Worse yet, these credentials are usually written down on Post-it notes or saved in an insecure text document on their laptop.
Cloud-based IAM services can alleviate these concerns by providing single sign-on (SSO) across all of these applications, giving users a central place to access all of their resources with a single username and password. A great SSO solution can connect equally well to both cloud applications and on-premises applications, which is critical as many organisations will need to enable access to both types of applications.
The majority of enterprises use Microsoft Active Directory (AD) as the authoritative user directory that governs access to basic IT services, such as email and file sharing. AD is often also used to control access to a broader set of business applications and IT systems. The right on-demand IAM solution should leverage Active Directory, and allow users to continue using their AD credentials to access SaaS applications—this increases the likelihood that users will find the newest and best SaaS applications their company provides them.
2. Failure-Prone Manual Provisioning and Deprovisioning Process
When a new employee starts at a company, IT often provides the employee with access to the corporate network, file servers, email accounts, and printers. Since many SaaS applications are managed at department level (e.g. Sales Operations manages Salesforce.com), access to these applications is often granted separately by the specific application’s administrator, rather than by a single person in IT.
Given their on-demand architecture, SaaS apps should be easy to centrally provision. A modern IAM solution should be able to automate the provisioning of new SaaS applications as a natural extension of the existing onboarding process. When a user is added to the core directory service (such as Active Directory), their membership in particular security groups should ensure that they are automatically provisioned with the appropriate applications and given the access permissions their role would be entitled to.
An employee termination is almost certainly a bigger concern. IT can centrally revoke access to email and corporate networks, but it has to rely on external application administrators to revoke the terminated employee’s access to each SaaS application. This leaves the company vulnerable—critical business applications and data are in the hands of potentially disgruntled former employees, while auditors look for holes in your deprovisioning processes.
A strong IAM solution should not only enable IT to automatically add new applications, but it should also provide:
- Automated user deprovisioning across all applications
- Deep integration with all user stores including Active Directory and LDAP
- Clear audit trails
The IAM service should provide organisations with the peace of mind that once an employee has left the company, the company’s data hasn’t left with them.
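The group-driven provisioning and deprovisioning described above, as an added example that is not part of this paper or any vendor's product: the authoritative directory's security groups define which SaaS accounts each active user should hold, a reconciliation diffs that against what each application currently has, and every resulting action is written to an audit trail. The group names, application names and users are constructed sample data.

```python
from dataclasses import dataclass, field

# Which SaaS apps members of each directory security group are entitled to.
# Constructed sample mapping; group and app names are hypothetical.
GROUP_APPS = {
    "Sales-Ops": {"salesforce"},
    "All-Staff": {"email", "fileshare"},
    "Finance": {"erp"},
}

@dataclass
class Directory:
    """Stand-in for the authoritative user store (e.g. AD): user -> groups.
    Users in `disabled` are leavers whose accounts IT has disabled centrally."""
    groups: dict
    disabled: set = field(default_factory=set)

def desired_accounts(directory):
    """Return app -> set of users entitled to it by active group membership."""
    desired = {app: set() for apps in GROUP_APPS.values() for app in apps}
    for user, groups in directory.groups.items():
        if user in directory.disabled:
            continue  # a terminated user is entitled to nothing, in any app
        for group in groups:
            for app in GROUP_APPS.get(group, ()):
                desired[app].add(user)
    return desired

def reconcile(directory, current):
    """Diff desired vs current accounts per app; return (actions, audit).
    Accounts held by anyone not entitled (leavers, orphans, people who left
    a group) are deprovisioned; missing entitled accounts are provisioned."""
    desired = desired_accounts(directory)
    actions = []
    for app in sorted(set(desired) | set(current)):
        have, want = current.get(app, set()), desired.get(app, set())
        actions += [("provision", app, u) for u in sorted(want - have)]
        actions += [("deprovision", app, u) for u in sorted(have - want)]
    audit = [f"{verb} {user} on {app}" for verb, app, user in actions]
    return actions, audit

def demo():
    """Constructed scenario: bob has been terminated, carol is a new joiner."""
    directory = Directory(
        groups={"alice": {"All-Staff", "Sales-Ops"}, "bob": {"All-Staff", "Finance"},
                "carol": {"All-Staff", "Sales-Ops"}},
        disabled={"bob"})
    current = {"salesforce": {"alice", "bob"}, "email": {"alice", "bob"},
               "fileshare": {"alice"}, "erp": {"bob"}}
    return reconcile(directory, current)
```

Running `demo()` yields three deprovision actions for bob (email, erp, salesforce), three provision actions for carol, and nothing for alice, each mirrored as an audit line.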
3. Compliance Visibility: Who Has Access to What?
It’s important to understand who has access to applications and data, where they are accessing it from, and what they are doing with it. This is particularly true when it comes to cloud services. However, only the most advanced offerings like Salesforce.com offer any compliance-like