Wednesday 12 February 2014
Bridging Enterprise and Cloud in the shadow of Mr. Snowden
As the software industry and the way we procure enterprise software shift from on-premise with proprietary licensing to off-premise with a subscription, there is an emerging need to control the hybrid environment this creates. For small startups with fewer than a hundred people on the payroll, it's natural to leverage cloud services for file storage, customer relationship management, mail and calendar, etc., but if you look at older and/or bigger companies, there is often a mix of on-premise and off-premise deployments. Despite what the industry hype says, not everybody is in The Cloud, but many are taking tentative steps to explore this model.
Now, the problem that emerges from a hybrid environment is of course the issue of compliance and the regulatory concerns associated with shuffling identity data to SaaS providers, as well as the actual “shuffling” itself. It needs to be secure, in sync with any potential authoritative sources, and the appropriate logs need to be kept.
Whenever an enterprise outsources sensitive business information, such as personal information about employees, contractors and partners, to a SaaS vendor in the Cloud, there is a risk of data privacy issues and access control complexities, not to mention the risk of foreign governments accessing the information for reasons other than national security. This is especially relevant in light of the recent interview with Mr. Snowden, the NSA whistleblower, in which, asked whether or not the NSA is spying on Siemens, Mercedes or other successful German companies, he states that such information would be collected in the name of national interest:
“If there’s information at Siemens that they think would be beneficial to the national interests, not the national security of the United States, they’ll go after that information and they’ll take it.”
For companies and organizations embracing Cloud Services, it is critical that they not only enforce and monitor controls, but also make sure that users are who they claim to be and ensure that the appropriate entitlements within the SaaS application are managed. Looking at this from the other side of the fence, SaaS vendors want customers to be on-boarded quickly and securely, and to provide some of the capabilities the above concerns call for. This is where the need arises for Identity Bridges, or IDM systems that can manage both traditional enterprise applications and new SaaS applications.
Often in a hybrid environment, a local, on-premise authoritative source for employee data is present and managed by, e.g., the Human Resources department. Alternatively, there might be a directory of some sort, such as an LDAP directory or Microsoft's Active Directory. In these cases it's convenient if cloud services are simply seen as additions to the current infrastructure and do not require additional management, such as juggling exported CSV files from an HR system that need to be uploaded or, worse, having to manually onboard/off-board users to a cloud service.
However, Jonathan Lehr predicts that Identity and Entitlements will move beyond the Active Directory paradigm as we know it today, especially with tools such as Workday already storing employee data in the Cloud.
ForgeRock OpenIDM provides an extensive integration layer that spans both on-premise enterprise applications and systems and cloud-based SaaS solutions, such as Salesforce and Google Apps. This allows an enterprise to control the provisioning flow and ensure that entitlements are set according to applicable policies. Identities can be kept in sync using OpenIDM's discovery engine, reconciling and synchronizing down to the attribute level, while at the same time recording the provisioning activities for monitoring, regulatory and compliance reasons.
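To make concrete what attribute-level reconciliation with an audit trail looks like, here is an added example written for this post (it is not OpenIDM's code or API): an HR export acts as the authoritative source, a SaaS account list is the target, and the attribute mapping, record layouts and sample data are all constructed assumptions.

```python
"""Attribute-level reconciliation of an authoritative HR source against a
SaaS account store, with an audit record for every provisioning action."""
import json
from datetime import datetime, timezone

# Constructed HR export (authoritative) and SaaS account list (target).
HR_RECORDS = [
    {"emp_id": "1001", "mail": "anna@example.com", "dept": "Finance", "status": "active"},
    {"emp_id": "1002", "mail": "bo@example.com", "dept": "Sales", "status": "active"},
    {"emp_id": "1003", "mail": "cia@example.com", "dept": "Sales", "status": "terminated"},
]
SAAS_ACCOUNTS = [
    {"externalId": "1001", "email": "anna@example.com", "department": "Accounting", "active": True},
    {"externalId": "1003", "email": "cia@example.com", "department": "Sales", "active": True},
    {"externalId": "1004", "email": "orphan@example.com", "department": "Ops", "active": True},
]
# Assumed mapping: only these HR attributes ever cross the boundary to the SaaS provider.
ATTRIBUTE_MAP = {"mail": "email", "dept": "department"}


def reconcile(hr_records, saas_accounts):
    """Return the provisioning actions needed to bring the target in line
    with the source: create, update (attribute diffs) or disable."""
    source = {r["emp_id"]: r for r in hr_records}
    target = {a["externalId"]: a for a in saas_accounts}
    actions = []
    for emp_id, hr in source.items():
        desired = {ATTRIBUTE_MAP[k]: hr[k] for k in ATTRIBUTE_MAP}
        desired["active"] = hr["status"] == "active"
        acct = target.get(emp_id)
        if acct is None:
            if desired["active"]:  # never create accounts for leavers
                actions.append({"op": "create", "id": emp_id, "changes": desired})
            continue
        # Attribute-level diff: (old, new) for every attribute that differs.
        diff = {k: (acct.get(k), v) for k, v in desired.items() if acct.get(k) != v}
        if diff:
            actions.append({"op": "update", "id": emp_id, "changes": diff})
    # Orphans (no authoritative owner) are disabled, not deleted, pending review.
    for ext_id in sorted(target.keys() - source.keys()):
        if target[ext_id]["active"]:
            actions.append({"op": "disable", "id": ext_id, "changes": {"active": (True, False)}})
    return actions


def audit_lines(actions, run_id):
    """One JSON line per action for the compliance log."""
    ts = datetime.now(timezone.utc).isoformat()
    return [json.dumps({"run": run_id, "ts": ts, **a}) for a in actions]
```

Running `audit_lines(reconcile(HR_RECORDS, SAAS_ACCOUNTS), "run-1")` yields one log line each for the department correction, the new hire, the leaver being deactivated and the orphaned account being disabled.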
Now, of course, managing boundaryless identities is one thing, but there are still fears, especially among Europeans, that data stored in the Cloud could be vulnerable to foreign surveillance. Sensitive data flows quickly between servers, possibly in multiple countries, making it very complex to regulate and protect the data; but at least with the appropriate tools, proper Identity Management can be done.