Achieving Compliance and Control of Software-as-a-Service and Cloud-Based Applications
- 1. A Whitepaper for IT/Business Decision-Makers Achieving Compliance and Control of Software-as-a-Service and THINKstrategies Cloud-Based Applications Streamlining the Management of End-User Access and Security of On-Demand Applications An Independent Analysis Sponsored by: © THINKstrategies, Inc., 2008
- 2. Achieving Compliance and Control of THINKstrategies SaaS and Cloud-Based Applications Executive Overview An unprecedented set of macro-market trends is reshaping the way companies of all sizes must operate. The advent of globalization and ecommerce has fundamentally changed the competitive landscape. At the same time, advancements in mobile technology are allowing employees to work anywhere. But, most importantly the combination of escalating energy costs and increasingly turbulent capital markets are forcing businesses to thoroughly reevaluate their operating budgets. These forces are driving enterprises to pursue more effective ways to leverage business applications to meet their corporate objectives and meet their changing operational requirements. Companies can no longer afford the spiraling costs of deploying and maintaining traditional, on-premise software applications which have seldom generated the return on investment (ROI) anticipated. Instead, a growing number of companies are adopting a new generation of ‘on-demand’, Software-as-a-Service (SaaS) and ‘cloud’ computing alternatives to satisfy their rapidly changing business needs. These new SaaS and cloud computing solutions offer numerous business benefits including, · Limited upfront costs or risks · Accelerated deployment · Flexible “pay-as-you-go” pricing · Lower support requirements Although corporate receptivity toward SaaS solutions is growing, much of the actual adoption has been done in an unplanned or ad hoc fashion by individual departments or even renegade end-users. The proliferation of unauthorized SaaS and cloud computing users within corporate environments is raising concerns among IT and business executives who are concerned about three key issues: · Compliance · Costs · Security This whitepaper will examine these business and IT management issues. We will describe the forces driving the rapid growth of SaaS solutions and cloud computing services. We will discuss the compliance, security and cost implications of these trends. And, we will show how enterprises can ensure corporate compliance and security, and achieve greater operating efficiency and cost-savings leveraging these on-demand services. © THINKstrategies, Inc., 2008 www.thinkstrategies.com p2
- 3. Achieving Compliance and Control of THINKstrategies SaaS and Cloud-Based Applications Software-as-a-Service & Cloud Computing Market Trends SaaS and cloud computing services are experiencing rapid growth as businesses of all sizes leverage these ‘on-demand’, pay-as-you-go services to achieve their corporate objectives in an increasingly tough economic environment. A THINKstrategies survey of over 100 companies conducted in November 2007, in conjunction with Cutter Consortium, found nearly a third (32%) of the companies had adopted a SaaS solution, and another 36% were considering SaaS solutions. (See, Figure 1.) Figure 1. Percent of Companies Using or Considering SaaS THINKstrategies’ and Cutter Consortium’s survey also found SaaS solutions are getting high grades from users. Over 90% of current customers are not only satisfied with their SaaS solutions, they plan to renew and expand their use of these on-demand applications. As a result of the growing interest and acceptance of SaaS and cloud computing there is a ‘gold-rush’ of SaaS and cloud computing providers targeting nearly every aspect of an enterprise organization’s needs. Source: THINKstrategies/Cutter Consortium 2007. Over 800 companies are listed on THINKstrategies’ SaaS Showplace online directory offering SaaS solutions in eighty (80) different horizontal and vertical market categories. (www.saas-showplace.com) Gartner predicts 25% of software will be delivered via services by 2010. Key Security and Compliance Issues Associated With SaaS Solutions and Cloud Computing Services Enterprises adopting SaaS today are facing a number of security and compliance challenges: 1. Business units are adopting multiple, mission-critical SaaS applications, driving the need for specialized management infrastructure that ensures availability and reduces complexity. 2. SaaS applications now contain confidential data and sensitive information which raises greater concerns about enterprise risks, stronger security and greater access controls. 3. SaaS applications outside the firewall can’t be secured by perimeter defenses and internal access controls in the same fashion as on-premises on a local area network (LAN). 4. Zombie accounts are becoming a common security risk, exposing SaaS applications and sensitive data to backdoor attacks through abandoned user accounts. 5. Compliance auditors are discovering critical data residing outside the firewall are not being effectively tracked by traditional audit tools or ad-hoc approaches, like spreadsheets. 6. Unauthorized, or ‘cowboy’ purchasing of SaaS applications by business units and end-users outside of IT creates new burdens to bring these ‘mushrooms’ under management control. © THINKstrategies, Inc., 2008 www.thinkstrategies.com p3
