Achieving Compliance and Control of Software-as-a-Service and Cloud-Based Applications
A Whitepaper for IT/Business Decision-Makers
Streamlining the Management of End-User Access and Security of On-Demand Applications
An Independent Analysis by THINKstrategies
Sponsored by: Symplified
© THINKstrategies, Inc., 2008
Executive Overview
An unprecedented set of macro-market trends is reshaping the way companies of all sizes must
operate.
The advent of globalization and ecommerce has fundamentally changed the competitive landscape.
At the same time, advancements in mobile technology are allowing employees to work anywhere.
But, most importantly, the combination of escalating energy costs and increasingly turbulent capital
markets is forcing businesses to thoroughly reevaluate their operating budgets.
These forces are driving enterprises to pursue more effective ways to leverage business applications
to meet their corporate objectives and meet their changing operational requirements.
Companies can no longer afford the spiraling costs of deploying and maintaining traditional,
on-premise software applications which have seldom generated the return on investment (ROI)
anticipated.
Instead, a growing number of companies are adopting a new generation of ‘on-demand’,
Software-as-a-Service (SaaS) and ‘cloud’ computing alternatives to satisfy their rapidly changing
business needs.
These new SaaS and cloud computing solutions offer numerous business benefits, including:
· Limited upfront costs or risks
· Accelerated deployment
· Flexible “pay-as-you-go” pricing
· Lower support requirements
Although corporate receptivity toward SaaS solutions is growing, much of the actual adoption has
been done in an unplanned or ad hoc fashion by individual departments or even renegade
end-users.
The proliferation of unauthorized SaaS and cloud computing users within corporate environments is
raising concerns among IT and business executives, who focus on three key issues:
· Compliance
· Costs
· Security
This whitepaper will examine these business and IT management issues. We will describe the forces
driving the rapid growth of SaaS solutions and cloud computing services.
We will discuss the compliance, security and cost implications of these trends. And, we will show
how enterprises can ensure corporate compliance and security, and achieve greater operating
efficiency and cost-savings leveraging these on-demand services.
Software-as-a-Service & Cloud Computing Market Trends
SaaS and cloud computing services are experiencing rapid growth as businesses of all sizes
leverage these ‘on-demand’, pay-as-you-go services to achieve their corporate objectives in an
increasingly tough economic environment.
A THINKstrategies survey of over 100 companies conducted in November 2007, in conjunction with
Cutter Consortium, found nearly a third (32%) of the companies had adopted a SaaS solution, and
another 36% were considering SaaS solutions.
(See Figure 1.)

Figure 1. Percent of Companies Using or Considering SaaS. Source: THINKstrategies/Cutter Consortium 2007.

THINKstrategies’ and Cutter Consortium’s survey also found SaaS solutions are getting high
grades from users. Over 90% of current customers are not only satisfied with their SaaS
solutions, they plan to renew and expand their use of these on-demand applications.

As a result of the growing interest and acceptance of SaaS and cloud computing there
is a ‘gold-rush’ of SaaS and cloud computing providers targeting nearly every aspect of an
enterprise organization’s needs.
Over 800 companies are listed on THINKstrategies’ SaaS Showplace online directory offering SaaS
solutions in eighty (80) different horizontal and vertical market categories.
(www.saas-showplace.com) Gartner predicts 25% of software will be delivered via services by 2010.
Key Security and Compliance Issues Associated With SaaS Solutions and Cloud Computing Services
Enterprises adopting SaaS today are facing a number of security and compliance challenges:
1. Business units are adopting multiple, mission-critical SaaS applications, driving the need for
specialized management infrastructure that ensures availability and reduces complexity.
2. SaaS applications now contain confidential data and sensitive information which raises greater
concerns about enterprise risks, stronger security and greater access controls.
3. SaaS applications outside the firewall can’t be secured by perimeter defenses and internal access
controls in the same fashion as on-premises applications on a local area network (LAN).
4. Zombie accounts are becoming a common security risk: when an employee leaves or changes role, the
account in the SaaS application is often left active because its provisioning is not tied to the
enterprise directory, leaving a back door into the application and its sensitive data.
5. Compliance auditors are discovering critical data residing outside the firewall is not being
effectively tracked by traditional audit tools or ad-hoc approaches, like spreadsheets.
6. Unauthorized, or ‘cowboy’ purchasing of SaaS applications by business units and end-users
outside of IT creates new burdens to bring these ‘mushrooms’ under management control.
7. Enterprises want to integrate their existing IT infrastructure – Active Directory, LDAP,
applications – and IT processes – policies, procedures and practices – with cloud-based
alternatives, but there is a lack of security and integration expertise in-house.
8. Acquiring security technology is expensive and hard to deploy/maintain.
9. Recruiting security staff is difficult, and they are hard to retain.
10. Today’s economic environment is making it cost-prohibitive to make significant capital
investments or absorb additional operating expenses.

Figure: CRM, SFA, Payroll and HR SaaS silos, each reached separately over the Internet (labeled “Growth”).
Gaining Access Control and Streamlining Security for SaaS Solutions and Cloud Computing Services
There are a number of key considerations for scaling the adoption of SaaS applications and cloud
computing capabilities. In particular, businesses must more effectively manage security, streamline
compliance and simplify user access to SaaS and cloud-based applications.
Most companies do not have the in-house skills to address their escalating identity management
requirements. Rather than invest in these skills and deploy these sophisticated systems, enterprises
need to respond to the growing compliance, security and cost challenges of managing today’s SaaS
and cloud computing solutions with an equally flexible and effective access control and security
management strategy.
The ideal security and compliance platform should provide a unified understanding of corporate
policies and procedures from a centralized perspective. This platform should address the following
security, compliance and integrated management requirements.
Security
1. Access controls must be centralized and driven by policies. Access management is the ‘crown
jewel’ for achieving effective security, and is the first thing which should be addressed to meet
today’s compliance needs.
2. Audit and logging of user activity must be done centrally for consistency – across external SaaS
and internal protected applications. If a company can’t centrally audit access then it won’t be able
to identify all violations or show auditors that appropriate policies are being enforced in a
consistent fashion.
3. Centralized access controls tied to the authoritative directory eliminate zombie accounts and prevent
back-door access: disabling the user in the directory revokes access to every connected SaaS
application at once, instead of relying on someone remembering to remove the account in each one.
4. Centralized and streamlined security management eliminates siloed or redundant yet conflicting
access controls, authentication, auditing and compliance.
5. Single Sign-On (SSO) tools and methodologies can relieve users suffering from password fatigue, but
SSO by itself does not solve the broader security requirements above.
Compliance
1. While there are many complex and sometimes conflicting aspects of security and compliance, the
essence of compliance is simple:
a. Companies must assess risk and develop security policies to address unacceptable risk levels.
b. These policies must be implemented in the form of controls.
c. These controls must be consistently enforced.
d. Audit logs must be able to demonstrate enforcement of these policies/controls.

Figure: 401k, SFA and HR data stores reached over the Internet.
2. Securing access to confidential data, credit
information, personally identifiable information (PII), access controls/management, and user
authentication and authorization with logging of these events, are universally required by all
compliance regulations.
3. Preparing for an audit should not take weeks. With the right controls and audit tools, audits can
be done quickly, demonstrating compliance and minimizing the time and cost of an audit.
4. Forensic audits of suspected violations should also be quick and easy with good logging and
correlation tools, so the intrusion can be traced to its source and the exposure contained.
Streamlined Management Through Enterprise Integration
1. Extending existing IT infrastructure to address SaaS and cloud computing security and
compliance requirements can reduce administration costs and complexity.
2. By deploying management actions from a central location, security is strengthened via rapid
propagation of updates that reduce the window of risk.
3. The existing technology investment is leveraged to reduce the total cost of ownership (TCO) and
boost return on investment (ROI).
4. Including security and compliance integration considerations into the planning process reduces
unnecessary costs and problems.
5. Avoid silos of administration which create duplication and added costs from redundant
management systems.
6. Unified controls also strengthen security and compliance across SaaS, on-premise applications
and web portals.
Multi-tenant SaaS applications such as Salesforce.com, Workday and others do not allow
enterprise-specific code on their servers because it compromises the operational and
cost-efficiencies of their service delivery infrastructures.
Therefore, a SaaS security and compliance platform should integrate with the enterprise
infrastructure composed of Active Directory (AD), lightweight directory access protocol (LDAP),
legacy on-premise applications and relational databases with web services. It should permit access
management using on-premise Active Directory, LDAP repositories, and SQL databases, as well as
cloud-based data stores. Extend the enterprise Active Directory, or whatever authoritative directory
already exists, to manage users and access groups for the cloud.
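Reconciling each SaaS application’s user list against the authoritative directory, as the integration paragraph above and items 2 and 3 of the Security list call for, is the concrete check behind “eliminate zombie accounts”. The Python below is an added example, not code from the whitepaper or from Symplified: the directory export, the per-application user lists, the entitlement mapping and the audit-log lines are all constructed stand-ins, and the field names are assumptions rather than any real AD, LDAP or SaaS API schema.

```python
"""Reconcile SaaS user exports against the enterprise directory and flag logins
by accounts that should no longer exist.

Added example, not code from the whitepaper or from Symplified. The directory
export, SaaS user lists, entitlement map and log lines are constructed
stand-ins; nothing here talks to a real directory or SaaS API.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class DirectoryUser:          # assumed shape of a flattened AD/LDAP export
    email: str
    enabled: bool
    groups: frozenset


@dataclass(frozen=True)
class SaasAccount:            # assumed shape of a per-application user export
    app: str
    email: str
    active: bool
    last_login: Optional[datetime]


# Constructed directory export (the authoritative source of who is employed).
DIRECTORY = {u.email: u for u in [
    DirectoryUser("alice@example.com", True, frozenset({"sales", "crm-users"})),
    DirectoryUser("bob@example.com", False, frozenset({"crm-users"})),  # left; disabled in AD
    DirectoryUser("carol@example.com", True, frozenset({"hr"})),
]}

# Constructed per-application user exports, as a SaaS admin console would give them.
SAAS_ACCOUNTS = [
    SaasAccount("crm", "alice@example.com", True, datetime(2008, 5, 2)),
    SaasAccount("crm", "bob@example.com", True, datetime(2008, 4, 30)),   # zombie: disabled in AD
    SaasAccount("crm", "dave@example.com", True, datetime(2008, 1, 10)),  # zombie: never in AD
    SaasAccount("hr", "carol@example.com", True, datetime(2008, 5, 1)),
    SaasAccount("hr", "alice@example.com", True, None),                   # no HR entitlement, never used
]

# Policy (assumed): the directory group that entitles a user to each SaaS app.
ENTITLEMENTS = {"crm": "crm-users", "hr": "hr"}

# Constructed central audit log: "<iso-time> <app> <event> <user> <source-ip>".
LOG_LINES = [
    "2008-05-03T09:12:00 crm login alice@example.com 198.51.100.7",
    "2008-05-03T22:41:00 crm login bob@example.com 203.0.113.5",
    "2008-05-04T08:05:00 hr login carol@example.com 198.51.100.9",
]

AS_OF = datetime(2008, 5, 5)  # reporting date for the constructed data


def find_zombies(directory, accounts):
    """Active SaaS accounts whose owner is disabled in, or absent from, the directory."""
    return sorted((a.app, a.email) for a in accounts
                  if a.active and (a.email not in directory or not directory[a.email].enabled))


def find_unentitled(directory, accounts, entitlements):
    """Active accounts held by enabled users who lack the group that entitles them to the app."""
    return sorted((a.app, a.email) for a in accounts
                  if a.active and a.email in directory and directory[a.email].enabled
                  and entitlements[a.app] not in directory[a.email].groups)


def find_dormant(accounts, now, max_idle_days=90):
    """Active accounts never used, or idle longer than max_idle_days (candidates for removal)."""
    cutoff = now - timedelta(days=max_idle_days)
    return sorted((a.app, a.email) for a in accounts
                  if a.active and (a.last_login is None or a.last_login < cutoff))


def flag_zombie_logins(log_lines, zombies):
    """Correlate the central log with the zombie list: a login by a zombie is a finding to investigate."""
    zombie_set = set(zombies)
    findings = []
    for line in log_lines:
        ts, app, event, user, ip = line.split()
        if event == "login" and (app, user) in zombie_set:
            findings.append({"time": ts, "app": app, "user": user, "ip": ip})
    return findings


def reconcile(directory, accounts, entitlements, log_lines, now):
    """Build the report an auditor asks for: who has access they should not, and whether it was used."""
    zombies = find_zombies(directory, accounts)
    return {
        "zombies": zombies,
        "unentitled": find_unentitled(directory, accounts, entitlements),
        "dormant": find_dormant(accounts, now),
        "zombie_logins": flag_zombie_logins(log_lines, zombies),
    }


if __name__ == "__main__":
    for section, rows in reconcile(DIRECTORY, SAAS_ACCOUNTS, ENTITLEMENTS, LOG_LINES, AS_OF).items():
        print(section)
        for row in rows:
            print("   ", row)
```

Run as a script it prints the four sections of the report. In practice the directory side comes from an LDAP search of the authoritative directory and the application side from each SaaS provider’s user export or administrative API; the reconciliation logic does not change, and the zombie and unentitled lists, together with any login by a zombie account, are exactly the evidence item 1(d) of the Compliance list above says the audit logs must be able to produce.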
The platform should allow secure and federated single sign-on (SSO), including multi-domain SSO
using both Security Assertion Markup Language (SAML) and HTTP forms, to increase user convenience
and reduce password fatigue. It must support SSO across all domains using federation technologies
such as SAML where possible and HTTP forms as needed. SAML currently enjoys support from only 5% of
SaaS applications, so federation alternatives are needed. Note that forms-based SSO works by
replaying an application password the hub holds on the user’s behalf, so the hub must protect those
stored credentials as carefully as the directory itself, and the SaaS-side account still has to be
removed when the user is deprovisioned; with SAML the application trusts an assertion from the
enterprise identity provider instead, so no application password needs to exist to leak or replay.

Figure: Users, ID Router, SaaS Apps and the Internet.

Just as companies have discovered that it no longer makes sense to acquire, deploy and administer
their own on-premise applications when SaaS solutions can deliver quicker business benefits at a
lower total cost of ownership (TCO), a growing number of businesses are recognizing that they can
take advantage of SaaS-based identity management platforms to satisfy their access control and
compliance requirements.
Symplified is an emerging player led by a seasoned security management team that has developed
SinglePoint™, a secure hosted integration hub that secures access for SaaS and enterprise
applications.
Symplified’s enterprise-class KeyChain™ identity management service provides access
management, federated SSO and unified compliance reporting. KeyChain gives corporate
administrators centralized access control, authentication, and auditing capabilities integrated with
enterprise and cloud-based user repositories.
Summary and Recommendations
A combination of unprecedented market forces is driving companies of all sizes to fundamentally
restructure the way they do business. In many cases, these efforts have meant moving their
employees outside the four walls of traditional offices so they can be closer to customers and
partners.
An increasing proportion of these companies have begun adopting SaaS solutions and cloud
services to better serve their remote workers. While these web-based services offer the convenience
of anytime, anywhere access they also create a new set of security and compliance challenges for IT
managers and business executives.
These IT/business decision-makers are recognizing that it doesn’t make sense to buy and build their
own identity management systems to address these new challenges. Instead, they can take
advantage of a new generation of SaaS/cloud-based identity management platforms that offer
greater functional capabilities to meet their evolving needs. Companies can also gain the following
business benefits from these powerful new solutions as they address their security and compliance
needs:
· Faster time to value
· Lower upfront costs
· More flexible packaging and pricing
· Higher reliability and scalability
· Better ROI
This whitepaper was sponsored by Symplified.
About Symplified:
Symplified’s vision is to enable Enterprise 2.0 to adopt cloud computing by providing the identity
infrastructure for the On Demand world. Symplified was founded by the same management team
that created Securant, which pioneered the market for Web access management software and was
acquired for $140M by RSA Security. The company has developed revolutionary technology that
addresses the complexity and cost associated with monolithic software approaches to Web identity
management. Venture funding for the company was provided by Granite Ventures and Allegis
Capital. Symplified is headquartered in Boulder, Colo., with offices in Palo Alto, Calif. For more
information, visit www.symplified.com
About THINKstrategies, Inc.
THINKstrategies is a strategic consulting services company formed specifically to address the
unprecedented business challenges facing IT managers, solutions providers, and investors today as
the technology industry shifts toward a services orientation. The company’s mission is to help our
clients re-THINK their corporate strategies, and refocus their limited resources to achieve their
business objectives. THINKstrategies has also founded the Software-as-a-Service Showplace
(www.saas-showplace.com), an easy-to-use, online directory and resource center of SaaS solutions
from around the world organized into over 80 Application and Industry categories, and insights and
information regarding industry best practices. For more information regarding our unique services,
visit www.thinkstrategies.com, or contact us at info@thinkstrategies.com.