Cloud or SaaS applications are increasingly used in enterprises. This is a strong market trend, as this technology makes it easier to provide applications and helps service providers be closer to their consumers, with no need to go through IT.
Enterprises must take these new application management modes into account. Companies are decentralised and, even though these applications offer state-of-the-art interfaces, the people in charge of them have to manage users "manually", which is a potential source of errors. The consequences of this type of management are well known, both in terms of security (passwords forgotten by users, multiple dormant accounts, weak password policies creating security holes) and in terms of cost (the price of the service depends on its usage). An IAM (Identity & Access Management) solution that integrates support for cloud or SaaS applications is key, as it gives control to the people operating at a functional level.
How to perform cloud provisioning?
Today there is no single standard for managing the provisioning of SaaS applications. The SPML (Service Provisioning Markup Language) standard has failed in this segment. As for the SCIM (System for Cross-domain Identity Management) standard, it is currently rarely used, even by those who promote it (Google, Ping Identity and Salesforce, for example, do not use it for their own application provisioning), or it is used as a marketing argument by new entrants on the IAM market. Nevertheless, the SCIM standard, which will be enhanced in version 2.0, offers many advantages for the future: it is easy to use via its REST interface, it is easier to configure than SPML, and it provides more possibilities for defining users.
As a matter of fact, provisioning management for these applications is based on non-standard connectors, for example:
· The provisioning of Office 365 and Exchange Online is really operational only through the PowerShell APIs; the REST interface is used mainly for queries. The difficulty lies in mastering the execution of PowerShell from the dedicated Microsoft servers.
· Salesforce is interesting from an account creation perspective, as creation can be performed on the fly, at connection time. This requires identity federation: the identity server passes the Salesforce service the parameters required to create the user, thus performing Just-In-Time (JIT) provisioning. Account modifications and deletions, however, must be handled through the REST API.
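Added example (not code from the original post or from any vendor mentioned) of what a centralised IAM connector does when it reconciles an HR source of truth against a SaaS application through SCIM's REST interface: users missing on the SaaS side get a SCIM 2.0 User resource to create, and accounts that are still active in the application but no longer active in HR (the dormant accounts mentioned above) get a PATCH that deactivates them. The schema identifiers are the SCIM 2.0 ones from RFC 7643/7644; the HR records, the SaaS account list and the in-memory apply_patch (standing in for the provider's SCIM endpoint) are constructed for this example.

```python
# SCIM 2.0 identifiers (RFC 7643 / RFC 7644)
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

def build_scim_user(hr):
    """Map one HR record (constructed sample format) to a SCIM 2.0 User body for POST /Users."""
    return {
        "schemas": [USER_SCHEMA],
        "userName": hr["email"],
        "name": {"givenName": hr["first"], "familyName": hr["last"]},
        "emails": [{"value": hr["email"], "primary": True}],
        "active": hr["status"] == "active",
    }

def deactivate_patch():
    """SCIM PatchOp body for PATCH /Users/{id}: keeps the account (and its audit trail) but blocks login."""
    return {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}

def apply_patch(resource, patch):
    """Minimal stand-in for the SaaS side: applies 'replace' operations on top-level attributes."""
    if PATCH_SCHEMA not in patch.get("schemas", []):
        raise ValueError("not a SCIM PatchOp")
    out = dict(resource)  # never mutate the caller's copy
    for op in patch["Operations"]:
        if op["op"] != "replace" or "path" not in op:
            raise ValueError(f"unsupported operation: {op}")
        out[op["path"]] = op["value"]
    return out

def reconcile(hr_records, saas_users):
    """Compare HR (source of truth) with the SaaS account list, keyed by userName.
    Returns {"create": [User bodies to POST], "deactivate": [userNames to PATCH]}."""
    wanted = {r["email"]: r for r in hr_records if r["status"] == "active"}
    present = {u["userName"]: u for u in saas_users}
    create = [build_scim_user(r) for name, r in wanted.items() if name not in present]
    # Active in the SaaS app but no longer active in HR: a dormant account to deactivate.
    deactivate = [name for name, u in present.items() if u.get("active") and name not in wanted]
    return {"create": create, "deactivate": deactivate}

# Constructed sample data: three HR records, two existing SaaS accounts.
HR = [{"first": "Ana", "last": "Lopes", "email": "ana@example.com", "status": "active"},
      {"first": "Bo", "last": "Chen", "email": "bo@example.com", "status": "active"},
      {"first": "Cy", "last": "Dent", "email": "cy@example.com", "status": "left"}]
SAAS = [{"id": "u1", "userName": "ana@example.com", "active": True},
        {"id": "u3", "userName": "cy@example.com", "active": True}]
```

Running reconcile(HR, SAAS) yields one account to create (bo@example.com) and one to deactivate (cy@example.com); the same comparison is what lets a central IAM tool apply one policy to cloud and internal applications alike.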
How to implement cloud provisioning in enterprises?
Cloud computing revolutionises business practices and the way enterprises use and manage their services. Identity management must continue to guarantee the company’s security policy, which must be unique and centralised while remaining flexible. Tools that handle identity management for cloud computing only are on the wrong track (or simply not good enough). Identity management tools must be adapted to manage cloud applications in the same way as internal applications. The level of service and ease of use of identity management functions do not depend on the location of the servers!
We should also mention how Identity Federation mechanisms can also strengthen the security of these systems. This will be the topic of a future post.
As a conclusion, IAM solutions have a great future because if we want to control security and costs, we must be able to manage internal as well as external users – internal and external service consumers – in the best possible way.