- 4. Achieving Compliance and Control of THINKstrategies SaaS and Cloud-Based Applications 7. Enterprises want to integrate their C R M existing IT infrastructure – Active Silo Directory, LDAP, applications – and IT wth INTERNET processes – policies, procedures and S FA o Gr practices - with cloud-based Silo alternatives, but there is a lack of Pay roll security and integration expertise in-house. Silo H R Silo 8. Acquiring security technology is aexpensive and hard to deploy/maintain. 9. Recruiting security staff is difficult and hard to retain. 10. Today’s economic environment is making it cost-prohibitive to make significant capital roh investments or absorb additional operating expenses. Gaining Access Control and Streamlining Security for SaaS Solutions and Cloud Computing Services There are a number of key considerations for scaling the adoption of SaaS applications and cloud computing capabilities. In particular, businesses must more effectively manage security, streamline compliance and simplify user access to SaaS and cloud-based applications. Most companies do not have the in-house skills to address their escalating identity management requirements. Rather than invest in these skills and deploy these sophisticated systems, enterprises need to respond to the growing compliance, security and cost challenges of managing today’s SaaS and cloud computing solutions with an equally flexible and effective access control and security management strategy. The ideal security and compliance platform should provide a unified understanding of corporate policies and procedures from a centralized perspective. This platform should address the following security, compliance and integrated management requirements. Security 1. Access controls must be centralized and driven by policies. Access management is the ‘crown jewel’ for achieving effective security, and is the first thing which should be addressed to meet today’s compliance needs. 2. Audit and logging of user activity must be done centrally for consistency – across external SaaS and internal protected applications. If a company can’t centrally audit access then it won’t be able to identify all violations or show auditors that appropriate policies are being enforced in a consistent fashion. 3. Centralized access controls can eliminate zombie accounts and prevent back-door access. 4. Centralized and streamlined security management eliminates siloed or redundant yet conflicting access controls, authentication, auditing and compliance. © THINKstrategies, Inc., 2008 www.thinkstrategies.com p4
- 5. Achieving Compliance and Control of THINKstrategies SaaS and Cloud-Based Applications 5. Single Sign-On (SSO) tools and methodologies can alleviate users suffering password fatigue, but doesn’t solve broader security requirements. Compliance 1. While there are many complex and sometimes conflicting aspects of security and compliance, the essence of compliance is simple: a. Companies must assess risk and develop security policies to address ta Da unacceptable risk levels. 401k 4 b. These policies must be implemented in ta Da the form of controls. S SFA c. These controls must be consistently INTERNET ta Da enforced. HR H d. Audit logs must be able to demonstrate enforcement of these policies/controls. 2. Securing access to confidential data, credit information, personally identifiable information (PII), access controls/management, and user authentication and authorization with logging of these events, are universally required by all compliance regulations. 3. Preparing for an audit should not take weeks. With the right controls and audit tools, audits can be done quickly, demonstrating compliance and minimizing the time and cost of an audit. 4. Forensic audits of suspected violations should also be quick and easy with good logging and correlation tools, so you can catch the hacker or minimize risk of exploitation. Streamlined Management Through Enterprise Integration. 1. Extending existing IT infrastructure to address SaaS and cloud computing security and compliance requirements can reduce administration costs and complexity. 2. By deploying management actions from a central location, security is strengthened via rapid propagation of updates that reduce the window of risk. 3. The existing technology investment is leveraged to reduce the total cost of ownership (TCO) and boost return on investment (ROI). 4. Including security and compliance integration considerations into the planning process reduces unnecessary costs and problems. 5. Avoid silos of administration which create duplication and added costs from redundant management systems. 6. Unified controls also strengthen security and compliance across SaaS, on-premise applications and web portals. © THINKstrategies, Inc., 2008 www.thinkstrategies.com p5
