Increasingly, organizations are turning to Software as a Service (SaaS) as a way to address business needs without taking on the burden of managing and maintaining the application. As the SaaS customer, you must obtain assurance that the provider is adequately protecting the data of yours that it holds. But when it comes to integrating the cloud-based application with your on-premises applications, identity and access management is your responsibility.
Integrating SaaS and on-premises applications doesn't change security practices so much as raise a broader question of governance. It becomes a question of "How do you establish the policies for who can use the cloud resources as well as how to use them," says Jason Bloomberg, president, ZapThink, a Dovèl Technologies company.
"The primary consideration has to do with identity management. If you have a third-party SaaS application, it's not going to be aware of all your internal users' identities and permissions," says Bloomberg. For example, a SaaS application may provide access controls, but they won't be the same controls the organization uses internally.
Furthermore, organizations that integrate SaaS applications with on-premises applications risk "exposing access credentials that would give a malicious party access to on-premises resources," says Scott Crawford, managing research director of Enterprise Management Associates. "You want to protect credentials from being exploited in that way."
When an on-premises application needs to interact with a cloud-based application, the on-premises application needs to "tell" the cloud-based application that the user is indeed properly authorized to do whatever it is he or she is trying to do. This is a matter of passing the authorization token to the cloud, explains Bloomberg. However, this isn't as simple as it sounds, because the cloud doesn't always understand the authorization method the customer uses.
"Cloud providers have varied support for fine-grained control of user provisioning for establishing permissions for various capabilities. Typically, a SaaS provider will provide a customer with one login or allow you to go into their system and provision users. That's set up differently from your internal user context. That becomes the challenge. How do you extend your own identity management to the cloud?" says Bloomberg.
In some cases, the SaaS provider may offer the capability to use enterprise identities to access its application. For example, Salesforce recently introduced Salesforce Identity, which provides a single trusted identity that can be used to access all enterprise applications. However, not all SaaS providers offer this capability, and in that case the onus is on the customer.
"From the SaaS provider's perspective, what you see is what you get," says Bloomberg. "The challenge is essentially provisioning users internally in order to use that third-party application, and then establishing and enforcing policies on who can do what with that application, essentially federating identity to the cloud," he says.
Third-party solutions like those from Okta and Symplified provide single sign-on services for SaaS applications. These identity federation technologies depend on a token that represents successful identification of an individual enrolled with the enterprise, and it passes that token to the applications without exposing it, explains Crawford.
The identity federation technology sits in the on-premises demilitarized zone and manages all requests from the on-premises applications to the SaaS applications. "Any request coming from on premises must be controlled. The only way to do that is via this on-premises governance tool. It is up to the governance tool to decide that any request is properly authorized," says Bloomberg.
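A minimal illustration of the token hand-off described above, added here as an example and not code from the article or from any vendor it names: the on-premises federation tool authenticates a user against the internal directory and issues a short-lived, signed, audience-scoped assertion, and the SaaS side accepts a request only if the signature, audience and expiry check out, without ever seeing the enterprise password. The shared HMAC key, the directory contents, the audience URL and the claim names are all constructed for the demo.

```python
import base64, hashlib, hmac, json, time

# Constructed shared secret between the federation tool and the SaaS provider
# (a real deployment would use a key pair exchanged when federation is set up).
FEDERATION_KEY = b"constructed-demo-secret-do-not-reuse"
SAAS_AUDIENCE = "https://crm.example-saas.test"  # hypothetical SaaS application

# Constructed on-premises directory: internal passwords the SaaS never sees,
# plus the entitlements the enterprise has granted for this SaaS application.
DIRECTORY = {
    "alice": {"password": "correct horse", "saas_roles": ["sales:read", "sales:write"]},
    "bob":   {"password": "battery staple", "saas_roles": []},
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def issue_token(username, password, audience, ttl=300, now=None):
    """Federation tool (on premises): check the user against the internal
    directory and issue a signed assertion. The password stays inside the DMZ."""
    user = DIRECTORY.get(username)
    if user is None or not hmac.compare_digest(user["password"], password):
        return None
    if not user["saas_roles"]:
        return None  # enrolled in the enterprise, but not authorized for this app
    now = int(time.time()) if now is None else now
    claims = {"sub": username, "aud": audience, "iat": now, "exp": now + ttl,
              "roles": user["saas_roles"]}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(FEDERATION_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def verify_token(token, audience, now=None):
    """SaaS side: trust the assertion only if signature, audience and expiry
    all hold. Returns the claims, or None when the request must be refused."""
    try:
        body, sig = token.split(".")
    except (ValueError, AttributeError):
        return None
    expected = _b64(hmac.new(FEDERATION_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):
        return None  # forged or tampered token
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    now = int(time.time()) if now is None else now
    if claims.get("aud") != audience or claims.get("exp", 0) <= now:
        return None  # replayed against another application, or expired
    return claims
```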
These identity federation tools, which are also referred to as cloud governance tools, cloud governance appliances and identity management as a service, are the outgrowth of single sign-on. Historically, users had separate usernames and passwords for their on-premises applications. IT organizations sought to make the most of single sign-on for these resources and have successfully used Microsoft Active Directory to enable users to access Microsoft resources under one username and login. Similarly, federated authentication enables users to log into one Web application and access others. "We're now looking at extending that to a SaaS environment, to broaden functionality by making authentication more seamless to users," says Crawford.