- 6. Achieving Compliance and Control of THINKstrategies SaaS and Cloud-Based Applications Multi-tenant SaaS applications such as Salesforce.com, Workday and others do not allow enterprise-specific code on their servers because it compromises the operational and cost-efficiencies of their service delivery infrastructures. Therefore, a SaaS security and compliance platform should integrate with the enterprise infrastructure composed of Active Directory (AD), lightweight directory access protocol (LDAP), legacy on-premise applications and relational databases with web services. It should permit access management using on-premise Active Directory, LDAP repositories, and SQL databases, as well as cloud-based data stores. Extend the enterprise Active Directory, or whatever authoritative directory already exists, to manage users and access groups for the cloud. The platform should allow secure and federated single sign-on (SSO), including multi-domain SSO using both Security Assertion Markup Language (SAML) and HTTP forms to increase user convenience and reduce password fatigue. It must support SSO across all domains using federation technologies such as ps ers Ap Us SAML where possible and HTTP aS Sa Internet Forms as needed. SAML currently enjoys support from only 5% of SaaS applications, so federation alternatives are needed. Just as companies have discovered that it no longer makes sense to r acquire, deploy and administer their ute Ro ID own on-premise applications when SaaS solutions can deliver quicker business benefits at a lower total cost of ownership (TCO), a ene h growing number of businesses are recognizing that they can take advantage of SaaS-based identity management platforms to satisfy their access control and compliance requirements. Symplified is an emerging player led by a seasoned security management team that has developed SinglePoint™, a secure hosted integration hub that secures access for SaaS and enterprise applications. Symplified’s enterprise-class KeyChain™ identity management service provides access management, federated SSO and unified compliance reporting. KeyChain gives corporate administrators centralized access control, authentication, and auditing capabilities integrated with enterprise and cloud-based user repositories. Summary and Recommendations A combination of unprecedented market forces are driving companies of all sizes to fundamentally restructure the way they do business. In many cases, these efforts have meant moving their employees outside the four walls of traditional offices so they can be closer to customers and partners. © THINKstrategies, Inc., 2008 www.thinkstrategies.com p6
- 7. Achieving Compliance and Control of THINKstrategies SaaS and Cloud-Based Applications An increasing proportion of these companies have begun adopting SaaS solutions and cloud services to better serve their remote workers. While these web-based services offer the convenience of anytime, anywhere access they also create a new set of security and compliance challenges for IT managers and business executives. These IT/business decision-makers are recognizing that it doesn’t make sense to buy and build their own identity management systems to address these new challenges. Instead, they can take advantage of a new generation of SaaS/cloud-based identity management platforms that offer greater functional capabilities to meet their evolving needs. Companies can also gain the following business benefits from these powerful new solutions as they address their security and compliance needs: · Faster time to value · Lower upfront costs · More flexible packaging and pricing · Higher reliability and scalability · Better ROI This whitepaper was sponsored by Symplified. About Symplified: Symplified’s vision is to enable Enterprise 2.0 to adopt cloud computing by providing the identity infrastructure for the On Demand world. Symplified was founded by the same management team that created Securant, which pioneered the market for Web access management software and was acquired for $140M by RSA Security. The company has developed revolutionary technology that addresses the complexity and cost associated with monolithic software approaches to Web identity management. Venture funding for the company was provided by Granite Ventures and Allegis Capital. Symplified is headquartered in Boulder, Colo., with offices in Palo Alto, Calif. For more information, visit www.symplified.com About THINKstrategies, Inc. THINKstrategies is a strategic consulting services company formed specifically to address the unprecedented business challenges facing IT managers, solutions providers, and investors today as the technology industry shifts toward a services orientation. The company’s mission is to help our clients re-THINK their corporate strategies, and refocus their limited resources to achieve their business objectives. THINKstrategies has also founded the Software-as-a-Service Showplace (www.saas-showplace.com), an easy-to-use, online directory and resource center of SaaS solutions from around the world organized into over 80 Application and Industry categories, and insights and information regarding industry best practices. For more information regarding our unique services, visit www.thinkstrategies.com, or contact us at info@thinkstrategies.com. © THINKstrategies, Inc., 2008 www.thinkstrategies.com p7